Why We Fail At Getting the Cybersecurity Basics Right
The cybersecurity basics should be just that—basic. Easy to do, agreed-upon, and adopted at a near 100 percent rate by companies and organizations everywhere, right?
You’d hope. But the reality is that basic cybersecurity blunders continue to affect businesses of all sizes, which has led to embarrassing vulnerabilities, hacks, and attacks. And some of those very mishaps have been the focus of the Lock and Code podcast for months.
In August, Luta Security CEO Katie Moussouris told us about simple security oversights at the company that develops the popular “social listening” app Clubhouse. After poking around with the app on two separate devices, Moussouris discovered that she could easily eavesdrop on conversations without having her user icon present in a room. That same month, hacker Sick Codes told us about how he and roughly 10 other hackers gained extensive reach in just a few days into John Deere’s data operations center, revealing data about farms, farm equipment, and the equipment’s owners. And in July, the chair of the Dutch Institute for Vulnerability Disclosure Victor Gevers told us that he and his organization had found “seven or eight” zero-days in the popular managed service provider tool Kaseya VSA. What’s worse is that Gevers said that he and his volunteers had been finding similar vulnerabilities in many remote networking tools for months.
About these flaws, Gevers said: “I am sorry, but these vulnerabilities—these are not advanced. Not advanced at all.”
The big problem about these vulnerabilities is that, because they are so basic, they are so easy to abuse.
The zero-days that Gevers and his team found in Kaseya VSA led a ransomware attack. A failure to differentiate user passwords on a remote access tool used by a Florida water plant likely led to the attack on that plant’s chemical treatment facilities, and though the attack was caught and prevented, it was still a bit worrisome. And when the meat supplier JBS was hit with ransomware, even though it reportedly had backups in place—which are the single most effective defense against ransomware—the company still chose to pay $11 million to its attackers for a decryption key.
Many of these problems could have been prevented—or at least better mitigated—if the organizations in question had a better grasp on the cybersecurity basics. As our guest on today’s episode of Lock and Code explains, there are huge risks in failing to get these basics right. Jess Dodson, who described herself as a “recovering Windows systems administrator” (ha), said:
“If you are not doing these things, I would say that there is a high chance that you already have a threat actor in your environment. That is the risk.”
Today, on the Lock and Code podcast with host David Ruiz, we speak with Dodson about what are the most commonly-missed cybersecurity basics, which are the most foolish ones to get wrong, and why do we keep failing at what we can all agree is, after all, pretty basic stuff.
Podcast: Tune in to hear all this and more in this Lock and Code podcast, by Malwarebytes Labs.