If you are feeling good about your cybersecurity program, don't read the latest report by FireEye on what their assessments found in industrial programs of their clients. It is depressing.
What they found was what our assessment teams used to find between 1998 and 2008. Nothing much has changed. I used to teach that problems that go on over many years, in spite of efforts to change behavior, are missing something very important. The root cause cannot be addressed by the changes that are being made. This is worth noting:
"FireEye iSIGHT Intelligence organized the critical and high security risks identified during Mandiant ICS Healthchecks into nine unique categories (Table 1). The three most common were:
Vulnerabilities, Patches, and Updates (32 percent)
Identity and Access Management (25 percent)
Architecture and Network Segmentation (11 percent)"
When I taught in college, I used to say that problems that continue after long-term attempts to correct them are typically being addressed with the wrong solution. If patches and updates are still the number one problem, and they have been for 25 years, there is a good bet that the solution is not more training for the people who apply patches and updates. The problem is with the vendors who sell us software that needs to be patched and updated at such frequent intervals that it is impossible to keep up. It is sloppy code development, with no incentive to test in the environments where the software has to run. There is no liability for vendors no matter what they do. We need to change that.
Until we have legislation that holds vendors accountable to a reasonable standard of care, they will never correct the kinds of things that go out on the Internet every day, knowing they can be patched later. If you think about that model, it is ridiculous. The Internet is not a safe place. All the software vendors know it. Still, they behave as if there is no big concern about what they might do to compromise my data while they fiddle around with new patches for a couple of months. Why can't we concentrate on that problem for a while and see if it helps?