“We aren’t taking care of our systems,” said MKACyber CEO and founder Mischel Kwon at an industry event in the Washington Post office this morning. “This,” she continued, “is as much of an IT problem as a security problem.”
Kwon spoke in a panel discussion at Washington Post live’s “Cybersecurity: Personal Privacy in a Digital World.” While the trio of panel discussions ranged in subject—from a DHS assistant secretary reiterating that information sharing is important to the unfortunate reality that many business leaders view cybersecurity as an exercise in box-checking—Kwon, however, focussed more singularly on network maintenance and system hygiene.
“If you look at the problem and you look at the solutions, there is no silver bullet,” Kwon said, “but one of our biggest problems is that we aren’t taking care of our systems.”
Enterprises and organizations alike, she would later say, ought to be considering system hygiene and threats concurrently. In other words, vulnerability management and threat analysis have to go hand-in-hand. You can’t effectively do one without the other.
“It’s really hard to figure out how to stop the sophisticated adversaries when the unsophisticated adversaries are winning because we’re not patching or replacing older machines,” Kwon argued. “It’s not necessarily something fancy and something new. It’s more going back to looking at what lifecycle management is. It’s looking at actually patching machines.”
She went on to point out that the global Petya outbreak was enabled by an exploit that leveraged a vulnerability in a legacy Windows system that Microsoft said it wasn’t going to support anymore. Despite this, the underlying vulnerability was so widespread and so many people were continuing to use these legacy systems that Microsoft ended up going back on its word and patching a system it stopped supporting in 2014.
“This,” she said, “is really an indication that we’re not taking care of our systems, and we’re not putting the money toward the things that are controlling our lives.”
Furthermore, the focus on Petya and the similar WannaCry outbreak, she said in as many words, was misaligned, with too much time spent talking about the malware—how fast it spread and how many machines it infected—and not enough focus on the underlying hygiene problem. Ultimately, this was an incident that, in many cases, could have been resolved at a fraction of the costs eventually borne by many victims.
It’s not merely a matter of patching for the sake of patching, Kwon pointed out. Indicators of attack should be paired with common vulnerability and exposure (CVE) identification numbers when possible, so that you can know how susceptible your network is to a specific type of attack, so that you actually have data guiding you in your patch prioritization and network defense regimes.
“Often we do the patching after we’ve detected [that the attack] has already happened,” Kwon claimed, noting that it’s best do remediation as early as possible.