Compliance as an Opportunity
What does the Kaseya ransomware breach have in common with the tragic collapse of a 12-story Florida condominium? Both organizations were warned of critical problems to their infrastructure well in advance.
The loss of life in Florida is tragic and there is no comparison to the financial loss of the Kaseya breach, even with the $70 million ransom demand. What is comparable is that both organizations had foreknowledge of the problems but failed to take effective action in advance of their respective events.
These are current day examples of a problem which security practitioners see play out time and time again:
“A structural engineering report provided to the Champlain Towers condominium association in 2018 found widespread problems that required extensive repairs ‘in the near future.’”
Researchers warned Kaseya April 6 about one of the vulnerabilities that REvil ended up exploiting nearly three months later in a crippling ransomware attack.”
“Mandiant notified Kaseya after hearing about it from Alex Holden, founder and chief technology officer of Milwaukee-based cyber intelligence firm Hold Security. Holden said the 2015 vulnerability was present on Kaseya’s customer portal until Saturday afternoon, allowing him to download the site’s ‘web.config’ file, a server component that often contains sensitive information such as usernames and passwords and the locations of key databases.
‘It’s not like they forgot to patch something that Microsoft fixed years ago,’ Holden said. ‘It’s a patch for their own software. And it’s not zero-day. It’s from 2015!’”
Organizations are constantly checking themselves against various security baselines or compliance standards (e.g., PCI-DSS, HIPAA, NIST CSF, CIS CSC, etc.). This is a good activity, yet many organizations do this as a reluctant requirement instead of embracing best practices and the benefit they will derive for their cybersecurity posture. This is one of the most curious aspects of IT Operations I commonly see.
When organizations promote people or hire new people, it generally is because they bring valuable experience to a need. IT leaders are valuable components of achieving organizational goals. Often they will be hands-off while directing activities.
Abstracting the idea, if IT leaders bring value by guiding teams towards good activities, it is because they have experience and can leverage what they’ve learned to bring success to an organization. This is the same thing a baseline or standard represents. These documents are records of best practices and lessons learned, then cultivated into a document for easy reference.
If we value human experience, then why do we not recognize and appreciate these compliance documents?
Circling back to the original point of this posting, baselines or similar evaluation tools were leveraged to ascertain the current state of things. The gap reports in both examples exposed critical weaknesses which should be addressed. The criticality of the reports should tie into a risk-based remediation timetable. Every compliance program functions this way.
Keeping this point at a high level, baseline assessments can expose real opportunities for organizations to improve. When they are treated like a “check the box” exercise, the value is largely lost. At that point, why bother, because it is all theater.
In the unfortunate circumstances of these examples, reacting appropriately might have avoided tragedy. It is my hope that more organizations will embrace the opportunity to improve and embrace a cup half-full mentality.
Food for thought.