As the saying widely attributed (correctly or incorrectly, you be the judge) to the great Albert Einstein goes, “The definition of insanity is doing the same thing over and over again, but expecting different results.”
In 2014, in addition to a lot of great work done day in and day out by IT professionals deep in the trenches, a lot of not so great things happened in IT, too. And in the spirit of Mr. Einstein’s profound statement, we should all learn from this. To not do so would mean we risk repeating the same mistakes that led to the negative outcomes experienced in 2014, but expecting a different outcome in 2015. In essence, it would be insane not to!
So, here are the top six lessons I think IT as an industry should learn from 2014.
Point of Sale (PoS) should not be Internet-connected!
A litany of examples of this principle were demonstrated in full glory in 2014. Actually, they started way back in July 2013 with Neiman Marcus, but they didn’t deign to tell the world until a year later. The most egregious examples were JPMorgan Chase, who forgot to upgrade a server with two-factor authentication capabilities, and Home Depot, who apparently didn’t upgrade anything.
LESSON #1: Apply all security patches to Internet-facing systems immediately! If there’s a patch, there’s already an exploit, and failing to install the patch makes YOU the next target.
LESSON #2: Systems that contain credit card data and personally identifiable information should not be accessible from the Internet!
Open source is not perfect!
For years, the mantra of open source software was that it must be more secure because everybody can inspect it and there are droves of programmers contributing code. However, Heartbleed and Shellshock both dispelled the myth behind that mantra. And while Heartbleed is pretty much old news (except for the quarter-million servers still not patched), Shellshock is an entirely different story. It continues to be actively exploited, typically in environments where patches or easily implemented mitigations exist but are being ignored by many, much like the open source code it’s based on.
LESSON #3: You MUST install patches to Internet-facing systems! Did I say that already?
LESSON #4: If you write code, find a trusted programmer of higher capability to peer-review your code; if you deploy code, make sure it comes from trusted sources, and still only trust it with a rock of salt.
Cloud storage is just as risky as home storage
A wise person once said, “If you don’t want it repeated, don’t write it down.” This applies to photographs as well — if you don’t want them shared, don’t take them. Or for the more risk-prone, at least store them in secure storage. Cloud-based storage with an easily guessed password doesn’t count. And even then, if the content is especially prone to personal embarrassment, like say, oh, nude selfies, encrypting the photos is probably a wise move as well — with encryption keys that you own! The same applies to potentially sensitive corporate information.
LESSON #5: Passwords are only as secure as the strength of the password. Have you changed or strengthened your critical account passwords in the past year? Is your company’s sensitive cloud-stored data encrypted with company-owned encryption keys?
Nobody is immune from invasion, but poor cybersecurity is an open door
As if the JPMorgan Chase and Home Depot examples weren’t enough (they should have sent every CIO running for the IT director’s office to make sure the corporate network was properly locked down, and they should have reinforced the importance of not placing trade secrets, highly sensitive personnel data and unreleased major motion pictures on Internet-accessible networks), maybe recent events over at Sony Pictures Entertainment have finally done it for us.
LESSON #6: Don’t store sensitive information on Internet-accessible systems! I think I already said something along these lines earlier, too!
Only because these lessons cannot be repeated enough (and, almost certainly, yet more examples will arise in 2015 from people who failed to learn them this year), let’s revisit them one last time:
- Apply all security patches to Internet-facing systems immediately. If there’s a patch, there’s already an exploit, and failing to install the patch makes YOU the next target.
- Systems that contain credit card data and personally identifiable data should not be accessible from the Internet!
- You MUST install patches to Internet-facing systems! Yes, I know I’m repeating myself. It must be important, huh?
- If you write code, find a trusted programmer of higher capability to peer-review your code; if you deploy code, make sure it comes from trusted sources, and still only trust it with a rock of salt.
- Passwords are only as secure as the strength of the password. You should update your passwords and use secure encryption protocols you hold the keys to.
- Don’t store sensitive information on Internet-accessible systems! Again, my repetition here is not by accident.