Don’t ignore the details of lifecycle and data management
By Gregory Hoffer, CEO, Coviant Software
Threat actors are a relentless bunch. They keep developing their tools and tradecraft to stay one step ahead of the increasingly sophisticated countermeasures designed to detect and prevent their attacks, and they have strong motivation to be good at what they do. By some estimates, cybercrime as an industry earns more than $600 billion a year. That is a lot of money, and a lot of incentive.
But for all the attention paid to highly skilled threat actors and the technologies built to thwart them, many attackers are content to be opportunists who would rather exploit more commonplace weaknesses to ply their trade. They know that even the largest companies with the largest cybersecurity budgets can neglect the ordinary things that make it possible to breach the walls, get inside, and operate.
A common weakness
One common weakness in enterprise security is a lack of focus on technology lifecycle management. The discipline of keeping an accurate inventory of an organization's hardware, software, and applications, keeping everything current and patched, and then retiring whatever is obsolete or no longer needed is not the flashy side of cybersecurity, but it is an essential component of a successful security strategy.
The consequences of poor technology lifecycle management were illustrated when financial services firm Morgan Stanley was fined $60 million by the U.S. Office of the Comptroller of the Currency in October 2020 for the improper disposal of servers from a decommissioned data center. Some of the equipment was sold to third parties and was later found to still contain unprotected customer data for about 15 million customers. This led to a class action lawsuit that was resolved with a settlement of an additional $60 million, announced January 3, 2022.
Whether those customers' personally identifiable information (PII) was actually exposed, or whether its security status simply cannot be verified, is beside the point: regulators expect evidence that the data was encrypted, and absent that evidence the data is assumed to have been compromised. A thorough lifecycle management process would have ensured that data was removed from those systems before they left the organization's control, and with proper data management processes, steps such as encryption and documentation produce a verifiable record to satisfy regulators that security and privacy laws have been followed.
Careful management
This is why it is important to carefully manage data, and the systems that store and move it, to avoid such incidents. When older technologies become obsolete and their manufacturers end support, those systems become targets for cybercriminals who go after companies known to use them. The dangers of running older, unsupported technology were illustrated in late 2020 and early 2021, when a legacy version of a file transfer tool was exploited. Accellion's File Transfer Appliance was the epicenter of an attack by a ransomware gang. Organizations around the world, across retail, industry, healthcare, academia, government and financial services, were affected. (Coincidentally, Morgan Stanley was one of the organizations breached through the attack on the vulnerable tool.)
Of course, technology lifecycle management is the responsibility of both the vendor and the user, and it is important to be prepared for, and responsive to, vendor events such as patches, end of support, and upgrades. Although reports suggest that Accellion was less than forthcoming about the state of its legacy product, another vendor in the data management space has taken a more responsible stance in deciding to discontinue one of its products.
Plan for the end of life
In August 2020, Qlik announced that its RepliWeb file transfer product would reach end of life on January 31, 2021, and that support for the product would be discontinued at that time. Qlik was open with its customers about the impact of the decision, giving them enough time to prepare for that date and find a replacement for a file transfer function on which many organizations rely.
Mozilla is another example of a company that stopped supporting a popular technology, announcing last year that it would no longer support the File Transfer Protocol (FTP) as of version 90 of its Firefox browser. The move followed a similar decision by Google, which dropped FTP support in Chrome version 88 in December 2020. For companies that are not paying attention, the loss of FTP support in those browsers can have serious security consequences. According to a ZDNet article, although FTP remains a popular option for moving files between computers, the protocol has "enough security issues that browser developers are dropping support for the protocol."
Among those problems, files transferred via FTP are sent without encryption, and FTP has also been used as an attack vector in malware campaigns. In the words of Mozilla's security team: "The biggest security risk is that FTP transfers data in cleartext, allowing attackers to steal, spoof and even modify the data transmitted. To date, many malware distribution campaigns launch their attacks by compromising FTP servers and downloading malware on an end user's device using the FTP protocol."
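The cleartext risk Mozilla describes is easy to make concrete. The script below is an added example (not code from the original article or from Coviant): it reads a constructed, one-line-per-packet text dump of an FTP control channel and reports which sessions sent credentials and file names in the clear, which is both what an on-path attacker sees and a quick way to inventory where plain FTP is still in use before retiring it. The capture format (`client:port -> server:port  payload`), the addresses, the user name and the password are all made up for the example; a real capture tool prints a different layout and the regular expression would need adjusting.

```python
"""Find cleartext FTP logins and transfers in a captured control channel.

Added example, not part of the original article. The transcript below is
constructed to imitate one-line-per-packet text output of a capture tool
(client:port -> server:port  payload); it is not real traffic.
"""
import re

# Constructed sample: session 1 logs in over plain FTP; session 2 upgrades
# the control channel with AUTH TLS (RFC 4217), after which a passive
# observer only sees ciphertext. None of these hosts or credentials are real.
SAMPLE_CAPTURE = """\
10.0.0.5:52344 -> 203.0.113.10:21  USER alice
203.0.113.10:21 -> 10.0.0.5:52344  331 Please specify the password.
10.0.0.5:52344 -> 203.0.113.10:21  PASS hunter2
203.0.113.10:21 -> 10.0.0.5:52344  230 Login successful.
10.0.0.5:52344 -> 203.0.113.10:21  RETR payroll_2021Q4.csv
203.0.113.10:21 -> 10.0.0.5:52344  150 Opening BINARY mode data connection
203.0.113.10:21 -> 10.0.0.5:52344  226 Transfer complete.
10.0.0.5:52344 -> 203.0.113.10:21  STOR invoices.zip
203.0.113.10:21 -> 10.0.0.5:52344  226 Transfer complete.
10.0.0.5:52344 -> 203.0.113.10:21  QUIT
10.0.0.7:41002 -> 203.0.113.10:21  AUTH TLS
203.0.113.10:21 -> 10.0.0.7:41002  234 Proceed with negotiation.
10.0.0.7:41002 -> 203.0.113.10:21  <16 03 03 ... TLS handshake, encrypted from here on>
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+)\s+(.*)$")


def parse_ftp_capture(capture: str, ftp_port: int = 21) -> dict:
    """Reassemble FTP control-channel sessions from the text capture.

    Returns {"client -> server": {"user", "password", "files", "tls"}}.
    Once a session has completed AUTH TLS (server replies 234) the rest of
    its control channel is ciphertext, so nothing further is recorded.
    """
    sessions = {}
    for raw in capture.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        src, dst, payload = m.groups()
        if dst.endswith(f":{ftp_port}"):
            client, server, from_client = src, dst, True
        elif src.endswith(f":{ftp_port}"):
            client, server, from_client = dst, src, False
        else:
            continue  # not FTP control traffic
        key = f"{client} -> {server}"
        s = sessions.setdefault(
            key, {"user": None, "password": None, "files": [],
                  "tls": False, "tls_pending": False})
        if s["tls"]:
            continue  # encrypted control channel: nothing readable
        if from_client:
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                s["user"] = arg
            elif verb == "PASS":
                s["password"] = arg
            elif verb in ("RETR", "STOR"):
                s["files"].append((verb, arg))
            elif verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                s["tls_pending"] = True
        else:
            if s["tls_pending"] and payload[:3] == "234":
                s["tls"] = True  # server accepted the TLS upgrade
    return sessions


def exposed_logins(sessions: dict) -> list:
    """Findings for sessions whose PASS command crossed the wire in the clear.

    The password is masked so the report does not become another copy of
    the secret; the file list shows what an observer could also have read.
    """
    findings = []
    for key, s in sessions.items():
        if s["password"] is not None:
            pw = s["password"]
            findings.append({
                "session": key,
                "user": s["user"],
                "password_hint": pw[:1] + "*" * (len(pw) - 1),
                "files": [name for _, name in s["files"]],
            })
    return findings


if __name__ == "__main__":
    for f in exposed_logins(parse_ftp_capture(SAMPLE_CAPTURE)):
        print(f"cleartext FTP login in {f['session']}: user={f['user']} "
              f"password={f['password_hint']} files={f['files']}")
```

Only the control channel is parsed here; the file contents travel on the separate data connection, equally unencrypted, and would be just as visible to the same observer.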
Don't take DIY risks
These issues highlight the importance of choosing the right technology and managing its lifecycle. That means making sure the right tool is used for important business processes, rather than making do with a "close enough" product or engineering a solution by hand. After all, FTP is still used for many legitimate business transactions, and with the proper controls file transfer can be both secure and automated. But even if you can write the scripts needed to handle those functions, knowing the subtleties that must be addressed for compliance is essential.
Errors in a do-it-yourself approach may not surface until something breaks: a transfer fails, an alert is missed, a security incident occurs, or a feature is needed that was not considered when the custom script was written. That is when risk, and cost, go up.
When it comes to file transfers, the method an organization chooses affects its data lifecycle management. With process automation, a secure managed file transfer (MFT) platform can ensure that files are encrypted before they leave and remain encrypted after they are received. And the ability to automatically document every step of sending, receiving, storing, and retrieving goes a long way toward demonstrating compliance with regulations such as Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the European General Data Protection Regulation (GDPR), and other state, federal and international laws.
Secure MFT does not cure every problem in an organization's security and data management, but it can play an important role in maintaining a strong data security and data management program. It also helps reduce reliance on manual intervention, which often leads to the inaccuracies and oversights that end in an expensive data breach or a compliance failure.
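The "verifiable record" that the Morgan Stanley section asks for and the "document every step" capability described just above share one mechanism: an audit trail that an auditor can check for completeness and tampering. The following is an added example (not code from the original article or from Coviant's Diplomat MFT) of such a trail built from the Python standard library. Each lifecycle step is recorded with the file's SHA-256 digest and whether the copy was encrypted, and each record is tagged with an HMAC that also covers the previous record's tag, so editing, deleting, or reordering any entry breaks verification. The audit key, the actors, and the sample file bytes are constructed; the encryption of the file itself is assumed to be done by the transfer platform and is only recorded here, not performed.

```python
"""Tamper-evident audit trail for the steps of a file transfer.

Added example, not code from the original article. Each record's HMAC tag
chains to the previous tag, so the trail can be verified end to end.
Assumes an audit key held outside the transfer system; the constant below is
a stand-in for a runnable example, not a real key.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

AUDIT_KEY = b"constructed-example-key-store-the-real-one-in-an-hsm"
GENESIS_TAG = "0" * 64  # tag "before" the first record


def _canonical(record: dict) -> bytes:
    # Stable serialization so the same record always tags the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(record: dict, prev_tag: str) -> str:
    # The tag covers the previous tag too: that is what makes it a chain.
    return hmac.new(AUDIT_KEY, prev_tag.encode() + _canonical(record),
                    hashlib.sha256).hexdigest()


def append_step(trail: list, step: str, file_name: str, data: bytes,
                encrypted: bool, actor: str, when: datetime = None) -> list:
    """Append one lifecycle step (send, receive, store, retrieve).

    `data` is the file content as handled at that step; only its digest and
    size are stored, never the content itself.
    """
    record = {
        "seq": len(trail),
        "step": step,
        "file": file_name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "bytes": len(data),
        "encrypted": encrypted,
        "actor": actor,
        "time": (when or datetime.now(timezone.utc)).isoformat(),
    }
    prev_tag = trail[-1]["tag"] if trail else GENESIS_TAG
    trail.append({"record": record, "tag": _tag(record, prev_tag)})
    return trail


def verify_trail(trail: list) -> tuple:
    """Return (True, None) if intact, else (False, index of first bad entry).

    Catches edited fields, deleted or reordered entries, and entries added
    without the key. Truncation at the very end is only detectable by also
    storing the last tag somewhere the trail's writer cannot reach.
    """
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(trail):
        rec = entry["record"]
        if rec["seq"] != i or not hmac.compare_digest(entry["tag"],
                                                       _tag(rec, prev_tag)):
            return False, i
        prev_tag = entry["tag"]
    return True, None


def unencrypted_at_rest(trail: list) -> list:
    """Compliance check: sequence numbers of received/stored copies that were not encrypted."""
    return [e["record"]["seq"] for e in trail
            if e["record"]["step"] in ("receive", "store")
            and not e["record"]["encrypted"]]


def build_demo_trail() -> list:
    """Constructed four-step transfer of one file, for demonstration only."""
    plaintext = b"acct,balance\n1001,250.00\n2002,75.10\n"   # constructed file
    ciphertext = b"\x85\x02\x0c\x03constructed-stand-in-for-openpgp-output"
    t0 = datetime(2022, 1, 3, 9, 0, tzinfo=timezone.utc)
    trail = []
    append_step(trail, "send", "balances.csv.pgp", ciphertext, True, "mft@sender", t0)
    append_step(trail, "receive", "balances.csv.pgp", ciphertext, True, "mft@receiver", t0)
    append_step(trail, "store", "balances.csv.pgp", ciphertext, True, "vault-01", t0)
    append_step(trail, "retrieve", "balances.csv", plaintext, False, "analyst@receiver", t0)
    return trail


if __name__ == "__main__":
    demo = build_demo_trail()
    print("intact:", verify_trail(demo), "unencrypted copies:", unencrypted_at_rest(demo))
```

The "send" and "receive" records carry the same digest, which is how the trail shows the file arrived unaltered; a later "retrieve" of plaintext is legitimate and is recorded as such, whereas an unencrypted "receive" or "store" is flagged. In production the audit key must not live on the host that writes the trail, or the writer could simply re-tag whatever it changes.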
A sensible refresh
The good news is that these tools and processes are not beyond the reach of smaller companies, or those with limited budgets or staff. Nor is a "forklift upgrade" style technology refresh required to get them. Indeed, a modest technology refresh may be all that is necessary to address a specific need and gain productivity and security benefits. A recent column in the tech trade journal Computerworld identified five reasons for a simple technology refresh, including:
- Lack of vendor support for older systems;
- Supporting employee remote access;
- Mitigating security vulnerabilities;
- Enabling regulatory compliance; and
- Improving ease of use.
Making the necessary changes to address such common-sense issues, such as patching or updating hardware, software, or applications to keep pace with change, is an essential part of managing an organization's IT estate and protecting its data and systems. In fact, these changes should be expected, and need be no more than a minor nuisance. If you are responsible for managing your organization's IT, it is never a good idea to stop updating, adding, or replacing technology.
For want of a nail
There is an old rhyme, "For Want of a Nail," that describes the catastrophic potential of ignoring seemingly simple details:
For want of a nail the shoe was lost.
For want of a shoe the horse was lost.
For want of a horse the rider was lost.
For want of a rider the message was lost.
For want of a message the battle was lost.
For want of a battle the kingdom was lost.
And all for the want of a horseshoe nail.
Don't let the seemingly minor details of your technology lifecycle management or data management program become the missing nails that lead to a major event like a data breach. Attend to the little things, and you improve the security of your organization.
About the author
Gregory Hoffer is the CEO of Coviant Software, maker of the secure managed file transfer platform Diplomat MFT. Greg's career spans two decades of successful organizational leadership and award-winning product development. He was instrumental in establishing groundbreaking technology partnerships that helped deliver Federal Information Processing Standards (FIPS) compliance, a DMZ gateway, OpenPGP, and other features required for protecting large files and data in transit.
For more information, visit Coviant Software online, or follow Coviant Software on Twitter and LinkedIn.