You can’t force changes, but you can compensate.
Businesses and technologies evolve. Sometimes one is faster than the other. Problems arise when business priorities focus on the next widget, production line or service offering, and new technology is put in place to address the gaps. As they say, “Necessity is the mother of all invention.”
Picture this: Five new widgets are released. Business is booming! All the widgets are selling! Things are great! The board members and shareholders are over the moon and showering your team with praise.
And then the CIO does an audit. Uh oh.
It’s a typical scenario: There’s old equipment from widget number 1 that can’t be upgraded. The widget has major vulnerabilities, wasn’t connected until widget number 4 was made, and the two now share resources. To make matters worse, the infrastructure is such a unique design that even the vendor that helped build it no longer supports it with updates. There is no risk assessment process in place.
Firstly, we need to ask three questions:
- How many other business-critical pieces of infrastructure using outdated technology do we have?
- What happens if we do nothing?
- What can we do to protect our brand? Our Intellectual Property? Our widget?
Secondly, here are a few more issues for the business process owner to consider:
- What would a breach cost us?
- What east/west access is there from this device? Across the network? Across the company?
- What is the cost of downtime (scheduled or otherwise) for 1 hour? 1 day? 1 week?
And finally, a few additional questions around risk assessment and mitigation:
- Are there local compensating controls that can be put in place? Think outside the box here… be creative!
- What about upstream? (Especially with smarter routers and next-generation firewalls.)
- What real-time notification or audit processes could be created to notify us of changes and problems?
- Is any dynamic process or access required?
The answers to many of these questions are not going to come quickly or easily – that’s for sure!
How would this look in a real-world scenario?
WannaCry ransomware used vulnerabilities associated with SMBv1, a terribly outdated service protocol found on older Windows systems. Why was WannaCry so effective? These systems were still in use and had easy east/west access for propagation.
I don’t need to repeat the names of the companies that were impacted – we all know them. What is critical, however, is the number of impacted systems. In most of the $250 million+ write-offs by those companies, the total number of locked systems was less than 30.
Once a critical system is compromised, other systems are at risk even if they don’t have the original vulnerability. WannaCry also “beaconed” home… Best practice in these cases? Grab the original OEM disk and reload/rebuild.
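The east/west question raised earlier, and the SMB propagation path described here, can be measured from flow records. The sketch below is an added example, not part of the original article; the log format, addresses, legacy-host inventory and fan-out threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (time, source, destination, dest port, protocol).
SAMPLE_FLOWS = """\
2024-01-10T09:00:01Z 10.20.1.15 10.20.1.40 445 tcp
2024-01-10T09:00:02Z 10.20.1.15 10.20.2.7 445 tcp
2024-01-10T09:00:03Z 10.20.1.15 10.30.5.9 445 tcp
2024-01-10T09:01:10Z 10.20.2.7 10.20.1.15 445 tcp
2024-01-10T09:02:00Z 10.20.2.9 10.20.2.8 445 tcp
2024-01-10T09:02:30Z 10.20.2.8 203.0.113.10 445 tcp
truncated-record not-an-ip
"""

# Assumptions: internal address space and the inventory of unpatchable hosts.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
LEGACY_HOSTS = {"10.20.1.15"}
FANOUT_THRESHOLD = 3  # distinct internal SMB peers that count as fan-out

def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed address: never treated as internal
    return any(ip in net for net in INTERNAL_NETS)

def smb_east_west(text):
    """Map each internal source to the internal hosts it reached on TCP/445."""
    peers = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records instead of failing the audit
        _ts, src, dst, port, proto = parts
        if port == "445" and proto.lower() == "tcp" and is_internal(src) and is_internal(dst):
            peers[src].add(dst)
    return peers

def findings(text):
    """Return (source, peer count, reasons) for flows worth a compensating control."""
    out = []
    for src, dsts in sorted(smb_east_west(text).items()):
        checks = [(src in LEGACY_HOSTS, "legacy host initiates SMB"),
                  (len(dsts) >= FANOUT_THRESHOLD, "SMB fan-out"),
                  (bool(dsts & LEGACY_HOSTS), "reaches legacy host")]
        reasons = [msg for hit, msg in checks if hit]
        if reasons:
            out.append((src, len(dsts), reasons))
    return out
```

Each finding names a flow that an upstream firewall rule or a local host rule could block or alert on, which is the compensating-control decision the questions above lead to.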
You can’t always make the changes you want, but you can put things in place to protect your company – and risk assessment is key.
Check out one of the ways I recommend to secure your organization from this nasty malware.