Security is a hot topic in technology today, largely because of the rise in cyber-attacks. Understanding just how little a bad actor needs to get into a network and do damage will illustrate exactly why security is crucial.
Recently, we’ve talked a lot about cybersecurity. Identity Access Management controls, securing data properly, the increase in cyber-attacks (especially in the healthcare industry), adopting digital transformation and cloud migration. These topics are incredibly important to the success of any business, and due to the influx of remote workers, these topics are at the forefront of everyone’s minds. Bad actors are increasing their efforts because they know businesses are strained, and strained businesses are trying to make the necessary security changes, but it’s not easy to do in the current circumstances. However, let’s illustrate some of the necessary upgrades and interesting places hackers have gained access to systems.
The point of this exercise is not to make any business owner or corporation feel like they are failing. There are many reasons that the issues outlined below become a problem, and typically it is not the fault of the IT department, but rather a budget problem because almost every business has an improperly set information security budget. Even when budget isn’t the reason, there are other reasons upgrades don’t happen. Shut downs are not optional in some instances, making those upgrades impossible to complete.
For example, there are still machines in operation which run on WindowsXP and Windows 2000. ATM’s and MRI machines both fall into this category in a lot of instances. When was the last time your bank told you that ATM’s would be shut down for a system update and you wouldn’t have access to your funds for a set amount of time? Sure, they could try to time it in the middle of the night when most people are sleeping or even during the day when people can go into a bank and get their funds, but there’s going to be an impact. Especially for global institutions which have to consider all time zones before executing this task. It’s no easy feat, logistically.
Then look at the MRI machines. Depending on how a facility is set up, maybe they only have one machine or their systems are integrated and can’t be shut down one by one. What healthcare facility is going to send away a patient or tell them they have to get care elsewhere because their systems are being updated? Again, it’s another logistical nightmare.
The problem in these two examples is that WinXP and Win2000 have been the most vulnerable systems out in the wild for years, and still are today. None of the businesses associated with the examples given can be faulted for their decision to not shut down and upgrade because it would most certainly cause problems. However, there comes a point in every system’s lifespan that requires a complete shutdown and upgrade. It’s not just about security, it’s about functionality. At some point, because of the lack of support for these systems, they will become fragile and break. When that happens, it’s not only going to result in a lengthier shutdown than a standard upgrade, but it’s going to cost a lot more to fix.
But it’s not just old systems that need upgrades that cause problems or vulnerabilities. There are IoT devices in every household, in every business which can act as easy entry points for an attack. For instance, bad actors have gotten into businesses by first accessing a device connected to their network. A pacemaker, an IV pump, a slot machine, kitchen appliances located in offices, HVAC systems and fire alarm systems have all been entry points for attacks. The damage that can be done by entering a network this way has been proven in tests. IV pumps have been forced to fail, coffee machines to overheat, but also it is possible to open a backdoor or reprogram that device to just listen to what is happening on the network.
Remember, all a bad actor needs is a cracked window, a foot in the door. Once they get access to your businesses network, they can work through getting access to your internal network, systems and processes. Many times this means they have sought out an employee’s credentials so they can seemingly legitimately log in to your systems without raising a red flag. IoT devices provide this access easily because they often do not come with encryption or security attached to them. Most people don’t consider them a security risk, even though they most definitely are.
All of this should illustrate just how important security is to your business. IAM controls with least privilege must be in use. Multifactor authentication is hugely important. Ensuring that your network is secure, including any business-owned devices that might be attached, is crucial. If an attacker can get into a medical facility through an IV pump and end up shutting down systems, think about the implications it has for your own business. And when you are reviewing your security, be sure to consult an expert as you make your plan. It is vital to have someone who knows the security industry to have eyes on your plan. You wouldn’t trust a medical student to perform intricate neonatal cardiothoracic surgery, so don’t trust just anyone with your security. Your business is the heartbeat of your livelihood, treat it as such!