Cybersecurity in 2021: stop the madness

Marc Andreessen was right: software has eaten the world. As a result, the world can be hacked.
Just look at the last few months. The SolarWinds caper, "the largest and most sophisticated attack the world has ever seen" according to Microsoft Chairman Brad Smith, gave its Russian perpetrators months of free rein across countless US government agencies and private companies. But stupid works too: last month in Florida, cybersecurity at a water treatment plant was so lax that anyone could have been behind a clumsy attempt to poison the local water supply. Meanwhile, ransomware thugs have made hospitals their favorite target; in October 2020, six US hospitals fell victim within 24 hours. Cybersecurity wins the Darkest Science Award.
But if being attacked is now a cost of doing business, then the traditional approach of prioritizing risk and limiting damage when breaches do occur still offers reason for hope. This collection of articles from CSO, Computerworld, CIO, InfoWorld, and Network World provides specific advice on security best practices across the enterprise, from the C-suite to developer laptops.
Contributor Stacy Collett, writing for CSO, addresses the age-old question of how to focus senior management's attention on security in "4 ways to keep the cybersecurity conversation going after the crisis has passed." The thesis is that five-alarm debacles like the SolarWinds attack can serve as useful wake-up calls. Collett suggests seizing the moment to convince the board to match the company's business model with a proper risk mitigation framework and to use clearinghouses and analysis hubs to exchange industry-specific threat information and defensive measures.
The CIO contribution, "Mitigate the Hidden Risks of Digital Transformation" by Bob Violino, highlights a problem that lurks in the open: digital innovation almost always increases risk.
Everyone understands the transformative power of the cloud, for example, but every IaaS or SaaS provider seems to have a different security model, increasing the chances of a disastrous misconfiguration. Additionally, digital integration with partners promises all sorts of new efficiencies and, by definition, increases third-party risk. And does it even need to be said that launching an Internet of Things initiative will significantly expand your attack surface?
A second story written by Violino, this one for Computerworld, explores the cybersecurity obsession of our time: "The WFH Security Lessons from the Pandemic." Some of the article covers familiar ground, such as effective endpoint protection and multi-factor authentication for remote workers. But Violino also offers more advanced solutions, such as cloud desktops and zero trust network access. He warns that a new wave of preparation will be needed for hybrid work scenarios, in which employees alternate between the office and home to ensure social distancing at work. The pandemic has shown that large-scale remote work is feasible, but new solutions, such as ubiquitous data defense and response platforms, will be needed to secure our new world without a perimeter.
This also applies to companies with many distributed offices. As contributor Maria Korolov reports in the Network World article "WAN challenges drive Sixt to cloud-native SASE implementation," adoption is accelerating for Secure Access Service Edge (SASE), an architecture that combines SD-WAN with various security measures, from encryption to zero trust authentication. According to Korolov, for the car rental company Sixt, the result was "a 15% to 20% reduction in network maintenance, security and capacity planning costs." At Sixt's 80 branches, downtime is on average one tenth of what it used to be.
In "6 Security Risks in Software Development and How to Deal With Them," Isaac Sacolick, editor-in-chief of InfoWorld, reminds us that modern cybersecurity also means secure code. An ESG survey cited in the article found that nearly half of respondents admitted to regularly pushing vulnerable code to production. Thanks to his hands-on experience with development teams, Sacolick can offer a multitude of practical solutions that development managers can adopt, from explicitly documenting code security acceptance criteria to ensuring that version control repositories are fully locked down.
The SolarWinds fiasco demonstrated that enforcing such policies is no longer optional. Coverage of the attack focused on the backdoor that Russian hackers embedded into SolarWinds' Orion products, instantly compromising customers who installed the software. Less attention has been paid to the custom malware that the hackers created to sneak into the SolarWinds development process undetected and implant this backdoor. Can a software development shop say for sure that it can withstand such a sophisticated and concerted effort? Software companies are asking this question right now, as governments and private companies, seen as high-value targets, furiously scan their operations to see whether they have fallen victim to other compromised code. Of course, this is just the latest battlefront against a global horde of cybercriminals, from script kiddies to criminal hackers to state-sponsored masterminds.
Copyright © 2021 IDG Communications, Inc.