Security breaches keep happening and they will continue on. That's why

Over the last years, security breaches have become the new normal.

Yahoo! officially admitted a massive security breach, occurred over the previous years, only some days ago.

Rumors about that had been around for a while, but I got an official email from Yahoo! about this only on 9/27 (I had already changed my password at least 4 times in the meantime.)

People all over the world got shocked by this and no one, including presidential candidates, seems to have any clue on what should be really done.

NOT ME.

I'm not surprised at all.

On the contrary, I expect such incidents to exponentially grow over the next months, or years.

Why? Why is this keeping happening and will keep happening?

Reasons

• People keep making the same mistakes over and over again: Information security is too often focused exclusively on a software product, but the real problem is people. People in an organization are the weakest link in the chain and, if they don't understand the importance of a correct security posture, because a breach could cause their employer to close for good, they won't stop making mistakes and organizations will continue being breached. For this reason, organizations need to heavily invest in security awareness training.
  

• In I.T. all is ruled by the CIA triangle dilemma. In other words, if you have to choose between security and usability, you're forced to choose the latter. Sadly, in the name of usability, organizations often choose the most insecure and outdated configurations ever.

• Organizations are often opposed to change, for practical reasons (redesign an app, or a database from a scratch is a real pain), due to budget constraints and because people are lazy.

If most users in an organization are familiar with something, they will be very reluctant to change, even though it could improve their jobs.

Most people don't want to be challenged and they stick with their old habits for as long as they can.  Their little world gets crushed when you tell them they need to move away from that operating system because is ten years old and there are 100,000 exploits available for it online.

What's more, budget constraints and the need to ensure a 24/7 availability for online and network services can prevent an organization from changing outdated vulnerable configurations. If an organization uses a legacy application for its customer database and migrating to a new one would mean taking the website down for an extended period of time and spending more money than the management is willing to allocate, what do you think it's going to happen? No changes will be implemented.

The old saying "if it's not broken don't fix it" still rules, along with its unavoidable appendix: "We've always done this way".

IT'S A MINDSET YOU SIMPLY CAN'T AFFORD TODAY, because in I.T. all changes seamlessly.
  
Constant change is the only constant in I.T.

This old-school mental attitude is destined to fail because breaking things is what a real hacker does. A hacker breaks a software to understand what results may come from that (what happens if I input x in the login field? Will it return y or something totally different?).

And when a hacker finds a way to force a software to behave the way he/she wants, the breach is round the corner already.

• Information security is considered as a mere cost entry: Spending in information security doesn't give an organization an immediate return, so it's considered as a cost entry you want to slash. Sadly, this strategic myopia is very impactful. Breaches may cost much more than the investment that could have been made to prevent them and could even lead to legal lawsuits. Several regulations in force today demand organizations to harden their security systems, so negligence to this extent could lead to class actions, lawsuits and damages for the corporate image.

• Product instead of mindset: Too many organizations think they can settle the security problem by buying a product, a so-called 360° solution, some sorta security suite (be it Norton, AlienVault, or else) and call it a day. This approach is wrong for several reasons. This specific software requires security professionals to monitor logs, so it's useless if the organization lacks this skill set. The more software an organization buys, the more vulnerabilities can be added to a network, or a corporate system. Each software installed has its own vulnerabilities and zero-days, so adding more applications means stacking problems upon problems without solving the underlying causes for a breach to happen. Information security is a mindset, not a product. Until organizations adopt a wrong mindset and don't invest in security awareness training, breaches will keep happening and will be worse and worse. I know, that's not the politically correct thing to say, but the aftermaths of the poor security posture in this country are (and will be) so impactful that honestly I don't give a damn about it. We need cyber security professionals to step up and tell the truth: the state of cyber security in this country and over the world is pretty bad and things aren't gonna change if we don't work on the reasons determining this situation. Pleasing marketers and politicians, who'd rather hide their heads in the sand pretending it's no big deal (in order to sell you a product as the solution, or because slogans are much easier than addressing problems) will lead us nowhere.
• Unskilled people in security management roles: I sometimes happen to check the LinkedIn profile of people who contacted me, or viewed my profile, only to find out, much to my surprise, some guys working as CISO, or employed in alike security management roles, have no technical background, but come from marketing departments. This is a real issue here. You can't secure what you can't understand and, though I have nothing against marketers per se, I don't think they got a clue about information security. I wouldn't tell you how to sell a product, or web content, so don't you tell me how to secure a network, please. I understand information security needs to be somehow "sold" to top management, but no salesperson can sell what he/she doesn't know.

What can be done

• Think like a hacker: No defense can be effective if you don't know how attackers work and what they're after. A quote excerpted from ancient book Art of War by Chinese general Sun-Tzu, often used in my security classes, says:

  "If you know the enemy and know yourself, you need not fear the results of a hundred battles".

  Most organizations don't know the enemy, nor themselves. Knowing the enemy can require a remarkable effort in terms of financial and non-financial resources (security consultants, honeypots, etc.) that not all organizations can afford, but knowing yourself should be imperative. If an organization doesn't know its vulnerabilities and its internal problems that could lead to a breach, it's already lost the battle, because no one will see the enemy coming.

• Check if you were hacked: Haveibeenpwned checks if your email account was involved in a security breach. When hackers steal email accounts or user credentials, they dump them somewhere (on websites like Pastebin or on Darkweb repositories) until they sell them to other hackers. This site is able to inform you if your email account was dumped somewhere. Though this is not a final indication (your account could have been hacked, but not dumped anywhere yet), it may sometimes be useful. Through the website, I knew about Yahoo! breach months before the company officially announced it.

• Implement strong passwords but be clear about how to create them: You might consider using spaces within passwords (whereas supported), because they make it much harder for an attacker to break the encryption. In other words, something like I don't like p@ssw0rd chang3s can be more effective than a random password like U6Tym9hHgGIM (much harder to remember). You might want to consider using password managers, too, but I won't recommend a specific product, as there are many equally valid alternatives around. CIA triangle has a specific role here, too. If you use very strong passwords which are meaningless to users who need to adopt them, they're going to jot them on sticky notes on their desks for everyone to see (yup, I've seen this, too, over my career).

• Regular backups: Ransomware can thrive because most organizations don't have an efficient backup policy in place. Regular backups allow an organization to face most problems resulting from a ransomware attack.

• Hire trusted and certified security professionals: If your organization lacks the necessary skill set to face the growing security threats, hire external professionals, but do your homework. Check who they are, what professional qualifications/certifications they have, their professional background, what works they've done in the past, ask around. If a pentester only runs automated tools and delivers an automated report generated by the tool itself, without adding any real value to the customer, that should raise a red flag. I know, you guys might think: "Here's the elevator pitch". Why not? You guys all do it and a company wouldn't surely find one like me on Yellow Pages. At least I'm honest about it and try to convey content along with it, not a mere click-bait.