Sarah Peters posted an interesting post, 17 Things We Should have learned in 2017, but probably didn’t.
Below is the summary:
1. You need to know what data you have, and where it is. I agree that this is the right thing to do, but it is no small undertaking to complete and maintain in a large and dynamic environment.
2. How we respond to incidents is just as important as how we prevent them.
3. Social Security Numbers should not be used for anything but Social Security. Yes, but legacy applications and processes may still leverage the SSN as a unique identifier.
4. Radio frequency communications need to be secured.
5. ICS/SCADA needs special security treatment.
6. You need to deploy patches faster … no, really.
Equifax was compromised first in May, via the critical Apache Struts vulnerability disclosed in March. When news broke, attackers were already attempting to exploit the vuln and researchers urged anyone using Struts2 to upgrade their Web apps to a secure version. Clearly Equifax did not move fast enough.
In fairness, patching is hard, and March to May isn’t that much time for an enterprise of Equifax’s size to complete the process. Organizations nevertheless must inject some jet fuel into their patch management processes because the vendors sometimes take their sweet time issuing fixes. Microsoft, for example, didn’t patch a Windows SMB bug until a month after an exploit for it, EternalBlue, was publicly disclosed. The EternalBlue exploit, which enables malware to quickly spread through a network from just one infected host, was soon used in both the WannaCry attacks in May and the NotPetya attacks in June. Despite the terrifying (and highly publicized) nature of WannaCry and NotPetya, a scanner created by Imperva researchers found in July that one of every nine hosts (amounting to about 50,000 computers from what they’d scanned) was still vulnerable to this exploit.
7. The NSA might not be the best place to put your secret stuff.
8. Cybersecurity failures are beginning to have significant market impacts … sort of. I like this comment too:
Security researchers are investigating other ways to use market pressures to improve cybersecurity themselves. Meanwhile, organizations are getting smacked by regulatory fines and legal settlements, like Anthem Healthcare’s record-setting $115 million to settle its 2015 data breach.
9. Integrity of data (and the democratic process) can be disrupted by more than “hacking.” I agree. In healthcare, we have been focusing a lot on the confidentiality and availability of systems and data. As more medical and personal / wearable devices become interconnected and an integral part of providing healthcare, the integrity of the data and devices will be critical.
10. You really should refresh your DDoS defense and preparation plan. To be effective, companies also need to refresh their business impact analysis data. How badly will your operations, legal obligations or regulatory requirements be affected if an externally facing patient portal is not available for 15 minutes? What about 30 minutes? What about 2 hours? 1 day?
11. You can’t escape the effects of political and civil unrest.
12. Infosec workforce diversity is something you should actually care about.
13. Bitcoin is awesome, once you take away the part about currency. I absolutely agree. I am excited about and agree with the next comments too. I want to explore this topic in future posts.
…But the best thing about it is the platform upon which it’s built: Blockchain. The distributed ledger technology essentially allows for the creation of a list of records, each record cryptographically linked and secured, thereby enabling greater data integrity for all manner of applications. JP Morgan’s CEO Jamie Dimon called Bitcoin “stupid,” but his company got behind Blockchain in a big way this year, announcing a Blockchain-based cross-border payment network; IBM released a similar offering.
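The cryptographically linked records described in the quoted paragraph, as an added example (not code from this post or from Sarah Peters’ article): a minimal hash chain over constructed wearable readings, with a verifier that reports the first broken link. The genesis sentinel, sample readings and function names are assumptions; the out-of-band tip hash covers the one case the links alone cannot catch, a rewrite of the final record.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List

GENESIS_PREV = "0" * 64  # constructed sentinel: the first record links to nothing
# Constructed sample data: readings a wearable might report into a patient record
SAMPLE_READINGS = [
    {"patient": "P-001", "device": "wearable-7", "hr": 72},
    {"patient": "P-001", "device": "wearable-7", "hr": 75},
    {"patient": "P-001", "device": "wearable-7", "hr": 71},
]

@dataclass(frozen=True)
class Record:
    index: int
    payload: Dict
    prev_hash: str  # hash of the preceding record: this is the cryptographic link

    def hash(self) -> str:
        # Canonical JSON so the same record always hashes to the same value
        body = json.dumps({"index": self.index, "payload": self.payload,
                           "prev_hash": self.prev_hash}, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode()).hexdigest()

def build_chain(payloads: List[Dict]) -> List[Record]:
    chain: List[Record] = []
    for payload in payloads:
        prev = chain[-1].hash() if chain else GENESIS_PREV
        chain.append(Record(index=len(chain), payload=payload, prev_hash=prev))
    return chain

def tamper(chain: List[Record], index: int, new_payload: Dict) -> List[Record]:
    # Simulate a stored record being edited in place, with the stored links left untouched
    copy = list(chain)
    copy[index] = Record(index=index, payload=new_payload, prev_hash=chain[index].prev_hash)
    return copy

def verify(chain: List[Record], tip_hash: str) -> int:
    """Return -1 if the chain is intact, else the index of the first record that fails.
    tip_hash is the last record's hash kept out of band (signed or replicated);
    without it, a rewrite of the final record would go unnoticed."""
    expected_prev = GENESIS_PREV
    for pos, rec in enumerate(chain):
        if rec.index != pos or rec.prev_hash != expected_prev:
            return pos
        expected_prev = rec.hash()
    return -1 if expected_prev == tip_hash else len(chain) - 1
```

Editing record 1 is detected at record 2, whose stored link no longer matches; editing the last record, or truncating the chain, is caught only by the comparison against the tip hash.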
14. Encryption is great … except when it isn’t.
15. Firmware is your problem too.
16. No, malware does not mean no problem.
17. I want to include the last item in full. This item requires a separate blog posting too.
Getting stabbed in the side is a bigger problem than getting stabbed in the back. We’ve known for years that attackers can break in through one poorly secured endpoint and laterally move through your network until they access the crown jewels from the inside. While attackers continue to get better at lateral movement, most organizations haven’t done anything to get better at preventing it. With better-managed access controls and microsegmentation, and the use of an automated lateral movement tool to help good guys (and others) quickly find the most vulnerable pathways, organizations might begin to help defend themselves against a variety of attacks, including nightmares like an Active Directory botnet.
The Takeaways
- Review the blog post and update any plans.
