“I’ve been doing this for 22 years. I’m not seeing the root causes change at all.”
Greg van der Gaast, Head of Information Security at the University of Salford talks to Jeremy Swinfen Green about the degree to which the pandemic has changed the way that security teams need to operate.
Greg van der Gaast will be speaking at the teissR3 | Resilience, Response and Recovery summit taking place online, 15 – 24 September.
This year, the very popular teissR3 event focuses on how to improve your organisation’s cyber resiliency and adopt best-practice in incident response and crisis management in a post-COVID-19 world.
Are there new vulnerabilities that are coming to light because of the pandemic, or is it just more of the same?
I think it’s been more of the same for about 25 years, to be honest. I’ve been quite adamant about this. And this is my personal brand. I’ve been doing this for 22 years. I’m not seeing the root causes change at all. And every time, it’s a sophisticated nation state attack. In industry chats on WhatsApp or whatever, it’s like, 20 pounds says it’s SQL injection from 1998.
Everything has to be deemed sophisticated, and scary, and highly, highly complex. No, it’s the same buffer overflow. It’s unpatched vulnerabilities. It’s people that have machines they didn’t know about or code on their machines they didn’t know about or didn’t inspect or a third party supplier they didn’t vet. It’s always the same things. It’s always the same things. And we just don’t focus enough on the root causes of those things.
If you look at all the big breaches, it’s all basics. It’s all a lack of asset management, lack of architectural standards, poor patching processes, things not being patched, code not being reviewed. It’s pretty much those four, five basic things that just come back and account for 95% of breaches.
And yet the human element with phishing is probably more prominent now than it ever was in the past. But they usually feed into those things. An attacker will get a foothold and then spread throughout the network because those things have been neglected. But it’s been the exact same things.
And it’s why I really believe the most important thing you can do in security is just do the basics or the fundamentals, as some people like to call them, doing them holistically and consistently, not a point in time, but make sure you’re doing them and doing them everywhere.
And that requires a huge level of business engagement and interaction and in many cases, influence, because they’re not necessarily happening in places that are security’s job. You will have to influence projects. You will have to influence IT. You will have to influence business processes. But if you can get that done, then you prevent all those things. I really haven’t seen much change over the last 20 years.
A lot of hype, a lot of hype, a lot of new AI and this and that, but fundamentally, if you dig deep enough, it’s the same stuff.
That’s good to hear and perhaps is not frightening. But I just wonder, are the issues around the scale of what’s happening, if you suddenly have 95% of your organisation working remotely, is there a danger that certain things just get overwhelmed because you haven’t necessarily planned for that change in scale?
See, I think organisations should have been built to manage assets remotely. And this is what a lot of people are waking up to, we have no way of updating or patching devices when they’re off the network. We don’t have enough VPN capacity. But stuff like VPN capacity, that was sort of in the first week. We need to buy more licences. We need to upgrade the kit. That’s not technically complicated.
Did you have a VPN? Did you have the capability of working remotely? Were your processes– was home working integrated in your processes? If it was, then it shouldn’t really matter. Yeah, there’s a question of ramping it up. But everyone’s ramped up now. It took no more than a month. So I think we can stop harping on about there being different causes to breaches because of COVID, because we’ve not seen a COVID-related breach, have we?
No. That’s quite true.