As the annual RSA Conference approaches and vendors gather to sing the praises of their security products, let’s pause and reflect on some recent cyber-security news items.
Item: Oracle released a near-record number of patches in its quarterly Critical Patch Update: 270 in all, with 118 that are remotely exploitable in E-Business Suite.
Item: The same day, at the Oracle CloudWorld in New York City, CEO Mark Hurd told the assembled attendees that the average Oracle customer is 13 months behind in rolling out security patches.
This is meant as a reason to switch to cloud or software-as-a-service offerings, which the vendor can patch and keep up to date with the latest security fixes. But still, that’s 270 flaws that had to be found and patched—for this quarter alone.
Of course, Oracle and its users are not the only ones having trouble keeping up. It seems there will never be an end to the patches for Adobe Flash. Windows sees a regular stream of updates. Apple this week released double-digit numbers of security fixes for both macOS and iOS. Millions of Android users are running insecure versions of the mobile OS as we speak.
Item: Security flaws, as well as user errors, helped account for a 40 percent rise in reported data breaches in 2016—1,093 incidents, up from 780 in 2015, according to the Identity Theft Resource Center. If the numbers seem low, that’s because many incidents are either not reported or not reported in a timely manner. If you doubt that, see Yahoo’s 2014 hack of 1 billion accounts, which was not reported until Dec. 2016.
For the most part, the security industry holds up its end, both in discovering flaws and in preventing breaches from happening. The state of siege of today’s enterprises may make it seem that security software is not effective. On the contrary, security solutions, firewalls and managed services are more effective than ever, given the billions of malicious events occurring every day.
But it’s not enough. Users need to be better educated about security threats and companies need to train their employees in best practices for online behavior and privacy.
But in the Post-Snowden Era and early in the Age of Trump, it’s become harder to determine what threats (as well as the facts and truth) are real or imagined. The Russian hacking of the Clinton campaign is one obvious example. We may never know what really happened.
But another little item recently had the same effect. Over the holidays it was widely reported that the Russians had infiltrated the power grid in Vermont. But over the ensuing days it was found out that the Russians did not hack the grid. In fact, the grid had not been hacked by anyone.
It really comes down to each individual person keeping vigilant about security. Not just security professionals but all people who know what they are doing should spread the word to family and friends on how to stay safe, online and off. Security basics will go a long way to protecting personal and corporate data, but also help alleviate fear and paranoia.
That’s pretty much the feeling of Retired Gen. Michael Hayden, a former National Security Agency and CIA director, as he speaks around the country. “Your government is and will remain late to need in providing security in the cyber domain,” he told attendees at a vendor event in New York last year. “You are going to be more responsible for your security [there] than you have been responsible for your security [in the physical realm] since the closing of the American frontier in 1880 or 1890.”
This is the same Gen. Hayden whose successors testified before the Senate Armed Services Committee this month that Russia was involved, only to see the president-elect cast doubt on their testimony. The more we know, the less we know.
The only people who are really in the know when it comes to cyber-security are the criminal elements themselves. It’s their game; they are in charge, and it really is every person, and business, for themselves.
So at RSA, let’s pay attention to the new solutions, threats and best practices, and embrace them. But let’s also not forget that we are still losing the battle.
Scot Petersen is a technology analyst at Ziff Brothers Investments, a private investment firm. He has an extensive background in the technology field. Prior to joining Ziff Brothers, Scot was the editorial director, Business Applications & Architecture, at TechTarget. Before that, he was the director, Editorial Operations, at Ziff Davis Enterprise. While at Ziff Davis Media, he was a writer and editor at eWEEK. No investment advice is offered in his blog. All duties are disclaimed. Scot works for a private investment firm, which may at any time invest in companies whose products are discussed in this blog, and no disclosure of securities transactions will be made.