Systems often fail because their designers protect the wrong things or the right things in the wrong way

Josef Mayrhofer

There is a saying, "You can't lock the door and keep the windows wide open". Yet for some reason, obvious problems such as pushing for compliance instead of meaningful security controls remain among the many unforgivable security mistakes.


Protecting the wrong things


Cybersecurity is crucial in many businesses because it ensures the availability, confidentiality, and integrity of data and intellectual property. To simplify our work, we could apply the same quality and grade of security controls to all our applications. But would this approach support an organization's mission? Applying the highest security architecture standards to all systems would waste too much of an organization's money.


Another mistake is focusing on security and neglecting privacy. Organizations that have outstanding network security in place but ignore data classification and data leak prevention entirely are increasingly vulnerable to data exfiltration.


As you can see, protecting the wrong things is relatively easy. A better approach to cybersecurity architectures is considering the context and use cases, including existing threats, before applying security controls.


Protecting the right things the wrong way


Complexity is increasing; organizations deploy new code faster to production, often resulting in lower-quality products that are increasingly vulnerable to attacks. Cyberattacks on all kinds of businesses are on the rise, and every company, no matter its size, is at risk. One frequent pitfall is that developers use hashing but neglect to add a random salt. Their good intention of storing hashed instead of plain text passwords does not provide sufficient protection because, when adversaries access these hashed passwords, they can apply rainbow table attacks to recover the plain text passwords.


Protecting the right things, like passwords, the wrong way by using hashes without random salts creates a high security risk, and in the worst case, it could give attackers access to all stored passwords.
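To make the salt pitfall concrete, here is an added example (not code from this post or from the referenced book) that stores the same constructed passwords first as unsalted SHA-256 digests and then with a per-user random salt and PBKDF2. The user names, passwords, function names and the iteration count are assumptions chosen for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def hash_unsalted(password: str) -> str:
    """The pitfall: a fast, unsalted digest. Same password, same stored value."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, expected)


def precomputed_hits(stored: dict[str, str], table: dict[str, str]) -> dict[str, str]:
    """Return the accounts whose stored value appears in a precomputed digest table."""
    return {user: table[value] for user, value in stored.items() if value in table}


# Constructed sample data: two users happen to choose the same password.
SAMPLE_USERS = {"alice": "Summer2023!", "bob": "Summer2023!", "carol": "x9#Lq!v2Tz"}
# A digest table computed once, with no knowledge of this particular database.
TABLE = {hash_unsalted(p): p for p in ("password", "Summer2023!", "letmein")}

if __name__ == "__main__":
    unsalted = {u: hash_unsalted(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: hash_salted(p) for u, p in SAMPLE_USERS.items()}
    salted_hex = {u: digest.hex() for u, (_, digest) in salted.items()}
    print("unsalted entries found in table:", precomputed_hits(unsalted, TABLE))
    print("salted entries found in table:  ", precomputed_hits(salted_hex, TABLE))
    print("alice == bob (unsalted):", unsalted["alice"] == unsalted["bob"])
    print("alice == bob (salted):  ", salted_hex["alice"] == salted_hex["bob"])
```

The salt is stored next to the digest and is not secret; its job is to make every stored value unique so that a table computed once cannot be reused across accounts or databases.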


Your Takeaway


History has shown that cybersecurity enforced through compliance is not adequate. Re-think your cybersecurity controls because, as outlined in this blog post, protecting the wrong things, or the right things the wrong way, will not improve your security posture. Remember that cybersecurity is a process and must become part of your planning and development process.


Keep up the great work!












