The Best (Security) Things in Life are Free

I wasn’t sure there was any more to say here, and if you are reading this, I am totally riding on the interest in this news. Don’t click away just yet, I think there are some important lessons here that are missed in the hearings, the media and the analysis. Events like Colonial Pipeline offer us a window into how ransomware happens, that we don’t often get to see through. Lower profile companies don’t talk about ransomware events at all, and big companies worthy of the news cycle play fast and loose about “what happened” to manage their PR.

I know business executives do worry about these big media stories because they ask us, and so much of the time we have nothing specific to discuss as the details are secret. In this case, presumably due to the congressional hearings involved, we have surprising candor about the investigation both from the vendors investigating and from the CEO of Colonial Pipeline, Joseph Blount. By the questions and implied conclusions, we hear the familiar ring of the need for more compliance, regulations and oversight. Maybe that is coming to your industry, and perhaps it might even be effective. But the conclusion for you, the onlooker looking to protect your business interests? It’s completely ignored, too boring to talk about and too esoteric to implement. And it’s virtually free. What could that possibly be, you ask? Culture and habits. I can see you nodding off already…

Before your nap, let me take just a brief step back to how we got here, where all the budget and fancy tools in the world led to an epic ransomware event that started, to paraphrase Mr. Blount, from a “legacy VPN account not secured with multi-factor authentication (MFA) that wasn’t supposed to be in use”. I’m a very practical cybersecurity guy. Really I’m a straight IT guy trained in cybersecurity. I typically clash with the security guys. They want to talk about the tools and technology, the cool stuff! I want to talk about the basics. For about a decade I have been saying “don’t do the advanced stuff before you get the basics down.”

You see, up until about a decade ago, IT did mostly have the basics down. IT and security were the same team, the same people. It was a simpler time! The technician helping you was allowed to say “No, we can’t do that”. Along the way of turning technology into a business advantage (a good thing) that became unacceptable. IT is to serve the needs of the business and tech support needs to say “yes”. Even if perhaps, that “yes” compromises security. The response to this trend, and to the rise of hackers monetizing it, was to put cybersecurity into its own role or department. More specialized knowledge was needed, and the “no” people needed to be separated from the “yes” people. To save you the time, I won’t go into the myriad problems this causes, and the reasons why. The bottom line is, you can’t simply bolt security on to the company or the IT dept. It doesn’t work. And we know this, because the failure here is not one of cybersecurity, or at least only partially. The real failure is one of culture and habit, of IT and the organization as a whole. I’ve been doing tech for 22 years so allow me to speculate a little and restate Mr. Blount’s diplomatic quote for you: “An employee left the company but we didn’t disable their account, and we have this old remote access VPN hanging around that the account had access to”. There is probably a $100,000 tool the security dept. could buy to find and close that hole. Or you could, say, just disable former employee accounts and remove “legacy” remote access or secure it, which would be free. I am willing to bet real money there is at least one internal policy, and one compliance regulation applicable to Colonial Pipeline, that states “disable departing employee accounts”. All that is missing is the culture and habit to follow one’s own rules.

This situation is both disheartening to me and, personally, a bit encouraging. I’m disappointed that these things happen at all, when we know the solution, which comes down to basically doing what you say you will do, while the focus of the public story centers around more standards and regulation. But I’m encouraged personally that the work we are doing at Rx-IT is truly impactful. We aim to be accountable as IT and security for our customers, around managing the departed employees, old legacy systems, and other exceptions that open an organization up to these types of events. We make it our culture and habit. We set up systems where the exceptions have to be actively granted, and where our staff is not overworked and has the time and empowerment to bring up the issues and deal with them. We say “no” if it needs to be said. IT and security are the same team. It’s boring stuff and it’s free. Mr. Blount worries about how “the smaller and less sophisticated companies” avoid the same outcome as Colonial Pipeline. Honestly I am more worried about the big targets like Colonial than Mr. Blount needs to worry about us and our customers. I’m not dumping on him. The larger the org, the more complex the task. And we are far from perfect as well; there is much work to be done and we will keep doing it. My point is the solution is not one of budget and scale, it’s the same solution available to everyone.

What to do? Well if you outsource IT, call Rx-IT! Had to get that in there. But seriously, gather your IT and security people together. Get them on the same team, formally or not. Make sure they have defined the “no” and “yes” lines for IT and empower them to enforce them. IT should be incentivized to call out the problems, those old accounts and legacy systems. Security has to hunt for those; the IT people on the ground already know they are there. It’s a problem, but it’s not their problem. You may need an audit to tell you where you are in following processes: If you have MFA, does *everything* have MFA? What are the exceptions and who decided to take that risk? Are all accounts not in use being disabled? IT needs to answer these. Security is there to guide the policies, but the processes belong to IT. There is little motivation in many cases for IT to close these “holes”, so you need to make it a priority however you do that in your organization. Lastly, don’t understaff! IT departments frequently don’t have the manpower to do anything beyond solving helpdesk issues and keeping the lights on. We see similar issues with competitors in the outsourced IT space. It can be hard to explain to a CEO the difference between staffing to do the job right and staffing for an attractive cost. It’s hard to tell the difference, but if you have not fallen asleep this far, now you know!
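The audit questions above (does everything have MFA, what are the approved exceptions, are unused and departed-employee accounts disabled, who still holds legacy remote access) are simple enough to answer with a script against an export of your identity system. The block below is an added example written for this page, not Rx-IT’s tooling or anything Colonial Pipeline used. It assumes a hypothetical account export already flattened into `Account` records (the fields, the sample accounts, the `legacy-vpn` label and the approver names are all constructed for illustration); in practice the records would come from your directory or identity provider.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    """One row of a hypothetical identity-system export (constructed shape)."""
    username: str
    enabled: bool
    mfa_enforced: bool
    last_login: Optional[date]        # None means the account has never logged in
    termination_date: Optional[date]  # None means the person is still employed
    access: tuple = ()                # remote-access entitlements, e.g. ("legacy-vpn",)


# Constructed sample data: the failure modes the post describes, side by side.
TODAY = date(2021, 6, 1)
ACCOUNTS = [
    Account("alice", True, True, date(2021, 5, 30), None, ("vpn",)),
    # departed employee whose account was never disabled, on a legacy VPN without MFA
    Account("bob", True, False, date(2021, 2, 10), date(2021, 3, 1), ("legacy-vpn",)),
    # departed employee handled correctly: disabled at termination
    Account("carol", False, False, date(2020, 9, 1), date(2020, 10, 15), ("legacy-vpn",)),
    # provisioned but never used, and no MFA
    Account("dave", True, False, None, None, ("vpn",)),
    # service account with a documented MFA exception (constructed approver below)
    Account("svc-backup", True, False, date(2021, 1, 1), None, ("backup",)),
]
# "Who decided to take that risk?" - approved exceptions must be recorded with an owner.
APPROVED_MFA_EXCEPTIONS = {"svc-backup": "risk accepted by CISO (constructed)"}


def departed_still_enabled(accounts, today):
    """Accounts whose owner has left but that were never disabled."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.termination_date is not None and a.termination_date <= today)


def missing_mfa(accounts):
    """Enabled accounts that are not covered by MFA, exceptions included."""
    return sorted(a.username for a in accounts if a.enabled and not a.mfa_enforced)


def stale_accounts(accounts, today, max_idle_days=90):
    """Enabled accounts with no login inside the idle window (never-used accounts count as stale)."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a.username for a in accounts
                  if a.enabled and (a.last_login is None or a.last_login < cutoff))


def legacy_access_holders(accounts, legacy_labels=("legacy-vpn",)):
    """Enabled accounts that still hold an entitlement tagged as legacy remote access."""
    return sorted(a.username for a in accounts
                  if a.enabled and any(label in legacy_labels for label in a.access))


def audit(accounts, today, approved_exceptions=None, max_idle_days=90):
    """Answer the post's audit questions and separate approved exceptions from unexplained gaps."""
    approved = approved_exceptions or {}
    gaps = missing_mfa(accounts)
    return {
        "departed_still_enabled": departed_still_enabled(accounts, today),
        "mfa_gaps_unapproved": [u for u in gaps if u not in approved],
        "mfa_gaps_approved": {u: approved[u] for u in gaps if u in approved},
        "stale_accounts": stale_accounts(accounts, today, max_idle_days),
        "legacy_access_holders": legacy_access_holders(accounts),
    }


if __name__ == "__main__":
    for finding, value in audit(ACCOUNTS, TODAY, APPROVED_MFA_EXCEPTIONS).items():
        print(f"{finding}: {value}")
```

Every list the report produces is something the IT people on the ground can act on directly: disable the departed accounts, enforce MFA or get a named owner to sign off on the exception, and retire the legacy entitlements. Running it on a schedule and treating a non-empty `departed_still_enabled` or `mfa_gaps_unapproved` as a failed check is the “habit” part; the script itself costs nothing.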