Page 19 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

A Common Weakness

One area that is a common weakness in enterprise security is lack of attention to technology lifecycle management. The practice of keeping a meticulous inventory of what hardware, software, and applications an organization is running, and then making sure everything is up to date, patched, and properly retired when obsolete or no longer needed, is not one of the more glamorous aspects of cybersecurity, but it is a vital component of a successful security strategy.


The results of poor tech lifecycle management were illustrated when the financial services firm Morgan Stanley was hit with a $60 million fine by the U.S. Comptroller of the Currency in October of 2020 for improper disposal of servers from a data center the company had decommissioned. Some of the equipment was sold to a third party and found to still contain unsecured customer data for as many as 15 million customers. That led to a class action lawsuit in which the courts found in favor of the plaintiffs for an additional $60 million, announced on January 3, 2022.

While it is unclear whether the personally identifiable information (PII) of those customers was unsecured, or whether the security status of the data was simply unverifiable, authorities require evidence of encryption, and so the assumption is that the data was compromised. A thorough lifecycle management process would have prompted the data on those systems to be rendered unrecoverable, and with proper data management processes in place, actions like encryption and documentation would have provided an auditable record to satisfy regulators that security and privacy laws were followed.



Meticulous Management

That is why it’s important to meticulously manage data—and the systems that store and move it—in order to avoid these kinds of incidents. When older technologies become obsolete and their makers decide to end support, those systems become vulnerable to cybercriminals who target organizations known to use them. The dangers of using old, unsupported tech were illustrated when, in early 2020, an unsupported version of a file transfer appliance sold by Accellion was the focus of attacks by ransomware gangs. Organizations around the world were affected, including retail, industrial, healthcare, academic, government, and financial services. (Coincidentally, Morgan Stanley was one of the organizations breached by attacks on the vulnerable appliance.)
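The three failure modes this page describes (assets left running past vendor end of support, assets not kept patched, and decommissioned hardware with no auditable proof that its data was rendered unrecoverable) can all be caught by a routine check over the asset inventory. The following is an added example, not code from the magazine or from any vendor named above; the inventory, the product names, and the end-of-support dates are constructed for illustration, and the "sanitization record" fields (method, verified_by, date) are a hypothetical evidence schema, not a regulatory format.

```python
"""Lifecycle check over a hypothetical asset inventory (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Asset:
    asset_id: str
    product: str
    status: str                              # "active" or "decommissioned"
    last_patched: Optional[date] = None
    # Evidence that data on a retired asset was rendered unrecoverable.
    # Hypothetical schema: {"method": ..., "verified_by": ..., "date": ...}
    sanitization: Optional[dict] = None

# Hypothetical vendor end-of-support dates (constructed; not real product data).
END_OF_SUPPORT = {
    "legacy-fta-v1": date(2019, 6, 30),
    "fileserver-2022": date(2027, 12, 31),
}

# A decommissioning record must name the method, who verified it, and when,
# so that an auditor can trace the disposal rather than take it on trust.
REQUIRED_SANITIZATION_KEYS = {"method", "verified_by", "date"}

# Fixed reference date so the check is reproducible (constructed).
REFERENCE_DATE = date(2022, 4, 1)

def lifecycle_findings(assets, today, max_patch_age_days=90):
    """Return (asset_id, finding) pairs for assets that violate lifecycle policy."""
    findings = []
    for a in assets:
        if a.status == "decommissioned":
            # Retired hardware is only "done" when sanitization evidence exists.
            record = a.sanitization or {}
            if not REQUIRED_SANITIZATION_KEYS.issubset(record):
                findings.append((a.asset_id, "NO_SANITIZATION_EVIDENCE"))
            continue
        eos = END_OF_SUPPORT.get(a.product)
        if eos is None:
            # Unknown product: cannot reason about support status at all.
            findings.append((a.asset_id, "UNKNOWN_PRODUCT"))
        elif eos < today:
            findings.append((a.asset_id, "UNSUPPORTED"))
        if a.last_patched is None or (today - a.last_patched).days > max_patch_age_days:
            findings.append((a.asset_id, "PATCH_OVERDUE"))
    return findings

def sample_inventory():
    """Constructed inventory covering a healthy asset and each failure mode."""
    return [
        Asset("srv-001", "fileserver-2022", "active", last_patched=date(2022, 3, 15)),
        Asset("fta-007", "legacy-fta-v1", "active", last_patched=date(2021, 1, 10)),
        Asset("dc-old-42", "fileserver-2022", "decommissioned"),
        Asset("dc-old-43", "fileserver-2022", "decommissioned",
              sanitization={"method": "NIST SP 800-88 purge",
                            "verified_by": "itam-team", "date": "2021-11-02"}),
    ]

def demo_findings():
    """Run the check over the constructed inventory at the reference date."""
    return lifecycle_findings(sample_inventory(), REFERENCE_DATE)

if __name__ == "__main__":
    for asset_id, finding in demo_findings():
        print(f"{asset_id}: {finding}")
```

In a real environment the inventory would be pulled from the CMDB or asset-management system and the end-of-support table from the vendors' published lifecycle notices; the point of the check is that every asset ends in one of two auditable states, supported and patched, or retired with recorded sanitization evidence.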

Of course, technology lifecycle management is the responsibility of both the vendor and the user, and information from a vendor is critical to preparing for and responding to issues like patching, end of support, and upgrades. While reports suggest that Accellion may have been less than forthcoming about the status of its technology, another vendor in the data management space demonstrated a more responsible posture when it decided to discontinue one of its products.
