Page 19 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
A Common Weakness
One area that is a common weakness in enterprise security is lack of attention to technology lifecycle
management. The practice of keeping a meticulous inventory of what hardware, software, and
applications an organization is running, and then making sure everything is up-to-date, patched, and then
properly retired when obsolete or no longer needed is not one of the more glamorous aspects of
cybersecurity, but it is a vital component to a successful security strategy.
The results of poor tech lifecycle management were illustrated when the financial services firm Morgan
Stanley was hit with a $60 million fine by the U.S. Comptroller of the Currency in October of 2020 for
improper disposal of servers from a data center the company had decommissioned. Some of the
equipment was sold to a third party and found to still contain unsecured customer data for as many as
15 million customers. That led to a class action lawsuit in which the courts found in favor of the plaintiffs
for an additional $60 million announced on January 3, 2022.
While it is unclear whether the personally identifiable information (PII) of those customers was unsecured,
or if the security status of the data was simply unverifiable, authorities require evidence of encryption,
and so the assumption is that the data was compromised. A thorough lifecycle management process
would have prompted the data on those systems to be rendered unrecoverable, and with proper data
management processes in place, actions like encryption and documentation would have provided an
auditable record to satisfy regulators that security and privacy laws were followed.
Meticulous Management
That is why it’s important to meticulously manage data—and the systems that store and move it—in order
to avoid these kinds of incidents. When older technologies become obsolete, and their makers decide to
end support, those systems become vulnerable to cybercriminals who target organizations known to use
them. The dangers of using old, unsupported tech were illustrated when, in early 2020, an unsupported
version of a file transfer appliance sold by Accellion was the focus of attacks by ransomware gangs.
Organizations around the world were affected, including retail, industrial, healthcare, academic,
government, and financial services. (Coincidentally, Morgan Stanley was one of the organizations
breached by attacks on the vulnerable appliance.)
Of course, technology lifecycle management is the responsibility of both the vendor and the user, and
information from a vendor is critical to preparing for and responding to issues like patching, end of
support, and upgrades. While reports suggest that Accellion may have been less than forthcoming with
the status of their technology, another vendor in the data management space demonstrated a more
responsible posture when it decided to discontinue one of its products.
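The two failure modes described on this page, systems left running past vendor end of support (the Accellion appliance) and hardware retired without auditable evidence that its data was sanitized or encrypted (the Morgan Stanley servers), are both catchable with a routine review of the asset inventory. The following added example, not from the magazine or any vendor, runs such a review over a constructed inventory; the record fields, asset names and dates are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed inventory record; field names are assumptions for this example.
@dataclass
class Asset:
    name: str
    status: str                              # "active" or "decommissioned"
    end_of_support: Optional[date]           # vendor-published date, None if unknown
    encrypted_at_rest: bool = False          # documented full-disk/volume encryption
    sanitization_cert: Optional[str] = None  # reference to a signed wipe/destruction record

def lifecycle_findings(assets, today):
    """Return (asset name, finding) pairs for lifecycle gaps an auditor would flag."""
    findings = []
    for a in assets:
        if a.status == "active":
            if a.end_of_support is None:
                findings.append((a.name, "no end-of-support date on record"))
            elif a.end_of_support <= today:
                findings.append((a.name, "running past vendor end of support"))
        elif a.status == "decommissioned":
            # Retired gear needs an auditable record; encryption alone is weaker evidence.
            if a.sanitization_cert is None and not a.encrypted_at_rest:
                findings.append((a.name, "retired without evidence of sanitization or encryption"))
            elif a.sanitization_cert is None:
                findings.append((a.name, "retired without sanitization record; only encryption evidence"))
    return findings

# Constructed sample inventory (hypothetical assets and dates).
AS_OF = date(2022, 1, 3)
SAMPLE = [
    Asset("fta-01", "active", date(2020, 4, 30)),                 # appliance past vendor support
    Asset("web-02", "active", date(2025, 1, 1)),                  # supported, no finding
    Asset("legacy-app", "active", None),                          # support status never recorded
    Asset("db-07", "decommissioned", None),                       # sold on with no wipe record
    Asset("db-08", "decommissioned", None, encrypted_at_rest=True),
    Asset("db-09", "decommissioned", None, sanitization_cert="WIPE-2021-0042"),
]

if __name__ == "__main__":
    for name, finding in lifecycle_findings(SAMPLE, AS_OF):
        print(f"{name}: {finding}")
```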