“Nobody is denying that the Internet is one of the most extraordinary innovations in history,” Phil Quade says, as he discusses a theme that runs throughout his new book The Digital Big Bang. “But that doesn’t make it perfect.”
As a leading cybersecurity expert, Quade balances his admiration for the development and proliferation of the Internet with a surgeon’s view of its weaknesses, blind spots and serious liabilities. Throughout the book, he is joined by some of the leading voices in cybersecurity who offer expert insights into addressing these challenges.
“The five ideas that form the backbone of cybersecurity are authentication, data integrity, nonrepudiation, availability, and confidentiality,” writes Mike McConnell, former director of national intelligence. “The single most important is authentication.”
When the Internet was being developed as a communications tool for the Department of Defense, everybody knew everybody who was using it—they were all colleagues with high security clearances.
“The moment the Internet expanded its group of users, all sorts of grift, deception and manipulation became possible,” Quade said. “That’s why authenticating that people are who they say they are is so important. More than 92 percent of all malware is delivered by phishing.”
Once a vulnerability of a network or system has been exploited through lack of authentication, it needs to be patched.
“Patches are small pieces of software that are distributed after a vulnerability has been detected to close it back up,” Quade says. “But, as everyone knows, you actually have to install them. And it is shocking how often people simply don’t do it.”
“Nearly all successful attacks and network breaches start by compromising a vulnerable system for which a patch or update has been available for weeks, months, and sometimes even years,” writes Chris Richter, former vice president of global security at CenturyLink. “And yet one of the biggest misconceptions about patching is that it’s an optional task for protecting your organization from cyberattacks.”
These breaches include some of the most destructive cyberattacks in recent memory, among them Heartbleed, WannaCry, NotPetya, Spectre, and Meltdown. All exploited vulnerabilities for which patches had already been issued. In other cases, attacks intensified because security patches were not installed even after the attacks became known.
“But for clarity, patching at this level is not just clicking ‘update’ on your phone and plugging it in overnight,” Quade says. “It can be a complicated process. And there is a direct connection from failure to patch to a lack of cybersecurity experts to maintain such complicated systems.”
“One of the most significant challenges facing today’s organizations is the cybersecurity skills gap,” writes Chris McDaniels, CEO of CT Cubed Inc. “There are too few qualified professionals to fill all of the available seats, and there isn’t really a suitable process in place to create them. To address this challenge, technical security training is a critical component of any business strategy, especially for an MSSP (managed security service provider), which needs a large, diverse, and skilled security staff.”
“When there is a scarcity of cybersecurity talent, it places a premium on those skills,” Quade says. “A war for talent erupts, with big companies able to pay more—leaving smaller companies without cybersecurity professionals. When smaller companies are forced to make do as best they can with limited resources, they become points of entry for cybercriminals who work their way up to more valuable targets. It all comes back, once again, to the principle of connectivity.”
Reserve a copy of Phil Quade’s new book “The Digital Big Bang: The Hard Stuff, the Soft Stuff, and the Future of Cybersecurity.”