We talk a lot about layered security, but what about it’s nemesis, layered stupidity? That’s when you see badness at so many levels in a business structure, that there really is no point in testing or evaluating security, because until change happens, they’re like a bank with no locks, guards, or cameras.
So there’s this company, who shall remain nameless…
First layer, basic security. People have got to do the simple stuff, and at least make an attempt at the SANS Top 20. If your security neglects even the simplest checks, you well deserve your fate. Why was nobody in the company howling about this when hacking is in the news every single day?
The second layer in the cake is outsourced infrastructure and security. The hosting / security provider responsible, somehow managed to run a regulated security business with no log file retention. How can a security company not keep log files? It’s so fundamental that the absence is absurd.
Layer three is the auditors. Both of these companies, the provider and the client, are subject to regulatory security requirements. Both of these companies are required to utilize outside security auditing, so what went wrong? Did they hire incompetent auditors creating the perfect hat-trick of stupidity? Perhaps the auditors noted the deficiencies, and thanks to lax governmental oversight, nobody bothered to fix anything because they knew unless something went wrong, nothing would be done.
Four goes to the board members of both companies, at least one of which reads a newspaper or watches the news. Did they really think hacking is a golf affliction? Board members are supposed to be wise advisors providing oversight and advice about things like security and regulatory compliance, otherwise, why are they paid to be the board? If you’re a board members anyplace, ask about security and know enough to be able to spot fruit-loopery when you see it.
Lastly, the customers of both companies should have noticed something was amiss. Both have been in business for a fair amount of time, have large client lists, most of whom are also regulated, yet none of them noticed the glaring lack of security to either company.
This, then, is a perfect storm of stupidity. Every single link in the chain of responsibility is weak or broken. Every layer of the cake is rotten.
Solutions are so easy. Hire good people. Ask questions. Put some effort into it. Demand your vendors adhere to security standards at least as rigorously as you do. Make sure it’s right. Security isn’t difficult if it’s done right. It’s a money saver.