Ransomware and other large-scale cyber attacks are a direct result of criminals capitalizing on security debt, says Dave Lewis, Global Security Advocate at Akamai Technologies. What Lewis is referring to is the security community’s tendency to become distracted by the latest threats and newest technology rather than focusing on fundamentals like patching or secure device configuration.
The problem with keeping up with the fundamentals, said Lewis during a video interview at Black Hat, is that they’re not easy: “The ‘just patch’ mantra is a unicorn.” However, teams that haven’t kept up with the basics allow vulnerabilities in their environments to become pervasive, and that’s when the compromises begin.
To lessen security debt and improve risk management, Lewis says organizations must first look at assets. “If you don’t understand the assets in your environment, how can you prioritize which systems are getting prioritized, in what order?” An accurate accounting for assets is the first step in understanding then managing risks specific to the organization. This isn’t a one-and-done project, though; risk management is an iterative cycle which, Lewis says, relies on people and processes—not the technology and its capabilities and limitations.
To learn more of Lewis’ recommendations, check out this short video.