hackers aren’t getting better, so why do we keep getting hacked?
Over the last decade, it seems that hackers manage to get their hands on yet another several gigabytes of confidential data every few weeks. From adult dating sites, to companies big and small, to credit agencies, to law enforcement and military agencies, to politicians and national governments, no one seems safe from the prowess of cyber criminals. Given media portrayals of hackers, you would be forgiven for assuming that these black hats are an unstoppable force of nature who make a sport of overcoming every roadblock thrown their way, from encryption, to two-factor authentication, to long, complex passwords. And you would be wrong. The reason why we keep getting hacked has little to do with the hackers’ prowess.
Now, this is not to say that extremely advanced and complicated hacks don’t exist, or that we haven’t seen some terrifying ways to bypass security at relevant conferences. There’s a thriving black market which sells newly found exploits used to fill unsuspecting users’ computers and phones with viruses and worms, and governments today are using those exploits to damage their adversaries’ capabilities and spy on them. However, if you dive into the postmortems of most data breaches in question, you’ll find people opening files they should’ve never opened, critical security updates delayed, administrators neglecting to change default login credentials, and well-known security bugs ignored or de-prioritized in favor of new features.
In fact, even in matters of national security, such as defending the computers that control power plants and grids from foreign powers, researchers complain that virtually every threat faced today could be mitigated just by following some basic cyber security practices. Unfortunately, users refuse to employ strong passwords, encrypt their data, stop inserting random USB sticks found lying around in the wild into their computers, or enable multi-factor authentication, and this attitude extends to the very top of major corporations and government agencies. Security gets a lot of lip service, and you may even be required by HR to sit through a tedious class on the subject, but its actual implementation is regularly shortchanged.
Coders are often rushed to develop new features at the expense of testing the software they’re writing because features are what sells while security is supposed to be baked in by default. Far too many crucial updates to servers and frameworks are ignored because testing and applying them is an expense that managers don’t want to have to justify. Even well documented bugs that can be used to steal data and track users are often put on back burners so management can push to deliver whatever was promised to executives and customers instead. This will vary from company to company, of course, but in shops where writing software is seen as a process of throwing enough bodies at a problem, these problems are endemic.
Far too often today, there’s a maniacal focus on cutting costs and maximizing profits. In and of itself, this isn’t a bad thing, but at some point, you have to start cutting corners to meet ever more aggressive deadlines, and the end product suffers. Customers and employers with Dom Pérignon tastes on a Natty Light budget, and investors demanding ever growing mountains of profit and product to serve as a symbol of a thriving economy, have flooded the world with cheap crap under glossy veneers. Store shelves are bursting with substandard products nobody really wants but has no choice but to buy thanks to runaway inflation and stagnant incomes, and our computers often run code created after aggressive cuts and rushed to completion.
As a result, hackers can employ automated scans to find old vulnerabilities and use common exploits, find unsecured endpoints, try default admin passwords to easily gain access to systems that should’ve been properly secured, and exfiltrate terabytes of sensitive and private data for fun and profit, while managers and bureaucrats put mitigations on to-do lists and go about their day. Add users who shrug at basic security hygiene and it’s no mystery why data breaches are now so common that we don’t even bother getting upset when they happen, assuming it’s just a matter of time before we’re affected by the next one. Forget the cat-and-mouse game of cyber security. The reality is more like shooting beer cans in your backyard.
How do we fix this sad state of affairs? The easiest and most blunt solution would be mandating stringent security reviews by regulatory agencies before software gets released. Unfortunately, this would add significant overhead and legal risk for both companies and governments while doing nothing to stop users from ignoring security recommendations. A better approach could involve forcing users to enable multi-factor authentication and use strong passwords, creating standard security tools for programmers, similar to encryption packages, which can be plugged into any software, and major fines for companies that couldn’t keep customer data safe from known, common exploits.
At this point, there’s no defense for shortchanging or ignoring digital security simply due to greed and sloth. With so much of our lives either online or otherwise facilitated by computers, hackers constantly nabbing hard drives full of medical, financial, and personal data should be a scandal and dealt with like the five-alarm fire it is. It’s one thing if a cybercriminal invents a new way to break encryption or hijack an established security protocol. But if the last time a server update was performed was five years ago, and a hacker used a decade-old script to get your users’ plaintext passwords, credit card numbers, and dates of birth, all because you wanted to save a little bit of cash, you have to face real and serious consequences.
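The plaintext-password problem in the paragraph above, and the "standard security tools that plug into any software" idea from the paragraph before it, come down to a few lines of code that already ship with the standard library. The following is an added example, not code from the original post: it contrasts a credential store that keeps passwords as-is (so a copy of the store is the passwords) with one that keeps only salted, iterated PBKDF2-HMAC-SHA256 hashes, and includes an audit helper that flags records still in the legacy format. The iteration count, the record format, and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumption: the commonly cited
# 600,000 iterations; tune it to what your login path can afford.
ITERATIONS = 600_000
# Record format (assumption): "<prefix>$<iterations>$<salt hex>$<hash hex>"
PREFIX = "pbkdf2_sha256"


def store_plaintext(store: Dict[str, str], username: str, password: str) -> None:
    """The failure mode the post describes: anyone who copies this store
    gets every password verbatim."""
    store[username] = password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, iterated hash and pack it with its own parameters,
    so the work factor can be raised later without breaking old records."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{PREFIX}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the parameters stored in the record and
    compare in constant time. Malformed records never verify."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != PREFIX:
        return False
    _, iterations, salt_hex, dk_hex = parts
    try:
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(dk, expected)


def store_hashed(store: Dict[str, str], username: str, password: str) -> None:
    """The fix: the store holds only the packed hash record."""
    store[username] = hash_password(password)


def unhashed_records(store: Dict[str, str]) -> List[str]:
    """Audit helper: usernames whose record is not in the hashed format,
    i.e. the legacy entries that still need migrating."""
    return [user for user, rec in store.items() if not rec.startswith(PREFIX + "$")]


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    legacy: Dict[str, str] = {}
    store_plaintext(legacy, "alice", "correct horse battery staple")
    fixed: Dict[str, str] = {}
    store_hashed(fixed, "alice", "correct horse battery staple")

    print("legacy records needing migration:", unhashed_records(legacy))
    print("fixed records needing migration:", unhashed_records(fixed))
    print("login with right password:", verify_password("correct horse battery staple", fixed["alice"]))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", fixed["alice"]))
```

Because each record carries its own iteration count and salt, two users with the same password get different records, a leaked copy of the store yields no reusable credentials, and the work factor can be raised for new logins without rewriting existing rows. The audit helper is the kind of check that turns "we'll get to it" into a countable backlog item.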