Many breaches could have been prevented or better mitigated if organizations took basic security steps, such as properly salting and hashing passwords, getting users to pick strong passwords, requiring two-factor authentication for access and patching critical vulnerabilities in a timely manner. But so many breaches continue to demonstrate how even these no-brainer security controls so often aren't employed (see Why Are We So Stupid About Passwords?).
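The first control in that list, properly salting and hashing passwords, is concrete enough to show in code. What follows is an added example, not code from the article or from Tenable: it contrasts the fast, unsalted hash that still turns up in breach dumps with a per-user salted, iterated PBKDF2 record, and shows why the former lets one dictionary pass crack every user at once. The record format, the iteration count, the sample user table and the wordlist are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example; tune iterations to your hardware so one
# verification costs on the order of a hundred milliseconds.
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_md5(password: str) -> str:
    """The legacy pattern: one fast digest, no salt, identical for identical passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(table: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """One hash per candidate word cracks every user sharing that password.

    `table` maps username -> unsalted MD5 hex. Returns username -> recovered password.
    """
    lookup = {unsalted_md5(word): word for word in wordlist}  # built once, reused for all rows
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Store a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per user means equal passwords produce unequal records,
    so a precomputed table or a single dictionary pass no longer covers everyone.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        n = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed rather than raise
    if algo != "pbkdf2_sha256" or n <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, n)
    return hmac.compare_digest(candidate, expected)


def salted_records_differ(password: str) -> bool:
    """Two users with the same password must not produce the same stored record."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample data: three users, two of whom picked the same weak password.
    legacy_table = {
        "alice": unsalted_md5("password"),
        "bob": unsalted_md5("password"),
        "carol": unsalted_md5("Tr0ub4dor&3"),
    }
    wordlist = ["123456", "password", "letmein", "qwerty"]
    print("cracked from unsalted table:", crack_unsalted(legacy_table, wordlist))

    rec = hash_password("password", iterations=10_000)  # lower count only to keep the demo quick
    print("salted record:", rec)
    print("verify right password:", verify_password("password", rec))
    print("verify wrong password:", verify_password("passw0rd", rec))
    print("same password, different records:", salted_records_differ("password"))
```

PBKDF2 is used here because it ships in the Python standard library and is acceptable when the iteration count is high; for new systems a memory-hard function such as Argon2id or scrypt (also available as `hashlib.scrypt`) is the better default. The point the example makes is the same either way: per-user salt plus a deliberately slow function, never a bare fast digest.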
As a result, it can feel like information security déjà vu all over again as security professionals fight so many of the same battles that they were fighting 10 or even 20 years ago, says Cris Thomas, a strategist at vulnerability detection system provider Tenable Network Security who's better known by his "Space Rogue" white hat hacker handle. "We have the knowledge and technology, but for whatever reason, it's not being applied. That still leaves people at risk," he says.
Furthermore, it's unclear how this problem might get remedied, despite the mega-breaches of Target, Home Depot, the U.S. Office of Personnel Management and countless others. "We've had hundreds of wake-up calls," he says. "Either the alarm is not loud enough, or [we] just keep hitting the snooze button."
In this interview with Information Security Media Group at the recent Infosec Europe conference in London, Thomas discusses:
Organizations' failure to sort out passwords, patches and securing critical data; why the "defense in depth" model is irrevocably broken; the never-ending need for greater visibility into systems and networks; and Internet of Things security challenges.

Before joining Tenable Network Security, Thomas served as threat intelligence manager at Trustwave and as the editor of Hacker News Network, which he created. He also was a member of the pioneering security research think tank L0pht Heavy Industries and a co-founder of the internet security consultancy @stake.