The “Patch and Pray” Approach to Cybersecurity

On the front page of The New York Times of August 6, 2014, Nicole Perlroth and David Gelles published an article “Russian Hackers Steal Passwords of Billion Users: Data Still Vulnerable – 420,000 Sites, Big and Small, Were Targets, Firm Says.”

Usually I wait a week or two, or even a month or more, before commenting on such alarming news items. This gives time for the issues to percolate and ideas to form, as well as to see how others react, before presenting my own comments and views. However, I recently opined on Ms. Perlroth’s stark statements about the unenviable and untenable role in which many CISOs find themselves just one week after that pronouncement in the July 21, 2014 NYT. And I now find myself giving voice to my views on the uncovering of what is apparently the biggest known hack to date, as described by Perlroth and Gelles, as well as some thoughts on the accompanying article by Molly Wood about “Keeping Confidential Personal Data Out of Hackers’ Hands.”

First off, the reported method used to hack some 420,000 websites, namely SQL injection, has been around for a long time (16 years according to Wikipedia), yet “injection” still remains at the top of the list for 2013 on OWASP’s ranking of the top ten most critical web application security risks. You would think that, after 16 years, we would have at least resolved this security risk.

Secondly, Ms. Wood tells everyone that they should change their passwords and replace them with hard-to-guess anagrams, except that at the end of the article she poses the question “How can I stop my information from being stolen in the first place?” and answers it with the stark statement: “Increasingly, you cannot …”

The Perlroth/Gelles article ends with a quote by Lilian Ablon of the RAND Corporation, who says “The ability to attack is certainly outpacing the ability to defend … We’re constantly playing this cat and mouse game, but ultimately companies just patch and pray.” Since when has prayer become a tool of choice for InfoSec professionals?

Those who are knowledgeable about the dire straits in which cybersecurity finds itself, such as Vice Admiral Michael McConnell (USN, Ret.), have testified that nothing significant will be done to defend ourselves from cyber attacks until we experience “the big one.” I describe this in my March 29, 2010 BlogInfoSec column “Cybergeddon … Ho Hum.”

Is this attack “the big one”? I really doubt it. Theft of sensitive information is serious but generally not very dramatic. The inconvenience and suffering so administered tends to be private and minimally reported. No, “the big one” will be when a significant chunk, if not all, of the Internet is down and out for a long period of time … perhaps weeks.

With government and business having frittered away so many opportunities to do it right the first time by building security into the software development lifecycle, the problem has become so enormous that it would surely cost hundreds of billions, if not trillions, of dollars to retrofit strong security on all existing critical applications. Is there an appetite for such an expenditure, not to mention the huge inconvenience and loss of revenues, as unacceptable applications are dry-docked for repair and new applications are rescheduled for later (much later?) delivery? No. It happened for Y2K, but that was a much smaller issue, which was easy to define, had a specific deadline, and could be readily remediated, even though the cost was purportedly in the $200-$300 billion range. This time around, the problem is much more complex and difficult to deal with and would cost orders of magnitude more to try to fix.

So what is the answer? Patch and pray? Perhaps we need to add a member of the clergy to our cybersecurity teams. But remember, the bad guys also have access to clergy, and they are praying that their attacks will be successful!

One Comment

  1. Jessica Dodson Aug 26, 2014 at 2:46 pm

    “No, “the big one” will be when a significant chunk, if not all, of the Internet is down and out for a long period of time … perhaps weeks.”

    I wonder how much money has to be lost for it to be the “big one.” If a bank were somehow compromised, not a retailer but the actual bank or credit card company, you can bet cybersecurity would get a big push to the foreground!
