5 Cyber Resilience Lessons We Re-Learned in 2021 (But Will Probably Forget)
With every year come new extraordinary technological innovations. Some of the most innovative, sadly, come from the minds of cyberattackers. And others help IT teams solve some old problems, but create new ones. But year in and year out, good fundamentals never go out of style.
2021 was no different. Here’s a look back at some of the year’s most devastating attacks, outages and cyber resilience failures, and the lessons we ought to learn from them (but probably won’t).
Beware of Misconfigurations. (And Segment Your Networks, Please.)
For six hours on Oct. 4, Facebook, Instagram, and WhatsApp went dark. Was it a sophisticated cyberattacker orchestrating a sophisticated denial of service? No. It was a simple routing protocol misconfiguration issue, exacerbated by a surprising lack of network segmentation.
Beware of ‘Valid Configuration Changes’ Sometimes, Too.
On June 8, Reddit, the New York Times, Amazon and other major websites were disrupted because of an outage at edge cloud platform Fastly. The cause was “an undiscovered software bug” set off by a valid customer configuration change. According to Fastly, a software deployment in May introduced a bug that could be, and was, set off by a valid, normal configuration change made by one customer.
AWS is ‘Too Big To Fail,’ And That’s Very Bad.
Speaking of cloud outages, Amazon Web Services experienced three outages in December alone. On December 7, a particularly bad outage disrupted wide swaths of the internet for more than seven hours. It affected EC2 and other AWS services, which caused disruptions and downtime for major AWS customers – like Netflix and Disney Plus – as well as Amazon’s own services, like Alexa, Ring, and its package delivery management. As Sid Nag, vice president of cloud services and technologies research for Gartner, told InformationWeek’s JP Ruth: “This was one of the largest since AWS started conducting business.”
The incidents raise questions about the reliability and resilience of the cloud and how to hold AWS and other major tech companies accountable for maintaining their infrastructure.
Patching Software is Hard. Make it Easier.
The complexities in the IT supply chain continue to make software patching more difficult. Security professionals’ 2020 holiday season, and much of 2021, were ruined by malicious security updates unknowingly administered by SolarWinds. A year later, another holiday was ruined, this time by a vulnerability in widely used third-party code.
Insurance Can’t Save You from Ransomware Attacks.
The ransomware attack on Colonial Pipeline in May showed that businesses’ risk assessments may lead them to decide to swallow their pride and pay a ransom. It also showed that, when pressed, people will pour gasoline into plastic shopping bags and that cyber insurers are fed up with holding the bag for multimillion-dollar ransom payments. As Richard Pallardy wrote for InformationWeek in October, “cyber criminals have taken note of cyber insurance itself as a potential revenue source, sometimes penetrating insurers in search of their client lists — a rich source of targets. This liability is, of course, passed along to the customer.”