The Digital Ship is Full of Leaks. But There Are Ways to Keep it Afloat.

Years ago, while anchoring the CBS Evening News during an on-air mishap, Dan Rather made an offhand remark, observing that “To err is human.  But to really screw up, you need a computer.” 

His observation was, to be sure, somewhat facetious, but its underlying truth is undeniable: digital technology has a real power to amplify small mistakes and oversights into massive ones. Today's technology, particularly at a time of wholesale digital transformation, has expanded the attack surface enormously, and it keeps expanding all the time, frequently exceeding the bandwidth of human operators to triage which threats are the most critical. Worse, what appears to be a 'threat' may be a false positive (and what was waved through may be a false negative), so a hasty 'fix' can end up blocking legitimate activity along with the bad.

Managing the functions of IT systematically is a huge challenge, and it has been made even more difficult by the accelerated pace of software development and delivery, a la DevOps. Not surprisingly, the combined effects of speed and complexity erode security practices, increasing the likelihood that sensitive information such as data, code and credentials becomes exposed online. According to research conducted by Google (PDF), elite performing organizations typically deploy software updates to their end users many times a day. That is a lot of opportunity for error.

One of the biggest risks to organizations comes from the teams of developers, both internal and external, working on their IT projects. Research from North Carolina State University (PDF) found that digital secrets, such as passwords, cryptographic keys, API keys and access credentials, leak on development platforms such as GitHub thousands of times a day, across more than 100,000 code repositories. A prime example is Uber's 2016 breach, in which attackers gained access to a private GitHub repository used by the company's developers and found, inside the code, credentials that let them into Uber's cloud storage. Beyond that, employees can inadvertently commit sensitive technical data to public repositories too: proprietary code, internal network details and production code, a problem that is particularly rampant where there are no clear internal security policies or guidance on what should and should not be shared.

What it amounts to is this: while there is a significant amount of cybercrime, and countless individuals and groups who maliciously attack the data of companies and institutions, their dirty work is often enabled by the inadvertent errors of honest employees who are rushed to deliver software updates in an increasingly complex digital environment. And the opportunities for accidental exposure of sensitive information, already abundant, are compounded when multiple stakeholders work together online using collaborative tools without proper policies, oversight and security training.

At the same time, though, there are some reasonable and inexpensive steps an organization can take to minimize the threat of exposure. For example, monitoring for misplaced technical assets can be done either by a specialized contractor or with free, open-source tools such as git-hound or TruffleHog, which search repositories for leaked secrets and, when run before code is pushed, can help prevent the leak in the first place. Also, when using software collaboration tools like GitHub or GitLab, it is essential to check the platform settings: new repositories should default to private, organization settings should restrict who can create public repositories, and the platform's built-in secret scanning should be switched on so that a credential is flagged before it is published.
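To make the scanning step concrete, here is a minimal secret scanner of the kind git-hound and TruffleHog implement, runnable as a pre-commit check over staged changes. This is example code added for this column, not code from either of those tools or from any vendor. The token formats, rule names and entropy threshold are assumptions chosen for the example, and the sample lines it scans are constructed (the AWS access key ID is the example value from AWS's own documentation).

```python
"""Minimal secret scanner, runnable as a pre-commit check.

Added example, not TruffleHog, git-hound or vendor code. The rule set
(a few well-known token formats plus a Shannon-entropy heuristic) is an
assumed starter set, not an exhaustive catalogue.
"""
import math
import re
import subprocess
import sys

# Known token formats. Rule names are this example's own.
SIGNATURE_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # A quoted literal of 8+ characters assigned to a password-like name.
    # Reading the value from the environment does not match: there is no literal.
    "hardcoded-credential": re.compile(
        r"(?i)\b\w*(?:password|passwd|secret|token|api_key)\s*[:=]\s*[\"']([^\"']{8,})[\"']"
    ),
}

# Entropy heuristic: long base64-ish runs with high Shannon entropy look like
# generated secrets even when no signature matches. The threshold is assumed.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits per character


def shannon_entropy(s):
    """Shannon entropy of a string, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line):
    """Return the set of rule names that fire on one line of text."""
    hits = {name for name, rx in SIGNATURE_RULES.items() if rx.search(line)}
    if any(shannon_entropy(tok) >= ENTROPY_THRESHOLD
           for tok in CANDIDATE_RE.findall(line)):
        hits.add("high-entropy-string")
    return hits


def scan_text(text):
    """Return (line_number, line, rules) for every line with a finding."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings.append((no, line, hits))
    return findings


def scan_diff(diff_text):
    """Scan only the lines a change adds: '+' lines, minus the '+++' file header.

    Line numbers in the result count added lines, not lines of the target file.
    """
    added = [l[1:] for l in diff_text.splitlines()
             if l.startswith("+") and not l.startswith("+++")]
    return scan_text("\n".join(added))


# Constructed sample input. The AWS key is the example ID from AWS's documentation.
SAMPLE = "\n".join([
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'db_password = "correct-horse-battery"',
    'password = os.environ["DB_PASSWORD"]',          # fine: no literal in the code
    'CLIENT_ID = "Zq8xW3vT0mKpL2nYrB7jF9sHdA4cEgU6"',  # caught by entropy only
    "-----BEGIN RSA PRIVATE KEY-----",
])


def main(argv):
    if "--staged" in argv:
        # Pre-commit use: `git diff --cached` is exactly what is about to be committed.
        diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                              capture_output=True, text=True, check=True).stdout
        findings = scan_diff(diff)
    else:
        findings = scan_text(SAMPLE)
    for no, line, hits in findings:
        print(f"line {no}: {', '.join(sorted(hits))}: {line}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments it scans the constructed sample and flags four of the five lines; wired into `.git/hooks/pre-commit` as `python3 scan_secrets.py --staged`, its non-zero exit blocks the commit. The entropy rule is what catches the credential no signature knows about, and it is also the source of false positives (hashes, UUIDs, minified assets look random too), which is why such a check needs a tuned threshold and an allow-list rather than being trusted blindly.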

Automating the process of rapidly identifying and remediating unwanted code exposure is another option, with specialty services available from a growing number of providers. And finally, there is employee education and training. Many unintended leaks happen because an individual was never versed in company policy on securing technical data. Initial training and periodic refresher sessions can go a long way toward raising awareness of potential leaks and preventing the next major screw-up.

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.
