Recently I was reading about a ransomware attack on a company known as CDK. CDK is a software company that specializes in software for car dealerships. They were recently hit with a massive cyber attack that was most likely a ransomware-based attack.
CDK claims that it manages 2 petabytes of transaction data regarding cars. That is 2,000 terabytes, or 2,000,000 gigabytes. While it has not been confirmed how much of this, if any, the hackers made off with, it is very telling about a different philosophy on ransomware that some hackers have adopted. Instead of attacking business endpoints, like an actual car dealership, you can cast a much wider net by breaking into the backends of those businesses, specifically the makers of software for those businesses.
It goes to show how much our infrastructure is dependent on technology and just how vulnerable it really is. If you want a more recent example, look at an outage caused not by a hack, but by a cybersecurity company: CrowdStrike.
CrowdStrike makes security software for enterprise systems. They recently pushed out an update that caused Windows PCs running this software to hit a Blue Screen of Death. A lot of corporations use this software, and it's one of the only options that does what it does at the level it does. But that comes with an often overlooked vulnerability: human error. If you make a mistake in software you wrote, it's not gonna be catastrophic. If you make a mistake in software used by everyone, that’s going to be a disaster. In this case, human error got the better of someone and caused the downfall of a lot of the world's IT systems.
Both of these instances have shown that the issues that cast the widest net are ones in software. Potential ransoms and damages are much bigger if you hit an enterprise software company used by other companies rather than a small-time company, where the gain is smaller for basically the same amount of risk. Ransoming Google is just as illegal as ransoming a local grocery store chain.
Every year it feels like this year is the tipping point for cyber, but it never quite gets to the point where we consider the best way to fix it: making tech less usable and less consolidated. Sure, companies have been moving to the zero-trust model, but because of the size of certain companies, especially software vendors, one problem can still become a big problem pretty fast. What needs to be done is the one thing no one wants to do, as it will have the biggest effect on the bottom line: adding security measures that make things less usable.