IT infrastructure – how it started
Photo by Adi Goldstein on Unsplash
IT has come a long way since “The Turing Machine” was invented in 1936 by Alan Turing.
The increasing semiconductors performance as well as the sinking production costs (ruled by Moore’s Law and Rock’s Law) have made computing accessible to everyone and have contributed to unparalleled technological progress in science, business, and society.
Large companies as well as small and medium-sized businesses quickly seized the economic potential of these technological breakthroughs and equipped themselves with increasingly complex and interconnected IT infrastructures and cloud services such as Azure/Microsoft 365, AWS, or Google Cloud.
The major drawback of this undeniable technical progress are increased operating and maintenance costs, but above all, the near impossible task of keeping on-premises systems «up to date» with current security standards and protected against external attacks that have evolved almost exponentially in recent years (The Fascinating Decade in Cybercrime: 2010 to 2020).
One way to overcome these problems is to create new positions such as CTO (Chief Technical Officer), System Administrators (SA), System Engineers (SE), and especially CISO (Chief Information Security Officer) to manage and secure these new modern IT infrastructures, as well as the introduction of management and security software.
Major corporations have the resources to invest in staff and know-how alongside with the new systems, but what about small and medium-sized businesses?
Unfortunately, often due to implementation and software licenses costs, or sometimes a lack of professional advice from their IT provider, and despite having an excellent patching strategy to keep their systems up to date, small and medium-sized businesses are increasingly exposed to security breaches impacting their business activity causing liability issues.
In December 2021, the Log4Shell (Zero-Day vulnerability in Log4j) cyber-attack clearly demonstrated that neither large companies nor small and medium-sized businesses were prepared for a rapid response to the threat mainly due “Unknown Knowns” (the things we think we know, that it turns out we did not) and “Unknown Unknowns” (the things we don’t know to know) in their IT Infrastructure and running Operating Systems (OS) and software (see also our earlier blog post IT-Sicherheit 2021 – Ein Rückblick).
The software companies managed within a reasonably short period of time to provide patches and/or workarounds to fix the flaw, but the general feeling was that we were trying to fly a kite in a storm.
IT professionals soon realized that besides the lack of “a good overview” of the running environment they managed, that often outdated OS and software were in production and never were updated and/or renewed due to high costs, or absence of regular maintenance, or just for the sake of “Never touch a running system!”…
CTOs, SA, SE and CISOs quickly understood that to thwart future cyberattacks of this magnitude, the IT infrastructures that they managed, had to undergo security vulnerability tests, drastic OS- and software inventories with tools like Greenbone Vulnerability Manager, the main goal being to wipe out “Unknown Knowns” and/or “Unknown Unknowns”.
Greenbone Vulnerability Manager is able to scan an entire IT infrastructure (Networks, Switches, Firewalls, Routers, Physical and Virtual Servers and Clients) for security flaws against a daily updated database of Common Vulnerabilities and Exposures (CVE) and allows rapidly, on a short term, to prepare effective remediation tasks to meet security and compliance standards, and on a longer term to plan a better firmware, operating systems, and software life cycle strategy.
Of course, this change of strategy has costs, and the question is: Who will pay the bill?
IT providers will have to make their customers aware of the new security issues and threats. They will have to offer them new security products to protect their infrastructure and make them understand that these services cannot be included in the classical maintenance contracts because of the additional costs for human know-how required for their implementation and day-to-day operation. They will need to convince their custormers that the sums invested in these security products are minimal compared to the costs generated by a partial or total cessation of activity following a successful cyber-attack, not to mention the loss customer confidence and bad reputation, especially when caused by missing security patches and old firmware.
An indirect consequence of the implementation of these new strategies is that IT professionals will have to invest in new technologies and resources which in the short term could mean cash outflow. But in the long term, an unprecedented return on investment as well as a notable gain in reputation in the IT industry will follow.
At Nexpert we have made this strategy change, as our main goal is improvement and seek for excellence.
“To improve is to change; to be perfect is to change often.» (Winston Churchill)
“Some organizations prepare for the unexpected. We expect the unprepared.” (Nexpert)