CISA — the U.S. Department of Homeland Security agency responsible for strengthening cybersecurity and infrastructure protection — recently put out an advisory about the malicious use of legitimate remote monitoring and management software.
By gaining access to this software, hackers have the power to pull files, look at what you are doing, turn on your camera – in short, have full access to everything you have.
Some of the commentary around this advisory centered on the possibility that insurance companies would use it as a hook to deny coverage to businesses that use this kind of software, suggesting the software could become obsolete. But that is unrealistic. IT personnel need the ability to remotely access users' machines to conduct maintenance or troubleshooting.
So why are we issuing alerts and creating a negative buzz around an essential tool instead of addressing the need to tighten verification procedures dramatically?
Typosquatting presents the same kind of root problem. Why do we continue to allow people to register domains without requiring verification, when it’s clear that their intention is to harm the owner of the legitimate domain? Why do we continue to trust the user by default?
It’s not very difficult to implement tools that restrain users from clicking on the wrong thing – at the very least, popups notifying them that they are about to perform a certain action and asking whether they really want to do that. At least you’d have another stop sign that could help prevent unwanted access.
Infrastructure and email service providers don’t have a major incentive to block malicious actors, because people are paying to use their platforms, and there’s a lot of money involved. What’s more, people have been conditioned to look at these problems not as something to be solved, but as something to be skirted by addressing the symptoms with some new tool rather than addressing the root cause. As a result, the problems continue to snowball and there’s no end in sight.
I’m not saying we can eliminate these problems altogether, but if I can block them 80% or 90% of the time, then the bad actors will be dissuaded, because their modus operandi is to strike where it’s easy and take the path of least resistance. If you make it difficult for them, the general population would no longer be a target; only a small subset would be.
I’ve said this before, and I’ll say it again: the industry needs a consortium to act together to attack the root problem of overly easy access to our networks. We need to put together a framework to help establish ways to push back and, as CISOs, leverage that unity to demand that providers and vendors conform to that framework as the cost of doing business with us. It’s not enough to wring our hands over the situation. We must take action against it in a forceful way; otherwise, we will continue to be part of the problem.