I read lists on the internet just like this one: “Top 10”… and they grab my attention. Lists are succinct and easy to read. When I read them, I breathe easy and imagine that cybersecurity is do-able. Here’s my list:
Attack your employees. Sorry. I wanted a catchy header for this one. But it is true: if you don’t subject your employees to phishing attacks, they won’t know what to do when they really do get phished. Put juicy emails in front of them and challenge them not to give up their credentials or click intriguing links. Your goal: paranoia. Sorry…again, but when it comes to email, paranoia is appropriate. Email is absolutely the easiest way into any organization. Some professional hackers or penetration testers (people who get paid to help organizations find security holes) say they haven’t had to use actual technical exploits in months because all they need to do anymore is craft attractive phishing emails.
Patch. Duh. (See “Remove Ingredients” below.) Apply software/OS updates. When you get done doing that, apply more software/OS updates. Rinse. Repeat. Why? A known exploit stops working against software that has been patched, and attackers have to go find and script something new.
Look for trouble. I believe the technical term is ‘threat hunting’. Basically, it means doing the painstaking work of looking for things that aren’t right. It means asking a lot of questions about your environment. Should these resources be communicating with each other? Why does that keep happening? Is there a pattern here? Are those resources more exposed than we think they are? What do we expect to see when vendors connect remotely? Is that what’s happening here? Is anyone using the service that is running on that resource? Can we shut it down? If we don’t look for trouble, we won’t find it. And if we don’t find it, trouble will find us.
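The questions above (“Should these resources be communicating?”, “Is there a pattern here?”, “Is anyone using that service?”) are easy to ask and tedious to answer by hand. The following is an added example, not code from the original post, that shows how a hunter would run them over flow records. The subnets, the policy of who is expected to talk to whom, the listening services and the flow records are all constructed for illustration.

```python
"""Threat-hunting checks over flow records: unexpected talkers, beaconing, unused services.

All data below is constructed sample data, not real traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds when the flow started
    src: str
    dst: str
    dport: int
    nbytes: int


# Hypothetical network layout.
WORKSTATIONS = ip_network("10.1.0.0/16")
SERVERS = ip_network("10.2.0.0/16")
VENDOR_VPN = ip_network("203.0.113.0/24")

# Hypothetical policy: (source range, destination range, allowed destination ports).
# "Should these resources be communicating with each other?" is answered against this list.
EXPECTED = [
    (WORKSTATIONS, SERVERS, {443, 445}),
    (VENDOR_VPN, ip_network("10.2.5.0/24"), {22}),   # vendors may SSH to one management subnet only
]

# Services we know are listening (host, port); constructed inventory.
LISTENING = {
    ("10.2.1.10", 443), ("10.2.1.10", 445), ("10.2.1.10", 3389),
    ("10.2.5.40", 22), ("10.2.1.10", 8080),
}

SAMPLE_FLOWS = [
    Flow(1000, "10.1.4.20", "10.2.1.10", 443, 5000),
    Flow(1060, "10.1.4.21", "10.2.1.10", 445, 9000),
    Flow(1100, "203.0.113.7", "10.2.5.40", 22, 3000),      # vendor SSH to management subnet: expected
    Flow(1200, "203.0.113.7", "10.2.1.10", 3389, 1500),    # vendor RDP to a non-management host
    Flow(1300, "10.1.4.20", "10.1.4.99", 445, 12000),      # workstation-to-workstation SMB, hourly
    Flow(4900, "10.1.4.20", "10.1.4.99", 445, 12000),
    Flow(8500, "10.1.4.20", "10.1.4.99", 445, 12000),
    Flow(12100, "10.1.4.20", "10.1.4.99", 445, 12000),
]


def is_expected(flow: Flow) -> bool:
    """True if some policy entry covers this source, destination and port."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    return any(s in sn and d in dn and flow.dport in ports for sn, dn, ports in EXPECTED)


def unexpected_flows(flows):
    """Flows that no policy entry explains; each one is a question to ask."""
    return [f for f in flows if not is_expected(f)]


def periodic_pairs(flows, min_count=3, tolerance=0.1):
    """'Why does that keep happening?': (src, dst, dport) tuples seen at a near-constant
    interval. Returns {key: mean interval in seconds} for keys whose gaps all lie
    within `tolerance` of the mean; beaconing malware and misconfigured jobs both show up here."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dst, f.dport)].append(f.ts)
    hits = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean and max(abs(g - mean) for g in gaps) <= tolerance * mean:
            hits[key] = mean
    return hits


def unused_services(flows, listening):
    """'Is anyone using the service on that resource? Can we shut it down?':
    listening (host, port) pairs that received no flow at all."""
    used = {(f.dst, f.dport) for f in flows}
    return set(listening) - used


if __name__ == "__main__":
    for f in unexpected_flows(SAMPLE_FLOWS):
        print("unexpected:", f)
    for key, interval in periodic_pairs(SAMPLE_FLOWS).items():
        print("periodic every %.0fs:" % interval, key)
    print("listening but unused:", unused_services(SAMPLE_FLOWS, LISTENING))
```

The point is the shape of the work, not the specific checks: every finding becomes a question for the owner of the resource (“is the vendor supposed to reach that host over RDP?”), and a service nobody talks to is a candidate for removal.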
Make reporting safe. Make it safe to report security issues. Your people are your best sensors, and if they’re not reporting what they see, the vast majority of issues won’t get addressed. If someone reports a security concern, listen and really try to understand what is happening. It may or may not be a big deal. What’s more important is preserving solid, reliable channels for communication. If your human sensors aren’t working, you’re finished.
Disagree. It’s okay to see things differently. Get in the habit of nurturing differences of opinion. This particular suggestion is easier said than done. It’s easier for everyone in the room to nod their heads in agreement. But this gets you mediocre solutions. Agreeing isn’t bad, but if agreeing is the goal, the right solutions or answers disappear.
Learn. This is my favorite. One big reason I enjoy working in cybersecurity is because learning is constant and unwavering. There’s no way you can defend the enterprise without curiosity and a desire to learn. Typically, attackers are curious, too, and if you’re not matching their curiosity with yours, it’s a lot harder to model threats and protect yourself. Also, make sure you don’t just read about security concepts. Take the time to work them out in practice. What does an attacker see when they run a port scan on one of your resources? Well, there’s only one way to find out. Do it yourself!
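To make the “do it yourself” concrete, here is an added example (not from the original post) of the simplest thing an attacker does: a TCP connect scan that also reads whatever banner the service volunteers. So that it runs offline and only against something you own, it starts a constructed stand-in service on a free loopback port, scans the ports around it, and reports what it saw. A real scanner such as nmap does far more (SYN scans, service fingerprinting), but the banner you see here is exactly the kind of thing an attacker collects first.

```python
"""Minimal TCP connect scan with banner grabbing, run against a loopback test service.

The listener and its banner are constructed for this example; only scan hosts you own.
"""
import socket
import threading


def start_banner_listener(banner: bytes):
    """Stand-in for a real service: accepts connections on a free loopback port,
    sends `banner`, and closes. Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)                 # so the accept loop can notice stop_event
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def scan(host: str, ports, timeout: float = 0.3) -> dict:
    """Connect scan: returns {port: banner} for every port that completes a TCP handshake.
    Banner is "" when the service says nothing before the read timeout."""
    found = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                try:
                    banner = s.recv(128)
                except OSError:         # includes socket.timeout: service waits for us to talk first
                    banner = b""
                found[port] = banner.decode("ascii", "replace").strip()
        except OSError:
            continue                    # connection refused or filtered: port is not open
    return found


def demo():
    """Start the constructed service, scan the ports around it, and return (port, results)."""
    port, stop = start_banner_listener(b"SSH-2.0-OpenSSH_8.9 (constructed banner)\r\n")
    try:
        return port, scan("127.0.0.1", range(port - 3, port + 4))
    finally:
        stop.set()


if __name__ == "__main__":
    port, results = demo()
    for p, banner in sorted(results.items()):
        print(f"{p}/tcp open  {banner or '(no banner)'}")
```

Run it once against loopback, then point `scan()` at one of your own hosts with a realistic port range and compare the result with what you believed was listening. The gap between those two lists is the lesson.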
Layers are Better. Just like hiking in the wilderness when it is cold, layers are better. In cybersecurity, we are reliant on technology, training, and transparency. These are high-level layers. Within each of these layers are more layers. We may be protected 80% of the time by teaching our employees about phishing attacks (training), but for the 20% of the time when an attacker gets through, we fail over to things like behavior-based detection technologies and network visibility tools (transparency and technology). And in many cases, our tools are useless if we don’t communicate. All these layers fit together. They are stronger together. And just like in hiking, you can find the perfect combination that will protect you from the elements and keep you from overheating.
Share Information. This goes along with learning, but is also a distinct ask. When we work in an area for a while, we tend to forget how much we know. It starts to feel like something that everyone knows or *should* know. Take stock of what you know and share it with others. Some of the most routine nuggets of knowledge are the most interesting to folks who work on other teams. “Have you seen how we use this security tool?” or “Would you like to see flow data that shows what resources are connecting to the system you own?” or “Would you like to see how this common, low-hanging-fruit attack is carried out?”
Remove Ingredients. (See “Patch” above.) Doing something to reduce surface area often doesn’t seem like a big deal. So much of diligence and risk mitigation is about taking out key ingredients. If an attacker would like to cook up an attack, they generally need several things available in their kitchen. It’s often hard to see how leaving salt or sugar sitting out is a big deal. But salt and sugar mixed with flour, water, eggs and the rest of the cake ingredients makes a cake (or an attack)! Whenever possible, don’t leave ingredients lying around, or remove them altogether. Shut down that admin port if you don’t need it! Use multi-factor authentication!
Breathe. So this list was meant to make cybersecurity feel do-able. If it didn’t do that for you, I apologize. No matter how insurmountable things get, don’t forget to breathe! Take stock of what you know and what you don’t. Be honest with yourself and others! Sure, time is of the essence, but if you don’t collect your thoughts and breathe, you can’t think clearly and others won’t really want to work with you either. The more centered you are, the more centered the folks around you will be…and there will be no limit to what you can accomplish together. Good luck!