I’ve always had an interest in the humanities and social sciences, and in how they affect other domains through us, people. Science nowadays says that making mistakes is not only an opportunity for learning but also a time when our brains grow. So why do we keep making the same mistakes over and over again? The German philosopher Georg Hegel famously said: ‘We learn from history that we don’t learn from history.’ Learning, however, is one thing. Putting what you’ve learned into practice is another. Moreover, good intentions do not always lead to good consequences. I like this quote from Albert Camus: ‘Good intentions may do as much harm as malevolence if they lack understanding.’ In the case of cybersecurity, there is indeed a lack of understanding, but also negligence, disregard for some important aspects, and resistance to others, even though we’ve seen them before and we know there is a good chance they are going to hurt us, again!
The bad guys’ toolbox hasn’t fundamentally changed over the past decade or so. Look at threat reports and at what has been driving incidents and causing breaches over the years (in the DBIR, for instance), and you’ll realize that the same old foes (phishing, misconfiguration, authentication and privilege issues, etc.) won’t go away. We really need to get better at, first, admitting our mistakes and then learning from them. A phishing campaign, for instance, can be highly targeted at very well-researched victims and might deceive even the most experienced eye. You cannot possibly know those details in advance. A solid foundation, though, would be to take security awareness training (and re-training) seriously. In all of my jobs over the years, they make you watch the same information security video training year after year (a huge waste of time!), and sometimes they send test emails that are clearly not researched at all! It never took me more than a split second to disregard them. Everyone needs to put a lot more effort into that.
So here is a good list (from Trustwave) of some basic considerations for getting the foundation right. These are the main errors in dealing with cyber risk, some of which keep popping up in threat reports and should be tackled first and foremost. It also takes into account the fact that the threat landscape and attack surface have grown enormously with the cloud, IoT, mobility, and shadow IT. It’s a rather simple equation: the more assets, services, and applications there are, the less control you have, and the more holes there are for adversaries to exploit. One important aspect that’s missing from the list, IMHO, is what Michael Howard discussed in this article almost 20 years ago, describing how we need to reduce the amount of code that is exposed to future attacks by installing only the needed features of a product. This is even more critical today: apply that at every level of your environment, as much as you can, i.e., always enable only the strictly needed features of your environment, and keep monitoring it over time.
Working on the basics will also help with the attention deficit in cybersecurity. In almost all breaches and APT cases I have seen and read about over the years, IR teams do manage to find clear evidence of the attack in security control logs and alerts. This means it’s not a tooling issue per se, although those details can be sketchy and far apart (hence the moving-target description I’m talking about here). In many cases, these details go unnoticed, are not well understood, or are simply not connected to a monitoring system at all. It’s also easier to see them and connect the dots with the benefit of hindsight! That said, a solid foundation would be to tighten up monitoring and fine-tune it to reduce the noise to a minimum. Then, if your endpoint protection, IPS, or whatever other control is screaming at you, you know you had better pay attention.
My message here is: get the basics right first. Everyone will keep saying threats are getting more advanced and your attack surface is exploding. That will keep happening and is absolutely true, but you don’t need more tools for it; you need more discipline with the basics.