You Can't Operate In the Same Threat Environment Twice

Stepping Stones, River Derwent

A man cannot step into the same river twice, because it is not the same river, and he is not the same man. -Heraclitus.

You can't operate in the same threat environment twice.

This is a message we have to deliver at Pythia Cyber and then pretend that we can't tell that people are rolling their eyes. At this point, we will try anything--even plagiarizing ancient Greek philosophers--to get people to take this seriously: cybersecurity is never done. You never get to say "steady as she goes." This is because what you are up against is always changing and you have to change with it or live with gaping holes in your cybersecurity.

What you are up against is the combination of new bugs in new or updated software, the bored hobbyists and professional criminals and state-sponsored hackers looking for those bugs and possibly old, yet-to-be-discovered bugs and aging hardware's vulnerabilities and new hardware's vulnerabilities and weather events and power grid issues and good old-fashioned well-meaning human errors inside and outside of your organization and even the odd angry or corrupt insider.

Not only is it depressing to dwell on all this, but it is a large number of words, which is why cybersecurity people so often use the soothing jargon of "threat environment." This is what we mean by "ever-changing threat environment." Which is less scary than that long list of things that could go wrong or be used against you, but which still refers to that long list of things that could go wrong or be used against you.

There are two senses in which the threat environment is changing: there are new threats posed by new people, software, hardware and ways of doing things. Let's call these "novel threats." There are also new threats caused by the passage of time. Let's call these "emerging threats."

Novel threats are probably easy for you to understand: someone has discovered a problem with something you use and bad people are exploiting that problem to do bad things. Something is new and it is bad and you should respond. You need to patch or update or replace or change your behavior or all of the above. Novel threats are tracked by lots of organizations and if you accept the fact that you have to keep an eye out and an ear to the ground until you retire, you should be able to stay on top of these.

Emerging threats are a bit trickier. Remember a few years ago when you chose that encryption standard for that particular job? No, you don't, because why would you? Back then the encryption you chose was fine: currently available computers needed years to break that standard, and that was secure enough. But over time computers have gotten faster, cheaper and easier to access. That standard, through no fault of its own, is now garbage. A random bored teenager can decrypt your messages in a matter of hours, if not minutes. You really should upgrade your encryption to something more current. But in order to do that, the following has to happen:

  1. You have to remember or notice that these systems are out-of-date
  2. You have to be able to upgrade or update BOTH ENDS AT THE SAME TIME
  3. You have to have the bandwidth to make this a project or task and then do it

The icky part is step one: as paratroopers used to say, watch that first step because it is a doozy. The systems in question are running just fine (so far as you can tell). There is no instigating problem. There is no flashing red light or blaring alarm. There is just a change in the threat environment, a quiet, predictable, foreseeable emergence of a new threat, based on old assumptions.
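One way to make step 1 routine, shown as an added example (not Pythia Cyber's code): a periodic audit over a crypto inventory that flags deprecated algorithms, short RSA keys and overdue reviews, and lists every endpoint of an affected link so both ends can be scheduled together. The inventory rows, host names, review interval and policy set are constructed assumptions.

```python
from datetime import date

# Assumed policy: algorithms and protocol versions widely treated as deprecated.
DEPRECATED = {"DES", "3DES", "RC4", "MD5", "SHA1", "TLS1.0", "TLS1.1"}
MIN_RSA_BITS = 2048
MAX_REVIEW_AGE_DAYS = 365  # assumed review interval

# Constructed inventory: one row per endpoint of an encrypted link.
INVENTORY = [
    {"link": "billing-sftp", "host": "app01", "algo": "3DES", "bits": 168, "reviewed": date(2016, 3, 1)},
    {"link": "billing-sftp", "host": "bank-gw", "algo": "3DES", "bits": 168, "reviewed": date(2016, 3, 1)},
    {"link": "hr-api", "host": "hr-web", "algo": "AES-GCM", "bits": 256, "reviewed": date(2024, 11, 5)},
    {"link": "hr-api", "host": "hr-db", "algo": "AES-GCM", "bits": 256, "reviewed": date(2021, 1, 15)},
    {"link": "vpn-legacy", "host": "fw-edge", "algo": "RSA", "bits": 1024, "reviewed": date(2024, 9, 1)},
    {"link": "vpn-legacy", "host": "branch-rtr", "algo": "RSA", "bits": 2048, "reviewed": date(2024, 9, 1)},
    {"link": "mail-relay", "host": "mx1", "algo": "AES-GCM", "bits": 256, "reviewed": date(2024, 10, 1)},
    {"link": "mail-relay", "host": "mx2", "algo": "AES-GCM", "bits": 256, "reviewed": date(2024, 10, 1)},
]

def findings_for(entry, today):
    """Return the reasons this endpoint needs attention (empty list if none)."""
    out = []
    if entry["algo"].upper() in DEPRECATED:
        out.append("deprecated algorithm " + entry["algo"])
    if entry["algo"].upper() == "RSA" and entry["bits"] < MIN_RSA_BITS:
        out.append(f"RSA key {entry['bits']} bits < {MIN_RSA_BITS}")
    if (today - entry["reviewed"]).days > MAX_REVIEW_AGE_DAYS:
        out.append("review overdue")
    return out

def audit(inventory, today):
    """Map each link needing work to all of its endpoints and the per-host findings."""
    by_link = {}
    for e in inventory:
        by_link.setdefault(e["link"], []).append(e)
    report = {}
    for link, entries in by_link.items():
        found = {e["host"]: f for e in entries if (f := findings_for(e, today))}
        if found:  # one stale end is enough: both ends must change together
            report[link] = {"hosts": sorted(e["host"] for e in entries), "findings": found}
    return report

if __name__ == "__main__":
    for link, r in audit(INVENTORY, date.today()).items():
        print(link, "-> upgrade together:", ", ".join(r["hosts"]))
        for host, f in r["findings"].items():
            print("   ", host + ":", "; ".join(f))
```

Run on a schedule, a check like this supplies the flashing red light that the systems themselves do not.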

Sometimes we are lucky and software self-checks. You get those annoying warnings that you have to upgrade soon or things will stop working. You didn't plan for this, you need another thing to do like you need another hole in your head, but that's life in the business computing world. Don't curse these warnings, bless them. They are telling you things that you need to know.

The threat environment is ever-changing. If you are not changing with it, you are falling behind. Standing still is not an option. I am painfully aware that this sounds like a sales pitch, like an attempt to get an eternal revenue stream out of a vague sense of fear and dread. By all means, be an educated consumer and expect threat mongers to back up their claims. But don't rest on your laurels: cybersecurity laurels age like avocados, fine one minute and rotten the next.

Need someone to prod you and nag you to make time for novel and emerging threats? Let Pythia Cyber be your stern aunt, your grumpy grandpa, whoever we have to be to help you keep current.
