The Never-Ending Story
As a cybersecurity practitioner, I have very specific responsibilities as part of protecting particular systems. But as a domain expert for Pythia Cyber, I cast a wider cybersecurity net.
As part of my Pythia Cyber duties I try to keep an eye on cybersecurity trends and advancements (and setbacks). There are sites dedicated to the nitty-gritty, but their content is not very accessible to the layperson. So every now and then I search the Web for "cybersecurity news" and then I try to characterize the top stories I find. This week what caught my eye was a story that made me wince, then made me grudgingly acknowledge some evil ingenuity, and finally made me write this piece about the relentlessness of the cybersecurity onslaught.
The story was about a new spear-phishing attack by a well-known state-sponsored hacker. Since this story was on a site written by and for cybersecurity programmers, the larger story was about the evolution of this hacker's tool kit and therefore the vulnerabilities within that hacker's reach. That is too technical a topic for here, but one of the examples of this hacker's recent work caught my eye: a spear-phishing attack in which the hacker spoofed the organization's cybersecurity account to send an "internal" email sternly admonishing the recipient to read the attached Standard Operating Procedure (SOP), with a rather suspicious reminder to change a setting in MS-Word so that a macro would run. Of course that macro did evil, malicious things.
The story made me wince because I could see how users might lower their guard because this email seemed to be from their cybersecurity folks. The story made me grudgingly admit that this was a very clever social engineering exploitation of the very sternness with which cybersecurity folks often treat unsophisticated email users in their organizations. The story spurred me to write this piece because it highlights something Pythia Cyber often harps on: the threat environment is constantly changing. We are waging a war on many fronts, and the attackers are many and varied.
The "many fronts" is important because we all have areas of focus, which means that we all have blind spots as well. I, for one, am a systems guy. I don't naturally think of the behavioral aspects of cybersecurity. It comes more naturally to me to consider possible loopholes in protocols or configurations than in human behavior. Some of my colleagues are just the opposite: they keep up with end user trends but don't read many manuals for network management appliances.
To succeed at cybersecurity you need to keep up with those many fronts. This is one reason why small organizations are so vulnerable: they usually have only one or two people in the cybersecurity program and sometimes those people are part-time.
But being a big, well-funded organization does not guarantee success, since a leader with tunnel vision often produces a culture with tunnel vision.
How do you find and fix your own blind spots? You use a methodology that is trusted and vetted and objective. We use the NIST CSF. You can use other methodologies: there are a few that are solid choices, but we feel that the NIST CSF is the most general.
But having a methodology does not guarantee success either, since even a perfect policy needs a good procedure and even a good procedure needs very good implementation.
Setting up an effective cybersecurity program that balances scope and cost is hard; we can help.