Why the Cyber-Criminals are Winning the Fight of Good vs. Evil

It’s become a regular pattern now: whenever I go to any event, whether it’s an outing with friends, a family get-together, or really any conversation, and someone asks what I do and I tell them I work in cybersecurity, the conversation goes one way.

They always say, “Oh, that must be interesting,” and then they ask, “What do you think of [insert latest breach here]?” In recent months, it’s been “What do you think of Equifax?” I used to go into a rant about how big of a colossal screw-up it was, but I could tell about halfway through my rant that I started to lose them, because I started using terminology and phrases they weren’t familiar with. I would start talking about zero-days, ignorance among end users, patch management, the cybersecurity budget, etc., and they looked completely lost. Now I just say, “Well, how much time have you got?”

When I take a step back and look at the big picture, though, that’s really what the cybersecurity industry has become in relation to organizations: a bunch of geeks trying to explain to C-level executives with an MBA or finance background why security needs a large budget and why it shouldn’t be getting the scraps.

The executives don’t realize that cybersecurity is one of those departments that, if it’s doing its job right, you’ll never have much interaction with, aside from (hopefully) security awareness training.

This isn’t me placing the blame on anyone, though, because the entire model of security has changed drastically over the past 20 years and even more so in the past ten. Sensitive data and trade secrets used to be stored in a vault or safe somewhere; now they’re stored on a server. Gone are the days of [professional] bad guys trying to rob banks, because now they just use ransomware and rarely risk being caught while still stealing millions of dollars.

The point here is that there’s an entirely new way of being a criminal and most people don’t even realize it. The big problem is that the people who don’t understand the severity of the threats are the ones in charge of the budget, the company, the staffing, etc. Again, though, this isn’t to place blame on those individuals, because it’s up to us in the cybersecurity industry to communicate with them effectively and show them why our job and salary are necessary.

Unfortunately, however, the biggest sign to the people in charge that cybersecurity is necessary has turned out to be that their job is on the line in the event of a cyber incident. Equifax was such an eye-opener to the corporate world about cybersecurity, not just because of the data that was stolen, but because executives started losing their jobs over it. Now that executives and decision makers are losing their jobs over cybersecurity events, the rest of the world is starting to realize that it needs to start paying attention to the geeks who sit in the IT department.

The unfortunate fact of the matter is that the bad guys are winning not just because of ignorance, but also because they only have to be right once. Equifax happened because they missed ONE patch. Granted, their data should’ve been encrypted and not on an internet-facing server, but the breach happened because of one missed patch, and this is just one company in charge of sensitive data.

There are thousands of others that handle our sensitive data online, from local governments to small businesses, and to think that they’re all “secure” is almost ridiculous given the lack of awareness of cybersecurity among the general population, or even worse, the lack of caring.

To top it all off, the worst part is that this only scratches the surface of the threat landscape. Patching is part of one layer of security, and security should be layered like an onion. Even if you patch regularly, correctly, and quickly, you’re still at high risk because of the numerous other avenues a cyber-criminal will take.

Zero-days are a serious threat that scares me greatly, because by the time the vulnerability is disclosed to the public, it makes you wonder whether you were already hit by it.

Social engineering is another huge concern for the cybersecurity industry, and companies that don’t have cybersecurity awareness programs or training are often the victims of such tactics.

Those are just a few examples of the many attack vectors a cyber-criminal will use to get into a network or computer, and that’s why it’s scary when you take a step back and look at the fight going on between good and bad in the digital world.

The bad guys have so many more opportunities and vectors to exploit, and they only have to be right once, whereas the good guys have to deal with budgets, ignorance, fear of the unknown, training end users, training themselves, and the list goes on and on. In the ever-changing world that is cyberspace, we’re fighting an uphill battle.

The question isn’t how we defend against attacks, because there are tons of solutions and programs to help do that. In a world of cyber-criminals who capitalize on every mistake, in an industry whose budget is starved, the real question is: where the hell do we start?

Ryan is a 24-year-old information security analyst and penetration tester from Charlotte, NC. Ryan has been in IT for over 8 years, with experience as a computer forensic consultant, system administrator, security engineer, and security analyst and penetration tester. Ryan has a passion for learning and teaching, as well as writing about information security. Ryan graduates with honors from Norwich University at the end of 2017 with a Bachelor's Degree in Cyber Security.