Cybersecurity Reality Check
It's time to face some hard facts about cybersecurity.
Cybersecurity Data
Let's take a look at how hackers breach systems. Cybersecurity statistics vary wildly depending on which source you use, as there is no central authority. It is also difficult to get accurate data, since most companies don't release data about their compromises. It's a hodgepodge of misinformation. We looked at a few reasonable sources [1] and averaged the share of successful attacks by the initial type of attack. Here's what we found:
| Attack Type | Description | Percentage |
|---|---|---|
| Phishing Attacks | Email, SMS, social media & social engineering | 40% |
| Identity-Based Attacks | MITM, credential harvesting / stuffing / stolen credentials, brute force | 33% |
| Misconfiguration Attacks | Application vulnerabilities, SQL injection, XSS | 19% |
| Insider Threats | Employees stealing credentials / data | 6% |
| Zero Day Attacks | Unknown exploit | 1% |
| Other | Third party / supply chain | 1% |
Sources [1]:
- Palo Alto Australia
- UN International Computing Centre (UNICC)
- Dark Owl
- Centia Institute
Your Defenses Look Like Swiss Cheese
If you are in a midsize or large company, then you most likely have a very large cybersecurity attack surface. You have hundreds or thousands of employees, which means hundreds or thousands of computers, cellphones & IoT devices. You also have many different systems & applications to secure, and your defenses invariably have plenty of holes. No company has the time, money or resources to keep every system up to date. Many software vendors don't patch vulnerabilities in a timely manner. There are old systems still running that are no longer supported but have yet to be upgraded. There is always a system that isn't patched to the latest & greatest software version. A vulnerability in an old, unimportant system can lead to access to a critical system if you aren't carefully managing the blast radius.
You're Pissing In the Wind
Even if a company manages the nearly impossible task of keeping its systems up to date, there are still plenty of exploits and vulnerabilities to contend with: Zero Day Attacks, Phishing, Social Engineering, Viruses & Ransomware. The front door may be locked and secure, but the hackers are tunneling under the floor. Furthermore, even if a magic cybersecurity AI were developed tomorrow that could prevent all Zero Day Attacks, Phishing, Social Engineering, Viruses & Ransomware, you're still not out of the woods, because you have employees. The hackers are insiders and they're in the building right now. They could be your users, your vendors or your sys admins. Disgruntled employees have nothing to lose and everything to gain. This is what you're up against. This is what keeps a Chief Information Security Officer (CISO) up at night. In cybersecurity, only the truly paranoid survive unscathed.
Some Of Your Data Is Already Compromised
No matter how stringent your cybersecurity controls are, how many audits you've passed or which cybersecurity framework you're using, some of your data is already compromised. How? Because some of the data that you store & protect isn't really yours alone, especially customer data like names, addresses, social security numbers, email addresses, phone numbers & passwords. All of that data you are so diligently protecting has already been leaked by some other dipshit company that wasn't focused on cybersecurity. You aren't really protecting anything, as that data is rampant on the dark web.
Hackers Are Getting Smarter
With the rise of AI & smart technology, hackers are using increasingly advanced techniques. In recent examples, hackers targeted an employee's social media account and then used AI to clone their voice. Using the cloned voice, they convinced help desk personnel to change the user's password and MFA, gaining access to critical systems. Hackers can use AI recording devices to record meetings and automatically transcribe them into text. Hackers can wear smart glasses that record the screen directly to the glasses; no USB device is required to exfiltrate data.
Your Sensitive Data Isn't Where You Think It Is
We can pretty much assure you that you don't know where all of your sensitive data is stored. Everyone from the CEO, middle management, secretaries and help desk employees to sys admins has data in places that aren't secure & that you aren't aware of. They have sensitive data stored everywhere: cloud storage accounts, USB drives, email, phones and their own personal computers. The CEO has probably emailed copies of sensitive documents to board members' AOL accounts, and those board members have then saved or forwarded the same documents using insecure methods. You're most likely not using encrypted email at all. We've seen this time and time again through various Data Classification Engagements. Cybersecurity operational security (OPSEC) is atrocious or non-existent.
You're Still Vulnerable Because You Don't Go Far Enough
Ok, you have the best cybersecurity in the world, your data is uniquely yours, you absolutely know where all of your sensitive data is and you have top notch OPSEC. Bad news: you're still cooked. Why? Because you don't go far enough. Snowden smuggled terabytes of data out of the NSA, which had sloppy OPSEC.
Some OPSEC Questions & Your Likely Answers
| Question | Answer | Exposure |
|---|---|---|
| Do you have users who are not using physical hardware MFA keys? | Yes | Access Controls |
| Do you still allow links in emails? | Yes | Phishing, Malware |
| Do you allow USB drives to be used on your computers? | Yes | Data Theft / Exfiltration |
| Do you allow screenshots? | Yes | Data Theft / Exfiltration |
| Do you have employees? | Yes | Access Breach, Malware, Viruses, Ransomware, Data Theft / Exfiltration |
| Do you allow employees to use mobile phones at work? | Yes | Data Theft / Exfiltration |
| Do you allow employees to wear glasses at work? | Yes | Data Theft / Exfiltration |
| Do you allow browser plugins? | Yes | Data Theft / Exfiltration |
| Do any of your employees use social media? | Yes | Data Theft / Exfiltration |
| Do you allow outbound email? | Yes | Data Theft / Exfiltration |
If you answered yes to any of those, you're vulnerable. Pucker up.
You're Always Swimming Upstream
In cybersecurity, you are always vulnerable because you have an impossible task. You have to stop 100% of attacks, but hackers only need to pull off one. You have outside & inside threats to worry about. Everyone from state-sponsored attackers to disgruntled employees is eyeballing your systems and data. The cold hard truth is that if someone really wants your data, it will be very difficult to stop them.
So What Do You Do?
Since, as we've discussed, you can't really stop 100% of attacks & threats, what do you do?
- You identify all sensitive information & label it.
- You limit access to sensitive data & systems.
- You only allow access using physical MFA keys.
- You identify all critical systems.
- You limit your blast radius for all systems.
- You monitor all access to critical systems.
- You keep critical systems patched & updated.
- You encrypt all sensitive data.
- You audit everything & everyone.
- You implement & practice good OPSEC.
You do the best you can with the employees, knowledge & budget you have.
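Several items on that list (identify critical systems, allow access only with physical MFA keys, monitor all access to critical systems) can be turned into a concrete check. The script below is an added example and is not code from the original page: it assumes a constructed `key=value` authentication log format and a hand-maintained inventory of critical systems with their authorized users (system names, user names and MFA method labels are all hypothetical). It flags successful access to a critical system by an unauthorized user or with anything other than a hardware key, counts consecutive failed logins against critical systems, and reports log lines it cannot parse rather than silently skipping them.

```python
"""Access monitor for critical systems (added example, constructed data).

Assumes log lines of the form:
  <timestamp> user=<name> system=<name> mfa=<method> result=success|failure
A real deployment would read these from a SIEM or identity-provider export.
"""

import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Inventory step: critical systems and the users allowed to touch them.
# Constructed sample data; in practice this comes from your CMDB / access review.
CRITICAL_SYSTEMS: Dict[str, Set[str]] = {
    "payroll-db": {"alice", "bob"},
    "hr-files": {"alice", "carol"},
}

# MFA methods treated as physical hardware keys (hypothetical labels).
HARDWARE_MFA: Set[str] = {"fido2", "yubikey"}

LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) system=(?P<system>\S+) "
    r"mfa=(?P<mfa>\S+) result=(?P<result>success|failure)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    system: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None when the line is malformed."""
    m = LOG_PATTERN.match(line.strip())
    return m.groupdict() if m else None


def check_event(ev: dict) -> List[Finding]:
    """Apply the critical-system access rules to one successful login event."""
    findings: List[Finding] = []
    allowed = CRITICAL_SYSTEMS.get(ev["system"])
    if allowed is None or ev["result"] != "success":
        return findings  # not a critical system, or a failure (counted separately)
    if ev["user"] not in allowed:
        findings.append(Finding(ev["ts"], ev["user"], ev["system"],
                                "user not authorized for critical system"))
    if ev["mfa"] not in HARDWARE_MFA:
        findings.append(Finding(ev["ts"], ev["user"], ev["system"],
                                f"non-hardware MFA ({ev['mfa']})"))
    return findings


def monitor(lines: Iterable[str], failure_threshold: int = 3) -> List[Finding]:
    """Run every rule over the log and return findings in log order."""
    findings: List[Finding] = []
    failures: Dict[Tuple[str, str], int] = {}  # consecutive failures per (user, system)
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            findings.append(Finding("-", "-", "-", f"unparseable log line: {raw.strip()!r}"))
            continue
        findings.extend(check_event(ev))
        key = (ev["user"], ev["system"])
        if ev["result"] == "failure" and ev["system"] in CRITICAL_SYSTEMS:
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == failure_threshold:
                findings.append(Finding(ev["ts"], ev["user"], ev["system"],
                                        f"{failure_threshold} consecutive failures "
                                        "(possible credential stuffing / brute force)"))
        elif ev["result"] == "success":
            failures.pop(key, None)  # a success resets the counter
    return findings


# Constructed sample log, not real data.
SAMPLE_LOG = [
    "2024-01-01T09:00:00Z user=alice system=payroll-db mfa=yubikey result=success",
    "2024-01-01T09:05:00Z user=dave system=payroll-db mfa=totp result=success",
    "2024-01-01T09:06:00Z user=bob system=wiki mfa=none result=success",
    "2024-01-01T09:07:00Z user=mallory system=hr-files mfa=none result=failure",
    "2024-01-01T09:07:05Z user=mallory system=hr-files mfa=none result=failure",
    "2024-01-01T09:07:10Z user=mallory system=hr-files mfa=none result=failure",
    "2024-01-01T09:08:00Z user=carol system=hr-files mfa=fido2 result=success",
    "garbage line",
]

if __name__ == "__main__":
    for f in monitor(SAMPLE_LOG):
        print(f"{f.ts} {f.user}@{f.system}: {f.reason}")
```

Running it on the sample log reports dave's `payroll-db` login twice (not on the authorized list, and using TOTP rather than a hardware key), mallory's three failed attempts against `hr-files`, and the malformed last line; alice, bob and carol produce nothing. The inventory dictionary is the point: until you have written down which systems are critical and who may reach them, there is nothing for the monitoring step to compare against.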
Cybersecurity Quotes
- "Amateurs hack systems, professionals hack people." -Bruce Schneier
- "It takes 20 years to build a reputation and five minutes to ruin it." -Warren Buffett
- "Encryption is the defense against the dark arts in the digital realm." -Edward Snowden
- "Cybersecurity is much more than a matter of IT." -Stephane Nappo
- "There's no silver bullet with cybersecurity, a layered defense is the only viable option." -James Scott
- "Phishing is a major problem because there really is no patch for human stupidity." -Mike Danseglio
- "Encrypt any data you want to protect." -Jeffrey T. Hazelwood