I’ve got to give credit where credit is due and, in this case, it’s definitely due. Near the end of his excellent book, Ransomware Protection Playbook, Roger Grimes rightly points out that the world of computer security defense is full of unranked lists. He’s also correct in implying that those of us who live in this world have been guilty of blindly accepting them.
This is his advice:
“Don’t blindly accept unranked lists anymore. Instead, force those lists to be ranked according to how much doing that thing will improve your defense and do the most impactful things first.”
I like that advice. It’s aligned with one of the core tenets of the 5shield mission:
Helping people and organizations do the FEW RIGHT things they SHOULD do when it comes to cybersecurity rather than the MANY GOOD things they COULD do.
So why is the world of computer security chock-full of unranked lists? There are several reasons. One of them is something I call the “white flour / white paper” problem. Most people know that a major problem with white flour is that the nutrients have mostly been stripped out, so it gets “enriched” (I don’t even know what that means; I guess they spray it with synthetic vitamins or something) to make it healthy…again. We end up with a product that has a longer shelf-life but may actually result in a shorter…life-life. The same can be said about many cybersecurity “best practices”, specifically the ones that are full of unranked lists telling you to go and fix / implement everything in order to be secure. We should have known this wasn’t a very good thing when entire organizations started springing up intent on helping other organizations implement / fix everything on the unranked lists.
Much like white flour, these lists have one of the most important and valuable things stripped away from them: context. They were usually born from actual data that could prove insightful and helpful for many organizations, but once the context was stripped out and all that data from all kinds of different organizations was mixed together, the result was a long list that basically said “do all the security things”. This usually means smaller organizations won’t do “any of the security things”, larger ones will perpetually be trying to “do all of the security things” (a miserable state I like to call “STUCKurity”), and the few really large organizations that manage to “do all the security things” probably won’t do them for very long. If they do, they’ll likely get hacked anyway. I don’t know who “Frederick the Great” was, but he’s credited with saying: “He who defends everything, defends nothing.” Let’s pause for a moment to reflect on that….hmmmmm….yep, he’s right.
As a cyber defender there never is (nor ever will be) a shortage of options when it comes to where you can focus your cybersecurity efforts. Unfortunately, in my experience, the majority of cyber defenders are choosing the wrong ones. That includes you. I don’t know you, but when it comes to cybersecurity I have a strong feeling that you, like so many others, are doing it wrong. Look, if it helps, I have no problem sitting down with you, holding your hand, looking you in the eyes and compassionately saying: “You’re doing it wrong…the problem is you…you’re the problem.” Does that help? In all fairness I’ve been the problem too. The only difference is that I decided to change my ways and you’re still stuck in yours. But you don’t have to be anymore.
So how did I come up with this list of the top 5 areas you should focus your cybersecurity efforts on? Well, I looked at two things. First, I took the best available data I could find on real-world cybersecurity incidents, specifically looking for the root cause(s). Second, I took an ordered list of the top 5 areas where I believe most cyber defenders focus their cybersecurity efforts right now and I turned it upside down.
Disclaimer – Even with all that I still lack something you have: your context. I’m confident these are probably the best areas most cyber defenders can invest their cybersecurity efforts in, but I can’t be certain. You can be, though. Take this list and combine it with your context to see if it makes sense for you. A word of caution, though. One takeaway from the book Red Team is that we’re all terrible at grading our own homework. If you think you’ve done all you can in one area, I encourage you to think again. You might just be using that as an excuse to avoid that area. Remember The War of Art? Resistance might be a good sign you’re on the right track. If you don’t feel like doing it, you probably should.
Without further ado, here’s the ranked list of the top 5 areas you should focus your cybersecurity efforts (probably):
1.) Education – Absolutely everyone in your organization (senior executives, IT staff, and everyone else) needs to know how to recognize and defend against malicious social engineering (starting with phishing attacks). Put simply, this is the most important area that most cyber defenders should invest their cybersecurity efforts in, but instead it’s consistently the most neglected. Imagine how secure your organization would be if NONE of its employees could easily be deceived. My best advice here: you don’t need security awareness training, you need a security awareness training PROGRAM. If you’re a fan of the 80/20 principle, this is the 80. The rest of this list is the 20.
2.) Email – This is where most of your cyber attacks are likely to come from. I’m willing to bet staff at your organization received 3 or more phishing emails just while you were reading this post. Even well-trained defenders (staff trained to recognize and defend against malicious social engineering attacks) shouldn’t have to be bombarded with low-level email threats constantly. Think of it like this: your organization is the castle, malicious emails are invading, and your email security controls are your archers. Don’t get it? Watch some Lord of the Rings movies and come back (I recommend The Two Towers).
3.) External systems / services – Externally accessible (from the Internet) systems and services are the most likely to be targeted by malicious cyber threat actors. These should be among your most protected assets (hardened, patched, monitored, etc.). Don’t neglect micro and macro network segmentation either. You allow VPN access so your sales team can use the internal CRM server while on the road? Good, but slap an ACL on their VPN profile that allows only that. Do you know who accessed the VPN last week, and from when and where? Not sure how to check? Find out.
4.) Endpoints – Even the best-trained defenders might lose a fight from time to time. That’s ok, but when that happens they’ll need backup. Your endpoints should be a cyber bad guy’s worst nightmare. How? Most of them expect some endpoint “defaults” that will help them get an initial foothold, keep it, and move on from there. They expect default access to default installed tools at default locations, with default ports available on other systems. Deviate from the defaults and they probably won’t know what to do. By the time they start to figure it out, if you’ve done it right, they’ll already be on their way out.
5.) Everything else – At this point you can do whatever suits your fancy. I get it, sometimes you just “need” to feed your desire to do something that’s fun and interesting (even if it’s probably useless). But if you’re going to feed that desire, make sure you’re feeding it leftovers.
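Item 3 asks whether you know who used the VPN last week, and from when and where. Here is an added example of actually answering that (my code, not from the post or any vendor): it parses a generic syslog-style authentication log, summarizes successful logins per user over a 7-day window (count, first/last seen, source IPs, countries), and flags two cheap patterns worth a human look: one account logging in from more than one country, and repeated failures followed by a success from the same source. The log format, the sample lines, the network-to-country table and the thresholds are all constructed assumptions; swap in your concentrator’s real format and a proper GeoIP lookup.

```python
"""Who used the VPN in the last week, when, and from where?

Added example, not from the original post. The log format is a constructed,
generic syslog-style line (no specific vendor); adjust LINE_RE to your own output.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = """\
2024-05-06T08:02:11Z vpn01 auth: user=alice result=SUCCESS src=203.0.113.10 profile=sales
2024-05-06T08:05:40Z vpn01 auth: user=bob result=SUCCESS src=198.51.100.23 profile=eng
2024-05-07T22:14:05Z vpn01 auth: user=alice result=SUCCESS src=192.0.2.77 profile=sales
2024-05-08T03:31:52Z vpn01 auth: user=carol result=FAILURE src=192.0.2.200 profile=admin
2024-05-08T03:32:10Z vpn01 auth: user=carol result=FAILURE src=192.0.2.200 profile=admin
2024-05-08T03:32:30Z vpn01 auth: user=carol result=SUCCESS src=192.0.2.200 profile=admin
2024-04-20T09:00:00Z vpn01 auth: user=dave result=SUCCESS src=203.0.113.50 profile=eng
"""

# Hypothetical network-to-country table standing in for a real GeoIP database.
NET_TO_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "RO",
}

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) for real.
NOW = datetime(2024, 5, 9, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAILURE) src=(?P<src>\S+) profile=(?P<profile>\S+)$"
)


def country_of(src):
    """Map a source IP to a country code, or '??' if it is outside known ranges."""
    ip = ipaddress.ip_address(src)
    return next((cc for net, cc in NET_TO_COUNTRY.items() if ip in net), "??")


def parse_log(text):
    """Turn raw lines into event dicts; lines that are not auth events are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def summarize_logins(events, now=NOW, days=7):
    """Per-user view of successful logins inside the window."""
    since = now - timedelta(days=days)
    summary = {}
    for ev in events:
        if ev["ts"] < since or ev["result"] != "SUCCESS":
            continue
        rec = summary.setdefault(ev["user"], {
            "logins": 0, "first": ev["ts"], "last": ev["ts"],
            "sources": set(), "countries": set(), "profiles": set(),
        })
        rec["logins"] += 1
        rec["first"] = min(rec["first"], ev["ts"])
        rec["last"] = max(rec["last"], ev["ts"])
        rec["sources"].add(ev["src"])
        rec["countries"].add(country_of(ev["src"]))
        rec["profiles"].add(ev["profile"])
    return summary


def flag_anomalies(events, summary, now=NOW, days=7, max_failures=2):
    """Cheap, explainable checks; the thresholds are assumptions to tune locally."""
    findings = []
    for user, rec in sorted(summary.items()):
        if len(rec["countries"]) > 1:
            findings.append((user, "logins from multiple countries: " + ", ".join(sorted(rec["countries"]))))
        if "??" in rec["countries"]:
            findings.append((user, "login from a source outside known ranges"))
    # Guessing pattern: repeated failures then a success from the same (user, source).
    since = now - timedelta(days=days)
    failures = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ts"] < since:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAILURE":
            failures[key] += 1
        else:
            if failures[key] >= max_failures:
                findings.append((ev["user"], f"success after {failures[key]} failures from {ev['src']}"))
            failures[key] = 0
    return findings


def run_report(text=SAMPLE_LOG, now=NOW):
    """Parse, summarize and flag in one call; returns (summary, findings)."""
    events = parse_log(text)
    summary = summarize_logins(events, now)
    return summary, flag_anomalies(events, summary, now)


if __name__ == "__main__":
    summary, findings = run_report()
    for user, rec in sorted(summary.items()):
        print(f"{user}: {rec['logins']} login(s) {rec['first']:%m-%d %H:%M}..{rec['last']:%m-%d %H:%M} "
              f"from {sorted(rec['sources'])} ({', '.join(sorted(rec['countries']))})")
    for user, why in findings:
        print(f"REVIEW {user}: {why}")
```

On the sample data, dave drops out (his login is older than the window), alice is flagged for logging in from two countries in one week, and carol is flagged for a success preceded by two failures from the same address. The natural follow-up is to line the `profile` column up against the per-profile ACLs the item recommends: a sales profile that can reach anything other than the CRM server is the segmentation gap you were looking for.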
That’s it for now, good luck.
P.S. – I tried to get away with mentioning just one of Roger Grimes’ books but I just can’t.
Get this one, read it, study it, apply it. It’s one of the best cybersecurity investments you can make. I could go into more detail about it, but you aren’t REDI yet…stay tuned.