It's time to drop the collective ambivalence toward cybersecurity.
The #CyberAvengers are a group of salty and experienced professionals who have decided to work together to help keep this nation and its data safe and secure. They are Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma and Christophe Veltsos.
Watching the news and the debates during the past week felt pretty deflating. You must have heard about the entire who knew what when regarding the attempted Russian interference during the election. Much of what was said was fairly well known but with the new drips and drabs of information coming out into the open the past few days, political opportunism was bound to happen.
Despite this expected response, finger-pointing provides no true help to anybody in the world (and if we are being candid, not even within the Beltway). Sure, it is all interesting. And all of this chatter even provides a good spectacle. We even agree there are some serious questions that need to be answered, like who did know what when and why did they do (or not do) something about it.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
But ultimately, so much of it right now is irrelevant and it is darned near aggravating to keep this bad song on repeat.
Because while the hysteria is maxed out at full throttle, we still have these other problems going on: The country is getting its clock cleaned, its stuff stolen, its IP drained and its limited resources wasted and expended.
Forgot for a moment the reasons why the nefarious actors are behind their actions. If you own a shop and your inventory is getting smashed and stolen on a daily basis, you may be more concerned with making it stop than wondering why the bad guy is trying to do whatever he is doing. Intent comes later. It is like triage at a hospital. You want to stop the bleeding as soon as you can lest you find yourself dead in short order.
Or if your websites get vandalized (hello, Ohio), your priority is to get your pages cleaned up (as Ohio did) and not figure out why extremists want to carry out their evil and how they were able to hack your site (that is for others to do).
So let us figure out ways how to make the bleeding stop and where possible, avoid any bleeding at all.
If we dissect each major malware exploit, each major ransomware exploit, and even all the little ones, the reasons why we are losing the cyber battle are apparent. Really, you ask?
Here it comes: Attackers are determined while the rest of us are not. More specifically, the vast majority of the public is ambivalent. Sure, you may be “concerned” about your cyber safety when asked in a survey, but are you really doing anything about it? And how many times have you heard somebody say, “why would anybody want to target me?”
Unfortunately, professionals in industry and government still think they are not a target. And what is worse is that many of them are still convinced that the means they used to protect their networks five years ago still apply today.
News flash: They do not!
It is time to be honest with ourselves. We are behind the eight ball for good reason: It is our own collective fault. Stop blaming everybody else for a moment and look in the mirror. We #CyberAvengers try to do so every day and we try to support each other, even in our daily tasks. Sometimes, something even as simple as, "have you guys noticed any unusual spam today?” keeps our antennas up. Do you do that with your close circle of friends or colleagues?
The #CyberAvengers are all patriots. We are in this together for the good of the country and a united front on this issue would actually do us all some serious good.
We are going to get all sci-fi on you for a moment. Remember the movie "Independence Day"? You know why the aliens got their butts whooped despite their shatter-your-mind technological superiority? Humanity won because people decided to work together to bring down the space squids. And chances are most of you felt pretty darn good when there was that unified “we won” feeling.
No, this article is not intended to give you a chill down your spine the same way flying an F-18 into a spaceship does. Nor do we think it will make you question our sanity for comparing the cybersecurity challenge to a Hollywood movie (aside: “Shall we play a game?”).
By the way, as the story goes, President Ronald Reagan saw "WarGames" at Camp David and a week later at the White House asked his senior national security staff if something (like what happened in the movie) is possible to happen. Much of the staff and members of Congress tried not to laugh, apparently.
A week later, Gen. John W. Vessey Jr, chairman of the Joint Chiefs of Staff said, “Mr. President, the problem is much worse than you think.”
Back to the entire “united front” thing. This article is written in the same spirit that the movie "Independence Day" was, namely: The only way to stop some big bad evil thing from messing up our way of life is to work together (even with people we may not initially would have worked with) and may even have to make sacrifices.
We celebrate the Fourth of July because we declared independence. It is when a small group of people, now known as patriots and heroes, said enough. That is what we are asking of all of you this year: Say enough already with this cyber nonsense, do your bit to push back against this common threat, and do not let up.
How do you say enough to all of this?
With humans being responsible for 90-plus percent of all cyber incidents, just starting with the basics will do miracles.
1. Update and patch your networks, operating systems and devices promptly. “Critical” is “critical” for a reason. Do it within 72 hours of release.
2. Pretty please with a cherry on top, train your employees (and yourself) on how to detect spear-phishing attempts and what best social media practices are. Please! Quarterly training can reduce the risk by up to 90 percent in most cases.
3. Use multifactor authentication. We have effectively reached the age of password uselessness because of our poor habits. Passwords slow down bad guys who do not know what they are doing. Biometric solutions are great, but proceed with caution if you go this route because you now have data management and privacy concerns that must be addressed.
4. Backup regularly—daily, if feasible. Where possible, use the “1, 2, 3” backup rule: a segmented backup on site, one off-site and one in the cloud. No need to pay the ransom if you have a clean backup ready to be uploaded to your system.
5. Be cautious with older systems. Yes, you can repair them and we are fully cognizant that the upfront capital cost is something some cannot afford. But If these systems are past their “patch life,” when support stops, they become big, fat juicy targets for hackers.
6. Sometimes the best answer is the cloud. There are state-of-the-art hardware and software there, and cloud migrations have become easier, especially over the last two years. The cloud is not a savior. We admit that. And it comes with other issues, such as needing to learn what your obligations and responsibilities are, ensuring you have robust agreements with your vendors, and knowing what third-party sources will have access to your information.
7. Know how your intrusion detection and prevention system works (if you have no clue what we are talking about, find somebody who does). Is it signature-based? Perhaps it is behavioral-based? Maybe it is both? New cyber threats require new tools. This is where machine learning, cognitive computing, artificial intelligence, automation and orchestration all come into play. Internet data traffic is just becoming bonkers. No human is able to this on their own. We have reached the zettabyte age. What’s a zettabyte, you ask? That’s 1,000,000,000,000,000,000 bytes. Some #CyberAvengers work on that here.
8. If you cannot do much of what we suggested, consider a managed service provider or a managed security service provider. We know cybersecurity is not everybody’s cup of tea, but one ransomware attack on a server message block could be crushing. There are options out there to help you. It costs money, but you are buying peace of mind. Do your homework and find the right solution for you.
9. Do you drive your car without insurance? OK, if you do, do not admit that to us. Cyber insurance is not mandatory yet, but it may be in the future. And chances are if you are doing a lot of what we are suggesting, you will be on the low end of premium payments.
In closing, we have written two books (available here and here). We have a thwack of other writings (many available publicly from our LinkedIn pages or blog sites). We have attracted plenty of publicity and we thank all our supporters from all over the world (seriously, thank you!). Yet, our frustrations remain: We continue to struggle unnecessarily.
Clicking a “like” button on Facebook may make you seem cool and in “support” of something, but actually doing something is where your true support is shown ... and pays off.
Declare your independence from the malicious actors and do what you can to thwart them. We have given you a few easy steps how to do so. Imagine if we all did all smart part what a difference it would make.
A happy Fourth of July to all!