So I was watching YouTube and wanted to find a video of a current cybersecurity conference. Instead, this video made me realize that what Nick is saying has some value to repeat and expound on:
The Five Laws of Cybersecurity | Nick Espinosa | TEDxFondduLac
So I reduced it to 4, because his number 5 is essentially "see #1".
1) If there is a vulnerability, it will be exploited. (I have made this argument several times, including in an oversitesentry post on 3/1/2015.)
The post from 2015 mentions a Seagate NAS storage device with a vulnerability that makes it easy to exploit with Metasploit.
2) Everything is vulnerable in some way. I have also made this argument: an oversitesentry blog post from 7/31/2017 explains how SMBLoris is a new flaw in SMB (Server Message Block, the protocol used in Microsoft file server technology as well as others).
3) Humans trust even when they shouldn't, so we have to go against the grain to secure our computers. (Don't Trust and Verify blog post from 3/10/2016.) As mentioned there, the 8th layer in network technology (the human layer) will always be a hole to plug.
4) With innovation comes opportunity to exploit. (Blog post from 6/27/2016: IoT Botnet can DDoS Your Webserver.)
The funny thing is that if we patched our systems regularly, backed up our systems properly (with offsite backups) and had proper social engineering training for employees (to combat phishing), then we could most likely combat most attacks.
So to solve the above 4 maxims of cybersecurity, here are 4 defense strategies which will keep you in business:
- Patch (update) your systems regularly; you may have to test the patch first.
- Back up your systems properly: full system as well as other backups, including offsite backups (if this was done right for everyone then ransomware would go away).
- Set up social engineering training for all employees.
- Create a systemic method of handling all of the above (with a security policy).
- (added last minute) We do not spend enough time on cybersecurity; we should spend at least 5%, with 10% preferable. We always have to improve, as the attackers are always improving.
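A "systemic method" only works if the policy is measurable, so here is an added example (my own illustration, not code from the post or from Nick's talk) that turns the four defenses plus the time rule into a small audit: each system record carries its last patch and backup dates, each employee record carries a last-training date, and anything older than the policy threshold becomes a finding. The hostnames, employee names, dates and the 30-day/7-day/365-day thresholds are constructed for the example; the post itself only says "regularly", "offsite" and "at least 5%".

```python
from datetime import date

# Policy thresholds. These numbers are constructed for the example; only the
# 5% security-time minimum comes from the post.
POLICY = {
    "max_patch_age_days": 30,            # patch within a month
    "max_backup_age_days": 1,            # a backup every day
    "max_offsite_backup_age_days": 7,    # an offsite copy at least weekly
    "max_training_age_days": 365,        # social engineering training yearly
    "min_security_time_fraction": 0.05,  # the post's "at least 5%" of time
}

# Constructed "as-of" date for the audit run.
TODAY = date(2024, 5, 31)

# Constructed asset inventory (hypothetical hosts, not from the post).
SYSTEMS = [
    {"name": "fileserver01", "last_patch": date(2024, 5, 2),
     "last_backup": date(2024, 5, 30), "last_offsite_backup": date(2024, 5, 26)},
    {"name": "nas-01", "last_patch": date(2024, 1, 15),
     "last_backup": date(2024, 5, 30), "last_offsite_backup": None},
    {"name": "webserver", "last_patch": date(2024, 5, 28),
     "last_backup": date(2024, 5, 20), "last_offsite_backup": date(2024, 5, 20)},
]

# Constructed staff list with the date of their last phishing-awareness training.
EMPLOYEES = [
    {"name": "alice", "last_training": date(2023, 9, 1)},
    {"name": "bob", "last_training": date(2022, 4, 10)},
    {"name": "carol", "last_training": None},
]


def days_since(event, today):
    """Age in days of a dated event; None (never happened) counts as infinitely old."""
    if event is None:
        return float("inf")
    return (today - event).days


def check_systems(systems, today, policy):
    """Maxims 1, 2 and 4: an unpatched or un-backed-up system is a finding."""
    findings = []
    for s in systems:
        if days_since(s["last_patch"], today) > policy["max_patch_age_days"]:
            findings.append((s["name"], "patch", f"last patched {s['last_patch']}"))
        if days_since(s["last_backup"], today) > policy["max_backup_age_days"]:
            findings.append((s["name"], "backup", f"last backup {s['last_backup']}"))
        if days_since(s["last_offsite_backup"], today) > policy["max_offsite_backup_age_days"]:
            findings.append((s["name"], "offsite-backup",
                             f"last offsite backup {s['last_offsite_backup']}"))
    return findings


def check_employees(employees, today, policy):
    """Maxim 3, the human layer: everyone needs current social engineering training."""
    return [(e["name"], "training", f"last trained {e['last_training']}")
            for e in employees
            if days_since(e["last_training"], today) > policy["max_training_age_days"]]


def check_security_time(security_hours, total_hours, policy):
    """The 'spend at least 5%' rule; returns an empty list when compliant."""
    fraction = security_hours / total_hours if total_hours else 0.0
    if fraction < policy["min_security_time_fraction"]:
        return [("organization", "security-time",
                 f"{fraction:.1%} of time on security, policy minimum "
                 f"{policy['min_security_time_fraction']:.0%}")]
    return []


def audit(today=TODAY, systems=SYSTEMS, employees=EMPLOYEES,
          security_hours=60.0, total_hours=2000.0, policy=POLICY):
    """Run every check and return the combined list of (subject, rule, detail)."""
    return (check_systems(systems, today, policy)
            + check_employees(employees, today, policy)
            + check_security_time(security_hours, total_hours, policy))


if __name__ == "__main__":
    for subject, rule, detail in audit():
        print(f"{subject:14} {rule:16} {detail}")
```

Run as-is it reports seven findings: one host patched in January, a host that has never been backed up offsite, a host whose daily and offsite backups both lapsed, two people overdue for training, and an organization spending 3% of its time on security against a 5% floor. The point is not the thresholds but that each maxim maps to a dated record you can check on a schedule, which is what "a systemic method with a security policy" means in practice.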
I was looking to make an image to represent the 4 points on both sides, but then I thought maybe we can add the 5th maxim, spending at least a certain amount of time on cybersecurity, even though that belongs in the column of problems. I think the reason I added it is that we do not spend enough time on cybersecurity. So the point is made to start thinking about how much time and effort to spend on cybersecurity. And on the other side of the ledger there is no mistake: top management has to be involved in directing this issue.
And conversely, the directive has to come from the top down: the owner/CEO has to decide this is the best course for the company and has to know "why", and this knowledge must be conveyed to all employees, who study it and make it their own precepts.
Everyone has to know that cybersecurity is important and has to be 'solved', or at least mitigated.