The Fine Art of Stepping on the Same Rake

The Fine Art of Stepping on the Same Rake
Author: Alex Holden, Founder and Chief Information Security Officer, Hold Security, LLC
Date Published: 5 August 2020

For more than half a decade I presented a talk about learning from current events in a “stepping on a rake” series. While the title changed slightly from year to year, the material was always fresh and there was no shortage of new topics to cover. I clearly remember my first presentation in this series, where one of the key topics was the lack of timely patches. Afterwards, a friend of mine who was in the audience told me that the topic was so basic that it needed no reminders. However, two months later I got a late-evening call from him asking for help. Guess what? The breach was over an unpatched system, which resulted in hundreds of hours of remediation.

Why are we still stepping on the same rake over and over again? Why don’t we learn from others’ mistakes? Is technology lacking or are we failing with our processes and procedures? Let’s take a look at the current threat landscape in this blog post, and then a deeper look during my upcoming virtual GRC Conference 2020 session later this month, when I will explore these themes in greater detail. (Editor’s note: The GRC Conference will take place 17-19 August).

First, let’s consider our adversary. No, they are not making better cyber criminals, nor are they getting increasingly smarter. They simply adapt with the times, and change their patterns to the path of the least resistance. They get better tools, better capacities, better tutorials. An average cybercriminal is more and more removed from the core technology which used to be a driving force in the past. Our standard adversary is not only a technologist but a social engineer, a relationship manager and a salesman.

The COVID-19 crisis is tough on our society; however, it is bringing out the best in cyber criminals, as they use their skills to harm us while sitting at home. They even have more money than before, as the pandemic has limited common spending of ill gains. Our first case study is of the most common attack in the COVID-19 era – phishing. It is not a simple scam, but a well-thought out crime using a COVID-19 precipitated crisis as an advantage to engineer a heist of hundreds of thousands of dollars. And then we have an opposite example, where years of good security culture helped another organization to step up their cybersecurity practice in the face of coronavirus, increasing their vigilance on every level of their organization.

We also live in an age where the bad guys do not necessarily need to breach your perimeter, but there is an army of researchers scanning your systems for any exposures. Some of them go overboard, nearly extorting any company that makes a mistake and accidentally exposes its data. It happens so often and sometimes to such a degree that there is a line blurred between the good guys and the bad. Let’s learn from someone else’s experience handling such a situation, which can help you avoid falling victim to technical mistakes. At the same time, on a positive note, there are ways to keep your vigilance through a good bug bounty program, internal empowerment, and constant monitoring.

In today’s environment, we read more about ransomware than any other type of cyber-attack. “I thought it would never happen to us” is what I keep hearing from victims nearly every day for the past several years. Yet it still happens. But why? I want to make sure that ransom and the ransomware process is not deemed a mystery, but rather a simple, predictable attack. As a cautionary tale, let’s look at a ransomware attack and make sure that you know how to detect, deter and properly address the situation.

Why are we still making the same mistakes? Because we are human … sometimes we try to learn from others, yet we learn better from our own mistakes. However, we are all striving to improve and to get practical advice that will save our data, our users, and give us better professional skills as cybersecurity professionals. I like to share my experience of not only the scary war stories but the great success stories as well. They are not fairy tales, but rather long-term strategies that are paying off and keeping us more secure.

Editor’s note: Did you miss ISACA’s 2020 North America CACS virtual conference? View highlights from the conference in our key takeaways report.