When a person goes on a fitness kick, they may set a goal of ‘lose 5 kilograms’, or ‘run 10km in under an hour’ or possibly even ‘do 100 push-ups without a break’. In contrast, when a sports team sets a goal, they talk in terms of ‘winning a grand final’, or ‘being the best defenders in the league’. Fitness goals are usually absolute and pertain to things that are within the individual’s control. Sporting goals are relative and talk about beating other teams in competition. Put simply, if the Broncos train at 90% in 2021, and the other teams train at 95%, they might be able to lose weight, run a long way and do lots of push-ups, but they’ll still get beaten on game day.
Just like the NRL, cybersecurity is a contest of wills, skills and tactics. Cyber defenders must combine all of these things to defeat cyber attackers. Fitness is only half the battle – it’s necessary, but not sufficient, to stay safe in cyberspace. Cyber fitness is about setting goals for regular and incremental improvements against recognized cyber standards (such as NIST). It’s definitely not a bad thing. Indeed, doing the basics right, like having users improve their password hygiene, really helps to avoid breaches, as does (among other things) running regular rule checks on your firewalls with tools like AlgoSec or the Palo Alto Networks BPA, and conducting vulnerability scans and remediation with Qualys VMDR.
An excellent example of the dangers of doing the basics badly can be found in the 2016 account of Donald Trump’s Twitter hack (Episode 87 of Darknet Diaries is an engaging listen on this subject) – using a simple, easy-to-guess password (‘you’refired’) across multiple accounts and not changing it for at least four years might be considered a breach waiting to happen!
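The three failures in that story (a guessable password, reuse across accounts, no change for years) are exactly what a credential-hygiene check can catch before an attacker does. The following is an added example, not code from the article or from any of the tools it names: it models the checks an identity platform can run when a user sets a password, in the spirit of NIST SP 800-63B. The blocklist, account names and dates are constructed for illustration, and the normalisation rule (strip punctuation and case before comparing to the blocklist) is a design choice, not something the article prescribes.

```python
"""Password hygiene audit (added example, not from the article).

Checks a candidate password against a blocklist of common values, detects
reuse of a password already set on another of the user's accounts, and
flags credentials that have not been changed within the maximum age.
All data here is constructed; a real blocklist would be a breach corpus.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
import hashlib
import hmac
import os
import re

# Constructed blocklist. Entries are stored in normalised form (see normalise()).
COMMON_PASSWORDS = {"password", "123456", "letmein", "yourefired", "qwerty"}
MIN_LENGTH = 12
MAX_AGE_DAYS = 365          # policy assumption for the staleness check
PBKDF2_ITERATIONS = 100_000


def normalise(password: str) -> str:
    """Lower-case and strip non-alphanumerics so "You'reFired!" matches "yourefired"."""
    return re.sub(r"[^a-z0-9]", "", password.lower())


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only digests are kept, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Credential:
    account: str
    salt: bytes
    digest: bytes
    last_changed: date


def store(account: str, password: str, changed: date) -> Credential:
    """Create the stored record for an account (fresh random salt per account)."""
    salt = os.urandom(16)
    return Credential(account, salt, hash_password(password, salt), changed)


def check_new_password(candidate: str, existing: list[Credential]) -> list[str]:
    """Return a list of findings for a proposed password; empty list means accept."""
    findings: list[str] = []
    if len(candidate) < MIN_LENGTH:
        findings.append("too_short")
    if normalise(candidate) in COMMON_PASSWORDS:
        findings.append("blocklisted")
    # Reuse check: re-derive the digest under each account's own salt and compare
    # in constant time, so plaintexts of other accounts are never needed.
    for cred in existing:
        if hmac.compare_digest(hash_password(candidate, cred.salt), cred.digest):
            findings.append(f"reused_on:{cred.account}")
    return findings


def stale_credentials(creds: list[Credential], today: date) -> list[str]:
    """Accounts whose password is older than MAX_AGE_DAYS as of `today`."""
    return [c.account for c in creds if (today - c.last_changed).days > MAX_AGE_DAYS]


if __name__ == "__main__":
    # Constructed scenario: a weak password set in 2016 and never rotated.
    accounts = [
        store("social-media", "you'refired", date(2016, 6, 1)),
        store("email", "Tr0ub4dor&3-xyz-77", date(2020, 1, 1)),
    ]
    print(check_new_password("you'refired", accounts))
    print(check_new_password("correct horse battery staple 42", accounts))
    print(stale_credentials(accounts, date(2020, 12, 1)))
```

The reuse check works on stored digests rather than plaintext, so it can run inside the password-change flow without the directory ever holding other accounts' passwords in the clear; the age check is the kind of query a scheduled hygiene report would run across all accounts.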
Cyber fitness can drive organizations to focus only on specialization that aligns with their standards-based goals (e.g., patch all critical CVEs within 24 hours) rather than their current environment. David Epstein describes, in his 2019 book Range, how Roger Federer dabbled in many sports – soccer, basketball, etc. – before finally settling on tennis and becoming one of the greats. This dabbling, Epstein contends, is what made Federer great. The range of his skills from each sport meant that he was always ready for whatever the competition threw at him. Based on this logic, Federer probably could have gone on to be a world champion in any of the sports he practiced at an early age. Epstein’s contrast is Tiger Woods, who loved golf from the age of three and had swung a golf club many thousands of times before he was 10. Could he have been a champion tennis player?
In cybersecurity, how do companies pick the right discipline(s) to focus their cyber fitness aspirations on? If they do it based on reasonably static goals alone, they may well become an excellent golfer in a do-or-die game of tennis! If they do it based on a broad, enterprise-wide view of business drivers and potential threats, their security posture will likely need to change as often as their business does (and in response to the rapid evolution of threats). But in doing so, their defenders will also develop ‘Range’ and be ready for whatever a cyber adversary throws their way tomorrow.
Cyberthreats change quickly – or at least the prevalence and volume of particular attack types do. Ransomware is not a new threat, but it has certainly gone from relatively low volumes to extremely high volumes quite quickly over the last 18 months – just ask a cyber insurance company: ‘In the first half of 2020 alone, we observed a 260% increase in the frequency of ransomware attacks among our policyholders, with the average ransom demand increasing 47%’ (ZDNet: ransomware accounted for 41% of all cyber insurance claims in H1 2020). It isn’t true to say that an organization focusing on cyber fitness wouldn’t be prepared for these changes (indeed, high maturity against NIST or the Essential 8 would help significantly!). However, if the organization is starting from a low base of maturity, a purely standards-based approach may see it focusing on the wrong controls in the short term and missing the shift in emphasis that is necessary both to get fit over time and to defend against the most likely and/or most dangerous threat(s) of the day.
Perhaps a better way to think about cyber fitness is cyber sparring. Let’s not forget the imperative to drive improvements against our cyber frameworks over time – we know, for example, that doing the ASD Top Four (or the Essential 8) mitigates >85% of threats. However, let’s make sure that we also keep a strong focus on impending attacks through regular incident response exercises and continuous breach simulations (tools such as Mandiant Security Validation can help with this), and ongoing updates to risk profiles based on timely and quality threat intelligence. In other words, let’s keep an eye on what the adversary is doing and train accordingly so that the only cyber ‘punch in the face’ we receive is in a practice sparring match, not in the real world!