"Hardness" of your Cybersecurity
(c) 2021 Bill Rippon


Here I go with some more, not quite perfect, analogies. But then in most cases, being perfect is very hard. In the world of IT, especially with cybersecurity, being perfect is extremely hard if not impossible. In the world of geology, they talk about the hardness of a mineral and the Mohs Hardness Scale that was established in 1812 by German mineralogist Friedrich Mohs [1]. A material's hardness is its resistance to being scratched. In this rocky hierarchy :-), there are relatively soft materials like talc (Mohs 1), moderately hard surfaces such as granite, and the diamond at the top of the scale (Mohs 10). Of the various interactions that we humans have with rocks, one of the most common activities is making or building something. One's choice of material can be quite important for stability, resilience and looking great, even over time. The pyramids at Giza appear to be a wonderful example. Other important characteristics may be how well the substance performs or protects. For example, a diamond drill bit, or a fort in the 1700s made of granite. Naturally, we humans also play a part in the ultimate creation and its resulting characteristics, in how well we utilize the materials, what items are mixed together, and how they are combined to form the eventual product. Bringing this back to the task at hand, the aforementioned analogy, what would be the level of hardness of your organization's cybersecurity?


The components that make up the cybersecurity posture of an organization will generally dictate the cyber hardness on which its IT environment stands. I am using the term "components" here quite liberally, so it also includes the all-important item, the people: the people that build, manage, and use the IT environment and its data. This is not all that different from a bridge built out of steel, which requires people to make important materials and engineering decisions, and people involved with periodic monitoring and maintenance to ensure that the bridge remains viable for years to come. Likewise, for cybersecurity the choices that are made in areas such as what hardware and software to utilize, the type of architecture, the level of education and skills required, and the process for monitoring and operation all play major roles in resisting damage. In other words, avoiding impactful security incidents. A bridge made of untreated pine spanning a river in the rough winters of the northern United States of America will be easily weakened, and eventually damaged, by the environment. A kitchen countertop made of graphite would not be nearly durable enough to remain unscathed by common kitchen activities. In the IT realm, a web server that inadvertently exposes its password file, with passwords hashed using MD5, would be an easy target for hackers to compromise. Therefore, not very resistant to impact.


Unlike the hardness of a mineral, the hardness of the things we build or create is not static in value. For example, masonry-built forts were a strategic asset of their day in protective strength, but by the mid 19th century, in an earlier iteration of the "arms race", such masonry-built forts were rendered obsolete by exploding shells from rifled cannons [2-4]. Information technology and cybersecurity are constantly evolving and therefore require constant attention and iterative, sometimes radical, adjustments. For example, a critical vulnerability in a foundational component (e.g., sudo, Meltdown/Spectre) sends the industry scurrying to immediately assess, mitigate active environments, and make plans for more tactical or strategic changes [5][6]. One may only be required to inspect a bridge every two years, but IT needs daily attention to maintain appropriate levels of hardness.


As you can tell, I'm a big fan of looking at things in different ways. Perhaps looking at your cybersecurity from the perspective of hardness will provide some interesting insights for you and where you might want to prioritize attention. Is it composed of the right components, such as architecture, infrastructure components, security/management services, etc. (materials)? Are the right people with the right skill set in place, and is everyone educated effectively? Do you have the right processes and procedures in place for things like implementation, operation, monitoring, and response? How resistant is your IT environment to attacks, how easily can things be repaired, and will there be a major impact to your organization (reputation or otherwise) if your environment gets scratched?


Hardness, when it comes to cybersecurity:

· Being perfect is extremely hard (if not impossible)

· Striving for perfection is very hard (but usually worthwhile)

· Being good is hard (worthwhile and usually expected)

· Working hard but in the wrong ways … spin the roulette wheel, hope you stay lucky

· Being pretty good (average) is not so hard … spin the roulette wheel, hope for the best

· Not trying or caring is easy … don't bother spinning the roulette wheel, even luck will not likely save you


References


[1] https://geology.com/minerals/mohs-hardness-scale.shtml

[2] https://www.nps.gov/subjects/forts/about.htm

[3] https://historicsites.nc.gov/all-sites/fort-fisher/plan-your-visit/exhibits

[4] https://home.nps.gov/goga/learn/historyculture/american-third-system.htm

[5] https://us-cert.cisa.gov/ncas/current-activity/2021/02/02/sudo-heap-based-buffer-overflow-vulnerability-cve-2021-3156

[6] https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/

Interesting article and nice photo of the Walkway over the Hudson.
