Since 2004, the President of the United States and Congress have declared the month of October as Cybersecurity Awareness Month, a month dedicated to raising awareness about the importance of cybersecurity and encouraging the public and private sectors to work together. This year marks 20 years of effort.
The Cybersecurity and Infrastructure Security Agency (CISA) puts forth snappy PDFs, infographics, partner kits, advertisements, etc. They make the rounds on television to talk it up.
So, how are we actually doing?
After 20 years, we should be able to show some serious progress, right?
Well, things are not so great. Any way you measure it, we have not made meaningful strides in curbing cybersecurity problems.
Cyber concerns continue to be at the top of the lists of most private and public sector organizations.
Over the past three years, organizations have paid an estimated $1.9 billion in cryptocurrency to organized criminals due to ransomware attacks, according to a recent report by Chainalysis. As a result, those criminals are now better funded than many nation-states.
Last week, CISA and the National Security Agency (NSA) released a joint cybersecurity advisory (CSA) to highlight the ten most common cybersecurity misconfigurations.
If they had issued this CSA a decade ago, I bet it would have said many of the same things.
NSA and CISA: Top Ten Cybersecurity Misconfigurations
1. Default configurations of software and applications
2. Improper separation of user/administrator privilege
3. Insufficient internal network monitoring
4. Lack of network segmentation
5. Poor patch management
6. Bypass of system access controls
7. Weak or misconfigured multifactor authentication (MFA) methods
8. Insufficient access control lists (ACLs) on network shares and services
9. Poor credential hygiene
10. Unrestricted code execution
For example, look at Number 3: insufficient internal network monitoring. It’s impossible to protect something that you cannot see, yet this is near the top of the list.
We created the first version of PacketWatch more than five years ago to address this critical issue. Since then, it has grown into an amazing tool, allowing threat hunters to monitor and analyze network traffic in incredible detail.
I always enjoy watching our analysts brief clients on what is really happening on their networks.
“That can’t be!” is the common refrain, or, “We have a policy against that.”
Well, here is a packet capture (PCAP) to prove it!
So, while I am grateful to CISA for the cool infographics and toolkits each October, let’s get back to the basics and focus on these 10 items as the CSA urges.
Until then, let’s make every month cybersecurity awareness month. 1 out of 12 (or 8%) simply isn’t enough.