Invitation to Cybersecurity

9. The Application of Cybersecurity: Principles and Practices

Cybersecurity is only necessary because of the existence of people who deliberately attack computer systems and networks. Therefore, adversarial thinking is central to cybersecurity. Chapter 6 focused on this principle as the fundamental skill of cybersecurity. The principle of adversarial thinking states that one must never forget about the existence of intelligent human hackers. Maintaining constant awareness of their technological capabilities, unique perspectives, and strategic reasoning skills results in more vigilant and better cybersecurity practice. Forgetting or underestimating the adversary results in naive choices that create vulnerabilities that can be exploited by hackers. Cyber defenders must be able to think like a hacker.

Every security context, including cybersecurity, contains three fundamental components: bounty, barriers, and bad guys. The bad guys must breach the barriers in order to get their hands on the bounty. There is a temptation to focus on the value of the bounty and on bolstering the barriers while ignoring the bad guys. But, if we get so focused on any one cybersecurity best practice, technology, tool, etc., that we forget about the bad guys, we do so at our own peril. We need to frequently lift our eyes from the barriers and put ourselves in the shoes of the bad guys who are sizing up our defenses and looking for cracks. This principle does not downplay the importance of best practices—they are absolutely necessary—it just stresses that we should always follow them while remembering the reason it all exists: hackers.

Following the principle of adversarial thinking should shape everything an organization does. Onboarding new employees? They must be made aware of the cyber threat and how they can help keep the organization safe. Purchasing new technology? This increases the organization’s cyber footprint, so it must be installed with appropriate cybersecurity parameters and monitored for malicious activity. Writing new software? It must be designed and tested with cybersecurity in mind. The list goes on and on. Cyber vigilance naturally follows from keeping the cyber adversary at the forefront of one’s mind.

9.1.2 Depth Wins

“We [being cyber attackers] put the time in … to know [the network] better than the people who designed it and the people who are securing it. You know the technologies you intended to use in that network. We know the technologies that are actually in use in that network.”
- Rob Joyce, former head of NSA’s Tailored Access Operations group

In 2016 Rob Joyce, once known as the nation’s Chief Hacker, gave a rare public presentation in which he “gave away” the secrets of nation-state hacking. His main message was that cyber attackers succeed because they know more than the cyber defenders—more about the target network and how the technologies work on that network. This is the depth wins principle. This principle states that the success of cyber attacks and cyber defense often comes down to who knows more.
