Invitation to Cybersecurity

9. The Application of Cybersecurity: Principles and Practices 231

where. Imagine being put in charge of cybersecurity for a small organization—maybe a non-profit that does not have the budget to hire a seasoned expert and has virtually no cyber program in place. The task is daunting because the threat is real and there is so much to do. The principle of security as a process provides some breathing room. Not everything has to be completed on day one. Pick a place to start, such as inventorying the organization’s cyber assets, implementing a new security process, or installing a piece of technology, and come back the next day and do a little more. Each day the goal is to be more secure than the day before. A strong cybersecurity posture is achieved over time through incremental improvements.

This principle is also humbling in a helpful way. When it comes to cybersecurity, one never arrives. As organizations, technologies, and cyber attackers change, cybersecurity must adapt. Last year’s product or process may not be the best choice this year. Even best practices change over time as we learn more about what makes for effective cyber defense. Pride comes before the fall, and this principle inhibits pride. There is always more to learn and more to do.

For example, new cyber vulnerabilities are discovered every day. Several free and publicly available resources are continually updated so that organizations can learn about the latest vulnerabilities (see Table 9.1). Technologies such as antivirus software and vulnerability scanners rely on these resources to keep their databases up-to-date.

Table 9.1 Catalogs and bulletins for cybersecurity vulnerability awareness.

The Common Vulnerabilities and Exposures (CVE) catalog was established in 1999 and has become the primary source of information for cyber vulnerabilities. CVEs are published every day, describing newly found vulnerabilities in every kind of software product. They are the standard by which vulnerabilities are named and categorized—they keep everybody in the cybersecurity community on the same page. Without CVEs, people would have different ways of referring to the same issues, preventing collaboration, dissemination, and the efficient flow of information.

Some CVEs are famous because they became front-page news. CVE-2014-6271 (the 6271st CVE added in 2014) was dubbed ShellShock because it disclosed a vulnerability in Bash, a command-line interpreter used in many Linux systems (see Figure 9.7). It was easy to exploit, could lead to arbitrary code
