get breached? An attacker used an SSRF attack on a WAF to access S3 buckets.
Why could the attacker use an SSRF flaw? The WAF was vulnerable.
Why could the WAF (or a machine behind it) get to so much data? An IAM role had excessive permissions.
Why would they give a single role all those permissions? People told them not to. They did it anyway.
Why did they do it anyway? The decision makers didn’t understand (or care about) the risk.

and risk assessments
VPN attacks, RDP and SSH brute force, CVEs, zero days, botnets
Three-tier architectures, network security, encryption key management
How malware works, cyber kill chain, threat modeling
How your machine will be the pivot point into or within the cloud
Why systems exposed to the Internet are a serious risk, segregation of duties
How attackers hide in network traffic – C2 tunnels, web shells, proxies
IDS / IPS, SIEM, DFIR, chain of custody, governance, Etc. Etc. Etc.

know why. Security people tell developers to do things. Developers think it’s a big waste of time. Developers need cybersecurity training. Developers ARE your security team now! Train them so they make the right decisions. Developers are your cyber warriors.
know basic cybersecurity. Even if they did, they don’t have a way to measure it. Cybersecurity at the end of the day is about risk. How can you measure risk if you don’t know what the risks are? How can you measure risk if you don’t have metrics? Executives understand complex financial reports. They can understand basic cyber well enough to evaluate risk. In addition – where to invest to effectively reduce risk.
full time and security awareness. Threat research, intelligence, and hunting. Security monitoring. Incident handling and response. Evaluating and auditing systems and architectures. Pentesters, red teams, bug bounties. And hopefully… security automation.

Takes time
Govern what people can do
Create alerts and auto-remediation
Build in metrics for executives who understand what they mean
Return on investment – lower cost of data breach

to understand what increases cybersecurity risk. Use security automation to prevent and detect errors and attacks. Measure cyber risk to understand where it exists within your organization and your level of exposure - so you can reduce it!
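
An added example, not part of the original slides: one way to automate detection of the condition named in the breach analysis above, an IAM role policy that allows wildcard S3 actions on wildcard resources. The policies, Sids and bucket name below are constructed for illustration.

```python
import json

def _as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _broad_action(action):
    # "*" or any S3 action containing a wildcard, e.g. "s3:*" or "s3:Get*"
    a = action.lower()
    return a == "*" or (a.startswith("s3:") and "*" in a)

def _broad_resource(resource):
    # Every resource, every bucket, or every object in every bucket
    return resource == "*" or resource.startswith("arn:aws:s3:::*")

def excessive_s3_statements(policy):
    """Return (sid, reason) for each Allow statement that pairs wildcard
    S3 actions with wildcard resources. Deny statements are ignored."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            # An Allow with Not* matches everything that is not listed
            findings.append((sid, "Allow with NotAction/NotResource"))
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if _broad_action(a)]
        resources = [r for r in _as_list(stmt.get("Resource")) if _broad_resource(r)]
        if actions and resources:
            findings.append((sid, f"{actions} on {resources}"))
    return findings

# Constructed sample policies (not taken from any real account)
BROAD = json.loads('{"Version": "2012-10-17", "Statement": {"Sid": "WafRole",'
                   ' "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],'
                   ' "Resource": "*"}}')
SCOPED = json.loads('{"Version": "2012-10-17", "Statement": [{"Sid": "OneBucket",'
                    ' "Effect": "Allow", "Action": "s3:GetObject",'
                    ' "Resource": "arn:aws:s3:::example-waf-logs/*"}]}')

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, excessive_s3_statements(policy))
```

The number of findings per role is the kind of metric that can feed an alert, an auto-remediation job or an executive report.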