Observing Cybersecurity Awareness Month.
the cyberwire logoOct 2, 2023

What to make of Cybersecurity Awareness Month. (And whatever else it is, cybersecurity isn't a one-month season.)

Observing Cybersecurity Awareness Month.

October is Cybersecurity Awareness Month, and this year the US Cybersecurity and Infrastructure Security Agency (CISA) has announced a theme: “Secure Our World.” As CISA explains, “Not only will Secure Our World remain a consistent theme for every Cybersecurity Awareness Month in the future, but it will also launch as CISA’s new cybersecurity awareness program.” 

CISA wants to help us “secure our world.”

The idea behind the campaign is to educate Americans about simple ways they can improve their cyber hygiene. The four main recommendations are using strong passwords, activating multifactor authentication, recognizing and reporting phishing scams, and updating software to ensure all security patches and salutations have been installed. The agency has created a “Secure Your Business” web page that focuses on corporate cybersecurity advice, and a page dedicated to tools geared toward small and medium-sized businesses. CISA and the National Cybersecurity Alliance (NCA) joined forces to develop a Partner Toolkit complete with a PDF guide, a sample email to spread the word to employees, and a Cybersecurity 101 presentation to educate staff and other stakeholders. As well, CISA will be offering a series of free webinars throughout the month. 

NIST and the history of Cybersecurity Awareness Month.

The President and Congress first declared October Cybersecurity Awareness Month in 2004, meaning this year marks its 20th anniversary. In honor of this milestone, the National Institute of Standards and Technology (NIST) has shared a timeline summarizing the history of the agency’s cybersecurity program. NIST will also be offering a blog series covering various topics of interest, and hosting events throughout the month including a Block Cipher Modes of Operation workshop, a social media challenge, and Cybersecurity Career Week. 

A look at how the situation has changed over twenty years.

Arvind Nithrakashyap. Co-Founder and CTO at Rubrik, offered reflections on what’s changed in twenty years, and what’s remained the same. He began with three changes in the security environment that have made a marked difference:

  1. The mobile revolution. The iPhone wasn’t introduced until 2007. Today, there are more than 4.6 billion smartphones worldwide, according to Statista. Add the more than 14.4 billion Internet of Things devices – connected cars, smart appliances, smart city technologies, intelligent healthcare monitors, etc. – and you have a threat landscape that few could have imagined 20 years ago.”
  2. Digital payments. The growing popularity of digital payments over cash is not only changing how people interact with money, it has opened up new opportunities for phishing scams, card information theft, and payment fraud. And, cryptocurrency, which didn’t exist until the late 00s, accounts for the vast majority of payments to ransomware attackers.”
  3. AI. Everyone is talking about artificial intelligence in 2023, but that wasn’t the case two decades ago. Now, AI is giving cybercriminals a powerful new tool to execute attacks while also turning out to be an effective weapon against hackers.” 

And, symmetrically and appropriately, there are three areas Nithrakashyap thinks have remained much the same over the years.

  1. On prem data. Despite the rise of cloud computing, many companies continue to house critical data in their own private databases and servers. This means protecting on-prem data remains, then as now, a key part of the security equation.”
  2. Public infrastructure. ‘By exploiting vulnerabilities in our cyber systems, an organized attack may endanger the security of our nation's critical infrastructures,’ said the White House’s National Strategy to Secure Cyberspace in 2003. The nation still worries a great deal today about how to defend energy systems, dams, and other assets from cyberattack.”
  3. Security infrastructure. The cybersecurity industry used to focus on infrastructure security solutions involving the network, the applications, the end points, the cloud, the logs, etc. It still does. Those solutions remain core to a solid security strategy, though there is growing awareness that newer data security frameworks like Zero Trust are needed for fully realized defenses.”

Above all, Nithrakashyap believes that the enduring challenges remain centered on data. That’s generally recognized, and it’s generally recognized because it’s true: data are everything.

Awareness might not be enough.

Awareness without action is futile, just as action without awareness is blind. 

James Hadley, CEO and Founder of Immersive Labs, commented, "Cybersecurity awareness month has good intentions. But, if organizations are focused on awareness alone, they're losing. Awareness is not enough for organizations to achieve true cyber resilience. Resilience means knowing that your entire organization has the knowledge, skills, and judgment to respond to emerging threats, backed by data. Businesses need proof of these cyber capabilities to ensure that when an attack inevitably happens, their organization is prepared to respond.”

He argued that the go-to methods of training and certification have fallen short and will continue to do so. “Outdated training models and industry certifications that organizations have traditionally relied on have failed to make them safer and instead have created a false sense of security — which is why nearly two-thirds of security leaders now agree that they are ineffective in ensuring cyber resilience.”

He advocates a more thoughtful, comprehensive approach to training. “Continuous, measurable exercising across your entire workforce — from the store room to the board room — provides businesses with the insights they need to understand the current state of their cyber resilience and where their weak points lie. It also creates a more positive cybersecurity culture that encourages reporting rather than punishing employees when a breach does happen. With top-to-bottom cybersecurity education, organizations are moving beyond awareness and can ensure that their data is secure."

And one month out of the year isn’t enough, either.

James Lapalme, Vice President and GM for Identity at Entrust, believes it’s fine to observe the annual Cybersecurity Awareness Month, but a temporary gesture will do little to improve security.

"While we can recognize Cybersecurity Awareness Month, it's important that we prioritize cybersecurity all year round,” Lapalme wrote. “Threat actors are constantly threatening organizations in unique and rapidly evolving ways, and business leaders need to remain nimble to ensure that their systems and teams are prepared for these evolving risks.”

Since cybersecurity involves the things people do to one another with computers and networks, familiar families of threats persist and evolve, because their targets are human beings. Lapalme said, “As we’ve seen in the news in recent weeks, spear phishing and social engineering attacks have become a common way for bad actors to create realistic scams that can slip by even the most knowledgeable employee. And, with the advancements in generative AI, adversaries can accelerate the potential impact of these attacks to gain access to sensitive data. The reputational and monetary losses these organizations and their customers experience can be felt for years to come.”

Some sound practices can become misunderstood as panaceas, or used almost as talismans. “Organizations have become so reliant on credentials that they have stopped verifying identity, so to get access or reset access, all you have to do is to give a code or answer a secret question,” Laplame pointed out. They can lull an organization into a false sense of security. “While that is convenient from a productivity perspective, it leaves the door open to cyber-attacks, which is why we’ve seen these spates of compromises.

There are, however, methods and approaches that offer promising alternatives to the naive and simplistic reliance on credentials. “Rather than rely on individuals who are frequently too caught up in day-to-day tasks to notice the subtle nuances of these scams, organizations need to evolve their technology response and look to phishing-resistant identities. Methodologies to achieve a high assurance level of Identity verification are Certificate-based authentication for both user and device verification, risk-based adaptive set-up authentication, and implementing ID verification as part of authentication process (or as a high assurance authentication strategy) for high value transactions and privileged users are all ways for businesses to build out their Zero Trust, explicitly Identity verified strategies and ensure the security of users even as new threats continue to emerge.”

And again, awareness isn’t a one-time exercise. “It's important to understand that cybersecurity awareness is never really over. Good enough is not good enough. With the ever-evolving threat landscape, it's essential for organizations to stay ahead of the curve and continue to keep evolving their technology to protect and future-proof their businesses against the ever changing threat landscape."

Reflections on a career in cybersecurity.

It can’t be overlooked that cybersecurity requires people who specialize in the field, who put organizations in a position to enable their people to work and succeed securely. Georgia Weidman, Security Architect at Zimperium, offered some thoughts about how you might find a career in the field.

“Classically people have entered cybersecurity as network or system admins or as programmers,” Weidman wrote in emailed comments. “The admins traditionally come from a more technical training background (but not always) and the programmers traditionally come from a more Computer Science (CompSci) or Computer Engineering (CompEng) or Software Engineering (SoftEng) background (but not always).”

This kind of training can provide an initial advantage to those entering the field. “At the beginning of their careers, it’s often the more technically trained people who get out of the gates the fastest. They know the tools, they often know the techniques, and they have usually been exposed to many of the practices, so picking up a specific environment’s tactics, techniques, and procedures is pretty easy. The more generalist CompSci/CompEng/SoftEng folks have a good understanding of theory, but not so much experience at practice and their initial learning curve is often steeper and thus they get out of the gate more slowly. That said, as they move forward with their careers, the depth and breadth of knowledge they picked up in their degree programs will likely come into play for solving more complex problems.”

Such differences in background tend to wash out after a few years of experience: 

“For people who want to do nothing but the hands-on elements of cybersecurity, any of these paths work and after a few years in the trenches the individual practitioners do not really stand out on the basis of their respective backgrounds.

“However, it is often the case that, having spent time in the trenches, some practitioners will realize that their tools do not do all that they would like them to do, and they are inspired (or cursed) to attempt to build their own tools. Generally speaking, the programmers with those more general CompSci/CompEng/SoftEng degrees will have an easier time ramping up their efforts to actually write software instead of just use it. Writing performant, scalable, secure, relatively bug-free, user-friendly code is an entirely different skill set than cybersecurity, so building cybersecurity tools benefits from the theory and practice afforded by the more general degrees. Again, some folks from the admin path or the cybersecurity degree will excel at this, there’s no one true path, but in general, at sufficient scale, these principles are useful guides. 

“Some number of the folks will eventually decide that they want to move into management, and, I'm sorry to say, very little any of these college programs would have taught them anything about how to be an effective leader or manager–or that there’s a difference. 

“And some number who previously made the leap into tool makers will decide that they should be entrepreneurs and turn their tools into startups. God help them. Because like management, none of these college programs will have taught them a thing about the world of startups!” 

Thus there are many potential ways into a career in cybersecurity. Weidman offers some final advice for aspiring cybersecurity specialists. “In the end, the best bet is to thoroughly explore your options and find the degree program that truly resonates with your wants and desires. In cybersecurity, your career is informed by your degree but not defined by your degree.” And learning doesn’t end with degree or certificate completion. “Whichever path you take, the only real guarantee is that you will not know enough and you will be learning every day you pursue this career. So, learn to learn. And then get out here and help us make everyone more secure!”