A Cybersecurity Three Pointer: How Basketball Explains Risk in the Cloud
November 5, 2018
Basketball season is in full swing, which means we’re in for some long-range Steph Curry three-pointers, savage Giannis Antetokounmpo dunks, and an endless supply of Gregg Popovich memes. Teams have to be ready for anything in the course of the season, and those most able to be agile and react to change are the ones best prepared to weather the long, 82-game season and ultimately come out on top in the playoffs.
Critics, philosophers, and guys sitting at the end of the bar have all attempted to correlate basketball with just about everything else that exists in our world. Why not cybersecurity? There’s drama, there’s movement; it’s both science and artistry. Both are populated with legendary flakes and characters, as well as serious students of their trade. And as any guard who has taken his eyes off Steph Curry for even a microsecond knows, cybersecurity events can wreak havoc on your organization’s anticipated outcomes in the blink of an eye.
We also know that, much like the hapless Washington Generals, the state of cybersecurity isn’t pretty. Breaches and hacks continue to make regular news, and it’s often the same story — misconfigured virtual machines, inadvertently open repositories, DDoS attacks, and a host of offenses that somehow go undetected and lead to catastrophic results for organizations and the people whose data they are supposed to protect.
In recent weeks, Lynda.com discovered that Garmin had an exposed MongoDB database that contained hundreds of thousands of customer records. CRM startup Apollo was also hacked, to the tune of 200 million contacts whose data was stolen from virtual databases. The list goes on, and it’s an all-too-familiar story. Yet, like die-hard fans who keep watching their team and wondering, “Why aren’t we winning?”, many observe what’s happening in the state of risk and threats and question why more isn’t being done to protect organizations and their people.
There aren’t easy answers. Some of it is due to lack of knowledge, some to organizational restrictions, and some organizations are happy to plop their heads in the sand. But at stake is something more than a pennant; we’re talking about the health of a business and the privacy of individuals.
We’re all potential targets for hackers, but for organizations that have not taken the necessary precautions to protect themselves, the game can shift in an instant.
Achieving some sense of control over bad actors and their criminal intentions isn’t simple, and it requires a game plan. The approach looks like this:
- Instill and use security best practices across all areas of the organization: This is mostly about human behavior, but when the notion of security is baked into people, they become vigilant and aware, which are probably the two most important ingredients in thwarting attacks. Besides keeping bad actors out of their applications, enterprises should make it hard to get into their buildings and insist that employees use complex passwords. Screen protectors that limit visibility to prying eyes and rules about “no piggybacking” into the office are all aspects of a group that truly cares about what it does and acts in a way that supports that.
- Secure the cloud stack: All the benefits of the cloud (its agility, elasticity, and scalability) are built upon a flexible set of layers that make it a desirable solution for 21st-century enterprises. Inherent in that model are, by definition, multiple potential points of access that are best secured through behavioral requirements, policies, continuous monitoring, and automation of detection and remediation. By paying attention to the different pieces of the cloud stack and addressing their unique security needs with these preparations, your environment will be far more resistant to ransomware threats.
- Use a security and compliance platform to provide continuous monitoring and automation: You can’t manage what you don’t know. Enterprises have to progress beyond the security frameworks of the legacy systems that governed their on-premises environments if they want to truly protect their cloud environments. Even if you’ve secured all the layers of your cloud stack, unless you’re continuously monitoring it, you just don’t know where the potential risks are. Far too many organizations treat security as a one-and-done proposition, which could be a killer.
A little-known, but wildly influential and thoughtful coach named Scotty McDonald once said, “Don’t try to out-rebound your man. Keep him out of the rebounding area, to begin with, and the rest is simple.” Keeping people — bad people — out of your cloud environment is hard, but it’s the essence of our job in the world of cybersecurity.
Basketball is bound by rules and operates within a defined framework. There are times, indeed, when a public cloud mirrors the four quarters of the hoops universe: a smooth playing surface, layers of protection, and even crafty actors who focus on disruption and deception. But the cloud can seem chaotic at times, and the way to address it is to apply an orderly framework; in this case, it’s a framework of security and compliance that can be applied as a full-court press.