Introduction to cybersecurity
Our dependence on the internet, corporate networks, and digital devices have far exceeded what was even imaginable only a few decades ago. Governments, corporations big and small, and individuals the world over rely on interconnected digital systems and technology for every aspect of their commerce, finance, and communication.
The challenge of securing personal information, intellectual property, and critical data has increased in parallel to our use of and dependence on technology. Motivated by politics, social activism, or greed, threat actors reach to every corner of the globe to intercept, exfiltrate, or disrupt the ever-increasing flow of data. Even wars today are fought in cyberspace.
Cybersecurity has become a pervasive need. A rapid increase in threats against data systems and breaches of sensitive information has created a deficit of individuals qualified to devise and execute sufficient security controls. There exists in the workforce today a recognized need for technically-capable people to join the ranks of cybersecurity professionals.
This guide is intended to provide an introduction to the field of cybersecurity. Beginning with a few of the relevant terms and expressions used in the industry, some important security principles, and providing a brief historical overview; the following will give those considering a career in this practice a bird’s-eye sketch of what to expect.
Cybersecurity terms, principles, and history
To understand the vast world of cybersecurity or any technical field for that matter, the learner must master the words and phrases unique to that specialty. These terms and expressions will often have a related, but not entirely accurate meaning in general non-technical use. Without a clear understanding of how security professionals use certain words and phrases, learning about this specialty can be very confusing.
Many words routinely used in security have such obscure origins that it is difficult to use them correctly without an understanding of their history. As an example, the term pwn, or pwned, is commonly used by hackers. To understand how threat actors use pwn, it is helpful to know that this word likely comes from a common mistyping of “own” as a result of the proximity of the letter P to the letter O on a keyboard. So if a hacker claims to have pwned a person or organization, they are laying claim to owning or conquering them.
The following definitions explain some of the terms, abbreviations, and acronyms commonly used in the security field.
Attack surface: The attack surface of a software-based system is the sum of the different locations (logical or physical) where a threat actor can try to enter or extract data. Reducing the attack surface as small as possible is a primary security measure.
AV: Antivirus is a type of security software that scans for, detects, blocks, and eliminates malware. AV programs will run in the background, scanning for known malware signatures and behavior patterns that may indicate the presence of malware.
Brute-force attack: A brute force attack is an attempt to decipher a username-password combination by trial and error. It is performed with software designed to try large samples of known username-password combinations. This method is an old attack method, but it’s still useful and popular with hackers.
Cryptoworm: A form of malware that spreads like a worm and encrypts victims’ data.
Data breach: A data breach refers to a security event where unauthorized users steal sensitive information from an organization’s IT systems. Often, stolen data is personally identifiable information (PII) or financial information, both of which are valuable on the dark web.
EDR: Endpoint detection and response is a type of security tool that focuses on detecting and mitigating suspicious activity on devices and hosts. The value of EDR is the ability to detect advanced threats that may not have a recorded behavioral pattern or malware signature.
Firewall: A firewall is a network security system that monitors and controls the network traffic based on specific security rules. A firewall usually establishes a barrier between a trusted internal network and an untrusted external network, such as the Internet.
Honeypot: A honeypot is a piece of software code designed to detect, deflect, and counteract attempts at unauthorized use of information systems. A honeypot consists of data appearing to be a legitimate part of the site but is isolated and monitored. The data seems to contain information, or a resource of value, to attackers, who are then blocked.
IPS: An intrusion prevention system (IPS) is a form of network security that works to detect and prevent identified threats. Intrusion prevention systems continuously monitor a network, looking for possible malicious incidents, then capturing and reporting information about them.
Malware: Malware is malicious software that propagates via an email attachment or a link to a malicious website. It infects the endpoints when a user opens the attachment or clicks on the link.
NIST: The National Institute of Standards and Technology (NIST) is a non-regulatory entity under the umbrella of the United States Department of Commerce. NIST Publication Series 800 provides a comprehensive listing of information security measures and controls based on extensive research.
Phishing/Spearphishing: A malicious email that tricks users into surrendering their user credentials. The email may appear legitimate as if coming from a bank and ask the user to reset their password. Phishing attacks take advantage of mass email programs. In a spearphishing attack, an individually-crafted email targets a specific key executive or decision-maker.
Ransomware: Ransomware is a class of malicious software that prevents the end-user from accessing a system or data. The most common form is crypto-ransomware. This type of ransomware makes data or files unreadable through encryption and requires a decryption key to restore access. Another form, locker ransomware, locks access rather than encrypting data. Attackers typically request a payment, often in the form of bitcoins, to decrypt files or restore access.
Ransomware attack: During a ransomware campaign, hackers often use phishing and social engineering to get a computer user to click on an attachment or a link to a malicious website. Some types of ransomware attacks, however, don’t require user action because they exploit site or computer vulnerabilities to deliver the payload. Once a system is infected, the attack will launch an on-screen notification with the ransom demand.
Risk management framework: A Risk Management Framework provides a disciplined and structured process that integrates information security and risk management tasks into the system development life cycle. Essential components of an RMF include identification, measurement and assessment, mitigation, reporting and monitoring, and governance.
Security misconfigurations: Security misconfigurations result from the improper implementation of security controls on devices, networks, cloud applications, firewalls, and other systems. They can lead to data breaches, unauthorized access, and other security incidents. Misconfigurations can include anything from default admin credentials, open ports, and unpatched software, to unused web pages and unprotected files.
SOC: A security operations center (SOC) is a central location where cybersecurity personnel carry out threat detection and incident response processes. They employ security technologies that make up an organization’s security operations.
SQL injection: A SQL injection is a technique that inserts structured query language (SQL) code into a web application database. Web applications use SQL to communicate with their databases. Attackers can use SQL injections to perform actions such as retrieval or manipulation of the database data, spoofing user identity, and executing remote commands.
Tor: Tor is free and open-source software used to enable anonymous communication. Its name is derived from an acronym for the original software project name “The Onion Router” and is sometimes referred to as such. Tor directs Internet traffic through a free, worldwide, overlay network consisting of more than seven thousand relays. It conceals a user’s location and usage from anyone conducting network surveillance or traffic analysis.
VA: Vulnerability assessment is the process of identifying, classifying, and prioritizing vulnerabilities in digital business systems. Assessments can focus on internal, external, or host-based vulnerabilities.
VM: Vulnerability management solutions identify, track, and prioritize internal and external cybersecurity vulnerabilities. They optimize cyberattack prevention activities such as patching, upgrades, and configuration fixes.
Principles of cybersecurity
An effective cybersecurity program must adhere to a set of sound security principles. How these principles are implemented within each organization will vary, but the basic principles remain consistent. While each individual principle may be articulated differently for any given organization, governing cybersecurity policies should include a close variant of the following four concepts.
Identifying and managing security risks
Organizational security-related risks are identified and managed under the direction of a chief information security officer. This leader identifies and documents the value of systems, applications, and information owned or controlled by the organization. As directed by the CISO:
- The required confidentiality, integrity, and availability of systems, applications, and information is determined and documented.
- Security risk management processes are embedded in risk management frameworks applicable to the organization and its mission.
- Security risks are to be identified, documented, managed and accepted both before systems and applications are authorized for use, and continuously throughout their operational life.
Implementing security controls to reduce security risks
Security controls must be developed, acquired, and applied to protect the organization’s systems, applications, and information. Methods by which enforcement and compliance can be monitored and reported must be devised. Security controls, or processes, used to reduce risk include:
- Systems and applications are to be designed, deployed, and maintained according to their value. This value calculation should include the system’s confidentiality, integrity, and availability requirements.
- Systems and applications must be delivered and supported by trusted suppliers and configured to reduce their attack surface.
- Systems and applications must be administered in a secure, accountable, and auditable manner.
- Security vulnerabilities in systems and applications are identified and mitigated promptly.
- Only trusted and currently supported operating systems, applications, and computer code can execute on systems.
- Information is encrypted at rest and in transit between different systems.
- Information communicated between different systems is controlled, inspectable, and auditable.
- Information, applications, and configuration settings are backed up in a secure and proven manner regularly.
- Only trusted and recently vetted personnel are granted access to systems, applications, and data repositories.
- Personnel are granted the minimum access to systems, applications, and data repositories required for their duties.
- Multiple methods are used to identify and authenticate personnel to systems, applications, and data repositories.
- Personnel are provided with ongoing cybersecurity awareness training.
- Physical access to systems, supporting infrastructure, and facilities will be restricted to authorized personnel.
Detecting and understanding cybersecurity events
Security events and anomalous activities must be detected and analyzed promptly. Tools and applications used to achieve these policies include:
- Intrusion Prevention System (IPS)
- Endpoint Detection and Response Systems (EDR)
Responding to and recovering from cybersecurity incidents
In today’s business environment, the likelihood of a cyberattack is relatively high. Being prepared to respond and recover is paramount. Policies around this capability should include:
- Cybersecurity incidents must be identified and reported both internally and externally to relevant bodies promptly.
- Cybersecurity incidents are to be contained, eradicated, and recovered from immediately.
- Business continuity and disaster recovery plans are to be enacted when required.
A brief history of cybersecurity
Cyber attacks span back through history to the 1970s. In 1971 Digital Equipment Corporation’s DEC PDP-10 mainframe computers working on the TENEX operating system started displaying the message, “I’m the creeper, catch me if you can!” Dubbed Creeper, this worm spread using the ARPANET, a forerunner to the Internet. It was created by Bob Thomas and was designed only to see if the concept was possible. Creeper laid the groundwork for viruses to come.
In response to the Creeper virus, Ray Tomlinson created Reaper. Reaper was the first antivirus software and was designed to move across the ARPANET and delete the self-replicating Creeper worm.
In September of 1983, the first cybersecurity patent was granted. Massachusetts Institute of Technology (MIT) was awarded this patent for a “cryptographic communications system and method.” It introduced the Rivest-Shamir-Adleman (RSA) algorithm. RSA is one of the first public-key cryptosystems and is widely used for secure data transmission.
In 1986 the Computer Fraud and Abuse Act (CFAA) was enacted to address hacking. It has been amended several times over the years to cover a broad range of conduct. The CFAA prohibits intentionally accessing a computer without prior authorization but fails to define what that means.
Also in 1986, Lawrence Berkeley National Laboratory systems manager Clifford Stoll learned that someone was hacking into the lab’s computer system. This discovery was made when Stoll tried to correct a 75-cent accounting error. Using a honeypot, Stoll determined that the lead hacker is Markus Hess, who had been selling information exfiltrated from hacked computers to the KGB. Hess and his accomplices were arrested by German authorities and convicted of selling stolen data to the Soviet Union. They only received suspended jail sentences.
In 1988 a Cornell University graduate student named Robert Morris released several dozen lines of code, which replicated wildly and spread to thousands of computers worldwide. The Morris Worm crashed about 10 percent of the 60,000 computers then linked to the Internet. Morris became the first person convicted by a jury under the CFAA.
Cybersecurity systems, as we think of them today, really started to become popular in the early 1990s. Antivirus (AV) software was the first mass-produced cyber protection application on the cyber landscape. They appeared in the late 1980s, but the masses did not convert to the idea that they were necessary for several years.
These first antivirus systems, initially called AV scanners, were simple in functionality. They essentially scanned all the compiled code on a given system. They tested them against a database of known malicious signatures. The thinking was that as new viruses were discovered, these databases would be updated to watch for the new malware.
Researchers soon found out, however, that staying ahead of the bad guys was no easy task. The number of malware samples to check against grew from tens of thousands in the early 90s to millions of new samples each year twenty years later. It is estimated that by 2014 as many as 500,000 unique malware samples were being produced every day.
These early software applications were resource-intensive and tended to bog down their host system. They also frustrated users with too many false-positive results.
Secure Sockets Layer (SSL) internet protocol is the security protocol that allows people to do simple things like purchase items online securely. Netscape released SSL 1.0 in 1994. After improvements, SSL became the core of the language for safely using the web known as Hypertext Transfer Protocol (HTTP).
In 1999, Kevin Mitnick pleaded guilty to four counts of wire fraud, two counts of computer fraud, and one count of illegally intercepting a wire communication. As the self-proclaimed world’s most famous hacker, he was sentenced to 46 months in prison plus 22 months for violating the terms of his supervised release sentence for computer fraud.
In his 2002 book entitled, The Art of Deception, Mitnick asserts that he compromised computers only by using user names and passwords that he gained by social engineering. He maintains he did not use software programs or hacking tools for cracking passwords or otherwise exploiting computer or phone security.
In 1998, Microsoft Windows 98 was released, and this ushered in a whole new level of accessibility for the novice computer user. This increase in computer usage paved the way for software security systems to become common. Many new releases, updates, and patches soon followed. Security vendors discovered the vast market for security products intended for home users.
In 2003 the first universally known hacker group, Anonymous, emerged on the scene. This group can be defined as a decentralized online community acting anonymously in a semi-coordinated manner, usually toward loosely self-agreed goals. Over the years, dozens of people have been arrested for involvement in Anonymous cyberattacks around the world. Support of the group’s actions and effectiveness vary widely. Advocates have called the group freedom fighters and digital Robin Hoods. In contrast, critics have described them as a cyber lynch-mob or cyber terrorists. In 2012, Time Magazine called Anonymous one of the 100 most influential people in the world. In recent years, however, Anonymous’s media exposure has declined, and they have largely vanished from the popular culture’s lexicon.
The late 2000s brought a whole new level of cyber-attacks. Bad actors had developed an appetite for stolen credit cards. The years 2005 to 2007 were plagued with in ever-increasing frequency of data breaches.
To stem the flow of stolen data, governments around the world began to implement regulatory solutions. In the US regulation required that authorities be notified when a breach was discovered and that funds be set aside to compensate victims.
The increased regulation of the 2000s proved to be too little, too late. The sophistication of hackers spiked as the profits seemed limitless. Even nation-sanctioned bad actors with access to enormous funding could be observed battling for cyber-turf and waring over such prizes as online betting or gaming sites.
This decade saw the appearance and rise of Endpoint Protection and Response systems (EPR). The systems replaced the legacy AV systems by including the same basic functionality but are radically improved and enhanced.
Instead of relying on a static signature to identify viruses, EPR scan for malware families. Malware samples follow a progression or mutation and so they can effectively be recognized as belonging to certain families even when no known malware signatures are detected.
Notable cybersecurity attacks
Each year brings with it a new spate of cyberattacks. Some reported by the victims in compliance with ever-stiffening government regulations and some uncovered by Security Analysts. Largely because of their news value, the size of reported high-profile attacks is undoubtedly trending upward.
Some attacks catch the publics’ attention because of the name recognition of the victim. In contrast, others swindle large segments of the general population. Below are a few of the more notable cyberattacks over the last decade-plus.
Adobe released information in October 2013 about the massive hacking of its IT infrastructure. Personal information of 2.9 million accounts was stolen. Exfiltrated information included logins, passwords, names, and credit card numbers with expiration dates. Another file discovered on the Internet later brought the number of accounts affected by the attack to 150 million. To access this information, the hackers took advantage of a security breach related to security practices around passwords.
Adult Friend Finder
In 2015, this dating site was attacked for the first time. The information revealed included pseudonyms, dates of birth, postal codes, IP addresses, and sexual preferences of 4 million accounts. This stolen data was made public on a forum only accessible on Tor. Malicious actors obtained these files; however, no banking data had been hijacked. The following year, Adult Friend Finder faced a new attack, even more severe than the first one. This time more than 400 million files were exposed. The stolen information was less sensitive, but in total, 20 years of personal information were taken.
This marketing analytics firm left an unsecured database online that publicly exposed sensitive information for about 123 million U.S. households. The information included 248 fields of data for each home, ranging from addresses and income to ethnicity and personal interests. Details included contact information, mortgage ownership, financial histories, and whether a household contained a pet enthusiast. Names were not included.
Equifax, an American credit company, revealed, six weeks after the fact, that it had suffered a cyberattack over the course of several months. Detected in July of 2017, it contained personal data such as names, birthdates, social security numbers, and driver’s license numbers. It also exposed 200,000 credit card numbers. Victims included 143 million American, Canadian, and British customers.
ILOVEYOU, sometimes referred to as Love Bug or Love Letter for you, is a computer worm that infected over ten million personal computers on and after May 2000. It started circulating as an email message with the subject line “ILOVEYOU” and the attachment “LOVE-LETTER-FOR-YOU.
Personally identifiable information from up to 500 million guests at the Marriott-owned Starwood hotel group was compromised, beginning in 2014. The rift was first detected in September 2018. Data exfiltrated includes payment information, names, mailing addresses, phone numbers, email addresses, passport numbers, and even details about the Starwood Preferred Guest (SPG) account.
Petya is a class of encrypting ransomware that was first discovered in 2016. The malware targets Microsoft Windows-based systems. It infects the master boot record and executes a payload that encrypts a hard drive’s file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin to regain access to the system.
Variants of Petya were first seen in March 2016, which propagated via infected email attachments. In June 2017, a new variant of Petya was used for a global cyberattack targeting Ukraine. The new variant spreads via the EternalBlue exploit, which was used earlier in the year by the WannaCry ransomware. Kaspersky Lab referred to this latest version as NotPetya to distinguish it from the 2016 variants, due to these differences in operation. Although it claims to be ransomware, this variant was modified so that it is unable to revert its own changes and release the hard drive.
Sony’s PlayStation Network (PSN) was attacked in April 2011. This attack leaked the personal data of 77 million users. The banking information of tens of thousands of players was compromised. After the intrusion discovery, PSN, as well as Sony Online Entertainment and Qriocity, were closed for one month. Unfortunately, in November 2014, a subsidiary, Sony Pictures Entertainment, was attacked by malware. The “Guardians of Peace” stole 100 terabytes of data, including large quantities of confidential information such as film scripts, compromising emails, and personal data of 47,000 employees.
Target, the second-largest U.S. discount retail chain, was the victim of a massive cyberattack in December 2013. Data was hijacked between November 27 and December 15 of that year. The information taken included bank card records of 40 million customers and personal data of another 70 million customers.
In March of 2007, TJX Companies (parent of TJ Maxx) confirmed with the Securities and Exchange Commission that it had been attacked. A network intrusion carried out on its systems resulted in the loss of 45.7 million consumer records, making it the most significant such breach on record at that time.
WannaCry Ransomware Attack
The WannaCry ransomware attack was a May 2017 worldwide cyber-event. This attack employed the WannaCry ransomware cryptoworm which targeted devices running the Microsoft Windows operating system. It encrypted data and demanded ransom payments. It propagated through EternalBlue; an exploit developed by the United States National Security Agency (NSA) for older Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a few months before the attack.
In 2014, Yahoo announced it had suffered a cyberattack that affected 500 million user accounts, constituting the most extensive hacking of individual data directed against a single company to that date. Names, dates of birth, telephone numbers, and passwords were taken. It is now thought that as many as 3 billion user accounts may have been affected by this attack.
In what many security researchers view as a victory, albeit a small one, the security industry has made substantial improvements in the ability to assign attribution for cyberattacks. While attribution, per se, is still challenging to achieve, vast knowledge about the various current attack techniques, how they are deployed, and who uses them has been accumulated. This understanding allows researchers to make highly accurate educated guesses about the origins of an attack.
Knowing that security professionals are much better at attribution, the adversaries adapt. It is becoming more common for nation-state hackers and cybercriminals to try and imitate each other in an attempt to foil attribution efforts. They also learn from each other to increase their capabilities. Primarily, however, their objectives remain different. Cybercriminals are generally more interested in money, while nation-state hackers are interested in stealing intellectual property and causing disruption.
While activism was once a prominent motivation for hackers, that has significantly subsided. Political and social cause activists use the Internet and modern communication tools to their great advantage but are less often seen interrupting services or exfiltrating data.
Today, we have reached the point at which cybercrime is so sophisticated that it seems nearly impossible to prevent. Scrutiny is placed on how an enterprise responds once breached – essentially a not “if” but “when” paradigm. Corporate leaders vie for the most talented Chief Information Security Officers. These CISOs are focused mainly on organizational resiliency so they can appropriately manage events surrounding what is considered to be the inevitable data breach. Organizations that would not have previously believed they needed a CISO are now hiring search firms to locate the best and the brightest. While the demand is high, they often require advanced infosec related degrees.
Across the board, security professionals are asked to increase their level of education, gain new skills, and hone their craft in response to the increased capabilities of their adversaries. Organizations, large and small, have accepted the fact that significant resources must be allocated to cyber defense. Security departments are enjoying a larger share of the enterprise’s budget. They can, therefore, spend more to hire people with the desired education and certifications.
At one time, some employers were known to hire real-world hackers and convert them from the “dark side” to work for the good guys. In recent years, however, college degrees have become near mandatory for penetration testers, and the demand for security professionals with offensive security skills is growing every year.
The storied cybersecurity skills gap is mostly being solved by increased security budgets. While this challenge presents itself as an overwhelming shortage of people with the right cybersecurity skills, it is being solved by attracting talented, educated, and experienced IT professionals from other specialties.
Active defensive strategies
Cybercriminals, nation-state hackers, and hacktivists are all finding new and innovative ways to compromise digital assets. Some of the more prolific examples include:
- Using PowerPoint slides to run malicious code
- Using Microsoft Word documents to run malicious code
- Installing trojans that can use computer resources to mine cryptocurrency
- Using email spam to trick users
Many security organizations are becoming more inclined to employ defensive cybersecurity strategies. Contrary to what some may imagine, active defensive strategies do not include attacking adversaries. Active defensive strategies are that category of strategies that include a proactive element, rather than just waiting to be attacked.
The use of Pentesters or Ethical Hacker is an example of an active defensive strategy. These proactive activities are used to test static defenses and allow them to be fine-tuned.
Deception-based cybersecurity systems and processes are the best examples of active defense. A honeypot is the most basic of deception-based security. In more sophisticated schemes, security professionals will put decoy data and what appears to be attack points all over their systems.
This strategy gives the security team the opportunity to monitor these decoy points and record the behavior of an adversary. Once the bait has been taken, the security analyst can choose to simply shut down the attack or to use forensic analysis to monitor the threat actor further. Since only decoy systems and data are at risk, much can be learned from the attack and then employed to protect the real data systems.
These deception-based security systems can also be used to test the organization’s playbook for automated and manual responses. These can then be updated to improve their effectiveness.
Future of the cybersecurity industry
Historically security has been treated as an after-thought or, at best, a side-track. Growing cybersecurity concerns have made it essential to clarify that security controls are a vital aspect of continuous delivery. To adapt to a philosophy that asserts that the entire development team is responsible for security, the role of DevSecOps was born.
DevSecOps stands for Development, Security, and Operations. Related to DevOps or SecOps, it is an idea that joins two previously separate functions into a consolidated framework. DevSecOps teams are accountable for producing conditions for continuous secure application development. Being a newer concept than DevOps, DevSecOps underscores the importance of IT security processes and security automation in the software development lifecycle.
Conventional DevOps processes do not include security. Development without an eye toward security means that many application development ventures that practice DevOps may have no security team. Or, they may test apps only after deploying them. This approach may cause significant delays in development and is not fit for agile DevOps practices with security included.
Going forward, security professionals need to be fully embedded in the application development process. Security professionals must learn DevOps skills, and DevOps teams must make room for these security experts.
While quickly becoming an overused, and little understood, buzz-word, machine learning, and its subordinate technology of artificial intelligence, hold great promise for cybersecurity. The ability to accurately predict future attack behavior based on historical data and identify vulnerabilities will greatly increase our defensive capabilities.
Tech writer Kayla Matthews addresses the promising use of machine learning in cybersecurity. In her article, Using Machine Learning to Evaluate Cybersecurity Risk, she acknowledges that machine learning or artificial intelligence is no replacement for human intelligence. She goes on to say, “Machine learning analyzes current and past data to identify possible weak points in a business’s cybersecurity perimeter. By pinpointing these risks, it aids information security in recognizing and resolving points of liability. This strategy also utilizes past and present information to find trends that are predictive of future occurrences. By reviewing data logs, AI finds suspicious activities and flags them as likely dangers, which cybersecurity professionals can then quarantine and investigate further.”
It is critical that Security Software Developers continually upgrade their skill sets. As cyber-attacks become evermore advanced, those charged with protecting digital assets must stay one step ahead.
Governments enforce stringent regulations to protect their citizens’ privacy — regulations like the E.U. General Data Protection Regulation (GDPR) and the new California Consumer Privacy Act are raising the bar for compliance. Cyberspace has become a digital battleground for nation-states and hacktivists. The cybersecurity industry is continually innovating. It uses advanced machine learning (ML) and AI-driven approaches to analyze network behavior and prevent adversaries from prevailing. It’s an exciting time for the industry, and looking back helps us predict where it’s going.
The prognosis for cybersecurity professionals is good – better than good. Excellent. The other side of that coin, however, is that it is expected that threats and breaches will also increase. Most industry analysts agree that while we are not yet winning the war, we are making great strides toward shutting down all but the financially well-backed and highly educated threat actors. Gone are the days where a credible threat is likely to be launched from the proverbial teenaged hacker working from his parent’s dingy basement.
The good guys will win. It undoubtedly doesn’t seem that way to a CISO in the throes of defending his or her systems against an aggressive cyberattack or to a CEO facing the prospect of announcing a historic data breach, but it is nevertheless true.
In the end, enterprises take whatever steps are necessary and realign whatever priorities are needed to survive, and even thrive. The desire to be on the right side of this struggle for control in cyberspace has attracted some of the most capable minds in government, business, or academia.
Just as with physical threats, attacks, and wars, however, there will always be another threat actor scheming to exploit a perceived vulnerability for their benefit. This condition provides thoroughly satisfying career opportunities for those with a desire to master the relevant technologies and learn the appropriate skills.