Rust Never Sleeps: How Cybersecurity Is Like Maintaining a Vintage 4x4

Rust on a Land Cruiser is a pretty good analogy to hackers in a network: hackers and rust are both persistent, quiet and insidious.

About 20 years ago, I purchased an old Land Cruiser. I’ve had a lot of fun with it over the years – I do a lot of kayaking and scuba diving, and as you can see, this rig has been a terrific companion.

Figure 1 Land Cruiser

Figure 1: My 1975 FJ40 Land Cruiser

The problem is, because I’m always in and around salt water, I’ve introduced a lot of corrosion agents to it.

Figure 2 Rust on Land Cruiser

Figure 2: The FJ40 showing 45 years of rust and abuse

In cybersecurity terms, I didn’t properly protect my attack surface, thus allowing a bunch of threat actors to take hold. I think it’s useful to compare my Land Cruiser to many of today’s organizations: they’re busy “hitting the road” to do business every day. As each day goes by, an organization presents an attack surface, and threat actors – sometimes called threat agents – work to exploit that surface.

Rust on a Land Cruiser is a pretty good analogy to hackers in a network: hackers and rust are both persistent, quiet and insidious. They also can spread quickly and eat away at your infrastructure like cancer. Rustoleum, the time-honored paint company, has a motto: “rust never sleeps.” It’s a great catch-phrase.

What Rusty Land Cruisers Have to Do with Cybersecurity

As you can see, I really had let my Land Cruiser go, in terms of rust. Mechanically, it’s very sound; I’ve updated the brakes, the steering is solid and I’ve got a healthy 350 V8 engine that is ready to roar down the road at any moment. Just like any good business, it’s ready to serve.

But, when it comes to rust, I have some serious problems. I have something of an excuse, at least in my mind.  Over the years, I’ve traveled the world quite a bit for CompTIA. So, when I get home from a trip, I really want to get out and have some fun with the family and the Land Cruiser; I just felt I didn’t have time to maintain it properly.

I also don’t have enough money to restore this thing to its classic rock, bell-bottom jeans-era, 1970’s original condition. I even asked a respected auto restorer how much it would take to do this. The answer? She wanted just north of $50,000. You read that right. She wanted a good year’s wage just to remove the rust on my Cruiser. So, when it came to just maintaining my FJ40, I just kind of felt defeated. As a result, I kept on using it and having fun with it. I didn’t even wash or wax it properly.

That’s the case with many organizations. Often, they are just too busy to do a lot of in-depth cybersecurity. Most organizations are very responsible. Probably more responsible with their security than I have been with my rig’s rust problem. But many organizations don’t have the money, time and skills to create the cybersecurity equivalent of a completely restored Land Cruiser.

I talk with a lot of small to medium-sized business leaders, and they simply don’t have the time to create a security operations center (SOC). Nor do they have the team to create a fully functional security information and event management (SIEM) environment or enable security automation and orchestration (SOAR). As a result, some organizations let things slip a bit further, mainly because they feel they just can’t move the needle enough to try.

Focus on the Most Vital Attack Surface(s)

That said, I think that any organization can do what I did: address the most serious problems, and then slowly work on smaller issues before they get out of control.

 Figure 3 Grinding away rust

Figure 3: After grinding away rust and doing some painting

I haven’t done anything near restoration-quality work. It’s not perfect. See the holes and the crease in the side? But, given my budget and the time I had, it’s a lot better. I’ve addressed the attack surface, and I’ve eliminated all of the rust. At least for now.

5 Foundational Cybersecurity Principles

Today’s organizations can address their cybersecurity concerns by concentrating on the following foundational principles:

Address the Root Causes of Cybersecurity

For years, I stored my Land Cruiser outside, under a simple awning. I’ve now moved it into the garage, where moisture will have a harder time getting at it. The root cause here is that my car could never really get dry. No amount of rust removal, new paint or new parts would address the root cause of excess moisture.

Similarly, if your organization operates and communicates in ways that fundamentally defeat security, no simple software fix will work. You’ll need to change your processes.

Increase Monitoring

See that crease in the side panel, circled in the picture below? I did that while I was four-wheeling my way to a really good beach so I could go scuba diving. That crease is ugly. More importantly, it’s an ideal breeding ground for body-eating rust. My solution? Because I don’t have the money to replace that entire side panel, I’m just going to have to monitor it carefully moving forward.

 Figure 4 Crease in side panel

Figure 4: The damage from 4-wheeling on the beach

Implement Network Segmentation

This reminds me of a story a friend of mine told me about how he discovered malware that had been installed on about 15 Windows 10 devices. These computers were used to control the oil drilling equipment in the middle of the North Sea. The malware was starting to spread laterally, and was opening up ports that allowed an intruder to control the systems.

My friend, quite reasonably, ordered the IT workers to shut down the Windows 10 systems and remove the malware. But there was a problem: the oil company executives canceled the order, saying that it was impossible to shut down those computers.

Why? Because that would mean that oil would stop flowing completely for several days. That, the company said, was just not possible; they couldn’t afford the full fix.

What was the solution? My friend enabled enhanced monitoring of the affected systems and segmented the affected network.

The result? The company’s cybersecurity professionals could verify that the Windows 10 systems still had the malware installed, but no one had been able to log in. Eventually, the company systematically replaced the suspect Windows 10 devices, and all was well.

Create and Practice an Incident Response Policy

One of the first areas where I removed rust was the roll cage. As you know, a roll cage helps keep you safe if your car rolls over, so I wanted to make sure that it wasn’t compromised in any way by rust; the last thing I want to happen is have this thing fail during an accident. Sure enough, I found some pretty serious rust.

 Figure 5 roll cage

Figure 5: Removing rust on my FJ40 roll cage

Thankfully I was able to resolve the problem. If I had waited much longer, I would have had to get another cage. This is a major problem because these days, original FJ40 roll cages are made of what some folks call “unobtainium.” That’s right: they’re hard to find. As you can see, I was able to get all of the rust out, and it’s ready to protect the driver.

 Figure 6 Restored Roll Cage

Figure 6: The roll cage ready for re-install

In some ways, a roll cage is a bit like a cybersecurity incident response policy. An incident response policy – complete with well-practiced steps – helps keep your organization safe in case a hacker is able to defeat your security measures.

Imagine if something catastrophic happens while you’re going down the road (or that deep-woods trail) in that Land Cruiser, and it rolls over. You obviously wouldn’t have time to install a roll cage during that accident. It’s similar to an incident response plan. If something catastrophic happens, you won’t have time to create a policy, or a plan.

You also won’t have the time to practice it or make sure that everyone knows what to do; just like a roll cage on a 4x4 vehicle, you need to have your incident response plan firmly in place and well-practiced. You don’t want any rusty execution to defeat your plan and give the hackers the upper hand.

Figure 7 Road-Ready Land Cruiser

Figure 7: The FJ40 today: Not fully restored, but ready for the road

Know When It’s Time to Bring in a Third Party

When it comes to my Land Cruiser, as I mentioned earlier in this article, the cost of outsourcing the work outweighs the benefits for me – at least for now. In the same vein, organizations need to decide if what they are able to do in house is good enough or if they need help from a third-party vendor.  

Getting Ready to Go!

Well, that about does it for my Land Cruiser and cybersecurity analogies. I’m convinced that if you take the time to prioritize and work systematically, you’ll be very surprised at how much progress you’ll make.

Now that I’ve spruced things up a bit on my Land Cruiser, it’s time to get it out where it belongs: delivering me to another kayaking site. It’s been a while, and I’m curious to see how well all of the newly-refreshed components will cope with all the salt, mud and rocks I plan on throwing at them!

Get the cybersecurity skills employers are looking for with CompTIA Security+. Download the exam objectives to see what's covered.

Read More from the CompTIA Blog

Leave a Comment