
Can your Cloud Survive a Cyber Zombie Apocalypse?

Fundamental security controls you should implement this year; their widespread adoption would have prevented cybersecurity failures that made headlines over the past five years. 

By Christopher P. Grady, CyLogic’s CTO

Information System Security (INFOSEC) is a perception. You can follow all the rules and best practices, implement the best technologies, check all of the boxes, and still get hacked. During the last decade that risk has only increased, and threats have evolved, becoming more sophisticated and harder to detect. While a positive Security Assessment Report might be appreciated, it shouldn’t lead to complacency. In fact, a positive report may create a false sense of security, because all it really measures is compliance, not effectiveness. The result is an era in which public sector entities ignore critical vulnerabilities and are subsequently hacked in the most public and embarrassing ways. Even commercial organizations find themselves desperately defending against state-sponsored attacks of unprecedented speed and sophistication. Global tensions have continued to rise, and nation states have increasingly found cyber warfare to be an effective weapon in their arsenal. AI has exponentially amplified nation-state cyber capabilities, producing highly sophisticated, stealthy and targeted cyberattacks that are increasingly effective at achieving both financial and political objectives. It has dramatically increased the effectiveness of zero-day exploits and introduced sophisticated deepfake impersonation campaigns.

Your information systems, regardless of the resources expended on security, have critical vulnerabilities that haven’t been discovered yet.

AI-powered attacks are becoming increasingly sophisticated, allowing cyber adversaries to adapt in real time, bypassing traditional defenses, and exploiting vulnerabilities faster than human hackers can analyze and adapt. Threats now also include realistic deepfakes that can impersonate the voice and image of people in video or voice calls, automated phishing campaigns tailored to individuals, and AI-driven malware capable of changing its behavior to avoid detection.  

Security is a rapidly moving target that occasionally defies the laws of physics or probability. Welcome to 2025 – this is the sobering lesson of the Arup AI cyberattack, in which, during a live video call, the adversaries reproduced the voices and appearances of company executives so convincingly that they deceived an employee into transferring $25 million to external accounts.1

To successfully navigate a hostile cyberspace, a solid cybersecurity strategy — not a check the security control box mentality — is required.  Consider the complexities of a multi-tenant cloud or even just a virtualized environment.  As soon as tenant two is introduced, securing both customer tenancies across a common infrastructure and the underlying management systems becomes exponentially more complex.

In 2018, while taking CyLogic’s cloud systems through the early Federal Risk and Authorization Management Program (FedRAMP) process2, assessors from our Third-Party Assessment Organization (3PAO) conducted desktop exercises with the author’s Cloud Operations Team. After a long session, the lead assessor said “I have one last exercise. It’s called the zombie apocalypse, and in a zombie apocalypse anything is possible.”

A zombie apocalypse desktop exercise is an efficient way to test systems: it rapidly identifies architectural and process weaknesses using scenarios that have a near-zero probability of occurring in real life. It lowers the defenders’ guard by turning the exercise into something that feels like a game. At the same time, it encourages creativity and acceptance of bizarre incidents that would never happen in real life.

For example, zombies might attempt to penetrate systems logically using the latest, or futuristic, strategies. If the zombies can’t breach the systems logically, they might physically attack the datacenters by starting a fire. If they can’t physically breach the datacenter, they might set adjacent buildings on fire, causing a 3-alarm fire that ultimately engulfs the datacenter. They can bring down the main power substation feeding your data center, then flood the fuel pump room so that the backup generators (safely installed on the highest floor, out of reach of any flooding) run out of fuel within hours, not days. They can flood the entire data center in less than four minutes, fully submerging it and killing all the employees. They can even drive an SUV up the grass security berm, flying over the perimeter fence and parked cars and crashing directly into the main power transformer, causing two cascading power failures that leave the chillers unable to restart, turning the data center into an overheated oven in a matter of minutes.

Anything is possible in a zombie apocalypse desktop exercise. The problem is, these six scenarios actually happened to large enterprises.  No zombies required.

In retrospect, this Zombie Apocalypse Desktop Exercise was an effective method of preparing for the threats today that few have predicted. However, in 2025, a more powerful version of the zombie apocalypse has emerged. Now equipped with AI level processing and communication, the "zombies" are no longer just mindless attackers – they’re AI zombies.

These AI-enhanced versions of zombies are capable of lightning fast execution, adaptation and attacks based on a global repository of attack scripts, strategies and methodologies from a massive database library called the internet. Through a massive repository cataloging breaches, AI can know what companies are utilizing what technologies, wait for vulnerabilities for those specific technologies to be released, scan for vulnerabilities of those technologies before attacking and create interference (malware) to avoid detection. When met with any resistance AI does not just continue mindlessly forward - it pivots quickly to a new mode of attack.

AI does not need to go in the front door. Instead, it generates a deepfake video requesting access to the system, or voice-cloned phone calls to coerce employees into opening backdoors and inviting it in – whether that be access to the industrial control system (ICS) for a power grid, flooding emergency communications channels with false reports, or a coordinated misinformation campaign to cause mass panic.

It has become important to think about security in the context of an AI cyber zombie apocalypse and not just compliance.  After all, who would have ever thought that virtually every computer in the world had a vulnerability hidden in it that could expose the most sensitive private memory areas of the OS kernel through JavaScript code running in a browser?

Zombie apocalypse desktop exercises help to generate a cultural shift toward providing and prioritizing effective confidentiality, integrity and availability capabilities through the exploration of a wildly unexpected series of physical or logical events. If such exercises are a cultural bridge too far, organizations should make The Art of Cyber Conflict, by Henry J. Sienkiewicz, the former CIO and Designated Approval Authority (DAA) of the Defense Information Systems Agency (DISA), required reading. Sienkiewicz presents modern cybersecurity as a conflict, using timeless strategies from Sun Tzu’s The Art of War.

While a zombie apocalypse is an effective way to test real-world information security and instill a powerful cybersecurity culture, its results are developed over time and organizations need help now. The following are security controls that can and should be implemented immediately, with the goal of keeping an organization out of the headlines.

These fundamental security controls could have significantly reduced cybersecurity headlines over the past five years.

The lessons learned from major breaches, namely which missing security controls would have remediated the vulnerabilities that were exploited, remain relevant today, because these past exploits provide a roadmap of successful strategies for malicious actors.

By the time a system’s risk has been assessed, the assessment is already outdated.

According to the FedRAMP program, if an information system’s vulnerabilities aren’t identified at least every thirty days, it’s at risk. This is the core of FedRAMP’s continuous monitoring program and is a necessary improvement to United States government certification and accreditation processes that assess systems on a triennial basis.

“Continuous” within the FedRAMP context means that systems are scanned at least every thirty (30) days to identify vulnerabilities and that identified vulnerabilities are communicated to the relevant vendors, the responses tracked, interim compensating controls planned (if required), testing completed, and patches or configuration changes applied as needed. FedRAMP continuous monitoring requires critical vulnerabilities to be remediated within thirty (30) days from identification.  Moderate vulnerabilities must be remediated within ninety (90) days.

While the 30-day check-in for system vulnerabilities is still the baseline, FedRAMP’s new 20x initiative is pushing things forward with a bigger focus on automation and real-time monitoring. The goal is to make the approval process faster and security stronger by using smart tools and modern best practices.1

Thirty days is a lifetime

In 2017, what was then one of the largest data breaches in IT history occurred. The Equifax breach alone resulted in the theft of personally identifiable information (PII) impacting over 143 million people.  The breach sent shockwaves throughout industries of all sectors.  If Equifax could suffer a loss of this magnitude, anybody could.

The root cause of the breach wasn’t related to a sophisticated state-sponsored attack, a flaw in the technical implementation of their architecture, a Snowden-like insider or something worthy of a zombie apocalypse desktop exercise. The breach was due to a failure to implement a patch for a known critical vulnerability in the Apache Struts web-application software.

Since the Equifax breach, both the frequency and scale of cyberattacks have grown dramatically. In January 2024, over 26 billion records spanning nearly 4,000 breaches were leaked in what has infamously become known as the "Mother of All Breaches" (MOAB). What made this breach so devastating was that it wasn’t tied to a single event; instead, it was a massive aggregation of previously compromised data from thousands of sources, including major platforms like Tencent, LinkedIn, Twitter, Adobe, and several government agencies.

While much of the data originated from breaches that occurred between 2007 and 2021, researchers confirmed that the collection also included newly exposed records that had not been previously identified or publicly linked to any known incident. The breach included usernames, passwords, email addresses, and other personal information, significantly heightening the risk of credential stuffing, phishing, and identity theft on a global scale.

Still, 30 days is a lifetime for a high value target since attackers already know where IT systems are, what they’re running, and who the key personnel are. Such information can be acquired through active scanning or by analyzing resumes and LinkedIn profiles of current or past employees that list technologies and skill sets.  From this, attackers can derive useful knowledge of the target’s infrastructure.  Attackers are just waiting for a vulnerability related to a technology used by a target so they can launch an attack.

Vulnerability scanning and remediation

The Vulnerability Scanning FedRAMP security control (RA-5)3 requires the identification of vulnerabilities vertically across the OSI stack4 and horizontally across operating systems, web applications, databases and appliances, at regular, periodic intervals.

Identifying, reporting, testing and applying patches for known vulnerabilities isn’t trivial. Identification doesn’t mean that a vendor is going to provide hardware, firmware or software patches in a timely manner.  This is especially true with appliances.  Vendors may refuse access to their appliances and unapproved access may void the warranty.

If a vendor providing a solution as a hardware appliance won’t permit vulnerability scanning with root access, that appliance poses a significant risk to your infrastructure.

An organization’s relationship with vendors in vulnerability remediation should be professional, consistent, persistent and produce results that continuously reduce risk across all IT assets.  Additionally, an organization’s IT staff should be on a first name basis with the vendor’s key support personnel, with escalation paths to upper management clearly defined.

It should be made clear to vendors that, at a minimum, on a specified day of each month they can expect to receive a list of identified vulnerabilities and that they are expected to respond within a specified time with a plan and schedule for remediating each item on the list.  They should also understand that follow-up is expected until a patch is issued. Similar expectations should be clearly communicated to computer and storage vendors, just as they are to firewall vendors. Often, computer and storage vendors treat management interfaces as separate from primary systems and may respond slowly to issues concerning these functionalities. This slow response increases vulnerability to insider threats, which are responsible for about 43% of all breaches.5  This is what happened to Sony Pictures in 2014 ahead of “The Interview”.

In March 2025, Oracle underwent a massive cyberattack which led to the theft of 6 million records from its secure cloud services. A hacker who identified under the alias "rose87168" boasted that they had exploited an unnoticed weakness in Oracle's login systems which allowed them to access sensitive data, including encrypted single sign-on (SSO) credentials, Lightweight Directory Access Protocol (LDAP) passwords, and key files. The successful attack affected tens of thousands across various industries who trusted Oracle with their data.

Thirty days is still too long

For high-value targets, even the thirty-day scan period is inadequate.  Monitoring should take place more frequently.  Whether it is bi-monthly, weekly, bi-weekly, daily or every time your scanner vulnerability database is updated depends on the organization’s internal capabilities.

By the time this article is published it is likely that FedRAMP will have a 15-day critical vulnerability remediation requirement.

Scanning takes time and, if the environment is large, full production system scans can take multiple days to complete.  In this situation, a dedicated “scan farm” of baseline configurations deployed for the servers, application stacks and devices within the production environment should be established which can be scanned in a matter of minutes. This will provide a near-real time view of existing vulnerabilities and make scanning feasible every time a new vulnerability database update is released.

Vulnerability remediation goes beyond using scanning tools to identify known common vulnerabilities and exposures (CVE) and patching requirements. Security operations staff should be actively monitoring many (dozens or even hundreds) of information feeds such as News, CERT (US-CERT, DoD CERT, IC CERT), Gartner Cyber Incident Response Team, SANS Computer Incident Response Team, etc.

In 2025, the process is largely driven by automation, cloud-native tooling, and continuous integration/continuous deployment (CI/CD) practices.

Instead of scanning live systems during business hours, some organizations now maintain a dedicated scanning environment that operates continuously. This setup can be scanned often and quickly, allowing teams to detect vulnerabilities shortly after new threat intelligence or scanner database updates are released. These improvements make continuous monitoring more realistic and dramatically reduce the exposure for critical systems.

The broader impact of proper vulnerability scanning

Vulnerability management, when properly implemented, also assists the organization with other critical security controls, including:

  • Configuration Management (FedRAMP CM)
  • Change Control (FedRAMP CM-3)
  • Risk Assessment (FedRAMP RA)
  • Maintenance (FedRAMP MA)
  • Testing
    • Penetration Testing (FedRAMP CA-8)
    • Contingency Plan Testing (FedRAMP CP-4)
    • Developer Security Testing and Evaluation (FedRAMP SA-11)
    • Incident Response Testing (FedRAMP IR-3)
  • Policies and Procedures
  • Identification and Authorization (FedRAMP IA) (specifically multi-factor authentication)

A senior government official responsible for the certification and accreditation (C&A) of some of the first commercial cloud products offered to federal agencies (prior to the official creation of FedRAMP) once said “Any CSP [cloud service provider] who cannot prove that they have mastered Configuration Management has no business delivering service to the U.S. Federal Government”.

Vulnerability scanners and other related systems require strict configuration management (CM) because they have administrative access to every device on the network as they are required to perform fully authenticated scans. Security is therefore paramount and configurations for operating systems, applications and the scanner management interface must be reviewed and managed properly.

All vulnerability scanners can be set to ignore and exclude certain known vulnerabilities from their reports. This is often used for vulnerabilities that cannot be remediated because the affected functionality is operationally required. Exceptions should never be allowed in scanning tools. Every vulnerability, even one accepted as operationally required or covered by compensating controls, should show up in every report every month. Security operations should still verify the status of all vulnerabilities with every vendor, every month, even if the vendor has stated that it never intends to remediate.
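The remediation windows above (thirty days for high-risk findings, ninety for moderate), the "scan whenever the vulnerability database is updated" cadence, and the rule that accepted-risk findings still appear in every monthly report can be expressed as a small tracking routine. The following is an added example written for this article, not code from CyLogic or any scanner product; the finding records, asset names and CVE-style identifiers are constructed placeholders, and the treatment of low-severity findings as tracked-only is an assumption, since the article states no window for them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# FedRAMP RA-5 remediation windows quoted in the article, in days from discovery.
# "low" is intentionally absent: the article states no window for it, so such
# findings are tracked but never marked overdue (assumption).
SLA_DAYS = {"high": 30, "moderate": 90}


@dataclass
class Finding:
    asset: str
    identifier: str            # constructed CVE-style placeholder in the samples below
    severity: str              # "high" | "moderate" | "low"
    discovered: date
    remediated: Optional[date] = None
    accepted_risk: bool = False   # vendor "won't fix" or compensating control in place
    vendor: str = ""


def sla_deadline(f: Finding) -> Optional[date]:
    """Date by which the finding must be mitigated, or None when no window applies."""
    days = SLA_DAYS.get(f.severity)
    return f.discovered + timedelta(days=days) if days else None


def finding_status(f: Finding, today: date) -> str:
    if f.remediated is not None:
        return "remediated"
    deadline = sla_deadline(f)
    if deadline is None:
        return "tracked"
    return "overdue" if today > deadline else "open"


def monthly_report(findings: List[Finding], today: date) -> List[dict]:
    """Build the monthly report. Every finding is listed, including accepted-risk
    ones; nothing is suppressed, and vendor follow-up is due for anything unremediated."""
    rows = []
    for f in findings:
        rows.append({
            "asset": f.asset,
            "identifier": f.identifier,
            "severity": f.severity,
            "status": finding_status(f, today),
            "deadline": sla_deadline(f),
            "accepted_risk": f.accepted_risk,
            "vendor_followup_due": f.remediated is None,
            "vendor": f.vendor,
        })
    return rows


def sla_breaches(report: List[dict]) -> List[dict]:
    """Findings past their remediation window, accepted-risk or not."""
    return [r for r in report if r["status"] == "overdue"]


def rescan_due(last_scan: date, db_updated: date, today: date, max_interval_days: int) -> bool:
    """A rescan is due when the scanner's vulnerability database has been updated
    since the last scan, or when the maximum interval (30 days at most) has elapsed."""
    return db_updated > last_scan or (today - last_scan).days >= max_interval_days


# Constructed sample findings for a stand-alone run.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-0000-0001", "high", date(2025, 5, 1), vendor="AppVendor"),
    Finding("db-01", "CVE-0000-0002", "moderate", date(2025, 4, 1), vendor="DbVendor"),
    Finding("fw-01", "CVE-0000-0003", "high", date(2025, 1, 10),
            accepted_risk=True, vendor="ApplianceVendor"),
    Finding("web-02", "CVE-0000-0004", "high", date(2025, 5, 20),
            remediated=date(2025, 6, 2), vendor="AppVendor"),
    Finding("bmc-01", "CVE-0000-0005", "low", date(2025, 3, 3), vendor="ServerVendor"),
]

if __name__ == "__main__":
    today = date(2025, 6, 15)
    for row in monthly_report(SAMPLE_FINDINGS, today):
        print(row)
    print("rescan due:", rescan_due(date(2025, 6, 1), date(2025, 6, 10), today, 30))
```

The accepted-risk firewall finding shows up as overdue in the report rather than disappearing, which is the point of refusing scanner-side exceptions: the monthly vendor conversation is driven by the report, so a finding that drops out of the report also drops out of the follow-up.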

In addition to maturing other controls such as CM, change control, risk assessment, maintenance, penetration testing, contingency plan testing, incident response testing, and security testing and evaluation, vulnerability scanning will also mature the automation of key processes.  This is critical, given that attacks are now happening at the speed of automation and artificial intelligence.   Information system automation should be positively impacted or improved in about 40 different areas.6

Multi-factor authentication

In March of 2014 and June of 2015, the U.S. Office of Personnel Management (OPM) suffered one of the worst, if not the worst, breach ever disclosed by the government.  As a result of this breach the background investigation records of approximately 21.5 million people (about the population of New York)7 who had undergone security clearance checks were exposed.

In the aftermath of the breach, it was discovered that OPM had not implemented basic security required by Homeland Security Presidential Directive 12 (HSPD-12), requiring assurances that every person granted access to facilities or information systems is the person they claim to be.

The days of castle and moat protection are over. Multi-factor authentication (MFA) is a necessity, not just at a system’s authorization boundary, but also for every asset behind the authorization boundary including operating systems, applications, remote access cards, switches, and firewalls.  Insider threats are real, and the number is growing.  Consequently, administrative access to vulnerability scanners must have MFA implemented, as these scanners must have root level access to all systems to properly assess vulnerabilities and risk.

Nearly a decade later, the lesson still holds. The era of relying solely on perimeter defenses is long over. Today, multi-factor authentication (MFA) is not just a recommendation; it is a long-established critical requirement. Microsegmentation and other zero-trust technologies are now the norm, protecting not only at the initial point of login but also internally across key systems, including servers, databases, applications, network equipment, and cloud management portals.

Conclusion

The fundamental security controls mentioned throughout this article could have stopped some of the largest breaches in IT history, including the OPM breach, the JP Morgan Chase breach (which impacted 76 million households and 7 million small businesses8), Target (impacting up to 110 million people9), the Heartland Payment Systems breach (exposing 134 million credit cards10) and Equifax (exposing the personal information of 143 million consumers11).

Organizations unable to perform cyber zombie apocalypse desktop exercises should, at the least, follow FedRAMP’s guidance and implement a disciplined Vulnerability Scanning and Remediation program and allow it to mature the other key security controls so that the organization does not wind up in the headlines.

Since 2010, based on lessons learned from the DISA Rapid Access Computing Environment (RACE) project – the DOD’s initial foray into highly secure cloud computing, CyLogic has been working to bring the highest level of security in a cloud solution to public and private sector organizations.

CyLogic, Inc. produces CyCloud, a FedRAMP high-compliant high-performance true cloud platform with the most comprehensive set of cybersecurity capabilities available on the market. CyCloud implements every fundamental security capability noted in this article (and hundreds more) and is also available to U.S. commercial customers to protect critical corporate infrastructure.

The next critical vulnerability is coming and with FedRAMP’s 20x vision becoming reality, the bar for security has never been higher. Automation, real-time scanning, and zero-trust by design are not futuristic anymore, they’re expected. The question isn’t if your organization will be targeted, but whether it will be ready.  At CyLogic, we’re already running zombie apocalypse desktop exercises to prepare. What will your organization be doing?

Sources

  1. https://www.weforum.org/stories/2025/02/deepfake-ai-cybercrime-arup/
  2. The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
  3. RA-5 Vulnerability Scanning (L) (M) (H)
    The organization:
    (a) Scans for vulnerabilities in the information system and hosted applications [FedRAMP Assignment: monthly operating system/infrastructure; monthly web applications and databases] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
    RA-5 (a) Additional FedRAMP Requirements and Guidance:
    Requirement: An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.
    (b) Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:
    (1) Enumerating platforms, software flaws, and improper configurations;
    (2) Formatting and making transparent, checklists and test procedures; and
    (3) Measuring vulnerability impact;
    (c) Analyzes vulnerability scan reports and results from security control assessments;
    (d) Remediates legitimate vulnerabilities [FedRAMP Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate risk vulnerabilities mitigated within ninety (90) days from date of discovery], in accordance with an organizational assessment of risk; and
    (e) Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
    RA-5 (e) Additional FedRAMP Requirements and Guidance:
    Requirement: To include the Risk Executive; for JAB authorizations to include FedRAMP ISSOs.
  4. The Open System Interconnection (OSI) model defines a networking framework to implement protocols in seven layers. These are Layer 7 – Application, Layer 6 – Presentation, Layer 5 – Session, Layer 4 – Transport, Layer 3 – Network, Layer 2 – Data Link, and Layer 1 – Physical.
  5. https://www.infosecurity-magazine.com/news/insider-threats-reponsible-for-43/
  6. These include the automation of the incident handling process IR-4 (1); automated mechanisms to schedule, conduct, and document maintenance repairs and to maintain accurate and complete records MA-2 (2); automated mechanisms to determine the state of information system components with regard to flaw remediation SI-2 (2); automated mechanisms to integrate audit review, analysis, and reporting processes to support your organization’s processes for investigating and responding to suspicious activities AU-6 (1); automated mechanisms to maintain an up-to-date, complete, accurate and readily available baseline configuration of your information system assets CM-2 (2); automated mechanisms to ensure your Change Management process is followed CM-3 (1); automated mechanisms to maintain inventory CM-8 (2); automation of the tracking and analysis of security incidents IR-5 (1); automated mechanisms to assist in the reporting of security incidents IR-6 (1); and thirty other areas where automation is required.
  7. https://www.opm.gov/cybersecurity/cybersecurity-incidents/
  8. https://www.csoonline.com/article/2130877/data-breach/the-16-biggest-data-breaches-of-the-21st-century.html
  9. https://www.nytimes.com/2014/01/11/business/target-breach-affected-70-million-customers.html
  10. https://www.csoonline.com/article/2130877/data-breach/the-16-biggest-data-breaches-of-the-21st-century.html

This article was originally published on the United States Cybersecurity Magazine

https://www.uscybersecurity.net/csmag/can-systems-survive-cyber-zombie-apocalypse/
