The Good the Bad and the Ugly of Cybersecurity

A Spaghetti Western Tale for the Digital Age

“In the world of cybersecurity, there are two kinds of people, my friend: those who prepare and those who regret.”

Sergio Leone’s 1966 film The Good, the Bad and the Ugly, with Clint Eastwood in the lead, is more than a classic Western: it is a parable for modern cybersecurity. In a landscape where adversaries lurk behind every digital bush, and organizations are caught in a three-way standoff between protection, exploitation, and chaos, the lessons of this Western epic echo through the digital canyons of today’s threat landscape.

Let’s saddle up and explore the good, the bad, and the ugly of cybersecurity. This isn’t just about cowboys and shootouts – it’s about CISO strategy, nation-state actors, ransomware gangs, compliance mandates like ISO/IEC 27001 and the ongoing battle to protect Controlled Unclassified Information (CUI) in a hostile digital frontier.

Act I: The Good – Heroes of the Cyber Frontier

In the film, “The Good” is Blondie (Clint Eastwood), a bounty hunter with a code of honor and a sharp eye. In the cyber world, “The Good” are the defenders – security professionals, federal agencies, Chief Information Security Officers (CISOs), ethical hackers, and organizations that uphold privacy, resilience, and trust.

The Cyber Sheriffs: NIST, NSA, ISO and CMMC

The good guys in cybersecurity don’t ride horses; they ride frameworks, policies, and technologies. Bodies such as the National Institute of Standards and Technology (NIST), the National Security Agency (NSA) and the International Organization for Standardization (ISO) serve as the sheriffs in town, publishing detailed guidelines and controls that help maintain law and order in cyberspace.

National Institute of Standards and Technology (NIST)

NIST SP 800-171 Rev. 2 sets the stage for protecting CUI in non-federal systems, spelling out the requirements that defense contractors and other federal partners must meet before they handle it. Its 14 requirement families include Access Control (AC), Incident Response (IR), and System and Information Integrity (SI). (Rev. 3 was published in May 2024, but the DoD’s CMMC rule still assesses contractors against Rev. 2.)

NIST SP 800-53, on the other hand, is the control catalog for federal information systems, and its companion SP 800-53B selects low, moderate and high baselines from that catalog according to the system’s impact level (plus a separate privacy baseline), so that organizations can tailor security and privacy controls to the risk a system actually carries.

National Security Agency (NSA)

Another useful resource is the NSA’s cybersecurity advisories, often informed by signals intelligence and red/blue team operations, which provide timely intelligence on vulnerabilities exploited by nation-state actors, arming the good guys with actionable data.

Through these public advisories (many of them issued jointly with CISA and the FBI), the NSA supplies threat intelligence and mitigations that help defenders prepare for nation-state-level attacks and advanced persistent threats (APTs). It also publishes secure configuration guides, encryption recommendations, and hardening practices critical to defending national infrastructure.

ISO/IEC 27001 and 27002

ISO enters the cyber town not with a six-shooter, but with a globally respected badge of information security governance.

ISO/IEC 27001 is an international standard for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Similarly, ISO/IEC 27002 provides actionable controls and guidance for implementing ISO 27001-aligned practices across domains like access control, asset management, cryptography, and supplier relationships.

Many global organizations adopt ISO 27001 as their primary framework for aligning business operations with security goals, often integrating it with NIST or CMMC requirements. This is especially common in multinational defense contractors who must comply with both federal regulations (NIST/CMMC) and international expectations (ISO 27001 certification).

Cybersecurity Maturity Model Certification

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense’s program for verifying that contractors in the Defense Industrial Base actually implement the safeguards they attest to. Level 1 covers basic safeguarding of Federal Contract Information; Level 2 maps to the 110 requirements of NIST SP 800-171; Level 3 adds selected requirements from NIST SP 800-172 for the most sensitive programs. Implicitly, the program also aligns with ISO-style management principles.

In this way, CMMC helps ensure defense contractors achieve and maintain appropriate cybersecurity maturity, aligning practices with NIST controls to create a supply chain that can be trusted in the fight against espionage and disruption.

In short, these standards and frameworks are the marshal’s badge in a lawless digital town: respected, feared, and essential.

The Town Watch: Security Operations and Threat Intelligence

Good cybersecurity is proactive. Modern-day defenders operate Security Operations Centers (SOCs) that monitor endpoints, cloud infrastructure, and networks 24/7, leveraging threat intelligence and AI-driven detection to stop threats before they draw.

Intelligence-driven defense, of the kind the NSA advisories support, uses indicators of compromise (IOCs), adversary tactics, techniques, and procedures (TTPs), and behavioral analytics to anticipate and disrupt threats. It is the modern equivalent of watching for dust on the horizon: the signal that a gang is riding in.

Risk Management as a Moral Code

Good defenders don’t just chase threats—they anticipate them through structured Risk Management, often integrating ISO/IEC 27005 or NIST SP 800-30 methodologies. Like Blondie, they stay calm, gather intelligence, and weigh options before taking decisive action.

Effective organizations:

  • Classify assets and risks using a combination of ISO and NIST standards.
  • Map controls across ISO 27001 Annex A, NIST 800-53, and CMMC Level 2 to build unified policies.
  • Build security cultures where awareness and vigilance are part of daily operations.

These organizations are not just “compliant.” They are resilient, responsive, and strategic – ready to stand tall in the town square when the outlaws ride in.

Act II: The Bad – Outlaws in the Digital Wild West

If Blondie represents justice, Angel Eyes (Lee Van Cleef), the calculating mercenary, represents the bad – sophisticated cybercriminals and nation-state actors who operate with ruthless precision.

The Ransomware Cartels

Ransomware is the bandit of the modern age. Operating like organized crime syndicates, groups like LockBit, Cl0p, and BlackCat (ALPHV) execute highly coordinated attacks. They breach networks, encrypt files, and demand payment in cryptocurrency.

Their tactics mirror Angel Eyes: planned, efficient, and completely devoid of empathy. These groups target:

  • Hospitals and healthcare systems
  • Educational institutions
  • Critical infrastructure (Colonial Pipeline, anyone?)
  • Defense contractors (risking the compromise of CUI)

Many of these groups run a Ransomware-as-a-Service (RaaS) model, much like hiring a mercenary: even a low-skilled threat actor can lease a ransomware toolkit and infrastructure from the operators in exchange for a share of the ransom, which multiplies the scale of attacks.

Joint advisories from the NSA, CISA and the FBI routinely warn that ransomware groups gain their foothold through unpatched software, misconfigured Active Directory environments, and reused credentials. In other words, it is the lack of vigilance that opens the town gates to raiders.
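As an added illustration (this code is not from the article, the NSA, or any vendor), here is a small Python detector that applies the two ideas above, IOC matching from the threat-intelligence section and the credential-reuse pattern named in the ransomware advisories, to a handful of constructed authentication log lines. It matches source addresses against a hypothetical IOC list, and it flags password spraying: one source failing against many accounts and then succeeding against one. The log format, IP addresses, usernames and IOC list are all made up for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Invented log format for this example: one line per authentication attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Hypothetical IOC list; in practice this comes from an advisory or threat feed.
IOC_IPS = {"203.0.113.77"}

# Behavioural threshold (assumed): failures against this many distinct accounts
# from one source within the analysed window is treated as password spraying.
SPRAY_MIN_ACCOUNTS = 5

# Constructed sample log: a spray from 198.51.100.9 that eventually succeeds,
# one legitimate user mistyping a password, a login from an IOC address, and
# one malformed line.
SAMPLE_LOG = """\
2024-05-01T02:00:01Z auth FAIL user=alice src=198.51.100.9
2024-05-01T02:00:02Z auth FAIL user=bob src=198.51.100.9
2024-05-01T02:00:03Z auth FAIL user=carol src=198.51.100.9
2024-05-01T02:00:04Z auth FAIL user=dave src=198.51.100.9
2024-05-01T02:00:05Z auth FAIL user=erin src=198.51.100.9
2024-05-01T02:00:06Z auth OK user=erin src=198.51.100.9
2024-05-01T02:05:00Z auth FAIL user=frank src=192.0.2.10
2024-05-01T02:05:30Z auth OK user=frank src=192.0.2.10
2024-05-01T02:10:00Z auth OK user=svc-backup src=203.0.113.77
this line is not an auth event and must be skipped
"""


@dataclass(frozen=True)
class Alert:
    kind: str    # "ioc_match" or "password_spray"
    src: str
    detail: str


def parse_line(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines, ioc_ips=IOC_IPS, spray_min=SPRAY_MIN_ACCOUNTS):
    """Run IOC matching and the password-spray heuristic over log lines."""
    ioc_hits = {}                     # src -> first account seen from that src
    failed_users = defaultdict(set)   # src -> accounts that failed
    ok_users = defaultdict(set)       # src -> accounts that succeeded
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue   # malformed input is skipped rather than crashing the detector
        if ev["src"] in ioc_ips:
            ioc_hits.setdefault(ev["src"], ev["user"])
        if ev["result"] == "FAIL":
            failed_users[ev["src"]].add(ev["user"])
        else:
            ok_users[ev["src"]].add(ev["user"])

    alerts = []
    for src, user in ioc_hits.items():
        alerts.append(Alert("ioc_match", src,
                            f"source is on the IOC list (first account seen: {user})"))
    for src, users in failed_users.items():
        if len(users) >= spray_min:
            # A success from the same source after the failures means a password worked.
            compromised = sorted(users & ok_users.get(src, set()))
            detail = f"{len(users)} distinct accounts failed from one source"
            if compromised:
                detail += "; later success for " + ", ".join(compromised)
            alerts.append(Alert("password_spray", src, detail))
    return sorted(alerts, key=lambda a: (a.kind, a.src))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"[{alert.kind}] {alert.src}: {alert.detail}")
```

The single failure from 192.0.2.10 followed by a success is deliberately left alone: a per-account lockout rule would treat it like the spray, but counting distinct accounts per source is what separates a user’s typo from an attacker cycling through a list. In a real SOC the threshold and the window would be tuned per environment, and the IOC set would be refreshed from the advisories rather than hard-coded.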

Nation-State Cowboys

Unlike ransomware gangs, nation-state attackers aren’t just after money – they want secrets, influence, and long-term strategic gain.

For example, China (APT40, APT41), Russia (APT29, Sandworm), Iran (APT33, APT34), and North Korea (Lazarus Group) run cyberespionage campaigns targeting U.S. government networks, defense contractors, and even critical infrastructure.

Their weapons include:

  • Zero-day exploits (used against Exchange Servers, Pulse Secure VPNs, etc.)
  • Supply chain compromises (e.g., SolarWinds)
  • Social engineering and spear-phishing
  • Living off the land (LOTL) techniques that avoid detection

These attackers are like Angel Eyes: patient, methodical, and often hiding in plain sight. They aren’t always looking for a quick kill – they want to infiltrate, observe, and strike when the time is right.

Act III: The Ugly – The Collateral Damage of Poor Cyber Hygiene

Tuco (Eli Wallach) is “The Ugly” – unpredictable, reckless, and sometimes dangerous to both allies and enemies. In cybersecurity, “The Ugly” is the mess left behind by poor cyber hygiene, non-compliance, and organizational apathy.

The Cost of Complacency

Despite the warnings, many organizations still:

  • Reuse weak passwords
  • Fail to patch known vulnerabilities
  • Ignore multi-factor authentication (MFA)
  • Delay compliance with NIST or CMMC mandates

Negligence creates an environment where even unsophisticated threat actors can succeed. The ugly truth is that many breaches are preventable.

For example, consider the Equifax breach (2017). Attackers exploited an Apache Struts vulnerability for which a patch had been available for about two months, and a lack of internal segmentation then let them exfiltrate the personal data of over 147 million Americans. It wasn’t a zero-day; it was “ugly” cyber hygiene.

The MOVEit Transfer campaign of 2023 is a more nuanced case. Cl0p exploited a SQL injection flaw in the file transfer product (CVE-2023-34362) before the vendor had shipped a patch, so delayed patching was not the initial failure; but hundreds of organizations were impacted because internet-facing transfer servers held large volumes of sensitive data, sat in poorly segmented networks, and lacked the logging needed to establish quickly what had been taken.

Shadow IT and Insider Risks

Like Tuco, shadow IT is chaotic and often overlooked. Employees spinning up unauthorized cloud apps or storing sensitive data on personal devices creates visibility gaps that defenders can’t control.

Insider threats, whether malicious or accidental, represent another ugly risk. According to the 2023 Verizon DBIR, internal actors were involved in 19% of breaches. Whether it’s a disgruntled employee selling credentials or an admin misconfiguring a cloud storage bucket, the damage is real.

The Ugly Side of Supply Chains

Furthermore, even with defenses up, partners might be the problem. Third-party vendors often have access to data, systems, or APIs. The SolarWinds Orion breach was a wake-up call: one weak link in the chain can compromise thousands.

NIST 800-171 and CMMC Level 2 emphasize flow-down requirements for CUI. That means if your subcontractor isn’t compliant, your entire organization is at risk—not just reputationally, but contractually.

The Cyber Shootout – Response, Recovery, and Redemption

In the final act of the movie, the three characters engage in a tense standoff over buried gold. Similarly, in cybersecurity, the “gold” is data – intellectual property, PII, CUI, and national secrets. Every actor – good, bad, and ugly – wants it. The question is: who will walk away with it?

When a breach happens, the response must be swift, strategic, and well-practiced.

Incident Response Playbooks (IRPs)

Like a gunslinger’s draw, an effective incident response plan has to be practiced before it is needed. NIST SP 800-61 Rev. 2 defines the lifecycle as:

  • Preparation
  • Detection and analysis
  • Containment, eradication, and recovery
  • Post-incident lessons learned

NIST published Rev. 3 in 2025, reorganizing the guidance around the CSF 2.0 functions, but the phases above remain the working vocabulary of most playbooks. In addition, NSA guidance emphasizes centralized logging, endpoint detection and response, and coordination with the agencies that receive incident reports (for defense contractors, DFARS 252.204-7012 requires reporting cyber incidents to the DoD within 72 hours) and with law enforcement.

Business Continuity and Resilience

What if the worst happens? Do you have backups? Can you recover operations quickly? How can you be prepared?

For instance, the Contingency Planning (CP) control family of NIST SP 800-53, which appears in every 800-53B baseline, calls for system-level contingency plans, defined recovery time and recovery point objectives (RTOs and RPOs), tested backups, and regular exercises of the plan. The heroes of the cyber tale have redundancy and resilience built into their town’s infrastructure.
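As an added example (not from the article, NIST, or any backup product), the check below turns the questions above into something a defender can run against backup job history: it takes constructed backup-job records and reports which systems have fallen outside a stated RPO, have no successful backup at all, or have not had a restore exercised recently enough. System names, timestamps and the policy values are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupJob:
    system: str
    finished: datetime            # when the job ended (UTC)
    ok: bool                      # did the backup complete successfully
    restore_tested: bool = False  # was a restore from this backup actually exercised


def rpo_status(jobs, rpo, restore_test_max_age, now):
    """Compare backup history against policy.

    Returns {system: [findings]}; an empty list means the system is within policy.
    rpo is the maximum tolerable age of the newest good backup; restore_test_max_age
    is how recently a restore must have been exercised.
    """
    by_system = {}
    for job in jobs:
        by_system.setdefault(job.system, []).append(job)

    findings = {}
    for system, history in by_system.items():
        problems = []
        good = [j for j in history if j.ok]
        if not good:
            problems.append("no successful backup on record")
        else:
            newest = max(good, key=lambda j: j.finished)
            age = now - newest.finished
            if age > rpo:
                problems.append(f"RPO exceeded: newest good backup is {age} old (RPO {rpo})")
            # A backup that has never been restored is an untested assumption.
            tested = [j for j in good if j.restore_tested]
            if not tested or now - max(j.finished for j in tested) > restore_test_max_age:
                problems.append("no restore test within the required interval")
        findings[system] = problems
    return findings


# Constructed sample data (system names, times and policy values are assumptions).
NOW = datetime(2024, 6, 1, 12, tzinfo=timezone.utc)
RPO = timedelta(hours=24)
RESTORE_TEST_MAX_AGE = timedelta(days=90)
SAMPLE_JOBS = [
    BackupJob("erp-db", datetime(2024, 4, 15, 3, tzinfo=timezone.utc), True, restore_tested=True),
    BackupJob("erp-db", datetime(2024, 6, 1, 3, tzinfo=timezone.utc), True),
    BackupJob("fileshare", datetime(2024, 3, 1, 3, tzinfo=timezone.utc), True, restore_tested=True),
    BackupJob("fileshare", datetime(2024, 5, 29, 3, tzinfo=timezone.utc), True),
    BackupJob("fileshare", datetime(2024, 5, 30, 3, tzinfo=timezone.utc), False),  # two failed nights
    BackupJob("fileshare", datetime(2024, 5, 31, 3, tzinfo=timezone.utc), False),
    BackupJob("hr-portal", datetime(2024, 5, 31, 3, tzinfo=timezone.utc), False),
]


def sample_report():
    return rpo_status(SAMPLE_JOBS, RPO, RESTORE_TEST_MAX_AGE, NOW)


if __name__ == "__main__":
    for system, problems in sample_report().items():
        print(system, "OK" if not problems else "; ".join(problems))
```

The point of the second finding is the one CP-4 and CP-9 make in different words: a backup counts only once someone has restored from it. In the sample, fileshare has quietly slipped three days past its RPO because two consecutive jobs failed, and its last exercised restore is older than the policy allows; a nightly run of a check like this is what turns the “regular testing” requirement into an alert rather than a line in a policy document.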

Riding into the Sunset – Building a Future-Proof Cyber Strategy

In the end, “The Good” walks away – not because he’s lucky, but because he’s prepared. Organizations that survive the modern threat landscape are those that take compliance seriously, invest in training, and adapt constantly.

The Five Lessons from the Digital Wild West
  1. Follow the Frameworks – Align with NIST 800-171, 800-53B, ISO/IEC 27001 and CMMC 2.0. These aren’t just checkboxes – they’re survival guides.
  2. Know Your Adversary – Use NSA threat advisories and cyber intelligence to stay ahead of evolving TTPs.
  3. Secure the Supply Chain – Demand compliance and visibility from every third party handling your data.
  4. Patch and Prepare – Basic hygiene saves lives. Multi-factor authentication, patch management, and least privilege go a long way.
  5. Be Resilient – Assume compromise. Plan for disaster. Rehearse your incident response like it’s high noon.

Closing Credits

“There are two kinds of organizations, my friend: those that have been breached, and those that will be.”

In the great cybersecurity standoff, every organization plays a role. Will you be “The Good,” upholding the law and protecting your digital town? Or will you become “The Ugly,” undone by carelessness and chaos? Because “The Bad” is always out there – watching, waiting, and ready to exploit any weakness.

It’s time to pick a side. Holster up, configure your firewalls, and ride out into the cyber frontier. Because in this digital Wild West, survival depends on your code – your source code and your moral code.
