Welcome! You’re here because you know I say things that let you ridicule me to your coworkers or because you happen to have a morbid curiosity about human suffering. If it’s the second one, then please skip directly to the vile pictures at the end of the article to get your jollies.
Now I’ll say that really obvious thing that sets the tone for most of the article up until I realize I’ve argued my way into a hole and change it as if I were only kidding. So here it is: defense is hard.
Yes, defense is hard, I’ve just said in my profound wisdom. I’m the first to say it too, in this article. But there’s a catch. And usually I’d save that for the end, but since you’re my friend and follow me on Twitter I’ll tell you early: the twist is that there’s no twist, defense is hard.
The reason why defense is hard is because society frowns upon it. Yes, whenever we get “defensive” we are apparently such jerks that society wants us to feel bad about it. So, we spend a lot of our time trying to look like things don’t bother us.
Movies portray strong hero-types as those who remain cool and indifferent while being attacked, and then walk slowly away from explosions. They show tough, outdoorsy people like lumberjacks unblinkingly staring down bears, wolves, and raccoons with just a red, plaid shirt for protection.
So, while Hollywood teaches us all that not defending yourself is the way to show strength, the reality is that it’s just a way to show breachiness.
Furthermore, defense is hard because attacks seem really complicated and well planned, especially since attack research is constantly happening while the defense types may remain static for many years.
So if you’re standing in place and everything else is moving ahead, it will feel like you’re just falling backwards. Defenders will quickly feel overwhelmed and lost. When that happens, it’s a chore just to get out of bed, let alone go to work and fight a losing battle day after day.
The thing is, humans have a hard time with defense because once it extends past their two main defensive tactics, (1) covering up with their arms and (2) hiding, they’re a bit lost. Which does, however, explain why the two most popular cyber defenses are firewalls and encryption.
The popular opinion is that breaches are happening because defense is hard. That’s not exactly true. Breaches are happening because some people believe that defense is not hard.
When you think that cyber defense is software you install or just a matter of cyber hygiene where you patch, change passwords, and update your products, then you’re missing holes big enough to drive a packet through.
Yeah, I know, but that’s all it takes. And if I exaggerate now just to be funny you’re going to think I’m exaggerating other places in this article too, and I’m not. Because defense is just not that simple.
Take a moment to reflect on the difference between security practices today and those from 20 years ago. What’s the difference? Do we know more about what makes something secure? No. The difference is that security has become less about effort and more about products. But it’s for a good reason.
Since the days of battle axes and Zip Drives, technology has gotten broader, faster, more invisible, and ubiquitous. It has gotten beyond the average human’s control to not only know how to secure what they have, but even to identify what is a computer.
The Internet-of-Things (IoT) isn’t a problem because it’s a lot of things that are inherently insecure, but because it’s a lot of inherently complicated things to manage. Just like two cars isn’t a lot of cars to deal with, but if you had 20 cars to clean, insure, and maintain you’d quickly fall behind in maintenance. Add to that five more cars that you didn’t know were cars or that you were supposed to take care of, and that slope gets slipperier.
Hardening a web server takes a bit of effort. Hardening 10 of them and you’d make some scripts. Hardening 200 of them and you’d get a firewall. A firewall is a computer where we trade the inefficiency of having a choke point for the greater inefficiency of having a person maintain a lot of computers. The fact is that because of volume and ubiquity on our networks today, we need computers to manage computers. Effort alone just doesn’t cut it anymore for security. There’s not enough time or enough manpower to do all the securing that needs to be done.
But the effort doesn’t disappear; it is shifted over to architecture and analysis. We now need to put more effort into designing proper infrastructures that can handle the additional bandwidth and storage space of our security management products and all the new data they get us. Then we need additional effort to analyze all that data, even with more software to do so, and figure out how we respond to the results. Yes, the results themselves generate far more effort than just fixing the problem. Depending on the type of problem, they will trigger a whole bunch of events outlined in the incident response, vulnerability handling, forensics, or disaster recovery plans we had to put all the effort into making. And that’s not fun effort like exploring new operating system controls or studying a malware-infected computer. No, it sucks. Most security people suffer under that effort.
So the truth is: Your cybersecurity is made from human suffering.