Plugging vulnerabilities is like trying to kill a mosquito on the inside of your windshield while driving. The mosquito is a clever beast that has survived millions of years by taking advantage of our weaknesses. Software vulnerabilities, much like mosquitoes, have survived millions of years by also taking advantage of our weaknesses, mostly our inability to second guess what stupid thing a person might really want to do with the soft...
Apologies for the interruption. I was just asked by a co-worker if I really enjoy watching the Twilight movies so loudly or if I just have it on as a deterrent to keep people from talking to me. I said I couldn’t hear her and then kept typing this article. But now it made me think about cyber deterrents and how our focus on cyber hygiene has completely overshadowed the reality that this is a battle we fight 24/7, not a war on tartar build-up. Every day somebody is trying to take your stuff off your systems, and most of the time it’s not even a person, it’s a mindless bot trying to suck up whatever it can so that some human somewhere can sift through it for gold. But really, think about it. Imagine it:
You wake up to a noise at the door. There’s someone on the porch. They can’t get in. They try other doors and windows but no luck. You peek out the window and see that their car has foreign plates. Now what? You start to panic but they leave and go to your neighbor’s house. As you make your way back to your room you hear another set of footsteps on the porch. And then another. And another. Some are looking in windows, some are trying millions of different keys on the door. Some are throwing themselves against the door. Some are just blocking the path to the door. There’s a line down the driveway and another line of cars all the way down the street. Doesn’t look like you’ll be sleeping tonight. Or ever. Then just as you are about to put it out of your mind and get some rest, the door bursts open, and in run some round, dark figures like tiny Roombas, spilling across your living room floor and sucking up whatever they can find. A few try to get in other rooms but can’t. Then as quickly as it started, they’re gone. You look around not really sure if they got anything or not. Good thing you keep a clean hygienic house, right? But really you don’t even know if there are any still hiding in there. You keep hearing whirring bot noises but maybe it’s your mind playing tricks on you.
If you want to apply cyber hygiene best practices to prevent bots from entering your home, turn to page 109.
If you want to search the room for the bots to eliminate them for good, turn to page 109.
If you want to buy a threat detection service to protect your home from future attacks, turn to page 109.
If you want to do nothing and just pretend you don’t hear bots in your living room, turn to page 109.
Security is about practicing good hygiene as much as professional wrestling is about having a good costume. Sure, it helps toward success, but it’s nothing without ass-kicking skills. Historically, World War I was as much about maintaining hygiene for the soldiers as it was about killing the enemy. That war introduced the soldiers to mad amounts of trench foot, trench fever, dysentery, and syphilis, which took men out of the line in huge numbers. So without hygiene, the fighters were much less effective. But without bullets, the soldiers would have been completely ineffective. And that’s what I’m getting at. Cybersecurity is missing solid, professional deterrents like we have in the physical world, such as playing Twilight loudly at an odd-number volume setting or carrying a loaded raccoon.
Of course, the only thing most people think of by cyber deterrents is hacking back. “If the enemy knows we’ll strike back then they’ll think twice before they penetrate our network!” says someone you know, describing their ridiculously underdeveloped security strategy.
But the enemy isn’t deterred by that, because basic attribution online is so hard that even nation-states fumble it. It’s so hard that lawyers have built a standard defense tactic of “a person is not the computer” and sandwiched it between crime of passion and low blood sugar in their quick and easy guide to defense claims. Which is why hacking back is not really a useful deterrent.
Other non-useful Internet attack deterrents include obfuscation, crowd-sourced anything, firewalls, the law, and yelling at your screen.
The point is that there are very few actual deterrents that may work, and most of them are more annoying than effective: tar pits, honeynets, answering every HTTP request with a 200, TCP ports that accept a connection but never speak, deliberately slowed responses, and online shaming. In the world of info warfare, these are really just a mix of misinformation and blank stares. They waste an attacker’s time, but they don’t actually make attackers think they had better stay away and move on to a different target. Where are the big guns?
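To make the “annoying, not deterring” point concrete, here is an added example of one of those tar pits (my illustration, not anything from the article or any product it mentions). It is an SSH tar pit in the style of endlessh: RFC 4253 allows a server to send any number of text lines before its “SSH-” identification string, and clients keep waiting for that string, so a server that drips junk lines and never sends it keeps a scanner or brute-forcer hanging for as long as it is willing to wait. The port number, delay, and line sizes are arbitrary choices; `demo_exchange` is a helper that runs the whole thing in-process over a socketpair so you can see what the client receives without opening a port.

```python
import random
import socket
import threading
import time

# Added example: an endlessh-style SSH tar pit (not the article's own code).
# RFC 4253 section 4.2 lets a server send arbitrary CRLF-terminated lines
# before its "SSH-2.0-..." identification line, as long as none of those lines
# begins with "SSH-". Clients read until they see that line, so if we never
# send it, they sit there. That wastes their time; it does not deter them.

MAX_LINE = 64  # arbitrary upper bound on junk line length


def junk_line(rng):
    """One printable pre-banner line guaranteed not to start with 'SSH-'."""
    while True:
        length = rng.randint(3, MAX_LINE)
        text = "".join(chr(rng.randint(0x20, 0x7E)) for _ in range(length))
        if not text.startswith("SSH-"):
            return text + "\r\n"


def tarpit(conn, delay=10.0, max_lines=None, seed=None):
    """Drip junk lines into `conn`, one every `delay` seconds.

    Returns the number of lines delivered. Stops when the peer hangs up or
    after `max_lines` lines (None means: until the peer gives up).
    """
    rng = random.Random(seed)
    sent = 0
    try:
        while max_lines is None or sent < max_lines:
            conn.sendall(junk_line(rng).encode("ascii"))
            sent += 1
            time.sleep(delay)
    except OSError:
        pass  # the client gave up: the only way a tar pit normally "ends"
    finally:
        conn.close()
    return sent


def serve(port=2222, delay=10.0):
    """Listen on `port` and tar-pit every connection in its own thread.

    Run this by hand; the port and delay are arbitrary example values.
    """
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen()
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=tarpit, args=(conn, delay), daemon=True).start()


def demo_exchange(lines=5):
    """In-process demo: return the lines a client sees from `lines` tar-pit lines.

    Uses a socketpair and no delay so it finishes instantly; the server side
    closes after `lines` lines so the client hits EOF instead of hanging.
    """
    server_side, client_side = socket.socketpair()
    worker = threading.Thread(target=tarpit, args=(server_side, 0.0, lines, 1))
    worker.start()
    chunks = []
    while True:
        data = client_side.recv(4096)
        if not data:
            break
        chunks.append(data)
    worker.join()
    client_side.close()
    # Drop the empty element left after the final CRLF.
    return b"".join(chunks).decode("ascii").split("\r\n")[:-1]


if __name__ == "__main__":
    for line in demo_exchange():
        print(repr(line))
```

A real client such as `ssh -v` against `serve()` shows exactly the behaviour the article complains about: the connection succeeds, the client logs nothing useful, and nothing tells the operator on the other end to go away, only to wait. A bot with a timeout moves to the next address in its list, and a bot without one is the only thing you have actually caught.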
So my nosy co-worker just read this over my shoulder and says that the big guns are multi-factor authentication and encryption, both of which are deterrents to many types of attacks. I know you were thinking the same thing. But I’ll tell you the same thing I told Miss Nosy Noserson: security controls are not deterrents because they don’t stop anyone from trying an attack. No attacker looks at multi-factor auth on your network and thinks, “Oh no! They’re using multi-auth! Run!” If they did, then it would be a legitimate deterrent. Because a deterrent is a means of preventing an attack, not of preventing a successful attack. You want the attacker to not even bother to try. You know, like those “Protected by Some Secure Brand Name” badges on online shopping sites wish they could do.
Until then, at least we have cyber hygiene, which is like the consolation prize that second place gets in Survivor, in any industry except academia, and in my house. But someday, we will really be able to choose a real cyber deterrent:
If you want to scare the crap out of all potential attackers so they all stay away, turn to page 2.