This is the first of an on-going series where we will explore basic cyber security topics.
Cyber security is a war – a war that the good guys are losing and the bad guys are winning. Why is that?
First let’s look at the definition of “asymmetrical warfare” as I use it in this article. Asymmetrical warfare is when a war is fought where one side has an overwhelming advantage (money, resources, weaponry) and/or where the rules for the two sides differ. The “War on Terror” is asymmetrical for both reasons. The “good guys” have overwhelming weaponry at their disposal – but in almost every case are unable to use it! The “bad guys” on the other hand have less firepower but play by their own rules – international condemnation does not faze them.
In Cyber Warfare the “bad guys” do not need to play by any rules – they are a law unto themselves. They can bribe and blackmail staff within organisations to deploy malware or steal data – however organisations are restricted in terms of ensuring their staff remain honest (there are very few organisations that would be allowed to run routine polygraphs on their staff!).
Cyber Criminals also only need to find a single vulnerability to exploit – and only once. Organisations have to expend enormous resources maintaining their defenses and need to repel every attack – every time. In other words – organisations have to contend with the asymmetry of resource allocation – we need “a man on every wall, every hour of every day” while a criminal only needs to look out for the one wall without a guard, for a single moment in time. Every James Bond film and John Wayne spaghetti western uses this trope – the lone individual sneaking into a fortified area that’s heavily guarded. The femme fatale who distracts the guard with a wink and a smile while Bond sneaks behind him. It’s a well-worn trope for a reason – it works.
The first of our asymmetries of the war on Cyber Crime is budgets and objectives. This is an asymmetry in terms of resources – more pointedly, the allocation of limited resources towards cyber security. Most legal organisations attempt to create as much defense for as little spend as possible. This is in sharp contrast to cyber crime organisations whose key objective is to breach systems for as much gain as possible. It may be clearer with a simple example:
Company A is a mid-sized enterprise with an ecommerce website that collects large amounts of user data, including payment information. They are vulnerable to cyber threats and also hold data that a cyber criminal would be interested in stealing.
Hacker B is a cyber crime organisation that steals data and then encrypts systems for a ransom. They are well known and have been responsible for a number of high profile data breaches in the past 12 months.
Company A has a fixed budget for expenses (as do we all!) and views cyber security as just one expense item – it is also not an expense item that generates revenue. Company A could, for example, expand its line of products, improve logistics to be able to ship faster, or rebrand its web site to keep it fresh and appealing in an effort to attract new customers. Since cyber security has no immediate payoff, the bulk of the budget goes to expanding product lines, logistics improvements and web site rebranding. Meanwhile cyber security receives far too little budget to provide adequate protection. Company A has stacked its budget towards meeting its objective – and that objective is to be a market leader with the slickest web site and fastest shipping times. Cyber security for them meets no objective and reduces the budget for items that do meet their objective.
Meanwhile, Hacker B also has a number of expenses to budget for (remember that hacking groups are often fully fledged organisations run as for-profit companies). They need to budget for staff (more hackers) and office space. They often also have web sites (usually a forum on the Dark Web). They decide to spend the bulk of their budget on hackers – forgoing expensive web sites (their web sites are usually of a low quality – it is not important to them). They also have no real need for compliance and regulatory expenses like GDPR or PoPI. For Hacker B the objective is simple: compromise as many systems as possible in order to drive up revenue. Spending money on cyber security (as the aggressor) is key to their objective and they gladly spend it.
This brings us to our first asymmetry: Company A sees cyber security as an expense that is begrudgingly paid and that fails to meet the organisation’s objective, while Hacker B sees cyber security as an investment that generates revenue and fulfils the organisation’s objective. It is not too difficult to see that this places legitimate organisations – like Company A – who are defending their networks at a severe disadvantage.
The second asymmetry is in terms of “acceptable practices”. Legal corporations acting within the law are required to abide by regulations governing their market sector, they need to comply with HR requirements and they need to be seen by their clients as ethical and fair in their dealings. And that is all as it should be – the “good guys” need to be good. However, the “bad guys” have none of those constraints. Let’s go again to a fabricated example:
Company A (our ecommerce site from earlier) employs 20 staff – mostly developers and sales people – at its Head Office, and operates shipping warehouses in 3 cities that each employ between 20 and 30 staff to fulfil orders – many of these are minimum wage earners and often employed for short periods of time only. In order that the organisation can protect itself from cyber threats and so as to ensure it meets regulatory requirements, it must ensure that each of these employees is trained in cyber security, physical security and information protection. Even the staff in the shipping department need to know the basics, as they deal with customer information on shipping labels for example. In addition, each of these staff members is a possible vulnerability – they can be tricked with phishing scams, they can be bribed, and they can be blackmailed. This problem is more complex than it may at first appear. Imagine the logistical task of meeting staffing requirements for Black Friday, where a large number of part-time staff are employed for a short period of time. In many cases (but by no means all), shortcuts are taken in the employment process in deference to expediency. We can all hear the words “there is no point spending a long time training the temps as they won’t be here that long”. A tacit acknowledgment that cyber security incidents are only caused by long-term staff (tongue in cheek!)?
Hacker B on the other hand loves chaos. They thrive on shortcuts and business expediency as these create opportunities for them. Cyber crime rocketed in the pandemic lockdown as companies struggled to link their work-from-home staff to corporate networks – this “new normal” was paid for with short-cuts and expediency. Severe financial losses borne by staff on short-time, seasonal workers who suddenly had no jobs, and spouses of your staff who lost their jobs created a flood of opportunity for hackers looking to bribe staff. They could – with impunity – attempt to bribe staff to inject malware onto systems or to steal data. We are well advised to remember that “there are only nine meals between mankind and anarchy”.
This asymmetry is again in the favor of the cyber criminals. Untrained staff are not aware of cyber threats and can be easily compromised. Temporary workers may not recognise their managers – especially in large organisations and especially on a voice call – and can be tricked into performing actions that compromise an organisation; and lastly, over-indebted people are susceptible to bribery. Organisations are often hamstrung in their efforts to ensure staff remain honest.
The last asymmetry I want to discuss in this article is that of the sheer amount of surface area the “good guys” must protect versus the single failed control that the “bad guys” are looking for. This can be summed up as: The good guys need to defeat every attack, every time, every day. The bad guys just need to catch you on the one day you let your guard down. Let’s return to our Company A once again and see how asymmetrical the attack surface is.
Company A, as we know, is an ecommerce web site. As such the web site is hosted on the public internet and anyone in the world can access the web site at any time of the day. This means that if they are operating out of London, their developers are asleep when Los Angeles is eating lunch. Company A would need to employ 24/7 staff to maintain systems, action outages and react to security events. This is difficult to achieve logistically and comes at an expense. Do you employ nightshift staff in London? Do you open an office in Chicago and employ developers, security specialists and managers? Is there sufficient justification to swing the Board to approve these expenses when the Board may see them as unnecessary? In addition, Company A has numerous systems scattered across the country – from Head Office, to distribution centers, to remote staff working at home. Their senior staff have work phones with 24/7 access to the corporate email server, and most middle and senior managers have laptops that they travel with and carry home every day. Each of these opens another opportunity for a hacker, and requires additional resources (time and money) to maintain, update and protect. And to top it all off, it’s a bank holiday today and Microsoft just released an urgent patch for its operating system for a critical vulnerability. Company A is stretched to its limits.
Meanwhile, over at Hacker B, the senior hacker has just arrived at work after a leisurely breakfast. He sits at his desk with a cup of coffee and launches an automated script that scans Company A’s infrastructure looking for a vulnerability. The entire process might take a few minutes. All the hacker is looking for is an opening. His colleague comes in with a doughnut and asks if he has seen the new Microsoft vulnerability yet. It’s only an hour later and they have already crafted an exploit to target the new vulnerability and launched it against Company A. And they are in! All it took was one middle manager who had not yet updated his laptop because “he had an urgent meeting that could not wait”.
In the above scenario – fictitious but based in reality – Company A simply stood no chance. There was simply no time to patch what could be hundreds of machines across multiple time zones before the hackers had the chance to breach just one. All Company A’s cyber security team could do to prepare for this was build defense in depth, limit the damage (something we will discuss in a later article) and pray for the best.
We are at war with cyber criminals – and they are winning. And they will continue to win while we fight an asymmetric war. We, and our business partners who are not all in IT, need to continue to educate ourselves every day as to the threats and what measures can be put in place to help make it a level playing field.