In June’s edition of Phish and Ships, John Donald, Cyber Adviser at AXIS Capital, compares two different forms of attack: the ‘physical’ one, seen from a military point of view, and the ‘digital’ one, meaning cyber attack. He highlights why the cyber attacker has an advantage when attacking, and the industry’s vulnerabilities to attacks.
Specifically, Mr Donald notes that a rough rule of thumb in military circles is that an attacker needs a 3 to 1 advantage in manpower and firepower in order to successfully defeat a defender. Defenders, not attackers, typically have an advantage because it is normally easier to protect and hold than it is to move forward, to destroy and to take.
By contrast, in the cyber world it is common for the attacker to have the advantage. Today’s vulnerability to cyber attacks exists mostly because the Internet’s primary goal was to share information, not to prevent its flow.
Cyber attacks are a common phenomenon because they are low-cost and high-payoff.
Moreover, the attacker has an advantage because the Internet and IT systems run on complex software, which enables the attacker to move around inside the cyber world while the user faces difficulties.
Both the attacker and the defender are looking for open windows, that is, vulnerabilities, either to attack through or to protect against. Yet the number of vulnerabilities grows exponentially with the size and complexity of the system. The defender has little chance of finding every single vulnerability and patching it before the attacker finds one to exploit.
Mr Donald, on the other hand, highlights that:
Offensive techniques can be used for defensive purposes since the skill sets required are the same. Malware becomes obsolete quickly (hence the value of zero day exploits) and once it has been identified it can be rapidly defeated.
In light of the Internet’s fast-paced development, the defender is now able to succeed, protected by factors such as authentication, password managers and keychains, disposable ‘one-off’ credit cards, cloud computing and faster patching cadences.
Although no organisation is fully protected from attacks, those with good cyber hygiene, educated users and well-configured systems can increase an attacker’s costs significantly.
In cyberspace, defence is more about best practice than best products.