Cyberfortress vs. low-hanging fruit
My 9/21/06 “Zeichick’s Take” about automotive security brought several letters-to-the-editor, one of which made an excellent point that applies well in the physical security world, but which in my opinion falls down in cybersecurity.
Steve Brewin wrote,
“Apparently the vast majority of crime is committed by amateurs chancing on an easy opportunity. The simple lock removes the easy opportunity; amateurs will look elsewhere. Professionals play for much higher stakes and while they can easily bypass such simple security mechanisms, the probability of an attack from them is massively less. Most targets are not worth their time. For most, the cost of installing systems capable of thwarting their attacks is disproportionate to the risk.
The insurance assessor explained that while most viewed their offer as a marketing exercise, their statistics told them that the discount they were offering was small compared to what they expected to save in the cost of claims alone.”
That’s very true. Professionals can unlock cars, remove The Club, jimmy house doors open, even break a laptop security cable with a small bolt cutter. So can a determined amateur, who can pick up the right tools or practice simple techniques. But what about the casual amateur? The kid walking through the parking lot who sees a brand-new iPod sitting in a car? For that kid, a locked door may be sufficient to make him move on.
In other words, if someone is bound and determined to steal YOUR things, locks probably won’t help. But if they’re just looking to steal SOMETHING, they’ll pick the lowest-hanging fruit. Your security system simply ensures that your fruit isn’t the lowest-hanging target.
But that falls down when it comes to cybersecurity — because of the shotgun approach. Even the most casual script kiddies use sophisticated port scans, SQL injection, worms and other automated techniques. Those are the equivalent of trying to break into every car in the parking lot simultaneously. I’m not sure that hoping that someone else’s computer is a lower-hanging target is enough. It’s unfortunate, but our networks, servers, desktops AND applications have to become fortresses. At every layer of the stack, we’re being targeted.