The Two Approaches to Internet Security – Internet Attack vs. Internet Defense

In pretty much any security situation, there is an arms race between attack and defense. A particular side might enjoy an advantage for a period, but then there is a change in technology, and the advantage jumps over to the other side. And then back again.

The Military Example:

Let us consider the history of military tactics and technology. More than two centuries ago, military defenders had an advantage, since attacking the opponent line was far more dangerous than defending your own. Napoleon was perhaps the first commander to figure out how to mount an effective attack by using the weaponry of the time.

However, by the time of the First World War, firearms – particularly the machine gun – had become so sophisticated and powerful that the advantage went back to the defender; trench warfare could prove devastating for the attacker. This tide shifted again during the Second World War, with the advent of Blitzkrieg warfare, handing the advantage over to the attacker, once again.

How the Modern Day Internet and Computer Facilitate the Attacker:

Today, both with the internet, as well as with computers in general, the advantage lies with the attacker, for the following reasons:

  • Things are easier to break than to fix.
  • Complexity is the arch-nemesis of security, and, as it happens, our systems keep getting more and more complex.
  • The very nature of computerized systems means that an attacker only has to find a single exploitable vulnerability. On the other hand, the defender needs to identify and address every vulnerability in the system. In other words, the defenders need to be right every time, while the attacker needs to be right just once.
  • Attackers can focus on a specific attack and dedicate all their efforts to it, while defenders need to guard against every possibility.
  • Software security, in general, is quite poor; we still struggle to write foolproof software and create secure systems.
  • Since computer security is quite technical, the average user can get it wrong and end up subverting whatever security they have.

The Argument for Security:

The above analysis by no means implies that defense (that is, internet security) is useless – far from it. While attack is easier, defense is not impossible either. With good security, many attacks can become harder, costlier, and riskier. Against attackers that are not adequately skilled, the right kind of security might even offer complete protection.

Risk Management:

In the world of internet and computer security, decisions are made on the basis of ‘risk management’. This means that you identify your risks or vulnerabilities, as well as any reasonable protection against those risks. So, if you have a personal computer, you should install a strong antivirus program, switch on automatic updates to ensure that your software remains updated, steer clear of any shady websites or dodgy e-mail attachments from people you do not recognize, and maintain good backups. These steps, along with a few other essential but easy-to-implement ones, will help you ensure that you remain sufficiently secure against common hackers and cyber-criminals.

However, if you are a Ukrainian, Syrian, or Chinese political dissident trying to avoid being assassinated or arrested, you need to take more comprehensive security measures. The same applies if you are a criminal trying to throw the police off, a businessman resisting corporate espionage, or a government embassy wanting to stifle military espionage. If your particular concern is about corporations getting hold of your data or information, you will require a different and more comprehensive set of security measures.

For a lot of organizations, security boils down to fundamental economics. In other words, if the cost of security measures is less than the possible cost of losses or breaches as a result of a lack of security, organizations will go ahead and take the security measures. However, if the security is likely to cost more than the possible losses resulting from inadequate security, organizations will roll the dice and accept the losses should they occur.

For individuals, however, internet security decisions are based on a combination of economics and psychology. Individuals might not be able to place a dollar value on privacy breaches, or being a part of a government’s watch-list. The general idea, however, remains the same – benefit vs. cost.

Random vs. Targeted Attacks:

Of particular importance to the above analysis is the distinction between random and targeted attacks.

It is important to remember that almost every criminal attack is opportunistic. During 2013, hackers made their way into Target Corporation’s network, and stole personal information (such as credit card details) belonging to almost 50 million people. At the time, this attack was considered the biggest of its kind, and, naturally, was devastating for the company – so much so that the CEO, Gregg Steinhafel, ended up resigning.

However, the cyber-criminals did not have any ideological reasons behind targeting Target. They simply wanted to obtain credit card numbers for the purpose of committing fraud, and pretty much any organization’s database would have served this objective. If Target had more robust security, these criminals would have turned elsewhere. Cyber-criminals are much like typical home burglars, who might have certain preferences with regard to the type of home and neighborhood but do not really care about the specific home that they choose. As a homeowner, your job is to ensure that the burglar finds your neighbor’s house more attractive than they find yours. In other words, as far as undirected attacks go, good security is pretty much relative.

Compare the 2013 attack discussed above to the attack on the New York Times that was mounted by Chinese hackers during 2012. In the latter case, the hackers knew that they had to target the New York Times, since they could not have gotten their required information from elsewhere. Against such directed attacks, the absolute level of security is what matters. In other words, the kind and level of security that your neighbors have is irrelevant; you need to make sure that you are sufficiently secure against your attacker’s capabilities, since you know that your house is the only one under threat.

A second example: Google scans every Gmail account, and then uses the obtained information to perform targeted advertising. Naturally, this process is not being performed by a Google employee, but rather by a computer. So, if your e-mail contains some obscure language that Google is unable to translate automatically, you will be safe against Google’s algorithms – since Google will not consider translating the e-mail worth its while. However, if you are an FBI target, you can rest assured that the officers will put in the time and effort required to decode the e-mails.

Final Word:

To sum up, while ‘attack’ might hold the advantage in the world of internet and computer security, an adequate defense can provide considerable protection in most cases. The kind of security measures that you need to take will largely depend on whether you are looking to safeguard yourself against a random attack, or are seeking security from a targeted one.
