I have been thinking a fair amount about Information Security recently; probably because I am in the middle of a SANS course which is rather more interesting than most IT courses I have been on. As I was walking in this morning, I was pondering how I would explain what I do to a distant ancestor. Not exactly the easiest of tasks given that what we do involves what would seem to be magic to someone from the distant past.
But an analogy did occur to me: What we do is somewhat similar to the militias that used to protect walled towns and cities in the medieval era; particularly during periods of the medieval era when central authority was somewhat lacking. Such as England’s “Anarchy”.
In the distant past (and in some cases, not so distant past), towns could be at risk of being sacked by brigands for profit or for some “military” purpose. Those living in towns were obviously somewhat reluctant at this possibility, and in many cases would arrange for protection by hiring soldiers to protect them; the defences would often include city walls, a militia (paid or voluntary), etc.
Which is somewhat similar to what we do – we’re the soldiers hired to protect the “town” (a company or some kind of institute), and we build town walls (firewalls), and other defences. Obviously it is easy to take the analogy too far – we don’t get to fire crossbows at our attackers. But neither is it completely inaccurate, or indeed uninteresting.
Today we expect our central governments to arrange physical protection for us – we don’t expect to need to organise a militia to protect our cities; neither do we expect to held up at gun point to turn over our valuables. Yes there are exceptions, but they are sufficiently unusual that they are greeted with astonishment. And yes some companies with especially high value assets do arrange for additional protection over and above what is usually provided by the state.
But when you compare physical security with information security, it becomes apparent that we are still in the medieval era when it comes to information security. States are only just beginning to look at “cyberwarfare” and offer little other than advice to individuals or organisations looking for protection; it is common to hear that the police are simply not interested in looking at an issue unless the costs are less than £1 million.
If someone suffers financial harm through a phishing attack, our standard response is to blame them for being “stupid”. Whilst most phishing attacks do involve someone doing something stupid, it seems odd to blame the victim – who would blame the victim of a mugging?
Similarly when an organisation has some attackers break in, steal a whole bunch of database files which in turn contain tons of clear text passwords, or hashed passwords, we blame the victim. How could they be so stupid as to not protect that data? After all, it costs more to be careful.
So perhaps I could explain what I do as being an old warrior who has settled down in a town and runs the local militia.
Now if you’ll excuse me, it’s time for bed – time to hang up the crossbow and take off this horrible chain mail.