Security Lessons from Military History
History repeats itself more often than we think. Let’s take a look at some military lessons through the ages and see how they apply to our modern-day cyber security challenges. The fundamental requirements for a successful military campaign are much the same as those for an IT manager’s battles: both take strong leaders, ample funding, high morale, good planning, excellent weapons, and a capable crew.
Blind spots – a lesson from pirates.
Innovative hackers will always seek to attack where defenses seem weak or nonexistent. When Sir Francis Drake raided the Spanish Empire’s Pacific coasts in 1578, his single ship (his fleet having been reduced from five!) met almost no resistance simply because the Spanish authorities didn’t expect an attack from that direction. An English pirate ship operating in the Pacific was unheard of in 1578, but not afterwards. The Spanish Empire’s error was not preparing for potential threats along all of its attack vectors until it was too late.
As long as we stay complacent, smart hackers will run circles around us and eventually get what they want. If you thought trusting employees to use strong passwords that aren’t reused elsewhere was enough, you’ll be disappointed sooner or later. The most destructive attack is the one that comes from where you’re not expecting it (Forbes ranks Sir Drake as the second highest-earning pirate, at USD $115 million in modern money). Basic idea: attack via an unexpected route and make a massive fortune. Hackers are always evolving their tactics and changing their attack vectors. If you have a $1 million firewall, why would anyone attack it? It’s easier to find an undefended route.
Defense coordination is key.
In 1805, the Austrian army under General Karl Mack von Leiberich marched against Napoleon Bonaparte in the War of the Third Coalition. But the Austrians didn’t wait for their allies (who would be crucially needed against Napoleon’s massive Grande Armée). Napoleon then feinted his movements to give Mack a false sense of security, while in fact the French army was quickly surrounding the Austrians from the rear. Mack’s trapped forces hoped that General Mikhail Kutuzov’s Russian army, their far-away ally, could rescue them, but the Russians were still too far from the battlefield. And so General Mack surrendered his entire army (casualties: 60,000 men!) to the Emperor Bonaparte just six weeks into the war (Chandler, D. G. (1967). “The Campaigns of Napoleon”).
Lesson: coordinate with your teams! Management, the IT team, vendors, managed service providers, users: everyone must be coordinated in their defense against the never-ending onslaught of cyber criminals. Has management allocated sufficient funding for a proper cyber security defense? Are end users aware of common and advanced risks? Are employees typing their corporate passwords into unsecured public Wi-Fi networks? Are managers falling prey to clever social engineering? Will one of thousands of employees accidentally click one of the thousands of daily phishing emails?
And never get complacent: when you feel safe, it might not be enough, especially against a determined enemy whose only goal is to win. The margin between a cyber incident and a near miss is slim!
SPEED: Unprepared security posture.
While the Napoleonic Wars raged in Europe, the United States declared war on Great Britain in 1812. British troops in Canada received news of the declaration even before U.S. troops knew! Secretary of War William Eustis sent a letter informing General William Hull to prepare for war, but a letter written on the same day with news of the actual declaration of war arrived a week later because it was sent by regular mail. This allowed British Major-General Sir Isaac Brock to take the initiative in Canada. The result: the U.S. was unprepared for the war and greatly miscalculated the time required to organize fighting units.
Let’s say 2FA isn’t budgeted for this year and a hack occurs within the next 365 days… just weeks shy of prevention! Don’t let a few days, weeks, or months destroy years of accomplishments. How long should you leave the door unlocked? Probably never. Quick hackers will immediately exploit the little time between setup and changing the weak default password. Every hacking incident involves timing as a crucial factor in many ways: better preventive measures could have been set up sooner, downtime could have been shorter, and so on. Here’s low-hanging fruit for hackers: someone buys a security camera, sets it up, and doesn’t change the default password. The hacker can just look up the default password. In conclusion, every minute of delay in changing the default password is a greater chance that some malicious hacker will gain access.
By the way, if you don’t have 2FA already, you should get that checked off ASAP. Double your security. A strong password is no longer enough in 2021.
Unencrypted messages are bad.
During World War I, General von Hindenburg and his Chief of Staff, Major General Ludendorff, led German forces to a decisive victory at the Battle of Tannenberg. Russian objectives were initially discovered by the Germans in the form of a written order found on a fallen Russian officer. The information was then confirmed by an intercepted, unencrypted radiogram sent by the Russians. Lesson one: encrypt sensitive information and keep tight control over where end users store (and transport) it. Even passwords written on paper and thrown in the trash could be picked up by a malicious actor. Don’t let employees write passwords down! Don’t meekly give up the pursuit of a strong password culture. Lesson two: don’t send unencrypted messages that others can eavesdrop on (the Germans weren’t even looking for Russian messages; they happened upon them)! Opportunity creates incidents.
Every cyber security expert warns people not to connect to public Wi-Fi networks without a VPN. Cyber criminals can exploit public Wi-Fi networks to “sniff” traffic and read your emails and messages. Eavesdropping is a serious issue in modern cyber security. Use encrypted email and never connect to any public Wi-Fi without a VPN to mitigate the risk. Proactively prevent eavesdropping: you never know who’s listening and/or watching.