GATEKEEPER BLOG


Security Lessons from Military History

History repeats itself more often than we think. Let’s take a look at some military security lessons through the ages and see how they can apply to our modern-day cyber security challenges. Many of the fundamental requirements for a successful military campaign are no different from those of an IT manager’s battles. Both take strong leaders, ample funding, high morale, good planning, excellent weapons, and a capable crew. Moreover, we can learn from the lessons of history to avoid becoming a modern-day lesson to others.

Blind spots – a security lesson from pirates.

Innovative hackers will always seek to attack where defenses seem either weak or nonexistent. When Sir Francis Drake raided the Spanish Empire’s Pacific coasts in 1578, his single ship (after his fleet was reduced from five!) met almost no resistance simply because Spanish authorities didn’t expect any attack from that direction. An English pirate ship operating in the Pacific was unheard of in 1578, but not after. This was a case of a vulnerable attack vector. The Spanish Empire was not prepared for potential threats on all of its attack vectors until it was too late – a bad error.

As long as we stay complacent, smart hackers will run circles around us and eventually get something they want. If you thought trusting employees to use strong passwords not reused elsewhere was enough, you’ll be disappointed sooner or later. The most destructive attack will come where you’re not expecting it (Forbes ranks Sir Drake as the second highest-earning pirate at USD $115 million in modern money). Basic idea: target via an unexpected route – make a massive fortune. Hackers are always evolving their tactics and changing their attack vectors. If you have a $1 million firewall, why would anyone attack it? It’s easier to find an undefended route.


Defense coordination is a key security lesson.

In 1805, the Austrian army marched against Napoleon Bonaparte in the War of the 3rd Coalition. But the Austrians didn’t wait for their allies (who would be crucially needed against Napoleon’s massive Grande Armée). Napoleon then feinted his movements to give the Austrian commander, General Karl Mack von Leiberich, a false sense of security (while in fact the French army was quickly surrounding his forces from the rear). Mack’s trapped Austrian forces hoped that General Mikhail Kutuzov’s Russian army, their far-away ally, could rescue them. But the Russian allies were still too far from the battlefield. And so, General Mack surrendered his entire army (casualties: 60,000 men!) to the Emperor Bonaparte, just six weeks into the war (Chandler, D. G. (1967). “The Campaigns of Napoleon”). Lack of coordination is deadly.

Security lesson: coordinate with your teams! Everyone must be coordinated in their defense against the never-ending onslaught of cyber criminals – management, IT team, vendors, managed service providers, and end users. Do you have sufficient funding? Are end users aware of common and advanced risks? Are employees typing their corporate passwords into unsecured public Wi-Fi networks? Are managers falling prey to clever social engineering? Will one of the thousands of employees accidentally click one of those thousands of daily phishing emails?

And never get complacent – when you feel safe, it might not be enough, especially against a determined enemy whose only goal is to win. The margin of error between a cyber incident and not is slim! Have you ever spoken to someone responsible for a data breach under their watch? No one envies that person…

SPEED: Unprepared security posture.

While the Napoleonic Wars raged in Europe, the United States declared war on Great Britain in 1812. British troops in Canada received news of the declaration even before U.S. troops knew! Secretary of War William Eustis sent a letter informing General William Hull to prepare for war. But a letter written on the same day with news of the actual declaration of war arrived a week later because it was sent by regular mail. This allowed British Major-General Sir Isaac Brock to take the initiative for Canada. The result: the U.S. was unprepared for the war and greatly miscalculated the time required to organize fighting units. Reaction times are just as crucial during cyber security breaches and incidents.

Still don’t have 2FA yet? Don’t let a few days, weeks, or months destroy years of accomplishments. How long should you leave the door unlocked? Probably never. Quick hackers will immediately exploit the short window between setup and changing the weak default password. Every hacking incident involves timing as a crucial factor in many ways: preventative measures were needed sooner, downtime could have been shorter, and so on. Here’s a low-hanging fruit for hackers: someone buys a security camera, sets it up, and doesn’t change the default password. The hacker can just look up the default password. In conclusion, every minute of delay in changing the default password gives a malicious hacker a greater chance of gaining access.

By the way, if you don’t have 2FA already, you should get that checked off ASAP. Double your security. A strong password is no longer enough in 2021.

Unencrypted messages are bad.

During World War I, General von Hindenburg and his Chief of Staff, Major General Ludendorff, led German forces to a decisive victory at the Battle of Tannenberg. The Germans initially discovered Russian objectives in the form of a written order on a fallen Russian officer. Then, the information was confirmed by an unencrypted intercepted radiogram sent by the Russians. Lesson one: encrypt and keep tight control over sensitive information and where it is being stored (and transported) by end users. Even passwords written on paper and thrown in the trash could be picked up by some malicious actor. Don’t let employees write passwords down! They could lose the paper they wrote them on. Someone could take a picture of it. Another person could share the password with some other unauthorized person. Don’t meekly give up the pursuit of a strong password culture.

Lesson two: don’t send unencrypted messages that others can eavesdrop on (the Germans weren’t even looking for Russian messages, they happened upon them)! You never know who’s listening. Opportunity creates incidents. Some of these security lessons were still being learned during World War II.

Every cyber security expert warns people not to connect to Wi-Fi networks without a VPN. Cyber criminals can exploit public Wi-Fi networks to “sniff” traffic, which lets them read your emails and messages. Eavesdropping is a serious issue in modern cyber security. Use encrypted emails and never connect to any Wi-Fi without using a VPN to mitigate risks. Proactively prevent eavesdropping – you never know who’s listening and/or watching. Be smart, be preventative, and learn from the lessons of the past.
