VIEW 8
Evolutionary arms race
Change is the only constant, the saying goes. Heraclitus, a Greek philosopher, expressed this first in 500 BC when he wrote:
“No man ever steps in the same river twice, for it is not the same river and he is not the same man.”
The river is not static but dynamic—it flows—and people change too, because they age. This is a good metaphor for corporate computer systems, which are constantly changing as new kit is added.
When it comes to people, all companies have staff turnover—accounts for leavers must be deleted and accounts for joiners created. Keeping the HR database and the IT user database in sync is often a problem—old user accounts that should have been deleted are a common attack vector.
The philosophy behind cyber security needs to be dynamic, not static.
But taking a step back, we can extend beyond the river metaphor and look at the landscape as a whole. An important point to note is that the change is not random, but cyclical. If it is a river, then it’s a tidal river near the coast that ebbs and flows. Just like a tidal cycle, dominance shifts between predator and prey. Think of foxes and rabbits. The rabbit population booms, so the foxes have a plentiful supply of food. That means that the fox population also booms. But then the predation of the rabbits increases so much that the rabbit population crashes, and subsequently so does the fox population. It’s a continuous process, with the two cycles being half a step out of sync with each other.
The cyber world is the same. In this ecosystem the predators, the cyber criminals, constantly come up with new attack vectors and methods. The defenders, in this case, are not just the corporates but also the large tech companies that have a vested interest in keeping the cyber realm secure. Excessive predation by the attackers leads to the development of new defensive technologies. When these are successful, attackers switch to a new, different attack vector.
You can see the cycle being played out in the realm of passwords. Hackers exploited the fact that people used the same “easy to guess” password for every site. So, tech companies came up with password managers, which generated automatic complex passwords for each site.
In response, hackers upped their phishing campaigns—why bother trying to crack a complex password when you can get a user to just give it to you with a well-crafted scam email? And in response to that, tech vendors came up with MFA, or multifactor authentication… and so on. Dominance seesaws back and forth in an endless cyclical arms race.
