Common security analogy: “When you’re chased by a bear, you just have to run faster than the guy next to you!”
I continue to hear this analogy, and like pretty much any analogy it has holes if you look too closely. So the contrarian in me gets restless when I hear it (or insinuations of it) a few too many times. Lord knows I’m sympathetic to analogies and try not to get too far beyond the spirit of their point, but the over-used ones lose that privilege eventually!
1. Assumption: the bear is rational. I’ll run (pun unintended) with this further…
2. Assumption: the bear will survey all of his possible targets and choose the one most accessible. The bear may not know all of the possible targets, or not even bother trying to make himself aware of all the possible targets.
3. The bear may not properly evaluate the targets he does see.
4. Again defying rationality, the bear may just go after whomever for strange reasons. Maybe the last target he ate that was wearing a blue vest tasted good.
5. Assumption: the bear will stop after he takes your buddy down. If a blanket, automated malware campaign is released, it will probably not stop at one success, but rather keep going to get as many as possible.
6. Assumption: there is only one bear. I’m pretty sure there are more attackers than just one mean ol’ bear.
7. Assumption: that you even realize there is a bear about. Let alone where he’s coming from, how fast to run, how the bear will respond, or whether the bear learned how to shoot a crossbow. (Yes, a crossbow.) The game may not be about outrunning the threat.
8. What about the bears of opportunity? Not every bear is a threat, but getting complacent because the last 10 bears just ambled on by with barely a sniff doesn’t mean the next one won’t take a swipe as he lumbers near. Can you tell a bear from a boar in the dark as it shuffles around? Or do you just run from everything that may be a threat…including your customers?
Blah, blah, blah. I had to get that off my chest a bit. Maybe this is a better picture. You’re in the woods. You and some buddies and about 500 other people. There are lots of animals and it is dark, the foliage is thick, noise is everywhere. There are also 100 bears. Some of these bears are large and obvious, but others kinda look a lot like your buddies or other people. Strange, I know! But the point is really that you can’t plan your security around simply being better than the others in your industry. In fact, others in your industry, strictly speaking, shouldn’t even be an influence (in reality, they are, but that is just good strategic management-thought).
This has always been the most retarded analogy in infosec.
And by retarded, I mean, _seriously_ retarded. Like imbecile. Like idiotic. Like “no clue”.
If we were smart, we would band together and destroy our enemies. But instead, our enemies band together and rape us. They rape us. Actually, they rape your customers — but you don’t care!