Source:
SC Magazine
In the early 13th Century, the besieged Château Gaillard fell to King Philip of France when a soldier found a way into the castle through a latrine chute. As unpleasant as this must have been, that was all it took to gain access and open the gates. The castle fell and, because Château Gaillard guarded the route into Normandy, three hundred years of Norman independence ended a few months later. The Château's castellan had ignored the latrine chute's vulnerability and left it unguarded, instead choosing to rely on the castle's walls, high ground and barricades. Compounding this, the castellan had made no preparations to repel anyone who did find their way in.
In 800 years, it seems, our approach to security hasn't shifted far: we expect that robust defences will protect us from attacks, and fail to prepare for when a breach does occur. An attacker does not need or want to bash his head against firewalls, intrusion detection systems and thorough network segmentation. The vast majority of cyber attacks are automated, indiscriminate and target known vulnerabilities. A single cyber criminal can be responsible for hundreds of attacks per day, without any specialised training.
Most organisations don't have impressive defences like Château Gaillard – as Target and several other recent breaches demonstrate – which means that today's cyber attackers don't have to be as resourceful as the French in 1204, or as sophisticated as those who target choice economic and strategic organisations. Clearly, cyber security should not be the end-goal – this is akin to hiding behind the walls of Château Gaillard. What organisations should be aiming for is cyber resilience – the ability to respond to and recover from cyber attacks. However effective you may think your outward-facing defences are, today's cyber attacker will find a way in – and, if you have made no preparations for responding to a breach, you will suffer severe damage.