Attackers strike where defenders least expect it — in cybersecurity, certainly, but in the world of physical warfare as well. As a former military officer, I think it's particularly instructive to look at military battles from the cybersecurity defender's perspective. Military battles bring direct lessons and, I find, often serve as a reminder that attack surface blind spots have been an Achilles' heel for defenders for a long time. They remind us that we have to rethink our assumptions, habits, and biases to operate at our best.
One notable example occurred in 1204 at Château Gaillard. The château provided the English a seemingly impenetrable stronghold from which to defend their claim in the Normandy countryside. The base of the keep was built out of natural rock, and all possible approaches were guarded by impressive towers and walls. Undaunted, the French laid siege, and for eight months, continued their constant frontal attack, despite the heavy toll to their forces.
Everything they tried failed to topple the English — until finally they decided to attack the castle's weakest point, one that was completely unmonitored and protected: the latrines. By climbing through the sewer, the French were able to sneak into the chapel in the inner castle. A medieval special-ops team snuck through this opening and set fire to the inner castle.
Cybersecurity attackers follow this same principle today. While most are not diving through sewers, they do show up in unexpected places, seeking out portions of an organization's attack surface that are largely unmonitored and undefended. Companies typically have a sizable number of IT assets w ..
Support the originator by clicking the read the rest link below.
