This post is broken into two sections:

  • A description of how an attacker views your organization and where they’ll target
  • An exploration on why every organization over-invests in some areas and is wildly negligible in others

The short version is that attackers are resource constrained and will choose the path of least resistance, which will naturally be where defense is the poorest. This part is so often repeated in infosec that it’s practically cliché. The piece that isn’t so well discussed is why organizations tend to spend vast sums of money and years of effort in some areas while others go completely untouched, and what we should do about that.

This is entirely based on my 10+ years consulting for every type of organization under the sun, alongside general industry trends. It is not based on any single organization; practically any non-trivially-small organization exhibits this.

Attacker mindset: going after “Steve from accounting”

No attacker has unlimited resources; even Mossad will take a low-cost option if it exists.

The ideal human target looks like this:

  • Not overly computer/tech savvy, knows just enough to be dangerous
  • Therefore, likely works in some kind of business role: legal, finance, sales, operations, etc
  • Has been at the company a while, say 7 years. Organizations are great at provisioning access to resources and terrible at revoking it. You want someone with excessive ambient access. Having moved teams a few times is great for collecting group membership
  • Definitely doesn’t specialize in security. Infosec folks are hilarious bad at their own operational security sometimes, but we’re still an inherently paranoid bunch so it’s not worth the risk
  • Is junior enough to be doing a lot of routine type work that you can convince them to perform an action without raising red flags. Is easily convinced by someone that sounds “above their paygrade”
  • Is senior enough to have access to higher-privilege systems and data. You don’t want a Tier-1 support desk technician who can only test whether the internet works

The ideal technical target looks like this:

  • Is not a core business function or product:
    • If you’re Netflix, it’s not your streaming system
    • If you’re Fidelity, it’s not your iOS app.
    • If you’re Ford, it’s not your in-vehicle entertainment system.
    • All of those things will have vulnerabilities and could be targeted, but there are far far easier targets
  • It’s outdated and poorly maintained, because it’s not seen as a core product and therefore not direct revenue generating, so not heavily invested in
  • It’s probably not customer-facing
  • It’s not fun or hip. Your top engineers don’t want to work on it

The reason attackers pick these things is because they’re known to be severely lacking the engineering and security attention they deserve, and therefore are the easiest way to achieve an objective.

Defender mindset: Defense-in-dissimilar-depth

Organizations naturally defend their most prized possessions; the things that they stand to lose the most from if compromised. It is totally reasonable for a bank to invest heavily in ensuring their consumer-facing web application is rock solid before securing their Juicero network, but when the application of security becomes so uneven that they’re leaving a wide gaping hole elsewhere, attackers will notice.

A perfect example of this is the twitter hack which saw Bill Gates, Elon Musk, and Joe Biden’s twitter accounts hijacked. Twitter has had well over a decade to build systems to defend against classic web application attacks like XSS or SQLi (both of which can practically be eliminated as bug classes in 2022) so this type of front-on attack is simply not worth it. Security engineers love solving these types of deeply technical problems in high-profile core products. It’s a thousand times less sexy for security engineers or VPs alike to invest in securing the janky “internal-only” PHP web application developed by an intern in 2003, but that’s where the attackers are being almost immediately routed by force of obvious resistance elsewhere.

So, what to do?

Invest in the security of the unsexy tech and non-“rockstar” folks in your org. Maybe not as much as your keystone products, but much more than you probably are today. Security is largely about loss avoidance. Whilst the Return On Investment (ROI) case may not stack up for updating the UI of that decades-old sales CRM, the Loss-Avoidance-Potential On investment (LAPOI) case very likely does.

Ask if you’re evenly distributing security resources to where the risks are, rather than where it feels good to spend your limited time, energy and money.