+++
title = "Bear attacks, no-win situations and cybersecurity"
author = ["George Jones"]
publishDate = 2020-03-19T00:00:00-04:00
lastmod = 2022-02-26T08:44:34-05:00
tags = ["cybersecurity", "security", "privacy", "perspective", "bears"]
categories = ["blog"]
draft = false
+++

I spend a good amount of time hiking in Shenandoah National Park and surrounding areas. I've seen quite a few #bears, and I've followed one down the trail. I've been growled at by a mother bear when I unknowingly came between her and her cubs. This is going somewhere related to #cybersecurity. I promise.

You can't outrun a bear. Climbing a tree won't help. If a bear actually decides to attack you, the odds are not in your favor, but fortunately they almost never attack. The old joke goes "I don't have to outrun the bear, I just have to outrun you" because, presumably, the bear will catch your slower partner, stop, and not bother you when you both decide to run for it in violation of bear encounter best practices.

This hints at any number of cybersecurity principles:

- Know your threat model.
- Know and follow best practices.
- Don't let fear (or adrenaline) dictate your response.
- Know and practice situationally appropriate responses (grizzlies: if attacked, play dead; black bears: if attacked, fight for your life).
- Be prepared (bear spray, first aid kit).
- Practice deterrence (make noise, travel in groups).
- Prevention costs less than recovery. By far.
- And, of course, make sure the other guy is an easier target. Run faster if you run. Apply patches, have good backups (hello, ransomware!), have layers of defense, decoys, monitoring, DLP, practice threat hunting, etc.

For a decade or so, I've been reflecting on the fact that defensive cybersecurity is a losing game. The red team (attackers) always win. I don't like no-win situations.
There's a lesson here:

**Don't feed the bears**: They become habituated to humans, lose their inhibitions, become a nuisance, and sometimes have to be relocated or killed. Nobody wins.

OK, not that lesson. Lessons like:

**Follow best practices**: Following best practices CAN help avoid problems. Not following best practices WILL invite problems.

**Have an incident response plan**: If you see a bad thing happening, if it is coming straight for you, what do you do?

**Line up the right resources**: Do you know how to triage wounds? Do you have a cell phone? Are you in range of cell towers? If not, do you have a SPOT to call for help? Where is the nearest hospital? Are you prepared to shelter in place if need be?

**It's not just you**: Feeding the bears or failing to store food properly might result in perfectly good backcountry shelters being torn down. And here we are, 20 or so years after it became clear that allowing spoofed packets out of your network enables #DDoS #attacks (BCP 38 spelled this out in 2000), and we **still** do not have widespread adoption of reverse path forwarding (unicast RPF) checks. **Please** stop spoofed packets at your border!

So it may be true that few people win in the face of an actual attack, but, it turns out, there are still good reasons to play the game.

## For Further Reading {#for-further-reading}

**Numbers of bear attacks**: In North America, only 2-5 people are killed annually by bears, vs. (worldwide) 10 killed by sharks, 50,000 by snakes and 725,000 by mosquitoes.

**U.S. Forest Service**: "Be bear aware"

**Internet safety 101**: "Internet safety 101: 15 tips to keep your kids and family safe online". Sure, they want to sell you antivirus software, but this is generally good advice.

**Ultimate Guide to Cybersecurity**: "Your Ultimate Guide to Cybersecurity: At Home, at Work, and on the Go." A little more in depth.

**CIS Critical Controls**: "The Center for Internet Security (CIS) Critical Security Controls". More in depth. For enterprises.
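The "stop spoofed packets at your border" point above is a mechanism, not just a plea, so here is an added example showing what a strict unicast RPF check and a BCP 38 egress filter actually decide. This is illustration code written for this page, not anything from the post's author or from a router vendor; the routing table, interface names ("inside", "outside") and sample packets are all constructed, using RFC 5737 documentation addresses.

```python
"""Added illustration: strict unicast RPF (ingress) and BCP 38 source-address
filtering (egress), simulated over a constructed routing table.
This is not router code; it models what the router feature decides."""
import ipaddress
from typing import Optional, Tuple

# Constructed FIB for a hypothetical border router: prefix -> egress interface.
# Our own/customer space is 203.0.113.0/24 behind "inside"; everything else
# is reached through the default route via "outside".
FIB = {
    ipaddress.ip_network("203.0.113.0/24"): "inside",
    ipaddress.ip_network("0.0.0.0/0"): "outside",
}
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def lookup(addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match: (prefix, egress interface) for addr, or None if unrouted."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB.items():
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def strict_urpf_accept(src: str, ingress: str) -> bool:
    """Strict uRPF: accept only if the best route back to the source address
    exits via the interface the packet arrived on. Anything else is spoofed
    (or asymmetrically routed, which is why strict mode suits single-homed edges)."""
    route = lookup(src)
    return route is not None and route[1] == ingress


def bcp38_egress_allow(src: str) -> bool:
    """BCP 38 egress filter: traffic leaving the network may only carry
    source addresses we actually own. This is the rule the post asks for."""
    ip = ipaddress.ip_address(src)
    return any(ip in p for p in OWN_PREFIXES)


def classify(src: str, ingress: str) -> str:
    """Apply both checks to one packet and return a verdict string."""
    if not strict_urpf_accept(src, ingress):
        return "drop: fails strict uRPF on %s" % ingress
    if ingress == "inside" and not bcp38_egress_allow(src):
        return "drop: BCP 38, source not in our prefixes"
    return "forward"


# Constructed sample packets: (source address, ingress interface).
SAMPLE_PACKETS = [
    ("203.0.113.10", "inside"),   # legitimate customer traffic leaving
    ("198.51.100.7", "inside"),   # customer host spoofing someone else's address
    ("198.51.100.7", "outside"),  # normal inbound traffic
    ("203.0.113.10", "outside"),  # our own address arriving from the Internet: spoofed
]

if __name__ == "__main__":
    for src, ingress in SAMPLE_PACKETS:
        print(f"{src:>14} via {ingress:<8} -> {classify(src, ingress)}")
```

The two spoofed packets are dropped for the same underlying reason: the route back to the claimed source does not point at the interface the packet came in on. On Linux the kernel equivalent is `net.ipv4.conf.all.rp_filter = 1` (strict; `2` is loose mode for multihomed sites); on Cisco IOS it is `ip verify unicast source reachable-via rx` on the customer-facing interface. Where uRPF is unavailable, a plain egress ACL permitting only your own prefixes as source, which is what `bcp38_egress_allow` models, gets you most of the benefit.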