> By contrast, an attacker’s entire job is to attack the system. There is no other purpose they are serving, no secondary masters or considerations that need to be used to weaken their attacks.
This seems like a serious misconception. Cyber attacks absolutely have purpose, whether that’s to steal data, disrupt services, whatever. Your viewpoint might apply to unsophisticated actors who just want to break things and cause chaos, but it’s completely ignorant when considering nation-state actors and financially motivated criminals.
Yes, but that purpose is accomplished by way of attacking the system. By comparison, most cyber security defense gets in the way of the purpose of the defenders. We know this, and even joke about it openly. The ultimate secure system is a computer unplugged, sealed in a lead vault, encased in concrete and buried a mile beneath the surface. It might not be useful, but it is completely secure.
Even less flippantly though, we inherently know this. How many things do we do every day that could be "more secure", but "more secure" gets in the way? Do you memorize 256-character unique passwords for every site and system and refuse to record them even in a password manager? Do you use GPG-encrypted emails and only E2E-encrypted messaging services? Are all your home network devices independently firewalled, with strict in- AND outbound rules ensuring they can only talk to the specific devices they should be able to talk to and only on specific well-defined ports? Have you hardened your home network against data exfiltration via DNS queries? Is all network traffic fully encrypted with mutual client and server cert validation? If you've answered no to any of these questions, you have chosen to prioritize something else over better cyber security defense. And it's probably a good bet that at least some of that is because doing these things would actively get in the way of doing what you actually want to do with your electronic devices. You've knowingly chosen a weaker defensive stance to do something else instead.
Attackers on the other hand have no need to choose weaker attacks on your defenses in order to do something else instead. The attack is the point of their usage of their devices (and yours).
You might argue that the attacker might choose a lesser profile in order to remain hidden and beneath detection, but I would argue this still isn't the same choice. Given the option, no company would spend any time or money on resources for cyber defense. They would rather spend all that time and money on their actual business. But attackers would spend time and money and resources on their attacks because those attacks directly serve their goals.
> If you've answered no to any of these questions, you have chosen to prioritize something else over better cyber security defense.
To add to this: I get irrationally irritated when some hack occurs and someone makes the comment: "Their databases weren't even encrypted! Amateurs!"
Okay mister wise-guy, let us see you "encrypt" the database at an organisation where that database produces a billion dollars of revenue annually.
Are you sure you aren't going to lose the encryption keys? Many billions of dollars sure?
Okay, you've made sure that the keys are safely backed up! Good job! Now rotate them. On a schedule. That's a process you will be required to hand over to a secops team to avoid you being a "bus factor of one". Good luck with writing out that process so nobody ever screws up.
Now provide access to the encrypted data to... everything and everyone. Because that's the point of business data. It's supposed to be consumed, reported on, updated, saved, exported, imported, and synchronized. Not just to systems you control either! To the CFO's tablet, to the third-party suppliers' ERP, and to every desktop in the place. There's a hundred thousand of them, across every continent bar Antarctica.
It's surely because they're amateurs that they haven't figured this all out already: cheaply, robustly, and securely!
And the reason it was made is because the encrypted database may as well be a shrine to a dead god; it makes you feel awe, but it's otherwise completely useless.
I mostly just see "not even encrypted" by way of password stores and PII though — stuff no employee or CFO is ever going to need to visually examine — and those we have a lot of best practices to fall back on about keeping always encrypted all the time.