The human is the weakest link in any chain of defense; however, the human is also the strongest link in any attack chain. Why is that? Maybe they’re not talking about the same human?
In chess, statistics show that he who makes the first move (“white” player) has at most a 56:44 advantage over his opponent (“black” player), all other factors between the two players being equal.
On a modern physical battlefield, where much of what happens is hidden or secret and there are no rules, I would venture to say that the side that takes the initiative has a greater advantage than the first mover on a chess board, where all moves occur in plain sight and only the intentions are hidden.
In cyberspace, where everything is invisible except for the effects of successful attacks, the attacker has an incredibly large advantage over the defender by virtue of the fact that he makes the first move. After a breach, more often than not, an attacker enjoys complete freedom of operation inside the organization for four months or more, before being discovered.
In these examples we can see how the attributes of a playing or battle field may confer advantages to an attacker or a defender. Actually it would be more accurate to say that the attributes of a playing or battle field accelerate the advantages of the attacker and exacerbate the disadvantages of the defender.
What are the advantages of an attacker?
- He only has to find one vulnerability in his opponent’s defense. He doesn’t have to find all the vulnerabilities.
- He gets to decide how (how fast and how many), when, and where to attack.
What are the disadvantages of an attacker?
- He doesn’t know what to expect inside his opponent’s defenses.
- If his attack doesn’t succeed, he may not be able to defend himself or retreat. He is outside his safety zone.
What are the advantages of a defender?
- He is inside his safety zone.
- He knows his own defenses intimately because he built them himself.
What are the disadvantages of a defender?
- He has to defend against every possible vulnerability in his defenses. It only takes one vulnerability to permit a breach.
- He cannot choose how (how fast and how many) and when to defend. He needs to commit all of his resources all of the time.
Is there something about a human that makes him a better attacker than defender? Humans are analog creatures. Their thought processes are fuzzier than precise. They have limited attention spans and have trouble attending to details. When he is building his defenses, he’s more likely to say “whatever” than to inventory all his assets so that he might provide adequate protection where it’s needed. He’s not likely to take on a project that might last longer than a year, and the people making the decisions can’t be bothered with the details. As an attacker, a human only needs a long enough attention span to find one asset that’s inadequately protected and to hell with the consequences, and everyone knows that fuzzy favors the attacker, since almost only counts in horseshoes and hand grenades.