In security, we talk about asymmetric attacks all the time. If you don’t know what that means, here’s an easy definition and some examples from the real world. We have to be careful not to conduct asymmetric attacks on ourselves, because frequently we inadvertently do just that.
An asymmetric attack is an attack that’s substantially more expensive to protect against than to launch. This makes them a common challenge in security.
My favorite asymmetric attack example: candy
Candy is my favorite real-world example of an asymmetric attack. It costs my kids’ grandparents a dollar to load them up with candy. The kids are happy, the grandparents are happy because they made the kids feel good, and everyone wins. But guess who wins even bigger? The dentist. It costs their grandparents a dollar to sugar up my kids, but it costs me $100 to fix a cavity.
It’s not all roses for the kids either. Getting a filling is a lot less fun than eating that candy bar was.
Asymmetric attacks on ourselves
My favorite example of conducting an asymmetric attack on ourselves is moving SSH off port 22. I’ve seen plenty of people recommend doing it, because it’s really easy to do, and they think it really slows down an attacker. They’re right that it’s easy to do, at least on a single system. They underestimate how much time it takes to do at scale. They also overestimate how much it slows down an attacker, and they underestimate the headache it causes your system administrators, who have to remember what random port you put SSH on. Sure, you could move it to port 222 or 2222 to make it easy to remember, but guess what the second and third ports are that attackers are going to try?
Anyone who can use Nmap can find your SSH service running on the nonstandard port in minutes. It took me three minutes to use Nmap to scan my entire /24. Since that’s probably less time than it takes to find the document that has the remapped ports in it, your sysadmins will likely resort to using Nmap to find your remapped SSH port. It wastes their time and frustrates them, contributing to burnout and turnover. All for a negligible security improvement.
And guess what? Any attacker is going to use Nmap to find your systems running SSH, since they probably don’t have a map of your network and even if they do, they don’t believe it. So you’re just forcing your attacker to do something they were going to do anyway. Nmap is something we all brag about knowing how to use on Linkedin, but if that impresses you, it shouldn’t. I’m more impressed if someone can use the vi text editor.
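The operational cost described above is the gap between the port-remapping document and what is actually listening. The following is an added example, not code from the original post: it parses Nmap’s grepable (-oG) output from an authorized scan of your own range, lists SSH services that are not on port 22, and reconciles them against the documented mapping so the sysadmin does not have to. The scan text and the documented host-to-port map are constructed samples for illustration.

```python
from dataclasses import dataclass

# Constructed sample of nmap grepable (-oG) output for a range you administer;
# not real scan data. Fields are tab-separated: Host, Ports, Ignored State.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.0.2.0/28   (constructed sample)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2 (protocol 2.0)/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tPorts: 2222/open/tcp//ssh//OpenSSH 9.2 (protocol 2.0)/\tIgnored State: filtered (999)
Host: 192.0.2.12 ()\tPorts: 8022/open/tcp//ssh//Dropbear sshd/\tIgnored State: closed (999)
Host: 192.0.2.13 ()\tPorts: 80/open/tcp//http//Apache httpd/\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

# Constructed stand-in for "the document that has the remapped ports in it":
# host -> the SSH port the sysadmins believe it listens on.
DOCUMENTED_SSH_PORTS = {
    "192.0.2.10": 22,
    "192.0.2.11": 2222,
    "192.0.2.12": 2222,  # documented wrong on purpose: the scan shows 8022
}


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str
    version: str


def parse_gnmap(text):
    """Parse nmap -oG output into Service records, keeping only open ports.

    Each port entry is port/state/protocol/owner/service/rpcinfo/version/.
    """
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # drop the "(hostname)" part
        ports = fields.get("Ports")
        if not ports:  # host line with no Ports field (e.g. all ports filtered)
            continue
        for entry in ports.split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, name, _rpc, version = parts[:7]
            if state == "open":
                services.append(Service(host, int(port), proto, name, version))
    return services


def nonstandard_ssh(services, standard_port=22):
    """Return {host: [ports]} for hosts with SSH on something other than the standard port."""
    found = {}
    for s in services:
        if s.name == "ssh" and s.port != standard_port:
            found.setdefault(s.host, []).append(s.port)
    return {host: sorted(ports) for host, ports in found.items()}


def inventory_drift(services, documented):
    """Reconcile observed SSH ports against the documented host -> port mapping.

    Returns (undocumented, stale): SSH ports the document does not list for a
    host, and documented entries the scan did not confirm.
    """
    observed = {}
    for s in services:
        if s.name == "ssh":
            observed.setdefault(s.host, set()).add(s.port)
    undocumented = {}
    for host, ports in observed.items():
        extra = ports - {documented.get(host)}
        if extra:
            undocumented[host] = sorted(extra)
    stale = {host: port for host, port in documented.items()
             if port not in observed.get(host, set())}
    return undocumented, stale


if __name__ == "__main__":
    svcs = parse_gnmap(SAMPLE_GNMAP)
    print("SSH off port 22:", nonstandard_ssh(svcs))
    undoc, stale = inventory_drift(svcs, DOCUMENTED_SSH_PORTS)
    print("Not in the port document:", undoc)
    print("Documented but not observed:", stale)
```

Run against a real -oG file of your own network instead of the constructed sample and the two dictionaries from inventory_drift are the maintenance burden the post is talking about: every entry is either a host someone remapped without updating the document, or a document entry that is now wrong.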
And if you think it’s a compensating control in your external space, let me introduce you to this thing called Shodan.
Let’s have a word about Nmap. Is it an example?
I could even argue that Nmap itself is an example of an asymmetric attack. Nmap is nowhere near as big and mysterious and difficult as people make it out to be. You can get a GUI version for Windows that makes it completely pointy and clicky. You don’t have to get access to a Unix or Linux host and know your way around Unix to use it. But even if all you have to work with is a command line, two minutes worth of web searches will give you a nice cheatsheet that tells you all you need to know to use it competently. And in a matter of minutes, the attacker has a better network map than you probably do.
But look at all the things we do to protect against Nmap. We spend thousands of dollars per year closing unnecessary ports, thousands of dollars on security awareness training to teach our users how to make good passwords, and thousands more enforcing that password policy. All to protect ourselves from a tool that’s slightly harder to learn to use than a hammer.
Also, it’s important to remember that Nmap isn’t inherently a malicious tool. It’s all about intent. I own a crowbar. I bought it when I had to tear out a water-damaged basement. Thieves use crowbars too, but crowbars are only malicious when they’re being used to commit crimes. Tearing out water damage before mold could set in is good. Nmap is the same way.