I have often heard that if you are the target of a directed hacking campaign by

Question

I have often heard that if you are the target of a directed hacking campaign by say, a team of government hackers (whether Chinese, NSA, etc.), there is no way to prevent being hacked if they highly value the information they wish to retrieve.

If they're willing to throw their, for these purposes essentially unlimited (is that right?), resources into hacking your server specifically, then you're done. There is nothing you can do to stop them. Even country vs. country it is difficult, since the cost to defend against possible attacks is higher than the cost of developing successful attacks.

So, two questions:

1. Is it correct that targeted attacks from highly trained and well-funded hacking groups are practically impossible to defend against?

2. Is there a rule of thumb for what the cost to attack vs. cost to defend against an attack is? Is the cost to defend typically higher?

Explanation / Answer

The issue is that an attacker typically has unlimited time, and thereby has unlimited resources to eventually find a way in.

It's an error in logic to then conclude that they cannot be defended against. Of course you can defend, which increases the time it would take them. More important, then, is your ability to RESPOND to an attack, successful or unsuccessful. That's where you have the most important leverage.

As for cost/benefit ratios, it all depends on your organization and the value of the asset. That is something that only the asset owner can determine. Regarding what I said above, a part of that calculation is the response necessary if an attack is successful.

As an example, I always calculate the cost/benefit of no defense at all but simply to replace the targets quickly (data from backups, wipe and re-image workstations/servers, etc.) and then compare that to the loss of the asset. Then I calculate the costs of defending against the most likely threats and figure out the difference between the new situation and the 0-defense scenario. It really focuses the costs, efforts, and understanding of the threats and what can be done.

This kind of response is also a defense, and must be considered. In this way, there is always a way to respond to attacks. Instead of building bigger and thicker walls, treat your Info Sec defense more like an immune system.