What the Mongols Can Teach Us About Cyber Security

In the 1200s, the Mongols, led by Genghis Khan, attacked and pillaged hundreds of cities in their raids across the steppes of Central Asia. These cities were attacked multiple times over a period of years, each time failing to adequately prepare for the next attack. History repeats itself because the mindset of these city rulers was similar to that of modern-day business owners in their relationship to hackers. These shared beliefs include:

  • Believing they are too big and powerful to be attacked.
  • Quickly forgetting the devastation of the most recent attack and doing nothing to prepare for the future.
  • Preparing for future attacks but not properly vetting their allies.
  • Preparing for future attacks but losing due to holes in their defenses that more nimble attackers could exploit.

Case in point: Sony Pictures’s cyber attack in 2014.

Just three years prior to the devastating 2014 online security breach at Sony Pictures, there was a massive attack on Sony’s PlayStation platform. At the time, critics said that Sony was arrogant and believed its system was flawless. Unfortunately, the truth is that Fortune 500 companies are far from invincible, and prominent businesses make highly attractive targets. One wonders what security lessons have been learned and implemented by Sony this time around.

Sony says studio hack cost it $15 million in fiscal third quarter
– Los Angeles Times

In 1240, the king of Hungary was worried about the Mongol threat. He begged the papacy and other Western European rulers for help to defend his kingdom. Finally, he formed an alliance with the Cumans, nomad warriors of the Eurasian steppes, who were also sworn enemies of the Mongols. Due to infighting between Hungarian groups and the Cumans, the Cumans rebelled, leaving the Hungarians defenseless against the Mongols, who swept down and handily defeated them.

In our modern era, there are thousands of MSSPs (Managed Security Service Providers) who want to become your online security ally. The landscape is complex and confusing to most business leaders, making it hard, yet crucial, to select a security partner. The right combination of alliances is critical to ensure that your data will be safe across your enterprise. It’s important to understand that attacks can come from a variety of areas, such as email, careless employees, software vendors, external networks, etc. These various issues should be factored into any security strategy.

Case in point: Home Depot and Target were both impacted by similar versions of malware.

Malware is malicious software implanted in a website or software application that can disrupt computer operation, gather sensitive information and gain access to private computer systems. The Target attack in 2014 exposed 40 million debit and credit card accounts.

The Mongols were experts at inserting spies into foreign populations in order to understand them better and take advantage of weaknesses. The Mongols created a “Yam” system that served as a rapid communication network. When important news and events happened, the news traveled at the high speed of 200-300 miles per day directly to Genghis Khan, who could exploit it to deliver blows to his enemies. A comment by “JJ” at the popular Krebs Security blog said this about the Target attack:

“2 days after a major breach, the “secured” checkout server of Home Depot website failed a very basic, ancient PCI compliance test – SSL V2 and weak ciphers.”

The key to defense is not ignoring the past and deluding yourself into believing that it won’t recur. Businesses must shore up defenses with vetted security technology, getting outside of an IT-centric approach to include things like HR processes that are also vulnerable areas of exploitation. There is no reason why an aware enterprise can’t protect itself from attacks with a holistic approach to corporate security that incorporates lessons learned from the misfortunes of others.

If you’d like to listen to some fascinating podcasts about the Mongols, I strongly recommend Dan Carlin’s Wrath of the Khans.

by Richard Parr
Posted: May 13, 2015