InfoSec Blog - Information Security Offense and Defense: Which side are you on?



July 10, 2017

In general, offense is easier than defense.  This is true in many sports; defensive players have to cover all the bases, while offense players just have to find one weakness to exploit. Terrorists use this unfortunate imbalance to wreak havoc among innocent citizens not in a position to defend themselves.  The disparity between attack and defense was true for medieval castles as well. Their defenses included moats, drawbridges, guards, gatehouses, tall walls, and intelligence gathering.  When an attacker figured out a new weakness – such as roofs vulnerable to flaming arrows, they responded by covering roofs with slate tiles instead of straw. To give attacking intruders fewer advantages castle builders designed stairs to be narrow, clockwise, and with uneven steps. (1)  But the defenses had to be complete. All the roofs had to be slate; the wall could have no breeches; the moat no dams, etc.   In addition, in the event of an attack, everyone jumped on board with the defensive measures.

Information Security has similar challenges. A criminal only has to get a “foot in the door”, i.e. control of an infected computer or access to a compromised account, which they can then use to leverage access to more information resources. However, in analogy with the castle, defenses have to be comprehensive. We cannot leave large undefended holes.  In the sports analogy, we have to be tough to play against. On top of all that, breaking the sports and castles analogy, our attackers do not have be present; they can attack from anywhere in the world where there is an internet connection. Nevertheless, rather than despairing about the mismatch, there is a lot we can do. Here are some examples:


What the University is doing on both defense and offense:

  • The University has a growing number of defenses to help keep you feeling safe. Without giving too much detail, these include firewalls, threat detection, security incident alerting, private (not directly exposed to the internet) networks, and proactive workstation and server protection.
  • The University actively monitors for external attacks, partners with some external monitoring agencies for monitoring, and has a good incident response mechanism.
  • The University has some good data protection policies and processes.
  • Central servers, data warehouses, and other services with private information or security needs make their home in a protected data center.
  • Offensively, the University monitors for vulnerabilities weekly and runs internal or external “penetration tests”, essentially authorized attacks to see where we need to shore up our defenses.


What you can do as part of the defense team:

  • Maintain awareness of and abide by campus policies, such as the Acceptable Use Policy.
  • Maintain your accounts, access, and computing devices in a secure manner.
  • Report any Security Incidents or Privacy breaches to the appropriate area. (2)
  • Educate yourself by taking the Security Awareness Course (about 70 minutes) and the Ransomware module (about 7 minutes) on CourseLink.
  • Take a Phishing Quiz. Do not be ashamed if you get some wrong; use it as a learning opportunity.
  • Take a few minutes and browse the other resources at


Brave New World

A few words about the Information Security future. The widespread connection of ‘everything’ to the internet is still recent in the greater scheme of things. The reason castles are still an appropriate analogy is that information security defense is still an organizational and individual responsibility. This likely will change, as more hacking originates within criminal enterprises and as law-enforcement increasingly cooperates internationally to catch the criminal kingpins responsible for the attacks. It will also change as nations increasingly deploy full-featured defensive solutions to help keep us safe, while honouring our privacies. However, until this more civilized approach becomes the norm, we do need to be vigilant as an institution and as individuals.


Written by: Gerrit Bos (IT Security Officer, CCS Information Security)
Image Source: Wikimedia Commons



  1. A fascinating description here:
  2. These three bullet items are detailed in our “Roles and Responsibilities for IT Security” policy.