Christmas Turkeys and Cyber Security Aren't That Dissimilar

by Nigel, on 03/12/2018 12:56:00 PM

What Brush Turkeys Have Taught Me About Information Security

It is that time of year again when a male brush turkey has made my backyard his home, tearing apart vegetation to make his nesting mound. While this is a source of frustration, on the positive side, it has given me new ways to think about information security.

Adult male (foreground) and female (background) wild turkeys (binomial name Meleagris gallopavo) crossing a grassy area in opposite directions, Warrenville, Illinois, in spring (foreground focus)

When the brush turkey first invaded my backyard, I would run at it with my arms flailing in the air to scare it away. While this is effective in the short term, the turkey would simply wait till I went away and then return; after all, he didn’t have to go to work so what else was he going to do? Cyber criminals also have a habit of returning as soon as they are able. It is their job to get your information so they are highly motivated and won’t give up very easily. You can’t be there 24 hours a day to protect your network and this is why technical controls such as firewalls and the use of automated systems, as described below, are essential for round-the-clock security.

Both brush turkeys and cyber attackers like to keep their respective activities from being out in the open where they can be seen. Clearing away overhanging vegetation will discourage a brush turkey while monitoring, logging and alerting systems will help detect attackers. It is important to note that it is not sufficient to simply generate an alert, a person needs to investigate an alert for it to provide any value.

Receding pattern of chain-link fence (shallow depth of field), for themes of dependability, safety, protection, and transparencyBrush turkey nests are made from vegetation and ground litter that accumulates throughout the year. If these leaves and twigs are removed, the turkey is discouraged from nesting in a yard because there is nothing of value there. Similarly for your information security, clearing away things of value means less damage will be done if you are compromised. Information including business secrets and personal information are of obvious value so these should be deleted if no longer needed. However, your computers themselves are valuable too as they can be used in spam botnets or for mining Bitcoin. Hardening and patching your computers, both workstations and servers, will reduce your level of risk.


Another way to reduce the damage caused by an intruder is to put up barriers. I have used heavy branches and logs to make it difficult for the turkey to extend its nest-making activities to the entire yard while a similar principle can be applied to your IT system. Network segmentation through the use of LANs, internal firewalls and traffic flow control will mean that if one part of your network is compromised, the attacker does not automatically get access to your entire network. Limiting each server to a single function, e.g. using separate machines for web applications and databases, means that compromise of one server does not mean compromise of many servers. Reducing the number of functions a computer provides also allows you to remove more software, reducing its attack surface.

Despite my efforts, the brush turkey ended up winning: he found love and now a cute brush turkey chick roams around our yard. Unfortunately, a cyber attacker is unlikely to be so benign and could easily end up causing catastrophic damage to your organisation in the form of a data beach, damaged systems or reputational damage. Implement some good network security and keep the attackers out of your back yard.

Topics:InsiderRed TeamingRisk Assessment


Finally, an actionable blog

The purpose of this blog is to make available the real-world lessons, experience, observations and mistakes that are part of the daily life of a group of cyber security professionals.

Read about:

  • What mistakes organisations are making (anonymously of course!)
  • What effective actions are available to quickly and economically achieve effective protection (without buying new kit)
  • Trends we're seeing, via our incident response and forensic investigation capabilities
  • And sometimes, just frustrations about what is wrong with cyber :|

Subscribe to Updates