• United States




Security lessons taught by goats

Oct 05, 20174 mins
Data and Information SecurityTechnology Industry

Trying to contain farm animals who are surprisingly creative and adept at getting around barriers has a lot to teach us about how to approach our efforts at protecting data from crafty users.

If I’ve learned anything in my two decades of working in the InfoSec industry, it’s that the practical application of securing data can be challenging. Every time I start to feel like I have a pretty good grasp on how to protect my data, something will occur that makes me realize how much a seemingly simple error can cause big problems.

I’ve found no better metaphor for these errors than my constant battle to keep our farm animals contained. In certain circles, it’s a common truism that “if your fence won’t hold water, it won’t hold a goat.” Many of us who’ve tried to protect data for and from humans will recognize this sentiment. Both critters and computer-users are astoundingly adept at going through barriers in creative and unexpected ways.

No matter how complex or how old the vulnerability is, patch it anyway

We became aware of a hole in our fence that was accessible only by entering a narrow alley that was protected by a gate, which was bungeed in place. Our goats had gotten stuck in this alley a couple of times, and it unnerved them so much that I figured they wouldn’t bother exploring it further. A few months later, one of the goats figured out that not only could he move the gate if the sheep offered “assistance” (read: head-butting the goat because he’s in the way), but if he stood up and turned the other way round, he could comfortably shimmy his way out of this hole.

While it might seem like this convoluted turn of events would be a one-time fluke, it happened twice in 12 hours. If the reward is sufficiently great, they will find a way.

While raising our first clutch of ducklings, I had read that you should wait a few months before clipping their flight wings. So we waited the recommended period of time, erring on the side of waiting a little longer just to be safe. Two days after the specified date, the ducks flew into the neighbor’s yard.

In retrospect, it seems obvious that I should have investigated further to see if there were a way to visually assess when they were ready. When a subject is new and sensitive, it can be tempting to just accept the word of experts without question or to draw incorrect conclusions based on mistaken assumptions. When you train users, or get training yourself, make sure that “why” is covered as well as “what”, “how” and “when”.

Risk assessment should be an ongoing task

One morning as I was feeding the chickens, I accidentally startled a hen. Her alarm calls unnerved a twitchy, young rooster, who flew towards the netting around their enclosure. I hadn’t realized that during the previous night a leaf had fallen onto the netting and created a gap between two sections that was just wide enough for him to fly out.

It doesn’t take much to make a change big enough to cause problems: by constantly monitoring our assets, we can help mitigate new risks.

Multiple defenses can balance security and functionality

It would be lovely if we just could let our animals roam as they please. But I have it on good authority from the local rabbits and deer that our neighbors’ roses are delicious, and that there are hungry predators nearby. As such, we deploy multiple levels of protection for the benefit of our critters and for the neighbors’ gardens, considering their relative level of risk and need.

The risk of predation is greatest at night, which is also when their need to roam (and our ability to supervise) is lowest, so we lock our beasties in secure enclosures before sunset. During the day, our critters have access to larger areas, but can still hide in their shelter if need be. Beyond that, our whole property is fenced in case they escape their individual enclosures. In each of the incidents I describe, no harm came to the critters because we had a series of barriers and alerts, so there was no one point of failure.

We also can’t underestimate the psychological angle: our animals all know where their safe areas are and will go there if they feel they are at risk. If they get out of those areas, they quickly get our attention and we put things right.

No matter whose statistics you use, you’ll find the majority of security breaches are due to human error. Those mistakes are often made by accident, not by malice. By understanding the risks, preparing for mishaps, and letting our users know they can come to us in times of trouble, we can make our workplaces safer for everyone.


Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all this change can be difficult for even the most tech-savvy users, she enjoys explaining security issues in an approachable manner for companies and consumers alike. Over the years, Myers has worked both within antivirus research labs, finding and analyzing new malware, and within the third-party testing industry to evaluate the effectiveness of security products. As a security researcher for ESET, she focuses on providing practical analysis and advice of security trends and events.

The opinions expressed in this blog are those of Lysa Myers and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.