Skip to content ↓ | Skip to navigation ↓

A wise man once said, “Even jest has a root in truth.”

Thankfully, information security professionals have a good sense of humor. I saw a great tweet that got me thinking:

What are some things we can learn from fish and reptiles that we can apply to information security?

Building a Scalable System

shutterstock_81615112Business and schools of fish are a lot alike. They can grow fairly quickly. As such, the information security team needs to be able to scale to meet the requirements of the organization. As the business acquires assets, the information security team needs to have enough resources to protect those assets.

Integrating a Security Ecosystem

One of the primary ways fish defend against predators is by traveling in schools. They use safety in numbers to help each other out. The fish near the edge of the school serve as lookouts to alert the rest of the school of any threats, predators or suspicious activity.

As soon as danger is detected, the school is warned to take evasive action. As soon as an authorized change is detected, the entire school can swiftly take evasive action. Similarly, in information security we should all work together as a community to alert each other when new threats are identified.

We do a good job of this today with social media, conferences, etc. Where we generally fall short is being able to maneuver evasively when a threat is detected. Many organizations lack the detective controls necessary to catch the unauthorized change activity of an intruder. This prevents the information security team from swiftly denying further penetration of the intruder.

Hardening The System

Reptiles are a great example of system hardening. They often have a thick skin or a thick shell (one they don’t let others get into!) to protect themselves from attackers. Similarly, in information security, we need to harden our systems to prevent attackers from invading our networks.

Systems with default configurations are very easy for an attacker to navigate. Hardening a system involves changing the default configurations to a more secure state.

One more area of concern for information security professionals in this section is called “configuration drift.” Systems when deployed may have a secure configuration, but how do we still know that over time the configuration isn’t changing to a non-secure state?

Information Security teams should have controls deployed to monitor for configuration drift and ensure the systems are compliant with the company’s information security polices throughout their life cycle.


Another great way both fish and reptiles hide from their attackers is through camouflaging themselves into their surroundings. Predators may be looking right at them, but won’t even notice that they are there. Data encryption is great way to mitigate data theft that is both in transit and at rest.

Of course, the encryption algorithms need to be implemented correctly (which we will leave for another post).


shutterstock_81313780When attacked, many fish have some sort of defense mechanism. Some are quick to flee, while some burrow into holes in the ground. Some prefer an offensive type of defense with spikes or poison. They wouldn’t make for a very tasty meal and attackers are definitely deterred when looking at them.

As information security professionals, we can ensure that our attack surface is limited by remediating vulnerabilities within our environments. Once we have control over our attack surface, we can deploy things like honeypots or other countermeasures so that attackers don’t look at our systems as a tasty meal anymore. Even if they come in for a bite, the effect won’t be as pleasurable!


On the other hand, many crustaceans have an outer shell that they shed every so often. They outgrow their shell and lose mobility. Similarly, businesses tend to outgrow themselves and lose their mobility.

I don’t know about wildlife, but in information security, leaving your shell out in the open is a great way to get hacked!


Related Articles:



picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

Images courtesy of ShutterStock