How would Sun Tzu defend computer systems? Poorly. A new era needs new thinking.

Summary:  The theft of the Federal government’s personnel data has brought information security back to the front pages. Along with the usual cries of “off with their heads” for the guilty and promises of Total Information Security in the future, as the signal to noise ratio in the media drops towards zero. To help restore our sense of proportion, here’s an article from the past by two well-known experts discussing the difficulty of e-defense in the 21st century.

This is a follow-up to About the theft of the Federal government’s personnel records: sorting fact from fiction, another in a series about a new age of conflict in which the old ways no longer work.  {1st of 2 posts today.}

“As we shall show, defense is a stronger form of fighting than attack. … I am convinced that the superiority of the defensive (if rightly understood) is very great, far greater than appears at first sight.”
— Clausewitz, On War, Book 1, Chapter 1

 

“InfoSec, Sun Tzu
& the Art of Whore“

By Steve Tornio and Brian Martin.
At Attrition, 2 July 2010.

Posted with the authors’ permission.

 

Lately, you can’t swing a dead cat without hitting someone in InfoSecurity who is writing a blog post, participating in a panel or otherwise yammering on about what we can learn from Sun Tzu about Information Security. Sun Tzu lends the topic some gravitas and the speaker instantly benefits from the halo effect of Ancient Chinese Wisdom, but does Sun Tzu really have anything interesting to say about Information Security?

In The Art of War, Sun Tzu’s writing addressed a variety of military tactics, very few of which can truly be extrapolated into modern InfoSec practices. The parts that do apply aren’t terribly groundbreaking and may actually conflict with other tenets when artificially applied to InfoSec. Rather than accept that Tzu’s work is not relevant to modern day Infosec, people tend to force analogies and stretch comparisons to his work. These big leaps are professionals whoring themselves just to get in what seems like a cool reference and wise quote.

“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”  { The Art of War}

This seems to make sense on its face. If you focus on making your systems and networks invulnerable to attack, then you don’t need to worry about attackers. So, on any modern network where people actually need to get work done, can you make systems invulnerable to attack? If not, does this particular advice tell us anything useful? Maybe Sun Tzu was trying to say that we need to spend more and more money on IPS/SIEM/firewalls/antivirus, even if we don’t see a particular need to upgrade or improve those areas.

Information security is not warfare (leaving aside actual warfare, of course). The bulk of security practitioners are working to protect private and public networks and do not strike back against any enemy.

Even penetration testers conduct their ‘battles’ within a limited scope, under supervision and governed by laws. A pen test is absolutely NOT knowing your enemy. Turning your own people, or agents you employ, against your own networks to test their security tells you nothing about your attacker. It is an exercise in better knowing your own strengths and weaknesses. It’s also not “thinking like your enemy.” If you can’t identify who your enemy is, you can’t think like him. All you can do is apply your own offensive techniques against your own position.

The only application of Sun Tzu’s work today might be relevant for the bad guy attacking a specific target.

Sun Tzu makes many statements about victory in war, none of which apply to InfoSec, since the war cannot be won. We don’t have one enemy, we have an inexhaustible supply of a wide variety of enemies, and most don’t even care who we are. Do you know your enemy? If you answer ‘yes’ to that question, you already lost the battle and the war. If you know some of your enemies, you are well on your way to understanding why Tzu’s teachings haven’t been relevant to InfoSec for over two decades.

Do you want to know your enemy? Fine, here you go. your enemy may be any or all of the following:

• 12 year/old student in Ohio learning computers in middle school.
• 13 y/o home-schooled girl getting bored with social networks.
• 15 y/o kid in Brazil that joined a defacement group.
• 16 y/o student in Tokyo, learning programming in high school.
• 18 y/o high school drop out in the Ukraine.
• 19 y/o college student putting class work into practice.
• 20 y/o Taco Bell employee bored with the daily grind.
• 21 y/o man in Mali working for an international carding ring.
• 23 y/o mother in Poland, trying to supplement income.
• 24 y/o black hat intent on compromising any company encountered.
• 25 y/o soldier in the North Korean army.
• 26 y/o military contractor in Iraq.
• 28 y/o Chinese government employee, soon to be mother.
• 29 y/o vegan in Oregon who firmly believes in political hacktivism.
• 30 y/o white hat pen tester who has not let go of her black hat origins.
• 31 y/o security researcher who finds vulnerabilities on live sites.
• 32 y/o alchoholic in New Zealand, with nothing to lose.
• 34 y/o employee who sees a target of opportunity.
• 35 y/o officer in MI6.
• 36 y/o “consulate attache” that may be FSB.
• 40 y/o disgruntled admin, passed over for raise 5 years in a row.
• 42 y/o private investigator looking for dirt on your CEO.
• 43 y/o malware author, paid per compromised host.
• 45 y/o member of a terrorist group.
• 55 y/o corporate intelligence consultant.

What’s more, these enemies have our networks under siege, which Sun Tzu says is no way to win a war.

The rule is, not to besiege walled cities if it can possibly be avoided. The preparation of mantlets, movable shelters, and various implements of war, will take up three whole months; and the piling up of mounds over against the walls will take three months more.  {The Art of War}

Um, yeah. Sun Tzu’s not helping us here. How about that popular one about knowing your enemy?

Know your enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.

But of course, there is no winning. You can take the time to try to know all the different kinds of attackers hitting your networks, but you can never claim victory. If we board up our windows against a hurricane, we don’t “win” if our homes and windows survive the storm.

It would make more sense for InfoSec practitioners to learn from hurricane or flood preparedness than Sun Tzu. For most of us, attacks on our networks are more like the constant and varied attacks from weather, and rather than try to wrap ourselves up in the glorious wisdom of Chinese philosophy and the excitement of some amorphous global “cyberwar”, we should probably focus on the mundane, boring details of maintaining and monitoring our networks. …

————————  Click here to read the rest  ————————

Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included. Custom graphics courtesy of Cupcake and Lyger.

About the authors

Brian Martin (edited from his LinkedIn profile), aka Jericho

Martin has been poking about the hacker/security scene for over 19 years. No degree, no certifications, just the willingness to say things many in this dismal industry are thinking but unwilling to say themselves. He founded attrition, and is a senior officer at the Open Security Foundation.

Steve Tornio

Steve has been active within the security community for the past 17 years, most prominently as a moderator for the Open Source Vulnerability Database (osvdb.org) and as a contributor to the Metasploit Framework. With Sunera, Steve has led war dial, wireless, network and web application vulnerability and penetration assessments with the specific goal of identifying and exploiting vulnerabilities. Prior to Sunera, Steve worked in the banking/finance sector as a network and security engineer, managing a team composed of network, systems and communications engineers providing 24×7 monitoring and response, technical support and documentation for a multinational capital management firm. Steve is a Certified Information Systems Security Professional (CISSP) and an Offensive Security Certified Professional (OSCP).

For More Information

If you liked this post, like us on Facebook and follow us on Twitter. See all posts about Cyber-espionage and Cyber-war! , especially these

• Parsing Cyberwar: The Best Defense is a Good Defense, by Marcus Ranum.
• The Best Defense Is a Strong Defense. Never Fight a Land War in Cyberspace, by Marcus Ranum.
• Cybercrime: Now More Profitable Than The Drug Trade. by Irfahn Khimji and David Bisson.

To learn more about this vital subject, here are some useful books:

• Kevin Mitnick’s Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker,
• Andy Greenberg’s This Machine Kills Secrets: How WikiLeakers, Cypherpunks, and Hacktivists Aim to Free the World’s Information,
• Brian Krebs’ Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door.
• Kim Zetter’s Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, describing the new era of war and preparing you for the next attack (see a review here).