
How would Sun Tzu defend computer systems? Poorly. A new era needs new thinking.

Summary: The theft of the Federal government’s personnel data has brought information security back to the front pages. With it come the usual cries of “off with their heads” for the guilty and promises of Total Information Security in the future, while the signal to noise ratio in the media drops towards zero. To help restore our sense of proportion, here’s an article from the past by two well-known experts discussing the difficulty of e-defense in the 21st century.

This is a follow-up to About the theft of the Federal government’s personnel records: sorting fact from fiction, another in a series about a new age of conflict in which the old ways no longer work. {1st of 2 posts today.}

“As we shall show, defense is a stronger form of fighting than attack. … I am convinced that the superiority of the defensive (if rightly understood) is very great, far greater than appears at first sight.”
— Clausewitz, On War, Book 1, Chapter 1



InfoSec, Sun Tzu & the Art of Whore

By Steve Tornio and Brian Martin.
At Attrition, 2 July 2010.

Posted with the authors’ permission.


Lately, you can’t swing a dead cat without hitting someone in InfoSecurity who is writing a blog post, participating in a panel or otherwise yammering on about what we can learn from Sun Tzu about Information Security. Sun Tzu lends the topic some gravitas and the speaker instantly benefits from the halo effect of Ancient Chinese Wisdom, but does Sun Tzu really have anything interesting to say about Information Security?

In The Art of War, Sun Tzu’s writing addressed a variety of military tactics, very few of which can truly be extrapolated into modern InfoSec practices. The parts that do apply aren’t terribly groundbreaking and may actually conflict with other tenets when artificially applied to InfoSec. Rather than accept that Tzu’s work is not relevant to modern day Infosec, people tend to force analogies and stretch comparisons to his work. These big leaps are professionals whoring themselves just to get in what seems like a cool reference and wise quote.

“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” {The Art of War}

This seems to make sense on its face. If you focus on making your systems and networks invulnerable to attack, then you don’t need to worry about attackers. So, on any modern network where people actually need to get work done, can you make systems invulnerable to attack? If not, does this particular advice tell us anything useful? Maybe Sun Tzu was trying to say that we need to spend more and more money on IPS/SIEM/firewalls/antivirus, even if we don’t see a particular need to upgrade or improve those areas.

Information security is not warfare (leaving aside actual warfare, of course). The bulk of security practitioners are working to protect private and public networks and do not strike back against any enemy.

Even penetration testers conduct their ‘battles’ within a limited scope, under supervision and governed by laws. A pen test is absolutely NOT knowing your enemy. Turning your own people, or agents you employ, against your own networks to test their security tells you nothing about your attacker. It is an exercise in better knowing your own strengths and weaknesses. It’s also not “thinking like your enemy.” If you can’t identify who your enemy is, you can’t think like him. All you can do is apply your own offensive techniques against your own position.

The only relevant application of Sun Tzu’s work today might be for the bad guy attacking a specific target.

Sun Tzu makes many statements about victory in war, none of which apply to InfoSec, since the war cannot be won. We don’t have one enemy, we have an inexhaustible supply of a wide variety of enemies, and most don’t even care who we are. Do you know your enemy? If you answer ‘yes’ to that question, you already lost the battle and the war. If you know some of your enemies, you are well on your way to understanding why Tzu’s teachings haven’t been relevant to InfoSec for over two decades.

Do you want to know your enemy? Fine, here you go. Your enemy may be any or all of the following:

What’s more, these enemies have our networks under siege, which Sun Tzu says is no way to win a war.

The rule is, not to besiege walled cities if it can possibly be avoided. The preparation of mantlets, movable shelters, and various implements of war, will take up three whole months; and the piling up of mounds over against the walls will take three months more.  {The Art of War}

Um, yeah. Sun Tzu’s not helping us here. How about that popular one about knowing your enemy?

Know your enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle.

But of course, there is no winning. You can take the time to try to know all the different kinds of attackers hitting your networks, but you can never claim victory. If we board up our windows against a hurricane, we don’t “win” if our homes and windows survive the storm.

It would make more sense for InfoSec practitioners to learn from hurricane or flood preparedness than Sun Tzu. For most of us, attacks on our networks are more like the constant and varied attacks from weather, and rather than try to wrap ourselves up in the glorious wisdom of Chinese philosophy and the excitement of some amorphous global “cyberwar”, we should probably focus on the mundane, boring details of maintaining and monitoring our networks. …


Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included. Custom graphics courtesy of Cupcake and Lyger.

About the authors

Brian Martin (edited from his LinkedIn profile), aka Jericho

Martin has been poking about the hacker/security scene for over 19 years. No degree, no certifications, just the willingness to say things many in this dismal industry are thinking but unwilling to say themselves. He founded attrition, and is a senior officer at the Open Security Foundation.

Steve Tornio

Steve has been active within the security community for the past 17 years, most prominently as a moderator for the Open Source Vulnerability Database (osvdb.org) and as a contributor to the Metasploit Framework. With Sunera, Steve has led war dial, wireless, network and web application vulnerability and penetration assessments with the specific goal of identifying and exploiting vulnerabilities. Prior to Sunera, Steve worked in the banking/finance sector as a network and security engineer, managing a team composed of network, systems and communications engineers providing 24×7 monitoring and response, technical support and documentation for a multinational capital management firm. Steve is a Certified Information Systems Security Professional (CISSP) and an Offensive Security Certified Professional (OSCP).
