As a security professional, I spend a fair bit of time keeping up on the latest issues, threats, hacking techniques and so on. For pleasure I read mostly military history, which has had a marked impact on my view of information security. I modestly offer a few lessons from military history for the IT security professional. I am leaving aside the general area of information warfare, except to note that there is a military subspecialty focused on the defence (and attack) of information systems. I also note that many approaches to information security are focused on risk management rather than the “attacker/defender” constructs of warfare.
■“He who defends everything defends nothing.” – Frederick II of Prussia.
Many security professionals believe they have to defend all access points to the network while the bad guys have to find only a single way in. However, resources are finite and boundaries often exceed resources. Trying to plug every hole prompts the question: “What is worthy of defence, why, and against what threats?” To apply finite resources to maximum defence, you need to pick your turf.
One of the security teams I work with thought I was insane when I asked them how US marines took Guadalcanal in the Pacific Ocean in 1942/43. I gave them a blow-by-blow description of the battlefor Guadalcanal: how the marines took and held the airstrip against persistent attacks. Hold the airstrip; hold the island. The airstrip was strategic because of the ability to mount an air defence from it, making the field a virtual aircraft carrier. The team got the relevance to our product strategy.
Even a risk management approach to security needs to include not only the most important assets to defend, but an analysis of the “strategic points of the network” that enable beachheads by attackers or a dominant position by defenders.
■Intelligence has value only if you act upon it.
The battle of Midway in June 1942 was arguably the turning point of the Pacific war. The victory hinged in part on intelligence that the Japanese were going to attack Midway, gleaned by the US breaking the JN25 naval cipher. having Admiral Nimitz, the US commander, sent two carrier task forces to Midway to ambush the Japanese navy. (A second lesson is the hubris of assuming ciphers and codes are incapable of being broken.)
Security professionals have many means at their disposal to determine the “landscape” of their networks (through network mapping), their state of readiness (whether systems are locked down and adequately patched) and the types of probes being attempted (through intrusion detection systems).In short, there is “network intelligence” available to them, if they choose to use it.
But some organisations neither use the intelligence they have nor act on it; for example, manyrganizations turn off auditing, or never review the logs they collect, or they deploy intrusion detection systems but ignore the alarms. (A military example is, alas, Pearl Harbour where radar picked up the incoming Japanese planes but was ignored.)
■The importance of interior defensive perimeters
One of the truisms of the security landscape is the disappearance of the network perimeter through “ubiquitous computing” and increased extranet access. The model of hardened perimeter and wide-open interior no longer applies.
I recently talked to a start-up claiming to prevent the spread of worms and viruses inside the network. As they attempted to articulate what they did I said: “You don’t know what you do. I can tell you. You build dynamic network redoubts.” I described the defence of Rorke’s Drift in South Africa in 1879 where 150-odd British soldiers held off 4,000 Zulus by defending the inherently indefensible: they created both a defensive perimeter and interior makeshift redoubts (barricades) from sacks of grain and biscuit boxes. They had fallback positions and used them. A large defensive perimeter is not defensible if it is breached, because the rest of the network is wide open. Today administrators segment networks with interior firewalls. Tomorrow the network may be able to create dynamic redoubts in response to intrusion or worm and virus invasion.
The military routinely conducts war games. One reason we (and other companies) have an ethical hacking team is to break our own products and networks before the bad guys do. The “attacker/defender” model helps us build better security and the “attacker knowledge” is codified in secure coding standards and training to “think like a hacker”.
Finally, a lesson of military history is the power of individuals to shape it. In the battle of Midway, Lieutenant Commander Wade McCluskey’s decision to search beyond the range of his SBD aircraft (“following a hunch”) led to his finding the Japanese carriers with their aircraft on deck, fully fuelled and loaded. As a result, the US Navy set three Japanese carriers on fire in six minutes, and Japan never recovered from the loss. Strategies are set by admirals and generals, but battles can be and are won by individual tactical decisions and initiative.
Mary Ann Davidson is Oracle’s chief security officer