I just finished up this great book The Art of War, by Sun Tzu. There are many different versions; the one I read was “The Art of War for Managers; 50 Strategic Rules”. I wanted to share some quotes from Sun Tzu and how I think they tie to Information Security.
Quote: The skilful General does not raise a second levy, neither are his supply wagons loaded more than twice. Once war is declared he will not waste precious time in waiting for reinforcements, nor will he turn his army back for fresh supplies, but crosses the enemy’s frontier without delay.
My Thoughts: Assuming that organizations have their planning right, they will be prepared for a wide range of attack vectors. However, the attacks will be distributed, unannounced and rapid. So it is important that organizations balance the effort put into repelling attacks against the outcome the organization needs.
Some of the attacks will be unexpected, so organizations must assume that some of their security standards may fail as a result. If the whole premise of survival is only defense, and the organization therefore relies on the cyber equivalent of holding the proverbial City walls, there are really only two probable outcomes: the walls hold and their position is sustained, or the walls collapse and they are overrun.
Most of the advice I have read on approaches to cyber-security commonly says that, when attacked, organizations should not break the law themselves in responding to the attack. This advice could be construed as only allowing the holding of the City wall. So maybe it is time that organizations actively discuss responses to cyber-attack that are not just defense but are active or offensive.
Quote: The experienced soldier, once in motion, is never bewildered; once he has broken camp, he is never at a loss. Hence the saying: If you know your enemy and you know yourself, your victory will not stand in doubt; if you know heaven and know earth, you make your victory complete.
My Thoughts: Security attacks are executed across a very broad range of terrain, including hardware platforms, operating systems, networks, communications protocols and applications. If organizations are not aware of all aspects of their critical systems, they may be disorientated when responding to security incidents.
Many organizations use outsourcing to effectively manage and run much of the organization’s “terrain”. The nature of their contractual agreements and service level agreements may not cover their roles and responsibilities in dealing with security attacks. For example, some organizations have experienced a situation in which their outsourcing partner agreed to a set of availability targets and, during a security attack, had to continually delete firewall logs to keep the firewalls online and to meet the organization’s availability target.
The impact of this action was to destroy a critical piece of evidence needed first to identify the attacker and then to prosecute them. In an increasingly outsourced world, organizations must make special efforts to ensure that they know the full extent of their terrain.
Quote: Knowledge of the enemy’s disposition can only be obtained from other men. Knowledge of the spirit world is to be obtained by divination; information in natural science may be sought by inductive reasoning; the laws of the universe can be verified by mathematical calculation; but the dispositions of the enemy are ascertainable through spies and spies alone.
My Thoughts: The cyber equivalent of spies is covert malware like Trojans and rootkits. The popularity of this type of code in spam attachments and on infected websites