Editorial, By Brian Boyko
Editor, Network Performance Daily
Sun Tzu once wrote that “the general is skillful in attack whose opponent does not know what to defend.”
Last June, the Chinese military hacked into the Pentagon and U.K. military computers. This fueled speculation that the next major conflagration (not that any of the current conflagrations aren’t major) will be fought with information warfare. Couple that with yesterday’s anniversary of the gruesome attacks six years ago and the general fear of the unknown (except for a smart few, computer hacking qualifies as “the unknown”), and you start to deal with fear. Fear of China shutting down military defenses. Fear of a terrorist network intentionally disrupting the computer infrastructure behind the U.S. economy.
I’ve never liked fear. Fear can lead you to stupid conclusions. Fear can lead you to bad decisions. Fear is the mind-killer. Fear is the little-death that brings total obliteration.
So, how do you deal with fear? First of all, you “know yourself and know the enemy.”
Battlefield advantage can be found by destabilizing a military computer, it’s true, but military computers are well defended with the near infinite resources, manpower, and budget of the Dept. of Defense. If someone – whether a large state or rogue group – were to attack, they would probably choose targets which would do the most damage with the least effort and risk. Those might be corporate systems.
While it is impossible to predict what a terrorist will do – because there are many different types of terrorists with different motivations even within the same terror group – it is possible to anticipate what a rational attacker would do. Ts’ao Kung said that an effective attacker “Emerges from the void, strikes at vulnerable points, shuns places that are defended, attacks in unexpected quarters.”
Corporate systems do not have the nearly unlimited resources of the U.S. military to ensure computer security. The U.S. military doesn’t care about controlling costs and cutting corners to preserve a profit margin, while every company is tasked with improving the bottom line first and foremost. Sure, security is important, but each dollar spent on computer security is an expense without return. It is an insurance policy against attack. It is a bet that you do not want to win, but which you cannot afford to lose.
What this means, soberly, is that a determined attacker whose main focus is crippling a business system can throw more of its resources at the attack, while the business, whose main focus is not defending against attack but rather making money, can’t throw all of its resources at defense.
Since the resources of companies are much more limited than the resources of the attacker, defense needs to be extremely efficient. The one advantage here is that companies are on defensive ground. So use that to your advantage – know your network inside and out. Take good baselines, know what’s on your network, and use traffic analysis and anomaly detection software to find out when there is unusual behavior or rogue traffic on your network, and to get early warning if you’re being attacked. Doing this counters the attacker’s advantage of “emerging from the void.”
Sun Tzu also wrote that “if victory is long in coming, then men’s weapons will grow dull and their ardor will be damped. If you lay siege to a town, you will exhaust your strength.” Perhaps your company, with fewer resources, might not have the ability to completely fend off a determined attacker, but you can certainly do your best to choose the type of battle, and no hacker wants to get caught in a protracted siege. Each minute of a siege increases the risk to the attacker of being detected and thwarted.
In the end, the important thing is preparation without panic. Get the data. Assess the risks. Act from a position of knowledge, not from a position of fear.


