[ISN] Davidson: Lessons of warfare for IT security

InfoSec News isn at c4i.org
Wed Oct 19 03:03:24 EDT 2005


http://www.fcw.com/article91127-10-17-05-Web

By Mary Ann Davidson
Oct. 17, 2005 

As a security professional, I research the latest issues, threats and
hacking techniques. For pleasure, however, I read mostly military
history, which shapes my view of information security. As a result, I
offer the following lessons from military history for federal agency
information technology security professionals.

Most security professionals attempt to implement programs to defend
all access points because intruders need to find only one way in. But
because agency resources are finite, boundaries typically exceed
resources. To best apply limited resources to maximize defense
success, carefully select your turf.

Risk management approaches to security must move beyond identifying
and defending the most important assets to include an analysis of a
network's strategic points where intruders could attack.

Here are some IT security lessons from military history.


* Intelligence has value only if you act on it.

The Battle of Midway in June 1942 was arguably the turning point of
World War II in the Pacific. The victory hinged partly on U.S.
cryptanalysts breaking the JN25 naval cipher, which revealed that the
Japanese planned to attack Midway. Adm. Chester Nimitz, commander of
the U.S. Pacific Fleet, sent two carrier task forces to Midway to
ambush the Japanese Navy.

A second lesson is the hubris of assuming that enemies cannot break
ciphers and codes.

Security professionals have many means of defense at their disposal.
Through network mapping, they can determine the landscape of their
networks. Knowing how many systems are locked down and adequately
patched, they can assess their readiness. Using intrusion-detection
systems, they can know the types of probes the enemy has attempted.

But some organizations don't use or act on the intelligence they have.
Many turn off their auditing systems, fail to review the logs or
ignore alarms. A military parallel is Pearl Harbor, the attack in
which U.S. forces ignored a radar contact that showed the incoming
Japanese planes.


* Interior defensive perimeters are critical.

The network perimeter has disappeared as ubiquitous computing and
extranet access have surged. The model of hardened perimeters and
wide-open interiors is no longer adequate.

During the 1879 defense of Rorke's Drift in South Africa, about 150
British soldiers held off 4,000 Zulus by defending the inherently
indefensible. They created makeshift barricades from grain sacks and
biscuit boxes to secure the perimeter. They had fallback positions and
used them.

Security professionals can learn from this example. A network is not
defensible if attackers breach the perimeter and the rest of the
network is wide open.

Today, administrators segment networks with interior firewalls.
Tomorrow, networks may be able to create dynamic barriers in response
to worm and virus invasions.

Admirals and generals set strategies, but individuals who make
tactical decisions and take the initiative win battles. Every federal
agency employee has a responsibility to make IT security a priority.

Davidson is Oracle's chief security officer.
