Davidson: Lessons of warfare for IT security
To best apply limited resources to maximize defense success, carefully select your turf
- By Mary Ann Davidson
- Oct 17, 2005
As a security professional, I research the latest issues, threats and hacking techniques. For pleasure, however, I read mostly military history, which shapes my view of information security. As a result, I offer the following lessons from military history for federal agency information technology security professionals.
Most security professionals attempt to implement programs to defend all access points because intruders need to find only one way in. But because agency resources are finite, boundaries typically exceed resources. To best apply limited resources to maximize defense success, carefully select your turf.
Risk management approaches to security must move beyond identifying and defending the most important assets
to include an analysis of a network's strategic points where intruders could attack.
Here are some IT security lessons from military history.
Intelligence has value only if you act on it.
The Battle of Midway in June 1942 was arguably the turning point of World War II in the Pacific rim. The victory hinged partly on U.S. code crackers' breaking JN25 naval cipher to learn that the Japanese planned to attack Midway. Adm. Chester Nimitz, commander of the U.S. Pacific fleet, sent two carrier task forces to Midway to ambush the Japanese Navy.
A second lesson is the hubris of assuming that enemies cannot break ciphers and codes.
Security professionals have many means of defense at their disposal. Through network mapping, they can determine the landscape of their networks. Knowing how many systems are locked down and adequately patched, they can assess their readiness. Using intrusion-detection systems, they can know the types of probes the enemy has attempted.
But some organizations don't use or act on the intelligence they have. Many turn off their auditing systems, fail to review the logs or ignore alarms. A military parallel is Pearl Harbor, the attack in which the United States ignored radar detecting the incoming Japanese planes.
Interior defensive perimeters are critical.
The network perimeter has disappeared as ubiquitous computing and extranet access have surged. The model of hardened perimeters and wide-open interiors is no longer adequate.
During the 1879 defense of Rorke's Drift in South Africa, about 150 British soldiers held off 4,000 Zulus by defending the inherently indefensible. They created makeshift barricades from grain sacks and biscuit boxes to secure the perimeter. They had fallback positions and used them.
Security professionals can learn from this example. A network is not defensible if attackers breach the perimeter and the rest of the network is wide open.
Today, administrators segment networks with interior firewalls. Tomorrow, networks may be able to create dynamic barriers in response to worm and virus invasions.
Admirals and generals set strategies, but individuals who make tactical decisions and take the initiative win battles. Every federal agency employee has a responsibility to make IT security a priority.
Davidson is Oracle's chief security officer.