Davidson: Lessons of warfare for IT security

To best apply limited resources to maximize defense success, carefully select your turf

As a security professional, I research the latest issues, threats and hacking techniques. For pleasure, however, I read mostly military history, which shapes my view of information security. As a result, I offer the following lessons from military history for federal agency information technology security professionals.

Most security professionals attempt to implement programs to defend all access points because intruders need to find only one way in. But because agency resources are finite, boundaries typically exceed resources. To best apply limited resources to maximize defense success, carefully select your turf.

Risk management approaches to security must move beyond identifying and defending the most important assets to include an analysis of a network's strategic points where intruders could attack.

Here are some IT security lessons from military history.

  • Intelligence has value only if you act on it.

    The Battle of Midway in June 1942 was arguably the turning point of World War II in the Pacific Rim. The victory hinged partly on U.S. code crackers breaking the JN25 naval cipher to learn that the Japanese planned to attack Midway. Adm. Chester Nimitz, commander of the U.S. Pacific fleet, sent two carrier task forces to Midway to ambush the Japanese Navy.

    A second lesson is the hubris of assuming that enemies cannot break ciphers and codes.

    Security professionals have many means of defense at their disposal. Through network mapping, they can determine the landscape of their networks. Knowing how many systems are locked down and adequately patched, they can assess their readiness. Using intrusion-detection systems, they can know the types of probes the enemy has attempted.

    But some organizations don't use or act on the intelligence they have. Many turn off their auditing systems, fail to review the logs or ignore alarms. A military parallel is Pearl Harbor, where the United States ignored radar that had detected the incoming Japanese planes.

  • Interior defensive perimeters are critical.

    The network perimeter has disappeared as ubiquitous computing and extranet access have surged. The model of hardened perimeters and wide-open interiors is no longer adequate.

    During the 1879 defense of Rorke's Drift in South Africa, about 150 British soldiers held off 4,000 Zulus by defending the inherently indefensible. They created makeshift barricades from grain sacks and biscuit boxes to secure the perimeter. They had fallback positions and used them.

    Security professionals can learn from this example. A network is not defensible if attackers breach the perimeter and the rest of the network is wide open.

    Today, administrators segment networks with interior firewalls. Tomorrow, networks may be able to create dynamic barriers in response to worm and virus invasions.

    Admirals and generals set strategies, but individuals who make tactical decisions and take the initiative win battles. Every federal agency employee has a responsibility to make IT security a priority.

    Davidson is Oracle's chief security officer.
