Davidson: Lessons of warfare for IT security

To best apply limited resources to maximize defense success, carefully select your turf

As a security professional, I research the latest issues, threats and hacking techniques. For pleasure, however, I read mostly military history, which shapes my view of information security. As a result, I offer the following lessons from military history for federal agency information technology security professionals.

Most security professionals attempt to implement programs to defend all access points because intruders need to find only one way in. But because agency resources are finite, boundaries typically exceed resources. To best apply limited resources to maximize defense success, carefully select your turf.

Risk management approaches to security must move beyond identifying and defending the most important assets to include an analysis of a network's strategic points where intruders could attack.

Here are some IT security lessons from military history.

  • Intelligence has value only if you act on it.

    The Battle of Midway in June 1942 was arguably the turning point of World War II in the Pacific Rim. The victory hinged partly on U.S. code crackers' breaking the JN25 naval cipher to learn that the Japanese planned to attack Midway. Adm. Chester Nimitz, commander of the U.S. Pacific Fleet, sent two carrier task forces to Midway to ambush the Japanese Navy.

    A second lesson is the hubris of assuming that enemies cannot break ciphers and codes.

    Security professionals have many means of defense at their disposal. Through network mapping, they can determine the landscape of their networks. Knowing how many systems are locked down and adequately patched, they can assess their readiness. Using intrusion-detection systems, they can know the types of probes the enemy has attempted.

    But some organizations don't use or act on the intelligence they have. Many turn off their auditing systems, fail to review the logs or ignore alarms. A military parallel is Pearl Harbor, the attack in which the United States ignored radar detecting the incoming Japanese planes.

  • Interior defensive perimeters are critical.

    The network perimeter has disappeared as ubiquitous computing and extranet access have surged. The model of hardened perimeters and wide-open interiors is no longer adequate.

    During the 1879 defense of Rorke's Drift in South Africa, about 150 British soldiers held off 4,000 Zulus by defending the inherently indefensible. They created makeshift barricades from grain sacks and biscuit boxes to secure the perimeter. They had fallback positions and used them.

    Security professionals can learn from this example. A network is not defensible if attackers breach the perimeter and the rest of the network is wide open.

    Today, administrators segment networks with interior firewalls. Tomorrow, networks may be able to create dynamic barriers in response to worm and virus invasions.

    Admirals and generals set strategies, but individuals who make tactical decisions and take the initiative win battles. Every federal agency employee has a responsibility to make IT security a priority.

    Davidson is Oracle's chief security officer.
