Security's Everyman

Friday, August 17, 2007

Sun Tzu got this one wrong. :(

I finally ran across an Art Of War quote from my handy calendar that definitely does not apply to information security. Even if vendors try to convince you otherwise.

"If you carry on alliances with strong countries, your enemies won't dare to plot against you."

Alliances with strong countries (i.e. security vendors) will NOT protect you from the attempts of the bad guys to get into your network, application or systems. I would even venture to say that some of the black hats consider it a challenge, and the stronger the defense, the harder they work to penetrate it. Especially if they think that there is something worthwhile waiting on the other side.

Sun, I'm sorry to say that you have let me down on this one. I can see Amrit smiling now. :)

10 comments:

Kai Roer said...

Hi Andy,
IMO, it depends on how you define country, now, doesn't it? What if you say security industry on one side, and hackers & terrorists on the other? Then the choice is not one of the vendors anymore, but one of sides? ;)
And Sun would still be right... It is all a question of your point of view.
K

Security Catalyst (Michael) said...

Interesting, I've never considered an alliance with security vendors. Rather, if you build a strong and powerful alliance with your users...

OH SNAP - Sun Tzu and Awareness in the same post? Amrit's gonna _love_ that.

Amrit aside - any security team that doesn't forge a strong alliance with the business and users is a failure and will clearly be overrun and defeated. Align with the business, ally with the users and you'll be fine.

kurt wismer said...

perhaps it is not sun tzu that has failed you but rather your source that has...

with all due respect to your calendar, that quote does not seem like sun tzu... starting with the maxim that all warfare is based on deception, it seems obvious to me that in order to separate you from your strong allies your enemies should try to frame you in such a light as to make your allies amenable to breaking their ties with you...

also, i can't find anything equivalent to that quote in the lionel giles translation at the internet classics archive...

rybolov said...

Seems to me that in our world, the more you side with powerful allies, the more people want to plot against you, either through state-sponsored hacking or because they don't like your political leanings. =)

kurt wismer said...

just as a further data point, there appears to be no analog to that quote in the version of sun tzu's work that's in the appendix of "sun tzu's art of war: the modern chinese interpretation" by general tao hanzhang...

that makes two sources (the previous being the lionel giles translation in the internet classics archive that i was sure i posted a comment about before) that fail to corroborate the quote...

Allen Baranov, CISSP said...

Nice post.

But the Art of War is just about that - war.

So far, information security has been mostly about passive prevention.

If you get portscanned, you don't go out and DOS the scanner...you just make sure that your Firewall keeps the traffic out. If you get spammed, you just accept the mail and delete it without taking it further. There is no active seeking out the attackers.

I think that as hacking moves more toward "crime" as opposed to "hobby" and more money gets involved, governments are going to get more tough on the action part of Information Security rather than the passive defense part.

Laws will be put in place, cyber-cops will be put in place and finally we can fight back against hackers.

Once this is done your quote will make sense. Choose a country to work in (align yourself with) that has tough anti-hacking laws and a police force able to uphold the laws and hackers will think twice about attacking you.

Andy, ITGuy said...

Allen, You have some good points but I have 2 comments. 1. Wouldn't it be great to DDoS anyone who came at you. :) 2. The "country" I'm referring to is vendors. Of course since AoW is about War the concepts have to be adapted to IS.

kurt wismer said...

@allen baranov:
"So far, information security has been mostly about passive prevention."

from chapter 4 (tactical dispositions):
"Sun Tzu said: The good fighters of old first put themselves beyond the possibility of defeat, and then waited for an opportunity of defeating the enemy."

sounds to me like there's some passive prevention going on even in war...

@andy:
"Wouldn't it be great to DDoS anyone who came at you. :)"

no, it wouldn't be great at all... DDoSing them wouldn't get you any closer to defeating them, it would only engage you in a potentially prolonged battle which no one would benefit from...

Andy, ITGuy said...

Kurt, just to make sure that there are no misunderstandings, I was joking about DDoSing the enemy. It would be fun but counterproductive. Remember what happened when the anti-spam company Blue something or another got blown off the net by a spammer?

kurt wismer said...

@andy:
it was blue security... they tried to fight a war of attrition against the spamvertizers but due to the fact that part of the system was centralized they were vulnerable and that vulnerability got exploited by the spammers... i actually think they could have been effective if their architecture had been better, but knujon and similar operations that utilize actual law enforcement as their offensive arm occupy the ethical as well as tactical high ground by comparison...

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.