As a security professional, I spend time researching the latest issues, threats and hacking techniques. For pleasure, however, I read mostly military history – which, in turn, impacts my view of information security.
He who defends everything defends nothing
To best apply limited resources to maximize defense success, carefully select your turf. One of our security teams questioned my sanity when I asked how the U.S. Marines took Guadalcanal in the Pacific in 1942/43. The strategy: hold the airstrip; hold the island. The airstrip was strategic, because the U.S. could mount an air defense from it, making the field a virtual aircraft carrier. The team understood the relevance to our product strategy.
Risk management must mean moving beyond simply identifying and defending the most important assets to including an analysis of the strategic points of the network that enable beachheads by attackers or a dominant position by defenders.
Intelligence has value only if you act upon it
The Battle of Midway in June 1942 was arguably the turning point of the Pacific War. The victory hinged in part on U.S. intelligence, gleaned by breaking the JN25 naval cipher that the Japanese planned to attack Midway. Admiral Nimitz, the U.S. commander, sent two carrier task forces to Midway to ambush the Japanese Navy (never assume ciphers cannot be broken.)
Security professionals have many ways to know the landscape of their networks, their state of readiness and the types of probes attempted.
But some organizations neither use the intelligence they have nor act upon it – they turn off auditing, fail to review logs, or ignore alarms generated by IDSs.
The importance of interior defensive perimeters
One security truism is the disappearance of the perimeter.
During the 1879 defense of Rorke's Drift in South Africa, 150-odd British soldiers held off 4,000 Zulus by defending the inherently indefensible – they created both a defensive perimeter and makeshift interior barricades from grain sacks and biscuit boxes. Security professionals can learn from this example. A large defensive perimeter is not defensible if it is breached – the rest of the network is wide open.
Today, administrators segment networks with interior firewalls. Tomorrow, the network might be able to create dynamic redoubts.
A final lesson of military history lies within the power of individuals. Strategies are set by admirals and generals, but battles are won by individual tactical decisions and initiative. Every employee has a responsibility to make IT security a priority.