Sun Tzu's 13 lessons to combat hackers

In January, it was discovered that more than 75,000 computer systems in 2500 companies around the world were hacked in one of the largest and most sophisticated attacks by cyber criminals.

And a month later we saw the Australian Parliament website shuttered by hackers protesting the Federal Government's ISP internet filter.

A company's digital presence can be attacked for social and political reasons ("hactivism"), for extortion, espionage and digital graffiti.

To defend ourselves against cyber assaults, we look to military doctrine because much in information security stems from concepts such as need to know, least privilege, defence in depth, diversity of defence, choke point and other war strategies.

When considering the topic I thought of Sun Tzu's Art of War, the 2500-year-old Chinese military treatise. It teaches that success depends on timely information, preparation, organisation, communication, motivation, execution and leadership. General Sun Tzu said wars were won by those who have the greatest competitive advantages and who make the fewest mistakes.

Start your journey through 13 principles from The Art of War applied to cyber warfare by clicking over the page to the first lesson, defending your virtual shop front or dip in at any point using the drop-down index below.

About the writer

Keith Price is the national director of the Australian information Security Association. He started his career more than 20 years ago and he now specialises in ICT risk management, strategy and governance. His experience spans consulting, banking, insurance and utilities in Australia, Britain and the US.

Defend your virtual shop front

"The art of war is of vital importance to the State.  It is a matter of life and death, a road either to safety or to ruin. Hence it is a subject of inquiry which can on no account be neglected."

If your digital presence, your business shop front to the online world, is the lifeblood of your company then it must be defended. For example, online banks have no physical shop window and if customers can't reach their online presence during a distributed denial of service attack, that company can't process transactions and their viability is threatened.

Ask yourself: How long could you survive?

As part of your company's business continuity plan, a cyber incident response should be written to counter cyber attacks against your critical IT systems and assist management to identify, mitigate and recover from such assaults.

It's the business that owns such risks, including those related to IT. It should set the mandate for the risk-management program, provide resources to support a plan to protect critical systems and monitor how well risks managed. For ICT governance to be effective, senior management should review and approve the plan, agree priorities and commit resources.

The IT Governance Institute recommends that an executive committee with representation of all stakeholders review and approve the plan for the board of directors.

Is your virtual shop front secure or are you at risk of losing custom?

Recruit your spies on the hacker frontier

"Thus, what enables the wise sovereign and the good general to strike and conquer, and achieve things beyond the reach of ordinary men, is foreknowledge."

Sun Tzu was talking about knowledge of the enemy's dispositions and what they mean to do.  In Sun Tzu's world, the only way to get this information was to employ spies or agents.

Today, our agents are researchers and companies that provide a wealth of security intelligence and they provide much of this intelligence for free:

• Bruce Schneier, an internationally renowned security technologist and author.
• Marcus Ranum, an internationally renowned security technologist and author. 
• IBM Internet Security Systems X-Force Report
• Symantec Global Internet Security Threat Report
• Cisco Annual Security Report
• For many more, Google "internet threat report"

They analyse attacks, review vulnerabilities and detail the latest developments in malicious code.

You will better defend yourself once you learn what attackers are after and how they attack.

Experts such as Bruce Schneier keep you abreast of your adversaries.

Be wise, prepare for peril

"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable."

Many organisations have the attitude "it won't happen to us" and many are right, they may never experience a cyber incident.  But cyber attacks are happen daily and many have paid dearly as a result.

Sun Tzu advises to be prepared.

One of the best ways to prepare is to follow a disciplined, structured, flexible, extensible and repeatable process for achieving risk-based protection related to the operation and use of information systems. One of the best sources for such information is the US NIST risk-management framework.

Managing the risk posed to information assets requires:

• A clear, communicated policy
• Classifying and labelling information
• Identification and valuation of ICT assets
• Processes for use, distribution, storage and disposal
• Awareness of threats
• Awareness of your security state
• Security training
• Detection and reporting of intrusions and misuse
• Correcting problems
• Periodic assessment

Pretending there's no problem is no answer to computer security.

Change your game plan as the enemy changes his

"He who can modify his tactics in relation to his opponent and thereby succeed in winning, may be called a heaven-born captain."

If you follow the evolution of cybercrime, you know the bad guys change their tactics but that means the good guys are (almost) always a step behind.

The past year or two saw attack vectors favour vulnerabilities in web browsers and associated technologies. Now even once-trusted websites have iframe and cross-site scripting vulnerabilities that may infect visitors.

When we opened our networks, we put in firewalls. When the bad guys started manipulating the protocols allowed through firewalls, we installed intrusion-detection systems.

When the time from breach to booty capture shrank, we put in intrusion prevention systems.

Now we're putting in web application firewalls.

We modified our tactics by mandating certified security professionals such as those holding CISSP, CISM, CRISC or GIAC work with these systems. And we're doing more background checks for personnel handling sensitive information.

We also modified our processes to reduce human error and to ensure the design, installation, operation, and maintenance of our infrastructure complies to policies, standards and architectures.

Revise your tactics regularly.

Complexity is your enemy, simplicity is your ally

"He wins his battles by making no mistakes.  To secure ourselves against defeat lies in our own hands, but the opportunity of defeating the enemy is provided by the enemy himself."

The complexity of technology is the enemy of information security especially where it converges into a system. And it's easy to make mistakes through misconfigurations and process omissions.

Technology convergence has business advantages such as initiating change and efficiencies, so we'll see more of it.

From a risk-management perspective, it is a way to integrate risk and compliance processes. The simplicity of a single framework should lead to lower risk because it is easier to understand and control.

In security, as in battle, mistakes in strategy or tactics are devastating. Our goal is to ensure that our security strategies and tactics are well thought out, implemented properly and routinely verified.

This puts a heavier burden on our attackers.

Although bad guys are clever and skilled, they will only spend so much time on a target before moving on to an easier target. 

Even for bad guys, time is money.

An element out of place can open a door to hackers. photo: Nate Cochrane

Make management understand the risks

"Hence the skilful fighter puts himself into a position which makes defeat impossible."

Position is the preparation necessary to defend ourselves.

It includes reducing vulnerabilities in operating systems and applications, managing technology convergence and process assurance to reduce the chance of human error and assessing the security state of our environment.

An information security management program focuses on critical components organisations need to protect information assets.

Each will have a unique security management program but there are fundamentals that most share. One of the most important is executive management support, which begins with them understanding risks faced by the business:

• Sophistication of cybercriminals
• Insider threats
• Operating system and application vulnerabilities (more than 6600 last year)
• Corporate governance and compliance
• Lack of skilled resources

Next, write information security policies, develop security awareness and education campaigns, assign ownership and accountability of the security function to individuals and, through job descriptions and remuneration, make security everyone's responsibility.

Security is everyone's responsibilty

A disciplined IT team is a creative organisation

"The consummate leader cultivates the moral law and strictly adheres to method and discipline; thus it is in his power to control success."

The "moral law" relates to attributes of the management team who lead by example.

The operating principles they found are methods and discipline that organise "troops" into divisions, management hierarchy (the graduation of rank among officers), tools and supplies and finances for "campaigns".

Discipline and control is how we produce consistent, quality results and high productivity. One of the most important control regimes is IT change control, which requires adherence to approved processes to ensure changes are lodged, reviewed, approved, communicated, tracked and closed by authorised personnel.

Controls are not handcuffs restricting innovation and creativity. Well disciplined design and build functions provide in the long term solutions that are easier to maintain than those that bypass policies and standards. We need proof-of-concept testing but it must be isolated from production systems.

Rigorous change controls keep systems standardised such that everyone can use them.

Ask yourself: In your business, how do you roll back an unauthorised, undocumented change causing problems to the quarter-end run on a production server when the tech who made the change to boost performance is absent?

Imagine the extended outage and wasted hours troubleshooting this critical system to find what caused the failure owed to a lack of method and discipline.

Disciplined teams with clear controls are at their most creative.

Lure the cybercriminal to learn from his actions

"Rouse him, and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find out his vulnerable spots."

Honeypots are decoy systems that attract attackers so we can watch what they do.  They've been around for 20 years since Clifford Stoll described them in The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage.

In the early internet days (like back when we saw the Apple II operating system viruses spread through pirated computer games at Texas A&M University around 1981), honeypots were valuable ways to learn how networks were breached.  We're still learning but we're struggling to keep up with the cyber weapons used by highly financed, highly organised international cyber gangs

The battle is not over and the intelligence challenge continues. By keeping current on how attackers operate, we can train people and build processes, technology and strategy to counter attacks.

A honeypot traps an attack for analysis.

Defence in depth, diversity of defence

"The clever combatant looks to the effect of combined energy and does nort require too much from individuals..."

... or systems. Requiring too much from systems introduces significant risk.

This introduces the concept of dedicated functionality, a strategy where security devices serve a sole purpose.

For example, routers route traffic, and although you can add access control lists (to block RFC 1918 addresses), that does not make them firewalls. 

You need to use real firewalls, access control devices that enforce policy through allow and block rules. 

Firewalls also provide network address translation and maintain state-on connections, something traditional routers can't do, which provides for the analysis of packets at the network, transport and session layers for deeper protocol understanding. 

Keeping track of these layers creates virtual sessions of connectionless protocols used by UDP and RPC applications.

Regarding "combined energy", convergence of security functions into unified threat management devices has gained momentum, especially for small and branch offices.  These devices consolidate security functions (firewall, intrusion prevention, anti-virus capability, and Internet content, among others) in a box managed through an interface.

Other security strategies, defence in depth and diversity of defence, are important.  Defence in depth creates concentric layers that an attacker must penetrate while we watch their activities (like a honeypot). Diversity of defence provides prevention and detection controls that work independently.

Aircraft carriers rely on concentric circles of defence and variety of weapons    to ward of attackers, a wise move for information security strategies.

Match your adversary with smarter resources

"We can form a single united body, while the enemy must split up into fractions.  Hence there will be a whole pitted against separate parts of a whole, which means that we shall be many to the enemy's few."

Organised crime gangs are well funded and organised. But those they attack, all of us, are larger in number. By uniting, we learn from each other and leverage each other's strengths to compensate for our weaknesses.

And there are organisations and resources to assist. First, establish your incident-response capability. Start by writing a policy, develop a stepwise plan and hook into local, state and federal agencies.

One of the best sources for help is CERT Australia, the national Computer Emergency Response Team and the primary Australian contact for cyber security incidents on Australian networks.  Another source is the Australian Federal Police High Tech Crime Operations.

Cybercriminals are well organised and well-funded and so must you be.

Plan for attack even if you don't feel you have to

"In the wise leaders plans considerations of advantage and of disadvantage blend."

If you've never been attacked, that's great. But the fact that you've never been attacked is not evidence that you never will be attacked. 

If you have an internet presence and information of value, then you're a possible target. In your business-continuity planning, you should consider scenarios of electronic attack through malware or breach by a human attacker.

Following Sun Tzu's advice, the best time to plan for your disadvantaged state is when you're in an advantaged state. That is, do it before you're (finally) attacked.

Conduct a business-impact analysis to identify and prioritise your critical ICT systems.  Learn the impacts to your business and how long your systems can be down. Determine your recovery priorities because, under attack, you won't have the resources to bring all systems back on line at the same time. 

Review your preventive, detective, and correction controls for adequacy against the attack scenarios. Finally, develop and test your recovery strategies.

For more information, visit the Business Continuity Institute.

The time to plan for attack is when you don't have to.

Train hard, fight easy

"If you know the enemy and know yourself you need not fear the result of a hundred battles."

To know our capability to resist attack and how prepared we are we test ourselves by rehearsing an incident-response plan.

We begin with workshops for key stakeholders to walk them through worst-case scenarios. 

It gives them the chance to assess their recovery capabilities and how well they work with each other.

We can tweak the plan then move to a simulation, which executes a disaster scenario.

The team now identifies key outcomes and deficiencies to update the plan.  And we do this periodically or after significant changes to our IT environment.

Co-ordinated, rehearsed teams swing into action when danger strikes.    photo: Australian Army

Know what's coming into and leaving your network

"Move, not unless you see an advantage; use not your troops unless there is something to be gained; fight not unless the position is critical."

The sports strategy of "the best defence is a good offense" doesn't work for organisations on the internet.

If you have valuable information (credit card numbers or intellectual property) that is exposed you're a sitting duck. If someone wants to attack you, there won't be much you can do to prevent it. But you can defend yourself when it comes.

Firstly, know when the attack has started, and you better know fast. The time between the attacker's entry and the compromise of information goes undiscovered and uncontained for weeks or months in three-quarters of cases.

Cyber attackers want access to your systems and they will try extortion through distributed denial of service attacks.

To monitor for nefarious activity you need security information and event management tools that work on the concept of "all-source data fusion" used by military intelligence for 50 years.

To know what's going on in your infrastructure, monitor your mission-critical systems, integrate data feeds from devices and correlate the data to identify the few events that are important. 

It's a necessity to detect stealth attacks.

Conclusion

Many businesses with significant online presences are prime targets for cyber attack.  Every few days it seems we read another story about privacy breaches, stolen intellectual property, compromised credit card numbers or financial fraud.

Studying military doctrine and applying proven security strategies to our people, processes, technologies and organisational strategies and structure can help. 

Norad monitors air and space threats to the US.