Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Information security: Seeking Sun Tzu's guidance

Angel S. Averia Jr. | Nov. 22, 2012
There is a raging war in cyberspace. Hackers launch attacks for various objectives: hacktivism, extortion, fraud, or espionage. Targets may be random or targeted. It's only a matter of when one will fall victim to an attack

There is a raging war in cyberspace. Hackers launch attacks for various objectives: hacktivism, extortion, fraud, or espionage. Targets may be random or targeted. It's only a matter of when one will fall victim to an attack

Concern has been rising as global cyber criminal activities rake in hundreds of millions of dollars annually and could cost more as systems operations are disrupted, intellectual property stolen, and organizations face legal consequences.

As malevolent actors take advantage of the cloak of anonymity and operate in the formless expanse of cyberspace, we can look to Sun Tzu's Art of War for guidance on how we can establish our cyber security posture.

Know thy Enemy

Sun Tzu says, "If you know your enemies and know yourself, you will not be imperiled in a hundred battles... if you do not know your enemies nor yourself, you will be imperiled in every single battle."

Kelly Jackson Higgins, classifies hackers into (1) hackers who "operate more as big-box, thrifty enterprises with bargain-basement mini-botnets and commodity malware" who "hide in plain sight, but try to maintain a foothold in their victims' organizations" and (2) hackers who "stage camouflaged, commando-type raids to grab and run off with valuable financial information." (Profiling The Cybercriminal And The Cyberspy, www.darkreading.com)

"When a general, unable to estimate the enemy's strength, allows an inferior force to engage a larger one, or hurls a weak detachment against a powerful one, and neglects to place picked soldiers in the front rank, the result must be a rout."

Available in the cyber crime underworld are tools such as anonymizers, botnets, malware, and exploits, among others, freely downloadable, for sale, or rent. Advanced hackers develop custom-built malware. Indeed, an assortment of attack tools is available to hackers in the open cyber crime market. Attacks may even be outsourced. Absent a concrete measure of the adversaries' capabilities, it is best to assume that hackers will harness available resources to build up strength."

"Be extremely subtle, even to the point of formlessness. Be extremely mysterious, even to the point of soundlessness."

Hackers seem to follow Sun Tzu's treatises. Battles are fought with deception. Social engineering is one. This and anonymity in cyber space are the friends of hackers, allowing them to achieve formlessness and soundlessness. And so should we learn from it.

Knowing Oneself

Organizations, increasingly becoming aware of the dangers in cyberspace, have, to varying degrees, adopted security measures like installing firewalls to protect their networks and implementing anti-virus solutions. These actions may not be enough. Cyber criminal activities are well organized and so potential targets should likewise get organized. Best practice dictates an assessment of the organization's security posture through the conduct of a gap or SWOT analysis. Typically, the assessment will look into people -- knowledge and skills present or absent, processes -- the existence or absence of policies, standards, procedures, and/or guidelines that will dictate how we operate, and technology -- the solutions, hardware and/or software, that are already in place or that may be required to enhance protection of the ICT infrastructure.

 

1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.