John Robb's Brave New War provides an excellent summary of the major security issues that militaries, governments and businesses have to deal with. Robb explores the asymmetries in information, technology, intelligence, and agility that can give a small, disgruntled band of people certain advantages over very large and powerful systems. His excellent blog is rife with these examples.
Due to a number of technological factors, small groups of people can bring very powerful weapons to bear on large systems. Due to our hypermedia age, Robb's so-called Global Guerrillas can learn from each other in an open source type way. Robb gives examples of the Iraq IED marketplace, where IED entrepreneurs learn how to improve techniques from each other.
There are many parallels between the above and computer security. In computer security, enterprises have to defend thousands of machines and connections. An attacker need only find one exploit. It is very likely that the attacker knows far more about the security vulnerabilities in your operating system, app server, web server, and database than the person who is administering it. This is an information asymmetry that can be (and is) exploited. In the computer security world we typically think of things in white hat and black hat ways. I tend to think of Robb as the physical world's uber Black Hat and Thomas Barnett as the White Hat (heck, he even advocates for a sys admin approach).
Sadly, another parallel is investment in security. While the US military fights guerillas, the Pentagon invests in more battleships and submarines. While enterprise IT connects millions of customers and partners throughout their systems, IT security buys firewalls and network security gear. This is not just fighting the last war, this is fighting in the last century.
The last part of the book, "Rethinking Security", was the most interesting for me. Robb points out that you cannot really expect to deal with all the threats. Attacks evolve. As Pete Lindstrom says, there are three reasons for this:
1. Intelligent adversary
2. Intelligent adversary
3. Intelligent adversary
So instead of assuming the naive "patch and pray" approach, Robb advocates for survivability as the centerpiece for a 21st century approach to security. This was quite a nice surprise to find at the end of an already enjoyable book. One of my favorite people to work with, Howard Lipson, has been beating the drum for computer security to deal with survivability for a while. Howard's three R's for survivability are:
Resistance - ability of a system to repel attacks
Recognition - ability to recognize attacks and the extent of the damage
Recovery - ability to restore essential services during attack, and recover full services after attack
Of course, as I blogged yesterday, the Anasazi were pretty good at this stuff a few hundred years ago. Wonder when computer scientists will catch up?
Great design and such an informative site!
Posted by: milana | July 22, 2007 at 02:24 PM