The Ancient Art of Security: Part One

by James “McTzu” McMurry

I like to think of computer security as a digital analog to war. It’s a good analogy in many different ways, from the tactical aspect of securing local systems to the strategic aspect of creating a high-level plan for protecting an entire enterprise.

Perhaps some of that has come to light in the recent cyber attacks we are seeing, carried out by both freelance players (think of them as mercenaries) and nation-state actors (very much like national armed forces).

In war, you try different tactics. A good general knows what has worked in the past and remembers the different failure modes for future strategies. For example, let’s consider the most famous tactic of all: the blockade.

Blockades are great. You basically erect a physical barrier against the enemy. Used in the correct configuration, they are quite effective. Unfortunately, they can also be compromised.

As an example, consider a famous strategy the French used during WWII against the Germans. To provide time for their army to mobilize in the event of a German attack, the French erected a fortification called the “Maginot Line”. The Maginot Line was believed to be so effective that it would repel any invasions from the East. While the Maginot Line did prevent direct attacks, it was ineffective as a strategic solution. The Germans simply went around it via Belgium and swept through France, conquering it in 6 weeks. The failure was so complete that today the term “Maginot Line Mentality” is used to describe a strategy that people believe will work but will fail miserably in the end.

Historically, there are reasons to believe that if the French had adopted some newer tactics (the Maginot Line was really a WWI-style defense), their strategy might have worked. The trouble was that they did not consider this and instead relied on something they automatically assumed would work because it had in the past.

Blockade tactics do work to a certain extent, as evidenced by the extremely successful Allied Submarine Blockade in WWII. By utilizing new tactics involving mines and torpedoes, the Allied submarines inflicted tremendous damage on the Axis naval forces. This tactic was styled around a basic idea of a war of attrition. The enemy had limited resources and the goal was to deprive them of what they had. The Allied Submarine Blockade was a perfect adaptation of an older strategy to a practical goal.

Another strategy you’ve probably heard of is the “Trojan Horse”. This tactic is extremely old and is described by Virgil in his epic poem “Aeneid”. The story goes that, after a 10-year effort by the Greeks to conquer Troy, they decided to construct a giant wooden horse. After hiding a force of men inside the horse, the entire Greek army sailed away. The Trojans, rejoicing at the perceived defeat of the Greeks, pulled the giant horse into Troy as a trophy. That night, after the reveling was done, the Greek force hidden inside the horse snuck out and opened the gates for the rest of the Greek army, which had secretly sailed back under cover of night. The Greeks entered Troy and destroyed it, ending the war.

The story of the Trojan Horse illustrates the tactic of social engineering as applied to breaching a nearly impregnable defense. What is interesting about this tactic is that variations of it have been used throughout history. Terrorist tactics rely somewhat on this with the added effect of not providing the enemy with a coherent target to strike back at.

The devastation caused to our republic on September 11, 2001 by Al Qaeda is the result of a Trojan Horse tactic. They concealed sleeper agents in our midst, deploying them in a coordinated attack to inflict both physical and emotional devastation, eroding our sense of invulnerability. The U.S. not being able to strike back at a single enemy was an important part of their strategy.

One response to 9/11 was tightened security at airport checkpoints, but even so, new ideas for replicating terrorist attacks with simple items (explosives hidden in shoes, liquid bombs) produced a spiraling response in terms of restricting what we could travel with. This kind of response to variations on the original style of attack did not necessarily eliminate the threat, but it did provide a sense of security, even though the core issue of Trojan attacks has not really been addressed in a comprehensive way.

In today’s cyber security world, we have similar scenarios.

The kinds of defenses we have seen work in the past (firewalls, encrypted communication and even physical isolation) are not quite sound without some modifications for today’s world. For example, physical access gained via social engineering can reach the locations where security is weakest. Wireless access can provide remote attack opportunities that are nearly undetectable.

Trojan attacks using phishing emails and compromised USB drives can infect systems from within. The resources to implement and mount these attacks are not substantial and to the attacker the risk is minimal. As I have blogged previously, even an innocuous USB stick can be plugged into a logged-in machine and in seconds open all sorts of security gates for outside attacks. Tracing such an attack is quite difficult.

One of the more recent Trojan threats is the Finfisher toolset. Finfisher has created a set of “tools” (Trojans, spyware, viruses) that caters only to government and law enforcement agencies. They claim it is used to monitor specifically targeted computers. These Trojan programs can do a wide range of things, like break WPA encryption, spy on your Facebook and webmail activities, and even identify hidden networks and steal passwords. The worst thing about Finfisher is that its use by the government is an entirely legal, albeit unethical, invasion of privacy.

In enterprise scenarios, there are lots of assumptions that are made based on past experiences, but the biggest mistake you can make is to not adapt those assumptions to new requirements. A detailed analysis of how your organization works is critical if you are to adapt conventional security policies into use.

For example, if you have a lot of wireless devices and portable storage devices, you really need to have an endpoint security strategy and not just rely on a firewall. If you have people operating remotely and using VPN, you might want to consider subjecting that VPN traffic to analysis to make sure nothing out of the ordinary is happening.

Even in scenarios where everything seems above board, you still want to observe bandwidth throughout your network as a precaution against suspicious activity. The Sony hack involved terabytes of data! If you see that much data moving to a single location, you should definitely have cause for concern.
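The bandwidth check described above (watch for large volumes leaving the network toward a single location) can be reduced to a simple aggregation over flow records. The following is an added example, not code from the original post or from Milton: it parses a constructed, simplified NetFlow-style export, sums outbound bytes per external destination, and flags any destination that received more than a threshold (500 GB here, an arbitrary assumption) within the records examined. The log format, the internal address ranges and the threshold are all assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample flow records (simplified NetFlow-style export, not real data):
# "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>"
SAMPLE_FLOWS = """\
2024-01-05T02:10:00Z 10.0.1.15 203.0.113.7 443 600000000000
2024-01-05T02:12:00Z 10.0.1.22 203.0.113.7 443 700000000000
2024-01-05T02:15:00Z 10.0.1.15 198.51.100.40 443 2000000
2024-01-05T02:20:00Z 10.0.2.5 10.0.9.9 445 90000000000
2024-01-05T02:25:00Z 10.0.3.8 192.0.2.88 22 50000000
# malformed record below: the parser must skip it rather than crash
2024-01-05T02:30:00Z 10.0.3.8 not-an-ip 22 abc
"""

# Assumed internal ranges; internal-to-internal traffic (backups, replication)
# is excluded so it does not drown out true egress.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the assumed flow format, skipping comments and malformed lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        try:
            ip_address(src)
            ip_address(dst)
            flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
        except ValueError:
            continue  # bad IP or non-numeric field: skip the record
    return flows


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_by_destination(flows: List[Flow]):
    """Sum bytes sent from internal hosts to each external destination,
    and remember which internal hosts contributed."""
    totals: Dict[str, int] = defaultdict(int)
    sources: Dict[str, set] = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.dst] += f.nbytes
            sources[f.dst].add(f.src)
    return dict(totals), {d: sorted(s) for d, s in sources.items()}


def flag_bulk_egress(flows: List[Flow], threshold_bytes: int = 500 * 10**9):
    """Return one alert per external destination whose total inbound volume
    meets the threshold, largest first, with its share of all external egress."""
    totals, sources = egress_by_destination(flows)
    grand_total = sum(totals.values())
    alerts = []
    for dst, total in totals.items():
        if total >= threshold_bytes:
            share = total / grand_total if grand_total else 0.0
            alerts.append({"dst": dst, "bytes": total,
                           "share": round(share, 4), "sources": sources[dst]})
    alerts.sort(key=lambda a: a["bytes"], reverse=True)
    return alerts


if __name__ == "__main__":
    for a in flag_bulk_egress(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {a['dst']}: {a['bytes'] / 1e9:.1f} GB "
              f"({a['share']:.1%} of external egress) from {a['sources']}")
```

Run against the constructed records, the script reports a single destination (203.0.113.7) receiving 1.3 TB from two internal hosts, while the 90 GB of internal replication traffic is ignored. In practice the same aggregation would be bucketed by time window and compared against each destination's historical baseline rather than a fixed threshold, so that a new, never-before-seen destination receiving a modest but unusual volume also stands out.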

In security, experience counts for a lot and, given the pace of change, working with someone who tracks that change closely is critical. At Milton we’ve been doing just that for a very long time. Let us help you deal with tactical and strategic security threats.

My next post will continue along the same theme, going over tactics in warfare, and the concept of Blue Team vs. Red Team.

Call us today for more details on how we can keep your data safe.
