How to win the IT security war: think like a soldier

Is it time for the enterprise to step up and start employing military-grade IT defences, asks Davey Winder...

IT Pro recently reported how MPs had questioned the armed forces' readiness to deal with cyber security attacks and suggested that the MoD needed to do more to guard against such a threat. But it's not just the military and our Critical National Infrastructure providers that are being targeted by those who would steal data, hack systems and deny service; your enterprise is well within the cross-hairs.

OK, so hackers breaching the average business network isn't a threat to national security but maybe it's time for the enterprise to 'go to war' against the cyber-criminal threat nonetheless. IT Pro asked a bunch of security experts whether the war analogy was a valid one. Read on to find out what we discovered...

Bob Ayers, commercial director at Glasswall Solutions, is a former US intelligence officer and thinks we don't need to ready our weapons just yet. "The question of whether an enterprise should 'go to war' against cyber-criminals suggests a basic lack of understanding of the problem" Ayers insists.

He adds: "As for any other crime, the obligation of the victim of a cyber-crime remains the same – to report it to the police, not unilaterally to wage war on the criminal. Vigilantism, even in cyber-space, represents a break down in the law and order of a civilised society. In the real world, when a nation state wages war its goal is to destroy the enemy’s military forces and supporting infrastructure. Does waging war on cyber criminals translate to the actual physical destruction of the criminal and his supporting infrastructure? I hope not, as I would hate to see my 12-year-old son and his desk-top computer vaporised by an irate company who mistakenly believed my son was a cyber-criminal. I apologise for this example, but use it only to illustrate the insanity of using terms like 'waging war' on cyber-criminals."

Not everyone agrees with him though. Take Lt. Col. Chris McIntosh of the Royal Signals (Ret’d) who is now CEO of ViaSat UK and told IT Pro that "to an extent, enterprises have always been at war with cyber criminals: it’s just that they didn’t realise it.

In order to adapt to this battlefield, enterprises need to make sure they adopt a defensive posture. They should start with the assumption that they have already been compromised and from there take the necessary actions and precautions. Failure to take this stance will greatly increase the risk of falling foul of an attack..."

Darren Turnbull, Fortinet's vice president of strategic solutions, also thinks that it's a valid suggestion that enterprises take a more military approach to cyber crime. "Long gone are the days when cybercrime was the preserve of rebellious teenagers and single rogue crooks" Turnbull explains.

"Today cybercrime is complex, sinister and highly organised involving hierarchical business models and employing leaders, engineers, infantry and hired money mules. With the enemy increasingly aggressive and organised, a passive or complacent approach to cyber defence is not good enough," he adds. Not that Turnbull is suggesting that the enterprise should go on the attack. Using the vigilante analogy used by Bob Ayers earlier, he insists that is the job of national defence agencies. "But the enterprise needs to do its bit for the war effort" Turnbull concludes. "It needs to Keep Calm and Carry On."

But that doesn't mean that you shouldn't *think* like an attacker, as Peter Wood who is member of the London Chapter ISACA Security Advisory Group and CEO of First Base Technologies, points out. "Organisations often underestimate the devious nature of today’s attacks: criminals don’t play by the rules and simply try to exploit a known vulnerability. Yet defenders don’t always think like attackers – frequently they follow best practice and rely on received information."

So patching systems, deploying firewalls and encrypting data is no longer enough according to Wood, instead he insists that to truly protect the enterprise you have to think like an attacker, to understand what goes on in their heads. "You also need to decide who will have a reason to attack you, where and how" Wood continues "this requires some serious thinking, using threat and risk modelling – not a theoretical model, but real analysis in your organisation with help from the business. Rather than working with “best practice” checklists, sit down with each department in the business and talk through the threats in a workshop environment – work with real-world scenarios and determine where the real threats are coming from and what needs to be done to protect your critical information."

Lessons learned

OK then, so what can the enterprise actually do, what can it learn in a very practical and real-world sense, from the strategic Critical National Infrastructure (CNI) military defence thinking? Not a lot from CNI if you listen to Lt. Col. McIntosh who reckons that "the strategy used by many Critical National Infrastructure providers is a good example of what not to do".

Certainly, CNI providers have been quick to adopt internet connectivity into their systems, but McIntosh argues that they have been slow to improve their levels of security. "In fact, in my opinion, our critical national infrastructure is woefully unprotected" McIntosh told IT Pro, adding that one US attack "took out a power plant for three weeks: if this can happen to CNI, enterprises need to study where exactly they take their security strategy guidance from."

Turnbull, on the other hand, thinks that CNI strategy "makes very reasonable, sensible and obvious recommendations which all enterprises would be well advised to take note of". As for the military cyberwar defence strategies, Turnbull thinks we should be realistic and accept that even at government level defences can be breached. "The lesson that should be learned here" Turnbull says "is that enterprises should never be complacent and no defence strategy is flawless. The criminals will always be two steps ahead" and that if we can learn anything from a war analogy it's that "the corporate world is being blitzed and like London, it needs to have its barrage balloons, anti-aircraft defences and fighter cover in place. But the Heinkels will always have the advantage, so enterprises need to have the sandbags in place and the windows taped up."

Crossing the line

Isn't the truth though, that the enterprise has already crossed the line in terms of adopting military-grade IT security defences, even if it doesn't realise it? Si Kellow, CSO at Proact, doesn't like the 'military grade' descriptor and argues that history shows all this means is that someone is using "an incredibly narrow subset of the capabilities of a technology, in a manner which is procedurised to within an inch of its life." 

That's how the military gained the security advantage, Kellow says, concluding that "in some respects you could say that compliance areas such as PCIDSS are very prescriptive, and therefore could have been developed with the military way of doing things in mind.”

Perhaps, not too surprisingly, Lt. Col. Chris McIntosh disagrees. While admitting that the enterprise lags behind the military when it comes to IT security, McIntosh insists that it is the military’s approach to IT security, rather than any specific device or piece of software, that will most benefit enterprises.

"This involves taking a holistic approach to the entire IT system" McIntosh says. "Every point of weakness and potential interaction with the outside world needs to be identified; whether it is how passwords are stored; moving data across unsecured lines; remote access points; or even company policy regarding the use of personal devices.

"It is then a case of implementing technology and procedures that will ensure that none of the technology works in isolation, but combines to ensure that there are no backdoor entry points vulnerable to attack.  If you think of your IT system as Fort Knox, targeted cyber criminals are not going to focus on the front gate: they will go for weak points in the structure, or tunnel in, or disguise themselves as the US army, or simply bribe the guards: in short, any point of weakness."

Marcus Chambers, a member of the London Chapter ISACA Security Advisory Group and also a former Royal Signals Lt Col, agrees that a holistic and multi-agency approach as set out on page nine of the Executive Summary of the UK's Cyber Security Strategy is what's needed. "Whilst firms may now upgrade their defences to 'military grade' it is the multi-agency response which will really deter future attacks by sophisticated criminals" Chambers says, continuing "large enterprises must not be encouraged to conduct surgical e-strikes against hackers, but must instead join forces with the police, government, professional bodies, consumers, multi-national organisations and, of course, the media. It's time to move from the Cyber Wild West to a rule of (international) law based system where the victims know e-justice can be done."

The last post

In conclusion then, the jury is still out as far as the whole going to war against cyber-crime argument is concerned. However, no matter what your opinion on the matter, it may be something of a moot point as Don Smith, director of technology at Dell SecureWorks, reminds us. "A military style approach is an effective one, but most budgets will not make it possible to achieve this on an on-going basis for an organisation’s entire IT system. Determining what a company’s most sensitive data is, keeping tabs on where it is stored, and minimising who needs to have access to it, is a key part of a solid IT security strategy. 

"There’s no benefit to be gained from spending more on security than the information is worth.  In creating one ‘locked-down’ area on a network, businesses will gain the benefit of a military-grade approach without incurring massive costs as only the most sensitive data needs to be behind a virtual barbed wire fence. Cyber criminals conduct highly targeted attacks and so a targeted defence is warranted."