[BreachExchange] Sun Tzu's 'The Art of War' for Cybersecurity

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 2 18:55:39 EDT 2017


https://www.infosecurity-magazine.com/opinions/sun-tzus-art-of-war-cybersecurity/

An ancient Chinese military treatise from the 5th century BC, The Art of
War by Sun Tzu, is considered a definitive work on military strategy and
tactics. Through the ages, military leaders have been inspired by it, even
to this day.

Beyond the military, its advice on how to outsmart opponents has been
applied to various competitive fields from business to sports.
Increasingly, as warfare moves from the battlefield to the realm of
cyber-space, its principles are being seen as especially applicable to
cybersecurity.

Despite being written thousands of years ago, these classic principles of
strategy remain relevant to the modern defender of IT infrastructure. They
apply not only to defense but also to understanding how attackers think and
operate.

Know the Enemy and Know Yourself
One of Sun Tzu's most often quoted maxims has enduring resonance for many
situations in life, including cybersecurity. To understand how an attacker
is likely to operate, we must first understand their motivations and what
they are trying to achieve. Once we know which assets they are likely to
target, we can focus our protection on those assets instead of spreading it
evenly across everything.

To be properly prepared for cyber-incidents, we must also have a clear
understanding of our own business and infrastructure: where is our data
held? What software are we running, and is all of it patched and
maintained? Is the proper training in place for staff? An asset inventory
that cannot answer these questions is itself a gap, because you cannot
defend what you do not know you have. Attackers will always 'strike at what
is weak,' and employees are often the weakest link in the security chain.

All Warfare is Based On Deception
Many of the methods used by attackers are based on deception, whether
that's social engineering in general or phishing, spear phishing and
whaling in particular. Often used to trick unsuspecting employees into
opening malicious attachments or links, phishing attacks are becoming
increasingly sophisticated. In business email compromise, attackers pose as
senior members of staff, even the CEO, and request that funds be
transferred, relying on authority and urgency rather than on any malware at
all.

Recent ISACA research has found that 1 in 5 UK office workers have fallen
prey to phishing scams, while over half said their employer has not
provided any cybersecurity awareness training. Employee training and
awareness are key to limiting the risk of deception by malicious attackers,
and as the example above demonstrates, this training needs to be rolled out
to the most senior staff, too. Training alone will not stop a well-crafted
request, however, so payment and data-transfer processes should require
out-of-band verification of any unusual instruction, regardless of who
appears to have sent it.

Attack him Where he is Unprepared, Appear Where you are Unexpected
While employees can be a weak link in the chain, they are not the only
route inside an organization. It's important to remember that attackers
will also have been trained to know their enemy and, in preparation for an
attack, will have done their homework on all possible routes and
weaknesses: exposed services, forgotten test systems, third-party
connections and the like. Organizations should therefore consider every
avenue of access and what vulnerabilities each might have.

Fortunately, with exercises such as penetration testing, organizations can
assess their own security before an attacker does. A penetration test goes
beyond scanning systems for known vulnerabilities: testers attempt to
chain weaknesses together the way a real adversary would, and a simulated
phishing campaign run alongside it tests employee knowledge and awareness
under realistic conditions.

Just As Water Retains No Constant Shape, In Warfare There Are No Constant
Conditions
Attackers are agile, so organizations need to be as well. As organizations
become wise to traditional attack methods, attackers simply develop new
ones, in a constant arms race for supremacy.

At the same time, businesses are continually evolving and adapting, whether
that's upgrading systems, introducing new technologies or changing
business models. Businesses should be mindful that all of this change can
introduce new cyber security risks or remove old ones, so a security review
belongs in the change process itself rather than after the fact. One of the
best ways to be prepared is to keep up to date with the latest best
practice frameworks for enterprise IT, such as COBIT 5.

In the Midst of Chaos There Is Also Opportunity
When it comes to cybersecurity breaches, the rule is always 'when,' not
'if.' When breaches occur, organizations should focus on the lessons they
can learn and the improvements they can make as a result. The root cause
should be identified, along with the reason the intrusion went undetected
for as long as it did, and changes should be swiftly implemented to address
both, with the lessons learned shared with all relevant staff.

Suffering a breach can provide the opportunity to reflect on and revisit
the strategies organizations have in place. Why not apply strategies that
have been tried and tested over millennia? As Sun Tzu says, "To secure
ourselves against defeat lies in our own hands."