The Art of War by Sun Tzu is among the most famous works on military strategy. Over the coming weeks, Accellis will adapt many of these timeless lessons to the modern cybersecurity theater. By understanding fundamentals of security and military theory, firms will be in a better position to respond to these threats.
Sun Tzu said, “…water shapes its course according to the nature of the ground over which it flows…just as water retains no constant shape, so in warfare there are no constant conditions.”
Tzu is imploring generals to shape their course of action by the conditions of the field. “The soldier works out his victory in relation to the foe whom he is facing.” Also, “To secure ourselves against defeat lies in our own hands, but the opportunity of defeating the enemy is provided by the enemy.” And, “Do not repeat the tactics which have gained you one victory, but let your methods be regulated by the infinite variety of circumstances.”
We have heard variants of this advice: “Empty your mind. Be formless, shapeless – like water. Now you put water into a cup, it becomes the cup. You put water into a bottle, it becomes the bottle… now water can flow or it can crash… Be water my friend.” -Bruce Lee
The military truths here are that to win any engagement, you must be prepared for any scenario, any threat, at any time. Your systems, controls, and training provide an almost infinite flexibility in dealing with the multitude of threats you face. Leverage them. There are no constant relations in warfare. How you were attacked last time is a matter of history, not regularity. Do not ride on your laurels.
If your systems harbor data gold, and you understand the attack vectors to that warehouse, you are in a position of significant strength. The Defense in Depth methodology utilizes layered security, providing a framework of cybersecurity and response that is up to the task. If I were to count 30 steps linearly, I would end at 30; if I were to count 30 steps exponentially, I would end at 1.07 billion. Layering security controls makes entry into your system exponentially harder.
Each threat you face must be integrated into an overarching security framework: patching & exploits, DDoS, spear phishing, ransomware, socially engineered attacks, rogue employees. Each specific attack is a unique case, never to be fully repeated in the same way. By designing your data, software, hardware, and human (policies, access controls, etc.) systems with a variety of layers, one on the other, when a person, system, piece of hardware, or firm policy fails, it is “caught” by the safety net of other controls. This is the “art of war [which] teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him.”
Our next posts will include lessons drawn from the following famous quotes:
- Sun Tzu said, “…there are not more than [three] primary colors…yet in combination they produce more hues than can ever been [sic] seen.”
- Sun Tzu said,“…he wins battles by making no mistakes…making no mistakes is what establishes the certainty of victory.”
- Sun Tzu said, “…supreme excellence consists in breaking the enemy’s resistance without fighting.”