What can cyber security professionals learn from Sun Tzu’s ‘The Art of War’?
April 9, 2018
Warfare, after land, sea, air and space, has entered the fifth domain: cyberspace. Cyber warfare is a reality. Yet how well versed are security technicians in the history of battle and war strategy?
As part of our cyber warfare focus at TEISS, we recently met with Chris Pogue, Head of Services, Security, and Customer Integration at Nuix, who explained how the ancient teachings of Sun Tzu can prepare enterprises for the war on cybercriminals.
Chris highlighted a mantra he has always stuck to from the ancient military treatise The Art of War: "If you know the enemy and know yourself, you need not fear the result of a hundred battles."
This cardinal rule forms the genesis of the Nuix Black Report – a survey of professional hackers which examines the security landscape from their perspective.
In an attempt to figure out what is continually going wrong with our cyber security, Chris rigorously studied a range of security strategies and realised that there is always someone missing from the table. The legal team is there, IT is represented, there'll be a risk officer – but who is never there? The adversary.
"We call it social lubricant or liquid diplomacy," Chris explains. He conducted his research for the Black Report in an unconventional way – by throwing a party. "We went to DEFCON and threw a party with an open bar for hackers, hoping to receive some answers from the people who are not conventionally at the boardroom table."
Chris highlights: "We do a good job of knowing ourselves; we know our weaknesses and we know what we should do – but we don’t know our enemy." He goes on to say that we presuppose what the cyber warfare adversary is going to do, superimposing our own beliefs onto them, as opposed to researching the enemy properly and asking them directly what they are going to do.
By bringing the hackers to the table, Chris gained unique insights into the current threat landscape and the practical steps organisations can take to combat cyber-attacks. Some of the results he expected, but others came as a surprise. For instance, hackers admitted that patch management is the number one security barrier: hacking into a system is not difficult – they exploit vulnerabilities to get in – but when patches are in place, the adversary has to look harder and longer.
The research also found that data breaches take an average of 250–300 days to detect, if they’re detected at all, but most attackers admit they can break in and steal the target data within 24 hours.
Chris is the author of the Nuix Black Report. One of the key predictions from the Black Report was the emergence of ransomware-as-a-service.