
Tuesday, August 19, 2008

Information Security Jedi: Form II Lightsaber Combat

The most elegant and beautiful of the basic forms of lightsaber combat was form II. This form emphasizes clean moves, parries, and thrusts rather than the blocking and slashing of other forms. There is a discipline within information security that can claim the title of being so beautiful and so difficult to master: risk management.

A master of risk management meticulously calculates the probability of some event happening, the damage that can be done from that event, and how much effort the organization must put into mitigating that threat. No wasted movements, no throwing money at the problem to make it go away. If some event manages to do damage to his information, he can rest assured that he put precisely the right amount of effort into stopping that event and go on with life. Practitioners of other forms might beat themselves up for not preventing it from happening.

There are several hallmarks of form II information security combat. The form II practitioner is more likely to develop and use metrics to measure the effectiveness of the controls that have been put in place. This person is also likely to use finance and statistics tools like normal curves and Net Present Value to estimate what must be done to protect the network. Although regulatory compliance is not strictly related to risk management, you will often find that masters of form II are well versed in PCI, HIPAA, Sarbox, GLBA, and other regulations that affect their organization.

Form II is not without its weaknesses. Principal among them is that there is little focus on developing a deep bench of security controls. Once your numbers have justified a control to mitigate some risk, it is difficult to justify more money to mitigate that same risk. This is typically the domain of form III lightsaber combat.

Practitioners of form II are typically senior manager types or security professionals that come from an accounting or finance background. The accounting and finance field lends itself to the deep analysis required for mastering form II.

As an information security Padawan, I feel that I haven't come close to mastering any of the basic forms of combat. However, I feel that I am strongest in form III. I have only recently become aware of the power and elegance that comes from form II. I intend to study form II more carefully and start trying to incorporate form II into my combat style and possibly even master the form.

Wednesday, August 13, 2008

Information Security Jedi: Form 0 Lightsaber Combat

I'm going to put my Star Wars nerd cap back on and talk about the parallels between information security and the Star Wars universe. In previous posts on the topic I introduced the concept that in our world, information is like the Force. Our tool kits become our lightsabers and how we choose to use those lightsabers can be compared to the various forms of combat used by the Jedi.

We cannot neatly tie each form of lightsaber combat to a discipline in the information security field, but there are a couple that do fit nicely that I'd like to point out. In this post, I'm going to talk about Form 0 lightsaber combat.

For the Jedi, Form 0 was not a form of lightsaber combat in the typical sense of the word. It has no attack forms because Form 0 is a term used for the defensive techniques a Jedi used to avoid lightsaber combat. It was the art of finding alternate means of solving a problem.

This is a very noble and important skill for a Jedi to have, but it doesn't really have any place in the world of information security. I mean, if someone is going to steal your data you're not likely to have an opportunity to talk them out of it. What do we call it when someone doesn't secure a system and instead tries to prevent anyone from attacking it to maintain security? Well I call it Security by Obscurity, and it is the bane of information security professionals everywhere.

I'm not going to spend any time talking about Form 0 in the information security world because it is completely useless to us. It doesn't help us to meet any regulatory compliance, it certainly doesn't help to keep anything secure (since by nature it is a lack of security mechanisms) and it isn't very effective since it is pretty much assured that someone is going to work their way through your obfuscation. It was the same way for the Jedi. Form 0 was great for avoiding conflict, but if someone swung a blaster around to a Jedi, he or she would quickly pull out their lightsaber and use a different form.

In the toolkit of a Form 0 practitioner expect to find lawyers that will sue anyone trying to research their product. Form 0 masters might use defensive techniques such as running services on non-standard ports, or changing file extensions so that it isn't obvious what the file is for.

Tuesday, August 5, 2008

Information Security Jedi: Lightsaber combat

It's been a while since I wrote about my observations comparing information security to the Force and its practitioners to the Jedi and Sith. I've talked about the information that we protect and how that can be likened to the Force and how the toolkit that we use to protect or exploit information can be thought of as our lightsabers. So now we should take a moment to talk about lightsaber combat. This introduction will kick off a series of posts about the various forms of lightsaber combat.

The Jedi and Sith both mastered different styles of lightsaber combat. Their chosen style was a reflection of their teaching, their physiology, and their personalities. All Jedi were trained in the basic forms of lightsaber combat but very few of them mastered each form. I believe that it is the same for the information security practitioners of today. There are several ways of defending information and exploiting information, but few people have mastered all of them.

This is a realization that came to me when I was reading about the various forms of lightsaber combat. I saw that some of the forms were similar to some of the disciplines in the information security field. I've mentioned before that I am a lowly Padawan in the world of information security, and I confess to sometimes feeling overwhelmed by the various ways that things can go wrong. Sometimes it seems like there are a million things that you need to know if you're going to be an information security professional. But then I realized that even the Jedi Masters were not masters of every form of lightsaber combat. Surely I cannot be expected to master risk management, penetration testing, forensics & IR, and industry compliance. Much like the Jedi Masters of old, I will attempt to learn each discipline of the information security industry, but I will only attempt to master two, possibly three.

I will not attempt to draw a direct comparison between each form of lightsaber combat and a discipline in the information security field, but there are a few interesting parallels that I will explore in future posts.

Form 0
Form II

Thursday, July 10, 2008

Information Security Jedi: Lightsabers

Over the last couple of weeks I've been making comparisons of the information security profession and the Jedi of the Star Wars Universe. I've talked about the Force, the Jedi, and the Sith. Today I'd like to talk about the primary weapon of the Jedi and the Sith, the lightsaber.

A lightsaber is essentially a laser sword that will pass cleanly through almost anything except for another lightsaber and certain exotic metals. It was used almost exclusively by people that were sensitive to the force because it was not very easy to use. Without proper training the lightsaber could be fatal to the person using it. And even if the person was able to use a lightsaber without killing himself it is hard to use it effectively unless you have the reflexes of someone strong with the Force. With all of these limitations, you might wonder why anyone would use this weapon. Well, in the hands of someone who is well trained and strong with the force, there is no finer weapon. It can slice through almost all melee weapons with no effort whatsoever, and it can be used to deflect blaster shots. A skilled Jedi could even throw the lightsaber short distances making it into a ranged attack weapon. It was elegant, small, lightweight, and became the very symbol of the Jedi order.

The lightsaber was as much ceremonial as it was functional. One of the major tasks of a Jedi or Sith apprentice was to construct a lightsaber. The apprentice would spend a significant amount of time building the lightsaber hilt, selecting the perfect crystal, and using the Force to improve the efficiency of the device. The shape, size, and weight were often determined by the species of the owner, and the style of lightsaber combat favored by the owner. I'm going to spend some time in the upcoming weeks talking about forms of lightsaber combat because that was what really sparked my interest in comparing the Jedi to information security professionals. For now, let's just say that there are different ways to use a lightsaber depending on your strengths, weaknesses, and goals.

For the information security professional, it is the tool kit that becomes his lightsaber. Think about it, you spend a great deal of time selecting which tools you want to assemble. Some of them are pretty standard, like nmap or nessus, and others are more specific to the work you do, such as the sleuth kit. An information security professional carefully decides which tools he is going to master, which ones he will keep a working knowledge of, and which ones to discard. This becomes the lightsaber of the information security professional. It is this toolkit that will be used to defend the information of the organization.

Using the lightsaber of information security, our Jedi can redirect attacks that are aimed at them, and in some cases, prevent attacks from occurring just by making his or her presence felt. An information security Jedi will spend as much time practicing with his or her lightsaber as any Jedi did in the Star Wars Universe.

How does this comparison help you with your career? Remember that the set of tools that you use is the very weapon of your trade. Work hard to master the utilities in your toolkit, and remember that you probably don't have room for everything. If you become a master with your lightsaber, you will find that you don't have to use it as much, which will help you to advance in your career, and when you do have to use it you will be able to put down problems much more quickly.

As an example, I would point to my early days as a security Padawan. We had a worm spreading around our campus and we needed to eliminate it. As with most malware, Symantec antivirus was able to detect it, but wasn't doing anything to prevent machines from getting infected. I had one individual working with me who is much more experienced with the tools of information security, although IT security is not his full time job. I attacked the problem by gathering a sample of the malware, and installing it in an isolated virtual machine. I then used tools like filemon, regmon, and wireshark to find out what the program was doing on the wire. I discovered that after a machine was infected, it would make a DNS request for a particular host. I then set up a rule in snort to look for any DNS requests for that host and used the alerts to identify machines that were infected. My co-worker examined packet captures and looked for common elements among the machines. He determined that the worm was making use of a bug in VNC that was just under 1 year old. He then used nmap to scan our entire IP space for machines listening on the VNC port, and then ran the results through Nessus to find out which machines were vulnerable so they could be updated.
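The DNS-beacon detection described above, as an added example that is not the author's code: it encodes the beacon host name into DNS wire format so a Snort rule can match the exact query, and it counts which clients resolved that name in resolver query logs. The host name, the Snort SID and the BIND-style log lines are constructed placeholders, since the post does not name the worm's beacon host.

```python
import re
from typing import Dict, Iterable

# Placeholder for the host the worm looked up after infection (not named in the post).
BEACON_HOST = "beacon.invalid.example"


def dns_wire_name(hostname: str) -> bytes:
    """Encode a hostname as a DNS QNAME: length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in hostname.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"invalid DNS label: {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def snort_content(wire: bytes) -> str:
    """Render bytes for a Snort content match; label lengths and the terminator become |hh| hex."""
    return "".join(chr(b) if chr(b).isalnum() or b == 0x2D else f"|{b:02x}|" for b in wire)


def snort_rule(hostname: str, sid: int) -> str:
    """Alert on a UDP DNS query whose QNAME is exactly hostname (question section starts at offset 12)."""
    content = snort_content(dns_wire_name(hostname))
    return (f'alert udp $HOME_NET any -> any 53 (msg:"Worm beacon DNS query for {hostname}"; '
            f'content:"{content}"; offset:12; nocase; sid:{sid}; rev:1;)')


# Constructed BIND-style query log lines: clients 10.1.4.22 and 10.1.7.9 are the infected ones.
SAMPLE_LOG = [
    "19-Aug-2008 10:02:13.001 client 10.1.4.22#51234: query: beacon.invalid.example IN A +",
    "19-Aug-2008 10:02:13.410 client 10.1.4.80#40021: query: www.example.com IN A +",
    "19-Aug-2008 10:02:14.077 client 10.1.7.9#53012: query: BEACON.invalid.example. IN A +",
    "19-Aug-2008 10:02:15.300 client 10.1.4.22#51240: query: beacon.invalid.example IN A +",
    "19-Aug-2008 10:02:16.512 client 10.1.9.3#33890: query: notbeacon.invalid.example IN A +",
]

QUERY_RE = re.compile(r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN ")


def infected_hosts(log_lines: Iterable[str], beacon: str = BEACON_HOST) -> Dict[str, int]:
    """Map client IP -> number of lookups of the beacon name (exact, case-insensitive match,
    so a sibling name such as notbeacon.<domain> is not counted)."""
    hits: Dict[str, int] = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and m["qname"].rstrip(".").lower() == beacon.lower():
            hits[m["ip"]] = hits.get(m["ip"], 0) + 1
    return hits


if __name__ == "__main__":
    print(snort_rule(BEACON_HOST, 1000001))
    for ip, n in sorted(infected_hosts(SAMPLE_LOG).items()):
        print(f"{ip} resolved {BEACON_HOST} {n} time(s)")
```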

We each took a different approach to solving the problem, and while both were effective, his mastery of tools allowed him to put down the problem much faster and in a more proactive way. We were able to patch machines that hadn't been infected yet, which is always the best way to fix a problem. Thus his mastery of the lightsaber allowed him to eliminate an attack more quickly and also to prevent some attacks from happening at all.