Sun Tzu and The Art of Information Security

By Steven Fox, Founder of SecureLexicon

This is the first installment of a weekly series exploring the Sun Tzu paradigm. I expect that some of you asked this question after reading the teaser headline.

While not the only treatise on military strategy, it does offer relevant insights that can be applied to our field. This week we will discuss the concepts of invincibility and vulnerability.

“Invincibility is in oneself, vulnerability is in the opponent” - Sun Tzu

Dictionary.com defines invincibility as being “incapable of being conquered, defeated, or subdued.” In the context of The Art of War, this is accomplished through self-defense.

Individual self-defense requires awareness of one’s tactical and strategic strengths and vulnerabilities.

Once this awareness is developed, one projects the image that reduces the risks created by potential opponents. While different in scope, this model is applicable to a corporation.

Dictionary.com defines vulnerability as being “capable of or susceptible to being wounded or hurt, as by a weapon.” Interestingly, this is viewed as being a function of the opponent.

This perspective seems inaccurate until you consider that vulnerabilities are discovered when a system is viewed from the perspective of an attacker. It is difficult to see the vulnerabilities in a process or system through the eyes of a user.

So how do I apply this to my environment?

In practice, it is unrealistic to build an invincible security plan for your organization.  However, there are things that can increase the attack costs for potential attackers:

1. Give your employees a stake in the business. On 3/15 I will post a discuss on business-case centered security awareness training.  Your team must understand the value of security to the success of the business and know they are enabled to act to ensure that success.
2. Understand the core competencies of the business and how your IT infrastructure supports them. This will allow you to connect securty investment to business goals.  Learn to view security risk from a business risk perspective.
3. View the organization from an attacker’s perspective. Now that you understand the value of your assets, put yourself in the shoes of someone who wants to control or disrupt those assets.  This will allow you to identify process and IT vulnerabilities that could be exploited.
4. Finally, encourage a movement towards tactical and strategic agility. The threats that face your organization are evolving. These threats may take the form of physical, cyber, or competitive threats that don’t currently exist.  You must be ready to identify and prepare for those threats.

In the next installment I will discuss how invincibility and vulnerability apply in the context of cyber warfare.

According to Sun Tzu, victory can not be manufactured, it can only be discerned.

Steven is an independent information security consultant. He holds a Masters in Business Information Technology from Walsh College, an NSA recognized Center of Excellence. He serves on the board of the Detroit ISSA chapter and is a columnist for the ISSA Journal. He is also the founder of SecureLexicon , a security advisory firm addressing the unique security concerns of nonprofit organizations.

He can be contacted at sfox@securelexicon.com
Follow him on Twitter - @SecureLexicon
Join Steven’s LinkedIn Network

*   *   *

Stay Informed With ISR News Feeds and Email Alerts Here:

Filed under: Breach, D&O Liability, FEATURE ARTICLE, Financial, Government, Insider Threat, PCI, Sarbanes-Oxley, Steven Fox, Uncategorized, national security, privacy 

Comments

• ISR Headline Index

  • Quick Tips for Using Secure Shell
  • Consolidate Compliance With Open Source
  • DoS Attack Reveals Widespread Vulnerabilities
  • Study Shows Employees Put Data at Risk
  • Tracking Google’s Script Kiddie Hackers
  • Newbie Introduction to Digital Forensics Part 2
  • Simple Log Review Checklist Released
  • Press F1 for Help? Microsoft Zero Day Threat!
  • A Newbie’s Introduction to Digital Forensics
  • Security Best Practice: Trust But Verify…
  • Google, Adobe, and Big Oil Under Attack!
  • Building your OWN Malware Lab (Part 2)
  • How Twitter Spam Steals From Google, Yahoo!
  • Tech Stocks Week in Review Featuring iPad
  • DoD Endorses Certification for Hackers

• Recent Comments

  • Ryan Aslett on Data Loss Prevention Has Jumped the Shark
  • Tom on (Lack Of) Encryption and The HITECH Act
  • ADMIN on Patriot Hacker Hits Jihad With DDoS Attacks
  • Robert Siciliano on Data Loss Prevention Has Jumped the Shark
  • Karen J. Cox on Data Loss Prevention Has Jumped the Shark
  • Scot McLeod on Outsourcing Breach Response Lowers Costs
  • John Marke on Gartner Tells CIOs to Embrace Social Media
  • Social Engineering and Enterprise Security | CIO – Blogs and … | Enterprise Engineering Addict on Gartner Tells CIOs to Embrace Social Media
  • From Russia, With Smartphones on Top 8 Social Media Security Threats
  • Judith Hoffman on Scam Alert: Rogue Gmail Account Phishing
• 
  

  Information Security Resources

  Top network security blogs

• Categories

  • Anthony M. Freed (26)
  • Bill Brenner (2)
  • Bob Violino (1)
  • Bozidar Spirovski (23)
  • Breach (540)
  • Britt Womelsdorf (5)
  • By Dr. InfoSec (2)
  • Cara Garretson (7)
  • CCCNews (1)
  • Chorey Taylor & Feil (8)
  • Christophe Veltsos (2)
  • Christopher Burgess (7)
  • CIOZone (26)
  • Class Action Lawsuit (111)
  • Cloud computing (106)
  • Coby Royer (5)
  • CTO Forum (9)
  • D&O Liability (594)
  • Daniel Wallace (5)
  • Danny Lieberman (11)
  • DataLine (10)
  • David Alexander (2)
  • Derek Crawford (1)
  • Doug Pollack (7)
  • due diligence (303)
  • Fame Foundry (1)
  • FEATURE ARTICLE (428)
  • Financial (580)
  • Fred Leland (7)
  • Gene Kim (3)
  • Government (366)
  • Greg George (5)
  • H1N1 (15)
  • hackers (532)
  • healthcare (127)
  • Heather Bourgoin (1)
  • HomeATM (8)
  • identity-theft (528)
  • IDExperts (17)
  • Ike Z. Devji (1)
  • Infosec Island Network (31)
  • Insider Threat (483)
  • Internet Crime Complaint Center (1)
  • Internet Security Alliance (64)
  • ISR News (321)
  • Jacqueline Herships (2)
  • Jenni Hesterman (3)
  • John M. Salomon (2)
  • John Watkins (7)
  • John-Patrick Skaar (2)
  • Kaliber Data Security and Compliance Consultants (3)
  • Kat Sanders (2)
  • Ken Leeser (3)
  • Kevin L. Jackson (10)
  • Kevin M. Nixon (21)
  • Larry Ketchersid (1)
  • Laton McCartney (7)
  • Lauren Taylor (1)
  • Linda McGlasson (1)
  • malware (494)
  • Mark Smail (1)
  • Mark Wright (1)
  • Mel Duvall (3)
  • Michael Eggebrecht (3)
  • Michael Lohr (1)
  • Michael O'Conner (4)
  • MicroSolved (1)
  • Mike Duncan (3)
  • Mike Meikle (4)
  • Mike Spinney (1)
  • Military (204)
  • national security (446)
  • PCI (301)
  • PCI Security Standards Council (32)
  • Physical Security (11)
  • privacy (545)
  • Rachel James (10)
  • reach (4)
  • Rebecca Herold (16)
  • Richard Stiennon (44)
  • Robert Siciliano (34)
  • Sarbanes-Oxley (495)
  • ScamStop (2)
  • Sean Wilkins (2)
  • Semyon Dukach (1)
  • Simon Heron (14)
  • Software Associates (11)
  • Steven Fox (19)
  • SUPERAntiSpyware (3)
  • Sybase (6)
  • Symplified (5)
  • The Jester (8)
  • The Privacy Professor (16)
  • Thomas R. Fox (8)
  • Tom Groenfeldt (2)
  • Tom McLain (2)
  • Trefis (14)
  • Tripwire (18)
  • Uncategorized (621)
  • virtualization (94)
  • Webcast (49)