I write this article in one of those rare moments when I indulge in the belief that computer security is something that should be taken seriously. I do not want to disrespect the many professionals who try to work by seriously helping customers and employers to “keep the ship going”. Nor, however, can I pretend to ignore what the cybersecurity market was and has become. Without many hackers, there would not even be the slightest improvement in security caused by these stunts.
Crime’s apology? Incitement to commit a crime? No, merely stating an objective fact: in the field of computer security, it is not the fines that induce legal compliance.
This video shows the different penetrating power of various pistol caliber and gives a useful tip for those who (claim to) work in the IT security field: when setting up a perimeter defense, the “penetrating power” of the attack should be taken into account.
In other words, there is no “one-fit-all” solution when it comes to building a digital bulletproof vest, and if somebody thinks that a fancy leather jacket might be the very same than a kevlar vest with ceramic plates, he might be wrong. Deadly, as it would be the infrastructure he claimed to protect.
Time and Space are two key factors in any strategy, whether offensive or defensive. ? This is true regardless you are involved in large scale, symmetric conflict, in an ambush or in a direct attack. There are, though, serious differences among the possible reactive approaches according to the different factual circumstances.
An empty hand attack can be handled by taking into account to be hit as a way to “close the distance” and gain a tactical advantage. This is best exemplified by the way boxeurs manage the opponent: maybe they get partially hit by a jab, but in the meantime they set themselves in the right position and time to hit with a devastating cross.
Knife sparring – let alone actual “fighting” or self-defense – requires an entirely different approach. In such kind of training it is mandatory not to be hit because a hit actually means a “cut”. Therefore the training is focused on being as far as possible from the blade, and hitting the opponent’s hand with the defendant’s knife (this is called “defang the snake”.) In knife sparring everything is faster and the reaction’s options are very limited, as you don’t backstep and then hit back, or try to catch&parry a knife flying around your face or guts, as you would with just a bare fist.
This key difference matches a common underrated assessment when designing an ICT security model: is the infrastructure able to sustain a hit and remains operational while the “defense team” is summoned (as in the Boxing Sparring)? Or the infrastructure is not designed to act like that and, once hit, its operational capability is progressively hampered (as in the Knife Sparring)?
The answer to this questions is important because it helps the security manager to better define the structure, the roles and the budget of the incident management team.
A lot of ICT security musings don’t take into account that before being “ICT”, security is first “security”. This means that in designing a strategy, the “security architect” should know the basic meaning of the word: preventing threats and, in case the worst happens, terminate the threat as fast and ruthlessly as possible. Continue reading “On Killing (A disturbing attitude on ICT Security)”