What Boxing and Knife Sparring Teach about ICT Security

Time and space are two key factors in any strategy, whether offensive or defensive. This is true regardless of whether you are involved in a large-scale, symmetric conflict, in an ambush or in a direct attack. There are, though, serious differences among the possible reactive approaches, depending on the factual circumstances.

An empty-hand attack can be handled by accepting a hit as a way to “close the distance” and gain a tactical advantage. This is best exemplified by the way boxers manage the opponent: they may get partially hit by a jab, but in the meantime they set themselves in the right position, and at the right time, to land a devastating cross.

Knife sparring – let alone actual “fighting” or self-defense – requires an entirely different approach. In this kind of training it is mandatory not to be hit, because a hit actually means a “cut”. Therefore the training focuses on staying as far as possible from the blade and on hitting the opponent’s hand with the defender’s knife (this is called “defanging the snake”). In knife sparring everything is faster and the reaction options are very limited: you don’t backstep and then hit back, or try to catch and parry a knife flying around your face or guts, as you would with just a bare fist.

This key difference maps onto a commonly underrated question when designing an ICT security model: is the infrastructure able to sustain a hit and remain operational while the “defense team” is summoned (as in boxing sparring)? Or is the infrastructure not designed to act like that, so that, once hit, its operational capability is progressively hampered (as in knife sparring)?

The answer to this question is important because it helps the security manager better define the structure, the roles and the budget of the incident management team.

On Killing (A disturbing attitude on ICT Security)

A lot of ICT security musings don’t take into account that before being “ICT”, security is first “security”. This means that in designing a strategy, the “security architect” should know the basic meaning of the word: preventing threats and, should the worst happen, terminating the threat as fast and ruthlessly as possible.

When Security Becomes Service Disruption: the Banca Popolare di Bari Case

The message reads: “For security reasons, this ATM doesn’t provide cash between Friday 16:30 and Monday 09:00. We are sorry for the inconvenience.”

This way of looking at IT security reminds me of those Security “Managers” who used to advise unplugging the Ethernet cable at the daily close of business, to put it back the very next day.

Security can’t be a way to make customers’ lives more miserable. The challenge for a Security Manager is exactly the opposite: to let customers do their business while keeping the environment safe.


After Apple, Facebook Is the Next Target of Judicial Orders to Cooperate With Prosecutors

According to a statement published on the Brazilian Policia Federal’s website, a criminal court issued a “mandado de prisão preventiva” (roughly, a pre-emptive arrest order) against Facebook’s representative in Brazil, charged with not having cooperated in providing information about a Facebook page.

The Brazilian court, unlike the San Bernardino one in the Apple case, chose to take its white gloves off and go straight for the jugular, leaving no doubt that cooperation with the public prosecutor is a mandatory duty for everybody, tech companies included.

By comparing the Apple and Facebook cases (and Google’s public position on the topic) a disturbing trend emerges: Internet companies (at least the so-called “Over The Top” – OTT) “think different” about themselves. Why should the OTT be left alone, when an ISP is burdened (often for free, by the way) with providing a public prosecutor with wiretapping, data-retention, forensic support and data-mining services? Like it or not, corporate criminal liability and obstruction-of-justice regulation still apply to the OTT too, and the OTT must live with it.

This Facebook case further supports the opinion I’ve expressed about the true issue at stake: on one side, the lack of confidence in our social and legal system as a whole, and thus the fact that you can’t actually trust a magistrate and a law enforcement agency; on the other side, the “Übermensch” syndrome that affects (not only high-tech) companies and leads them into thinking that they have the “right” (or the power) to part right from wrong.