Wednesday, February 24, 2010

The Cyber Warrior Mentality - The Security Warrior

“The basic difference between an ordinary man and a warrior is that a warrior takes everything as a challenge while an ordinary man takes everything either as a blessing or a curse.”

-Carlos Casteneda, American author 1925-1998

I have been thinking about the warrior mentality a lot lately. It started several weeks ago when someone I was speaking to (yes you, Stewart) about cyber security referred to something I said as being indicative of having a warrior mentality. It struck me as interesting because my business partner talks about having a warrior mentality a lot, and as I had this discussion I was more than a little taken aback by the uncanny parallels between myself, my business partner, and this complete stranger I was discussing security with. Partway through our conversation I began predicting what he was going to say, based on my understanding of the situation, and it was dead on every time.

It was like he was reading my mind.

Yet this was not what I found strangest of all. As I began "gathering intelligence" in my attempt to better understand the vendor space in the cyber security landscape (needs, requirements, activities) as it relates to The Smart Grid, I consistently ran into two distinct types of people. One was the more marketing oriented type, who simply discussed security in a manner that was indeed befitting of the vendor (a security apologist if you will), and the other was the security contempory - or the "Security Warrior" as I now like to call it.

Okay, I know this may sound odd to some, but for those who fit into the category I am sure it makes perfect sense.

As a security professional who began his security career as an administrator who was thrown into the battle due to outside attacks on the company network, I was charged with fixing the problem, and I was given very few tools (and even less time) to do so. My boss did not want to hear anything about expensive firewall hardware, or outside consulting, or anything like that. I was in charge of IT, so it was my job to fix the problem, and to do so within the confines of the limited budget I had available to me.

Oddly enough, I did not view this directive with frustration or with disdain. I simply took it as my marching orders and did the best I could with it. I had been sent out to the jungle with a book of matches and a pocket knife, and it was my duty to survive with those tools, and my wits. Come to think of it, I loved it!

Having less to work with really makes some people think hard and "outside of the box". Not all people, however. Some people simply cannot cope with the situation, and give up. Others pretend that things are going to miraculously work out through some sort of cosmic intervention, and simply wait for things to change. Sometimes this inaction mentality works out for them, but it is not because of divine intervention (although I do believe in God, but that is another discussion), but it is often because someone else picks up the slack.

When given a limited toolset, the warrior does not fret. He (or she) simply takes inventory, and then begins studying the enemy, beginning with the enemy within. Fear, shame, guilt, doubt, and other such feelings and mental states are identified for what they are and dealt with promptly and effectively. The warrior studies the landscape and determines where the danger zones lie at every given moment (because they are always changing), and what to do to stay out of danger. The warrior immediately determines what threats are real, what threats are not real (but are actually more perceptions than real threats), and what threats may come, and prepares accordingly. If the threats come from other people (the biggest threat of all), then the warrior does all he can to study the perceived enemy to determine both the level of the threat and the mental state of the potential enemy. If the warrior determines that the enemy is indeed real, he does NOT rush to kill the enemy. The warrior then studies the enemy and determines if the enemy himself is indeed a true warrior as well.

THIS IS IMPORTANT !!!!

The most effective players in the cyber battle are those with a warrior mentality, ON BOTH SIDES OF THE BATTLE. A warrior views the most effective enemy as a CONTEMPORARY, who is fully capable of being just as strategic and calculating as he is (if not more so). A warrior will watch his enemy take control of a battle and marvel at the strategic nature of the enemy with deference, and then file that away as another tool in the arsenal. He may never use this tool, but he will understand it enough to know when it is being used (or about to be used) again, and will know exactly what to do to either prevent it from being effective, or prevent the enemy from using it to begin with.

Let me return back to Earth for a moment and discuss my first major security breach as a CIO. I was in charge of a medium sized retail operation, with lots of remote retail locations logging the point of sale system into our corporate serves to perform transactions (using the Remote Desktop Protocol). It was an elegant solution that worked marvelously...most of the time. One afternoon I began receiving lots of complaints from the store managers because the system had slowed to a crawl. I asked one of my team members to look into it, and he found nothing out of the ordinary, but did indeed notice a spike in outgoing traffic that seemed to be sustained. Outgoing traffic spiking was not unusual, but sustained spikes were indeed out of the ordinary.

As I shifted to the hands-on approach, I noticed the traffic was on one particular port (I do not remember the port number), and it was not one of our known ports (21, 80, etc.), so I knew something was up. I was completely fascinated at this point (although I knew someone uninvited had entered our network), and began investigating. I narrowed the culprit down to one particular server, and a careful study of the server logs revealed activity going on in the recycle bin.

Huh!!!

As it turns out, someone from Korea (I traced the IP address to Korea) had installed an FTP server in the recycle bin on the Windows server, and was serving pirated Hollywood movies from my network. ABSOLUTELY BRILLIANT !!!

I was literally tickled pink by this feat of trickery. Why had I never thought of that back in my early days of "file sharing" cat and mouse gamesmanship? Touché indeed my Korean enemy. Well played!

Of course, I knew simply getting rid of the server was not the solution to my problem. It simply treated the symptoms (slow traffic). I had to then discover the weakness in my network "armor" that had allowed the infiltration to begin with. As it turns out, it was one of the many recently patched security holes common to Windows based systems (at the time), and I had been hit prior to the patch. I fixed the patch, and then made it my mission to very carefully monitor system changes on a very granular level, which led me to the discovery that attacks on my network were happening on a very regular basis (port probing, hammering, etc.). It allowed me to study and learn my enemies' tactics, and I soon discovered that there were a lot more attempts than there were victories. Yet when the victories happened (and they did indeed happen), I learned how to stop them, and they did not happen in the same way ever again.

You see, dear reader, I placed an ENORMOUS value on the victories, because they exposed my weaknesses. One cannot effectively determine a correct strategy unless one clearly understands their weaknesses. However, a warrior who has the ability to swallow his pride can significantly reduce the number of victories the enemy has if the warrior is willing to take a step back and enlist the advice of contemporaries who have already lived through the battles, and especially the ones who have the battle scars to prove it.

As I speak to more of the people who have enlisted in the battlefront in the cyber war, I consistently run into those who have been forced to deal with security as an additional headache to deal with, and those who have a true warrior mentality. What I have found is that warriors are very good at spotting other warriors, and can usually do so almost immediately. The conversation, at this point, takes a completely different tone. Even though I am coming to them (in part) as a consultant who is trying to win brownie points with my client, who is trying to determine market opportunities (after all, everyone needs to pay bills), we immediately move past that as the discussion now becomes far more temporal. We begin discussing the evolving threat landscape, the strategic nature of the environment, and the tenacity of the enemy. We laugh heartily (yet respectfully) at the hyperbole, and focus on the true threats to our mission, which we often determine, in part, come from our side of the battle (cost constraints, time sensitivity, corporate politics, lack of transparency, etc.). We sometimes venture off into discussions that have nothing to do with our current positions, and recount tales of battles past, and battles yet to come.

It is, I surmise, much like soldiers getting together on leave or after a war. Not having been an actual soldier I cannot say this from an experiential viewpoint, but I have known enough soldiers and watched them interact with each other to know that the similarities are indeed valid. I can tell you that it is also much like parents discussing the battles and victories in raising children, which is something I am indeed achingly (and pleasantly) familiar with.

So this brings me around to a very positive understanding of the battle from a US Government/Military being involved perspective. We often hear that the US Government is not very good at dealing with cyber security (and they have indeed admitted their shortcomings in that space), and that we are in big trouble because of that. I would tend to agree with such fear mongering if it wasn't for the indisputable fact that the US Government is arguably the best IN THE WORLD at gathering warriors to fight its battles. The US Military has spent literally hundreds of years perfecting the art of war, and despite their lack of understanding of the artillery (bits, bytes, laptops) or the enemy tactics (hacks) in the ever evolving battlefront, they are certainly quite good at understanding the warrior mentality. That is why, for example, I believe we are well served by having Michael Assante serving as the head of cyber security for NERC. His job is to separate what is "real" from what is "not real", and to manage the ever evolving battle plan, and make sure that every soldier (i.e vendor, utility, etc.) in the battle is following the plan. Nearly everyone I have spoken to that falls under what I deem the "Security Warrior" mentality finds Mr. Assante's assertions to be dead on. Mr. Assante, by the way, served in the US Navy for 6 years.

Some may argue that our US Military is nothing to be proud of, but I think they are missing the point if they do. We do not win every military battle we fight it, nor are we always justified in what we do militarily (which is subject to opinion), but we definitely are very effective the majority of the time. Moreover, we have certainly succeeded to the point where Americans find the prospect of domestic battle so foreign that something horrific (like the 911 incident) is seemingly incomprehensible. Yet foreign countries throughout the world deal with their own versions of the 911 incident every day. Our combined defenses and offenses have indeed managed to generate some ill will both foreign and domestic, but they have also managed to make us not only feel safe, but actually BE SAFE!

So I am hopeful and indeed confident that as we engage this cyber war with more of a warrior mentality that we will indeed manage to both survive and indeed thrive and feel quite safe as the battle evolves. We will engage the enemy, learn from the enemy, and indeed prove triumphant if we all swallow our self-serving interests long enough to take some cues from those who have received the battle scars.

...and frankly, I am excited about the opportunity to be a part of it.

1 comment:

'Scratch said...

Loved the Castaneda quote. Great post!