Firewall Wizards mailing list archives

RE: Castles and Security (fwd)


From: "Marcus J. Ranum" <mjr () nfr com>
Date: Wed, 03 Jan 2001 19:03:58 -0800

Lance Spitzner wrote:
> I feel that in general, the
> blackhat community does use guerilla tactics.  Find an easy kill,
> move swiftly, and disappear.  I'm going to have to play with this one
> some more.

I think there's a subtle distinction between terrorists and guerillas,
FYI. Guerillas (according to my dog-eared copy of Mao, anyhow)
focus on destruction of infrastructure and are organized as military
units. Terrorists focus on media manipulation, target "soft" and
splashy victims, and are usually organized in cell structures.
Guerillas are generally ideologically united, while there are some
terrorists that are apparently more interested in just causing damage
than in serving any particular cause.

In other words, I wouldn't dignify the hackers by calling them
"guerillas" ;)

> However, I still feel castles make an excellent analogy when you want to
> demonstrate how defense in depth can be applied.  Many organizations feel
> that by throwing up a firewall they are secure.  Castles use defense
> at every layer, networks should follow a similar concept.

Absolutely. Carcassonne (S France) is a great example of early walled
city construction, and has multiple layers of walls. Many of the walls
have fail-safe points - weaknesses are covered by backup walls that
have specific hardpoints from which to counter-attack if the wall is
penetrated. Lots of sneaky stuff: break through one door and behind
it is _another_ door. So in order to break the next door you have to stand
in this small room between the doors - a room that has slots in the
ceiling for pouring boiling oil. Ow. The medievals were not as nice to
their hackers as we are, today.

But let's look to the future. For now, the idea of perimeter defense
and defense in depth hold. What happens if those break down? Is
it possible that we will move into an environment in which defense is
_impossible_??  I think we're on our way there thanks to "firewall
friendly" applications, downloadable execution paradigms, and
reams of readily-available hackerware. The walls don't count for
anything because the attackers are able to transparently flow
through them. In a medieval castle, when you were under attack
you could close the gates. In a modern .COM website, when you are
under attack, you are trying to still interact with your customers!!

Classical anti-guerilla operations involve identifying infrastructure
targets and guarding them. Typically, they also identify "free fire
zones" - which allows the defenders to address the targeting problem
by simply assuming that anything in the FFZ is a target. In a terrorism
environment, it's much, much harder because you can't identify an
FFZ - there are civilians there carrying out their lives. So targeting
the bad guys is nearly impossible - you have to wait for them to stand
up and start shooting before you can go after them. And they have
complete freedom of movement (generally) in small numbers.

So I don't think you're defending a castle against hackers. I think
you're defending a city about the size of London, England. With a
perimeter that is about as well defined as London's. Within the
city, there are a huge number of targets, ranging from the obvious
big ones like Lords' (Hey, I was born Nov 5, OK?) down to every
waste bin that can hold a bomb and every parking space that can
hold a car bomb. Every person entering or leaving the city could
be a terrorist or a component of a terrorist cell. And, because it's
a living, breathing city, you _can't_ control people's movements.
There - do you feel _secure_, yet?

Right now, we're working in an environment where it's nearly impossible to tell
a "good guy" from a "bad guy".  In fact, a bad guy could probably mount a
credible defense for a while by merely claiming to be a good guy. That's not
possible if the target definition is a bit crisper.

> I've noticed more hacked websites have posts where the bad guys say they
> just modified the index.html page to prove a point.  An attempt to legitimize
> their actions.  Just check out the hacked sites on attrition.org,
> makes for an interesting read.

Terrorists are full of excuses, too.

This is another important consideration in terrorist/counterterrorist operations
vis Guerilla warfare. In dealing with terrorists it is absolutely critical to do whatever
you can to isolate them from the media. Because the message they are trying
to deliver is what they're willing to kill for. The dynamic they are trying to
achieve is to get the forces of authority to react to them, and thereby destabilize
the political situation by appearing (or being!) heavy-handed in response. As
soon as the "good guys" are so jittery that they start searching people on the
street or cracking down on people because they look or walk funny, they
have accomplished their goal of separating the people from the authorities and
making the authorities look scared and ineffective. Now, I'm not saying that
law enforcement is _scared_ of hackers, but ineffective might be a word that
would fit. The hackers today have the ear of the media to a much greater
degree than security practitioners (because they're such snappy dressers?) -
so there are lots of parallels.

The next question is: what to do about it? The answer's obvious, of course. :)

mjr.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards