I just finished my most recent stint as the IO SME for a Joint Public Affairs Contingency Course. As part of the operational play I had to devise an influence campaign to try to stop a BN CDR from attacking the capital city as ordered by his BDE CDR.
I must admit I wasn’t the best map-reader in the Army. I always tried to pair myself up with someone who was good at it. However, it was clear to me that before I could even develop my own MISO CONOP I had to understand the military operation. This meant assessing the convoy route, determining how long the convoy would be allowed to travel before being attacked from the air, etc. This analysis complemented the media analysis of how to reach the unit’s leadership.
Many people feel the same way about the cyber realm. In developing a graduate course for American Military University (AMU), “Cyber & The Intelligence Cycle”, I have one lesson which is a practical exercise. I thought it would be appropriate to provide some insight into cyber attack and defense along the lines of a classic military piece on small unit tactics. My version is a couple of pages and can be found below.
In this version I’ve brought it up to date and analogized the small unit infantry tactics to the cyber world of today.
There is a USMC-authored RAND version for Information Operations practitioners, 50 pages long, which can be found at: http://bit.ly/2oL1XRI
First Dream
“Do not put off defense” can be interpreted to mean: employ an active, layered defense. Defense in depth means employing a number of complementary security products and services, so that the failure of any single control is caught by another. These include multi-factor authentication, firewalls, intrusion prevention systems, etc.
“Locals” we can define as contractors, visitors, temporary employees and similar stakeholders. In the defense context the principle relating to ‘locals’ means that you treat everyone as a security risk: each must adhere to the same policies and procedures as employees and be subject to the same cybersecurity technology products and services as everyone else. Security needs to be uniform across all personnel seeking to access the organization’s information technology resources.
“Tents” in the cyber context means ensuring that all devices and networks have at least a minimum level of security, to prevent casual use by unauthorized personnel and to discourage would-be cyber trespassers.
Second Dream
The second dream makes a strong case for cyber concealment and deception. Techniques here can include honeypots and sandboxes. Honeypots and sandboxes are technical means whereby systems and/or networks are set up that are totally isolated from actual systems and networks. They are designed as decoys to attract, study, and entrap attackers. Both of these induce the attacker into an area where they can do no harm. A decoy earns its keep only if it is monitored: any activity on it is suspicious by definition and should raise an alert.
As to locals in this dream, the implication is that the organization treats its employees well so that they don’t covet the contractor’s position. Contractors should not be given favorable treatment, including with respect to covering shifts beyond the normal day-shift/weekday work schedule.
Third Dream
The third dream makes the case for stringent ‘local’ management. This may also allude to the 21st century enchantment with social media, and to the fact that family members might unwittingly be security risks or even targets. Executives and those in sensitive positions need to take special care to ensure that the organization’s sensitive data, prototypes, plans, etc. are not accidentally exposed on social media by family members. This bid for OPSEC means that family members should be aware of the dangers of social media and should have clear guidelines as to what they cannot do.
Comments with respect to trenches can be taken to mean that there is a need for an advanced security architecture. That architecture should also consider how organizations maintain security in the face of advances in smartphones, tablets, etc. Systems should be designed with cybersecurity as a core foundational element rather than as an add-on feature after the systems or applications are fielded.
Fourth Dream
There are several key points contained in the 4th dream. First of all, the dream correctly realizes that cyber is everywhere. This is especially critical given the growth of the Internet of Things (IoT) as the 21st century version of Supervisory Control and Data Acquisition (SCADA) systems. Advice about guarding your rear could easily be interpreted as: watch out for intentional (created by bots, perhaps) or unintentional backdoors. Today’s software is highly complex and contains tens of thousands of lines of code. Product flaws, whether known or unknown, can offer inviting entry points for attackers.
Huddling the men could be interpreted as meaning: don’t put all your sensitive data in one spot. This principle is a driving force behind cloud architectures and software as a service. Data centers are giving way to web services for a variety of reasons, with cost reduction being a primary consideration and advanced security such as that provided by Amazon Web Services (AWS) being another. Not that AWS is impregnable. They make it clear, in what AWS calls the shared responsibility model, that the client bears a heavy responsibility for security as well.
Concealment needs to be addressed both physically and logically. Physically, it is not good practice to make it easy to find your data center. Data centers should be concealed to add to their security, and they should be buffered with appropriate physical security measures.
Interestingly enough, the 4th dream makes a case for penetration testing: “Look from the enemy’s view.” As a practical matter, penetration testing should be holistic. While employing white hat (good guy) hackers to test your IT security posture is a good idea, Human Intelligence (HUMINT) operatives should also be considered, to test resistance to social engineering and other people-based efforts.
Fifth Dream
The fifth dream makes a case for deception. Read industry expert Bruce Schneier’s brief summary at: https://www.schneier.com/blog/archives/2014/08/us_air_force_is.html.
Sixth Dream
Use everything you have learned in all the other dreams to come up with the best possible cyber defense in your own situation.