Monday, January 13, 2014

What Ender's Game Teaches About Information Security

I was reading Ender's Game to my son several months ago…probably my fifth time through the book. I came across a passage that really resonated with me. Ender is at Command School and he just got the crap kicked out of him by Mazer Rackham for no reason that Ender could discern.

Ender was angry now, and made no attempt to control or conceal it. “I’ve had too many teachers, how was I supposed to know you’d turn out to be a--”

“An enemy, Ender Wiggin,” whispered the old man. “I am your enemy, the first one you’ve ever had who was smarter than you. There is no teacher but the enemy. No one but the enemy will tell you what the enemy is going to do. No one but the enemy will ever teach you how to destroy and conquer. Only the enemy shows you where you are weak. Only the enemy tells you where he is strong. And the rules of the game are what you can do to him and what you can stop him from doing to you. I am your enemy from now on. From now on I am your teacher.”[1]

This is threat analysis: understanding your assets and understanding your enemy, then predicting what they are going to go after and how they are going to do it. For intentional, malicious threats, the adversary chooses his target assets and the attack methods he will use to compromise each asset – no one else does. He chooses the battles that the protectors of the infrastructure will fight. He chooses the attack methods and, ultimately, he dictates the defenses that must be implemented to protect the infrastructure. Which enemies will attack your systems? Which of your systems will each enemy attack? What compromise methods will each enemy employ?

Securing an organization’s assets efficiently and effectively requires knowing the answers to these questions. Organizations that know the answers deploy the right controls to the right assets at the right time. They are flexible in their approach, changing their control structure to match the threat – adding new controls, enhancing existing controls, and scrapping controls that no longer provide value. Every control in the environment provides a good return on investment. The security controls for each asset match the risk specific to that asset. They are ready when threats act upon them. Ultimately, their security risk profile is correct and the financial statements prove it.

Organizations that do not know the answers to these questions do not have the right controls deployed to the right assets at the right time. They are often in fire-drill mode, reacting to successful attacks against themselves or to attacks that are pervasive among their peers. Their datacenter racks are littered with the blinking lights of security appliances that aren’t worth the power it takes to run them. They are not ready when threats act upon them. Ultimately, their security risk profile is not correct and the financial statements prove it, either through money wasted on unnecessary controls or through the cost of recovering from a compromise. Think TJ Maxx, Heartland Payment Systems, RBS WorldPay, and CardSystems Solutions.

Most of us operate somewhere between these two extremes. Wherever you are on this continuum, you want to move toward controls that correctly match the threat to your environment and your assets. Knowing which enemies will attack your systems, which of your systems they will attack, and what compromise methods they will employ will get you to a more efficient and effective risk posture.

Defend against attacks that will occur. Don’t defend against attacks that will never occur. Choose your battles wisely and fight them well.

[1] Orson Scott Card, Ender’s Game, pages 262-263, TOR Science Fiction