Tuesday, November 24, 2009

Shaolin Temple Hacks beg age-old question

I try to read the taosecurity blog, by Richard Bejtlich, when I can. For all of you fans of The Hitchhiker's Guide to the Galaxy, we could say he is a hoopy frood who really knows where his towel is.

In a recent post, Richard pointed out some information about recent hacker attacks against the Shaolin Temple in China. The temple was hacked "three times in a row", according to abbot Shi Yongxin.

This of course begs the age-old question. Which is better: Chinese Martial Arts, or Japanese Martial Arts.

So here is the answer:

It depends upon the practitioner.

That may sound like a cop-out answer, but I assure you it isn't. One must know their limitations and their strengths if one is to excel at anything in life. A short and stout person with short arms and legs, in most cases, should not be surprised if they have a hard time mastering a martial art that requires high jumping kicks through the air. Even if they learn it all, when it comes to a real combat scenario they will find that they are on the losing end against similarly trained enemies with long legs and arms. One should seek to maximize their strengths and minimize their short-comings. In the end, it is more about the practitioner than the art they choose to devote themselves to. Given any genuine system of martial arts, it is all the same at the top. They are all paths that could be called "the art of winning".

How can we apply this to our cyber-jutsu?

You must start by knowing yourself, or in the case of cyber-jutsu, knowing your information infrastructure. We have talked about this in other posts - it is the basis of all good cyber-jutsu and must be accomplished before you seek to "know the enemy".

If you are running a web server farm, and have decided that your cyber-fu or cyber-jutsu will center around your packet-filter firewall, you are making a mistake. Certainly you will want to limit the traffic through the border router or firewall; but, your attacker will certainly look for weaknesses in your web implementation.

In such a case, we might be better served by taking a more "zen-like" approach to control. The Zen Master says that you cannot control another's actions. So, you should not try to control them. Instead, just watch them. In this way, you are in control in a wider sense of the word. In your cyber-infrastructure, this translates to out-of-band IDS systems that are tuned by those who "know" your applications. It might also translate to having a robust and fast restoration process. Surely the tao of true event correlation that leads to specific knowledge rather than piles of useless data could become a part of such a cyber-jutsu strategy. How else can we better know our selves? Perhaps adding a visualization strategy to effectively and quickly communicate threats would go far in improving our cyber-jutsu.

As in hand-to-hand combat with one or more attackers, the key to success is being aware and "in the moment", and "riding the martial wind". Yes, you need techniques. But you can learn techniques anywhere. In the Bujinkan, Sensei Masaaki Hatsumi
stresses learning the "feeling" of an attack. It should be no different for cyber-jutsu.

If you are struggling to decide which new "wiz-bang" security software or security appliance to purchase, I advise you to put your purchase request down. Hire another cyber-jutsu practitioner. Hire another Systems Administrator. Hire another Information Security Professional. Invest in the talent you already have in-house. Set up attack labs that mirror your environment, and learn the "feeling" of the attack. Most of you are not even reviewing your log files with any regularity.

The path to expert cyber-jutsu is different for each of us at times. But, in common, we have a long journey toward our goal.
"Step by step, we walk the thousand mile road."
- Miyamoto Musashi
The Book of Five Rings

You can check out Richard's post at: taosecurity

You can read the original news article at: PCWorld

-- Sensei Metajunkie

No comments:

Post a Comment