Month: December 2008

Tactics Must Evolve

Throughout history war has become increasingly complex and tactics have evolved to compensate. In ancient times, walls were built to protect your city, foot soldiers made up the bulk of your army, and both sides knew how the battle would play out.

Effective tactics varied greatly, depending on:

  1. The sizes and skill levels of both armies
    • In a mass land battle, on open terrain, usually the army with the largest number of soldiers would win. Smaller armies had to get smarter so generals would change their tactics to attack and defend with smaller numbers.
  2. The unit types of both forces
    • Cavalry was added to the army to allow the outflanking of spear-wielding soldiers (pikemen, hoplites, and so on), which forced them to turn and face the charging horsemen. This allowed the attackers’ archers to fire volley after volley of arrows into the lines of soldiers, who, with their backs turned, were unable to protect themselves from both sides.
  3. Terrain and positional advantages of both armies
    • Most people have heard about the movie 300, which was a decent dramatization of the tactics that Leonidas I used in the battle of Thermopylae. The Spartans held the approaching Persian army at bay with only 300 Spartans, 700 Thespians, 400 Thebans and perhaps a few hundred others. The small pass, which was the only way through to Greece, forced the larger Persian army to send smaller numbers to face the Spartans. The Persians ultimately won the battle, but for every one Spartan/Thespian/Theban soldier that was slain, Persia lost five.
  4. The weather
    • (From The Story of the Invasion of Japan) During the summer of 1281, a combined force of Mongol and Chinese forces prepared for an assault on the western shores of Kyushu, Japan. The Mongol invasion force was a modern army, and its arsenal of weapons was far superior to that of the Japanese. Its soldiers were equipped with poisoned arrows, maces, iron swords, metal javelins and even gunpowder. The Japanese, however, would be forced to defend themselves with bow and arrows, swords, spears made from bamboo and shields made only of wood. Miraculously, as if in answer to Japanese prayers, from out of the south a savage typhoon sprang up and headed toward Kyushu. Its powerful winds screamed up the coast where they struck the Mongols’ invasion fleet with full fury, wreaking havoc on the ships and on the men onboard. The Mongol fleet was devastated. After the typhoon had passed, over 4,000 invasion craft had been lost and the Mongol casualties exceeded 100,000 men.

The point of this little trip through history is that tactics must evolve. Firewalls are no longer the single solution for preventing malicious attackers. If they were, then UTM devices wouldn’t have been invented and there would be no need for NIPS solutions. If all viruses conformed to the same signature, then we would not require HIDS/HIPS and behavioral AV solutions installed on our desktops and servers.

I believe that all security professionals should be students of military history and tactics. Seeing what failed for great generals will show us how to adapt to, and defend against, network and system attack situations in the future.

How Not to Sell Andrew Security Products

’Tis the season, I guess. To add to Andy Willingham’s recent posts (part 1 / part 2) entitled How to NOT sell me security products, I too have experienced one of the worst sales calls I have ever been on the receiving end of.

Today, an unnamed security vendor decided to call me and discuss their offering. After the initial pleasantries and introductions, it went kind of like this:


[Vendor]: Let me explain what Single Sign-On is…(clipped because we all know what it is)

[Me]: Umm…ok.

[Vendor]: Do you follow me?

[Me]: Yeah I think I get it. (SIDEBAR – little did he know that I was the ‘expert’ on a SANS Webcast in September 2007 entitled Separated at Birth – Identity and Access Reunited! with Stuart Rauch, Director of Product Marketing, Authentication, at Secure Computing. – I’m familiar with the concept of SSO 😛)


He then proceeded to talk to me about the solution and I explained that I had to test the product but, when I signed up for the evaluation download, I never did hear back from them.


[Vendor]: That’s strange. I’ll send you a spreadsheet and, if you fill it out completely and send it back to me, I’ll be sure to get you the software.

[Me]: Great.

[Vendor]: Did you get it yet?

[Me]: Not yet. Oh wait, here it is in my junk folder.

[Vendor]: I bet I know what happened. When you signed up on the site for the evaluation download the email they sent you probably went to your junk mail folder.

[Me]: I guess that’s possible. (SIDEBAR – WRONG! This wasn’t what happened. They never sent me any email.)


He then walked me through the spreadsheet.


[Vendor]: Where it says name, fill out your name. Where it says address, put in your address.

[Me]: OK. (SIDEBAR – yes, he really clarified this for me…sigh….)

[Vendor]: And where it says phone number…

[Me]: My phone number…right?

[Vendor]: You got it. Now you need to be very careful about filling out this form.

[Me]: OK.

[Vendor]: Andrew…in the United States encryption is considered a weapon.

[Me]: Oh…ok. (SIDEBAR – HAHAHAHAAHA…yes…he said this too!)

[Vendor]: So you have to be really careful about filling out the evaluation form as we’ll have to do a full background check of your company.

[Me]: Ummm…alright. I’ll fill out the form and send it back to you.

[Vendor]: You know, I’d like you to fill out the form, and I’ll be happy to set you up with an evaluation of our product, but I want you to first talk to your CIO and let him know that our solution has been deployed by (big flagship company #1) to xxxx systems and (big flagship company #2 which is in the financial sector) to xxxx systems.

[Me]: That’s good.

[Vendor]: And since we offer a 30 day money back guarantee you don’t even need to buy it now. You should really just buy it and if you don’t like it return it. I don’t want you to waste your time trying it out because it’s so easy to deploy and I know you’ll love it. I’ll contact your local vendor when we get off the phone and get you a quote for Friday.

[Me]: I have heard that it’s easy to deploy but it’s my job to perform some due diligence and test the proposed solution. We don’t just blindly jump into a product without testing.

[Vendor]: Oh, I understand…but.

[Me]: And I used to be a product manager for a security company so I know where you’re coming from on this. I still have to test it.

[Vendor]: Oh, OK. Well if you can get that evaluation form back to me then we can get you your demo software and I’ll still get you that quote.

[Me]: Fantastic. Thanks for all your help.


The moral of the story: don’t try to strong-arm a sale while talking to Andrew. He knows that it’s a quarter-by-quarter world for sales guys. He knows that you’re only trying to do your job. Unfortunately, he’s got rules to follow, so please don’t try to influence the way he does his job.

Thanks.

Why Are People Still Using Internet Explorer?

Rob Fuller brought up an interesting question on Twitter today:

Now, everyone who responded that you are still at IE in the enterprise. Why? Did you show TPTB clickjacking and its effects?

Here is why I believe organizations cannot simply “up and switch” to a different browser (regardless of security concerns).

Training

Not everyone is a “power user”. If you switch the browser that the mail clerk, accountant, or CxO uses, it may confuse/scare/panic them. Many people have an expectation of stability in their applications and will require formal training to use a new one (yes, a browser is an application). Not only will your users need to be trained, but your support organization will also have to learn how to handle the influx of support issues that will inevitably be raised.

I used to do xyz in IE but I don’t know how to do it in this new browser!

What happened to all of my book marks? What did YOU do?

Our custom application no longer works with YOUR new browser that YOU installed. I want my old browser back NOW!!

Anyone who has worked in a support role is familiar with hearing these questions after a poorly planned roll out of new software. If not…you’ve missed out 🙂

Money

“But aren’t browsers free, Andrew?!?!” Why yes, they are. But deploying an application to a large enterprise is very time consuming. There is (or at least should be) integration testing, quality assurance testing, acceptance testing, and training. This costs money for project planning resources, testing resources, implementation resources, and so on.

Don’t forget the cost of training your staff to field the questions quoted in the previous section. Not all front line support staff will know how to support the new browser and may require training, which costs time and money.

Deus Ex Machina

Thanks to Ryan Russell for reminding me that this was the term I was looking for – stupid Grade 9 English class failed me!

At the end of the novel Lord of the Flies, the group of shipwrecked children are miraculously saved when it appears all is lost. This literary device, called Deus Ex Machina, is often unknowingly employed by executives who have blind faith in a third party (e.g. Microsoft, a patch management solution, IPS signatures, and so on) to solve the problem at hand.

Unfortunately (this one is for you, Rob Fuller), this is the kind of battle that security professionals fight daily. How do you convince your executives that it’s time to invest the time and money into a different solution? It all comes down to putting the problem and solution in terms they can understand: cost/benefit analysis. If you can prove to your executives that switching to an alternate solution, although potentially costly in the short term, could reap long term security, financial, and productivity benefits for the company (not necessarily in that order, of course), then you may find your executives on your side.

Blind Eye

We all know that it’s sometimes easier to just turn a blind eye to the problem.

Well it hasn’t hit us yet and we don’t know anyone that has been attacked using this exploit/hole so we’re probably safe.

Ummm….I guess that’s true in a warped logic sort of way.

We’ve been using this browser for years so we’re not about to change it now.

Ah yes…the old “if it ain’t broke, don’t fix it” approach. Unfortunately it, meaning the browser, is broken, and it’s up to you, the security professional, to convince them, the organization’s powers-that-be, that it’s time for a change. Good luck, as this will be the hardest fight of your life. Throw back some espresso, pull up your socks, and come out swinging!

You’ll need to show them the risks associated with not switching to a different solution. Throw in some cost/benefit analysis and you might make it through to the final round, but I guarantee that you’ll be tired, frustrated, and maybe even a little bloody.

Conclusion

I hope this sheds some light on why I believe that an organization switching to a new browser isn’t as cut and dried as we security yokels would like it to be. You may not agree with all of my points, but I hope that one or two items might make you think differently.

As always, I’d be happy to discuss this further with any of my readers via the comments in this post, via email, or even via phone/Skype.
