(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Kenjitsu’ Category

Musashi’s Last Duel: Sasaki Kojirō

leave a comment »

In April 13, 1612, Musashi (about age 30) fought his most famous duel, with Sasaki Kojirō, who wielded a nodachi. Musashi came late and unkempt to the appointed place — the remote island of Funajima, north of Kokura. The duel was short. Musashi killed his opponent with a bokken that he had carved from an oar while traveling to the island. Musashi fashioned it to be longer than the nodachi, making it closer to a modern suburito.

Musashi’s late arrival is controversial. Sasaki’s outraged supporters thought it was dishonorable and disrespectful while Musashi’s supporters thought it was a fair way to unnerve his opponent. Another theory is that Musashi timed the hour of his arrival to match the turning of the tide. The tide carried him to the island. After his victory, Musashi immediately jumped back in his boat and his flight from Sasaki’s vengeful allies was helped by the turning of the tide. Another theory states he waited for the sun to get in the right position. After he dodged a blow Sasaki was blinded by the sun. He briefly established a fencing school that same year.

Miyamoto Musashi’s last duel ends much like his first at age 13, but in this case he kills with less fury than he did on the occasion of his first duel. This last duel though was the epitome of his arts being perfected. The arts of not only swordsmanship, but also tactics.

It seems to me lately, that the art of tactics has been pretty much lost on our society. Perhaps its the Eastern mindset that we just lack here in the states, but, overall I think its a cultural thing more than anything. In Japan, the tactics of “business is war” have been practiced since post WWII, but here in the west (US) that only came to our collective consciousness in the 80’s when they started to kick our collective economic asses.

Of course now Japan is still in decline as an economic power while China rises. However, what I am aiming at here is not just about economics. I am actually attempting to further this thought process to the area of “cyberwar” and our predicaments where our national security is concerned.

Back to Musashi and on to Cyberwar:

Musashi was a consumate swordsman but like I said, also a great tactical warfare fighter. He created the two sword technique (“Ni-Ten Ichi Ryu”) that in the end, would be, in his hands, unbeatable. He used this technique in tandem with psychological warfare to unbalance his opponents and gain utter dominance. He had the tools to win the battle before it was really fought in essence.

The same can be said about cyber warfare. If you have the tools and the mindset, you can effectively render your opponent impotent and win the battle without actually needing to wage all out war. The Chinese tactician Sun Tzu said much the same in his treatise on war “The Art of War” and I feel that both of these men have much to say that should be applied to todays cyber threat-scape.

Throughout my career working in information security, I have always noticed a certain lack of understanding on the part of corporations as entities as well as that which comprise them. The people who run them where technical security is concerned are either not able to comprehend the issues at hand, or, more likely, to not really see these things as a real danger. Is it a lack of awareness or is it a lack of care? Perhaps a little of both. Whats more, in todays environment, I have seen companies accept risks that are known and should be mitigated because it would cost too much or burden the end users to fix them. This to my mind is not seeing and understanding the tactical threat-scape.

Musashi and Sun Tzu both taught being aware of the battle space, yourself, and your enemy. Japanese “salary men” still today use these tenets to wage business and are often successful at it. I suggest that we too apply these approaches to the work of information security, its application, and the process of teaching its precepts to everyone involved. After all, when individuals and companies cannot as a whole understand the basic threat that an un-secured network printer in a secured area presents, there is a fundamental disconnect that needs to be removed.

This is a failure to understand and be aware of your threat-scape… And it will lose the battle for you.

APT and Snake Oil Cure All’s

Within the last weeks I have seen a trend in twitter and in blogs on the internet from security practitioners about the APT and cyberwar problems. Howard Schmidt claimed that; “There is no cyberwar” and, as the new Tsar of the cyber area for this country, has been taken to task on this statement. I myself have written of my lack of faith in Howard’s understanding of not only the threat-scape, but also his own newly acquired title. The essence though here is that there are many pundits, salesmen, and interested parties looking to cash in or have their say on this. It’s really signal to noise at this point.

Meanwhile, the anti-virus, NAC, SIM, and other vendors have begun their putsch to promote their products that can stop APT in their tracks. This has been of concern to many of the security wonks on the blogs too. You see, the fact is the APT is not a malware one trick pony that a behavior based or signature based model can always detect. The APT or Advanced Persistent Threat is not just the tools they use, but the people who create and use them… And they are more than likely familiar with the precepts of war that Sun Tzu and Musashi taught.

When the APT saw that their malware was being detected by AV, they looked at the threat-scape to them and adapted their stratagem to defeat it. The looked at the castle and saw that the weakness lay with the way things got out of the castle as well as the natures of those who live within. Just as I have written before about the War for Troy and the Trojan Horse, so too have the APT thought things through seeking the weaknesses and exploiting them. In the case of the APT, they basically saw that they could ex-filtrate the data out of the environment through the weak point of regular traffic. They basically stegged the flow with signal to noise.

So now, we have the vendors in a lather trying to sell solutions to a particular vector of attack while the APT will move on to look once more at the threat-scape and change the battle plan to once again evade their new “products” and go unseen while they take the data and win the battle. In essence, the vendors and the clients have failed to understand the nature of the APT and the battle space on a level that is key to winning. They lack the mind set it seems as a whole to this problem in favor of a quick fix solution that will “cure all”, much like the sideshow snake oil salesmen of old.

APT, Cyberwar, Government, and YOU

In the end, I am advocating that we as a whole begin to understand the threats and the technologies better and not be so reactive after the fact. Our government needs to understand the threats as well as the technologies in order to create appropriate responses and proactive measures to prevent us having to be reactive. So far, our governments answers have been lackluster to the point of the president having a big red easy button to shut down the internet should there be a threat. This is no answer, and thankfully it was struck from the bill this week.

The government also needs to listen to the experts in the field and employ them to help mitigate our vulnerabilities without the usual “Washington Two Step” that is so prevalent. This whole flap over Schmidt’s lack of understanding or using a company line to allay the fears of the masses is just one case in point. Schmidt needs to be able to speak the truth if he knows it as well as have a position that carries some gravitas. Thus far it seems that he is in fact a neuter.

Schmidt’s comment on cyberwar also needs to be looked at from the perspective of tactics. There is no cyberwar is not an answer. Cyberwar means more than actual physical warfare as well as it not should be merely perceived as espionage. Cyberwar is more than just malware and thievery, it’s a tactic in a larger warfare scheme and we as a country are still unable to comprehend this outside of certain military purviews. Where this really becomes an issue is that most of our infrastructure in this country is held privately and thus its up to the owner to protect them.. Or, not as the case has been.

Lastly, there is the element of you, the general public. Employees of those same companies that run the infrastructure. Private citizens who are on the same internet as the rest of the companies and countries who do not understand the precepts of computer security as well as OPSEC. How many people today have way too much of their lives open to the internet? How many of those now household machines you use to connect to the internet are not secure? Lack virus scanning utilities? Have kids as well as yourselves opening every e-card they get and wondering afterwards why their systems are now slow and their bank accounts drained?

The general public today is not aware of the precepts of security in computing never mind many of the issues surrounding their daily operation. They just turn them on and they work. Both of these knowledge bases should be inherently taught at some level just as you need a license to drive a car today. I say this because now, you and your machine could be just one in many systems that comprises a botnet that DDoS’s a government entity or a business at great cost or as a pre-cursor to other attacks. You, are a part of the problem and you must be cognizant of that fact.

End Game

In the final analysis I am just putting this article forth to those who would read it. Perhaps the Western mind is just inherently unable to understand Eastern thought. Perhaps we are just a fat and lazy self interested country who’s apathy and arrogance just gets in our way of comprehension. Who’s really to say? However, we as a country have to learn that the issues above must be learned about and proactively worked on. Otherwise someday we may find ourselves in the dark without power to run those nifty machines that we rely too much on. The same machines that the government relies on too and will also collapse should there be a successful attack against our infrastructure.

Now is the time for proactive moves…Do we have the fortitude to move forward?

Musashi went from being a 13 year old rage filled boy with a stick to a master swordsman and tactician. Can this country do the same and protect itself?