Tuesday, September 16, 2008

On Breakership

Last week Mark Curphey asked "Are You a Builder or a Breaker." Even today at RAID 2008, the issue of learning or teaching offensive techniques ("breakership") was mentioned. I addressed the same issue a few months ago in "Response to Is Vulnerability Research Ethical."

Mark channels the building architecture theme by mentioning Frank Lloyd Wright. I recommend reading my previous post for comprehensive thoughts, but I'd like to add one other component. Two years ago I wrote "Digital Security Lessons from Ice Hockey," where I made a case for defenders to develop offensive skills in order to be "well-rounded." Why is that? Turning to the building architecture idea Mark mentioned, why don't classical architects learn "offense," i.e., why aren't they "well-rounded"?

It turns out that classical architects do learn some "offense," but they limit themselves to the natural physics of their space and pay less attention to what an intelligent adversary might do. In other words, architects learn about various forces and the limits of their building materials, but usually not how to design a building that could withstand a Tomahawk Land Attack Missile (TLAM). Of course a very small number of people do learn how to design structures that can withstand TLAMs, but most architects do not.

Digital architects are waking up to the fact that they face the equivalent of digital TLAMs constantly. Any system connected to the Internet, or that could be connected to the Internet one day, is vulnerable to digital TLAMs. Therefore, digital architects need to know how these weapons work so they can better build their systems.

It turns out that classical architects must also learn something about intelligent adversaries, especially as the terrorism threat occupies greater mindshare and drives building codes. Mindshare can be transitory but building codes are persistent. Even if we build mindshare or attention to security issues in the digital space, we still lack a "building code." That means we will probably remain vulnerable.

4 comments:

Andre Gironda said...

I have a better military analogy for you.

While reading the SFOD manual, I came across how to build FOBs, or forward operating bases. The construction and layout of these bases was extremely fascinating to me, as it certainly had many physical security implications that did translate at least somewhat well to information security.

One of the key pieces to a FOB is the CONEX (Container Express) or "battlebox". A CONEX can withstand the blast from a direct hit of an 81mm mortar round. I was thinking about the security of such devices, and noticed that some of the main problems of these structures are that they typically only have one door, and that the airflow comes in from underneath the structure, through grating.

Great post, btw. I am a big fan of "building codes" for Internet infrastructure and web applications. I am a big fan of Mark Curphey, JD Meier, and Jeff Williams especially. If you're into security, especially application security -- you should be following their work.

The Serrano Boy said...

haha. he's not a builder but a breaker. hehe

Anonymous said...

This comment has been removed by a blog administrator.

Offshore Software Development India said...

lol.. For sure a breaker...and not a builder....