[attrition] InfoSec, Sun Tzu and the Art of Whore
security curmudgeon
jericho at attrition.org
Fri Jul 2 16:47:51 CDT 2010
http://attrition.org/security/rants/fsck_sun_tzu/
InfoSec, Sun Tzu and the Art of Whore
Fri Jul 2 14:42:30 CDT 2010
swtornio & jericho
Lately, you can't swing a dead cat without hitting someone in InfoSec who
is writing a blog post, participating in a panel or otherwise yammering on
about what we can learn from Sun Tzu about Information Security. Sun Tzu
lends the topic some gravitas and the speaker instantly benefits from the
halo effect of Ancient Chinese Wisdom, but does Sun Tzu really have
anything interesting to say about Information Security?
In "The Art of War," Sun Tzu's writing addressed a variety of military
tactics, very few of which can truly be extrapolated into modern InfoSec
practices. The parts that do apply aren't terribly groundbreaking and may
actually conflict with other tenets when artificially applied to InfoSec.
Rather than accept that Tzu's work is not relevant to modern-day InfoSec,
people tend to force analogies and stretch comparisons to his work. These
big leaps are professionals whoring themselves just to get in what seems
like a cool reference and wise quote.
"The art of war teaches us to rely not on the likelihood of the
enemy's not coming, but on our own readiness to receive him; not on the
chance of his not attacking, but rather on the fact that we have made our
position unassailable." - The Art of War
This seems to make sense on its face. If you focus on making your systems
and networks invulnerable to attack, then you don't need to worry about
attackers. So, on any modern network where people actually need to get
work done, can you make systems invulnerable to attack? If not, does this
particular advice tell us anything useful? Maybe Sun Tzu was trying to say
that we need to spend more and more money on IPS/SIEM/firewalls/antivirus,
even if we don't see a particular need to upgrade or improve those areas.
[..]