November 30

Guest Blogger: Information Security Practice as a Game of Chess (Part 3 of 3)

Information Security Practice as a Game of Chess
Ted.Phelps [@] suny [.] edu

Welcome to Part 3 of ” Information Security Practice as a Game of Chess.” In Parts 1 & 2, Ted Phelps explained the analogy and the players.  Now Ted explains the endgame as well as additional points to consider!

Endgame: A game of chess ends—often before 50 moves.
ISec, in contrast, goes on like an endless tournament. The only time it truly sees a loss is when an institution goes down in a disaster and never comes back. And that’s why working to prevent death by disaster is part of ISec’s strategy. However, players will certainly feel as if they have suffered a loss when someone breaches a system containing sensitive information—especially if they have worked to protect that system. Those losses hurt the institution and often hurt persons who have entrusted their personal information to our care. Although we have been checkmated by a crook, we may have to take the blame for the loss, paying for it with our jobs. Avoiding that is central to this game. But how about winning? Can we ever lift a toast to a game well played in ISec? Yes. With each new institutionalized advance we can pause and say, “Good Game. Congratulations!” But note what I am saying. I wouldn’t celebrate a win, exactly, with just any advance. If the advance, e.g., a new firewall, is not built into the organization’s culture in such a way that it transcends individual personalities, whether they be leaders-of-the-day or longtime bedrock technicians, then that advance is just one more good move on the chess board. It could dry up or run down when the boss turns attention to something else; it could get crushed in the turmoil that will follow the next checkmate by an intruder—and we know there will be one of those some day. But if it has soaked into us and become part of our habit of security, we really have something.

More to Ponder
Analogies are useful tools for learning. They are more than fun illustrations. They can inform us about the target concept, which in the case is ISec. Here are some further comments on the observations above made from the chess analogies.

1.    There is a game going on, a strategic conflict. And there really is just one client in this game, and that is information (the King). It is not about protecting computers and networks. They are just pieces on the board.
2.    Some people play the game well; others are novices. Some of each are our attackers. It would not be surprising if we found the game confusing; or that others do not; and that when we hear of others who do not, we find that they have been playing a long time.
3.    You do not become good by simply wishing to be good. You cannot buy skill. This takes time. The game can be studied or can be learned “on the job” playing it many times over the years.
4.    A new Player can lose (lose critical information, or his/her job) in just a few minutes under the deft moves of a skilled, focused opponent. Losing does not require a long, drawn out game. In a low-risk game among equally novice Players, one can last a long time running one, localized strategy at a time. Many opponents only come at us with one, localized strategy at a time, and we can deflect them one at a time and last a long time. But, a skilled comprehensive attack that uses many blended tactics at once will easily defeat the one-trick-at-a time novice Player. Novice Players focus on what is in their minds and enjoy the intricacy and challenge of executing their own tactics. They forget to continuously assess their own risk postures, which requires thinking like the opponent and spending time in defensive pondering of their own Pieces and their locations of the board. Novice Players lose by being surprised. They get surprised because they cannot take the time or cannot divide their attention in order to handle multiple tactics at once.
5.    There are some well-known, standard opening moves that can establish highly effective basic defensive and offensive positions. Even if the subsequent moves needed to play well are not yet learned, these basic opening moves can be done by the book and thereby delay an early defeat, even by an expert opponent.
6.    Novice Players and occasional, vacation-time Players, with a few dozen games of experience and playing a matched opponent can last for hours—which is equivalent to years of organizational life in ISec. Such a Player has a reasonable chance of winning, which in ISec would mean getting through several years without an embarrassing incident, going through many pawns and taking some painful hits, but never suffering a major career-ending information breach, and going on like this until retirement or the next voluntary change jobs. What the organization is experiencing in such a case is not excellent play, but reasonable play in a threat environment that has thus far only contained the typical, ambient threats and has not yet run into its first high-quality opponent.
7.    Few can afford to become excellent at this game. The players who do are mostly the ones that like it. The big financials, big defense, big government, big health, etc. have long ago gone into the game as pros. They play in a different league and are playing for money—big money.
8.    It is easy to think you’re doing well early in the game if you have a lot of pawns (projects, procedures, and protections)  in play. It looks good. But if they are not part of an organized strategy (of course, known to the Player) then they crowd the arena and crowd themselves and many will be taken when the opponent gets busy. Skilled Players use pawns as tactics within a strategy and are willing to sacrifice them in order to create a powerful defense. A good defense is not possible with too many pawns on the board.
9.    The Queen is the easiest piece to engage right away in impressive, flamboyant shows of force. But it is also the hardest piece to engage properly in a long-term strategic way. The early on flamboyant use can accidentally take her down.
10.    Skill in the use of the Queen is the single most telling skill for predicting success. But, a Player who does very little with the King and Queen early in the game and only plays the other major pieces and does so with some basic knowledge can last a long time in a game with a low impact opponent (the ambient threat environment). But the game will probably be lost (and quickly so under a skilled, directed attack) without a skilled handling of the Queen and King.

Ted Phelps
Information Security Officer
State University of New York
October 2006


Tags


You may also like

Are you using frameworks properly?

Leadership and communication are actually layers, not levels

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Subscribe to our newsletter now!