I really enjoy reading non-infosec books, audiobooks, articles and the like, consuming them with a mental exercise: finding out what lessons could be learned and applied to security. My specific interests are in forensics, penetration testing, vulnerability analysis, exploit development, and profiling attackers. Currently, as an occasional escape from technical material, I’m looking at some of Paul Ekman’s books on deception, with an eye for how it applies to topics like social engineering engagements, and even interactions with others in the infosec community. Even with the controversy surrounding the research, there are some lessons to be learned, tricks to pick up, and things to think about.
As much as infosec professionals quote Sun Tzu’s The Art of War, I thought that I ought to check it out. I downloaded a translation of it onto my iPod Touch and read through it in my spare time. I felt as though I must have missed something, as I really didn’t see how most of it applied to security in anything more than a superficial way.
Now, at least I know that if I missed something, attrition.org missed it too. They’ve posted a very well-reasoned analysis of the use of Sun Tzu’s work in infosec, pointing out all the places that it really doesn’t make sense. Many of these are sticking points I also had when I tried to make the connection myself. I especially agree with a fundamental point that the Attrition.org folk make: Defenders in infosec are strictly defenders, with their hands tied behind their backs when it comes to attacking the other side. This is kind of a buzzkill for much of Tzu’s advice.
As with most Attrition.org articles, they pull no punches and call out people specifically. This makes some readers uncomfortable, though I do think that it’s a fair and honest assessment. Give it a shot if you’re looking for a good (and very different) read.
(Disclaimer: I have cooperated with the attrition.org guys on a couple of their writeups (though nothing compared to their original research), and I am pretty partial towards them and many of their views. I just hope that if I ever stray into the danger zone of their “charlatan” list that I’ll have earned some kind of warning first.)