On Jul 7, 2011, at 7:47 PM, Chesmore, Michael [DAS] wrote:

> The users of the cyber ranges are beyond entry level folks but not yet 
> seasoned security staff. 

From the standpoint of networking security, the real issue is that only a tiny 
percentage of soi-disant 'security' practitioners understand TCP/IP, and only 
a subset of those understand the interaction of the entire OS/app/services 
stack with networking, much less how the Internet really works in terms of 
BGP, DNS, how to design/deploy/operate/defend scalable and resilient networks, 
and so forth.

From the standpoint of information security in general, only a tiny percentage 
of soi-disant 'security' practitioners understand anything at all about 
computer science, about the conceptual underpinnings of coding securely, of 
how to design complex systems with fundamentally secure architectures, et al. 
Most appear to be little more than Windows 'power users', if that.

So, unless/until the majority of security practitioners actually understand 
computers, networking, the Internet, and information security theory, nothing 
is going to change in a qualitative.

> DoD at the highest levels needed a way to get IT out of the "support role" 
> and into a "combat arms" role.  The use of the word Range infers an offensive 
> capacity and politically it was exactly the right way to do this. 


I beg to differ.  The potential for collateral damage is far, far higher, in 
relative terms, than in kinetic warfare; after all, the attacks (DDoS attacks, 
spear-phishing, SQL injection, ssh bruteforcing, what-have-you) are all 
launched from botted computers whose owners are completely unaware of their 
subversion, and which all too often reside on fragile access networks which can 
be knocked over with very little effort at all.

The proper model is not offense, but defense - keeping in mind that in kinetic 
warfare, the classic ratio of attackers required to overwhelm defenders is at  
least 3:1, if not higher.  

Using irrelevant terms like 'combat arms' and 'offense capacity' and 'cyber 
ranges' and so forth in this context is actually harmful, as propagating these 
semantically incorrect analogies leads to further confusion, misinformation, 
and serves to obfuscate the proximate problem (the root problems being abysmal 
software and protocol architectures) - namely, the lack of actual clue amongst 
the largely self-selected information and operational security communities.

-----------------------------------------------------------------------
Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde
