Dailydave mailing list archives

Re: What is a cyber-range?


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Thu, 7 Jul 2011 13:07:07 +0000

On Jul 7, 2011, at 7:47 PM, Chesmore, Michael [DAS] wrote:

> The users of the cyber ranges are beyond entry level folks but not yet seasoned security staff.

From the standpoint of networking security, the real issue is that only a tiny percentage of soi-disant 'security' 
practitioners understand TCP/IP, and only a subset of those understand the interaction of the entire OS/app/services 
stack with networking, much less how the Internet really works in terms of BGP, DNS, how to 
design/deploy/operate/defend scalable and resilient networks, and so forth.

From the standpoint of information security in general, only a tiny percentage of soi-disant 'security' practitioners 
understand anything at all about computer science, about the conceptual underpinnings of coding securely, of how to 
design complex systems with fundamentally secure architectures, et al.  Most appear to be little more than Windows 
'power users', if that.

So, unless/until the majority of security practitioners actually understand computers, networking, the Internet, and 
information security theory, nothing is going to change in a qualitative.

> DoD at the highest levels needed a way to get IT out of the "support role" and into a "combat arms" role.  The use of
> the word Range infers an offensive capacity and politically it was exactly the right way to do this.


I beg to differ.  The potential for collateral damage is far, far higher, in relative terms, than in kinetic warfare; 
after all, the attacks (DDoS attacks, spear-phishing, SQL injection, ssh bruteforcing, what-have-you) are all launched 
from botted computers whose owners are completely unaware of their subversion, and which all too often reside on 
fragile access networks which can be knocked over with very little effort at all.

The proper model is not offense, but defense - keeping in mind that in kinetic warfare, the classic ratio of attackers 
required to overwhelm defenders is at least 3:1, if not higher.

Using irrelevant terms like 'combat arms' and 'offense capacity' and 'cyber ranges' and so forth in this context is 
actually harmful, as propagating these semantically incorrect analogies leads to further confusion, misinformation, and 
serves to obfuscate the proximate problem (the root problems being abysmal software and protocol architectures) - 
namely, the lack of actual clue amongst the largely self-selected information and operational security communities.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde
