Security
May 7, 2012

Masada: Lessons for cyber defence

There was probably a day in the spring of AD 72 when Eleazar ben Ya’ir, commander of Masada, woke up completely unaware that the Roman Tenth Legion was on the march and that Governor Lucius Flavius Silva was determined to recapture his fortress. To Eleazar, it was a good day: it had been two years since the war ended, and still the Romans had not come. He was doomed, but did not yet know it.

Today Bob, a public executive responsible for a computer network, woke up completely unaware that his network was going to come under serious attack. To Bob, it is a good day: there have been minor attacks in the past, but nothing of consequence. Will it still be a good day this evening? Will he have learned from Eleazar – and escaped his fate?

The setting

Masada is an isolated rock plateau whose top measures 550 by 275 metres. To the east, the cliffs are about 400 metres high – about the same as the CN Tower observation deck. To the west, the drop is less but still significant at about 90 metres. During 37-31 BC, King Herod the Great fortified Masada. He built not only many towers and a wall about 3.7 metres thick around the top, but also all the amenities needed to keep the royal household safe and comfortable, even while under a year-long siege.

The battle

A band of Zealots, a Jewish radical group, took the fortress by surprise from its small Roman garrison in AD 66 during the opening stages of the Roman-Jewish War. When the War ended in AD 70, the Zealot survivors fled from Jerusalem to Masada, bringing its strength to about 960 men, women and children. In AD 72, the Tenth Legion arrived at Masada and besieged it, constructing a wall completely around the feature, and encampments to house the Legion’s 4500 soldiers, its auxiliaries and slave labourers.

The Romans spent nine months building a siege ramp on the western face of Masada, using a natural spur as a base. Finally, in April, AD 73, they attacked, quickly breaching the wall. There, the assaulting soldiers found a secondary wooden wall, which they set ablaze. Passing through the remains of this wall the next morning, they found only seven people alive. The rest, including all the adult men, died by their own hand rather than face execution or live as Roman slaves.

The model

For the purposes of an analysis of the battle, we will use a model of a defensive battle comprising four parts: protect, detect, react and restore. It can be used for defence of a city, a ship or a computer network. Protect refers to adding strength to the construction of the defended object to make it resilient to attack. Detect means to discover an attack in time to do something useful about it. React is the stage where the battle is fought to defeat the attacker. Restore is the final stage, where the damage from the attack and subsequent battle is repaired and the object returned to full functionality. The four parts of the model need to work in a coordinated fashion: detection time is related to the method of reaction and the time gained by the built-in protection, and so on.

The lessons

Bob knows that his networks are continually under attack. Given all the open-source reporting, he thinks this is common knowledge for all networks. He also sees the similarity in philosophy between the defence of Masada and the way too many computer networks are defended: rely on Protect; give scant attention to Detect and React; and think about Restore when someone asks about a business continuity plan. With this in mind, what can Bob learn from Eleazar at Masada?

First, Protect by itself is not sufficient. Masada is a natural strong point, and Herod’s engineers had done their job well. Even occupied by a much smaller force of insurgents, it held out for nine months against a siege by an experienced, professional army. Nonetheless, obstacles alone will not prevent a determined and well-prepared opponent from getting through: they can only delay the event. Bob’s opponents are skilled, well funded and motivated. They will find a way in, sooner or later. He cannot hide behind his firewall and hope for the best.

Secondly, there must be a well-designed Detection system. We know that Eleazar could see the Romans from their arrival: the circumvallation wall, encampments and ramp are still visible from the top of Masada today. We do not know if there were outposts to detect the Legion’s approach, or if he was prepared to abandon the fortress even given advance warning. Bob must have, on the one hand, long-term intelligence about the activities of potential opponents, including their methods, and on the other, immediate threat warning when an attack is about to be launched. He needs the former to be able to make long-term plans and to recognize a threat when he sees it, and the latter to allow him to be ready to fight and win against an attacker. Without this intelligence, he will be unable to take a proactive approach – just like Eleazar.

Next, there must be a plan to React – to fight the battle once it is joined. If Eleazar had a plan to conduct a fight, he had no confidence in it. Any action he attempted against the Romans during their preparations had been fruitless, as was the secondary wall. A battle inside the fortifications would likely also have been useless, given the disparities in numbers and training of the opposing sides. It may well be that the only useful reaction the Zealots could have undertaken would have been to abandon Masada – but this decision could only have been made before the Tenth Legion arrived the previous summer, and it would have meant giving up a significant symbol of resistance to Rome.

For Bob, the ability to React implies the creation of a capability – a valid concept, the right people, training, organization, information, equipment, etc. – to defend the network and its information. Producing such a capability is expensive; it may well be that Bob’s department does not have the resources to fund it adequately. He may need to convince his colleagues to establish a common capability, in the same way we have a community fire or police department.

Finally, there must be a strategy tying the four parts of the model together. Eleazar’s objective was not to create 960 martyrs, but rather to survive so his political struggle could continue. He failed to look far enough ahead to see the inevitable outcome, and chose a method with no hope of success. Strategy is about balancing ends, ways and means, and security is about managing risk at a given cost. Bob must express his appetite for risk so his staff clearly understands the desired goals. He must approve the methods to be used, and arrange for the appropriate resources. It will likely be necessary to conduct several iterations of the process before he is happy with the balance between realistic goals, suitable methods and available resources. He may even need to abandon projects if the risks outweigh the benefits.

In the final analysis, this balancing is the key role for Bob and his fellow executives.

Today, Eleazar’s actions at Masada are remembered as a tragic story of courage and determination, but not as a method of conducting a defence. He failed to make a suitable strategic plan, and failed to be proactive. Today, Bob and his colleagues can correct this error. Failure will leave them the same grim choices, albeit figurative rather than literal ones, that Eleazar had – live as slaves to their opponents; be crucified; or slit their own throats. Take your pick.

 

Colonel (Ret’d) Bruce Jackson served in a number of positions dealing with Information Operations. He consults in the areas of strategic planning and IT security.
