Learn Something from the Cavalry

Remember the old westerns?  The US Cavalry always comes riding over the hill just in the nick of time and rescues the hero ala deus ex machina.  It’s almost uncanny how the cavalry manages to show us their sense of timing, but if you’ve ever known or worked with the cavalry, they plan it that way–they’re the first well-known proponents of Just-In-Time methods.  Bear me out, and I’ll explain this grandiose statement.

According to the cavalry article at Wikipedia, the cavalry (more specifically, the light and medium cavalry) has the traditional roles of scouting, screening, skirmishing, and raiding.  When they engage, they pick the time and place to engage, and that gives them local numerical and firepower superiority when overall they have a disadvantage.

So think back to the Battle of Gettysburg.  It’s a classical meeting engagement between 2 19th-century armies.  You’ve got the Union Army on one side with very active cavalry under Brigadier General Buford scouting out ahead of it.  He sees the Confederate Army and choses the time and place to engage them in order to delay the Confederates and give the Union Army time to occupy the high ground South of Gettysburg.  The rest by now is well-known–the Union Army defeats the Confederates by defending the high ground and turns the tide of the war.

How does the cavalry master time and space?  They have some advantages that can be summed up in one sentence–they conduct reconnaissance activities in order to mass at critical points and times.  In other words, they know how to prioritize and it gives them an advantage on the battlefield.

One other thing that the cavalry realizes is the concept of friction.  It’s not a new concept, Clausewitz uses it quite frequently.  But it does make sense if you’ve ever gone to war:  things are never the best-case scenario.  Attack times get delayed because Private Smith left the tripod mount for the M240 in his ruck sack.  We can minimize friction to a manageable level, but it’s still present in even the best-planned and best-executed mission.

In information security management, we’re trying to accomplish the same thing.  We use metrics as reconnaissance to find out the times and places to mass our forces.  We use risk management and triage techniques in order to prioritize our scarce resources to engage and destroy the superior enemy.  We account for friction by having a layered approach–if you will, defense in depth.  We use our local advantage in order to shape the remainder of the business engagement.

Yes, we have much that we can learn from the cavalry.  And in the end, we might ride over the ridgeline just in time to save the day.

• Core Belief #2 — Risk Management Uber Alles
• Puzzles v/s Mysteries
• The Long Tail and Security Posture
• Reading Between the Letters G, A, and O
• Ack! With the Mandates!

We did a very preliminary Pandemic Flu Exercise today.  Normally, I wouldn’t be too much worried about things like this when it comes to IT security during a pandemic–we just close out the lights and if the servers die, we’ll fix them after the dust has cleared.

But my organization has a difference from the average IT service provider:  we support the first responders from the US Government who need their IT systems up and running in order to get the knowledge shared and the cure to the right places when it’s needed.  It’s such a different business driver from normal that I had to pause and think it over the first time I heard it.

So today we did a partial VPN and telework test from another facility.  All told, it involved about 30 people.  In a couple of weeks, it’s “Global Work-From-Home Day”.  One lesson learned:  It’s the little things that will get you, like laptop screen real estate and network cables.

Now those of you who know me realize that I’m not that squeamish.  However, I did have a 30-second bout of panic when I thought about mass death where everyone in my apartment complex dies out in a pandemic flu.  Then I got over it. =)

Like I told my boss, it’s just like the consolidate and reorganize task that the infantryman trains on–restaff key positions and weapons systems, deal with the wounded and dead, communicate to higher, and continue the mission.  Now that I can handle.

• In This Corner, the Business Reference Model
• Lines of Business, Relationships, and Trustability
• Core Belief #3 — Learn Something from the Cavalry
• DDoS Planning: Business Continuity with a Twist
• Some Comments on SP 800-39

JD Meier wrote today about not saving the worst parts until last, and it reminded me of Meals Ready to Eat (MREs).  I should probably lay claim to being the Northern Virginia Master of Obscurisms right now while I have your attention, but let me elaborate for a minute.

A case of MREs is 12 individual meals.  That means that one person can, by the book, live off one case of MREs for 4 days assuming that they eat 3 times/day.  That’s a little excessive, since most people can only eat 2/day because of time constraints.

Inside a case of MREs, there are 12 individual meals.  Some are decent, like spaghetti or tuna with noodles.  Some are not, like omelette with ham or corned beef hash.  Keep this in mind, we’ll be using this little kernel of knowledge later.

So imagine this:  You’re out in the woods for 2 weeks with just your 5-member team and your MREs.  Let’s do the math on what you’re eating:

5 people x 14 days x 2 meals per day = 140 individual MREs or roughly 12 cases.

Now inside each case of MREs there are 2 foul-tasting MREs (omelette and CBH), which means 24 of them total.  If the muldoons eat their favorite MREs first and work down the cases in order of most favorite to least favorite, then the last 3 days we are eating nothing but omelette and corned beef hash, and after being in the woods for 2 weeks, I just can’t bear it anymore.

Bad news does not get better with age.  Neither does the MRE selection!

Moral of this story:  Take the MRE that I throw at you and don’t read what the label says, it’s the luck of the draw.

Secondary moral of this story:  You can’t store up badness and expect to tackle it later.  You have to take it as it comes.

Tertiary moral of this story:  Don’t join the army or work in IT. =)

• Bad Security People
• Cult Crossovers Into Information Security
• When the News Breaks, We Fix it…
• Core Belief #3 — Learn Something from the Cavalry
• MOUT and Risk Management

Best presentation slides I’ve seen, ever.  It’s been making the rounds, and finally arrived in my inbox.

How to Win the War in Al Anbar. (warning, political content)

This guy understands the problem.  Too bad an IED got him.

• Some Thoughts from a Week or so of Being “Proposal B*tch”
• It’s a Problem of Scale!
• Bacn–It’s Cooked Spam
• Transparency in Government: Just Give us the Data!
• On Government Employees, Culture, and Survivability

“True confidentiality controls are when you have thermite grenades taped to the top of the servers.” –Michael Smith

• When Google Hacking Gets Way Personal
• DojoCon DDoS Video
• Self-Quote Time #2
• Building A Modern Security Policy For Social Media and Government
• The Accreditation Decision and the Authorizing Official

OK, Sean Wilson cracks me up.  More than you’ve ever wanted to know about Going Commando.  Reminds me of my other life in a different world.

• Trouble Tickets
• Personnel Turnover
• Rebuilding C&A
• AppSec DC Press and Themes
• Got Training?