What have the Romans ever done for Cyber Security?

With organisations struggling to deal with cyber security threats, there is plenty we could learn from the Roman Empire's approach to security.

The Roman Empire had a fearsome military reputation. Formed nearly 3000 years ago, well before the first modern computers, it had attributes in its military campaigns which have striking relevance to today’s cyber security challenges.

Organisations are struggling to deal effectively with cyber security threats, and high profile breaches threaten to bring even the titans of businesses to the brink of catastrophe. Yet the Romans had an approach that companies would do well to emulate.

Approaches to security presently fall into two camps, Compliance Based and Threat Based. Or, as the Romans presented it, Hadrian’s Wall and Deva Victrix.

Compliance Based Security

Hadrian’s Wall, one of the great monuments to the ancient Roman Empire, was built to separate the Romans from their enemies – the barbarians. Built from sea to sea it represented the line between trusted and untrusted territories, an attempt at a complete security solution to repel the enemy.

Figure 1 Hadrian’s Wall (Reconstruction)

The parallels with modern security programmes are evident, both in the traditional ‘perimeter defence’ model and, most importantly, in the compliance based approach to security. Whether compliance with external standards (such as PCI DSS, ISO 27001, and NESA) or with internal baselines set by the organisation, security is often handled by the IT department in an ongoing (often insurmountable) effort to have every system meet these minimum requirements.
There are some major problems with this approach:

  • The wall could not keep out every enemy. It may have deterred the mass of barbarians out in the untrusted wilderness, preventing disorganised attacks, but a truly motivated group could find a single exposed weakness. The breach of these defences during The Great Conspiracy proved this point to great effect.
  • The wall was costly to maintain. Manned forts at regular intervals along the wall required huge resources, and design flaws meant that later repairs were essential. As the wall was only as strong as its weakest point, any failure to maintain complete security undermined the resources spent elsewhere.
  • It was static. Shifting the wall and resources in response to changes in the empire was impossible, and perhaps one of the earliest examples of legacy support concerns.

Further drawing parallels, the defence doesn’t account for how easy it is for foes to bribe or trick the guards into letting them in. Now think of the staff in your organisation, the gatekeepers of your critical assets, and imagine those guards were civilians – untrained in detecting friend from foe…

Threat Based Security

Fortunately the Romans weren’t so foolish as to rely on the wall as their only means of defending the realm, and neither are the most sophisticated organisations, as their security programmes show.

The Romans deployed resources into Castra – military camps or towns. The castra (such as Deva Victrix) provided a different form of defence, shaped around the territory under its influence.

Figure 2 Deva Victrix (Chester)

The castra had many functions, including operational as well as defensive, and were vital to a successful military campaign. Looking at the castra we can see a few key elements of an effective defence:

  • Castra were deployed at the most important points of the empire. With finite resources, protecting the most critical functions was of primary concern.
  • Castra handled specific threats. With examples like Glevum (now Gloucester) tackling the Silures tribes of South Wales, and Camulodunum (now Colchester) targeting the Catuvellauni tribes, each castra faced unique threats and had corresponding defences.
  • Defenders were responsive. Rather than building vast static fortifications, the castra allowed defenders to cover a broad area and actively respond to where the threat was greatest at that time.
  • Defences handled internal as well as external threats. Castra were not stationed only at Rome’s borders but could deploy resources to deal with the barbarian presence already within the empire. Unlike the wall, which once breached could offer little further protection, the castra represented a defence-in-depth approach to security.

The threat based approach to security looks at an organisation’s most critical functions and, significantly, the collection of unique threats to the business. This part is key as it requires the input of senior management, who are better equipped to evaluate business risk than technology risk. An alternative way of thinking about this approach is to look at your business and ask ‘what goals would an attacker seek to achieve?’

Supplementing knowledge of business risk with threat intelligence and exercises to truly think like an attacker can shed light on how, why and when the business could be breached. Only with this understanding can appropriate defences be put in place. As the military expert Vegetius writes “A general is not easily overcome who can form a true judgement of his own and the enemy’s forces”.

Combining the approach

As we’ve seen, a compliance (or Hadrian’s Wall) based approach to security cannot protect against targeted attackers. Technical controls cannot withstand a targeted attack from a motivated individual or group, as technical controls can always be circumvented at their weakest point. Moreover, the approach is not cost effective and leads to an ever increasing black hole for security spend that never quite achieves the baseline set.

There are many assets that simply do not require this level of protection or compliance, but are included due to a catch-all policy or a failure to descope the environment. This leads to wasted spend. Conversely, with a limited budget and a lack of business context, the most critical business functions cannot be protected at a purely technical level. As the baseline can’t adequately address business risk, this leads to over-exposure and exposed risk.

  • Wasted spend as a result of broad policy
  • Exposed risk due to lack of business context

A purely threat based approach cannot defend every asset appropriately either. The level of depth needed to fully understand the threat to every single asset is immense and a programme that requires customised defences for every asset is simply unmanageable.

A blended security approach is needed, combining the two approaches for a truly effective defence against cyber attacks:

  • Technical defences for technical driven attacks (Compliance & Baselining)
  • Human defences for human driven attacks (Intelligence & Targeting)

Reallocating resources by reducing the focus on technical defences and total security compliance allows organisations to be more appropriately protected from the threats they currently face.

The baseline controls should be reduced, but remain sufficient to ensure that there is no exposure from commonly exploited issues, so that IT operational security spend, although reduced, still ensures that an attacker will not simply walk through the front door. Compliance with the baseline is also far more achievable, and an estate that can protect everything to a basic level will be less vulnerable than one that protects only a proportion of systems to a higher degree.

Alongside this programme is a focussed effort on the critical operations of the business. These most critical functions are targeted by motivated attackers rather than by simple tools, and therefore require a human defence against human attackers. By mapping the paths that an attacker would take to target the business, the organisation can focus resources on preventing, detecting and responding to those headline-grabbing incidents.

Just as the Romans would surely have failed if Hadrian’s Wall was the only thing protecting the borders of Britain, so too will organisations fail if a threat based approach is not run alongside more traditional security measures.

Figure 5 Compliance vs Threat Security

Conclusions

We have seen two approaches to security, Compliance Based and Threat Based (or Hadrian’s Wall and the Castra), and Figure 5 provides a useful comparison of the two. Neither approach is the ‘right’ approach to security – if the goal of a security programme is to prevent loss to the company from cyber attack, then only a blended approach to security will be effective.

This blended approach allows a secure baseline to be achieved, preventing more common or opportunistic attacks, whilst focusing resources on protecting the most critical parts of the business. The success of this approach naturally requires a blended effort from the business too, with IT teams working alongside input from senior management.

The rewards of such an approach to security then naturally fall into both camps. More appropriate spending of security budget allows the security team to be more effective, and focussing on critical parts of the business protects the company from being the next Sony, eBay, Target, or JP Morgan.

If I can leave you with one final thought from our scholar Vegetius, it is “Si vis pacem, para bellum”. If you want peace, prepare for war.
