IT Fighting Tactics of the Genghis Khan – 3 Lessons an IT Leader can learn from studying the Mongols! & 2 things you can do about it!

Genghis khanIt is ironic that as I was writing this article that I read on Aug 6 that Russian Hackers Steal More than 1 Billion Passwords. All those passwords are gone!

The fascinating thing is that in the early 1200s Genghis Khan was a similar threat to China, Eastern Europe, Middle East. He was a ruthless, petrifying, frightening threat in his own day.

What are the lessons that you can learn? What can you do about it?

  1. A small adversary can be a BIG one with an Intelligence Network.
  2. Monitoring and listening to subtle clues is where the new IT Security analytics game is being played. You are being exploited by nuance and subtlety and not by brute force.
  3. Walled Defenses are a thing of the past. Mobility and Cloud is ensuring this happens at lightning speed.

Let’s get into the specifics – Last week I was listening to the Hardcore History Channel podcast. It is an amazing history podcast that Dan Carlin puts together, stunning in research and depth. As I listened to Part III of the multi-part series of Genghis Khan Wrath of the Khans III it was striking for me the similarity today to IT security and the Brutal Mongol conquests in the early 1200s. In the podcast III Dan chronicles Genghis’ generals who were sent on a scouting mission into what is now Russia and the city of Kiev. It also reviews Genghis’ push westward it is known that much as modern day Turkey, China and parts of Eastern Europe.

In case you are interested in starting from the beginning, here is podcast Wrath of the Khans I and II.

Historians consider these areas of the world to have been advanced militarily, however they were utterly unprepared for the Mongol ‘might’, ‘mindset’, ‘sophisticating’, ‘leadership’, ‘brutality’ and discipline. The Mongol army was typically a fraction of the size of it’s enemies and yet tore through them like a hot knife through butter.

What I like is that Genghis Kahn liked to scout territory before he tried to conquer. Remember ten years ago when DDoS ‘brute force attacks’ were the only tough attacks. Well this was never Genghis’ style. He liked to understand the people that he was about to attack so that he could exploit weaknesses between clans and various peoples in the regions he would attack. If he knew that a certain people didn’t like one another he would ally himself with this group beforehand. If he knew religious intolerance was a big problem, he would claim to be religiously tolerant before attacking. The examples are many. The key here is that he would exploit a weakness before attacking.

This makes sense today with our modern communication but for a society in the 1200s it is a bit inspiring. Intelligence was crucial for him since he was always tremendously outnumbered on paper. Hackers today are similar. They are patient and take their time exploiting vulnerable networks. They wait and try to take over one system and then use elevated privileges to exploit data in another.

These hackers are HIGHLY motivated individuals and are exploiting organizations that are much larger than them using subtle techniques and sophistication. The big can can take down the small.

Two Things You Can Do About It?

1) Passwords: One of the best password management products that I have sold has been Thycotic. Don’t go numb with this topic. It seems boring, but is much more dynamic and potentially a big security risk that you think. Roles based access to the network and applications and cloud vendors is where the industry is going for small to medium businesses. To ensure that your clans (intersystem communication) are not compromised ensure that your passwords are vaulted. You won’t know that your passwords are compromised unless you approach password management from a different perspective.

Listen to this Fox interview with the Thycotic CEO in response to this breach I mentioned in sentence one.

2) Monitoring and Intelligence Gathering: Yes I know you have a monitoring system, but I also know that they are not being watched the way I would want them to. And, even if they are being watched what I am most concerned with is the subtle clues. You need to understand subtle clues of intersystem compromise. This can only be done with deep investment in security teams which most companies can’t afford or you can leverage Cloud Security Analytics vendors or MSP providers that use cloud security analytics teams to augment their own security teams. Two of my favorites are Alert Logic (for Cloud Security Analytics) and (……yes a subtle plug RedZone Technologies)

Don’t under estimate the threat. A small, agile, mobile threat requires new and creative methods of security. You can do it!

I have created two educational videos that highlight this problem in more detail.

1) Vid 1 – More of a mid level technical review of the exploits. It lasts a little over 2 minutes

2) Vid 2 – A business level…also about 2 minutes for you to educate whoever will be funding your future IT Security projects