IT Security
Observations and weak spots plus rules for security activists
The IT Security Challenge
Peter Cochrane
ca-global.org
cochrane.org.uk
Cochrane Associates
Attack Surface = The Planet
Target Profile = Vast
Attackers = Relentless
Scale > WWIII
Rewards = Huge
Solutions?
“keeping at least one move ahead”
Digital Camouflage
“everything is on-line and accessible, but it doesn’t have to be obvious/explicit”
Encryption
“is never 100% secure”
Hidden in Pictures
‘steganography’
Disassociation
“of everything at all levels is very confusing for the enemy”
Fractalization
“repeated patterns that look almost the same are very difficult to deal with”
Path Encoding
“dynamically fast or slow path changes by message, part message or the byte”
Path Diversity & Dependence
“routings are agreed and dynamically randomised to act as path hiding & authentication mechanisms, with split data, coding and decoding information”
Form Diversity
“all are flowers, but not all are the same”
A priori Knowledge
“something only you know”
Smoke Screens & False Trails
Cryptic Messages & Replies
Split Media
“perhaps the ultimate jigsaw”
No Hierarchy
“flat structures give few if any clues”
Location Spreading & Encoding
“multi-location & addressed components required to rebuild the whole”
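Split Media and Location Spreading both rest on the same property: no single piece is useful, and the whole only rebuilds when enough pieces are brought together. Shamir's secret sharing is one concrete mechanism with that property; the block below is an added example, not code from the deck or from Cochrane Associates, and the function names, the threshold k and share count n are my own choices. It works byte by byte in GF(2^8) (the AES field) so every share is exactly the size of the secret, and any k of the n shares rebuild it while k-1 shares are indistinguishable from random.

```python
import secrets

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def gf_inv(a: int) -> int:  # a^254 == a^-1 in GF(2^8); a must be non-zero
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def split_secret(data: bytes, k: int, n: int) -> list[tuple[int, bytes]]:
    """Shamir split: n shares (x, ys); any k rebuild data, fewer learn nothing."""
    if not 2 <= k <= n <= 255:
        raise ValueError("need 2 <= k <= n <= 255")
    ys = [bytearray() for _ in range(n)]
    for byte in data:
        # random polynomial of degree k-1 whose constant term is this byte
        coeffs = [byte] + list(secrets.token_bytes(k - 1))
        for idx in range(n):
            x, acc = idx + 1, 0
            for c in reversed(coeffs):          # Horner evaluation at x
                acc = gf_mul(acc, x) ^ c
            ys[idx].append(acc)
    return [(idx + 1, bytes(ys[idx])) for idx in range(n)]

def rebuild_secret(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange-interpolate each byte position at x = 0 from the given shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("share indices must be unique")
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for xj, yj in shares:
            basis = 1                              # prod_{m != j} x_m / (x_j + x_m)
            for xm, _ in shares:
                if xm != xj:
                    basis = gf_mul(basis, gf_mul(xm, gf_inv(xj ^ xm)))
            acc ^= gf_mul(yj[i], basis)
        out.append(acc)
    return bytes(out)
```

Handing fewer than k shares to rebuild_secret does not fail loudly: it returns well-formed bytes that are simply wrong, which is the point of the scheme and also why the holders must agree on k out of band.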
Snares, Traps & Honey Pots
“we don’t have to be totally passive - we can be nasty”
Damaging Response & Retaliation
“return fire could take down servers, sites, machines, but risks escalation in return”
Cochrane’s Laws of Security
1) Resources are deployed inversely proportional to actual risk
2) Perceived risk never = actual risk
3) Security people are never their own customer
4) Cracking systems is 100x more fun than defending them
5) Security standards are an oxymoron
6) There is always a threat
7) The biggest threat is always in a direction you’re not looking
8) You need two security groups - one to defend & one to attack
9) People expect 100% electronic security
10) Nothing is 100% secure
11) Security and operational requirements are mutually exclusive
12) Hackers are smarter than you - they are younger!
13) Legislation is always > X years behind
14) As life becomes faster and chaotic - it becomes less secure - but the good news is - half lives are getting shorter too!
15) People are the number 1 risk factor - machines are perverse - but they ain't devious - yet!
ID Extras!
Something you: are, exhibit, know, possess, share
We cannot afford to relax, ever!
Most Importantly - always ask the right questions:
- does it need to be secure?
- how secure?
- what is the risk?
- what is the cost?
- who is the attacker?
- where are they?
- what is their capability?
Thank You