The IT Security ChallengePeter Cochrane

ca-global.orgcochrane.org.uk

COCHRANEa s s o c i a t e s

Attack Surface =

The Planet

Target Profile =

Vast

Attackers =

Relentless

Scale > WWIII

Rewards = Huge

Solutions?

“keeping at least one move ahead”

Digital Camouflage

“everything is on-line and accessible, but it doesn’t

have to be obvious/explicit”

Encryption

“is never 100% secure”

Hidden in Pictures

‘steganography’

Disassociation

“of everything at all levels is very confusing

for the enemy”

Fractalization

“repeated patterns that look almost the same are very

difficult to deal with”

Path Encoding

“dynamically fast or slow path changes by message, part message or the byte”

Path Diversity& Dependence

“routings are agreed and dynamically randomised to act as a path hiding &

authentication mechanisms with split data, coding and

decoding information”

Form Diversity

“all are flowers, but not all are the same”

A priori Knowledge

“something only you know”

Smoke Screens & False Trails

Cryptic Messages & Replies

Split Media

“perhaps the ultimate jigsaw”

No Hierarchy

“flat structures give few if any clues”

Location Spreading & Encoding

“multi-location & addressed components required to

rebuild the whole”

Snares, Traps & Honey Pots

“we don’t have to be totally passive - we can be nasty”

Damaging Response & Retaliation

“return fire could take down servers, sites, machines, but risks escalation in return”

Cochrane’s Laws of Security

1) Resources are deployed inversely proportional to actual risk

2) Perceived risk never = actual risk

3) Security people are never their own customer

4) Cracking systems is 100x more fun than defending them

5) Security standards are an oxymoron

6) There is always a threat

7) The biggest threat is always in a direction you’re not looking

8) You need two security groups - one to defend & one to attack

9) People expect 100% electronic security

10) Nothing is 100% secure

11) Security and operational requirements are mutually exclusive

12) Hackers are smarter than you - they are younger!

13) Legislation is always > X years behind

14) As life becomes faster and chaotic - it becomes less secure -

but the good news is - half lives are getting shorter too!

15) People are the number 1 risk factor - machines are perverse - but

they aint devious - yet!

Cochrane’s Laws of Security

ID Extras !

Something you: - are - exhibit - know - posses - share

We cannot afford to relax, ever!

Most Importantly - always ask the right questions:

- does it need to be secure?- how secure?- what is the risk?- what is the cost?- who is the attacker?- where are they?- what is their capability?

Thank You

COCHRANEa s s o c i a t e s

ca-global.orgcochrane.org.uk