Sandhu's Laws of Cyber Security - PowerPoint PPT Presentation

Slides: 11
Provided by: seth4

Transcript and Presenter's Notes

1

Protecting Online Identity
  • Sandhu's Laws of Cyber Security
  • Prof. Ravi Sandhu
  • Executive Director and Endowed Chair
  • Institute for Cyber Security
  • University of Texas at San Antonio
  • Chief Scientist
  • TriCipher, Inc.
  • Los Gatos, California

2
Current State of Cyber-Security Practice
  • Absolutely awful
  • Our security practices have no empirical
    foundation

Password Management in B2C or B2B (Business to
Consumer or Business to Business)
Password Management in B2E (Business to Employee)
3
Wisdom of the Ages
  • "The only constant is change" (Heraclitus, c. 500 BC)
  • "Change is impossible" (Parmenides, c. 500 BC)

Take-away: change is inevitable, escalating and
unpredictable, but the fundamental laws of science
never change
4
IP Spoofing Story
  • IP Spoofing predicted in Bell Labs report 1985
  • 1st Generation firewalls deployed 1992
  • IP Spoofing attacks proliferate in the wild
    1993
  • VPNs emerge late 1990s
  • Vulnerability shifts to the end-point (the VPN tunnel is
    only as trustworthy as the machine at its end)
  • Network Admission Control 2000s

5
Evolution of Phishing
  • Phishing 1.0
    • Attack: capture reusable passwords
    • Defense: user education, cookies, pictures
  • Phishing 2.0
    • Attack: real-time MITM proxy in the 1-way SSL channel
      (only the server is authenticated); the proxy relays
      the user's one-time password, so OTPs alone do not help
    • Defense: 2-way SSL (the client is authenticated too, so
      the proxy cannot stand in for the user)
  • Phishing 3.0
    • Attack: browser-based MITM client sitting in front of
      the 2-way SSL endpoint, inside the authenticated session
    • Defense: transaction authentication outside the browser
  • Phishing 4.0
    • Attack: PC-based MITM client in front of 2-way SSL
    • Defense: transaction authentication outside the PC,
      PC hardening
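The Phishing 2.0 to 3.0 step above, worked through in code. This is an added example and not part of the original presentation: a real-time MITM proxy relays a plain OTP together with altered payee and amount, and the bank accepts it because nothing binds the code to the transaction; a code computed over the fields the user confirmed on a separate device (the slide's "transaction authentication outside the browser") fails verification when the proxy alters them. The shared secret, account names, counter and the `|`-delimited field encoding are constructed for the demonstration; the HOTP routine follows RFC 4226.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between the bank and the user's token.
# Hypothetical value for this illustration; a real token is provisioned
# with a random per-device key.
DEVICE_SECRET = b"constructed-demo-secret-do-not-use"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31 bits taken at an offset chosen by the
    low nibble of the last MAC byte, reduced to the requested digit count."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Plain event-based OTP (HOTP, HMAC-SHA1 over an 8-byte counter).
    Depends only on the secret and the counter: nothing in the code says
    what the user is approving."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_code(secret: bytes, counter: int, tx: dict, digits: int = 8) -> str:
    """Transaction-bound code: the out-of-band device displays payee and
    amount to the user and MACs exactly those fields. The '|' encoding is a
    constructed convention for the demo (fields must not contain '|')."""
    msg = f"{counter}|{tx['from']}|{tx['to']}|{tx['amount']}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


def bank_verify_otp(counter: int, tx: dict, code: str) -> bool:
    """Bank check for the OTP scheme. `tx` is unused: the code cannot be
    tied to the transaction the bank actually received."""
    return hmac.compare_digest(code, hotp(DEVICE_SECRET, counter))


def bank_verify_transaction(counter: int, tx: dict, code: str) -> bool:
    """Bank recomputes the MAC over the transaction *it* received."""
    return hmac.compare_digest(code, transaction_code(DEVICE_SECRET, counter, tx))


# What the user means to do, and what the phishing proxy submits instead
# (constructed sample data).
INTENDED = {"from": "user-0001", "to": "alice-savings", "amount": "100.00"}
ALTERED = dict(INTENDED, to="attacker-mule", amount="9000.00")
COUNTER = 42  # a real bank also rejects reused counters, which is why the
              # proxy has to relay in real time rather than replay later


def relay_against_otp() -> bool:
    """Phishing 2.0: the user types the OTP into the fake site; the proxy
    forwards it with a different payee and amount. Returns whether the
    bank accepts the altered transaction."""
    code = hotp(DEVICE_SECRET, COUNTER)  # read off the token, unrelated to INTENDED
    return bank_verify_otp(COUNTER, ALTERED, code)


def relay_against_transaction_auth() -> bool:
    """Phishing 3.0 defense: the code was computed over INTENDED on a device
    the proxy does not control, so the same relay fails for ALTERED."""
    code = transaction_code(DEVICE_SECRET, COUNTER, INTENDED)
    return bank_verify_transaction(COUNTER, ALTERED, code)


def legitimate_transaction_ok() -> bool:
    """Sanity check: an unaltered transaction still verifies."""
    code = transaction_code(DEVICE_SECRET, COUNTER, INTENDED)
    return bank_verify_transaction(COUNTER, INTENDED, code)


if __name__ == "__main__":
    print("OTP relayed with altered transaction accepted:", relay_against_otp())
    print("Transaction-bound code relayed with altered transaction accepted:",
          relay_against_transaction_auth())
    print("Legitimate transaction accepted:", legitimate_transaction_ok())
```

The binding only helps if the device that shows the payee and amount is outside the attacker's reach; that is exactly the slide's distinction between 3.0 (a MITM in the browser, so the confirmation must happen outside the browser) and 4.0 (a MITM on the PC, so it must happen outside the PC). The field encoding must also be unambiguous, otherwise two different transactions could serialize to the same MAC input.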

6
Sandhu's Laws of Attackers
  • Attackers exist
    • You will be attacked
  • Attackers have sharply escalating incentive
    • Money, terrorism, warfare, espionage, sabotage, ...
  • Attackers are lazy (follow the path of least
    resistance)
    • Attacks will escalate, BUT no faster than
      necessary
  • Attackers are innovative (and stealthy)
    • Eventually all feasible attacks will manifest
  • Attackers are copycats
    • Known attacks will proliferate widely
  • Attackers have an asymmetrical advantage
    • They need only one point of failure

7
Sandhu's Laws of Defenders
  • Defenses are necessary
  • Defenses have escalating scope
  • Defenses raise barriers for attackers
  • Defenses will require new barriers over time
  • Defenses with better barriers have value
  • Defenses will be breached

8
Sandhu's Laws of Users
  • Users exist and are necessary
  • Users have escalating exposure
  • Users are lazy and expect convenience
  • Users are innovative and will bypass inconvenient
    security
  • Users are the weakest link
  • Users expect to be protected

9
Operational Principles
  • Prepare for tomorrow's attacks, not just
    yesterday's
    • Good defenders strive to stay ahead of the curve;
      bad defenders forever lag
  • Take care of tomorrow's attacks before next
    year's attacks
    • Researchers will and should pursue defenses
      against attacks that will manifest far in the
      future, BUT these solutions will deploy only as
      the attacks catch up
  • Use future-proof barriers
    • Defenders need a roadmap and need to make
      adjustments
  • It's all about trade-offs
    • Security, convenience, cost

10
Good News
  • There is lots of room for improvement
    • Lots of low-hanging fruit
    • Caveat: obstacles are often political and social
  • There is job security
    • No easy solution
    • No shortage of malicious people