Slide 1: Sandhu’s Laws of Cyber Security
Prof. Ravi Sandhu
Executive Director and Endowed Chair, Institute for Cyber Security, University of Texas at San Antonio
Chief Scientist, TriCipher, Inc., Los Gatos, California
Protecting Online Identity™
Slide 2: Current State of Cyber-Security Practice
- Absolutely awful
- Our security practices have no empirical foundation
  - Password management in B2C or B2B (Business to Consumer or Business to Business)
  - Password management in B2E (Business to Employee)
Slide 3: Wisdom of the Ages
- "The only constant is change" (Heraclitus, ≈ 500 BC)
- "Change is impossible" (Parmenides, ≈ 500 BC)
- Take-away: change is inevitable, escalating and unpredictable, but fundamental laws of science never change
Slide 4: IP Spoofing Story
- IP spoofing predicted in Bell Labs report (≈ 1985)
- 1st-generation firewalls deployed (≈ 1992)
- IP spoofing attacks proliferate in the wild (≈ 1993)
- VPNs emerge (≈ late 1990’s)
- Vulnerability shifts to accessing the end-point: Network Admission Control (≈ 2000’s)
Slide 5: Evolution of Phishing
- Phishing 1.0
  - Attack: capture reusable passwords
  - Defense: user education, cookies, pictures
- Phishing 2.0
  - Attack: MITM in the 1-way SSL channel, breaks OTPs
  - Defense: 2-way SSL
- Phishing 3.0
  - Attack: browser-based MITM client in front of 2-way SSL
  - Defense: transaction authentication outside the browser
- Phishing 4.0
  - Attack: PC-based MITM client in front of 2-way SSL
  - Defense: transaction authentication outside the PC, PC hardening
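The slide's distinction between a one-time password and "transaction authentication outside the browser" is easiest to see in code. The following is an added example, not code from the presentation or from TriCipher: it models a server that can verify either a counter-based OTP (bound only to the session) or a code computed by an out-of-band device over the transaction fields the user read on that device's own display. The secret, account names and the `Server` class are constructed for the illustration. When the transaction presented to the server differs from the one the user approved, the OTP check still passes (it says nothing about the transaction), while the transaction-bound check fails; the nonce set also refuses a replay of an already-accepted code.

```python
import hashlib
import hmac
import secrets

# Constructed example secret, provisioned to the user's out-of-band
# authenticator (hardware token or phone app). The browser never holds it.
DEVICE_SECRET = b"example-device-secret-not-real"


def canonical(tx: dict) -> bytes:
    """Serialise the fields the user must approve, in a fixed order."""
    fields = [tx["from_account"], tx["to_account"],
              f"{tx['amount_cents']:d}", tx["nonce"]]
    return "|".join(fields).encode()


def otp_code(secret: bytes, counter: int) -> str:
    """Event-based one-time code: depends on the secret and a counter only,
    not on the transaction, so it is valid for whatever the server receives."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def transaction_code(secret: bytes, tx: dict) -> str:
    """Transaction-bound code computed on the out-of-band device after the
    user has read from/to/amount on the device's own display."""
    mac = hmac.new(secret, canonical(tx), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Server:
    """Constructed bank-side verifier holding the same device secret."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0
        self.used_nonces = set()

    def accept_with_otp(self, tx: dict, code: str) -> bool:
        """Session-style check: the code is checked, the transaction is not."""
        ok = hmac.compare_digest(code, otp_code(self.secret, self.counter))
        if ok:
            self.counter += 1
        return ok

    def accept_with_transaction_code(self, tx: dict, code: str) -> bool:
        """Verify the code against the transaction the server actually
        received, and refuse a replay of an already-used nonce."""
        if tx["nonce"] in self.used_nonces:
            return False
        ok = hmac.compare_digest(code, transaction_code(self.secret, tx))
        if ok:
            self.used_nonces.add(tx["nonce"])
        return ok


def demo() -> tuple:
    """Return (otp_accepted, txcode_accepted) for a transaction whose
    destination was changed in transit while the user's codes were
    forwarded unchanged. Constructed scenario."""
    server = Server(DEVICE_SECRET)
    intended = {"from_account": "ACC-1", "to_account": "ACC-PAYEE",
                "amount_cents": 5000, "nonce": secrets.token_hex(8)}
    altered = dict(intended, to_account="ACC-OTHER")
    user_otp = otp_code(DEVICE_SECRET, 0)
    user_txcode = transaction_code(DEVICE_SECRET, intended)
    return (server.accept_with_otp(altered, user_otp),
            server.accept_with_transaction_code(altered, user_txcode))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The design point is the input to the MAC: binding the code to the canonical transaction fields, displayed and confirmed on a device the browser cannot drive, is what makes the server's check meaningful against a client-side MITM; hardening the PC (Phishing 4.0) addresses the case where the approval device itself is the compromised host.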
Slide 6: Sandhu’s Laws of Attackers
- Attackers exist: you will be attacked
- Attackers have sharply escalating incentive: money, terrorism, warfare, espionage, sabotage, …
- Attackers are lazy (follow the path of least resistance): attacks will escalate BUT no faster than necessary
- Attackers are innovative (and stealthy): eventually all feasible attacks will manifest
- Attackers are copycats: known attacks will proliferate widely
- Attackers have an asymmetrical advantage: need one point of failure
Slide 7: Sandhu’s Laws of Defenders
- Defenses are necessary
- Defenses have escalating scope
- Defenses raise barriers for attackers
- Defenses will require new barriers over time
- Defenses with better barriers have value
- Defenses will be breached
Slide 8: Sandhu’s Laws of Users
- Users exist and are necessary
- Users have escalating exposure
- Users are lazy and expect convenience
- Users are innovative and will bypass inconvenient security
- Users are the weakest link
- Users expect to be protected
Slide 9: Operational Principles
- Prepare for tomorrow’s attacks, not just yesterday’s: good defenders strive to stay ahead of the curve, bad defenders forever lag
- Take care of tomorrow’s attacks before next year’s attacks: researchers will and should pursue defense against attacks that will manifest far in the future, BUT these solutions will deploy only as attacks catch up
- Use future-proof barriers: defenders need a roadmap and need to make adjustments
- It’s all about trade-offs: security, convenience, cost
Slide 10: Good News
- There is lots of room for improvement
  - Lots of low-hanging fruit
  - Caveat: obstacles are often political and social
- There is job security
  - No easy solution
  - No shortage of malicious people