Sandhu - PowerPoint PPT Presentation

1

Protecting Online Identity
  • Sandhu's Laws of Cyber Security
  • Prof. Ravi Sandhu
  • Executive Director and Endowed Chair
  • Institute for Cyber Security
  • University of Texas at San Antonio
  • Chief Scientist
  • TriCipher, Inc.
  • Los Gatos, California

2
Current State of Cyber-Security Practice
  • Absolutely awful
  • Our security practices have no empirical
    foundation

(Diagram: password management in B2C or B2B (business to consumer or business to business) versus B2E (business to employee))
3
Wisdom of the Ages
  • "The only constant is change" (Heraclitus, c. 500 BC)
  • "Change is impossible" (Parmenides, c. 500 BC)

Take-away: change is inevitable, escalating and unpredictable, but the fundamental laws of science never change.
4
IP Spoofing Story
  • IP spoofing predicted in a Bell Labs report, 1985
  • 1st generation firewalls deployed, 1992
  • IP spoofing attacks proliferate in the wild, 1993
  • VPNs emerge, late 1990s
  • Vulnerability shifts to the end-point itself
  • Network Admission Control, 2000s

5
Evolution of Phishing
  • Phishing 1.0
    • Attack: capture reusable passwords
    • Defense: user education, cookies, pictures
  • Phishing 2.0
    • Attack: MITM in the 1-way SSL channel; breaks OTPs
    • Defense: 2-way SSL
  • Phishing 3.0
    • Attack: browser-based MITM client in front of 2-way SSL
    • Defense: transaction authentication outside the browser
  • Phishing 4.0
    • Attack: PC-based MITM client in front of 2-way SSL
    • Defense: transaction authentication outside the PC, PC hardening
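The slide's distinction between an OTP (defeated by the Phishing 2.0 MITM) and transaction authentication (the Phishing 3.0/4.0 defense) comes down to what the user's secret is bound to. The following is an added example, not code from the presentation or from TriCipher: it is a hypothetical scheme in which an out-of-band device computes an HMAC-derived code over the transaction it displays, and simulates a relay MITM against both a plain counter OTP and the transaction-bound code. The secret, field names, truncation length and scenario functions are all assumptions made for the illustration.

```python
import hashlib
import hmac

# Hypothetical per-user secret provisioned on the out-of-band device
# (constructed for this example; a real deployment would use random bytes).
USER_SECRET = b"per-user secret provisioned on the out-of-band device"


def canonical(txn: dict) -> bytes:
    """Deterministic encoding of the fields an attacker must not be able to alter."""
    return "|".join(f"{k}={txn[k]}" for k in sorted(txn)).encode()


def truncate(mac: bytes, digits: int = 8) -> str:
    """HOTP-style dynamic truncation (RFC 4226, section 5.3) to a short code."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def counter_otp(secret: bytes, counter: int) -> str:
    """Plain OTP: keyed to a counter only, not to what the user is approving."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return truncate(mac)


def transaction_code(secret: bytes, txn: dict) -> str:
    """Code bound to the transaction shown on the separate device."""
    mac = hmac.new(secret, canonical(txn), hashlib.sha256).digest()
    return truncate(mac)


def server_accepts_otp(secret: bytes, counter: int, received_txn: dict, code: str) -> bool:
    # The server only checks the counter; it has no way to know which
    # transaction the user actually saw, so received_txn is not verified.
    return hmac.compare_digest(counter_otp(secret, counter), code)


def server_accepts_txn(secret: bytes, received_txn: dict, code: str) -> bool:
    # The server recomputes the code over the transaction it received.
    return hmac.compare_digest(transaction_code(secret, received_txn), code)


# Constructed sample transactions: what the user meant, and what the MITM sends.
INTENDED = {"to": "ACME Utilities", "amount": "120.00", "currency": "USD"}
TAMPERED = {"to": "mule-account-4711", "amount": "4900.00", "currency": "USD"}


def mitm_with_otp(counter: int = 42) -> bool:
    """Phishing 2.0: the user types the token's OTP into the attacker's page;
    the MITM forwards it together with a different transaction.
    Returns True if the bank accepts the tampered transaction."""
    captured_otp = counter_otp(USER_SECRET, counter)
    return server_accepts_otp(USER_SECRET, counter, TAMPERED, captured_otp)


def mitm_with_transaction_code() -> bool:
    """Phishing 3.0/4.0 defense: the device computed the code over INTENDED,
    which it displayed to the user; the MITM relays that code with TAMPERED.
    Returns True if the bank accepts the tampered transaction."""
    captured_code = transaction_code(USER_SECRET, INTENDED)
    return server_accepts_txn(USER_SECRET, TAMPERED, captured_code)


def honest_with_transaction_code() -> bool:
    """No MITM: the transaction the device signed is the one the bank receives."""
    code = transaction_code(USER_SECRET, INTENDED)
    return server_accepts_txn(USER_SECRET, INTENDED, code)


if __name__ == "__main__":
    print("OTP relay, tampered transaction accepted:", mitm_with_otp())
    print("Transaction-code relay, tampered transaction accepted:", mitm_with_transaction_code())
    print("Honest transaction-code flow accepted:", honest_with_transaction_code())
```

The point the example makes is the one on the slide: a 2-way SSL channel does nothing against a client sitting in front of it, and an OTP proves only that the user holds the token, not what the user agreed to. The transaction code is only as trustworthy as the display it is computed over, which is why the defense moves from the browser (3.0) to a device outside the PC (4.0). A real scheme would also fold a server-issued nonce or counter into the signed fields so a code cannot be replayed for an identical transaction; that is omitted here to keep the contrast visible.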

6
Sandhu's Laws of Attackers
  • Attackers exist
    • You will be attacked
  • Attackers have sharply escalating incentive
    • Money, terrorism, warfare, espionage, sabotage, ...
  • Attackers are lazy (follow the path of least resistance)
    • Attacks will escalate, BUT no faster than necessary
  • Attackers are innovative (and stealthy)
    • Eventually all feasible attacks will manifest
  • Attackers are copycats
    • Known attacks will proliferate widely
  • Attackers have an asymmetrical advantage
    • They need only one point of failure

7
Sandhu's Laws of Defenders
  1. Defenses are necessary
  2. Defenses have escalating scope
  3. Defenses raise barriers for attackers
  4. Defenses will require new barriers over time
  5. Defenses with better barriers have value
  6. Defenses will be breached

8
Sandhu's Laws of Users
  1. Users exist and are necessary
  2. Users have escalating exposure
  3. Users are lazy and expect convenience
  4. Users are innovative and will bypass inconvenient
    security
  5. Users are the weakest link
  6. Users expect to be protected

9
Operational Principles
  • Prepare for tomorrow's attacks, not just yesterday's
    • Good defenders strive to stay ahead of the curve; bad defenders forever lag
  • Take care of tomorrow's attacks before next year's attacks
    • Researchers will and should pursue defenses against attacks that will manifest far in the future, BUT these solutions will deploy only as the attacks catch up
  • Use future-proof barriers
    • Defenders need a roadmap and need to make adjustments
  • It's all about trade-offs
    • Security, convenience, cost

10
Good News
  • There is lots of room for improvement
    • Lots of low-hanging fruit
    • Caveat: obstacles are often political and social
  • There is job security
    • No easy solution
    • No shortage of malicious people