Sandhus Laws of Cyber Security Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber Security University of Texas at San Antonio Chief Scientist TriCipher, Inc. Los Gatos, California Protecting Online Identity

© Ravi Sandhu, 2007 Page 2 Current State of Cyber-Security Practice Password Management In B2E (Business to Employee) Password Management In B2C or B2B (Business to Consumer or Business to Business) Absolutely awful Our security practices have no empirical foundation

© Ravi Sandhu, 2007 Page 3 Wisdom of the Ages The only constant is change Heraclitus 500 BC Change is impossible Parmenides 500 BC Take-away Change is inevitable, escalating and unpredictable but fundamental laws of science never change

© Ravi Sandhu, 2007 Page 4 IP Spoofing Story IP Spoofing predicted in Bell Labs report st Generation firewalls deployed 1992 IP Spoofing attacks proliferate in the wild 1993 VPNs emerge late 1990s Vulnerability shifts to accessing end-point Network Admission Control 2000s

© Ravi Sandhu, 2007 Page 5 Evolution of Phishing Phishing 1.0 Attack: Capture reusable passwords Defense: user education, cookies, pictures Phishing 2.0 Attack: MITM in the 1-way SSL channel, breaks OTPs Defense: 2-way SSL Phishing 3.0 Attack: Browser-based MITM client in front of 2-way SSL Defense: Transaction authentication outside browser Phishing 4.0 Attack: PC-based MITM client in front of 2-way SSL Defense: Transaction authentication outside PC, PC hardening

© Ravi Sandhu, 2007 Page 6 Sandhus Laws of Attackers 1.Attackers exist You will be attacked 2.Attackers have sharply escalating incentive Money, terrorism, warfare, espionage, sabotage, … 3.Attackers are lazy (follow path of least resistance) Attacks will escalate BUT no faster than necessary 4.Attackers are innovative (and stealthy) Eventually all feasible attacks will manifest 5.Attackers are copycats Known attacks will proliferate widely 6.Attackers have asymmetrical advantage Need one point of failure

© Ravi Sandhu, 2007 Page 7 Sandhus Laws of Defenders 1.Defenses are necessary 2.Defenses have escalating scope 3.Defenses raise barriers for attackers 4.Defenses will require new barriers over time 5.Defenses with better barriers have value 6.Defenses will be breached

© Ravi Sandhu, 2007 Page 8 Sandhus Laws of Users 1.Users exist and are necessary 2.Users have escalating exposure 3.Users are lazy and expect convenience 4.Users are innovative and will bypass inconvenient security 5.Users are the weakest link 6.Users expect to be protected

© Ravi Sandhu, 2007 Page 9 Operational Principles A.Prepare for tomorrows attacks, not just yesterdays Good defenders strive to stay ahead of the curve, bad defenders forever lag B.Take care of tomorrows attacks before next years attacks Researchers will and should pursue defense against attacks that will manifest far in the future BUT these solutions will deploy only as attacks catch up C.Use future-proof barriers Defenders need a roadmap and need to make adjustments D.Its all about trade-offs Security, Convenience, Cost

© Ravi Sandhu, 2007 Page 10 Good News There is lots of room for improvement Lots of low-hanging fruit Caveat: obstacles are often political and social There is job security No easy solution No shortage of malicious people