The raison d'être of this site is to define just what is “the nature of security.” I introduced this meme with the first article on this site – http://michaeltheroux.com/2011/08/08/nature-and-the-fallacy-of-idealism-in-security/ – and I’ll continue to expound on this necessary process of security acculturation to move away from the current and accepted haphazard epistemology. My forthcoming book, Nature on Security, develops this idea in great detail, and will be available in January of 2013.
Nature provides a framework of security that outshines any unnaturally derived theoretical model in existence. And its methodology is simple. Let’s briefly delineate how the animal kingdom has developed a simplified system of protection. Animals have 5 basic responses to danger:
4. Camouflage and Deception
Many animals utilize one, or maybe two of these responses at a time – some utilize all of them. What if we could apply these 5 basic responses to computer security? Let’s summarize how this model could play out against malicious attacks – step by step.
You would be correct to assume that this technique for avoiding attacks is mostly unusable where computers are concerned: your machine is identified by a fixed location, so it can’t simply run away. One way to potentially solve this would be to “trunk” all network connections (there are companies that offer this). “Trunking” (as paraphrased from Wikipedia) is a concept by which a communications system can provide network access to many clients by sharing a set of lines or frequencies instead of providing them individually. This method has been used in two-way radio communications for many years, where “trunking” refers to the ability of transmissions to be served by free channels whose availability is determined by algorithmic protocols. So, instead of having a fixed IP address, your IP would change constantly as the site controller assigns addresses from the available pool. The familiar “Tor” application currently does something similar in the browser environment by resisting traffic analysis of internet connections, but it lacks protection against end-to-end timing attacks (if your attacker can watch the traffic leaving your computer and also the traffic arriving at your chosen destination, they can use statistical analysis to discover that the two are part of the same communication). While this computer analogy is somewhat akin to the nature of “fleeing,” it still doesn’t solve the issue that most computers reside in a fixed location and cannot run away.
Real network trunking, implemented between ISP and endpoint, would obscure the actual location of the endpoint, or more correctly, the point of origin of the communication (because the IP assigned to the computer changes constantly).
Unfortunately, if this trunking were adopted, it is almost certain that someone would develop “trunk following” in short order (much as it was developed for radio scanners). And if this architectural shift were adopted, it would of course present several other security nightmares if managed incorrectly, add complexity to systems, and may add latency to the network. This technology is currently available and, overall, adds an ever-changing secure layer to a normally fixed target.
Again, warnings to potential attackers won’t do much where computer assaults are concerned – hackers will simply ignore them, and automated malware can’t read. But the slap of a beaver’s tail doesn’t so much warn the attacker to stay away – it warns other beavers in the vicinity that danger is present. If computers that first recognized danger from a malware attack were able to warn other computers on the same network that danger is present, the network may be better able to proactively protect itself. This can be accomplished by incorporating it into locally installed antivirus (AV) applications. The AV application installed on a single computer on the network detects the presence of malicious code from its signature file, and then warns all computers on the network to check that they have the signature installed to detect the malware, and/or to check whether a patch needs to be installed to avoid the exploit. With automation, this technique could then install signature files or patches where necessary, thus reducing the impact to the network.
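The “beaver’s tail” model described above, as an added example that is not part of the original article: a small simulation in which one host’s signature match is broadcast to its peers, peers that lack the signature install it automatically, and every peer rescans so that hosts already carrying the same sample are reported. The host names, signature id `SIG-0001`, file names and file contents are all constructed for the demo; there is no real antivirus engine behind it.

```python
"""Added example (not from the article): a toy network of hosts that share a
malware detection with their peers, the 'beaver tail slap' model.
All hosts, signatures and file contents below are constructed for the demo."""
import hashlib
from dataclasses import dataclass, field

# Constructed byte strings standing in for a malicious file and a benign one.
SAMPLE_MALWARE = b"constructed-sample-malware-bytes-v1"
SAMPLE_BENIGN = b"constructed-benign-document"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Host:
    name: str
    signatures: dict            # sig_id -> content hash this host's AV knows
    files: dict                 # filename -> bytes on this host's disk
    alerts: list = field(default_factory=list)

    def scan(self):
        """Return (sig_id, filename) pairs that match this host's own signatures."""
        hits = []
        for sig_id, known_hash in self.signatures.items():
            for fname, data in self.files.items():
                if sha256(data) == known_hash:
                    hits.append((sig_id, fname))
        return hits


class Network:
    def __init__(self, hosts):
        self.hosts = {h.name: h for h in hosts}
        self.log = []           # (host, action taken, infected?) per peer

    def broadcast(self, origin, sig_id, content_hash):
        """One host's detection becomes a warning to every peer: peers missing
        the signature install it (the automation step), then rescan, and any
        peer whose files already contain the sample is reported as infected."""
        for h in self.hosts.values():
            if h.name == origin:
                continue
            action = "already_had_signature"
            if sig_id not in h.signatures:
                h.signatures[sig_id] = content_hash
                action = "signature_installed"
            infected = any(s == sig_id for s, _ in h.scan())
            h.alerts.append((sig_id, action, infected))
            self.log.append((h.name, action, infected))
        return self.log


def respond_to_detection(net, origin_name):
    """Scan the origin host; every local hit is broadcast to the network."""
    origin = net.hosts[origin_name]
    hits = origin.scan()
    for sig_id, _fname in hits:
        net.broadcast(origin_name, sig_id, origin.signatures[sig_id])
    return hits


def build_demo_network():
    sig = {"SIG-0001": sha256(SAMPLE_MALWARE)}   # constructed signature id
    alpha = Host("alpha", dict(sig), {"invoice.exe": SAMPLE_MALWARE})  # up to date; sees it first
    bravo = Host("bravo", {}, {"notes.txt": SAMPLE_BENIGN})            # outdated AV, clean
    charlie = Host("charlie", {}, {"update.exe": SAMPLE_MALWARE})      # outdated AV, already infected
    return Network([alpha, bravo, charlie])


def run_demo():
    """Returns the origin's hits and the per-peer log for inspection."""
    net = build_demo_network()
    hits = respond_to_detection(net, "alpha")
    return hits, net.log


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry)
```

The interesting line in the log is charlie: it had no way to detect the sample on its own, and only the warning from alpha (plus the automated signature push) turns a silent infection into a reported one, which is the whole point of the tail slap.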
Now we’re entering the realm of usable and accepted responses to attacks that are already operational. Armor varies greatly in the animal kingdom, but all armor has the simple function of protecting the victim from attacks. Our computer firewalls are our armor, and while there are many varieties of firewalls, they all serve the same basic purpose – they simply deter malicious attacks by controlling access in and out of our networks, both internal and external. They are like the great walls that keep out our enemies, the moats of castles, and the science-fiction force shields – and, left to that simple purpose alone, they can inevitably be breached.
One must not rely solely upon these crude blockades – many a fortress has been sacked due to this Pollyannaish reliance on the security of a secure facade. Like the genius of the Trojan Horse that finally allowed the Greeks to enter the city of Troy, malware has conveniently disguised itself as a friend, and piggybacked upon applications already accepted as legitimate by the firewalls in place.
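To make the “armor can be breached” point concrete, here is an added example (not the article’s own code) of a tiny rule-based packet filter. The ruleset, process names and IP addresses are constructed; the addresses come from the documentation ranges. The first-match, default-deny filter correctly stops an inbound probe, but it also waves through an outbound connection on port 443 opened by an unknown program, because a port-and-address rule has no notion of *who* is talking or *why*. A second, process-aware egress layer behind the firewall is what catches that Trojan horse.

```python
"""Added example (not from the article): a minimal first-match, default-deny
packet filter beside a second egress layer that looks at the owning process
and destination reputation. Every rule, host, process and address is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")

# Constructed stand-in for an application allowlist on the endpoint.
ALLOWED_PROCESSES = {"browser.exe", "mail.exe", "dns-resolver"}


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" or "out", relative to the protected host
    src: str
    dst: str
    dport: int
    process: str     # local program that owns the socket (unknown to a pure packet filter)
    dst_known: bool  # constructed stand-in for "destination is on an approved list"


# Constructed ruleset: (direction, network the far side must be in or None, dport or None, action).
# First match wins; anything that matches nothing is denied.
RULES = [
    ("out", None, 443, "allow"),      # HTTPS out to anywhere
    ("out", None, 53, "allow"),       # DNS out to anywhere
    ("in", INTERNAL, 22, "allow"),    # SSH in, but only from the internal range
    ("in", None, None, "deny"),
]


def firewall_decision(flow: Flow) -> str:
    """The 'armor': decides purely on direction, far-side address and port."""
    far_side = ip_address(flow.src if flow.direction == "in" else flow.dst)
    for direction, net, port, action in RULES:
        if direction != flow.direction:
            continue
        if net is not None and far_side not in net:
            continue
        if port is not None and port != flow.dport:
            continue
        return action
    return "deny"


def layered_decision(flow: Flow) -> str:
    """Firewall first, then a host-side egress check on the process and destination.
    This second layer is what the Trojan horse cannot disguise itself from."""
    if firewall_decision(flow) == "deny":
        return "deny"
    if flow.direction == "out" and flow.process not in ALLOWED_PROCESSES:
        return "deny"
    if flow.direction == "out" and not flow.dst_known:
        return "deny"
    return "allow"


# Constructed sample traffic. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = {
    "inbound_rdp_probe":   Flow("in", "203.0.113.5", "10.1.2.3", 3389, "-", False),
    "inbound_internal_ssh": Flow("in", "10.9.9.9", "10.1.2.3", 22, "-", True),
    "browser_https":       Flow("out", "10.1.2.3", "203.0.113.10", 443, "browser.exe", True),
    # Malware riding the HTTPS rule: same port the browser is allowed to use.
    "trojan_over_https":   Flow("out", "10.1.2.3", "198.51.100.7", 443, "updater_helper.exe", False),
}


def evaluate_all():
    """Returns {label: (firewall verdict, layered verdict)} for the sample flows."""
    return {label: (firewall_decision(f), layered_decision(f)) for label, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, (fw, layered) in evaluate_all().items():
        print(f"{label:22s} firewall={fw:5s} layered={layered}")
```

The row to look at is `trojan_over_https`: the firewall says allow, because port 443 outbound is legitimate traffic for the browser, and only the layer that knows which process opened the socket says deny.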
CAMOUFLAGE AND DECEPTION
The animal kingdom has a long and ancient history of camouflaging its presence, either to avoid attacks by predators or to disguise itself from prey. The chameleon, the leopard, the walking stick insect, and so many others all disguise themselves by blending in with their surroundings so that predators and/or prey have great difficulty seeing them. They simply do their best to appear as something they are not. This stealthy security circumvents most attacks from predators and likewise lulls prey into a false sense of security. Since hackers and automated malware often initially assess the viability of their targets before an attack, the stealthy methodology of camouflage or deception on the victim’s part can be an invaluable asset. If your attacker is looking for a Windows host, and you appear to them to be running Unix, they’ll simply look elsewhere. And if you can be invisible, so much the better.
Here is where we depart from the conventional security ideology and step into the real realm of how nature deals with security. At some point, nature may need to fight back. Most animals that generally rely upon the previous methods of avoiding attacks have little to worry about – but on occasion they will be discovered and must fight back. Others in the animal kingdom rely solely on their “weaponry” to fight off an attacker.
Our individual imprint in the computer world is a sitting duck. If we are connected to a network, we are vulnerable to attacks, and have little recourse to strike back if we are assaulted. We only have tools to defend against attacks. This is not how it works in nature. All other protections aside, if those are exposed and become indefensible, nature strikes back. Were we able to strike back at a malware attack with some success, attacks would dwindle (in proportion to the effectiveness of the counterattacks).
Security in nature may tell us how to handle security in other situations. Nature herself provides a solid foundation for her adeptness at security. How does nature handle security? She handles it deftly, functionally, and purely out of the necessity of survival. Our computer security models can benefit greatly from the simple observations of nature.
First follow NATURE, and your Judgment frame
By her just Standard, which is still the same:
Unerring Nature, still divinely bright,
One clear, unchang’d and Universal Light,
Life, Force, and Beauty, must to all impart,
At once the Source, and End, and Test of Art
Art from that Fund each just Supply provides,
Works without Show, and without Pomp presides:
In some fair Body thus th’ informing Soul
With Spirits feeds, with Vigour fills the whole,
~Alexander Pope, An Essay on Criticism