Security Through Chaos

  • I can't really disclose who told me this, or at which company, but I found it was really interesting. Recently there was some worm that rolled through Windows systems, I forget which one, but a few friends told me about it since it had rippled fairly quickly through their companies. These were all large companies, more than 2 or 3,000 people employed there. However, one company had almost no infections. The spread between systems was almost non-existent.

    Now I'm sure that you are all wondering what great technique they used so you can deploy it in your environment. I was too until I heard it. I dismissed it at first, but then thought it did make some sense. Not sure I'd recommend it, but it was interesting.

    Their defense was chaos. They don't really have a central IT organization, standards are almost non-existent, no central AD setup, not even a standard platform. They do make anti-virus, firewalls, etc. available, but it is up to individual departments, people, and labs/data center areas to deploy them as they see fit. Need a resource from another group? Better start making friends. Want to breach a firewall? I'd recommend buying a Starbucks card or a 6 pack of Red Bull for the admin of that firewall.

    Now this is a technology company and most of the employees are fairly smart technologists. They are each responsible for the most part for their systems. If they break it, they need to fix it or find someone to help because it's not an excuse for their work not being complete. But an individual can have a Mac, PC, Sparc, run Windows, Linux, whatever, as long as they get their job done.

    Samba is in use as a file system in many places, but permissions control is distributed. Sarbanes-Oxley, security, auditing, etc. all still apply, but there is no central group that ensures it's performed in a consistent manner.

    As I mentioned, at first I was shocked. I thought this was ridiculous. But the more I thought about it, the more I realized that it made some sense. You couldn't easily break into their network because what worked in one place wouldn't necessarily work in another. Compromise one password and you might not get very far at all, even if you had an administrator password.

    I'm still not completely sure what to think of this, but apparently it works. Probably just like my life with 3 kids and a wife that works.

    You juggle all the balls and hope none of them drops.

    Steve Jones

  • I've heard of 'Security by Obscurity' but this is my first encounter with 'Security by Chaos'.  When you think about it, though, there's a strange sort of organic sense to it.  Bear with me while I draw an extended analogy.  If an information environment can be thought of as an ecological system, then it makes sense that an extremely resilient information environment would have the quality of diversity that a resilient ecosystem has.  In a resilient ecosystem, in the event of a disaster or a radical change in the environment, some components will survive while others may not.  Survival depends on how attached any particular organism was to the characteristic of the environment that changed.  In an information environment, survival would depend on how attached any particular technology was to the component being compromised.  So a diversity of technologies, application systems, and supporting software, may increase the chances that any one type of attack or component failure will reduce the entire system to a useless lump of silicon and hot metal.

    It would be really interesting if some enterprising Information Systems MBA (or PhD) candidate out there would do a theoretical cost-benefit analysis of diversity, and its inherent integration costs, vs resilience, and the benefit of having at least some of your systems survive any given attack or disaster.

    Who knows, Resilient Diversity may become the next operations buzzword.  Maybe I should go ahead and copyright it.  


    And then again, I might be wrong ...
    David Webb

  • I can understand how such a system would be more resilient to large scale compromise but would be more vulnerable to small scale compromise. Let me evaluate – let's say for example any arbitrary but particular operating system can be compromised via N means (where N is an integer) then the number of means that could be used to compromise the system is X*N where X is the number of different operating systems in use. Obviously operating systems are only a small part of the system but still demonstrate that the larger number of possible means of compromising the system; however we can also see that to compromise the entire system at least X means must be used.

    The cost of de-integrating the system is of course more inefficient use of resources and an increased difficulty in tracking unsanctioned access and resource usage; but then again how efficiently are we using available resources at present and how successful are we at tracking unsanctioned access.

  • Coming to think of it, the idea seems really "correct" (That is - Once you have overcome the awe). Michael Crichton explains chaos and evolution in his books "Jurassic Park" and "The Lost World" with realistic and believable evidences and ideas. You apply his theory on this situation, and you will be thinking the solution is just "correct"...

  • <<Now this is a technology company and most of the employees are fairly smart technologists>>

    This is the key, though, isn't it? Not only would you need this kind of environment to make it work, I'd bet that in this situation 'the company' would have a devil of a job trying to impose any standards anyway!

  • Bio-diversity is why we haven't been wiped out by

    a) The black death

    b) Smallpox

    c) Flu

    d) Umpteen others

    I agree with pg53. The key is that the people managing these diverse technological aspects are all technologists.

  • I don't know about technologists being the key.  Chaos theory has been around for some time.  Seemingly and with bizarre results, it works.  You should watch Ashton Kutcher's "Butterfly Effect." 

    More importantly, you should check this link out.  It explains a lot.

    http://www.imho.com/grae/chaos/chaos.html

  • Steve - In short, thanks! That's one of the funnest reads in a long time anywhere. - David

  • Another problem with this concept being applied to network security is that, if someone does break through your security, it will be very hard to track down the break-in point and secure it. Even by securing it, you are rendering other parts of the network inoperable without adjustments to other areas. By way of example, if you block a certain port that is being exploited on one workstation or server, other machines that rely on that port being open on that particular machine will not be able to complete their tasks.

  • Thanks for the comments and they are interesting. I think the fact that just about everyone is a technologist is key. Can you imagine this if you had lots of people that struggle with getting Outlook working?

    I'm not sure I do like this. I hadn't worked at a company this large, well over 10k+ people, but at JD Edwards we had 5k+ and we had things well locked down. That worked pretty smoothly, as smoothly as I've seen 20 computer shops run.

  • I recall quite a bit of heated argument over homogenous vs. heterogeneous networks not long ago. There were quite a few arguments from both sides - I'm not sure either side actually could be declared a winner in all honesty.

    One of the most charged papers was that by a group of security experts that said that the "Microsoft monopoly" led to homogeneous networks which are a threat to US cyber security:

    http://www.ccianet.org/papers/cyberinsecurity.pdf

    I'm actually a techie, and I've also studied organizational science. There are many formal models for IT organizations: monarchy (single powerful leadership), federated (separate groups, all working together towards a single goal), feudal (separate groups, fiefdoms, not working together), and of course, chaotic (no single goal, no organization). This discussion also touches on the realm of IT governance.

    There is definitely a link between the homogenous network/heterogeneous network argument, and the organizational model in place. The decision for X company to remain chaotic may give them some flexibility in terms of systems, but of course it's going to actually be harder to secure and manage without a central IT authority. On the other hand, the same decision may, as has been discussed, lead to more security because they are not a homogeneous environment.

    By the way, according to the "organizational experts", the most popular model is that of monarchy (top-down control), followed by feudal. The RECOMMENDED approach is that of federation. Chaos is usually strictly advised against for almost any organization!

    Just a few thoughts.. Have a great weekend everyone!

    Jon Saltzman

  • Several security experts have theorized that at some point "the walls will come down." What I mean by that is traditional concepts of perimeter security will finally be laid to rest and security of individual systems will become commonplace. Network Access Control technologies and the like will start to dominate. However, this still has a somewhat heterogeneous flavor to it because someone is defining minimum standards that have to be met or you don't get on the network.

    I think this works because you said most of the folks were smart technologists. In other words, they understand the risks and take the appropriate measures. But when you're dealing with end users who can't understand why using their only son's name as a password, things quickly break down. Chaos theory and its applications don't apply really well here.

    K. Brian Kelley
    @kbriankelley

  • I totally agree with the view that Brian mentions above - after all, they always say that the greatest security threat comes from within. If system-level security is implemented, the perimeter security becomes less important. I don't think that this approach totally removes the need for some centralized authority, otherwise groups/individual systems within the network are going to be hard to manage!

    My favorite example: it makes it hard to connect to the SQL Server in Accounting if they have a firewall within the company that prevents my DTS package from getting through, and knowing how slowly big corporations move, who knows how long it would take to punch a hole. If the individual system itself has a firewall on it, and there is a firewall around the perimeter as well, now you have to go through many layers before you get to your data.

    Do you agree that with tighter security often comes greater inconvenience? My user base constantly complains about it, and many in the industry have noted same. My opinion is that in the end, some inconvenience is worth the confidence in security, but not if it makes the job at hand near impossible to accomplish.

    -Jon

  • There is a government network that has so many levels of security that the must-have device for any lap-top user is a dial-up modem because the speed of a 56k modem exceeds the speed of the network.

  • ...... but since it is a government secure site laptops and modems and data capture devices (even mobile phones with cameras) are not allowed on site!!
