Reflexive Control

Started by deanwebb, December 16, 2015, 08:31:44 AM


deanwebb

https://www.rit.edu/~w-cmmc/literature/Thomas_2004.pdf

This is giving me some interesting ideas... up to page 11, will sum up when I've finished reading.  :professorcat:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

deanwebb

I have now read it... where before, I was of the mind that one should reveal nothing to an attacker, now I am thinking that there are times when security is improved by offering either accurate, partially accurate, or inaccurate information in order to control the choices of the attacker.

Consider: what if a sophisticated attacker read through employees' LinkedIn profiles to see what kind of gear that they were using, on the assumption that employees would mention vendors they were familiar with or certifications in technologies that they used. If, then, employees were instructed to place numerous certifications in their profiles, potential attackers would be faced with a potential multi-vendor environment with attendant complexities. If that attacker was seeking a target of opportunity, he would move on. This would not deter an attacker seeking a particular asset known to be in that particular firm, but it would lead him to expend more resources in preparing to deal with that potentially complicated environment.

If there were collateral information to complete that picture, the diversion of resources would continue, further hampering the attempted penetration. Consider an attacker's concerns if he discovered evidence of three vendors' IPS devices, five different firewalls, four different router and switch firms, and a number of other complicating factors, such as a mix of protocols and potentially unstable routing arrangements. His cost in attaining access to that asset would increase dramatically, potentially to the point where it would no longer be worthwhile to attain.

The trickiest part is conveying the information to the attacker. One would have to know where the attacker was looking, in order to put something before his eyes.

NetworkGroover

#2
Dean, you're just way too damn deep for me, dude.

You're awesome.  :rock:

https://www.youtube.com/watch?v=fBzv1sjKpCU
Engineer by day, DJ by night, family first always

deanwebb

#3
Exploring Russian culture can make one think deeply.

https://www.youtube.com/watch?v=7rC_sSFVS-E

Very good film about security and information in the coup of Khrushchev. Many things to be learned here. Most excellent lesson at 27:41. Americans always open eyes wider after seeing this lesson of how information can be weapon.

Then there is also Jin-Roh The Wolf Brigade... https://www.youtube.com/watch?v=6lrl5Kj79u4

And The President's Last Bang... https://www.youtube.com/watch?v=w2Am1hL-lm0

Security involves being able to combine many disciplines and areas of knowledge...