I-Ching & InfoSec
I-Ching & InfoSec (易經和資安: The Book of Changes and Information Security)
"Any sufficiently advanced technology is indistinguishable from magic." – A. C. Clarke
"The ancient book of wisdom is indistinguishable from advanced science." – C. Lin
Chuan Lin, CISSP
Summary
This is a theory-craft exercise in gleaning Information Security (InfoSec) principles from the Book of Changes.
It is an attempt to look at InfoSec, the leading-edge world of technology, from outside the box: from the most venerable book of knowledge.
I-Ching is known as the most modern of ancient wisdom. It bears a resemblance to binary codes and to DNA.
Can it provide insight into InfoSec as well?
What is InfoSec
Information Security, according to Wikipedia, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, recording or destruction.
While this is not new to modern society, technology, the economy and social media have created the need to protect corporate and individual information in addition to that of state governments.
Information Security will be the norm from now on, as what one learns about protecting corporate and state information can also be applied at the personal level.
What is I-Ching
Who (者) – Fu Xi, one of the legendary Chinese sovereigns, and King Wen of the Zhou Dynasty are credited as the authors.
When (時) – The official date is around 1059 BC, though most believe it existed much earlier than that. It was introduced to the West in the 17th century.
Where (處) – It originated in China.
What (何) – I-Ching is the accumulated wisdom from which Chinese arts, music, philosophy, religion, medicine, astronomy, arithmetic, literature, military strategy, martial arts, divination, science and technology were derived.
Information Security Breakdown (資安分列)
What is Information? What are we securing?
Root-Level View of Information Security
Security is about protecting. For the InfoSec professional (InfoSec Pro), it is to ensure that information remains confidential, keeps its integrity, and is available to authorized individuals.
Information is about how a person utilizes given data.
If a person doesn't know how to handle given data, then that information is useless.
If a person is given wrong data, then that information is useless.
If a person is given a set of data that she understands and knows to be correct, then this information is useful.
Next-Level View of Information Security
A more detailed analysis of what InfoSec is:
Securing people from revealing key information
Securing data from unauthorized access
Securing data input from corrupting data
Securing data output from unlawful usage
Tertiary View of Information Security, Part 1 (of 8)
What are we protecting?
People, at both the individual/family and the corporate/state level
People are susceptible to social engineering, or psychological influence, into revealing key information that would breach information security.
This is a challenging task because hardening against social engineering tends to go against our human traits and nature.
Tertiary View of Information Security, Part 2 (of 8)
What are we protecting?
Data, at both the individual/family and the corporate/state level
Data by itself is dormant, and with the correct access credentials it is very accessible.
This is the focus of the InfoSec Pro: how to safeguard data, whether it is at rest or in transit. But this is only one component of the bigger picture.
Tertiary View of Information Security, Part 3 (of 8)
What are we protecting?
Applications
An application requires data and/or inputs to produce the desired outputs. The side effect is that an unsecured application can leak data.
Next to people, this presents the biggest challenge for the InfoSec Pro, since we are not adept at scrutinizing lines of code or, in most cases, at certifying third-party applications as secure.
Tertiary View of Information Security, Part 4 (of 8)
What are we protecting?
Data bank / cloud / server farm
We generate more and more data, and we want it to be instantly accessible yet secure. Cloud technology is the solution.
Most big cloud service providers have met US government security requirements. Their physical footprint (in the US) is vast, with acres of servers, which makes searching for a particular set of data the proverbial needle in a haystack.
Tertiary View of Information Security, Part 5 (of 8)
What are we protecting?
Internet
It allows us to connect with each other and to have easier access to information. While the internet provides us a quick avenue to information, it also gives crooks an expeditious passage into our lives and data.
A combination of mindful browsing habits, a secured browser, and a password manager will avoid most of the pitfalls.
Tertiary View of Information Security, Part 6 (of 8)
What are we protecting?
Home and office
We tend to think of our homes as our sanctuary and our offices as safe working environments. This causes us to be lax about securing our data until a rogue steals it.
Being physical locations, access controls can be established for them. But problems arise from trading security for convenience, and from the security laxness of daily routines.
Tertiary View of Information Security, Part 7 (of 8)
What are we protecting?
Wi-Fi
Smartphones are the primary factor pushing data wireless. We already transmit pictures via social media apps, and now payment information as well.
Technology to grab sensitive data over the airwaves is becoming available. Wi-Fi jamming devices are also popular items.
Tertiary View of Information Security, Part 8 (of 8)
What are we protecting?
Energy
While utility companies are beginning to offer network services, they are crucial to information security because they provide the energy that powers security devices.
A blackout would render the world's best security devices useless; a brownout can damage them. Surge protection and alternate power sources are part of information security planning.
Information Security through an I-Ching Point of View (資安透過易經觀點)
A Holistic View of I-Ching/InfoSec
易有太極,是生兩儀
"In the I (易) there is the Taiji, which generates the two primary forces." (tr. Wilhelm and Baynes 1967:318-9)
In InfoSec: the I (易) is Information, which generates two primary sources.
As InfoSec Pros, our duty is to protect information, making sure it is confidential, keeps its integrity, and is available.
Information decomposes into two primary sources: data and person.
太極
A Holistic View of I-Ching/InfoSec
易有太極,是生兩儀
The two primary forces in I Ching are yin and yang.
Yin: negative, female, earth, employees, 0, data
Yang: positive, male, heaven, manager, 1, person
Yin – the receiving, potential, and passive forces of nature
Yang – the giving, kinetic, and active forces of nature
Data = Yin – data is inert and requires a person to decipher and act on it.
Person = Yang – a person is active and able to use data to create useful information.
As InfoSec Pros, we need to protect both the person and the data.
兩儀
A Holistic View of I-Ching/InfoSec
兩儀生四象
"The two primary forces generate the four images." (tr. Wilhelm and Baynes 1967:318-9)
Here in I Ching, the concepts of time and state are introduced through the four images.
In InfoSec: the two primary sources generate the four states.
Likewise, for InfoSec, after breaking information down into data and person, we are introduced to the states of data that need to be protected.
四象
A Holistic View of I-Ching/InfoSec
Four Images / Four States:
Old Yang = Person
Young Yang = Input
Young Yin = Output
Old Yin = Data
四象
老陽 / Old Yang
In I-Ching, it represents the peak state: summer, prime of life, very active, south, noon.
In InfoSec, this represents the person, or a small group of people; they are capable of generating and utilizing data.
少陽 / Young Yang
In I-Ching, it represents the growing state: spring, young adult, active, east, dawn.
In InfoSec, this represents data input: data that is to be processed; data in motion toward becoming information.
少陰 / Young Yin
In I-Ching, it represents the declining state: fall, middle age, sluggish, west, dusk.
In InfoSec, this represents data output: data that has been modified; data as information.
老陰 / Old Yin
In I-Ching, it represents the restful state: winter, senior, restful, north, midnight.
In InfoSec, this represents raw data: unmodified data, data storage.
Examples of the Four States of Information (as laid out on the slide)
Old Yang: People
Young Yang: Data Input
Young Yin: Data / Data Process
Old Yin: Data Output
A Holistic View of I-Ching/InfoSec
四象演八卦 "The four images act on the eight trigrams (bagua)." (tr. Wilhelm and Baynes 1967:318-9)
I Ching: the trigrams are the forces of nature.
In InfoSec: the four states act on the eight mediums.
InfoSec: the mediums are the building blocks of the InfoSec world.
When we break down an information system, each of its components will be one of the eight mediums described in the following slides.
八卦
A Holistic View of I-Ching/InfoSec
Qian in I-Ching
Image in nature: sky
Wilhelm's translation: the Creative
Family relationship: father
Body part: head
Binary code: 111
State: active
Qian in InfoSec
People, because we are the active force. We create data; we transform data into useful information.
Example: In this PowerPoint presentation, you are the one in control. You can continue, stop, rewind, or quit.
InfoSec: People are hard to safeguard because the need to be active competes with the need to be restrained.
A Holistic View of I-Ching/InfoSec
Kun in I-Ching
Image in nature: earth
Wilhelm's translation: the Receptive
Family relationship: mother
Body part: belly
Binary code: 000
State: receptive
Kun in InfoSec
Data, because it is amenable. Data is created, manipulated, and accessed by us. By itself, it does nothing.
Example: In this PowerPoint presentation, the words and graphics you see are data. They simply present my thoughts, and they may become information if you have a background similar to mine.
InfoSec: Data is the easiest to safeguard because it is inactive. But encryption will slow down our access to it.
A Holistic View of I-Ching/InfoSec
Li in I-Ching
Image in nature: fire
Wilhelm's translation: the Clinging (Fire)
Family relationship: 2nd daughter
Body part: eye
Binary code: 101
State: adaptable
Li in InfoSec
Applications, because they transform data into something useful or malicious. An application is meaningless without data, just like fire without fuel.
Example: In this presentation, MS PowerPoint and the browser you used are applications that manipulate and display data as relevant information. Without the data, PowerPoint would open to a blank page, or your browser would get a 404 error.
InfoSec: While it is easy to use whitelists and blacklists to restrict applications, like Prometheus, someone will inadvertently bring in the wildfire.
A Holistic View of I-Ching/InfoSec
Kan in I-Ching
Image in nature: water
Wilhelm's translation: the Abysmal
Family relationship: 2nd son
Body part: ear
Binary code: 010
State: in motion
Kan in InfoSec
The internet, because like traditional waterways it brings life, communication, and commerce among people from different areas. Even now, we use terms like torrents, phishing, upstream, downstream, and flood to describe situations involving the internet.
Example: In this presentation, you are accessing it through the internet for content delivery. And like a waterway, things move quickly when there is no congestion, and when it chokes, your cargo arrives sporadically.
InfoSec: Like on traditional waterways, companies build a series of dams (aka firewalls) to limit the inflow and outflow of commodities. The problem is that sometimes we have to find out where the leaks and seepage are.
A Holistic View of I-Ching/InfoSec
Gen in I-Ching
Image in nature: mountain
Wilhelm's translation: Keeping Still
Family relationship: 3rd son
Body part: hand
Binary code: 001
State: completion
Gen in InfoSec
Buildings and hardware, because these are the closest things to enduring in an InfoSec world where everything is constantly changing. Buildings and hardware are traditionally the places where wealth and data are stored.
Example: In this presentation, you are most likely viewing it in the comfort of your home or office, which protects you and gives you a sense of privacy and security. Even a coffee shop environment is preferable to outdoors (unless the weather is perfect and there is little traffic).
InfoSec: As a physical fixture, it is easily defended. Locks, security devices, lights, fixtures, and guards are used in conjunction to deter, detect, delay, and deny threats.
A Holistic View of I-Ching/InfoSec
Dui in I-Ching
Image in nature: lake
Wilhelm's translation: the Joyous
Family relationship: 3rd daughter
Body part: mouth
Binary code: 110
State: tranquil
Dui in InfoSec
The cloud environment, because this is where massive amounts of data are stored. If we use the analogy of the internet as a waterway, all arteries eventually flow into a lake or ocean. And if you think of the sources of the tributaries, most come from mountains (office buildings/homes).
Example: In this presentation, this PowerPoint slide deck is uploaded to slideshare.net, which may end up in the Amazon cloud, Microsoft Azure, or another massive data storage location.
InfoSec: It has both a virtual and a physical location. In both cases, the massive size and number of backups make it very hard to take out by brute force. Instead, threats come from stolen credentials, denial of service, or simply bombing the place out of existence.
A Holistic View of I-Ching/InfoSec
Xun in I-Ching
Image in nature: wind
Wilhelm's translation: the Gentle
Family relationship: 1st daughter
Body part: thigh
Binary code: 011
State: gentle entrance
Xun in InfoSec
Wi-Fi technology, because data is travelling through the air. This technology allows people to move away from the rivulets of network cables and to transfer data through the zephyrs of the major telecoms.
Example: In this presentation, this PowerPoint can be viewed over a Wi-Fi connection and through mobile devices.
InfoSec: This is a relatively new frontier and has brought focus to encrypting data on the move. Data (including credit card payments) sent over the air without transport encryption can easily be grabbed by another nearby device.
A Holistic View of I-Ching/InfoSec
Zhen in I-Ching
Image in nature: thunder
Wilhelm's translation: the Arousing
Family relationship: 1st son
Body part: foot
Binary code: 100
State: initiative
Zhen in InfoSec
Energy, like its natural image. The InfoSec environment depends on energy.
Example: In this presentation, you don't see the undercurrent of energy. But you will feel it if any of your devices, the server that houses this PowerPoint, or any piece of network infrastructure in between runs out of juice.
InfoSec: Energy is a new area of concern for the InfoSec Pro. While a blackout can knock out our layered defenses, it also denies attackers access to the data. But when things are powered back on, our defense network may not be up and ready.
A Holistic View of I-Ching/InfoSec
八八六十四卦 "Eight eights are sixty-four hexagrams." (tr. Wilhelm and Baynes 1967:318-9)
I Ching: the hexagrams describe all natural conditions in terms of human relations, and each condition has its six stages of progression.
In InfoSec: eight by eight creates sixty-four situations.
InfoSec: these 64 situations have their own life cycles and possible disruptions.
六十四卦
Discussion of the 64 hexagrams/situations is beyond the scope of this PowerPoint.
Defensive View of Information Security & I-Ching (易經與資安防禦)
High-Level View of Information Security through I-Ching
This is the final stage of using the I Ching method for information security.
It is incomprehensible to the uninitiated, but the key ideas behind it are:
Besides the human factor, I Ching/InfoSec utilizes both the time element and the physical location as part of defense in layers.
Despite its seeming complexity, it is quite portable, whether applied to a physical location or to the virtual domain.
防禦
Encryption in InfoSec/I-Ching
Encryption is a necessity in InfoSec that prevents unauthorized access.
In the previous section, I Ching symbolism was used to relate to Information Security.
Now, we are exploring the applied math in I Ching for encryption.
The slide shows the Yellow River Diagram (河圖, Hetu) symbolism, which translates into a mathematical arrangement.
先天
Encryption in InfoSec/I-Ching
The Yellow River Diagram represents the State of Heaven at rest.
Correspondingly, this method of encryption is for data at rest.
The slide shows the algorithm for encoding and decoding data, followed by the modern interpretation of the same algorithm.
Now, as to which one to use, well, isn't that the secret. (In modern practice the algorithm is assumed to be known to the attacker and only the key is kept secret; this is Kerckhoffs's principle.)
河圖
Encryption in InfoSec/I-Ching
The slide shows the Luo River Scroll (洛書, Luoshu) symbolism, which translates into a mathematical arrangement.
It represents the State of Heaven in Motion.
Correspondingly, it can represent data in motion.
Why? Because data in motion requires faster encapsulation and decapsulation than data at rest.
後天
Encryption in InfoSec/I-Ching
This arrangement is a magic square; in the West it is often compared to Sudoku, although Sudoku has no sum rule.
The property of the Luo Shu magic square is that every line (vertical, horizontal, diagonal) adds up to the same number, 15.
So during data transit, the data is encapsulated with a series of numbers that, when decoded on the other side, must add up to the expected number in a magic-square-like box in order to validate the data. Note that such a check validates integrity against accidental corruption; it does not by itself provide confidentiality, and anyone who knows the rule can recompute the sums after modifying the data.
洛書
Encryption in InfoSec/I-Ching 方圖
Before the Information Age, solving the 3x3 square was relatively easy, but breaking a 1–64 square was a challenge.
These symbols can be translated into mathematical values.
Then the entire square looks like this....
Encryption in InfoSec/I-Ching 方圖
The Information Age brought us such incredible processing power that whatever is within this square can be quickly decoded.
But what if we were to decode 4 squares of 64 numbers?
As processing power improves, do we escalate the number of squares by powers of 2?
These squares can be used for either Yellow River or Luo River encryption.
Encryption in InfoSec/I-Ching
However, the problem with the previous method is that it can be too cumbersome for data in motion, because it increases the decoding time.
Hence the concept of the I Ching as a time reference. Each hexagram represents approximately 5–6 days (the numbers on the I Ching figure are an example and not correct).
The time element introduces variance in how to decode the encapsulated encryption.
E.g. out of 16 hash codes, we drop every other 3rd and 4th number.
E.g. each of the 16 hash codes is multiplied by 9, 8, 7 or 6.
圓圖
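The Luo River line-sum validation described two slides earlier and the hexagram time selector from the previous slide, implemented as an added example so their security properties can be tested. This is not code from the original slides. The 9-byte block layout, the eight line sums carried as the "check", the constructed sample payload and key, and the keyed HMAC contrast are this example's own assumptions, not the slides' scheme.

```python
# Added example (not from the original slides): the Luo Shu line-sum check
# for data in motion, the 64-hexagram time selector, and a keyed MAC for
# contrast. Block layout, tag format, payload and key are assumptions.
import hashlib
import hmac

# The Luo Shu (洛書) as a 3x3 magic square: every row, column and both
# diagonals sum to the same constant, 15.
LUO_SHU = [[4, 9, 2],
           [3, 5, 7],
           [8, 1, 6]]


def line_sums(square):
    """Row, column and diagonal sums of an n x n square (2n + 2 values)."""
    n = len(square)
    rows = [sum(row) for row in square]
    cols = [sum(square[i][j] for i in range(n)) for j in range(n)]
    diags = [sum(square[i][i] for i in range(n)),
             sum(square[i][n - 1 - i] for i in range(n))]
    return rows + cols + diags


def is_magic(square):
    """True when every line sums to the same constant (the Luo Shu property)."""
    return len(set(line_sums(square))) == 1


def to_square(block):
    """Lay a 9-byte block out as a 3x3 square of byte values (assumed layout)."""
    if len(block) != 9:
        raise ValueError("block must be exactly 9 bytes")
    return [list(block[i:i + 3]) for i in range(0, 9, 3)]


def encapsulate(block):
    """Sender side: the data travels with its eight line sums as the check."""
    return block, line_sums(to_square(block))


def verify(block, sums):
    """Receiver side: recompute the line sums and compare with the received ones."""
    return line_sums(to_square(block)) == list(sums)


def hexagram_for_day(day_of_year):
    """Time selector from the slide: 365 days over 64 hexagrams, about 5.7
    days each. day_of_year is 1..365; the result is in 0..63."""
    return (day_of_year - 1) * 64 // 365


def keyed_tag(key, block):
    """Contrast: HMAC-SHA256, which the receiver can check but an attacker
    without the key cannot recompute."""
    return hmac.new(key, block, hashlib.sha256).digest()


def keyed_verify(key, block, tag):
    return hmac.compare_digest(keyed_tag(key, block), tag)


def tamper_demo():
    """An attacker changes the amount in transit and recomputes whatever
    unkeyed values travel with the data. Returns (sums_check_passes,
    mac_check_passes)."""
    block, sums = encapsulate(b"PAY 10.00")          # constructed sample payload
    key = b"shared-secret-known-only-to-endpoints"   # constructed sample key
    tag = keyed_tag(key, block)
    forged = bytearray(block)
    forged[4:9] = b"99.00"                           # change the amount
    forged = bytes(forged)
    # Unkeyed line sums: the attacker simply recomputes them for the forged block.
    forged_sums = line_sums(to_square(forged))
    # Keyed tag: without the key, the best the attacker can do is replay the old tag.
    return verify(forged, forged_sums), keyed_verify(key, forged, tag)


if __name__ == "__main__":
    print("Luo Shu is magic:", is_magic(LUO_SHU), line_sums(LUO_SHU))
    print("(line-sum check fooled, HMAC fooled):", tamper_demo())
    print("hexagrams used over a year:",
          len({hexagram_for_day(d) for d in range(1, 366)}))
```

Running `tamper_demo()` returns `(True, False)`: the line-sum check accepts the forged amount because the attacker can recompute the sums, while the keyed tag rejects it. The line-sum check still detects random corruption, which is what a checksum is for. The time selector takes only 64 values and is derived from the date, which the attacker also knows, so it adds variety to the decoding rule but no secrecy an adversary cannot enumerate.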
Encryption in InfoSec/I-Ching
So by combining both the square and the circular I Ching arrangements, we introduce a complex encryption scheme that is portable and yet versatile.
This is commonly known as the circular and square formation of the I Ching hexagrams, traditionally represented in 2D.
The slide also shows a 3D rendition of the circular and square formation (the Yi Globe; see References).
圓圖
Offensive View of Information Security & I-Ching (易經與資安攻略)
Offensive View of Information Security (資安攻勢論)
Three Types of Attackers
Individual
Organization
State/Enterprise
Purpose of the Attacks
Fame
Gains (Economic/Terminal/scientific)
Revenge
Offensive View of Information Security (資安攻勢論)
Currently, attack techniques are mostly web-based or carried out through networks.
But as network defenses and encryption get more complex, social engineering attacks are on the rise.
Maybe within the next 10 years, state/enterprise-level actors will conduct full-spectrum attacks to probe target weaknesses.
The next 8 slides will discuss theoretical threats from the I Ching perspective.
Offensive View of Info Sec/I-Ching – Attacking the Mind
Social engineering – When defensive technology is solid, attackers may use the human element as an alternate attack path.
Not everyone is trained in security mindfulness.
Everyone has varying degrees of greed, anger, and ignorance that can be exploited.
Identity theft
Profit, revenge, cyberbullying
乾攻心
Offensive View of Info Sec/I-Ching – Attacking the Data
Extracting data –
To gain state secrets
To gain economic/technological advantage
To embarrass an individual
Inserting (false) data –
To redirect attacks
To disrupt economic/technological advantage
To maim, eradicate or disable an individual (through false medical information, identity theft)
坤攻資
Offensive View of Info Sec/I-Ching – Attacking Applications
Hostile applications are the most common means of attack, since we all depend on software to conceptualize, convert, and create useful information from a set of data.
There is a gamut of PUPs (potentially unwanted programs), ranging from stealing, redirecting, spying, cloning, disabling, controlling, etc.
Like an arms race, threat and anti-threat applications have escalated to the point that in mid-2014 Symantec acknowledged that anti-virus software by itself is no longer adequate to stop threats.
離火攻
Offensive View of Info Sec/I-Ching – Attacking the Network
Strategically, states control the internet pipelines.
Tactically, states, organizations, groups, or individuals can control botnets running tools such as the Low Orbit Ion Cannon (LOIC) or the High Orbit Ion Cannon (HOIC), which can cause denial-of-service attacks that knock down one or a series of domains or networks.
坎攻網
Offensive View of Info Sec/I-Ching – Attacking the Base
Theft is the most common form of attack against individual property, homes, offices, and corporate centers.
Nearly all of us carry sensitive data on our portable devices.
In times of economic hardship, employees can be bribed to destroy or steal corporate data with relatively low risk to the instigator.
Besides money, aggrieved employees may also be willful accomplices to data theft.
艮攻堡
Offensive View of Info Sec/I-Ching – Attacking the Cloud
Cloud storage vendors currently enjoy a relative scale of operation ("too big to be hacked") as a means of defense against attack.
The Google Barge is a perfect example of mobile cloud storage, with plenty of water to disperse heat and containers of servers to store data.
Attacks against the cloud storage vendor's infrastructure itself amount to property destruction, to prevent the data from being available.
兌攻雲
Offensive View of Info Sec/I-Ching – Attacking the Wind
Wi-Fi and cellular data plans offer convenience and mobility to data creators.
One method of attack is to grab data transmitted in a public Wi-Fi area. This targets small business owners, who often use Wi-Fi for credit card transactions.
Another method is to use Wi-Fi and cellular jammers to deny data and voice communication.
巽攻風
Offensive View of Info Sec/I-Ching – Attacking the Energy
Like cloud storage providers, utility companies also seem to enjoy a scale of operation that keeps them relatively safe from attack.
But unlike cloud storage, the goal of attacking the energy source doesn't have to be achieved at the utility site; it can be as close as the local grid where the data resides.
Without a backup power source, most companies' defenses will go offline in a blackout.
震攻電
Offensive View of Info Sec/I-Ching (資安/易經攻勢論)
At the individual level
The attacker has a lot more variety of motivation than those at the organization and state level.
Some are not necessarily malicious but simply curious.
An individual only has the resources to utilize 1–2 methods of attack: social engineering, theft, or DDoS.
Offensive View of Info Sec/I-Ching (資安/易經攻勢論)
At the organization/state level
Motivations are easier to define: greed, grandeur, or grievance.
They have sufficient resources to coordinate attacks using various methods.
But to use all 8 methods of attack would constitute an act of war, even if directed at an organization within the same state.
Summary (略)
InfoSec is all about protecting data.
There are books, blogs, and webinars on how to protect it and what to look out for.
But as in all warfare, the technology and techniques involved are evolving rapidly.
Sometimes it is better to step out of the box and look at InfoSec from a different perspective.
I-Ching is not just the Book of Wisdom, or the Book of Divination. It should also be viewed as the Book of Applied Science because of the three principles it promotes:
The I (易) is simple to understand once you realize the pattern.
The I (易) is changing (just look at the proliferating viruses, Trojans and ransomware).
The I (易) is constant (data is the goal, whether acquiring it or denying it).
References (參考)
Slides 33 & 41: The Yi Globe – the Cosmos in the I Ching, by József Drasny, Budapest, 2007, and his website: http://www.i-ching.hu/index.htm
The following graphs are from Hackmageddon (http://hackmageddon.com/):
Slide 43: motivations behind attacks, September 2014
Slide 43: distribution of targets, September 2014
Slide 44: attack techniques, September 2014
Slide 53: Top 10 famous computer hackers images are from http://h4x3r.quora.com/Top-10-famous-Computer-HACKERS
Slide 54: various images are pulled from Bing image search based on the article http://www.topcomputersciencedegrees.com/notorious-hacker-groups/