Comments: Why Security Modelling doesn't work -- the OODA loop of today's battle

first, a disclaimer, in the past, I sponsored Boyd for a number of presentations ... and applying OODA-loops to other kinds of competitive situations ... some past posts mentioning Boyd and/or OODA-loops
http://www.garlic.com/~lynn/subboyd.html#boyd
and various Boyd references from around the Web
http://www.garlic.com/~lynn/subboyd.html#boyd2

the other factor ... specifically with respect to payment transaction paradigm ... is related to old "security proportional to risk" ... and part of the justification behind aspects of x9.59 financial standard protocol
http://www.garlic.com/~lynn/x959.html#x959

aka ... with the current paradigm, attackers can afford to outspend the defenders by possibly 100:1 ...
http://www.garlic.com/~lynn/2007v.html#86
and
http://www.garlic.com/~lynn/2007v.html#87

and for a slightly different tact ... post on "Death of antivirus software imminent"
http://www.garlic.com/~lynn/aadsm28.htm#2

Posted by Lynn Wheeler at December 30, 2007 04:27 PM

There is a crucial step before "threat modelling": business goals, step which can't be separated from security.

One can't start a financial service without considering security. Its implementation may be delayed, or implemented in steps, but it must be considered from the start.

A financial service has intrinsic security requirements. Such a service can't start on the idea that "we're gonna transfer money from A to B". The crucial requirement here is "we're gonna transfer money from A to B, SECURELY", where "securely" means something specific only in the context set by the business goals.


"We want to make an online account based financial service which transfers money from A to B" is something like, say, EGold.

"We want to make an online account based financial service which transfers money from A to B, where non-generalized insider attacks can't physically succeed" is something which doesn't yet exist (but can).

The business goals above precede and thus define the framework of the future security modeling.

Posted by George Hara at December 31, 2007 12:05 PM

We have come to a similar conclusion, and started to design deployable structures that businesses can adapt and have that "instant" security design they were looking for. So far we have designed anonymous tech support with secure authentication, some disassociated databases, and most recently we designed a system called VAULTS which allows KYC but authenticated and anonymized goods/service delivery.

We work on a theory of least needed information. If we don't store or have access to juicy data, it isn't there to be compromised. Neither internally or externally. Databases don't need to be together, accounts don't need to be linked, data doesn't need to be stored plaintext, servers don't need access to each other, systems don't need knowledge of each other, or dependencies, and most importantly, neither to admins or engineers.

We go to some length to disincentivise attacks throughout the system by bleeding out unnecessary rewards to security attacks, and setting up defense in depth tactics while employing leveraged unpredictability in our structures inbetween these modules.

The idea is instead of designing a system that can fail if one gear gets trashed, you design your business security in cells that are deployable with difficult to compromise structures. This essentially turns a walnut with a hard shell but delicious core, into a rather unpalatable sack of dried rice.

These strategies can be employed even by small businesses, as they are modular components. It only takes someone to write an open-source library for the implementation and then everyone can begin to incorporate these things. So with only a few hours of coding by competent coders and sec minds, even a startup can open it's doors with a staggering amount of security infrastructure.

Posted by Steve T at December 31, 2007 05:49 PM

re:
http://www.garlic.com/~lynn/aadsm28.htm#3 Why Security Modeling doesn't work -- the OODA-loop of today's battle

I had become acquainted with John Boyd in the early 80s and sponsored him for a number of corporate conferences. He was retired and giving talks for just his out-of-pocket expenses.

despite enormous contributions in numerous areas, much of the establishment preferred to act as if he didn't exist ... possibly because he had low tolerance for numerous things. He made the F15, F16, F18 and whole generation of airplane design what they are today ... but the air force almost acts as if he wasn't there. he was eventually adopted by the marines (adapting aerial dog fights and ooda-loops to ground warfare).

some recent long-winded posts in financial transaction related subthread ... that much of the current "risk" isn't because the information is so easy for the crooks to obtain ... but the fundamental "risk" is that the crooks can use the obtained information for fraudulent transactions.
http://www.garlic.com/~lynn/2008.html#4
http://www.garlic.com/~lynn/2008.html#5
http://www.garlic.com/~lynn/2008.html#7
http://www.garlic.com/~lynn/2008.html#8
http://www.garlic.com/~lynn/2008.html#9

this is also the previous comment that the crooks (attacking the information) can outspend (by possibly 100:1) the merchants (attempting to prevent information access).

the x9.59 standard
http://www.garlic.com/~lynn/x959.html#x959

rather than attempting to prevent all possible access to the information ... changed the paradigm and made the information useless to crooks for generating fraudulent transactions (eliminated the risk). this is somewhat the thread here this summer about the naked transaction metaphor
http://www.garlic.com/~lynn/subintegrity.html#payments

Posted by Lynn Wheeler at January 2, 2008 11:02 AM

re:
http://www.garlic.com/~lynn/aadsm28.htm#3 Why Security Modelling doesn't work -- the OODA loop of today's battle
http://www.garlic.com/~lynn/aadsm28.htm#5 Why Security Modelling doesn't work -- the OODA loop of today's battle

taking a slightly different "Boyd" perspective
http://www.garlic.com/~lynn/subboyd.html#boyd

some of the current problems could be attributed to not having a strong defensive position ... which gives the attackers an enormous advantage ... referenced in this thread/post
http://www.garlic.com/~lynn/aadsm28.htm#6 Death of antivirus software imminent

my wife's father graduated from west point (and then got a engineering graduate degree from berkeley) ... however, one of the things that typically is taught is how to choose your defensive position. he had been engineers for patton and frequently was ranking officer into enemy territory ... and acquired a collection of officer (silver, gold, platinum) daggers in surrenders. he also was involved in liberating some number of camps.

Posted by Lynn Wheeler at January 2, 2008 02:26 PM

Yes, I think it is curious, but people are very slow to wake up and realise there are systemic flaws in our security situation. All those things that we ignored because they were too tough in the past are now starting to haunt us.

I find Boyd to be interesting for 2 reasons: one is that his theory & concepts are relatively easy to understand, unlike most other war-like academics. The second is more snippety; in that it seems that Americans have finally found a recent academic military hero. In the past, most of the history of warfare has been written by other countries, and all countries have always tended to promote their own academics. But Americans didn't really have someone who stood out alongside Sun Tzu, Klauswitz, Fuller, Guderian, etc.

So for that reason, he's very popular, and worth using as an example. Whether we can make a dent in the "security modelling" practice remains to be seen, but something has to be done.

Posted by iang at January 3, 2008 09:58 AM

Boyd characterized US WW2 strategy as massive logistics (overwhelming enemy by 10:1 resources) and extremely rigid command and control. Part of this was claim that US entered the conflict with very few professional soldiers and quickly fielded a large number of rapidly mobilized citizens. Part of the extremely rigid command and control was to leverage the experience of the few professional soldiers and part of it was to manage the enormous logistics operation.

As a contrast, he would quote Guderian, on the eve of the blitzkrieg "verbal orders only". This is related to the definition of auditors as the people that go around the battlefield after the war, stabbing the wounded. The claim was that Guderian wanted the professional "on the spot" to make decisions and not have to worry about any monday afternoon quarterbacks.

In the early 80s, Boyd claimed that the rigid command and control structure with underlying assumption that the majority of people were unskilled ... were adversely affecting US business, as the young WW2 officers came to major executive positions (and they reflected their WW2 training).

This theme was also behind his briefing "Organic Design For Command and Control". I have a copy of the original version and some subsequent copies as it evolved over time.

Posted by Lynn Wheeler at January 3, 2008 12:12 PM

It was interesting to read your notes on soviet military doctrine (btw, you've got it quite well), granted it is my past and I have to identify myself more with "the other side" ;)

Posted by A.T. at January 8, 2008 03:15 AM

Did everybody get it? A picture of Me-262 - the first jet fighter - right under a call for a "revolution in security thinking"?

Posted by Anton Chuvakin at January 11, 2008 11:42 AM

Me-262: lol, I'm glad someone got it :)

A.T.: tell us more! I always wondered if it was true ... and what did they tell you about the other armies that left you worried?

Posted by iang at January 11, 2008 12:08 PM
Post a comment









Remember personal info?






Hit Preview to see your comment.
MT::App::Comments=HASH(0x55e9045bcc50) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/Object.pm line 125.