"Designing Good Deceptions in Defense of Information Systems" by Neil C. Rowe
Although computer systems and their security procedures have become more sophisticated in recent years, so too have those who would seek to attack these networked systems. One of the fundamental features of past computer-based systems has been the ability of the hacker to rely upon the information the computer system provided; in other words, computers may break down or they may be programmed incorrectly, but "computers never lie." The author, though, suggests that it is time for them to start lying, at least when it comes to dealing with those who would try to overcome the system's security. In fact, Rowe makes the point that hackers' own interactions with the computer system, and the behaviors they exhibit in them, can be used against them. In this essay, Rowe argues that access controls are currently inadequate to provide the levels of protection that valuable computer-based information systems require, and because the level of threat to these systems has grown enormously in recent years, new approaches to defeating unauthorized intrusions have become increasingly important today (1).
Given that hackers can reasonably be expected to continue to defeat the existing control systems for the foreseeable future, the author suggests that developing some type of "back-up defense" to overcome these intrusions is an important initiative today. The various current lines of defense cited by the author (intrusion-detection systems, computer forensics, and so-called "honeypots") are designed to passively collect information rather than actively attempt to prevent unauthorized access to computer databases (2). Furthermore, when these passive systems do react to unauthorized intrusions, they typically do so in a manner that alerts the intruder that the system is aware of the intrusion, thereby providing the hacker with the opportunity to try yet a different attack.
Complicating things for computer security professionals today is the fact that tracing such unauthorized accesses is difficult; in fact, unless the hacker is attempting to subvert the system from an internal access point, tracking these unauthorized accesses to their points of origin is exceedingly difficult, and usually impossible. Furthermore, even if it were possible to identify the perpetrators, any counterattacks against them are usually illegal. The author suggests that subterfuge, which is not outright illegal, is a second line of defense that security professionals could use to help protect their computer systems from unauthorized access. Although Rowe does not recommend stealing from hackers, he does believe that just about anything else goes: "Information systems could lie, cheat, and mislead attackers to prevent them from achieving their goals." This approach would also help protect computer systems from unauthorized access by insiders, he says (3).