Are you prepared to deal with a world of asymmetric information to protect your organization's most valuable information assets?
It’s already upon us
The events of the past year may be sufficient evidence that we are beyond the tipping point: one where black-hats can gather information about you more rapidly and stealthily than you can gather information to defeat them. Some events of the past year – those that have been publicized – that indicate we are at or over the edge of information asymmetry include:
- Aurora attacks on Google
- Rerouting of 15% of Internet traffic through a small ISP located in China
- Google gathering data from unprotected Wi-Fi networks for its Street View projects
- 100,000 iPad customers surprised by a hack on records at AT&T
- Stuxnet worm destroys Iranian nuclear capabilities and equipment
- Wikileaks continuing to find & publish secret and confidential state data
- RSA two-factor authentication token system compromised by hackers
- SSL BEAST proof-of-concept attack demonstrated against SSL
- HTC Android phones spewing user data
- The ever-changing, Facebook un-privacy flavor-of-the-month
When black-hats have better information than you do, the results are lopsided, and heavily in their favor.
What they don’t have – one hopes – is all of the tricks you use to defeat their attacks to gain additional information.
While there is merit to the now-common approach to information security based on Kerckhoffs's principle, which I'll re-phrase as “no security through obscurity”, there's also merit to the pragmatic approach of using “security through obscurity” to reduce your information asymmetry.
In an environment where adverse selection plays an important role in determining outcomes, he who has more information has the upper hand.
Whether it's the information asymmetry of economic agents (mortgage brokers, estate agents), of war (Operation Fortitude of World War II, Sun Tzu) or of information and security risk management (honeypots, for example), the cat-and-mouse games involving signaling, screening behavior, false information, information hiding, information transparency, and the absolute necessity of up-to-date information intelligence dictate the winners.
She who has more intelligence – information asymmetry – at her fingertips will generally survive to play the next game.
Some related information
- Asymmetry in Infosec
- Security through obscurity
- Ascent of Asymmetric Risk in Information Security: An Initial Evaluation
- The Value of Security Audits, Asymmetric Information and Market Impact of Security Breaches