Security lessons from Nature – The Pacific Barreleye
- At March 03, 2009
- By Josh More
- In Natural History
How could I read about the Pacific Barreleye without mentioning it here? The fish, like most, lives in the water. Like many, it lives in deep water. Like very few, it likes to eat siphonophores, a type of stringy jellyfish with lots of stinging cells. Like no others I know of, it has a transparent head.
The theory here is that it uses the transparent head and scales to protect its eyes from its stinging prey. The video (which is here) looks a bit like computer rendering to me, but I know that there are transparent fish (boring link here) and mentions of this fish predate the recent news, so odds are that it’s real. What’s fascinating is that this critter is using transparency as a defense as well as an attack.
For years, people in the I.T. industry have been saying that we need to be more transparent in our business dealings. Attempts to make transparent software have resulted in open source software that is taking the market by storm. Opening up business processes has shown similar results.
In the security field, “transparency” often refers to security controls that the user doesn’t notice. These may be subtle barriers around the wrong actions paired with subtle rewards around the right actions. Sometimes it involves considerable monitoring in the background, with an active response only when a known danger appears. In the physical world, these can be RFID tags and sensors that help prevent theft. In the electronic world, it can involve “watermarking” intellectual property or encrypting data for archival purposes. Security doesn’t have to get in the way, and making it as unobtrusive as possible can often make it more effective: a control that users don’t notice is one they won’t work around.
Of course, nature figured this out long ago.
Security lessons from Nature – Immortal Jellyfish
- At February 24, 2009
- By Josh More
- In Natural History
Today, let’s take a look at the other side of immortality (the down-side of which was explored here). In particular, let’s look at jellyfish.
That’s right, scientists have discovered immortal jellyfish. (Such an interesting world that we live in.)
What’s most interesting about these creatures is how they achieve immortality:
But when starvation, physical damage, or other crises arise, “instead of sure death, [Turritopsis] transforms all of its existing cells into a younger state,” said study author Maria Pia Miglietta, a researcher at Pennsylvania State University.
The jellyfish turns itself into a bloblike cyst, which then develops into a polyp colony, essentially the first stage in jellyfish life.
The jellyfish’s cells are often completely transformed in the process. Muscle cells can become nerve cells or even sperm or eggs.
In other words, it does a “reset”. This allows it to adjust in the face of environmental changes and rebuild itself in such a way as to maximize its chances of success.
How many times have you had your IT people come up to you and say “if only you’d let us re-write/re-build the system, we could make all these problems go away”? How many times have you sighed, shaken your head and patiently explained to them why such a move didn’t make business sense?
Looking at the jellyfish, it might be worth considering. If things aren’t looking too good, maybe it would make sense to take another look at those persistent business problems. If you can solve even ONE of them, it might allow you to rebuild your company. After all, it worked for Flickr.
Security lessons from Nature – Venom
- At February 17, 2009
- By Josh More
- In Natural History
I am quite certain that it will come as no surprise to you that there are animals out there that are venomous. Generally speaking, they’re the ones that slither around until you walk up to them, at which point they begin doing a remarkable impersonation of a stick. Should you be unwise enough to think “Hey, I need a stick just like that one!” and pick it up, they will suddenly turn around and stab you with long pointy fangs. Then of course, to add insult to injury, they’ll also inject you with venom. These nasty chemicals will course their way through your system causing pain, organ failure and death.
It’s not just the slithery scaly ones that you should be careful of, of course. There are also the ones with far too many legs. These ones lurk in the woods, waiting for you to get distracted by a pretty nature scene, at which point they’ll descend from the trees on long thin threads, land on your neck and bite you. Then, as you’re falling down and writhing in pain, they’ll climb back up the thread and return to their lairs, giggling the whole way. They also like to live in areas where there are no trees, where they’ll conceal themselves in crevices and wait for you to go rock climbing. If you stick a finger in a hand hold, they’ll bite the fingertip, so that when you yank your hand out and fall off the mountain, you have time to watch your hand slowly swell and turn colours before you eventually splat at the bottom.
Then, there are the ones that live in the sea that are venomous all over. Since they swim better than you, they can come at you from all directions. Since you can only look in one direction at a time, you’re pretty much doomed. There are even some that are almost invisible and are one of the most deadly creatures in the sea.
Lastly, even the cute fuzzy critters can be dangerous. From good sized ones that are part duck to rodents that swarm to little monkey-like creatures with poisonous elbows(!), you never know what’s going to get you.
So yeah, the world is a very dangerous place (and it’s even worse if you dare to live in Australia). The only way to be safe is to not go out in it at all. Well, maybe not. Maybe you’re just fated to get bitten and die a lingering painful death. After all, with all these creatures around, everyone dies that way, right?
Right?
What, they don’t?
The lesson to learn this week is one that you already know. Simply put, don’t panic. Yes, there are venomous animals all over, but there are a great many mitigating factors as well. Snakes and spiders actually prefer to be left alone and only bite as a last resort. Even better, most of them aren’t venomous. Scorpion fish and stingrays tend to only bother divers, who generally know the risks and how to avoid them. Also, I can count the number of times I’ve been attacked by a platypus, slow loris or horde of shrews on one hand… and I don’t even need to use my fingers.
The business world is full of security concerns. The threats are real and need to be addressed. However, it can be overwhelming to listen to everyone’s advice and idiotic to ignore it. You have to strike a balance in what you do. It doesn’t make sense to spend a million dollars to protect a server whose loss would cost you $10,000. Just like it doesn’t make sense to wear a suit of armor when going rock climbing. The thing is, it also doesn’t make sense to go on a ten mile hike stark naked, smeared with rattlesnake pheromones.
Others have said similar things (Bruce Schneier, Drew McLellan). It really comes down to a simple problem. We’ve had millions of years to come to terms with the risks of living in the world, but only about twenty years to deal with the risks on the Internet. We don’t know how to strike the balance between being naked out there and armoring up ridiculously. We can’t intuitively recognize that a pair of good hiking boots is “good enough”.
There are all sorts of mathematical models that we use in the industry to analyze risk and to build cost justifications for senior management. They mostly work, but when you get down to it, it’s like trying to come up with a mathematical model that says things like “wear gloves when rock climbing” and “don’t pick up snakes in the woods”. They’re never going to be perfect.
So, what’s the right solution?
I’m afraid that it’s going to have to depend on the situation. If your organization is structured such that you allocate money on a yearly basis, and that money has to be approved by a board, you probably have to weigh all your options, call in numerous vendors, get position statements from all the middle managers, perform risk and threat analyses and put together a cost justification. Then, once you have a plan to present, you get to try to shoehorn the plan into an ROI model that’s not going to work anyway. Then, if you’re lucky, you get it passed. If you’re not, you’re unprotected for another year.
However, I prefer to work with small business. Then it’s easy to do what I like to call “agile security”. It’s fast, it’s cheap and it’s easy. There’s just one drawback. You have to trust.
Back in the days when people didn’t know which snakes were venomous and which ones were safe to hit with a stick and bring home for dinner, they likely relied on a handful of experts. Some knew snakes. Some knew spiders. Some knew plants: which ones not to eat, which ones were yummy, and which ones were the best ground up into a paste and put on the wound that was made when you ignored the advice of the snake expert.
They didn’t have complex models. They didn’t use a lot of numbers. They just said things like: “Don’t touch that snake. When Og touched that snake, it bit him. Then he ran around in circles for a while, turned purple and died.”
In a similar vein, I offer you this advice:
- Install a firewall that blocks both inbound and outbound traffic by default, and only allow what you actually need. If you don’t, it’s easy for an attacker to get at your data or to use your system to attack others (blocking outbound is what stops an already-infected machine from phoning home). When this happens, your business will suffer.
- Run a HIPS product (antimalware or application whitelisting) on every machine. If you don’t, you’ll get infected and an attacker could do anything they want.
- Don’t give everyone administrator access on your servers. If you do, there’s no control over your systems, nothing in the logs tells you who did what, and anyone could make a mistake that brings everything down.
- Make sure that more than one person can get at the administrator passwords (a sealed envelope in a safe, or a password vault with a second keyholder, is enough). If you don’t, and that one person leaves or proves to be untrustworthy, you’ll be locked out of your own systems.
- Keep your systems patched. Server maintenance is like house maintenance. It’s a LOT cheaper to fix things early than after something has broken in.
There are a great many others, of course, but these are a good place to start. If you’re not following any of this advice, pick one and start. Remember, you’re walking around in the woods right now. I know that you can’t afford a suit of armor. I know that you don’t know which boots are best. That’s OK. Here are some sandals. They’re not ideal, but it’s better than what you’ve got.
Let’s work our way up together.
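As an added example, not part of the original post, here is the first item on the list done concretely: a default-deny iptables ruleset for a small Linux server, in iptables-restore format, plus a check that a ruleset will not lock the box out of its own network. The management network 192.0.2.0/24, the allowed outbound ports (DNS, NTP, web for updates) and IPv4-only are assumptions of the example, not advice from the post; adapt them before applying anything.

```shell
#!/bin/sh
# Added example (not the post's own code): a default-deny firewall in
# both directions, written in iptables-restore format.
# Assumptions: IPv4 only; SSH management from 192.0.2.0/24 (a
# documentation range); the host needs DNS, NTP and HTTP/HTTPS outbound
# for package updates. Everything else is dropped and logged.

gen_rules() {
    mgmt_net="${1:-192.0.2.0/24}"
    cat <<EOF
*filter
# Default policies: drop anything not explicitly allowed, in and out.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is always needed.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Drop obviously bogus packets early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to connections this host initiated, and vice versa.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound: SSH from the management network only.
-A INPUT -p tcp --dport 22 -s ${mgmt_net} -m conntrack --ctstate NEW -j ACCEPT
# Outbound: DNS, NTP and web (updates). No other egress, so an infected
# box cannot phone home on an arbitrary port.
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Log what gets dropped (rate limited) so you find out what you broke
# before your users do.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
COMMIT
EOF
}

# Sanity check a ruleset read from stdin: every built-in chain must
# default to DROP, and established traffic must be allowed, otherwise
# the box cuts itself off the moment the rules load.
check_rules() {
    rules="$(cat)"
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -q "^:${chain} DROP" || return 1
    done
    printf '%s\n' "$rules" | grep -q 'ESTABLISHED,RELATED -j ACCEPT' || return 1
    return 0
}

# Usage, as root and only after reading the rules:
#   gen_rules 192.0.2.0/24 | check_rules && gen_rules 192.0.2.0/24 | iptables-restore
```

Apply it from a console session, not over SSH, the first time; if you got the management network wrong, the SSH rule is the first thing that stops working. Watch the `fw-out-drop:` lines in the kernel log for a few days to discover the outbound traffic the server legitimately needs that the assumptions above missed.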
Security lessons from Nature – Fire ants and lizard evolution
- At February 10, 2009
- By Josh More
- In Natural History
Borneo is a fascinating place. It is a land of edible birds nests, dragon’s blood and gold. Oh yeah, and don’t forget the parachuting cats (pages 29 and 31 are best, or, if you prefer, there’s a boring version.) But as much fun as the cat story is, I’d like to talk about ants instead. Ants, lizards, and the economy.
The news about the US economy isn’t all that good… depending on what “good” means. I personally have my doubts as to whether ever-increasing growth is a good thing. When that happens in a population like Borneo, we call it an epidemic (malaria) or an infestation (rats). When it happens in a person, we call it cancer. When it happens in the stock market, we call it “business as usual”. Methinks that there’s a misunderstanding somewhere, but I’ll let the economists handle that.
As I look at the news over the Internet and I hear from my friends, I’m seeing companies failing and people being laid off/let go/fired. Whatever terms you want to use, it’s pretty awful for people whose jobs are on the line, as they are in a position where they don’t have control over their own lives (much as if they were fighting malaria or cancer, actually). It is not surprising that the phrase “job security” would be bandied about right about now. For years I’ve been told “there’s no such thing as job security” and that I should “work to put myself out of work”. This doesn’t make much sense on the face of it, but when you get down to it, it’s all about control. In a lot of businesses, the bosses are in control and the employees do what they’re told. In others, the bosses and the employees work together to build something better. The former model is hierarchical and the latter model is cooperative.
Which brings me directly to ants and lizards.
See, in an ant society, you have very strict roles. The queen’s job is to lay eggs. The drones’ job is to mate with the queen, which sounds like a nice job, but they then have to die (always read your employment contract). Then you have the workers which, well, work. Then, some species will also produce soldiers who protect the nest. The model works well, and the ants are able to build very complex structures and societies within it, but the queen has all the control.
Lizards, in contrast, just sorta hatch and spend the rest of their lives eating things and laying about on rocks. Each lizard has their own autonomy and is in control of their respective lives. No one talks much about lizard edifices. Outside of science fiction and Minnesota, no one talks much about lizard societies.
But you know, they should… because the lizards are winning.
Recent developments on the fire ants vs. lizards front have led to lizards evolving longer legs and faster speed. In contrast, the ants on Borneo are blowing themselves up. As with much in life, it all comes back to Borneo.
See, in Borneo, the ants are required to be suicide bombers because each suicide also takes out one invader. Taken as a whole, allowing harm to come to a few workers here and there keeps the colony safe and stable. Seems a bit like laying people off to keep the company afloat, doesn’t it? In contrast, the lizards who have learned to run away from threatening ants have survived and become successful enough for them to produce children that are even faster. They can escape the ants. They might even be able to escape parachuting cats (short version here if you skipped the earlier links).
It seems that, unless you’re independently wealthy, you have a choice to make. You can be an ant and lay your job on the chopping block to help out your company, or you can be a lizard and scurry from project to project, moving so fast that the other ants can’t keep up. Your company may or may not survive, but if you’re fast enough and good enough, you’ll likely land on your feet (like a parachuting cat, actually).
Security is an active pursuit. Your IT systems won’t stay secure if you just lock things down and then ignore them. Your job won’t stay secure if you sit around and hope for things to get better. Your business won’t stay secure if you wait for an outsider to fly over your island and drop cats on you.
Now is the perfect time to be a long-legged lizard.
Security lessons from Nature – Genetic Tricks of Parasites
- At February 03, 2009
- By Josh More
- In Natural History
Let’s start this one by utterly ignoring the negative connotations of the word “parasite”. It is a perfectly valid form of life and has proven to be highly successful in nature. So, in other words, there’s nothing wrong with being a parasite… you know, if you happen to be one.
This news comes from the journal Nature Genetics and is summarized here. In a nutshell, they’ve found that parasitic life forms tend to have fewer genes than non-parasitic life forms. Why is this interesting?
Well, it means that creatures that are dependent on other creatures can simply drop the bits of themselves that they don’t need. However, dropping genes is a lot easier than gaining new ones (usually). What does this mean to you?
It’s interesting to compare this to business models. While no company exists in a vacuum, different companies do have differing levels of self-sufficiency. For example, a full service IT company can do many things themselves. They may use the products of different companies, but generally speaking, they are dependent on none of them. If one branch of their business were impacted by a change in the market, they could just focus on another. This is good, but it does tend to make the company larger and less responsive.
Compare this to companies that only do one thing, but do it very very well. Let’s take a hosting company as an example. A hosting company is completely dependent on its bandwidth provider. Sure, some of them use multiple bandwidth providers, but even in this case, the business model is parasitic (upon a genus or order of businesses, rather than just one species). So, suppose that something happened to all but one of the businesses in that order (the sphenodontians, if you like). Our little parasitic business would be forced to work with the one remaining business to survive.
Suddenly, the reduced resource usage that parasitism allows for doesn’t look quite so appealing.
As with many things, it’s all about risk management. When you gain an advantage here, it’s often paired with a disadvantage there. So, as you look at your business and consider where to make cuts or where to focus on your core competencies, just consider one thing:
How do reductions now reduce my options later?