I-Ching & InfoSec 易經和資安

"Any sufficiently advanced technology is indistinguishable from magic." – A. C. Clarke

"The ancient book of wisdom is indistinguishable from advanced science." – C. Lin

Chuan Lin, CISSP

Upload: chuan-lin

Post on 06-Jul-2015


Category: Technology



DESCRIPTION

These slides contain animations that do not work in the regular browser view. For the best viewing experience, please download the file and view it in PowerPoint Viewer. This is a theory craft of gleaning Information Security (InfoSec) from the Book of Changes. It is an attempt to look at InfoSec, the leading-edge world of technology, outside the box: from the most venerable book of knowledge. I-Ching is known as the Most Modern of Ancient Wisdom. It bears a resemblance to binary code and to DNA. Can it provide insight into InfoSec as well?

TRANSCRIPT

Page 1: I-Ching & InfoSec

I-Ching & InfoSec 易經和資安

"Any sufficiently advanced technology is indistinguishable from magic." – A. C. Clarke

"The ancient book of wisdom is indistinguishable from advanced science." – C. Lin

Chuan Lin, CISSP

Page 2: I-Ching & InfoSec

Summary

This is a theory craft of gleaning Information Security (InfoSec) from the Book of Changes.

It is an attempt to look at InfoSec, the leading-edge world of technology, outside the box: from the most venerable book of knowledge.

I-Ching is known as the Most Modern of Ancient Wisdom. It bears a resemblance to binary code and to DNA.

Can it provide insight into InfoSec as well?

Page 3: I-Ching & InfoSec

What is InfoSec

Information Security, according to Wikipedia, is about defending information from unauthorized access, use, disclosure, disruption, modification, perusal, recording or destruction.

While this is not new to modern society, technology, economics, and social media have created the need to protect corporate and individual information in addition to that of state governments.

Information Security will be the norm from now on, as what one learns about protecting corporate and state information can also be applied at the personal level.

Page 4: I-Ching & InfoSec

What is I-Ching

Who (者) – Fu Xi, one of the legendary Chinese Sovereigns, and King Wen of the Zhou Dynasty are credited as the authors.

When (時) – The official date is around 1059 BC, though most believe it existed much earlier than that. It was introduced to the West in the 17th century.

Where (處) – It originated in China.

What (何) – I-Ching is the accumulated wisdom from which Chinese arts, music, philosophy, religion, medicine, astronomy, arithmetic, literature, military, martial arts, divination, science and technology were derived.

Page 5: I-Ching & InfoSec

Information Security Breakdown 資安分列 (InfoSec Breakdown)

What is Information?

What are we securing?

Page 6: I-Ching & InfoSec

At Root Level View of Information Security

Security is about protecting. For the InfoSec Professional (InfoSec Pro), it is to ensure that information remains confidential, integral, and available to authorized individuals.

Information is about how a person utilizes given data.

If a person doesn't know how to handle given data, then that information is useless.

If a person is given wrong data, then that information is useless.

If a person is given a set of data that she knows how to handle, and the data provided is correct, then this information is useful.

Page 7: I-Ching & InfoSec

Next Level View of Information Security

A more detailed analysis of what InfoSec is:

Securing people from revealing key information

Securing data from unauthorized access

Securing data input from corrupting data

Securing data output from unlawful usage

Page 8: I-Ching & InfoSec

Tertiary View of Information Security, Part 1 (of 8)

What are we protecting? People, at both the individual/family and the corporate/state level.

People are susceptible to social engineering, or psychological influence, into revealing key information that would breach information security.

This is a challenging task because hardening against social engineering tends to go against our human traits and nature.

Page 9: I-Ching & InfoSec

Tertiary View of Information Security, Part 2 (of 8)

What are we protecting? Data, at both the individual/family and the corporate/state level.

Data by itself is very dormant and, with the correct access code, very accessible.

This is the focus of the InfoSec Pro: how to safeguard data, whether it is at rest or in transit. But this is only one component of the bigger picture.

Page 10: I-Ching & InfoSec

Tertiary View of Information Security, Part 3 (of 8)

What are we protecting? Applications.

An application requires data and/or inputs to produce the desired outputs. The side effect is that an unsecured application can leak data.

Next to people, this presents a challenge for the InfoSec Pro, since we are not adept at scrutinizing lines of code or, in most cases, at certifying third-party applications as secure.

Page 11: I-Ching & InfoSec

Tertiary View of Information Security, Part 4 (of 8)

What are we protecting? Data Bank/Cloud/Server Farm.

We generate more and more data, and we want it to be instantly accessible yet secure. Cloud technology is the solution.

Most big cloud service providers have met US government security requirements. The physical location (in the US) is vast, with acres of servers, which makes searching for a particular set of data the proverbial needle in a haystack.

Page 12: I-Ching & InfoSec

Tertiary View of Information Security, Part 5 (of 8)

What are we protecting? The Internet.

It allows us to connect with each other and to have easier access to information. While the internet provides us a quick avenue to information, it also gives crooks an expeditious passage to our lives and data.

A combination of mindful browsing habits, a secured browser, and a password manager will avoid 80% of the pitfalls.

Page 13: I-Ching & InfoSec

Tertiary View of Information Security, Part 6 (of 8)

What are we protecting? Home and office.

We tend to think of our homes as our sanctuary and our offices as safe working environments. This causes us to be lax in securing our data until rogues steal it.

Being a physical location, security access can be established. But problems arise from trading security for convenience and from security laxity in daily routines.

Page 14: I-Ching & InfoSec

Tertiary View of Information Security, Part 7 (of 8)

What are we protecting? Wifi.

Smartphones are the primary factor pushing data wireless. We already transmit pictures via social media apps, and now payment information as well.

Technology to grab sensitive data over the airwaves is becoming available. Wifi jamming devices are also popular items.

Page 15: I-Ching & InfoSec

Tertiary View of Information Security, Part 8 (of 8)

What are we protecting? Energy.

While utility companies are beginning to offer network services, they are crucial to information security because they provide the energy needed to power security devices.

A blackout would render the world's best security devices useless; a brown-out would destroy the world's best security devices. Surge protection and alternate power sources are part of information security planning.

Page 16: I-Ching & InfoSec

Information Security through I-Ching Point of View

資安透過易經觀點 (InfoSec through the I-Ching point of view)

Page 17: I-Ching & InfoSec

A Holistic View of I-Ching/InfoSec

易有太極,是生兩儀

I (易) is Taiji that generates two primary forces. (tr. Wilhelm and Baynes 1967:318-9)

I (易) is Information that generates two primary sources.

As InfoSec Pros, our duty is to protect information to make sure it is confidential, integral, and available.

And information separates into two primary sources: data & person.

太極 (Taiji)

Page 18: I-Ching & InfoSec

A Holistic View of I-Ching/InfoSec

易有太極,是生兩儀

The two primary forces in I Ching are yin and yang.

Yin        Yang
negative   positive
female     male
earth      heaven
employees  manager
0          1
data       person

Yin – the receiving, potential, and passive forces of nature.

Yang – the giving, kinetic, and active forces of nature.

Data = Yin – data is inert and requires a person to decipher it and act on it.

Person = Yang – a person is active and able to use data to create useful information.

As InfoSec Pros, we need to protect both the person and the data.

兩儀 (Two Primary Forces)

Page 19: I-Ching & InfoSec

A Holistic View of I-Ching/InfoSec

兩儀生四象

The two primary forces generate the four images. (tr. Wilhelm and Baynes 1967:318-9)

Here in I Ching, the concepts of time and state are introduced through the four images.

The two primary sources generate the four states.

Likewise, for InfoSec, after breaking information down into data and person, we are introduced to the states of data that need to be protected.

四象 (Four Images)

Page 20: I-Ching & InfoSec

A Holistic View of I-Ching/InfoSec

Four Images \ Four States: Old Yang \ Person; Young Yang \ Input; Young Yin \ Output; Old Yin \ Data

四象 (Four Images)

老陽/Old Yang – In I-Ching, it represents the peak state: summer, prime, very active, south, noon. In InfoSec, this represents the person, or a small group of people, who are capable of generating and utilizing data.

少陽/Young Yang – In I-Ching, it represents the growing state: spring, young adult, active, east, dawn. In InfoSec, this represents data input: data that is to be processed; data in motion toward becoming information.

少陰/Young Yin – In I-Ching, it represents the declining state: fall, middle age, sluggish, west, dusk. In InfoSec, this represents data output: data that has been modified; data as information.

老陰/Old Yin – In I-Ching, it represents the restful state: winter, senior, restful, north, midnight. In InfoSec, this represents raw data: unmodified data, data storage.

Page 21: I-Ching & InfoSec

Examples of Four States of Information

Old Yang / Young Yang / Young Yin / Old Yin

People / Data Input / Data/Data Process / Data Output

Page 22: I-Ching & InfoSec

A Holistic View of I-Ching/InfoSec

四象演八卦 The four phenomena act on the eight trigrams (bagua). (tr. Wilhelm and Baynes 1967:318-9)

I Ching: the trigrams are forces of nature.

The four states act on the eight mediums.

InfoSec: the mediums are the building blocks of the InfoSec world.

When we break down an information system, each of its components will be one of the eight mediums described in the following slides.

八卦 (Eight Trigrams)

Page 23: I-Ching & InfoSec

A Holistic View of I-Ching/InfoSec

Qian in I-Ching 八卦 (Eight Trigrams)

Image in Nature: sky
Wilhelm's Translation: the Creative
Family Relationship: father
Body Part: head
Binary Code: 111
State: active

Qian in InfoSec

People, because we are the active force. We create data; we transform data into useful information.

Example: In this PowerPoint presentation, you are the one in control. You can continue, stop, rewind, or quit.

InfoSec: People are hard to safeguard because of the need to be active versus the need to be restrained.

Page 24: I-Ching & InfoSec

A Holistic View of I-Ching/InfoSec

Kun in I-Ching 八卦 (Eight Trigrams)

Image in Nature: earth
Wilhelm's Translation: the Receptive
Family Relationship: mother
Body Part: belly
Binary Code: 000
State: receptive

Kun in InfoSec

Data, because they are amenable. Data are created, manipulated, and accessed by us. By themselves, they do nothing.

Example: In this PowerPoint presentation, the words and graphics you see are data. They simply present my thoughts, and may become information if you have a background similar to mine.

InfoSec: Data are the easiest to safeguard because they are inactive. But encryption will slow down our access to them.

Page 25: I-Ching & InfoSec

A Holistic View of I-Ching/InfoSec

Li in I-Ching 八卦 (Eight Trigrams)

Image in Nature: fire
Wilhelm's Translation: the Radiance
Family Relationship: 2nd daughter
Body Part: eye
Binary Code: 101
State: adaptable

Li in InfoSec

Applications, because they transform data into something useful or malicious. An application is meaningless without data, just like fire without fuel.

Example: In this presentation, MS PowerPoint and the browser you use are applications that manipulate and display data as relevant information. Without the data, PowerPoint would open to a blank page, or your browser would get a 404 error.

InfoSec: While it is easy to use white & black lists to restrict applications, like Prometheus, someone will inadvertently bring in the wild fire.

Page 26: I-Ching & InfoSec

A Holistic View of I-Ching/InfoSec

Kan in I-Ching 八卦 (Eight Trigrams)

Image in Nature: water
Wilhelm's Translation: the Abysmal
Family Relationship: 2nd son
Body Part: ear
Binary Code: 010
State: in motion

Kan in InfoSec

The internet, because like traditional waterways it brings life, communication, and commerce among people from different areas. Even now, we use terms like torrents, phishing, upstream, downstream, and flood to describe situations involving the internet.

Example: In this presentation, you are accessing it through the internet for content delivery. And like a waterway, things move quickly when there is no congestion, and when it chokes, you receive your cargo sporadically.

InfoSec: Like traditional waterways, companies build series of dams (aka firewalls) to limit the inflow and outflow of commodities. The problem is, sometimes we have to find out where the leaks and seepage are.

Page 27: I-Ching & InfoSec

A Holistic View of I-Ching/InfoSec

Gen in I-Ching 八卦 (Eight Trigrams)

Image in Nature: mountain
Wilhelm's Translation: Keeping Still
Family Relationship: 3rd son
Body Part: hand
Binary Code: 001
State: completion

Gen in InfoSec

Buildings and hardware, because these are the closest things to enduring in an InfoSec world where everything is constantly changing. Buildings and hardware are traditionally the places where wealth and data are stored.

Example: In this presentation, you are most likely viewing it in the comfort of your home or office, which protects you and gives you a sense of privacy and security. Even a coffee shop environment is preferable to outdoors (unless the weather is perfect and traffic is light).

InfoSec: As a physical fixture, it is easily defended. Locks, security devices, lights, fixtures, and guards are used in conjunction to deter, detect, delay, and deny threats.

Page 28: I-Ching & InfoSec

A Holistic View of I-Ching/InfoSec

Dui in I-Ching 八卦 (Eight Trigrams)

Image in Nature: lake
Wilhelm's Translation: the Joyous
Family Relationship: 3rd daughter
Body Part: mouth
Binary Code: 110
State: tranquil

Dui in InfoSec

The cloud environment, because this is where massive amounts of data are stored. If we use the analogy of the internet as a waterway, all arteries eventually flow into a lake or ocean. And if you think of the source of the tributaries, most come from mountains (office buildings/homes).

Example: In this presentation, this PowerPoint slide is uploaded to slideshare.net, which may end up in the Amazon cloud, Microsoft Azure, or another massive data storage location.

InfoSec: It has both a virtual and a physical location. In both cases, the massive size and the number of backups make it nearly impossible to attack. Instead, threats come from stolen IDs, denial of service, or simply bombing the place out of existence.

Page 29: I-Ching & InfoSec

A Holistic View of I-Ching/InfoSec

Xun in I-Ching 八卦 (Eight Trigrams)

Image in Nature: wind
Wilhelm's Translation: the Gentle
Family Relationship: 1st daughter
Body Part: thigh
Binary Code: 011
State: gentle entrance

Xun in InfoSec

Wifi technology, because data travel through the air. This technology allows people to move away from the rivulets of network cables and lets them transfer data through the zephyrs of the major telecoms.

Example: In this presentation, this PowerPoint can be viewed over a wifi connection and on mobile devices.

InfoSec: This is a relatively new frontier and has brought focus to encrypting data on the move. Most data transfers (especially credit card payments) are unprotected and can be easily grabbed by another mobile device.

Page 30: I-Ching & InfoSec

A Holistic View of I-Ching/InfoSec

Zhen in I-Ching 八卦 (Eight Trigrams)

Image in Nature: thunder
Wilhelm's Translation: the Arousing
Family Relationship: 1st son
Body Part: foot
Binary Code: 100
State: initiative

Zhen in InfoSec

Energy, like its natural image. The InfoSec environment depends on energy.

Example: In this presentation, you don't see the undercurrent of energy. But you will feel it if any of your devices, the server that houses this PowerPoint, or any piece of network infrastructure in between runs out of juice.

InfoSec: Energy is a new area for the InfoSec Pro to be concerned with. While a blackout can knock out our layered defenses, it also denies attackers access to data. But when things are powered back on, our defense network may not be up and ready.

Page 31: I-Ching & InfoSec

A Holistic View of I-Ching/InfoSec

八八六十四卦 Eight eights are sixty-four hexagrams. (tr. Wilhelm and Baynes 1967:318-9)

I Ching: the hexagrams describe all natural conditions in terms of human relations, and each condition has its 6 stages of progression.

Eight by eight creates sixty-four situations.

InfoSec: These 64 situations have their own life cycles and possible disruptions.

六十四卦 (Sixty-four Hexagrams)

Discussion of the 64 Hexagrams/Situations is beyond the scope of this PowerPoint.

Page 32: I-Ching & InfoSec

Defensive View of Information Security & I-Ching

易經與資安防禦 (I-Ching and InfoSec Defense)

Page 33: I-Ching & InfoSec

High Level View of Information Security through I-Ching

This is the final stage of using the I Ching method for information security.

It is incomprehensible to the uninitiated, but the key ideas behind it are:

Besides the human factor, I Ching/InfoSec utilizes both the time element and the physical location as part of defense in layers.

Despite its seeming complexity, it is quite portable, whether applied to a physical location or to a virtual domain.

防禦 (Defense)

Page 34: I-Ching & InfoSec

Encryption in InfoSec/I-Ching

Encryption is a necessity in InfoSec that prevents unauthorized access.

In the previous section, I Ching symbolism was used to relate to Information Security.

Now we are exploring the applied math in I Ching for encryption.

To the right is the Yellow River Diagram symbolism, which translates into a mathematical equation when you click on it.

先天 (Earlier Heaven)

Page 35: I-Ching & InfoSec

Encryption in InfoSec/I-Ching

The Yellow River Diagram represents the State of Heaven at rest.

Correspondingly, this method of encryption is for data at rest.

Here is the algorithm for encoding and decoding data.

This is the modern interpretation of the same algorithm.

Now, as to which one to use, well, isn't that the secret?

河圖 (Yellow River Diagram)

Page 36: I-Ching & InfoSec

Encryption in InfoSec/I-Ching

To the right is the Luo River Scroll symbolism, which translates into a mathematical equation when you click on it.

It represents the State of Heaven in Motion.

Correspondingly, it can represent data in motion.

Why? Because data in motion require faster encapsulation and decapsulation than data at rest.

後天 (Later Heaven)

Page 37: I-Ching & InfoSec

Encryption in

InfoSec/I-Ching

This mathematical equation is popularly known in the West as Sudoku.

The idea behind Sudoku is that every line (vertical, horizontal, diagonal) must add up to the same number.

So during data transit, the data is encapsulated with a series of numbers that, when decoded on the other side, must add up to the number in a Sudoku-like box in order to validate the data.

洛書
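As an added illustration (not code from the slides), the line-sum validation the slide describes, implemented over the Luo River Scroll square (4 9 2 / 3 5 7 / 8 1 6, every line summing to 15): the sender wraps a payload with the box, and the receiver accepts it only if all eight lines still add up. The frame layout, the corrupted-cell fault and the final count of passing arrangements are assumptions and constructed checks for this example, showing what the rule detects (an altered value) and what it cannot (a reordered box).

```python
"""Luo Shu (洛書) line-sum validation: every row, column and diagonal of the
3x3 box must add up to the same number (15). The frame layout (payload + box)
is an assumption made for this example, not a format from the slides."""
from itertools import permutations

# The Luo Shu arrangement of 1..9; every line sums to 15.
LUO_SHU = [[4, 9, 2],
           [3, 5, 7],
           [8, 1, 6]]
MAGIC_SUM = 15


def lines(square):
    """Yield the eight lines of a 3x3 square: 3 rows, 3 columns, 2 diagonals."""
    n = len(square)
    for r in range(n):
        yield [square[r][c] for c in range(n)]
    for c in range(n):
        yield [square[r][c] for r in range(n)]
    yield [square[i][i] for i in range(n)]
    yield [square[i][n - 1 - i] for i in range(n)]


def failed_lines(square, target=MAGIC_SUM):
    """Indices (0-2 rows, 3-5 columns, 6-7 diagonals) whose sum is not the target."""
    return [i for i, line in enumerate(lines(square)) if sum(line) != target]


def is_magic(square, target=MAGIC_SUM):
    """True when every line of the square adds up to the target."""
    return not failed_lines(square, target)


def encapsulate(payload, box=LUO_SHU):
    """Sender side: the payload travels together with a copy of the box."""
    return {"payload": list(payload), "box": [row[:] for row in box]}


def decapsulate(frame, target=MAGIC_SUM):
    """Receiver side: accept the payload only if every line of the box still
    adds up. Returns (accepted, payload, failed_line_indices)."""
    bad = failed_lines(frame["box"], target)
    return (not bad, frame["payload"], bad)


def corrupt(frame, row, col, value):
    """Constructed fault: one cell of the box altered in transit."""
    damaged = encapsulate(frame["payload"], frame["box"])
    damaged["box"][row][col] = value
    return damaged


def rotate(square):
    """Rotate a square 90 degrees clockwise; every line sum is unchanged."""
    n = len(square)
    return [[square[n - 1 - r][c] for r in range(n)] for c in range(n)]


def count_passing_arrangements(values=range(1, 10), target=MAGIC_SUM):
    """How many orderings of the nine values satisfy the line-sum rule.
    Each passing arrangement looks identical to the receiver, so the rule
    detects altered values but not a reordered box."""
    count = 0
    for p in permutations(values):
        if p[0] + p[1] + p[2] != target:   # cheap early reject on the first row
            continue
        square = [list(p[0:3]), list(p[3:6]), list(p[6:9])]
        if is_magic(square, target):
            count += 1
    return count


if __name__ == "__main__":
    frame = encapsulate(b"constructed sample payload")
    print("intact box accepted:", decapsulate(frame)[0])
    print("altered cell detected:", decapsulate(corrupt(frame, 0, 0, 5)))
    rotated = encapsulate(frame["payload"], rotate(frame["box"]))
    print("rotated box accepted:", decapsulate(rotated)[0])
    print("arrangements of 1..9 that pass:", count_passing_arrangements())
```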

Page 38: I-Ching & InfoSec

Encryption in InfoSec/I-Ching 方圖 (Square Diagram)

Prior to the Information Age, decoding Sudoku was relatively easy, but breaking a 1–64 square was a challenge.

These symbols can be translated into mathematical values.

Then the entire square looks like this….

Page 39: I-Ching & InfoSec

Encryption in InfoSec/I-Ching 方圖 (Square Diagram)

The Information Age brought us such incredible processing power that whatever is within this square can be decoded quickly.

But what if we have to decode 4 squares of 64 numbers?

As processing power improves, do we escalate the number of squares by powers of 2?

These squares can be used either for Yellow River or for Luo River encryption.

Page 40: I-Ching & InfoSec

Encryption in InfoSec/I-Ching

However, the problem with the previous method is that it can be too cumbersome for data in motion, because it increases the amount of decoding time.

Hence the concept of I Ching as a time reference. Each hexagram represents approximately 5~6 days (the numbers on the I Ching shown are examples and not correct).

The time element introduces variance in how the encapsulated encryption is decoded.

E.g. Out of 16 hash codes, we drop every other 3rd and 4th number.

E.g. Each of the 16 hash codes is multiplied by 9, 8, 7 or 6.

圓圖 (Circular Diagram)

Page 41: I-Ching & InfoSec

Encryption in InfoSec/I-Ching

So by combining both the square and the circular I Ching, we introduce a complex encryption scheme that is portable and yet versatile.

This is also commonly known as the circular and square formation of the I Ching hexagrams, which is traditionally represented in 2D.

And here is the 3D rendition of the circular and square formation.

圓圖 (Circular Diagram)

Page 42: I-Ching & InfoSec

Offensive View of Information Security & I-Ching

易經與資安攻略 (I-Ching and InfoSec Offense)

Page 43: I-Ching & InfoSec

Offensive View of Information Security 資安攻勢論 (Offensive Theory of InfoSec)

Three Types of Attackers: Individual; Organization; State/Enterprise

Purpose of the Attacks: Fame; Gains (Economic/Terminal/scientific); Revenge

Page 44: I-Ching & InfoSec

Offensive View of Information Security 資安攻勢論 (Offensive Theory of InfoSec)

Currently, attack techniques are mostly web-based or carried out through networks.

But as network defense and encryption get more complex, social engineering attacks are on the rise.

Maybe within the next 10 years, the state/enterprise level will conduct full-spectrum attacks to probe target weaknesses.

The next 8 slides will discuss theoretical threats from the I Ching perspective.

Page 45: I-Ching & InfoSec

Offensive View of Info Sec/I-Ching – Attacking the Mind

Social Engineering - When defensive technology is solid, attackers may use the human element as an alternate attack.

Not everyone is trained in security mindfulness.

Everyone has varying degrees of Greed, Anger, and Ignorance that can be exploited.

Identity Theft

Profits, Revenge, Cyberbullying

乾攻心 (Qian attacks the mind)

Page 46: I-Ching & InfoSec

Offensive View of Info Sec/I-Ching – Attacking the Data

Extracting Data –

To gain state secrets

To gain economic\technological advantage

To embarrass an individual

Inserting Data (false) –

To redirect attacks

To disrupt economic\technological advantage

To maim\eradicate\disable an individual (through false medical information, identity theft)

坤攻資 (Kun attacks the data)

Page 47: I-Ching & InfoSec

Offensive View of Info Sec/I-Ching – Attacking Applications

Hostile applications are the most common means of attack, since we all depend on software to conceptualize, convert, and create useful information from a set of data.

There is a gamut of PUPs (potentially unwanted programs), ranging from stealing, redirecting, spying, cloning, disabling, controlling, etc.

Like an arms race, threat and anti-threat applications have escalated to the point that in mid-2014 Symantec acknowledged that anti-virus software by itself is no longer adequate to stop threats.

離火攻 (Li fire attack)

Page 48: I-Ching & InfoSec

Offensive View of Info Sec/I-Ching – Attacking the Network

Strategically, states control the internet pipelines.

Tactically, states, organizations, groups, or individuals can control bots that conduct either low orbit ion cannon or high orbit ion cannon attacks, which cause denial of service to knock down one or a series of domains or networks.

坎攻網 (Kan attacks the network)

Page 49: I-Ching & InfoSec

Offensive View of Info Sec/I-Ching – Attacking the Base

Theft is the most common form of attack against individual property, homes, offices, and corporate centers.

Nearly all of us carry sensitive data on our portable devices.

In times of economic hardship, employees can be bribed to destroy or steal corporate data with relatively low risk to the instigator.

Besides money, aggrieved employees may also be willful accomplices to data theft.

艮攻堡 (Gen attacks the fortress)

Page 50: I-Ching & InfoSec

Offensive View of Info Sec/I-Ching – Attacking the Cloud

Cloud storage vendors currently enjoy a relative scale of operation (too big to be hacked) as a means of defense against attack.

The Google Barge is the perfect example of mobile cloud storage, with plenty of water to disperse heat and containers of servers to store data.

Any attack against a Cloud Storage Vendor will be property destruction, to prevent the data from being available.

兌攻雲 (Dui attacks the cloud)

Page 51: I-Ching & InfoSec

Offensive View of Info Sec/I-Ching – Attacking the Wind

Wifi and cellular data plans offer convenience and mobility to data creators.

One method of attack is to grab data transmitted in a public wifi area. This targets small business owners, who often use wifi to do credit card transactions.

Another method is to create wifi and cellular jammers to deny data and voice communication.

巽攻風 (Xun attacks the wind)

Page 52: I-Ching & InfoSec

Offensive View of Info Sec/I-Ching – Attacking the Energy

Like cloud storage providers, utility companies also seem to enjoy a relative scale of operation that keeps them safe from attacks.

But unlike cloud storage, the goal of attacking the energy source doesn't have to be at the utility site; it can be as close as the local grid where the data resides.

Without a backup power source, most companies' defenses will go offline in a blackout.

震攻電 (Zhen attacks the power)

Page 53: I-Ching & InfoSec

Offensive View of Info Sec/I-Ching 資安/易經攻勢論 (Offensive Theory of InfoSec/I-Ching)

At the individual level

The attacker has a lot more variety of motivation than those at the organization and state level.

Some are not necessarily malicious but simply curious.

An individual only has the resources to utilize 1-2 methods of attack: social engineering, theft, or DDoS.

Page 54: I-Ching & InfoSec

Offensive View of Info Sec/I-Ching 資安/易經攻勢論 (Offensive Theory of InfoSec/I-Ching)

At the organization/state level

Motivations are easier to define: greed, grandeur, or grievance.

They have sufficient resources to coordinate attacks using various methods.

But to use all 8 methods of attack would constitute an act of war, even if it is directed at an organization within the same state.

Page 55: I-Ching & InfoSec

Summary – 略 (Summary)

InfoSec is all about protecting data.

There are books, blogs, and webinars on how to protect it and what to look out for.

But like all warfare involving technology, the techniques are evolving rapidly.

Sometimes it is better to step out of the box and look at InfoSec from a different perspective.

I-Ching is not just the Book of Wisdom or the Book of Divination. It should also be viewed as the Book of Applied Science because of the three principles it promotes:

The I (易) is simple to understand once you realize the pattern.

The I (易) is changing (just look at germinating viruses, Trojans and ransomware).

The I (易) is constant (data is the goal, whether acquiring or denying it).

Page 56: I-Ching & InfoSec

References – 參考 (References)

Slides 33 & 41: The Yi Globe – the Cosmos in the I Ching, by József Drasny, Budapest, 2007, and his website: http://www.i-ching.hu/index.htm

The following graphs are from Hackmageddon (http://hackmageddon.com/):

Slide 43: motivations behind attacks, September 2014

Slide 43: distribution of targets, September 2014

Slide 44: attack techniques, September 2014

Slide 53: Top 10 famous computer hackers images are from http://h4x3r.quora.com/Top-10-famous-Computer-HACKERS

Slide 54: various images are pulled from Bing image search based on the article http://www.topcomputersciencedegrees.com/notorious-hacker-groups/