Excellent observations. I think diversity, however, would be a better term than chaos. I've spent a good deal of my career building diversity into systems, so that they appear different at different times, and so that different devices appear differently to attackers. This can make them more difficult to attack, since each attack must be "custom made," and has only a limited time during which it may be effective.
Even the Internet root servers of old were purposely deployed using more than one platform for (partially) this reason. This is a lesson from Nature, where biodiversity is a primary defense mechanism. Investors know this when they diversify their profile as well.
I should point out that being random is not enough. Diversity must be carefully managed. For example, if you want to hide which Web server you are running, you might change the headers to emit random server IDs. For one request you are Apache, for the next you pretend to be IIS. If you are not careful, though, the very fact that you randomize could become a parameter in profiling your system. Furthermore, you may be exposing patterns in one random element that could give clues to others.
I like the way Andreas puts it - noting that attackers think outside the box which is already a very small box. So...change the box, maybe using chaotic dynamics as my current project does, but that chaos is only a path to the true defensive technique: diversity.
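As an added example (not the commenter's code or anything from the page), a small Python self-audit of the header-randomisation pitfall described above: the server names, header orders and response values are constructed for illustration, not measurements of real servers.

```python
from collections import Counter

# Constructed sample data: what one real server emits, and the header order each
# "persona" should present. The orders are made up for this example.
REAL_RESPONSE = {"Date": "Thu, 01 Jan 2009 00:00:00 GMT", "Server": "real-httpd/1.0",
                 "Content-Type": "text/html", "Content-Length": "42", "Connection": "close"}
PERSONAS = {
    "Apache/2.4": ("Date", "Server", "Content-Type", "Content-Length", "Connection"),
    "Microsoft-IIS/10.0": ("Content-Type", "Server", "Date", "Content-Length", "Connection"),
    "nginx/1.24": ("Server", "Date", "Content-Type", "Content-Length", "Connection"),
}
IDS = list(PERSONAS)

def naive_diversify(resp, server_id):
    """Swap only the Server string; every other header keeps the real server's order."""
    out = dict(resp)
    out["Server"] = server_id
    return out

def managed_diversify(resp, server_id):
    """Present the whole persona: the Server string plus that persona's header order."""
    out = dict(resp)
    out["Server"] = server_id
    return {name: out[name] for name in PERSONAS[server_id]}

def audit(responses):
    """Self-audit a sequence of responses from one host.
    Randomising one field while the rest stays fixed is itself a stable signal
    ("this host randomises Server"), and the fixed fields still profile it."""
    servers = Counter(r["Server"] for r in responses)
    orders_per_server = {s: {tuple(r) for r in responses if r["Server"] == s} for s in servers}
    distinct_orders = {tuple(r) for r in responses}
    return {
        "server_randomised": len(servers) > 1,
        # one header order shared by every claimed server: the randomisation leaks
        "order_leaks_randomisation": len(distinct_orders) == 1 and len(servers) > 1,
        # each persona internally consistent, as a single real server would be
        "personas_consistent": all(len(o) == 1 for o in orders_per_server.values()),
    }

def sample(diversify, n=6):
    """Constructed run of n responses cycling through the personas."""
    return [diversify(REAL_RESPONSE, IDS[i % len(IDS)]) for i in range(n)]
```

Running `audit(sample(naive_diversify))` reports the leak, while `audit(sample(managed_diversify))` does not, which is the difference between random and managed diversity.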