This document discusses the similarities between the board game Go (also known as Weiqi) and information security (InfoSec). It describes how Go components like stones, the board, and lines of defense map to InfoSec concepts like technologies, company locations, and layers of security. Stones represent both offensive and defensive tools, and the board represents a company, with intersection points as areas where networks, hardware, software, and people converge. Different board sizes correlate to company sizes, and strategic points on the board are like critical assets to protect. The document advocates viewing InfoSec defenses holistically and in depth, rather than focusing on any single area.
2. As Information Security (InfoSec 資安) professionals, we tend to focus on a particular domain because it is happening right now, and we often miss the bigger picture.
• Weiqi (圍棋) is a Chinese board game of moving pieces in order to gain a greater area of the board. It is more popularly known in the West as Japanese Go.
3. • Weiqi has often been used as a metaphor for one's life, business, and military conflict, where one gains or loses ground.
• Observing weiqi in play can help us see our company's Information Security in its entirety.
• This is the 1st of a 3-part series on Weiqi/InfoSec.
• This slide deck will focus on weiqi components and how they are similar to the InfoSec world.
4. Stones are playing pieces that both players take turns placing on the board. Once placed, a stone can't be moved until it is completely surrounded by opposing pieces. In Weiqi, the black stone (黑棋子) has the first move.
"Stones go" by Chad Miller - Flickr: pente. Licensed under Creative Commons Attribution-Share Alike 2.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:Stones_go.jpg#mediaviewer/File:Stones_go.jpg
5. Black stones in InfoSec can represent technologies, tools, social engineering, and the human component. These pieces are used in advanced persistent attacks, which are dedicated, concealed, coordinated, and goal oriented.
6. White stones (白棋子) in InfoSec represent administrative, physical and technical controls that are able to support each other without dissonance. They can be a firewall, RFID card, security camera, logs, guards, etc.
"FloorGoban" by Goban1 - Own work. Licensed under Public domain via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:FloorGoban.JPG#mediaviewer/File:FloorGoban.JPG
7. Whatever they may be, these white stones have to work in unison to support one another. A firewall is only as good as the person who maintains it. InfoSec professionals can only be as effective as company policy dictates. And policy can only be forceful if people and technology are backing it up.
8. Stones are placed at the intersection points on a playing board, which is called a goban (碁盤). There are three goban sizes that correspond to the skill of the players, which also correspond to company size.
"Blank Go board" by Gringer (talk) - Originally based on File:Blank_Go_board.png, but SVG has since been manually rewritten. Licensed under Public domain via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:Blank_Go_board.svg#mediaviewer/File:Blank_Go_board.svg
9. A goban represents a company's or business's physical location. These intersection points are the converging points of network, electrical, hardware, software and human presence.
10. A 9x9 goban is for beginners and has 4 dots, which are known as star points (星). They have strategic and tactical importance. There is a center point called Tianyuan (天元) or tengen. It is the center of heaven.
11. This is similar to the organization structure of a regional-size company, whose star points are… These star points are areas of control which are targeted by attackers.
Star points (diagram labels): administration, HR, finance, IT, data.
12. For InfoSec of a regional-size company, these star points can also be viewed as… By maintaining control over a star point, a hacker may advance to cover more area, or InfoSec may contain the hacker's movement.
Star points (diagram labels): network, software, hardware, employees, data.
13. The next goban is 13x13, and the largest board is 19x19. They represent national or international-sized corporations. They have 6 to 9 star points of strategic and tactical importance in the game and in the real world.
14. The organization structure of both national and international businesses will have additional star points, which are...
Star points (diagram labels): administration, HR, IT, research, law, vendors, finance, core business, data.
15. Both national and international businesses will have additional star points which need to be considered when planning out defenses. Even now, hackers are thinking of another avenue of entry by thinking outside the box.
Star points (diagram labels): network, hardware, software, location, employees, vendors, energy, Internet of things, data.
16. If you line up all those star points, they form the 4th Line of Defense, the Influence Line. This is an optimal area for a player to expand in all directions. However, it is easier to expand toward the center than toward the edge.
17. The Influence Line in InfoSec is where the threat is detected within the premises, or within the company network. The threat has almost unlimited potential to move around because it is inside all layers of defense. Nonetheless, it will be harder to expand outward than inward for the same reason.
18. If you draw a box surrounding all those star points, it forms the 3rd Line of Defense, the Onsite Line. Like the Influence Line, this line has potential because it can establish a link toward the outside or the inside.
19. The Onsite Line in InfoSec is where the threat is detected within a public area of the premises, or at the 2nd firewall layer. The threat is attempting to establish a connection between the outside and the inside.
20. If you draw a box at the points right next to the border, it forms the 2nd Line of Defense, the Failure Line. Though this line is longer than the 3rd and 4th, it does not have much maneuverability. This line is played during the mid to late game.
21. The Failure Line in InfoSec is where the threat is detected at the public area around the premises, or at the DMZ. If this shows up after an internal breach is detected, it may be an attempt to establish a connection.
22. If you draw a line around the border, it forms the 1st Line of Defense, the Demise Line. This line is usually exploited in the mid to late game to establish spheres of control.
23. The Demise Line in InfoSec is where the threat is detected away from the premises, or at the first firewall of the company website. The threat is far enough away that InfoSec has time to strengthen its defenses in depth.
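The four lines of defense from slides 16 to 23, applied to a stream of detections, as an added example that is not part of the original slides. The zone names and the sample detections are assumptions constructed for illustration; the flag implements the slide 21 remark about a Failure Line detection that follows an internal breach.

```python
from datetime import datetime

# Detection zone -> (line number, line name), as laid out in slides 17-23.
# The zone keys are names assumed for this example.
LINES = {
    "first_firewall": (1, "Demise Line"),
    "dmz": (2, "Failure Line"),
    "second_firewall": (3, "Onsite Line"),
    "internal_network": (4, "Influence Line"),
}

def triage(events):
    """Label detections with their line of defense, in time order.

    A Failure Line detection seen after an Influence Line detection is
    flagged, since slide 21 reads it as a possible attempt to establish a
    connection once an internal breach is known.
    """
    results = []
    breach_seen = False
    for ev in sorted(events, key=lambda e: e["time"]):
        number, name = LINES[ev["zone"]]
        results.append({
            "time": ev["time"],
            "number": number,
            "line": name,
            "link_attempt": breach_seen and number == 2,
        })
        if number == 4:
            breach_seen = True
    return results

# Constructed sample detections (not real log data), deliberately unordered.
SAMPLE = [
    {"time": datetime(2024, 1, 1, 10, 5), "zone": "dmz"},
    {"time": datetime(2024, 1, 1, 9, 0), "zone": "first_firewall"},
    {"time": datetime(2024, 1, 1, 10, 0), "zone": "internal_network"},
    {"time": datetime(2024, 1, 1, 9, 30), "zone": "dmz"},
    {"time": datetime(2024, 1, 1, 10, 7), "zone": "second_firewall"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        note = " <- possible connection attempt" if r["link_attempt"] else ""
        print(f"{r['time']:%H:%M} line {r['number']} ({r['line']}){note}")
```

The same DMZ detection is treated differently at 09:30 and 10:05: only the one that follows the internal detection is flagged.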
24. The game of Weiqi has been around for centuries. Yet it can still provide profound insights to the 20th Century InfoSec professional.
For hackers, their DDoS and ransomware are not made up of an all-powerful, single, identifiable majestic piece (i.e. the Queen) but consist of a multitude of negligible pieces (i.e. the stones) that, when synced up, can deliver a devastating punch.
For administrators, it is not about the best tools that money can buy, but is inclusive of employees, security policy, incident response, contingency plans, and, more importantly, the communication that interlocks around corporate data.
25. Besides the traditional entry points of network, hardware, software and physical, there are other new entry points which become apparent as a company gets larger. These new entry points could provide the VPN for impending attacks that bypass layered defenses.
A layered defense strategy shouldn't just apply to incoming attacks but should also block attacks from phoning home.
The next Weiqi/InfoSec PowerPoint will focus on how the game mechanics resemble an attack.