How Secret is a Secret? - ISSA Journal, April 2006
How Secret is a Secret?
By Vicente Aceituno Canal

Everyone has secrets, some small, like eating a bar of chocolate when you are on a diet; some are personally important, like an embarrassing personal or professional mistake in the past. There are as many types of secrets as people and organizations that keep them. Some examples are:

▼ Personal secrets and family secrets, normally related to the morals and taboos of the culture where they live.
▼ Business secrets, like financial information, strategy and trade secrets.
▼ Law enforcement secrets, like forensic methods, investigation information and details about ongoing investigations.
▼ Crime secrets, like insider trading, organized crime and gangs.
▼ Political secrets (most nations have some form of Official Secrets Act and classify material according to the level of protection needed) like:
  ▲ Weapon designs and technology (nuclear, cryptographic, stealth).
  ▲ Military plans.
  ▲ Diplomatic negotiation positions.
  ▲ Intelligence information, sources and methods.
  ▲ International relations and secret treaties.

Secrets are kept for a variety of reasons, among them giving a sense of privilege to those who become "in the know." For those who know the secret, there is an advantage.

Keeping the privacy of third parties is normally seen as a virtue, while some professions have a fundamental duty of confidentiality without which their work would be hampered. Lawyers, Doctors, Social Workers, Journalists and Priests, for example, have a duty of confidentiality. This confidentiality is normally limited for ethical reasons, like saving someone's life or preventing a crime.

A trade secret is information used by a business that provides an advantage over those competitors who don't know the trade secret. Trade secrets can be lost by reverse engineering. A trade secret is deemed to exist only when the holder takes measures to maintain the secret.

Secrecy is often controversial. For example, secrets are misused for hiding mistakes or unlawful, immoral, or criminal behaviour, which is in direct conflict with the public interest. Most governments attempt to conceal information from the public and from other governments.

Measuring Secrets

While we all have an intuitive way to distinguish small secrets from big secrets, there hasn't been so far a way to measure secrets. Now use the following formula:

Secret = Log C*(Sum Tdk / Sum Tk) = Log C + Log ( Sum Tdk / Sum Tk )

Where C is the quantity of information, Tk is the time someone has known the secret, and Tdk the time someone has had an interest in knowing the secret.

If C=1, we can see some examples:

Who killed Kennedy? Let's suppose two people have known since 1963, and 300 million Americans would like to know. After 42 years:

S = Log( 300 million * 42 / 2 * 42 ) = 8,1

Who was Deep Throat? Just before it was found, 4 people knew, and 300 million were interested. After 33 years:

S = Log( 300 million * 33 / 4 * 33 ) = 7,8

What if 2 more people had found out after 30 years?

S = Log( 300 million * 33 / (4 * 33 + 2 * 30) ) = 6,7

At a business, perhaps a secret is important for a few years, and all your competitors would be eager to know. If 10 people in the company know for a year, and 150 people from other companies would like to know:

S = Log( 150 * 1 / (10 * 1) ) = 1,17

If after two years the market is more competitive and more people (1500) are interested:

Secret = Log (1500 * 1 / (10 * 1) ) = 2,17

Mysteries, secrets known by no one, like those discovered by Champollion when deciphering Egyptian hieroglyphics, have S=infinite.

Unfortunately, it is very difficult to estimate the number of people interested in a secret, so the accuracy of measuring secrecy won't normally be very high. This way of measuring secrets can lead to some interesting exercises, like adding a factor to the formula for how intense the interest in learning the secret is, or analyzing the diffusion of a secret in a group depending on the likelihood of every member of the group revealing it.

Measuring secrecy can help us gain an understanding of how secret the information we handle is and the kind of efforts we make to keep it secret. Having a clear understanding of the reasons for keeping the secret and of the influence of time, interest and the group of people who know the secret can give insights on how to manage secrets properly. Two conclusions can be easily drawn from the formula:

THE ISSA JOURNAL ◆ April 2006 ©2006 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.
1. Preventing others from knowing the existence of the secret makes it easier to keep.
2. Keeping the group of people who know the secret as small as possible prevents leakages more effectively than any technical measure.

Secrets and the Infosec World

Secrets are the bread and butter of information security professionals, as the incident that causes the biggest fear in clients is the breaching of secrets. As a matter of fact, more often than not, keeping confidentiality is seen as synonymous with keeping secrets secret. Normally the safeguarding of secrets relies on the extensive use of cryptography and access controls. There is a well-known limit to what technology can achieve in this area: the human factor. Those who know the secret have to be trusted, as with current technologies there are few secrets that you can't hold on a pen drive or send over e-mail. Keeping secrets is therefore both a technical and a people management issue.

The impact of secrets on organizations is severe, as serious efforts to keep secrets will normally imply the use of separate physical areas and networks to handle these secrets, setting up elaborate schemes for granting access to secrets, using systems specially configured to prevent the leakage of information, and performing extensive background checks on newcomers who might be trusted with important secrets. This impact is exacerbated by the existence of multiple classifications or levels of secrets. Classifying secrets is difficult, as there are competing requirements. When using a small number of categories, they are easier to understand and reasonably easy to manage, but the classification can present some slack. On the other hand, if the number of categories is high, the classification can be more flexible and granular, but classifying can be difficult and the management can become costly. For this reason, organizations normally try to keep the number of categories to a minimum.

Consequences of the revelation of secrets can be extremely serious. For businesses this will normally mean the end of their competitive advantage, or the failure of important agreements like mergers due to the intervention of third parties, or it could mean dramatic changes in their stock market value. Companies have a duty to keep the privacy of their clients. In Europe, a breach can lead to very severe penalties. Some lawyers say it is cheaper to maul someone in Spain, for example, than to fail to keep his privacy as your customer.

Conclusion

A clear understanding of the type of secrets in an organization, how secret they seem to be, the impact of their revelation, and a measure of their secrecy is the first step to a cost-effective and efficient classification and protection of secrets.

Vicente Aceituno Canal is Senior Consultant at SIA (www.sia.es) and Technical Telecommunications Engineer at the Polytechnical University of Madrid. He leads the F.I.S.T information security conferences in Spain (www.fistconference.org). He authored the ISM3 (Information Security Management Maturity Model, www.isecom.org/ism3) and published his first book, Information Security, ISBN: 84-933336-7-0, last year. In addition, he maintains a Web site on personal computer security (www.seguridaddelainformacion.com).
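The secrecy measure from the Measuring Secrets section, with the article's worked cases, as an added example (my code, not the author's). It assumes a base-10 logarithm, which is what the article's figures imply (Log of 150 million giving 8,1), and that each group of n people contributes n times its years to Sum Tdk or Sum Tk; the scenario inputs are constructed from the article's numbers.

```python
"""Secrecy measure from the article's formula (added example, not the author's code):

    S = log10( C * Sum(Tdk) / Sum(Tk) )

C is the quantity of information, Tdk the years each interested party has wanted
the secret, Tk the years each knower has held it.  A group is entered as
(number_of_people, years) and contributes people * years to its sum.
"""
import math
from typing import Dict, Iterable, List, Tuple

Group = Tuple[int, float]  # (number of people, years)


def person_years(groups: Iterable[Group]) -> float:
    """Sum Tdk or Sum Tk over all people: each group of n people adds n * years."""
    return sum(n * years for n, years in groups)


def secrecy(interested: Iterable[Group], knowers: Iterable[Group], c: float = 1.0) -> float:
    """Return S; math.inf when nobody knows the secret (a 'mystery', Sum Tk = 0)."""
    if c <= 0:
        raise ValueError("C must be a positive quantity of information")
    sum_tdk = person_years(interested)
    sum_tk = person_years(knowers)
    if sum_tk == 0:
        return math.inf  # hieroglyphics before Champollion: S is infinite
    return math.log10(c * sum_tdk / sum_tk)


def article_scenarios() -> Dict[str, float]:
    """The article's worked cases with C = 1, entered from its figures (constructed input)."""
    m = 1_000_000
    return {
        "kennedy": secrecy([(300 * m, 42)], [(2, 42)]),            # 2 knew for 42 years
        "deep_throat": secrecy([(300 * m, 33)], [(4, 33)]),        # 4 knew for 33 years
        "deep_throat_plus_2": secrecy([(300 * m, 33)], [(4, 33), (2, 30)]),  # 2 more, 30 years
        "business": secrecy([(150, 1)], [(10, 1)]),                # 10 insiders, 150 rivals
        "business_competitive": secrecy([(1500, 1)], [(10, 1)]),   # rivals grow to 1500
        "mystery": secrecy([(1, 1)], []),                          # nobody knows
    }


def extra_knower_effect(interested: List[Group], knowers: List[Group], years: float) -> float:
    """Drop in S when one more person learns the secret and holds it for `years`
    (the article's second conclusion: every additional knower lowers S)."""
    return secrecy(interested, knowers) - secrecy(interested, knowers + [(1, years)])
```

Evaluating the third Deep Throat case exactly as the article prints it (denominator 4*33 + 2*30) gives about 7,7 rather than 6,7, so recheck that arithmetic before reusing the figure.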