On Information Security Paradigms
By Vicente Aceituno Canal
An International Article Brought to You from Spain
THE ISSA JOURNAL ◆ September 2005
©2005 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.

Introduction

It is very difficult to define security, and there are many reasons why. Information systems are very complex; they have structural and dynamic aspects. Generally speaking, information systems are structured as information repositories and interfaces, connected by channels (physical and logical). Interfaces connect information systems between them, allow interaction with users, and facilitate input/output of information. Repositories hold information temporarily or permanently. Information systems are dynamic, producing results and exchanging messages through channels.

Information systems process data, but data is not information. The same information can be rendered as binary data using different formats and rates of data to information. The importance of a single bit of data depends on how much information it represents.

Security is not a presence, but an absence. When there haven't been any incidents, we could say that we have been safe.

Security depends on the context. An unprotected computer wasn't as safe connected directly to the Internet in 1990 as it would be when connected to a company's network in 2005, or totally isolated. We can be safe when there are no threats, even if we don't protect ourselves. So security depends on the context.

Security costs money. We must consider the cost of protection, as there is a clear limit on how much we spend protecting an information system, which depends both on how much the system is worth to us and the available budget.

Finally, security depends on our expectations. The higher the expectations, the more difficult they will be to meet. A writer who stores everything he wrote in his life in a computer and someone who just bought a computer will have totally different expectations. The writer's expectations will be more difficult to meet, as he might expect his hard drive to last forever, so a crash can mean catastrophe, while the recently bought computer's hard drive might be replaced with little hassle.

A good security definition should assist in the processes related to protecting an information system, for example:

1. Find what threats are relevant to me.
2. Weigh the threats and measure the risk.
3. Select security measures we can afford that reduce the risk to an acceptable level at the lowest cost.

Unfortunately, current definitions are not up to this task, and worse still, they are not helpful for advancing information security knowledge. Ideally, a security definition should comply with the scientific method, as it is the best tool for the advancement of empiric knowledge. Scientific theories are considered successful if they:

▲ Survive every falsification experiment tried.
▲ Explain an ample spectrum of phenomena becoming widely
▲ Facilitate the advance of knowledge.
▲ Have predictive power.

Four Approaches to Defining Security

Let's have a look at the four main approaches to defining security:

1. the set of security measures
2. to keep a state
3. to stay in control
4. CIA and derivatives

The first approach is easy to debunk. If security was the set of security measures, a bicycle with a lock would be just as safe in the countryside of England as in Mogadishu, but it is not. It is interesting that Bruce Schneier has been so often misquoted. "Security is a process, not a product" doesn't mean that security is impossible to achieve, a point of view favored by those who think that being secure is the same as being invulnerable. Reading the quote in context, what he means is that security is not something you can buy; it's not a product. Security is NOT the set of security measures we use to protect something.

The second approach states that security is a state of invulnerability or the state that results from protection. Examples of proponents of this approach are:

▲ Gene Spafford: "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts."
▲ RFC2828 Internet Security Glossary:
  ▼ Measures taken to protect a system.
  ▼ The condition of a system that results from the establishment and maintenance of measures to protect the system.
  ▼ The condition of system resources being free from unauthorized access and from unauthorized or accidental change, destruction, or loss.

The approach that states that security is like being invulnerable is purely academic and can't be applied to real systems because it neglects to consider that security costs money. Invulnerability leads to protection from highly unlikely threats, at a high cost. It is related to very uncommon expectations, and it focuses on attacks, neglecting protection from errors and accidents.

The third approach, stay in control, is akin to keeping Confidentiality, defined as the ability to grant access to authorized users and deny access to unauthorized users. This approach can be considered a subset of the CIA paradigm. It states that security is "to stay in control" or "protecting information from attacks." Examples of proponents of this approach are:

▲ William R. Cheswick: "Broadly speaking, security is keeping anyone from doing things you do not want them to do to, with, or from your computers or any peripherals."
▲ INFOSEC Glossary 2000: "Protection of information systems against access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats."
▲ Common Criteria for Information Technology Security Evaluation - Part 1: "Security is concerned with the protection of assets from threats, […] in the domain of security greater attention is given to those threats that are related to malicious or other human activities."

Some access mechanisms used to achieve Confidentiality are often taken as part of security definitions:

▲ Identification is defined as the ability to identify a user of an information system at the moment he is granted credentials to that system.
▲ Authentication is defined as the ability to validate the credentials presented to an information system at the moment the system is used.
▲ Authorization is defined as the ability to control what services can be used and what information can be accessed by an authenticated user.
▲ Audit is defined as the ability to know what services have been used by an authorized user and what information has been accessed, created, modified or erased, including details such as when, where from, etc.
▲ Non-repudiation is defined as the ability to assert the authorship of a message or information authored by a second party, preventing the author from denying his own authorship.

This has led to different mixes of CIA and these security mechanisms. As these definitions mix the definition of security with the protection mechanisms used to achieve security, I won't bother debunking them any further (ACIDA, CAIN, etc.).

CIA is the fourth approach to defining security and the most popular; "keeping confidentiality, integrity, availability," defined as:

▲ Confidentiality, already defined, sometimes mistaken for secrecy.
▲ Integrity, defined as the ability to guarantee that some information or message hasn't been manipulated.
▲ Availability, defined as the ability to access information or use services at any moment we demand it, with appropriate performance.

Examples of proponents of this approach are:

▲ ISO17799: "Preservation of confidentiality, integrity and availability of information"
  ▼ Confidentiality: Ensuring that information is accessible only to those authorized to have access.
  ▼ Integrity: Safeguarding the accuracy and completeness of information and processing methods.
  ▼ Availability: Ensuring that authorized users have access to information and associated assets when required.
▲ INFOSEC Glossary 2000: "Measures and controls that ensure confidentiality, integrity, and availability of information system assets including hardware, software, firmware, and information being processed, stored, and communicated."

Operational Definition (one of many possible)                                        CIA Equivalent
Comply with existing legal regulations.                                              No
Control the access to secrets.                                                       Confidentiality
Control the access to private information.                                           Confidentiality
Control the access to copyrighted information.                                       Confidentiality
Identify the authors of information or messages.                                     Confidentiality
Record the use of services.                                                          Confidentiality
Bear the users responsible for their use of services and acceptance of               No
contracts and agreements.
Control the physical ownership of information and information systems.               Confidentiality
Control the existence of information and services.                                   Integrity
Control the destruction of information and services.                                 No
Control the availability of information and services.                                Availability
Control the reliability and performance of services.                                 Availability
Control the precision of information.                                                No
Reflect the real time and date in all their records.                                 No

Figure 1: Table of equivalence showing CIA and an Operational Definition of Security

The CIA Paradigm and The Operational Definition

This popular paradigm classifies incidents and threats by effects, not causes, and therefore is not falsifiable. Professionals who don't question the CIA paradigm classify the loss of synchronization as an integrity problem ("time information has been changed"), while it's clear that only stateful information, like a file or a database, can have the property of integrity. It is impossible to think of an experiment that shows an incident or a threat not to belong to one of the confidentiality, integrity or availability categories. Therefore the CIA paradigm is unscientific.

There are several examples of incidents that are not well treated using CIA, but appear to fit within the paradigm. Uncontrolled permanence of information can lead to Confidentiality Loss. Copying information in violation of authorship rights can lead to Confidentiality Loss, as someone is getting access who is not authorized. Copying in violation of privacy rights can lead to Confidentiality Loss, as someone is getting access who is not authorized. Now, what are these CIA classifications good for? It's very clear that to prevent "confidentiality" incidents, our controls will be very different if we want to limit access, if we want to prevent breaching of authorship rights, or if we want to guarantee information erasure. So, why are we classifying at all, if the classification doesn't help to do something as simple as selecting a security measure? Some other examples of incidents that don't fit CIA are operator errors and fraud. To neutralize a threat, a control that regulates the causes of the threat will normally be needed; therefore, for control selection, it would be far more useful to classify by causes than by effects, which is exactly what CIA doesn't do.

CIA doesn't consider the context at all. This is why small and medium-size organizations are intimidated by the exigency of Confidentiality, Integrity and Availability, giving up on devoting enough resources to security. Only big organizations aim for Confidentiality, Integrity and Availability.

CIA doesn't consider our expectations about our information systems. You can't demand confidentiality of public information. You can't demand integrity of low-durability information; it is too easy to reproduce. And you can't demand availability of low-priority services.

Many practitioners who use the CIA definition have a stance of "We want to prevent attacks from succeeding." In other words, for us to be safe is equivalent to being invulnerable. The definition of an incident under this light is totally independent of the context, and considers attacks only, neglecting accidents and errors as incidents. Disaster recovery plans show that the need to protect a company from catastrophes is well known, but many accidents are considered a reliability issue and not a security issue, because accidents are not considered a security problem.

So, if no current information security definition or paradigm is satisfactory, what can replace it? An interesting alternative is the use of an operational definition. For example, a meter is defined operationally as the distance travelled by a beam of light in a certain span of time. An example of the need for operational definitions is the collapse of the West Gate Bridge in Melbourne, Australia in 1970, killing 35 construction workers. The subsequent enquiry found that the failure arose because engineers had specified the supply of a quantity of flat steel plate. The word "flat" in this context lacked an operational definition, so there was no test for accepting or rejecting a particular shipment or for controlling quality.

Before detailing the operational definition, some words about probability. Probability has predictive power with the following considerations:

▲ As long as systems and the environmental conditions don't change, the future is similar to the past.
▲ You can apply probability to a set of phenomena, not to an individual phenomenon.
▲ A sufficiently big set of historic cases must be available for significant probability calculations.

Probability is often misunderstood. If you drop a coin nine times and get nine crosses, the probability of getting a cross the tenth time is still half, not lower as intuition suggests. Quite the opposite: the more crosses we get, the higher should be our confidence that the next drop will be a cross, too.

An operational definition for information security is: "The absence of threats that can affect our expectations about information systems equivalently protected in equivalent environments."

This operational definition is not only falsifiable, but it is expectations-dependent and deals cleanly with the definition difficulties of context. It is helpful to determine what threats are relevant, to weigh the threats, measure the risk, and to select security measures.

The following definitions of incident and threat follow from the operational definition:

▲ Incident: "Any failure to meet our expectations about an information system." This definition makes our expectations the pivotal point about what should be protected.
▲ Threat: "Any historical cause of at least one incident." This implies that the probability is not zero, and brings in the context.

The threats relevant to an information system will be the causes of historic incidents in information systems protected equivalently in equivalent environments. Insecurity can be measured by the cost of historic incidents in a span of time for every information system equivalently protected in an equivalent environment.

Many companies have these general expectations about their information systems and the way they are used:

1. Comply with existing legal regulations.
2. Control the access to secrets and information or services protected by law, like private information and copyrights.
3. Identify the authors of information or messages and record their use of services.
4. Bear the users responsible for their use of services and acceptance of contracts and agreements.
5. Control the physical ownership of information and information systems.
6. Control the existence and destruction of information and services.
7. Control the availability of information and services.
8. Control the reliability and performance of services.
9. Control the precision of information.
10. Reflect the real time and date in all their records.

Every organization will have a different set of expectations, which leads to different sets of incidents to protect from and different sets of threats to worry about, depending on the environment. The more specific the expectations, the easier it becomes to determine the threats and the security measures.

To determine how relevant the threats are, it is necessary to gather historical data for incidents in equivalent systems in equivalent environments. Unfortunately, whereas the insurance industry has been doing this for years, information security practitioners lack this statistical information. It is possible to know the likelihood and cause of having a car accident, but there is not enough data to know how likely you are to suffer an information security incident, nor the cause. Quantitative risk measurement without proper historical data is useless. Some practitioners even mix estimative figures with complex formulae, which is equivalent to mixing magic and physics.

Even if there is no accurate data about risk, it is possible to follow a risk assessment process similar to OCTAVE to identify the expectations about the information systems and the significant threats that can prevent the expectations from materializing.

With the operational definition, every identified threat can be controlled using suitable security measures. If quantitative risk information is available, the most cost-efficient security measures could be selected.

The operational definition of an incident helps to focus on whatever is relevant to our context. If there is no expectation for secrecy, no matter what is revealed, there is no incident. The operational definition of a threat helps focus on threats that are both relevant and likely. It doesn't make much sense to consider meteors as a threat if no information system has ever been destroyed by a meteor.

Measuring insecurity by the cost of incidents helps to gauge how much to invest in information security. If our expenses protecting information systems for the last five years were 10.000 euros a year, and our losses were 500 euros a year, it probably doesn't make sense to raise the budget to 20.000 euros, but to 10.500 tops. Of course this is a gross estimate, but it gives us an idea of what can be achieved if statistics on the cost of incidents and their causes were available.

Resources

▲ Google "define: (integrity, confidentiality, etc)"
▲ RFC 2828 - Internet Security Glossary
▲ Common Criteria for IT Security Evaluation
▲ Pseudoscience:

Conclusion

The operational definition is richer than the other paradigms. It addresses expectations, context and cost, and makes it far easier to determine what security measures to take to protect the expectations put on an information system. The adoption of a falsifiable definition should enable some progress in information security theory, which has been stagnant for many years.

Vicente Aceituno Canal has 12 years' experience in IT and security consulting. He leads the F.I.S.T information security conferences in Spain, authored the ISM3 (Information Security Management Maturity Model), published his first book, Information Security, ISBN: 84-933336-7-0, last year, and maintains a Web site on personal computer security.
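The operational definitions of incident, threat and insecurity from the article, together with the spending estimate in the closing section, as an added Python model that is not part of the article; the expectation subset, the incident history, the equivalence-class labels and the euro amounts are constructed for illustration.

```python
# Toy model of the article's operational definition of security.
# Added example, not from the article: all data below is constructed.
from collections import defaultdict
from dataclasses import dataclass

# Expectations one (constructed) organization holds about its systems,
# numbered as in the article's list of general expectations.
EXPECTATIONS = {
    2: "control the access to secrets",
    6: "control the existence and destruction of information and services",
    7: "control the availability of information and services",
    9: "control the precision of information",
}

@dataclass(frozen=True)
class Incident:
    profile: str       # "equivalently protected in an equivalent environment"
    cause: str         # what the article wants to classify by: the cause
    expectation: int   # which expectation failed: the effect (CIA-style view)
    cost_eur: float
    year: int

# Constructed five-year incident history for two equivalence classes.
HISTORY = [
    Incident("small-office-2005", "operator error", 6, 300.0, 2001),
    Incident("small-office-2005", "operator error", 7, 100.0, 2003),
    Incident("small-office-2005", "disk failure", 7, 800.0, 2002),
    Incident("small-office-2005", "laptop theft", 2, 1200.0, 2004),
    Incident("small-office-2005", "laptop theft", 7, 100.0, 2005),
    Incident("isolated-lab", "disk failure", 7, 200.0, 2004),
]

def incidents_for(profile, expectations=EXPECTATIONS, history=HISTORY):
    """Operational incident: a failure to meet one of *our* expectations,
    counted only for systems in our equivalence class. A disclosure is no
    incident for an organization that holds no secrecy expectation."""
    return [i for i in history
            if i.profile == profile and i.expectation in expectations]

def relevant_threats(profile, expectations=EXPECTATIONS, history=HISTORY):
    """Operational threat: any historical cause of at least one incident.
    Returns cause -> set of expectations it has broken: a classification by
    cause, which is what selecting a control needs."""
    by_cause = defaultdict(set)
    for i in incidents_for(profile, expectations, history):
        by_cause[i.cause].add(i.expectation)
    return dict(by_cause)

def is_threat(cause, profile, **kw):
    """Meteors are not a threat if no equivalent system was ever hit by one."""
    return cause in relevant_threats(profile, **kw)

def insecurity_per_year(profile, years, **kw):
    """Insecurity: cost of historic incidents over a span of years."""
    return sum(i.cost_eur for i in incidents_for(profile, **kw)) / years

def spending_ceiling(current_spend_per_year, profile, years, **kw):
    """The article's gross estimate: current yearly spend plus yearly losses
    (10.000 + 500 gives 10.500 tops)."""
    return current_spend_per_year + insecurity_per_year(profile, years, **kw)
```

Passing a smaller `expectations` set (for example dropping expectation 2) shows how the same history yields fewer incidents, and therefore fewer relevant threats, for an organization with no secrecy expectation.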