The view from here
These are usually things I find hard to understand, the more I write, the more confused I get...
Tuesday 18 September 2007, 7:53 PM
Confidentiality, Integrity and Availability
Anyone coming into the world of security today learns this straight off the bat: CIA. Confidentiality, privacy of information, is required to keep information secret. Integrity of information is required to make sure data remains the same in any transaction, and availability of information is vital for any sort of transaction to occur in the first place.
All too often this gets ignored by business, and availability is made king. Confidentiality is often an afterthought, and what of integrity?
Consider, for a moment, your network. The fact that you have a network means that someone has invested in availability. What was the first piece of security they put in place? Probably a firewall. All a firewall does is restrict access, so this is anti-availability, isn't it? Yes, but it also creates an element of confidentiality. Granted, it is protecting computer ports from external attack, and not much else, but it is still a form of confidentiality, and in fact it should help to provide integrity: system integrity of anything behind the firewall. I will talk about this in more detail in a coming post.
What else does every network have these days? Antivirus perhaps. AV is a case in point for integrity. AV is there to protect your systems and networks from any rogue viruses and malware which might infect them. The very definition of integrity. However, the best way to protect integrity is to disallow anything to happen to a system. The way most AVs work is to screen traffic entering a system and compare against a known list. Thus 0day viruses are still beating even the most up to date systems, and always do the most damage before they are caught.
So, I don't consider AV a true integrity system, merely a reaction to a problem. No, few people understand integrity properly. One who does is Fred Cohen, an acquaintance from my previous job:
"Here's one to put to a friend in the military. Which would be worse?
* The enemy can forge electronic communications.
* The enemy can cut off all electronic communications.
* The enemy can listen in on all electronic communications.
It's a more interesting question in this case, but I think you will find that most military people will tell you that the loss of integrity is far worse than the loss of availability or secrecy. Without integrity, we can be ordered to kill our own troops. Without secrecy, the enemy will know our plans. Without availability, we have to alter our fighting style."
Integrity is often difficult to envisage, and confidentiality can be given too much emphasis. I now work for an encryption company, so I'm glad that people are interested in confidentiality as never before, however I am constantly surprised at the lack of interest in integrity.
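The gap between confidentiality and integrity can be shown in a few lines. The following is an added example, not part of the original post: the keystream function is a toy stand-in for a real stream cipher, and the message, keys and function names are all constructed for illustration. An encrypted-only message is altered on the wire without any key and still decrypts cleanly, while the same message with a MAC over the ciphertext is rejected.

```python
import hashlib
import hmac
import os

ORDER = b"ORDER: HOLD POSITION"  # constructed sample message

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode); assumption: stands in for a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_only(enc_key: bytes, plaintext: bytes) -> bytes:
    # Confidentiality only: 16-byte nonce followed by ciphertext.
    nonce = os.urandom(16)
    return nonce + xor(plaintext, keystream(enc_key, nonce, len(plaintext)))

def decrypt_only(enc_key: bytes, message: bytes) -> bytes:
    nonce, body = message[:16], message[16:]
    return xor(body, keystream(enc_key, nonce, len(body)))

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers nonce and ciphertext.
    message = encrypt_only(enc_key, plaintext)
    return message + hmac.new(mac_key, message, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, sealed: bytes) -> bytes:
    # Verify the tag in constant time before decrypting anything.
    message, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was altered in transit")
    return decrypt_only(enc_key, message)

def alter_in_transit(message: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # Models a change made on the wire with no key: XOR the difference into the ciphertext.
    start, delta = 16 + offset, xor(old, new)
    changed = xor(message[start:start + len(delta)], delta)
    return message[:start] + changed + message[start + len(delta):]

if __name__ == "__main__":
    ek, mk = os.urandom(32), os.urandom(32)
    print(decrypt_only(ek, alter_in_transit(encrypt_only(ek, ORDER), 7, b"HOLD", b"MOVE")))
    try:
        open_sealed(ek, mk, alter_in_transit(seal(ek, mk, ORDER), 7, b"HOLD", b"MOVE"))
    except ValueError as err:
        print("rejected:", err)
```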
With the range of new compliance measures coming in, there will be increasing pressure on business to consider confidentiality and integrity, if not to understand them fully. Emphasis is shifting from network security to data security, which brings with it the relatively quiet but massively important question of user security. From availability the market is moving towards confidentiality as more is understood in these areas. Integrity is coming in quietly behind its bigger brothers.
It is no surprise to me that identity theft is the fastest growing crime in the world when user security and integrity are largely misunderstood and ignored.
Wednesday 12 September 2007, 1:36 PM
Security relationships
The RSA Europe Conference this year is themed around Leon Battista Alberti. The so-called "father of Western Cryptology" published the first polyalphabetic cipher in 1466, spawning the substitution cipher to which most of today’s systems of cryptography belong.
I'm a big fan of encryption, always have been, always will be. I'm a fan in much the same way I'm a fan of crosswords, and used to spend hours playing with Caesar ciphers as a child, later progressing on to more complex Alberti ciphers, but of course I didn't know that then.
I've worked with a number of encryption providers over the years, using everything from CBC and ECB to the newer elliptic curve identity-based encryption. It's all very clever, but as greater advances are made in encryption I'm beginning to wonder if we really need to be spending so much time working out new secure methods of obfuscation, or tying up the entry points.
To anyone who has spent any time in this area, this will seem simple, but I've read a number of articles this morning about encryption (in the name of research), which imply that this is not common knowledge.
I'd love to spend the next 4 hours telling you about everything from Diffie-Hellman to ECB, CBC, IVs and all manner of other TLAs. However, I don't have enough room on the blog and you don't have enough patience.
The problem is, even with the strongest encryption in the world, if I have your password and account details, I can see that data. Data security doesn't just sit in and with the data, it is totally dependent on user security. The fact is that there is no such thing as unbreakable encryption. Given enough time, and an infinite number of monkeys, I could break anything you provided me with. Sure, it might take 1000 years with a million PCs, but it's not unbreakable. There is no fully secure encryption method, and there can't be, or we wouldn't be able to decrypt.
Also, access controls are probably about as good as they're going to get. We can polish the management of them, but you either let someone access the data, or you don't. Where we are still lacking is user security, and not the mechanisms, but the use of and education around it.
If we had this implemented properly in our networks already, we'd be a lot more secure. Two-factor is just about strong enough for corporate use, single factor should be reserved for blog comments and signing up for demos. Banking should, of course, be as tight as possible for the sake of everyone using it and running it.
So much effort is spent on each individual point solution pushing their wares that the average user gets lost in a morass of conflicting messages. It's time we had an end to end security message for the clients and users of the systems.
Security is way too confusing for most people, and we're way too busy to educate on every part of it aren't we? Well, if we make the time now, I have a feeling it will make our lives a whole lot easier moving forwards.

