Mad as Hell IV: Security basics for Ma&Pa

By Winn Schwartau
08 Jun 2005 | SearchSecurity.com

Disgusted by security issues and poor performance, Winn Schwartau makes the switch from Windows to the Mac and details the bumps in the road along the way in his "Mad as Hell" series.

Oddly enough: I am on my way from Whistler to New York. Been reading a book, "Hybrids", by Robert Sawyer. [I swear this is purely coincidental.] Page 299, and I quote: "every time her Windows-based PC displayed that blue screen of death, she felt like throwing her support in with Linux crowd. And now it had happened again, for the second time today. Mary did the three-fingered salute but after sitting through its interminable wait for the system to reboot, she found that it stubbornly refused to reacquire its network connection."

The Basics are the Basics

I've been in infosec since 1984, before the Feds tried to tell us what to do with the Orange Book and C2 and all that nonsense which had so little applicability in the real commercial world. And in those 21 years, I believe that the fundamental properties of infosec have not really changed one iota. Not one bit.

As our company is all about security awareness, it is only appropriate that we do cover the basics. No matter WinTel, Mac, PDA, file folders, the principles upon which all security should be designed and architected have not changed. The original thinkers were very smart.

In the classic model of infosec there are three components upon which all other aspects are built, much like protons, electrons and neutrons are often viewed as the building blocks of atoms. The classic security triad is based upon these tenets, also known as CIA:

  • Confidentiality: Simply put, keeping secrets a secret. The spy movies call it "Eyes Only" and in a sense that is true. Only those people who are supposed to see the information should have access to it. So, keep it written on paper locked away safely from prying eyes, encrypt it or use access control mechanisms.

  • Integrity: Ensures that information, whether data or program, is not modified or altered intentionally or by accident. Banks really care about this.

  • Availability: All systems and information resources must be "up and running" as per the needs of the organization. Denial of service attacks availability.

However, in physics we discovered a more basic unit, the quark, and in infosec, Donn Parker [retired SRI security guru] suggested that we add a few more bits of granularity to make a security model more comprehensive.

  • Control/Possession: Do you remain in control of your resources? A software program can be duplicated without the manufacturer's permission; they are not in control. You know your password, but who and what else has possession of it? How does that affect security?

  • Authenticity: How can you be sure that the person you are talking to is who he claims to be? Repudiation concepts fall into this category as well.

  • Utility: Say you have an employee who has encrypted data but you do not have the key to make the contents intelligible. The argument is that the data is available, but you do not have the use or utility of it.

I agree that these are strong and valuable additions to the infosec field, but I also believe that they are subcategories of the first three, which are more "quark-like" in their fundamental-ness.

    Confidentiality > Control/Possession
    Integrity > Authenticity
    Availability > Utility

Regardless if you use a hexad or triad as your corporate model, use one of them. These are the basics... no matter what the byte-heads might think. No offense to byte-heads, of course!
