Cisco Systems recently teamed with major antivirus vendors to "push access privilege to routers." "Key to the program," according to a Security Wire Perspectives article, "is the new Cisco Trust Agent, a software client" installed on PCs that gathers data from other clients -- including antivirus software -- and relays it to "routers and other network devices."
So what's the problem? I'm aware of seven different definitions for "clients and servers" from hardware, software and object-oriented vendors, and none represent the terms as used in this instance.
We shouldn't really be surprised, though. The infosecurity world is filled with inconsistent terminology. Blame it on marketers deliberately misusing words to sell something. Blame it on media pundits explaining complex concepts in limited space, incorrectly using familiar words rather than taking the space to explain them accurately. Blame it on users applying terms incorrectly. The result is an imprecise language that won't support accurate discussions or understanding of the real nature of risks and mitigating controls.
To address IT security, we must clean up our language.
Perhaps we need new generalized words. Rather than computing/communications, why not "computication"? Perhaps we need to take the space to be more specific. For instance, client boxes talk to server boxes, and processes talk to processes. But boxes don't talk to processes. Perhaps we need to deal with the specifics. The topology of Netware running on ArcNet LANs? It's a "star-bus-ring-mesh-star." The server and workstations hooked up to a repeater hub with wires form a media star. Electrically (Layer 1), all NICs are connected on a signaling bus. Link and network access (Layers 2-3) is accomplished by token passing in a logical ring. End-to-end (Layer 4), messaging is effectively a fully connected logical mesh. Using a Netware server and IPX/SPX, sessions (Layers 5-7) all home on the server, a logical star (with a different hub than the media star). Hence the overall topology is "star-bus-ring-mesh-star," and each layer has its own risks and mitigating controls that need to be dealt with separately -- layer by layer -- and not as a single entity with a single topology.
Risk mitigation requires precision and accuracy -- all the time. This especially applies to marketers and pundits, on whom we depend for language revealing the true nature of particular tools.
If such language is not forthcoming from these wordsmiths, we must clean up our act ourselves. We should adopt terms from standards organizations (IEEE, ISO, NIST, etc.); from projects like one by MITRE Corp., which is developing a standard language to use in searching for software bugs in computer systems; or from our own consortiums.
Whatever the source, we need to recognize the need for language which illuminates rather than obfuscates. Security by obscurity may have worked in the past, but no more. The first key to security is understanding our world in unambiguous terms. That requires unambiguous language. If we are to take this seriously, we can demand no less.
That means no more "server client agents sending messages to that router box." This will not be easy, but it could be fun.
About the author
Stuart Holoman is a principal consultant with Holocon Computications Consulting in Raleigh, NC. Formerly with Bell Laboratories, he is involved with the security and audit communities, providing technical training and developing technology-independent system analysis methodologies, such as the Audit and Security Analysis (ASA) model.