The CIA of Information Security

Mon, Oct 13, 2008, by TechDoc


Often referred to by the acronym CIA; Confidentiality, Integrity and Availability are the three primary tenets of information security so crucial in ensuring that only duly authenticated authorized entities (people and systems) are granted access to secured information.

In essence, information security involves making sure that only authenticated authorized entities (people and systems) are granted access to secured information. Remember that an entity is that which is or that which is perceived to exist.

Thus; the people, the information systems (hardware and software) and the data (information) contained within them (the people and the information systems) are all entities that information security is concerned about “securing”. Not only does information security have this as an objective but it must also secure these very same entities from themselves and each other. The key factor here is that you need adequately cover all bases and not just a selection. If there are any holes in your defenses the worms are sure to get in.

Thus; in order to provide adequate, expansive and multi-level protection free from any single points-of-failure the security afforded information systems must function at both the macroscopic and microscopic levels. Information and information systems security initiatives must promote confidence in the users of the information systems that said information systems will remain free from undetected outside interference, corruption or attack whilst being immune to subversion from within.

Confidentiality, Integrity and Availability (CIA)

Often referred to by the acronym CIA; Confidentiality, Integrity and Availability are the three primary tenets of information security and have traditionally been defined as follows:

Confidentiality – The goal of information confidentiality is to ensure that only duly authenticated authorized entities have appropriate access to that information. Encryption is the most commonly used tool to achieve confidentiality.

Authentication, authorization and entity (users and systems) access rights and privileges such as those implemented and enforced through RADIUS, TACACS, Kerberos and directory services including Novell’s Directory Services and Microsoft’s Windows Server Active Directory and Group Policy also play keys roles in ensuring information confidentiality.

Integrity - It is imperative that keeping information confidential is closely partnered with ensuring its trust-worthiness. Thus; we also need to ensure that our information systems and the information contained within them remain free from modification by unauthorized parties as well as not being improperly modified by authorized ones. Only then can they be relied upon.

Due to the difficulties of categorically enforcing attack-proof measures so that we can be 100% confident that the integrity of our information systems is not compromised we are best advised to implement additional measures that will be reliable in the detection and determination of alterations and interferences of all kinds. To this end checksums and hashes are used to validate data integrity, as are transaction-logging systems.

Availability - Information systems serve no purpose if they and the information they house are not readily accessible to duly authenticated authorized users and systems with appropriate levels of access rights and privileged as and when it is needed or desired. This should be more or less instantaneously and at a whim. The latter point concerning whimsical access is important as it does present the need for both scheduled and non-scheduled random access capabilities.

In addition to simple backups of data and disaster planning and recovery mechanisms, availability includes ensuring that systems remain accessible in the event of attack such as denial of service (DoS) and distributed denial of service (DDoS) attacks.

Critical data must be adequately protected from erasure, be it accidental or otherwise. For example, preventing the erasure of data on your organization’s external Web site is of high priority for ecommerce and information and support sites alike.

Information and Information Systems Additional Concerns

Now; that we have a basic handle on the key roles played by confidentiality, integrity and availability in the information security picture, we need to augment them with additional controls to further extend our ability and those of our information systems to deliver a united and truly secure information and information systems environment. Additional areas of concern with regards to information security include:

Authentication – The purpose of implementing authentication systems and processes is to ensure that information users and information systems are, in fact, who they say they are. Various password authentication mechanisms are; without doubt, the longest standing traditional way to authenticate users.

Highly complex passwords or passphrases using in excess of 12 mixed upper and lower case alphanumeric characters as well as signs and symbols do provide reasonable levels of rapidly verifiable authentication security. It is important to note that they are not the only method available to us. Cryptographic tokens, “smart” cards and biometrics also have a role to play.

Passwords and Cryptography – Concerning password-based authentication mechanisms it must also be noted that in today’s information climate cryptography also plays a key role in ensuring that passwords remain confidential. It is no longer appropriate to transmit unencrypted passwords over such publically accessible media as is the case with wireless networking. Not only should the password not be transmitted unencrypted it is desirable that verification of password authentication credentials takes place seamlessly, transparently to users and eavesdroppers alike.

One tactic employed here is to encrypt the password and then use a hashing algorithm to produce a digest of the encrypted password. It is the digest that is transmitted between end-systems. On the authenticating end-system it is the digest that is stored and used for verification and validation of the local or remote end-user. The user still keys in their password as per usual but that is all.

Machine Authentication – Passwords are not anywhere secure enough or practical when it comes to the authentication of information end-systems; that is to say machine to machine authentication. This is where digital certificates and other machine friendly mechanisms are employed. Without proper and reliable authentication of information end-systems such attacks as the “evil twin” and phishing can take place. Both ends of a conversation or transaction need to be able to reliably authenticate each other. Failure to ensure this is tantamount to no security at all.

Authorization and Access Control – Ensuring that a user, once authenticated, is only able to appropriately access information to which he or she has been granted permission by the owner of the information.

This can be accomplished at the operating system level using file system access controls or at the network level using access controls on routers or firewalls. Similar measures can be implemented for machine accesses such as those required during automated backup and recovery procedures over the network. Too often we fall into the trap of forgetting that computers need appropriate authorization and access controls.

For instance MAC Address Filter Tables can be used to regulate authenticated device access to a wireless network. In this case dual authorization is required. Once for the user being given wireless network access privileges and another for the machine as being a device permitted to access network resources wirelessly.

Many administrators employ similar measures to ensure that all automated backups occur thoroughly and as desired regardless of who is or who has been using the device being backed up.

Appropriateness – We need to ensure that only appropriate access requests by duly authenticated user(s) or system(s) are granted in such a manner that their current access request is executed in a manner appropriate for the purposes for which they are requesting said access.

For example a backup operator verifying the success or lack of success of a backup operation is concerned that the data backed up is valid and not corrupted. This does not mean that the backup operator needs to be able to manually visually peruse the data. A hashing algorithm and checksum will do this even if the data is fully encrypted.

Auditing and Accountability – To ensure that all activity and all transactions taking place on a system or network are consistent with the system or network’s appropriate usage policies we can automatically monitor and record them. Creating logs is only part of the story; you need to review and analyze them if you actually want to learn what they can tell you about system availability and to detect instances of unauthorized use.

These processes can take many various forms including: logging by the operating system, logging by a network device such as a router or firewall, or logging by an intrusion detection system (IDS), logging by an intrusion prevention system (IPS) or packet-capture (network sniffing) software and devices such as a PC with EtherPeek, Wireshark (formerly Ethereal), Snort, Kismet etc installed.

Non-Repudiation – Implementing processes and procedures to ensure that a person initiating a transaction is irrefutably authenticated and validated to an extent sufficient enough that he or she cannot reasonably deny that they were the initiating party. Public key cryptography is often used to support this effort.

It is also important that users actively practice appropriate security and authentication practices such that it would be unreasonable to assume the possibility of authentication credentials substitution. Multi-factor authentication systems are very prominent in this regard.

Additional Access Controls – Firewalls, intrusion detection devices (IDS) and intrusion prevention devices (IPS) are also used to control user access and access capabilities at both the network and systems levels. Creating areas of reduced user rights and privileges can be done via the implementation of demilitarized zones (DMZs) in which case using a dedicated robust full-featured firewall device is a better option. This does not mean Windows native firewall which is of use to end-users but is most definitely not up to the job when asked to perform as an information network firewall.

Honey Pots – Using honey pots as sacrificial lambs; so to speak, can divert would-be attackers unknowingly away from their true objectives and so save more serious breaches of information security.

In fact terminating a honey pot in a “black hole” route can deliver considerable enjoyment for information security administrators. Not only have you led them up the proverbial garden path but you have delivered them unto the abyss.

The moral of the story is that it is not just the attacker that can have a malicious streak; so to can the defenders. All is fair in information love and war.

Liked it
Leave a Reply
comments powered by Disqus