InfoSec: No Kiddie Pool — More Like the Atlantic Ocean
By Patrick Hunter
In recent weeks, there has been a very newsworthy breach of security by some unnamed nefarious group into the software of an industry-leading technology company. The reader may well be aware of the breach, and the widespread impact on enterprises across the globe. While there is much speculation on this event, the author declines to go into deeper detail due to ongoing investigations and mitigation efforts. But this particular hackapalooza got us wondering, how solid a definition of information security do we really have, and is it well understood by the general population even in technology circles like our beloved industry? Let’s dip our toes into those waters, which run ever so deep as it turns out.
Information security has many definitions as stated by a variety of security-minded organizations, including the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC), United States Committee on National Security Systems (CNSS), Information Systems Audit and Control Association (these days, just ISACA), and many academic publications. One common theme among many of these definitions is the presence of the concepts of confidentiality, integrity, and availability of information. Let us check those out in more detail, shall we?
Confidentiality certainly seems to be at the core of what most of us would consider regarding security. It is occasionally used interchangeably with “privacy,” but the two shouldn’t be considered exactly the same thing. For information to be confidential, it is suggested that the information can’t be available to people or systems that aren’t allowed to see or know it. Keeping information confidential means that that information should only be stored or transmitted in a manner which allows only authorized parties to retrieve or receive it. Pretty simple once we break it down in those terms. In an informal poll taken by this author, everyone answered the question “what is information security in your own words?” by discussing confidentiality in one form or another.
Integrity is the piece of the puzzle in which things start to get a little hairy, in my opinion. What we are suggesting is that any particular piece of information must stay exactly correct and accurate as it was intended by its creator from the time it is created (or appropriately modified, assuming it has been kept confidential) until its destruction. Just stating the concept that way brings to life a new concept, which is that information actually has a lifecycle. It isn’t sufficient to simply create information and then lock it away confidentially forever, but rather there must be mechanisms to ensure that the information, when shared or accessed appropriately, is still in fact the exact information it was intended to be. But, what other information could it be if not exactly what was intended? It could be that some electronic storage system of the information had a fault, and some portion of the data was corrupted. It could also be the case that an unauthorized individual (read: confidentiality was broken) made changes to the information (yep, think data here), which by its very definition violates our integrity principle.
Availability is the third leg of our information security stool. In information security circles, it is a common belief that information should be accessible to the appropriate parties at all times if possible. This means that the location of the information (typically some storage medium or system), the means by which information is accessed (typically network and other communication methods), and the security controls that protect the information should operate correctly and without impairment. There is a great discussion on the meaning behind highly available systems in the fall 2020 edition of Broadband Library which is particularly relevant to this principle.
Therefore, our definition of securing information explicitly requires that data be reachable for users at all times. More practically speaking, it means that to meet information security standards, it is not enough to simply lock away information and protect it from the universe in order to call it secure. This concept is not in the forefront of most people’s minds when discussing information security and is quite intriguing.
There are other principles worthy of deeper discussion in the InfoSec universe, but, much to the chagrin of my CISO and CISSP friends, we’re declining to include them here. Suffice it to say, ensuring that information that is transmitted is completely secure opens up the concept of non-repudiation, which involves proving whether or not a sending or receiving party can in fact prove that the data was sent and not altered in transit by outside parties, which opens up a veritable black hole of other factors to consider.
In a broader sense, the idea behind information security takes on a risk management role in information technology. There have been references to the idea that information is completely confidential, integral, and available at all times. No big surprise, but theory and reality are often not identical twins. Information security is a great example of such a case. Therefore, managing the risk of information being compromised in some manner is a full time job for armies of people. In fact, the Gordon-Loeb model of the economics of information security analyzes the decreasing return on investment when pursuing risk mitigation. More information on the Gordon-Loeb model is available at the Association for Computing Machinery website (dl.acm.org). The idea is that there is a point of investment in which it may not make sense to chase after mitigation of a predicted loss, which of course implies that one needs to be able to measure and quantify the “loss” when information is compromised. Sometimes, informed opinions or educated guesses provide the value figures. Other times, quantitative analysis is necessary to accomplish the valuation task. This is indeed not the stuff of professionals with weak constitutions.
After valuation, the process of handling risk management for information security includes threat and vulnerability assessments and determining the impact that threats may have on the assets (information). Naturally, after determining the value and assessing threats, the next step is to find the right security controls and get them in place. Lastly, ongoing evaluation of the controls is necessary to ensure the right tool is being used for the job. In these final steps, it is incumbent on the information security team to ensure that appropriate levels of response are deployed relative to the value and vulnerability. (Refer to Gordon-Loeb here.)
Let’s not forget that in all of this security-minded effort, one cannot neglect the fact that physical security plays a role. It is not only the black hat hacker halfway across the globe that presents a threat. The information assets must be stored in a manner that precludes an individual from simply walking up to a computer, storage array, or some other form of data storage and “plugging in” to gather the information needed. In addition, physical security concerns itself with the availability principle in that smoke detectors and fire suppression systems play a critical role in ensuring data availability in the event of a fire or other physical disaster.
In summary, it should come as no surprise that there are numerous facets in the information security landscape. Just keeping the data “safe” isn’t enough. Ensuring it is not mangled or mishandled while also ensuring that the people who need it can get to it is also critical. That is the ultimate goal of information security: keeping the promise of protecting the data, keeping it intact, and getting it to those who need it reliably. Those enterprises that invest in that promise will reap the rewards for decades to come. Those that do not will provide the rest of us with a cautionary tale worthy of our attention.
Patrick Hunter — “Hunter”
Director, IT Enterprise Network and Telecom,
Charter Communications
hunter.hunter@charter.com
Hunter has been employed with Charter since 2000 and has held numerous positions, from Installer, System Technician, Technical Operations management, Sales Engineer, and Network Engineer. His responsibilities include providing IP connectivity to all users in Charter’s approximately 4,000 facilities, including executive and regional offices, technical centers, call centers, stores, headends, hubsites, and data centers. Mr. Hunter has served on the SCTE Gateway Chapter Board of Directors since 2005. He spends his spare time mentoring, teaching, and speaking on IP and Ethernet networks as well as careers in the network field.
shutterstock