When the intuition points the wrong way (1/2)

As an IT Security Engineer, there are typical situations I have run into over and over again. People try to do their best and make the best decision they can, but end up with the wrong answer. Often they have no specific expertise in security, which explains their errors. Still, I have even seen a Director of IT Security fall into one of these traps. Not because he was not good, but because he had never been exposed to some critical concepts.
In a previous post, I mentioned the importance of the statement of needs. It is important because often, people do not realize all they actually need to build for a project to be successful. They try to cut corners to save money or completely forget about parts of the project. The end result is a deliverable that will not perform properly, will need to be re-done and will cost way more than it should have.
The statement of needs is essential, but what happens if it is not produced with a correct understanding of the situation and of the needs themselves?
Availability, Integrity, Confidentiality and...
Many are familiar with the model used by NIST and others that describes security needs as Integrity, Confidentiality and Availability. Right away, there is something terribly wrong with this model!
Integrity is to ensure data has not been modified without authorization. In the same way, Confidentiality is to ensure data will not be viewed by someone without authorization. But what defines who that someone is and whether he is authorized or not? Authentication!
To fill that gap, some say that Authentication is part of Confidentiality. Really? Most people recognize you (authenticate you) by looking at your face. If that is to be kept confidential, should you walk around with a bag on your head? Passwords are meant to be kept secret, but they are not the only way (nor even the best way) to do authentication.
Authentication is a fundamental security need by itself and must be considered as such.
What is the most important for you?
When I present these 4 security needs to someone and ask which one is the most important, they almost always get the wrong answer. So wrong that what they pick first is in fact the very last.
So out of Availability, Integrity, Confidentiality and Authentication, which is the most important? People always jump on Confidentiality. Every time, I keep the ball rolling and ask them:
Tomorrow, you suffer a security incident. It is too late to avoid it; you will suffer an incident. Still, you have time to choose which incident you will suffer. In one case, during the incident, an intruder gets access to your data and reads it, but after the incident you still have your data too. The other option is that despite the incident, nobody got access to your data, but you do not have it anymore either.
Often, they try to dodge the question by saying that they will still have their data from their backups or similar. No: the situation is that either both the intruder and yourself have access to your data, or no one does. When forced to choose, they acknowledge that keeping access to their data is more important. So Availability is more important than Confidentiality.
Let's keep the ball rolling:
After the incident, you still have access to your data, but it has been modified by the intruder. The second option is that you no longer have access to the data at all.
After discussing the first question, people usually get this one right: you are better off without data than with falsified data. At least without data, you know where you are. You may be able to re-create it by re-doing your tests or re-collecting new raw data. By contrast, falsified data can be almost impossible to detect and can produce the worst consequences possible. The conclusion here is that Integrity is more important than Availability.
For the last one, there is no need to ask a question. Integrity is to ensure that data has not been modified without authorization and, as explained, that makes Authentication a requirement for Integrity. Being a requirement, it must be satisfied before Integrity.
So for over 95% of environments, the actual priority should be:
1. Authentication; 2. Integrity; 3. Availability; 4. Confidentiality
That does not mean confidentiality is to be neglected or disregarded. It means it should not be enforced in a way that would impact other needs.
The proper way is to rely on authentication as the means to enforce confidentiality. Many incidents were simply Amazon S3 buckets left open to the public. So enforce confidentiality, but not by encrypting everything inside your buckets. Enforce it by leaving your data in cleartext while requiring authentication before anyone can access any of your buckets. Another reason this is so important is the fact that confidentiality almost always works against the other security needs.
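The "left open to the public" failure above is a policy that grants access to an anonymous principal, i.e. one that bypasses authentication entirely. The following checker is an added example, not code from the original post or from Amazon: it scans an S3 bucket policy document (the standard IAM policy JSON shape) and reports the Allow statements that require no authentication at all. The two policies are constructed samples; the bucket name and the account/role ARN are placeholders.

```python
import json

# Constructed sample: the classic "public read" bucket policy. Anyone on the
# internet can fetch objects; no authentication happens.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
}

# Constructed sample: the same data, still in cleartext, but only an
# authenticated principal (a placeholder IAM role) may read it. The Deny
# statement uses a wildcard principal too, but denies rather than grants.
AUTHENTICATED_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReaderRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-reader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Sid": "DenyPlaintextTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _principal_is_anonymous(principal) -> bool:
    """True when the Principal element grants access to anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant access without authentication.

    A statement is flagged when its Effect is Allow, its Principal is a wildcard
    and no Condition narrows it. Conditional wildcard statements are left for
    manual review rather than flagged, since evaluating conditions is out of scope.
    """
    flagged = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        flagged.append(stmt.get("Sid", f"statement-{i}"))
    return flagged


def check_policy_document(document: str) -> list:
    """Parse a policy document as stored on a bucket and run the check on it."""
    return public_statements(json.loads(document))


if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_READ_POLICY), ("authenticated", AUTHENTICATED_ONLY_POLICY)]:
        print(name, "->", check_policy_document(json.dumps(policy)) or "requires authentication")
```

The check is deliberately narrow: it answers one question, "can an unauthenticated caller be granted access?", which is the question the post puts first. Running it as part of a deployment pipeline turns the author's priority order into a gate that blocks the bucket-left-open class of incident before any discussion of encryption starts.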
When talking about Authentication, Integrity and Availability, you can ensure the security of all your instances as long as a single one remains safe. If you doubt the integrity of one instance of your data while you are sure of another, just compare the two. If you lose one instance of your data but have it somewhere else, just restore the second instance over the first one and you are back in business. To increase your security, increase the number and variety of instances of your data. Unfortunately, it is the opposite for confidentiality.
Should you have 10 copies of the same data, the leakage of a single copy has the same consequence as the leakage of all of them. Because security is only as strong as its weakest link, more instances mean the potential for more weak links. As such, an important way to ensure confidentiality is to reduce the number of instances of this data.
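The "compare the two, then restore the good one over the bad one" procedure above, as an added example that is not part of the original post. It generalizes the two-instance case to any number of instances: each surviving copy is hashed, the reference is either an instance you already trust or the majority digest, and the report separates integrity suspects (diverging copies) from availability loss (missing copies) and names the healthy instance to restore from. The replica names and record contents are constructed sample data.

```python
import hashlib
from collections import Counter
from typing import Dict, Optional


def digest(blob: bytes) -> str:
    """SHA-256 hex digest, so instances can be compared without moving the data."""
    return hashlib.sha256(blob).hexdigest()


def audit_replicas(replicas: Dict[str, Optional[bytes]], trusted: Optional[str] = None) -> dict:
    """Compare every instance of a record.

    replicas maps an instance name to its content, or None when that instance is lost.
    trusted optionally names an instance whose integrity is already known (the post's
    "sure of another instance"); otherwise the most common digest is the reference.
    """
    digests = {name: digest(blob) for name, blob in replicas.items() if blob is not None}
    missing = sorted(name for name, blob in replicas.items() if blob is None)
    if not digests:
        # Every instance is gone: nothing to compare and nothing to restore from.
        return {"reference": None, "healthy": [], "diverging": [], "missing": missing,
                "restore_from": None, "quorum": False}
    if trusted is not None:
        reference = digests[trusted]  # raises KeyError if the trusted instance is itself lost
    else:
        reference = Counter(digests.values()).most_common(1)[0][0]
    healthy = sorted(n for n, d in digests.items() if d == reference)
    diverging = sorted(n for n, d in digests.items() if d != reference)
    return {
        "reference": reference,
        "healthy": healthy,
        "diverging": diverging,
        "missing": missing,
        "restore_from": healthy[0],
        # With only two copies that disagree and no trusted one, there is no majority:
        # the caller must decide instead of trusting the arbitrary reference.
        "quorum": len(healthy) > len(digests) / 2,
    }


def restore(replicas: Dict[str, Optional[bytes]], report: dict) -> Dict[str, bytes]:
    """Overwrite lost and diverging instances with the content of the healthy one."""
    if report["restore_from"] is None:
        raise ValueError("no healthy instance left: the data is unavailable")
    good = replicas[report["restore_from"]]
    to_replace = set(report["diverging"]) | set(report["missing"])
    return {name: (good if name in to_replace else blob) for name, blob in replicas.items()}


# Constructed sample: one record kept in three instances. The primary copy has been
# tampered with (two digits swapped), and one backup has been lost entirely.
ORIGINAL = b"sensor-id=42;reading=17.5;unit=C\n"
REPLICAS: Dict[str, Optional[bytes]] = {
    "primary": ORIGINAL.replace(b"17.5", b"71.5"),
    "backup_a": ORIGINAL,
    "backup_b": None,
}

if __name__ == "__main__":
    report = audit_replicas(REPLICAS, trusted="backup_a")
    print("diverging:", report["diverging"], "missing:", report["missing"],
          "restore from:", report["restore_from"], "quorum:", report["quorum"])
    fixed = restore(REPLICAS, report)
    print("all instances identical after restore:", len({digest(b) for b in fixed.values()}) == 1)
```

Note what the example does not do: it never reduces the number of copies. Adding instances only ever helps the audit (a third copy turns a two-way disagreement into a majority), which is exactly why the post says the confidentiality argument runs the other way.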
So indeed, the statement of needs is essential. The thing is that it must itself be written with a proper understanding of the actual needs, not just feelings or intuitions. Providing this kind of input is the role of a senior security advisor. With proper advice and expertise, the needs will be well identified, well defined, achievable and of real value. Do not just follow your intuition or feelings; you may very well end up at the opposite of where you should have been.