Don't forget the "A"

IT Security is often described as the assurance of three qualities: Confidentiality, Integrity and Availability. CIA. The "C" is easy to understand, especially since so many organisations have been so helpful by their lack of it, so that we can all point and gawp at massive data losses (while secretly crossing our fingers and hoping the bad guys don't look our way).

Integrity is also easy to understand, and I've blogged before that this was the focus of IT Security efforts when I began my career in the 80s. "C" was hardly talked about, the internet was just an academic plaything back then so we didn't have any public attack surface, thus the only threats were within. The only attack my early employers could envisage was an unauthorised data edit, or perhaps an accidental modification or deletion. Thus we had lots of "I" control.

What of Availability? The "A" of the triad is often the poor relation, many have trouble considering it part of Security in the first place. Surely Availability is part of Service Management, of Disaster Recovery or Business Continuity? Well, yes, but all of those disciplines tend to kick in *after* the service goes down, the first line of defence has to be Security. If you can't apply that change with your day job account, you can't apply those untested code changes and break the system. But perhaps more obviously there is one threat, an attack methodology whose focus is just that single quality. Hitting "A" is the sole objective of the Denial of Service (DoS) attack.

DoS attacks (they are all DoS's but only DDoS's if large numbers of network nodes participate) have exploded in recent years, perhaps due to the perfect storm of ubiquitous internet access, easy availability of simple toolkits with which to launch attacks and political unrest and social disaffection thanks to the global recession. While we security professionals need to do all we can to defend against loss of "A", this article by Dr. Anton Chuvakin points out, among other things, that of the three qualities, Availability is probably the easiest breach to cost, since downtime of your core service usually has a simple economic metric!

But the point of this article is to draw attention to another point Dr Chuvakin makes, almost buried in that blog post, which is this. If Security includes Availability, and Availability is key: why not host your services in a large, redundant, elastic, multi-homed server farm for maximum protection?

Cloud, anyone?

Compliance isn't everything.

What Good is PCI-DSS? from Infosec Island.

More evidence that Compliance should never be equated with Security. There are three issues to my mind:
1. "Point in time" compliance, that is that you're Compliant at the date of the Assessment, but once the auditors have gone, if you don't have Continous Controls, you can drift from that position quite rapidly.
2. Quality of Assessment, i.e. a bad QSA or a good one with bad advice can assess positively in error. And the organisation has no interest in a negative result so will do all they can to gain a pass. The result is false positives.
3. The Human Factor. As the linked piece says.. "No matter how much technology you throw at security, people will always be the weakest link. The PCI-DSS standard (and many others) doesn't do a very good job of evaluating how well we train our people to recognize social engineering and spear phishing."

As I've said before, compliance is not security, but if you do security right, you'll achieve compliance. Get your horse in front of your cart. And manage that Human Factor.

Life in the old AV yet.

Infosec Island: Why We Still Need Firewalls and AV

Just because they're not covering much of the attack space any more, doesn't mean they're not doing a job. Just because your car is now kept in the garage doesn't mean you forget to lock it. Why traditional commoditised controls are still useful, from Infosec Island.