Wednesday, February 27, 2008

availability > confidentiality + integrity?

umm, no...

chris hoff makes a valiant attempt at arguing for availability being more important than confidentiality and integrity combined (alluding to a previous discussion on the matter) using the example of the recent conflict between youtube and pakistan that left youtube offline for an hour over the weekend...

unfortunately, what he doesn't mention is that the availability problem that youtube suffered was a direct result of the corruption of the routing information for youtube... in other words, unavailability was a symptom of an integrity problem...

which reminds me (because anton brought it back to the surface) of another recent article concerning the CIA triad... richard bejtlich posted his observation on the attack trends over the years and from his perspective availability (in the form of bandwidth) was the first to fall victim back in the mid 90's...

i don't think it would be unfair to suggest that richard comes from a network security background and views things through that lens, and i can certainly see where he's coming from given that... once again, though, this looks at a symptom rather than a cause...

causative agents don't generally reside in the network, they reside on devices (though sometimes they are the devices) and when they don't belong on the device they usually qualify as malware... malware goes back quite a bit further than the mid 90's and malware intrusion has always been fundamentally an integrity problem... this is why generic detection was traditionally performed using integrity checking, and even today many current generic controls have an integrity validation component...

of course that's just the lens that i see things through, but i'm not about to turn things around and say that integrity is a bigger deal than availability and confidentiality (especially since i can envision a third perspective where confidentiality is key)... ultimately i think the notion that availability trumps other aspects of security comes from the notion of aligning security with business... the alignment is often one-sided (security changes but management doesn't) and availability (and its effect on the bottom line) is the thing that management understands best so that's what business-aligned security focuses on most... i wonder what it would be like if aligning security and business was a 2-way street...

3 comments:

Anonymous said...

Kurt, I think you missed reading about 1/2 my post:

1) I'm not endorsing the position regarding availability as an "argument" suggesting it's more important at all.

I'm simply presenting the case that offers the oft proffered opinion by those OUTSIDE security that C and I aren't always looked at in a balanced approach.

2) Did you miss the entire paragraph from the Renesys blog that was in the middle of the post that clearly demonstrated that the Pakistani ISP announced a more specific route to YouTube's address space?

BTW, that's *NOT* corruption at ALL...it's a perfectly allowable action given the way BGP functions -- without authentication. This underscores the issue with systems and protocols designed for A with little or no regard for C and I.

At the end of your post after disagreeing with what you interpret as my point you basically say the same thing...and very well, I may add:

ultimately i think the notion that availability trumps other aspects of security comes from the notion of aligning security with business... the alignment is often one-sided (security changes but management doesn't) and availability (and its effect on the bottom line) is the thing that management understands best so that's what business-aligned security focuses on most... i wonder what it would be like if aligning security and business was a 2-way street...

That's exactly right. You're not disagreeing with me at all.

/Hoff

kurt wismer said...

"I'm simply presenting the case that offers the oft proffered opinion by those OUTSIDE security that C and I aren't always looked at in a balanced approach."

sorry if i mischaracterized your post, but i went back and reread it and i still don't come away with the above after reading it...

"2) Did you miss the entire paragraph from the Renesys blog that was in the middle of the post that clearly demonstrated that the Pakistani ISP announced a more specific route to YouTube's address space?"

did you miss the part where it was demonstrably an invalid route to youtube?

"BTW, that's *NOT* corruption at ALL...it's a perfectly allowable action given the way BGP functions -- without authentication."

just because it's allowable (which is a bit of a misnomer as most seem to agree that what happened shouldn't be allowed) doesn't mean it isn't corruption... there are no controls preventing me from drawing new highways on a map but that doesn't mean i'm not corrupting the map by doing so...

"This underscores the issue with systems and protocols designed for A with little or no regard for C and I."

and by extension the issue with over-focusing on A...

"At the end of your post after disagreeing with what you interpret as my point you basically say the same thing...and very well, I may add:"

that's great that we're able to agree on where availability-centric thinking comes from... can we also agree that the one-sided process that creates it is wrong-headed?
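An added example, not part of the post or of either comment: a small model of the point argued above, that an unauthenticated more-specific announcement wins longest-prefix match and takes a destination offline, while a check on who is authorized to originate the prefix flags the same route as invalid. The prefixes and AS numbers are constructed documentation values, and the origin check is an assumption modelled on route origin validation, not something the post describes.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    origin_as: int

class Authorization(NamedTuple):  # who may originate a prefix, and how specific
    prefix: ipaddress.IPv4Network
    origin_as: int
    max_length: int

def net(s):
    return ipaddress.ip_network(s)

# Constructed sample data: documentation prefixes and documentation AS numbers.
AUTHORIZED = [Authorization(net("203.0.113.0/24"), 64500, 24)]
LEGIT = Route(net("203.0.113.0/24"), 64500)   # the real owner's announcement
BOGUS = Route(net("203.0.113.0/25"), 64511)   # more-specific from another AS

def best_route(rib, dst):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in rib if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def origin_state(route, authorizations):
    """Classify a route as 'valid', 'invalid' or 'not-found'."""
    covering = [a for a in authorizations if route.prefix.subnet_of(a.prefix)]
    if not covering:
        return "not-found"          # nobody has stated who owns this space
    ok = any(a.origin_as == route.origin_as
             and route.prefix.prefixlen <= a.max_length
             for a in covering)
    return "valid" if ok else "invalid"

def filtered(rib, authorizations):
    """Drop routes whose origin contradicts the authorization data."""
    return [r for r in rib if origin_state(r, authorizations) != "invalid"]

if __name__ == "__main__":
    dst = "203.0.113.10"
    rib = [LEGIT, BOGUS]
    print("no integrity check :", best_route(rib, dst))
    print("state of bogus     :", origin_state(BOGUS, AUTHORIZED))
    print("with origin filter :", best_route(filtered(rib, AUTHORIZED), dst))
```

Without the filter, traffic for the destination follows the /25 to the wrong AS; with it, the integrity control restores the legitimate path, and availability comes back as a side effect.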

Anonymous said...

"that's great that we're able to agree on where availability-centric thinking comes from... can we also agree that the one-sided process that creates it is wrong-headed?"

Sure. I never said that I endorsed this approach, I merely presented the case that it exists -- a lot -- and that in certain cases and from certain perspectives, one might be moved to consider *why* these thoughts exist.

/Hoff