Free Republic

Mad As Hell: Part IV - Security Basics for Ma&Pa

Posted on 06/13/2005 9:30:26 PM PDT by Swordmaker

Oddly enough: I am on my way from Whistler to New York. Been reading a book, “Hybrids”, by Robert Sawyer. (I swear this is purely coincidental.) Page 299, and I quote: “every time her Windows-based PC displayed that blue screen of death, she felt like throwing her support in with Linux crowd. And now it had happened again, for the second time today. Mary did the three-fingered salute but after sitting through its interminable wait for the system to reboot, she found that it stubbornly refused to reacquire its network connection.”

The Basics are the Basics

I’ve been in infosec since 1984, before the Feds tried to tell us what to do with the Orange Book and C2 and all that nonsense which had so little applicability in the real commercial world. And in those 21 years, I believe that the fundamental properties of infosec have not really changed one iota. Not one bit.

As our company is all about security awareness, it is only appropriate that we do cover the basics. No matter WinTel, Mac, PDA, File Folders, the principles upon which all security should be designed and architected have not changed. The original thinkers were very smart.

In the classic model of infosec there are three components upon which all other aspects are built, much like protons, electrons and neutrons are often viewed as the building blocks of atoms. The classic security triad is based upon these tenets, also known as CIA:

1. Confidentiality: Simply put, keeping secrets a secret. The spy movies call it “Eyes Only” and in a sense that is true. Only those people who are supposed to see the information should have access to it. So, keep it written on paper locked away safely from prying eyes, encrypt it or use access control mechanisms.

2. Integrity: Ensures that information is not modified or altered intentionally or by accident, whether data or program. Banks really care about this.

3. Availability: All systems and information resources must be ‘up and running’ as per the needs of the organization. Denial of Service attacks confidentiality.

However, in physics we discovered a more basic unit, the quark, and in Infosec, Donn Parker (retired SRI security guru) suggested that we add a few more bits of granularity to make a security model more comprehensive.

1. Control/Possession: Do you remain in control of your resources? A software program can be duplicated without the manufacturer’s permission; they are not in control. You know your password, but who and what else has possession of it? How does that affect security?

2. Authenticity: How can you be sure that the person you are talking to is who he claims to be? Repudiation concepts fall into this category as well.

3. Utility: Say you have an employee who has encrypted data but you do not have the key to make the contents intelligible. The argument is that the data is available but you do not have the use or utility of it.

I agree that these are strong and valuable additions to the Infosec field, but I also believe that they are sub-categories of the first three, which are more ‘quark-like’ in their fundamental-ness.

Confidentiality > Control Possession

Integrity > Authenticity

Availability > Utility

Regardless of whether you use a hexad or triad as your corporate model, use one of them. These are the basics... no matter what the byte-heads might think. (No offense to byte-heads, of course!)

Winn Schwartau


TOPICS: Business/Economy; Computers/Internet; Education
KEYWORDS: macintosh; pc; security; switch; wintel

1 posted on 06/13/2005 9:30:29 PM PDT by Swordmaker

To: Bush2000; antiRepublicrat; Action-America; eno_; Glenn; bentfeather; BigFinn; Brian Allen; byset; ..
Winn Schwartau's Mad as Hell series about the Security Expert's change from Windows to Mac OSX continues.

PING!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 06/13/2005 9:31:42 PM PDT by Swordmaker (tagline now open, please ring bell.)

To: Swordmaker

People pay him for this, do they?


3 posted on 06/13/2005 9:43:16 PM PDT by general_re ("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)

To: general_re

Apparently...


4 posted on 06/13/2005 10:16:05 PM PDT by Swordmaker (tagline now open, please ring bell.)

To: Swordmaker

I'm still waiting for Winn Schwartau's imminent "Electronic Pearl Harbor," a phrase which IIRC he coined in about 1991.

And, yes, I also am thinking of getting an iBook in the next year. I like the idea of OS X.


5 posted on 06/13/2005 11:02:11 PM PDT by angkor

To: angkor

I recycled an old Mac today by giving it to a friend. He had been limping along with an old G3 tower with a very old and flickering Apple monitor, so I gave him a slightly newer G4 tower with a slightly newer Sony monitor. After I copied all his old files and email over, the very first new email he got was one from the Administrator at his ISP telling him his email account had been cancelled due to an outdated profile, and to "Click Here" to get the details. Of course he did, and thank goodness he wasn't on a PC. Nothing happened, so he called me to complain that I must have been the one to screw up his email. I explained to him that he was the target of a worm (the "Click Here" target was a .scr file), but that he should be glad he was still using a Mac.


6 posted on 06/13/2005 11:10:30 PM PDT by AZLiberty
