Beyond Confidentiality, Integrity & Availability

Jym
5 min read · Feb 4, 2016

These notes are written as part of a series for sharing sessions with my mentees & colleagues. I doubt I can clock my CISSP CPEs with this.

Source: http://geraintw.blogspot.sg/2012/09/cia-infosec.html

Jokes aside, many believe this famous triad is the be-all and end-all of so-called ‘cyber-security’. These data requirements of Confidentiality, Integrity & Availability form the basic fundamentals, but there are other related concepts that need to be covered for a complete appreciation of security beyond Information & Communication Technology (ICT) systems.

Confidentiality & Privacy are often treated as synonymous. Confidentiality pertains to the treatment of information (e.g. encryption), while privacy is about people & their control over the extent, timing & circumstances of sharing information about themselves.

For any information producing-consuming system, we can look at it from the angle of data operations: Create, Read, Update & Delete, commonly known as CRUD. The Integrity requirement relates to the creation, update & deletion of data. Data integrity is often associated with the notion of Non-Repudiation, which is the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.

The Availability of data to the ‘right’ person/system is linked to the Access Control concepts of Identification, Authentication, Authorization & Accountability:

Source: http://www.slideshare.net/aouyang/8-access-control
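The four access-control concepts above, walked through in order as an added example (my own illustration, not code from the original post or the slide deck linked above). The user store, role names and the CRUD permission table are constructed for the demo; the salted PBKDF2 hashing and the constant-time comparison are standard library calls.

```python
# Added example: Identification -> Authentication -> Authorization -> Accountability
# for CRUD operations on some data. The users, roles and permissions are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a stolen store does not directly yield passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str          # the identity a subject can claim (Identification)
    salt: bytes
    pw_hash: bytes     # the proof we verify the claim against (Authentication)
    roles: set         # what the identity is allowed to do (Authorization)


def make_store() -> dict:
    # Constructed sample user store; in practice this comes from a directory/DB
    users = {}
    for name, pw, roles in [("alice", "correct horse", {"reader", "editor"}),
                            ("bob", "battery staple", {"reader"})]:
        salt = os.urandom(16)
        users[name] = User(name, salt, hash_password(pw, salt), roles)
    return users


# Authorization policy: which roles may perform which data operation (CRUD)
PERMISSIONS = {
    "create": {"editor"},
    "read": {"reader", "editor"},
    "update": {"editor"},
    "delete": {"admin"},
}

_DUMMY_SALT = b"\x00" * 16


@dataclass
class AccessControl:
    users: dict
    audit_log: list = field(default_factory=list)   # Accountability record

    def request(self, claimed_name: str, password: str, operation: str) -> bool:
        # 1. Identification: look up the claimed identity
        user = self.users.get(claimed_name)
        if user is None:
            # Hash anyway so response time does not reveal whether the name exists
            hash_password(password, _DUMMY_SALT)
            self._log(claimed_name, operation, "DENY", "authentication failed")
            return False
        # 2. Authentication: verify the proof with a constant-time comparison
        if not hmac.compare_digest(user.pw_hash, hash_password(password, user.salt)):
            self._log(claimed_name, operation, "DENY", "authentication failed")
            return False
        # 3. Authorization: does any of the subject's roles permit this operation?
        if not (user.roles & PERMISSIONS.get(operation, set())):
            self._log(claimed_name, operation, "DENY", "not authorized")
            return False
        # 4. Accountability: every decision, allow or deny, is recorded
        self._log(claimed_name, operation, "ALLOW", "ok")
        return True

    def _log(self, who: str, op: str, decision: str, reason: str) -> None:
        self.audit_log.append(
            {"subject": who, "operation": op, "decision": decision, "reason": reason})


if __name__ == "__main__":
    ac = AccessControl(make_store())
    ac.request("alice", "correct horse", "read")
    ac.request("alice", "correct horse", "delete")
    ac.request("mallory", "guess", "read")
    for entry in ac.audit_log:
        print(entry)
```

Note that a denied request is logged with the same care as an allowed one: the accountability step is what lets you later reconstruct who tried what, which is also the raw material for the Detective Controls mentioned at the end of the post.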

So far we have discussed data & system requirements. Perhaps with infinite financial resources & know-how there is a possibility of designing an impenetrable system, but in our reality of limited budget, time & resources & recurring human error, systems are designed & implemented with requirement trade-offs, such that additional controls are needed as an afterthought. Such systems, under the ‘right circumstances’, will fail at least one of the CIA requirements. What then are these ‘right circumstances’?

In August 2013, Jeff Hughes & George Cybenko published a paper, ‘Quantitative Metrics and Risk Assessment: The Three Tenets Model of Cybersecurity’. That paper covered another ‘triad’ that posits the necessary & sufficient conditions for a successful attack:

Source: http://timreview.ca/article/712
  1. A system is susceptible if it has vulnerabilities & is of value to the attacker;
  2. A susceptible system is accessible if it has some logical &/or physical attack surface reachable to the attacker(s); &
  3. A successful attack can only occur iff the threat actor has the capability in the forms of tools, techniques & resources to take advantage of the two conditions above.

By ‘attack’, we are not limited to ICT systems, which are mainly concerned with the production & consumption of information, but also include Cyber-Physical systems that perform physical functions, as with weapons & industrial controls (think Critical Information Infrastructures, Autonomous Vehicles…). Cyber-Physical systems bring a further consideration, the notion of Dependability. Confidentiality, Integrity & Availability form a subset of the Dependability attributes.

Source: http://dependablesystem.blogspot.sg/2011/04/what-language-do-we-speak.html

Threats affect systems that are linked together in the form of cascading causation:

Regardless of ICT or Cyber-Physical systems, Jeff Hughes & George Cybenko proposed guidance in the form of The Three Tenets, which is in use by the Software Protection Initiative of the US Air Force Research Laboratory. Collectively, The Three Tenets comprise a system security engineering approach consisting of both a secure design methodology & an assessment tool for security evaluation. The Three Tenets are described below:

  1. Focus on What is Critical: The first Tenet instructs the designer to consciously & methodically focus on including only those system functions that are essential to the mission. Adherence to this Tenet reduces the number of potential susceptibilities, & therefore, the paths between the attackers’ starting state (i.e., the system access points) & goal states in which mission-essential functions, critical security controls, or critical data are compromised. This Tenet eliminates those access points and susceptibilities associated with unneeded functionality.
  2. Move Key Assets Out-of-Band: The second Tenet instructs the designer to consciously differentiate between user access and attacker access for a given system’s mission. This Tenet modifies system availability and is accomplished by moving the data/processes used by mission-essential functions, their security controls, & associated access points out-of-band of the attacker either logically, physically, or both. By “out-of-band” we mean not accessible by the attacker through their preferred or available access methods. Adherence to this Tenet reduces threat access for a given mission (i.e., use case) and may enable unalterable observations of system state by a security control sensor. The extent & strength of access differentiation between the user and attacker is greatly influenced by the type of out-of-band mechanism employed and whether it is done in software or hardware.
  3. Detect, React, Adapt: The third Tenet instructs the designer to employ dynamic sensing & response technologies (e.g., a security control sensor or reference monitor) that mitigate the threat’s capabilities and exploitation attempts through automated (preferably autonomic) system behaviour. Adherence to this Tenet confounds the attacker’s capabilities by making the system’s defences unpredictable (i.e., nonstationary) & adaptive (i.e., with penalties) instead of merely being passive.
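To make the three Tenets concrete, here is a toy reference monitor in front of a small industrial-control style service. It is an added illustration of my own, not code from Hughes & Cybenko or from the original post; the function names, thresholds and request sources are constructed. Tenet 1 appears as a fixed set of mission-essential functions (anything else is simply not an access point); Tenet 2 is approximated in software by keeping the sensor's history & penalty state behind an interface that the request path can append to but never read back or clear (a real out-of-band mechanism would be a logical or physical separation, which this single-process demo cannot show); Tenet 3 appears as a sensor that reacts to accumulated failures by blocking a source & adapts by tightening its tolerance after each incident, so its behaviour is nonstationary from the attacker's point of view.

```python
# Added example: a toy reference monitor shaped by the Three Tenets.
# Service functions, thresholds and request sources are constructed.
from collections import defaultdict

# Tenet 1: only mission-essential functions are exposed at all.
ESSENTIAL_FUNCTIONS = {"read_sensor", "set_valve"}


class OutOfBandSensor:
    """Security control sensor. The request path can only call observe();
    the recorded history & penalty counters cannot be altered through it."""

    def __init__(self):
        self._events = []
        self._failures = defaultdict(int)

    def observe(self, source: str, func: str, outcome: str) -> None:
        self._events.append((source, func, outcome))
        if outcome != "ok":
            self._failures[source] += 1

    def failures(self, source: str) -> int:
        return self._failures[source]

    def events(self) -> list:
        return list(self._events)   # a copy: callers cannot rewrite history


class ReferenceMonitor:
    def __init__(self, sensor: OutOfBandSensor, lockout_after: int = 3):
        self._sensor = sensor
        self._lockout_after = lockout_after   # current tolerance (adapts over time)
        self._blocked = set()
        self._valve_position = 0              # the physical state being protected

    def handle(self, source: str, func: str, arg=None) -> str:
        # Tenet 3 (react): sources with too many failures are refused outright
        if source in self._blocked or self._sensor.failures(source) >= self._lockout_after:
            if source not in self._blocked:
                self._blocked.add(source)
                # Tenet 3 (adapt): after an incident, tolerate fewer failures
                # from everyone, so the defence is not a fixed, learnable threshold
                self._lockout_after = max(1, self._lockout_after - 1)
            self._sensor.observe(source, func, "blocked")
            return "blocked"
        # Tenet 1: a function outside the essential set is not an access point
        if func not in ESSENTIAL_FUNCTIONS:
            self._sensor.observe(source, func, "unknown_function")
            return "rejected"
        if func == "read_sensor":
            self._sensor.observe(source, func, "ok")
            return f"valve={self._valve_position}"
        # set_valve is the one mutating function, so its input is validated strictly
        if not isinstance(arg, int) or not 0 <= arg <= 100:
            self._sensor.observe(source, func, "invalid_argument")
            return "rejected"
        self._valve_position = arg
        self._sensor.observe(source, func, "ok")
        return "ok"


if __name__ == "__main__":
    sensor = OutOfBandSensor()
    monitor = ReferenceMonitor(sensor, lockout_after=3)
    # Constructed request stream: a legitimate controller and a probing source
    for src, fn, arg in [("plc-1", "set_valve", 40), ("scan", "debug_shell", None),
                         ("scan", "set_valve", 999), ("scan", "set_valve", "x"),
                         ("scan", "read_sensor", None), ("plc-1", "read_sensor", None)]:
        print(src, fn, "->", monitor.handle(src, fn, arg))
    print(sensor.events())
```

The point of the separation is visible in the last line of the demo: the legitimate controller still reads the valve position it set, the probing source is blocked before it ever touches the mutating function, and the sensor's event list is the unalterable observation of system state that Tenet 2 talks about.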

Each ingredient of the threat model has grounding in Electronic Warfare & classical criminology theory, & each of The Three Tenets has been advocated & practiced in one form or another by computer security researchers & developers in the past. Further details & a more comprehensive treatment of The Three Tenets are available in a longer & more technical article (Hughes & Cybenko, 2013).

A detailed discourse on risk assessment is beyond this introduction to The Three Tenets model. In fact, the very notion of ‘risk management’ using ‘business logic’ is questionable (the curious reader may consider this paper). Nonetheless, as depicted by the following diagram, risk assessment generally leads to the selection of controls (& hopefully not to doing nothing):

Source: http://security.globalpractitioner.org/introduction/infosec_5_5.htm

In an ideal world, we aspire to design systems & protocols that meet all 3 data requirements of Confidentiality, Integrity & Availability & ensure system Dependability, particularly for Cyber-Physical systems. But in a less than ideal reality, we still need Deterrent Controls to reduce Threat Accessibility, Preventive Controls to reduce System Susceptibility, Detective Controls to discover Threat Capabilities & Corrective Controls to reduce the business impact. For an in-depth prescription of controls, one may turn to the Center for Internet Security Critical Security Controls.

In the next sharing session, we will turn our attention to Threat Capability, specifically a survey of Threat Capability models like the Cyber Kill Chain or the Attack Life Cycle.
