The CISO Den
Can you prove Confidentiality, Integrity and Availability are fundamental security concepts?

I don’t think so

Can you?

The current state of affairs is that most information security professionals use the concepts of Confidentiality, Integrity and Availability for audits, consulting projects, risk assessment and management, and development of new standards. These concepts present a series of problems that have yet to be solved.

  1. C-I-A is incomplete. Some professionals supplement them with concepts like Possession, Utility, Risk, Authentication, Authorization, Audit, Non-Repudiation and Accountability. This means performance and delivery vary greatly depending on which professional or company you use.
  2. C-I-A is ambiguous. Many professionals and even published standards give different definitions of Confidentiality, Integrity and Availability. This adds more undesirable variance. Consequently, Threats, Incidents, Vulnerability and Weakness, among other concepts, can’t be reliably defined in terms of Confidentiality, Integrity and Availability, which compounds the ambiguity.
  3. C-I-A doesn’t have units of measurement. This makes it impossible to manage information security quantitatively. Bye, bye, optimization of resources.

The use of ambiguous, incomplete, non-operational concepts (in the scientific sense) without units of measurement has created a number of problems for information security management. Communication between specialists and non-specialists in information security is difficult. Demonstrating the value of information security is difficult. Generally speaking, the use of these proxy concepts that don’t add value makes information security management more difficult than it needs to be. Time is wasted, security projects that need funding don’t get it, and trendy projects with little return get the green light. Luckily, change is possible.

I created a test, the “Security Objectives Test”, to pit the C-I-A triad against an alternative, Security Objectives. In order to pass it you have to solve the Test Use Case at the end of this article. You have two options: using traditional concepts like Confidentiality, Integrity and Availability (C-I-A triad option), or new concepts like Security Objectives (Security Objectives option). The options are mutually exclusive.

The significance of the test is that there are some facts to unearth in order for a professional to do a job (secure a company). This is perfectly feasible, but it is not possible, as far as the evidence goes, to do it using C-I-A concepts. If it is not possible to unearth or express the needs of a company using C-I-A concepts, it follows that they are neither fundamental nor useful.

The Use Case is a fictional travel agency in Madrid, Spain. Your role is to act as an information security consultant who is preparing a meeting at which you have to determine what the information security needs of the Travel Agency are.

Determining the security needs of the Use Case will enable you (the consultant) to determine the reasonable security measures to be applied, which are likely to be different, and cheaper, than all the security measures that could be taken. In order to prove that you can successfully determine the security needs, you have to create a meeting Agenda with a list of Questions to ask the managers or employees of the client company. This should be, in principle, easy since ALL THE ANSWERS THAT ARE PART OF THE USE CASE ARE AVAILABLE IN THIS SPREADSHEET YOU CAN DOWNLOAD.

You have a choice to make:
1. C-I-A Option: Questions can ONLY ask about Confidentiality, Integrity and Availability. NOT using at least one of these terms (or Confidential, Integer, Available) in any question results in a FAIL.
2. Security Objectives Option: Questions can NOT ask about Confidentiality, Integrity or Availability. Using ANY of these terms in any question will result in a FAIL.

For a question to be valid, it should naturally elicit the answers given from someone with intimate knowledge of the Use Case.

Since 2014, when this test was originally published, no one has ever passed it using the C-I-A Option. If you think you can, and can thereby prove that C-I-A are fundamental security concepts, please post your list of questions online and let me know via Twitter (@vaceituno). You think you can? Download the Test here, and read the Test Use Case (below) carefully.

Note: I have never received a single completed form filled in with the questions using the C-I-A option. I am not saying I received it and it failed the test. I am saying no one believed, on their end, that they had passed the test using the C-I-A option.

Please note that there is a difference between finding out what the Travel Agency needs and what the Travel Agency might do regarding information security. If we were to compare the security practices of the Travel Agency with some standard, we could find out that the Travel Agency is not doing everything that the standard says can be done. There is a difference between doing everything that standards state is possible, and doing everything that meets the needs of the business.

I have been waiting since 2014... what do you think that means?

And, what is the alternative? It looks like this:

###

TEST USE CASE

Ambiguous Ltd is a travel agency located in Madrid, Spain. Their business is selling retail travel packages both online and through their offices, which are at street level on a main street. The most important system they own and operate is the Package Sales System, which they use for advertising, sales, and bookings. This system interfaces with the Amadeus GDS system (checking availability and bookings), with VISA (payments), and with an equivalent system of a Moroccan partner (MTravel), as Morocco is a popular destination for Spanish tourists and represents a significant part of the company’s business.

The owner of Ambiguous Ltd has put Myrna in charge of IT, among other responsibilities. Myrna has hired you to find out which security measures (controls or processes) would provide the highest return on investment for Ambiguous Ltd. Myrna will take care of implementation. Your first (and only) task is to make an assessment of Ambiguous SL’s security needs.

Myrna has named Ignatius as the project manager for the Package Sales System. He is an employee of the company (Confederacy SL) that develops and maintains the Package Sales System for Ambiguous Ltd.

The Package Sales System functionality is as follows (please note this is a Use Case, so it is simpler than a real-life case):

  • Create, Modify and Delete Travel Packages.
  • Sell Travel Packages both online and at the office.
  • Receive feedback from customers and the public in general.
  • Send Travel Package offers to subscribers.
  • Manage Claims and Issues.

A high level view of the Package Sales System Database reveals the following data resources:

  • Travel Package Archive
  • Sales Archive
  • Feedback Archive
  • Offers Archive
  • Claims, Feedback and Incidences Archive

The following list of actions can be performed on each data resource:

  • Travel Package Archive: Create, Update, Retire, Publish, Unpublish.
  • Sales Archive: Book, Release, Sell, Refund, Update.
  • Feedback Archive: Create, Update, Close.
  • Offers Archive: Create, Update, Retire, Publish.
  • Claims, Feedback and Incidences Archive: Create, Update, Close.
  • Sales Statistics Report Archive: Create, Close.

There are certain requirements about who can do what, and where they can do it:

  • Only the sales manager can Create, Update and Publish Travel Packages.
  • Each salesperson can only view the personal information of his or her own clients.
  • Only the sales manager and the person assigned to Feedback and Claims can view the personal information of all clients.
  • Only the owner of the company can access the Sales Statistics Report.
  • Only the sales manager can create Offers.
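The five requirements above are the kind of need the article says a consultant must unearth without the C-I-A vocabulary: they are concrete, testable statements about who may do what. As an added illustration (not code from the article, its author or the fictional Package Sales System), the block below encodes them as a default-deny policy and exposes a decision function that can be exercised with test cases. The role names (`owner`, `sales_manager`, `salesperson`, `claims_handler`, `admin`), the resource and action identifiers, and the users and client record are assumptions constructed for the example; the Use Case names the roles only in prose.

```python
from dataclasses import dataclass

# Roles, resources and actions below are constructed for this example; the Use Case
# names them only in prose ("sales manager", "the person assigned to Feedback and Claims", ...).
@dataclass(frozen=True)
class User:
    name: str
    role: str  # "owner" | "sales_manager" | "salesperson" | "claims_handler" | "admin"

@dataclass(frozen=True)
class ClientRecord:
    client_id: str
    salesperson: str  # name of the salesperson who owns this client relationship

# Unconditional grants, one entry per (resource, action). Anything absent is denied.
STATIC_RULES = {
    ("travel_package", "create"): {"sales_manager"},          # "Only the sales manager can Create, Update and Publish"
    ("travel_package", "update"): {"sales_manager"},
    ("travel_package", "publish"): {"sales_manager"},
    ("offer", "create"): {"sales_manager"},                   # "Only the sales manager can create Offers"
    ("sales_statistics_report", "access"): {"owner"},         # "Only the owner of the company can access ..."
    ("client_personal_info", "view"): {"sales_manager", "claims_handler"},  # "... all clients"
}

def is_allowed(user, action, resource, record=None):
    """Return (allowed, reason). Default-deny: a request is allowed only if a rule grants it.

    The ownership rule for salespeople is the one requirement that cannot be expressed
    as a static role grant, so it is handled explicitly and needs the record in question.
    """
    if user.role in STATIC_RULES.get((resource, action), set()):
        return True, f"{user.role} may {action} {resource}"
    if resource == "client_personal_info" and action == "view" and user.role == "salesperson":
        if record is None:
            return False, "salesperson must name the client record being viewed"
        if record.salesperson == user.name:
            return True, "salesperson viewing personal information of own client"
        return False, "salesperson may only view personal information of own clients"
    return False, f"no rule grants {user.role} the action {action} on {resource}"

def denied(requests):
    """Evaluate a batch of (user, action, resource, record) tuples and return the denied
    ones with their reasons; this is the list a log review or a control test would inspect."""
    out = []
    for user, action, resource, record in requests:
        ok, reason = is_allowed(user, action, resource, record)
        if not ok:
            out.append((user.name, action, resource, reason))
    return out

if __name__ == "__main__":
    bob = User("Bob", "salesperson")
    cara = User("Cara", "salesperson")
    admin = User("Eve", "admin")
    rec = ClientRecord("c1", salesperson="Bob")
    for row in denied([
        (bob, "view", "client_personal_info", rec),     # own client: allowed
        (cara, "view", "client_personal_info", rec),    # someone else's client: denied
        (admin, "access", "sales_statistics_report", None),  # admin is not the owner: denied
    ]):
        print(row)
```

Two things the policy table makes visible that the prose hides: the Confederacy SL administrators hold no application-level grant for the Sales Statistics Report, so meeting that requirement also depends on what they can read directly from the database; and the salesperson rule is attribute-based (ownership of the client relationship), so it needs a record-level check rather than a role list.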

Certain parts of the Package Sales System are licensed, namely the Operating System, Application Server and Database.
As the company and systems are located in Spain, the Package Sales System needs to comply with the DPA. Since the Package Sales System manages VISA payments, it needs to comply with PCI-DSS.

Some of the users of the Package Sales System are employees of Ambiguous Ltd, some are temps from Adecco. The administrators of the Package Sales System are employees of Confederacy SL. The general public of Spain is a user and they can purchase Travel Packages through the application. The application does not serve the public of countries other than Spain. Persons under the age of 18 can ask for feedback and sign up for offers, but they can’t purchase Travel Packages.

The system is located in a properly conditioned room inside the office. The system interfaces with Internet via a high speed fibre optic connection. The system interfaces with the interconnected systems and users via mail, file transfers and a VPN that connects directly with the MTravel network.

The system is expected to work 24x7, but maintenance stoppages of no more than one hour per week outside business hours (which are from 9 to 5, Tuesday to Sunday) are acceptable. The longest time that the system can be offline during business hours is 2 hours, because sales can be performed with a TPV (card terminal) and handwritten notes can partially replace the use of the system. In case of a major malfunction of the system, it would be acceptable to lose one day of data, since most data could be reconstructed by checking with VISA, Amadeus and MTravel. It is understood that all “live” transactions would be lost in case of an incident.

Data needs to be archived for 5 years in order to meet tax regulations. After ten years data should be deleted permanently, as customer behaviour changes over time and the data is no longer useful for Business Intelligence.
Sales representatives and customers sometimes make mistakes entering data. This is acceptable as long as no more than one percent of the records contain inaccurate information.
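The three paragraphs above are where the Use Case answers the article's third complaint: every need is stated with a unit (minutes of downtime per week, hours of outage per incident, days of data at risk, years of retention, a percentage of inaccurate records). As an added example, not code from the article or its author, the block below transcribes those thresholds as named constants and measures a constructed week of observations against them, so each objective comes back as (measured, limit, met). Business hours are modelled as 9:00 to 17:00, Tuesday to Sunday, as the Use Case states; the outage records, backup age and error ratio are constructed sample data, and all times are naive local Madrid wall-clock times.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds transcribed from the Use Case, each with an explicit unit.
MAX_PLANNED_MINUTES_PER_WEEK_OUTSIDE_HOURS = 60   # "no more than one hour per week" of maintenance
MAX_BUSINESS_HOURS_OUTAGE_MINUTES = 120           # "longest time ... offline during business hours is 2 hours"
MAX_DATA_LOSS_HOURS = 24                          # "acceptable to lose one day of data"
MAX_INACCURATE_RECORD_RATIO = 0.01                # "no more than one percent of the records"
MIN_RETENTION_YEARS = 5                           # "archived for 5 years ... tax regulations"
DELETE_AFTER_YEARS = 10                           # "After ten years data should be deleted"

BUSINESS_WEEKDAYS = {1, 2, 3, 4, 5, 6}            # Tuesday..Sunday (Monday is 0 and the office is closed)
BUSINESS_OPEN_HOUR, BUSINESS_CLOSE_HOUR = 9, 17   # "from 9 to 5"

@dataclass(frozen=True)
class Outage:
    start: datetime   # local Madrid wall-clock time (naive datetime)
    end: datetime
    planned: bool     # True for maintenance stoppages, False for incidents

def in_business_hours(t):
    return t.weekday() in BUSINESS_WEEKDAYS and BUSINESS_OPEN_HOUR <= t.hour < BUSINESS_CLOSE_HOUR

def split_minutes(outage):
    """Count the minutes of an outage that fall inside and outside business hours.
    A minute-by-minute walk is exact and cheap for outages measured in hours."""
    inside = outside = 0
    t = outage.start
    while t < outage.end:
        if in_business_hours(t):
            inside += 1
        else:
            outside += 1
        t += timedelta(minutes=1)
    return inside, outside

def retention_status(created, now):
    """Apply the 5-year keep / 10-year delete rule to a record's creation date."""
    age_years = (now - created).days / 365.25
    if age_years < MIN_RETENTION_YEARS:
        return "retain (tax)"
    if age_years < DELETE_AFTER_YEARS:
        return "retain (business intelligence)"
    return "delete"

def evaluate_week(outages, hours_since_last_backup, inaccurate_ratio):
    """Measure one week of observations against the objectives.
    Returns {objective: (measured, limit, met)} so every line is quantitative."""
    planned_outside = sum(split_minutes(o)[1] for o in outages if o.planned)
    longest_inside = max((split_minutes(o)[0] for o in outages), default=0)
    return {
        "planned_minutes_outside_hours_per_week": (
            planned_outside, MAX_PLANNED_MINUTES_PER_WEEK_OUTSIDE_HOURS,
            planned_outside <= MAX_PLANNED_MINUTES_PER_WEEK_OUTSIDE_HOURS),
        "longest_business_hours_outage_minutes": (
            longest_inside, MAX_BUSINESS_HOURS_OUTAGE_MINUTES,
            longest_inside <= MAX_BUSINESS_HOURS_OUTAGE_MINUTES),
        "hours_of_data_at_risk": (
            hours_since_last_backup, MAX_DATA_LOSS_HOURS,
            hours_since_last_backup <= MAX_DATA_LOSS_HOURS),
        "inaccurate_record_ratio": (
            inaccurate_ratio, MAX_INACCURATE_RECORD_RATIO,
            inaccurate_ratio <= MAX_INACCURATE_RECORD_RATIO),
    }

# Constructed sample week (January 2024): one Sunday-evening maintenance window and two incidents.
SAMPLE_OUTAGES = [
    Outage(datetime(2024, 1, 7, 20, 0), datetime(2024, 1, 7, 20, 45), planned=True),    # Sunday, after closing
    Outage(datetime(2024, 1, 10, 16, 0), datetime(2024, 1, 10, 18, 30), planned=False),  # Wednesday, 1h inside hours
    Outage(datetime(2024, 1, 12, 10, 0), datetime(2024, 1, 12, 12, 30), planned=False),  # Friday, 2.5h inside hours
]

if __name__ == "__main__":
    for name, (measured, limit, met) in evaluate_week(SAMPLE_OUTAGES, 30, 0.004).items():
        print(f"{name}: measured={measured} limit={limit} {'OK' if met else 'NOT MET'}")
```

Running it on the sample week flags two unmet objectives (the Friday incident exceeded 2 hours inside business hours, and the last backup is older than one day) and two that are met, which is exactly the form a funding conversation needs: a number, a limit and a gap, with no appeal to "Availability" or "Integrity" as such.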

In order to create an account in the Package Sales System, potential clients can log in using Facebook or create an account linked to their email address. They can unlink or delete the account at any time, but that does not delete any data in the database if they have purchased a Travel Package, even if they cancelled the purchase. In order to create an account in the Package Sales System, the Sales Manager sends an email to the Administrator. The email states what functions the user should be able to perform. The general public doesn’t need an account to provide feedback or sign up for the Offers newsletter.

Customers who lose their passwords to the Package Sales System can request a new one and a link will be sent to their email address. Users who lose their password to access the Package Sales System need to physically visit the Administrator, who resets the password and gives it to them in a written note.

As some Offers expire at midnight, the Package Sales System should prevent customers from purchasing Travel Packages after they have expired, even by a few seconds.

There is a development environment that Confederacy SL maintains in their own data center, and a pre-production environment at the Ambiguous SL office.
The current administrator is subscribed to email lists that notify him of security updates. The Administrator has configured the system using security guidelines found on the Internet for every component. Security patches have not been applied since a patch caused half a day of downtime.
The Administrator changes about once every six months.

The system has no malware protection.
The domain has been registered with Piensasolutions.es. The digital certificates used by the system are from Thawte. No one has been assigned the responsibility to manage the domain or the certificates.
The system logs all the sales activity, but not any other activity.
There is no Firewall. The internet connectivity provider (Telefonica) provides a service that is supposed to deliver “clean” traffic.

No part of the Package Sales System is located in a publicly accessible location.
No part of the Package Sales System is accessible via Mobile application, but there are plans to incorporate a solution for this.
No part of the Package Sales System is exposed to extreme environmental conditions.

To learn more

This article is part of a series that starts here: Principles of Evidence Based Cybersecurity Management

You can also check the results of the only responses I ever got.

The CISO Den is about how to deliver the best cybersecurity for organizations, no matter the size, budget, industry or country

Vicente Aceituno Canal

Evidence-based cybersecurity management leader
