<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>InfoSecMinds &#187; Information Security</title>
	<atom:link href="http://infosecminds.com/category/information-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://infosecminds.com</link>
	<description>For like-minded people</description>
	<lastBuildDate>Wed, 05 May 2010 07:29:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Classification and labeling – A double edged sword?</title>
		<link>http://infosecminds.com/2010/05/05/classification-and-labeling-%e2%80%93-a-double-edged-sword/</link>
		<comments>http://infosecminds.com/2010/05/05/classification-and-labeling-%e2%80%93-a-double-edged-sword/#comments</comments>
		<pubDate>Wed, 05 May 2010 07:26:02 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[classified documents]]></category>
		<category><![CDATA[confidential documents]]></category>
		<category><![CDATA[confidentiality]]></category>
		<category><![CDATA[labeling documents]]></category>
		<category><![CDATA[top secret]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=240</guid>
		<description><![CDATA[I use public transport to commute between office and home. Recently, a gentleman sitting next to me was reading a document. I glanced at it, and all I could instantly read was the document name, and it was labeled “Confidential”. Now why would somebody read a confidential document during his [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">I use public transport to commute between office and home. Recently, a gentleman sitting next to me was reading a document. I glanced at it, and all I could instantly read was the document name, and it was labeled “Confidential”.</p>
<p style="text-align: justify;">Now why would somebody read a confidential document during his commute to the office on public transport? Did the classification serve any purpose? I was curious about this and asked him, “Any urgent review going on?” He said, “No, why?” I said I could see the document was classified “Confidential”. His explanation was, “It is just an old document, maybe from sometime in 2006.” Well, why was the document not re-classified if it was old?</p>
<p style="text-align: justify;">Urgency is one big enemy of security, and so, to a certain extent, is labeling.</p>
<p style="text-align: justify;">In another instance, an organization with many branch offices exchanged physical mail between them. The recommended procedure for exchanging documents classified as “Top Secret” was to put the document into an envelope labeled “Top Secret”, and then put that envelope into another one labeled “Personal”. The classification levels in this organization were, from the highest, “Top Secret” and then “Confidential”. Now how would this serve the purpose?</p>
<p style="text-align: justify;">The mail is exchanged through an outsourced mailman (or it could even be an internal employee), and the mailman would be curious about the “Personal” label by itself. Once he decides to open it, he will be even more curious, or pleased, to find the inner envelope labeled “Top Secret”.</p>
<p style="text-align: justify;">Should labeling be restricted to physical documents that reside within the organization's premises only?</p>
<p style="text-align: justify;">For example, in the first instance, what if the person had removed the label before printing the document? I would not even have bothered to look at the document he was reading, or to have this conversation with him.</p>
<p style="text-align: justify;">In the second instance, while the document is moving from one office to another, remove the label and deliver it personally (I mean this only for “Top Secret” documents). Once it is in the destination office, can't it be labeled again?</p>
<p style="text-align: justify;">I feel that labeling of physical documents should be used primarily to identify how they are to be stored and protected, and not while they are in physical transit. Let me know your views.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2010/05/05/classification-and-labeling-%e2%80%93-a-double-edged-sword/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SSL &#8211; How it works</title>
		<link>http://infosecminds.com/2010/03/16/ssl-how-it-works/</link>
		<comments>http://infosecminds.com/2010/03/16/ssl-how-it-works/#comments</comments>
		<pubDate>Tue, 16 Mar 2010 04:56:09 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Technical]]></category>
		<category><![CDATA[Certificate Authority]]></category>
		<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Private Key]]></category>
		<category><![CDATA[Public Key]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[TLS]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=210</guid>
		<description><![CDATA[Trying to simplify and explain how SSL works. Hope I have not complicated it further.   Let us consider that someone is trying to call me over the phone and he/she is going to talk to me for the first time. In this case, how does he/she understand that I am the person on the other [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">An attempt to simplify and explain how SSL works. I hope I have not complicated it further.</p>
<p style="text-align: justify;">Suppose someone is calling me over the phone and is going to talk to me for the first time. In this case, how does he/she know that I am the person on the other end of the line, or that he/she is connecting to the right person at all? It is not possible to know.</p>
<p style="text-align: justify;">Now, if you are in a large organization that maintains an up-to-date directory listing each contact person, his office location, extension number, etc., the directory is one place for validation, and you can be reasonably sure that you are reaching the person you intended to.</p>
<p style="text-align: justify;">Still, there is a chance that someone else might pick up the extension instead of the person you are looking for. And once you have reached the intended person, you need to be sure that your conversation is not overheard or intercepted by a third party.</p>
<p style="text-align: justify;">Similarly, while accessing a website, how sure are we that we are accessing the website we intended to, and how sure are we that the information we send is not read by anyone else?</p>
<p style="text-align: justify;">SSL is a solution that gives us this assurance to a great extent.</p>
<p style="text-align: justify;">I shall explain each step with reference to the diagram below.</p>
<p style="text-align: justify;"><a href="http://infosecminds.com/wp-content/uploads/2010/03/SSL-How-it-works2.jpg"><img class="aligncenter size-full wp-image-230" title="SSL - How it works" src="http://infosecminds.com/wp-content/uploads/2010/03/SSL-How-it-works2.jpg" alt="" width="574" height="570" /></a>  </p>
<p style="text-align: justify;"><span style="text-decoration: underline;"><strong>Server – Obtaining the certificate</strong></span>  </p>
<p style="text-align: justify;"><strong>1.</strong> The server initiates a request to procure a certificate from a trusted authority. This authority is called a Certificate Authority (CA), such as Verisign, Thawte, Trustwave, etc.</p>
<p style="text-align: justify;"><strong>2.</strong> The CA validates <a href="http://www.xyz.com/">www.xyz.com</a> after verifying the related information.</p>
<p style="text-align: justify;"><span style="text-decoration: underline;"><strong>Client/Server – Establishing secure connection</strong></span>  </p>
<p style="text-align: justify;"><strong>3.</strong> The client initiates a connection to <a href="http://www.xyz.com/">www.xyz.com</a> on the secure port to access the website.</p>
<p style="text-align: justify;"><strong>4.</strong> Since the connection is initiated on the secure port, the server sends its public key and the ciphers it supports back to the client.</p>
<p style="text-align: justify;"><strong>5.</strong> Now the client needs to verify that the response was genuinely from <a href="http://www.xyz.com/">www.xyz.com</a> and not from some person in the middle trying to give false information. The client contacts the certificate authority (CA) and provides <a href="http://www.xyz.com/">www.xyz.com’s</a> public key for verification.</p>
<p style="text-align: justify;"><strong>6.</strong> Let us consider the request to be genuine. The certificate authority sends the information (the valid public key) back to the client, encrypting it using the CA’s private key. Now why is the encryption done? The client only asked for a validation. The encryption is done to tell the client that the CA is the one sending this information, since the client can only decrypt it using the CA’s public key. This means the information is authentic and was sent by the CA itself.</p>
<p style="text-align: justify;"><strong>7.</strong> The client decrypts the information sent by the CA using the CA’s public key and reads the message (the valid public key).</p>
<p style="text-align: justify;"><strong>8.</strong> Now the client is satisfied that the public key of <a href="http://www.xyz.com/">www.xyz.com</a> is genuine. Next, the client chooses the cipher and the symmetric key (password) that it will use for data encryption. The possible ciphers were received from the server at step 4. All this information is encrypted using the public key of <a href="http://www.xyz.com/">www.xyz.com</a>. Now why is this done? Encrypting the information using <a href="http://www.xyz.com/">www.xyz.com’s</a> public key means that only <a href="http://www.xyz.com/">www.xyz.com</a> can decrypt the information, using its private key.</p>
<p style="text-align: justify;"><strong>9.</strong> <a href="http://www.xyz.com/">www.xyz.com</a> receives the information and decrypts it using its private key. Now the client and server are ready to exchange information encrypted using the chosen cipher and password.</p>
<p style="text-align: justify;"><strong>Step 3</strong> – initiation of the connection  </p>
<p style="text-align: justify;"><strong>Step 6</strong> – confirmed that we are communicating with whom we want to communicate  </p>
<p style="text-align: justify;"><strong>Step 8</strong> – decided on protecting the data and hence chose the cipher and password  </p>
<p style="text-align: justify;"><strong>Step 9</strong> – secure communication established  </p>
<p style="text-align: justify;">Hope this makes it clear and simple. If you have any questions or you feel that this can be further simplified, please do let me know.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2010/03/16/ssl-how-it-works/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Parkerian Hexad</title>
		<link>http://infosecminds.com/2009/08/16/149/</link>
		<comments>http://infosecminds.com/2009/08/16/149/#comments</comments>
		<pubDate>Sun, 16 Aug 2009 11:36:31 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[CIA Triad]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[ISO 27001:2005]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[Information Security Risk Management]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[CIA]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=149</guid>
		<description><![CDATA[The Parkerian hexad is a set of six elements of information security proposed by Donn B. Parker, renowned security consultant and writer. The term was coined by M. E. Kabay. The Parkerian hexad adds three additional attributes to the three classic security attributes of the CIA triad (confidentiality, integrity, availability). The Parkerian Hexad attributes are [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">The Parkerian hexad is a set of six elements of information security proposed by Donn B. Parker, renowned security consultant and writer. The term was coined by M. E. Kabay. The Parkerian hexad adds three additional attributes to the three classic security attributes of the CIA triad (confidentiality, integrity, availability).</p>
<p>The Parkerian Hexad attributes are the following:</p>
<ul>
<li>Confidentiality</li>
<li><strong>Possession or Control</strong></li>
<li>Integrity</li>
<li><strong>Authenticity</strong></li>
<li>Availability</li>
<li><strong>Utility</strong></li>
</ul>
<p style="text-align: justify;">These attributes of information are atomic in that they are not broken down into further constituents; they are non-overlapping in that they refer to unique aspects of information. Any information security breach can be described as affecting one or more of these fundamental attributes of information.</p>
<p>I don’t think I need to explain C-I-A here. Let’s look at the other attributes.</p>
<p><strong><span style="text-decoration: underline;">Possession or Control</span></strong></p>
<p style="text-align: justify;">Suppose a thief were to steal a sealed envelope containing a bank debit card and (foolishly) its personal identification number. Even if the thief did not open that envelope, the victim of the theft would legitimately be concerned that (s)he could do so at any time without the control of the owner. That situation illustrates a loss of control or possession of information but does not involve the breach of confidentiality.</p>
<p><strong><span style="text-decoration: underline;">Authenticity</span></strong></p>
<p style="text-align: justify;">Authenticity refers to correct labeling or attribution of information. For example, if a criminal forges e-mail headers to make it look as if an innocent person is sending threatening e-mail messages, there has been no breach of confidentiality (the thief uses his or her own e-mail account), possession (no information has been taken out of the control of the victim), or integrity (the e-mail messages are exactly as intended by the criminal).</p>
<p style="text-align: justify;">What is breached is authenticity: the e-mail is incorrectly attributed to someone else. Similarly, misusing a field in a database to store information that is incorrectly labeled is a breach of authenticity; e.g., storing a merchant&#8217;s tax code in a field labeled as the merchant&#8217;s ZIP code would violate the authenticity of the information.</p>
<p><strong><span style="text-decoration: underline;">Utility</span></strong></p>
<p style="text-align: justify;">Utility means usefulness. For example, suppose someone encrypted data on disk to prevent unauthorized access or undetected modifications – and then lost the decryption key: that would be a breach of utility. The data would be confidential, controlled, integral, authentic, and available – they just wouldn’t be useful in that form.</p>
<p style="text-align: justify;">Similarly, conversion of salary data from one currency into an inappropriate currency would be a breach of utility, as would the storage of data in a format inappropriate for a specific computer architecture; e.g., EBCDIC instead of ASCII or 9-track magnetic tape instead of DVD-ROM. A tabular representation of data substituted for a graph could be described as a breach of utility if the substitution made it more difficult to interpret the data. Utility is often confused with availability because breaches such as those described in these examples may also require time to work around the change in data format or presentation. However, the concept of usefulness is distinct from that of availability.</p>
<p style="text-align: right;">Source: www.wikipedia.org</p>
<p style="text-align: justify;">Having said this, I would like to discuss the possible controls that can be implemented to mitigate risks to the above three attributes.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/08/16/149/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>CISF Security at Infosys</title>
		<link>http://infosecminds.com/2009/07/31/cisf-security-at-infosys/</link>
		<comments>http://infosecminds.com/2009/07/31/cisf-security-at-infosys/#comments</comments>
		<pubDate>Fri, 31 Jul 2009 09:07:51 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Management System]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[Information Security Risk Management]]></category>
		<category><![CDATA[Physical Security]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=146</guid>
		<description><![CDATA[In recent news, Infosys has become the first private company to get CISF security. I have also been reading in yet another blog about an organization conducting mock drills for terrorist attacks. It is quite interesting to see that organizations are now taking security as a prime concern. As mentioned in my previous blog about [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">In recent news, Infosys has become the first private company to get CISF security. I have also been reading in yet another <a href="http://vagrasala.wordpress.com/2009/07/01/beyond-fire-mock-drills-to-terrorist-attack-mock-drills/">blog</a> about an organization conducting mock drills for terrorist attacks. It is quite interesting to see that organizations are now taking security as a prime concern. As mentioned in my previous blog about the frisking of VIPs at airports, the exception mentioned there is an age-old rule that was implemented when terrorism was not a major concern.</p>
<p style="text-align: justify;">It is important for every organization to carry out risk assessments regularly to ensure that it is protected from new threats. Today terrorism has become a major threat to organizations as well, and hence organizations definitely need to include terrorism as a threat in their risk assessment exercise.</p>
<p style="text-align: justify;">A regular risk assessment exercise not only helps in identifying and protecting against the latest threats, but also revisits the processes and controls that were defined and implemented years ago. Though those processes and controls might be working well, they might not cover the risks arising from the latest threats, and if risk assessments are not conducted on a regular basis, these new threats might go unnoticed.</p>
<p style="text-align: justify;">Hence organizations are encouraged to carry out the risk assessment exercise annually, and also whenever there is a major change within the organization. It is also important to keep tabs on the new threats that need to be included in the risk assessment exercise.</p>
<p style="text-align: justify;">Now the next question that arises is: what are the risks of having these armed CISF security personnel on the campus?</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/07/31/cisf-security-at-infosys/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Security Breach &#8211; Who&#039;s responsible?</title>
		<link>http://infosecminds.com/2009/01/27/security-breach-whos-responsible/</link>
		<comments>http://infosecminds.com/2009/01/27/security-breach-whos-responsible/#comments</comments>
		<pubDate>Tue, 27 Jan 2009 11:59:25 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[ISMS]]></category>
		<category><![CDATA[ISO 27001:2005]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[Security Breach]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=87</guid>
		<description><![CDATA[The very first lesson taught to me in my computer classes was &#8220;A computer is as smart as you are&#8221;, and this statement holds good even today. For a computer does only what a person wants it to do. The only advantages a computer has over a human are speed and storage [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align:justify;">The very first lesson taught to me in my computer classes was &#8220;A computer is as smart as you are&#8221;, and this statement holds good even today. For a computer does only what a person wants it to do. The only advantages a computer has over a human are speed and storage capacity.</p>
<p style="text-align:justify;">Looking at the various aspects of data loss, the root cause always points to &#8220;PEOPLE&#8221;. The above statement holds good not only for data loss (which is now among the highest-rated security risks); if you look at any of the frauds that have happened in the recent past, everything was manipulated by a &#8220;HUMAN&#8221;. No matter what standards are adopted or what stringent rules are set in an organization, frauds still happen.</p>
<p style="text-align:justify;">Consider an organization that is in a very good financial position and has all the best technology implemented to ensure that no fraud or data loss happens. The organization is certified against 7799, 27001, PCI DSS, you name it. It has the best security professionals and chief executives running the organization, who are on their toes to identify what new threats are coming and how they can protect the organization from different attacks. On the other hand, there would be an employee sitting in his cubicle, or on the next floor, using a USB data card to connect his/her PC directly to the internet.</p>
<p style="text-align:justify;">We are all aware of the rules of driving, but sometimes we tend to break them, either not knowing the consequences or because the law is liberal. Again, the law made by people might be stringent, but it is made liberal by the people practicing it. We still break the rules on the road even knowing that the consequences would affect us directly. Now how would one not break a rule, knowing that the consequences might not affect them directly, but that the organization would suffer?</p>
<p style="text-align:justify;">I think we are all done with standards, compliance, certifications, awareness, etc. We need a cultural change. None of the standards or compliance requirements talks about how to bring about this paradigm shift of culture in an organization. It is never easy, as the parameters that need to be considered to achieve a cultural change are too many, from people to geographic locations to business verticals, etc. I look forward to something that would help us bring about this change.</p>
<p style="text-align:justify;">&#8220;In the past, battles were fought between humans face-to-face using weapons. Now they have changed to battles fought using technology, but never forget: it is still between humans.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/01/27/security-breach-whos-responsible/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
