<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>InfoSecMinds</title>
	<atom:link href="http://infosecminds.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://infosecminds.com</link>
	<description>For like-minded people</description>
	<lastBuildDate>Wed, 05 May 2010 07:29:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Classification and labeling – A double edged sword?</title>
		<link>http://infosecminds.com/2010/05/05/classification-and-labeling-%e2%80%93-a-double-edged-sword/</link>
		<comments>http://infosecminds.com/2010/05/05/classification-and-labeling-%e2%80%93-a-double-edged-sword/#comments</comments>
		<pubDate>Wed, 05 May 2010 07:26:02 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[classified documents]]></category>
		<category><![CDATA[confidential documents]]></category>
		<category><![CDATA[confidentiality]]></category>
		<category><![CDATA[labeling documents]]></category>
		<category><![CDATA[top secret]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=240</guid>
		<description><![CDATA[I use public transport to commute between office and home. Recently, a gentleman sitting next to me was reading a document. I glanced at it, and all I could instantly read was the document name, which was labeled “Confidential”. Now why would somebody read a confidential document during his [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">I use public transport to commute between office and home. Recently, a gentleman sitting next to me was reading a document. I glanced at it, and all I could instantly read was the document name, which was labeled “Confidential”.</p>
<p style="text-align: justify;">Now why would somebody read a confidential document during his commute to the office on public transport? Did the classification serve any purpose? I grew curious about this and asked him, “Any urgent review going on…?” He said, “No, why?” I said I could see the document was classified “Confidential”. His explanation was, “It is just an old document, maybe from sometime in 2006”. Well, why was the document not re-classified if it was old?</p>
<p style="text-align: justify;">Urgency is one big enemy of security, and so, to a certain extent, is labeling.</p>
<p style="text-align: justify;">In another instance, an organization with many branch offices exchanged physical mail between those offices. The recommendation for exchanging documents classified as “Top Secret” was to put the document into an envelope labeled “Top Secret”, and then put that envelope into another one labeled “Personal”. The classification levels in this organization were “Top Secret” first and then “Confidential”. Now how does this serve the purpose?</p>
<p style="text-align: justify;">The mail is exchanged through an outsourced mailman (it could equally have been an internal employee), and the label “Personal” by itself would make the mailman curious. Once he decides to open it, he will be even more curious, or pleased, to find the inner envelope labeled “Top Secret”.</p>
<p style="text-align: justify;">Should labeling be restricted to physical documents that remain within the organization’s premises?</p>
<p style="text-align: justify;">For example, in the first instance, what if the person had removed the label before printing the document? I would not even have bothered to look at the document he was reading, let alone have a conversation with him about it.</p>
<p style="text-align: justify;">In the second instance, while the document is moving from one office to another, remove the label and deliver it personally (I mean this only for “Top Secret” documents). Once it is in the destination office, can’t it be labeled again?</p>
<p style="text-align: justify;">I feel that labeling of physical documents should primarily be used to identify how a document is to be stored and protected, and not while it is in physical transit. Let me know your views.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2010/05/05/classification-and-labeling-%e2%80%93-a-double-edged-sword/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SSL &#8211; How it works</title>
		<link>http://infosecminds.com/2010/03/16/ssl-how-it-works/</link>
		<comments>http://infosecminds.com/2010/03/16/ssl-how-it-works/#comments</comments>
		<pubDate>Tue, 16 Mar 2010 04:56:09 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Technical]]></category>
		<category><![CDATA[Certificate Authority]]></category>
		<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Private Key]]></category>
		<category><![CDATA[Public Key]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[TLS]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=210</guid>
		<description><![CDATA[Trying to simplify and explain how SSL works. Hope I have not complicated it further. Let us consider that someone is trying to call me over the phone and he/she is going to talk to me for the first time. In this case, how does he/she know that I am the person on the other [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Trying to simplify and explain how SSL works. Hope I have not complicated it further.</p>
<p style="text-align: justify;">Let us consider that someone is trying to call me over the phone and is going to talk to me for the first time. In this case, how does he/she know that I am the person on the other end of the line, or that he/she has reached the right person at all? It is not possible to tell.</p>
<p style="text-align: justify;">Now if you are in a large organization that maintains an up-to-date directory listing the contact person, his office location, extension number and so on, this is one place for validation, and you can be sure that you are reaching the person you intended to.</p>
<p style="text-align: justify;">But there is still a chance that someone else might pick up the extension instead of the person you are looking for. And once you have reached the intended person, you then need to be sure that your conversation is not overheard or intercepted by a third party.</p>
<p style="text-align: justify;">Similarly, while accessing a website, how sure are we that we are accessing the website we intended to, and how sure are we that the information we send is not read by anyone else?</p>
<p style="text-align: justify;">SSL is a solution that gives us this assurance to a great extent.</p>
<p style="text-align: justify;">I shall explain each step with reference to the diagram below.</p>
<p style="text-align: justify;"><a href="http://infosecminds.com/wp-content/uploads/2010/03/SSL-How-it-works2.jpg"><img class="aligncenter size-full wp-image-230" title="SSL - How it works" src="http://infosecminds.com/wp-content/uploads/2010/03/SSL-How-it-works2.jpg" alt="" width="574" height="570" /></a>  </p>
<p style="text-align: justify;"><span style="text-decoration: underline;"><strong>Server – Obtaining the certificate</strong></span>  </p>
<p style="text-align: justify;"><strong>1.</strong> The server initiates a request to procure a certificate from a trusted authority. This authority is called a Certificate Authority (CA); Verisign, Thawte and Trustwave are examples.</p>
<p style="text-align: justify;"><strong>2.</strong> The CA validates <a href="http://www.xyz.com/">www.xyz.com</a> after verifying the related information.</p>
<p style="text-align: justify;"><span style="text-decoration: underline;"><strong>Client/Server – Establishing secure connection</strong></span>  </p>
<p style="text-align: justify;"><strong>3.</strong> The client initiates a connection to <a href="http://www.xyz.com/">www.xyz.com</a> on the secure port to visit the website.</p>
<p style="text-align: justify;"><strong>4.</strong> Since the connection is initiated on the secure port, the server sends its public key and the ciphers it supports back to the client.</p>
<p style="text-align: justify;"><strong>5.</strong> Now the client needs to verify that the response genuinely came from <a href="http://www.xyz.com/">www.xyz.com</a> and not from someone in the middle trying to supply false information. The client contacts the certificate authority (CA) and provides <a href="http://www.xyz.com/">www.xyz.com</a>’s public key for verification.</p>
<p style="text-align: justify;"><strong>6.</strong> Let us assume the request is genuine. The CA sends the information (the valid public key) back to the client, encrypted with the CA’s private key. Now why is this encryption done, when the client only asked for a validation? The encryption tells the client that the CA is the one sending this information, because the client can only decrypt it using the CA’s public key. This means the information is authentic and was sent by the CA itself.</p>
<p style="text-align: justify;"><strong>7.</strong> The client decrypts the information sent by the CA using the CA’s public key and reads the message (the valid public key).</p>
<p style="text-align: justify;"><strong>8.</strong> Now the client is satisfied that the public key of <a href="http://www.xyz.com/">www.xyz.com</a> is genuine. Next, the client chooses the cipher and the symmetric key (password) that it will use for data encryption; the possible ciphers are those received from the server at step 4. All this information is encrypted using the public key of <a href="http://www.xyz.com/">www.xyz.com</a>. Now why is this done? Encrypting the information with <a href="http://www.xyz.com/">www.xyz.com</a>’s public key means that only <a href="http://www.xyz.com/">www.xyz.com</a> can decrypt it, using its private key.</p>
<p style="text-align: justify;"><strong>9.</strong> <a href="http://www.xyz.com/">www.xyz.com</a> receives the information and decrypts it using its private key. Now the client and server are ready to transmit information encrypted with the chosen cipher and password.</p>
<p style="text-align: justify;"><strong>Step 3</strong> – initiation of the connection  </p>
<p style="text-align: justify;"><strong>Step 6</strong> – confirmed that we are communicating with whom we want to communicate  </p>
<p style="text-align: justify;"><strong>Step 8</strong> – decided on protecting the data and hence chose the cipher and password  </p>
<p style="text-align: justify;"><strong>Step 9</strong> – secure communication established  </p>
<p style="text-align: justify;">Hope this makes it clear and simple. If you have any questions or you feel that this can be further simplified, please do let me know.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2010/03/16/ssl-how-it-works/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Assessing C-I-A values.</title>
		<link>http://infosecminds.com/2009/12/23/assessing-c-i-a-values/</link>
		<comments>http://infosecminds.com/2009/12/23/assessing-c-i-a-values/#comments</comments>
		<pubDate>Wed, 23 Dec 2009 09:31:44 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[CIA Triad]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[Information Security Risk Management]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[asset values]]></category>
		<category><![CDATA[C-I-A]]></category>
		<category><![CDATA[Information Security]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=195</guid>
		<description><![CDATA[It is a common discussion during an information security risk assessment exercise at most organizations. As a general practice, the asset value is derived by weighing the confidentiality (C), integrity (I) and availability (A) values of an asset. While assets are categorized into Information, Hardware, Software, Service and People, my argument always [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">It is a common discussion during an information security risk assessment exercise at most organizations. As a general practice, the asset value is derived by weighing the confidentiality (C), integrity (I) and availability (A) values of an asset. While assets are categorized into Information, Hardware, Software, Service and People, my argument has always been that C-I-A values can be assessed for Information Assets only, and for all others it should be just the availability value.</p>
<p style="text-align: justify;">Now, let’s look at the definition of information assets. Information assets are basically data in transit or at rest, including data on paper. With this in mind, I think it is easier to assess the C-I-A values of these assets. Let us take an example:</p>
<p style="text-align: justify;">A contract document is an information asset; or take the file server in an organization: the “data” on the file server is an information asset. How much impact would the organization suffer if the information in the document were exposed to unauthorized persons? If the impact is low, the confidentiality value is low, and if the impact is high, the confidentiality value is high. The same applies to Integrity and Availability: if the impact of losing integrity or availability is high, it is rated high, otherwise low. After determining the C-I-A values, the asset value is derived either by taking the highest of them or with some simple calculation.</p>
<p style="text-align: justify;">Let’s consider the C-I-A values for a hardware asset. The confidentiality value of a hardware asset is derived from the information it holds, and hence I feel there would be duplication if we considered the confidentiality value here. We are considering the hardware asset as a whole, and hence the integrity of the server is not applicable here. Availability is the value we need to consider for a hardware asset.</p>
<p style="text-align: justify;">What we have seen for hardware assets applies equally to software and service assets. Now let us look at the people asset.</p>
<p style="text-align: justify;">If we try to assess the C-I-A values of a person, let’s say the CEO of the organization, yes, he holds confidential information. But how do we assess the confidentiality value? It is hard to determine the information he holds in his memory, and it may also vary constantly. This means you cannot rate the “C” as either high or low at a given point in time. I am not quite sure about the integrity aspect, and coming down to the availability value, this definitely needs to be assessed.</p>
<p style="text-align: justify;">Again, the availability value of a people asset should, according to me, always be set to high, irrespective of designation, age, gender and so on. Why?</p>
<p style="text-align: justify;">Controls are implemented based on the derived risk value. The risk value is proportional to the asset value, which means that if the asset value increases, so does the risk value. In this context, let us take an example:</p>
<p style="text-align: justify;">Contract document (Information Asset): C-I-A value 5 × Threat 3 × Probability 3 = 45 (Risk Value)</p>
<p style="text-align: justify;">IT Manager (People Asset): A value 3 × Threat 3 × Probability 1 = 9 (Risk Value)</p>
<p style="text-align: justify;">In the above scenario, the information asset has a higher risk value than the people asset. If a fire breaks out in the organization, which of these assets will be better protected or rescued? People will always be considered first during a disaster, and hence the asset value of people should always be rated high. You may then ask: if we already know that people come first, why should we even consider listing people assets in the risk assessment exercise? Well, your thoughts?</p>
<p style="text-align: justify;">I would even look at why we need to consider hardware, software and service assets in the assessment at all, because all their values are anyway dependent on the information they hold or transmit.</p>
<p style="text-align: justify;">Your thoughts again.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/12/23/assessing-c-i-a-values/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Physical Security &#8211; At it&#8217;s best.</title>
		<link>http://infosecminds.com/2009/11/09/physical-security-at-its-best/</link>
		<comments>http://infosecminds.com/2009/11/09/physical-security-at-its-best/#comments</comments>
		<pubDate>Mon, 09 Nov 2009 12:24:36 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Physical Security]]></category>
		<category><![CDATA[Airport Security]]></category>
		<category><![CDATA[Metal Detectors]]></category>
		<category><![CDATA[Metor Metal Detectors]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=151</guid>
		<description><![CDATA[Just want to illustrate a couple of incidents on physical security that we commonly observe. Once, while driving through a technology park, I was stopped by a couple of security personnel. They requested me to open the boot of my car, and a second one was running a mirror underneath my car and looking [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Just want to illustrate a couple of incidents on physical security that we commonly observe.</p>
<p style="text-align: justify;">Once, while driving through a technology park, I was stopped by a couple of security personnel. They requested me to open the boot of my car, and a second one was running a mirror underneath my car and looking at something. Given the number of different car models that have come out on the market, I assumed that the underside of every car must be different, and out of curiosity I asked the security personnel what he was looking for. You will be amazed by the answer: “I am not sure sir, they have asked me to check and I am checking”.</p>
<p style="text-align: justify;">In the meantime, the one checking the boot of the car just opened the spare wheel compartment, looked around and closed the boot. Assuming they were checking for car bombs, are those the only places where one can be placed? If not, what is the purpose of this check? Are we not just wasting time and resources?</p>
<p style="text-align: justify;">In a similar incident, I was attending a training held at a hotel. I have attended many trainings there and had never seen any security checks. This time, as I drove in, one person was checking something underneath and the other was checking the boot, just as in the scenario above. It was a four-day training, and they did this to me for the first three days; on the fourth day, when one of the security personnel was beginning his check, the other shouted at him, “it is fine, please let Sir pass by”. That ended the effectiveness of a security control. Since I had not questioned them during the three days of checking, they had built up a sort of trust in me and bypassed the control.</p>
<p style="text-align: justify;">So if someone passes through a security channel a couple of times and obeys the security personnel, he/she has a high chance of being let in without passing through the security channel at all. This could be one reason for some of the breaches happening across the globe.</p>
<p style="text-align: justify;">On a recent trip by air, I was really bugged by a series of security checks that made me remove my waist belt every time, and nothing else. Now, thinking back, I try to understand why security is so annoying to non-security professionals.</p>
<p style="text-align: justify;">At one airport during departure, I had to pass through four metal detectors at different locations, and all four times the detector would beep at my waist belt. I had to remove it, place it on the luggage scanner and then pass through the metal detector again. I could see this happening with 90% of the passengers passing through that metal detector, and in every lounge I could find passengers busy putting their belts back on, including myself.</p>
<p style="text-align: justify;">What is more annoying is that the same does not happen when I visit a shopping mall equipped with metal detectors. In fact, at shopping malls I have never heard the metal detectors beep even once, for any reason. Whatever passes by the detectors is allowed through. So what we are implementing is a deterrent control using a tool that could serve as a preventive control.</p>
<p style="text-align: justify;">Looking at both scenarios, over- and under-implementation of controls, it is necessary that the authorized personnel take adequate steps to calibrate the equipment on a timely basis and cause minimum impact on the public. It should not reach a situation where human beings are sent through the luggage scanner just because the metal detector beeps even after they have completely stripped.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/11/09/physical-security-at-its-best/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Parkerian Hexad</title>
		<link>http://infosecminds.com/2009/08/16/149/</link>
		<comments>http://infosecminds.com/2009/08/16/149/#comments</comments>
		<pubDate>Sun, 16 Aug 2009 11:36:31 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[CIA Triad]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[ISO 27001:2005]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[Information Security Risk Management]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[CIA]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=149</guid>
		<description><![CDATA[The Parkerian hexad is a set of six elements of information security proposed by Donn B. Parker, renowned security consultant and writer. The term was coined by M. E. Kabay. The Parkerian hexad adds three additional attributes to the three classic security attributes of the CIA triad (confidentiality, integrity, availability). The Parkerian Hexad attributes are [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">The Parkerian hexad is a set of six elements of information security proposed by Donn B. Parker, renowned security consultant and writer. The term was coined by M. E. Kabay. The Parkerian hexad adds three additional attributes to the three classic security attributes of the CIA triad (confidentiality, integrity, availability).</p>
<p>The Parkerian Hexad attributes are the following:</p>
<ul>
<li>Confidentiality</li>
<li><strong>Possession or Control</strong></li>
<li>Integrity</li>
<li><strong>Authenticity</strong></li>
<li>Availability</li>
<li><strong>Utility</strong></li>
</ul>
<p style="text-align: justify;">These attributes of information are atomic in that they are not broken down into further constituents; they are non-overlapping in that they refer to unique aspects of information. Any information security breach can be described as affecting one or more of these fundamental attributes of information.</p>
<p>I don’t think I need to explain C-I-A here. Let’s look at the other attributes.</p>
<p><strong><span style="text-decoration: underline;">Possession or Control</span></strong></p>
<p style="text-align: justify;">Suppose a thief were to steal a sealed envelope containing a bank debit card and (foolishly) its personal identification number. Even if the thief did not open that envelope, the victim of the theft would legitimately be concerned that (s)he could do so at any time without the control of the owner. That situation illustrates a loss of control or possession of information but does not involve the breach of confidentiality.</p>
<p><strong><span style="text-decoration: underline;">Authenticity</span></strong></p>
<p style="text-align: justify;">Authenticity refers to correct labeling or attribution of information. For example, if a criminal forges e-mail headers to make it look as if an innocent person is sending threatening e-mail messages, there has been no breach of confidentiality (the thief uses his or her own e-mail account), possession (no information has been taken out of the control of the victim), or integrity (the e-mail messages are exactly as intended by the criminal).</p>
<p style="text-align: justify;">What is breached is authenticity: the e-mail is incorrectly attributed to someone else. Similarly, misusing a field in a database to store information that is incorrectly labeled is a breach of authenticity; e.g., storing a merchant&#8217;s tax code in a field labeled as the merchant&#8217;s ZIP code would violate the authenticity of the information.</p>
<p><strong><span style="text-decoration: underline;">Utility</span></strong></p>
<p style="text-align: justify;">Utility means usefulness. For example, suppose someone encrypted data on disk to prevent unauthorized access or undetected modifications – and then lost the decryption key: that would be a breach of utility. The data would be confidential, controlled, integral, authentic, and available – they just wouldn’t be useful in that form.</p>
<p style="text-align: justify;">Similarly, conversion of salary data from one currency into an inappropriate currency would be a breach of utility, as would the storage of data in a format inappropriate for a specific computer architecture; e.g., EBCDIC instead of ASCII or 9-track magnetic tape instead of DVD-ROM. A tabular representation of data substituted for a graph could be described as a breach of utility if the substitution made it more difficult to interpret the data. Utility is often confused with availability because breaches such as those described in these examples may also require time to work around the change in data format or presentation. However, the concept of usefulness is distinct from that of availability.</p>
<p style="text-align: right;">Source: www.wikipedia.org</p>
<p style="text-align: justify;">Having said this, I would like to discuss the possible controls that can be implemented to mitigate risks for the above three attributes.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/08/16/149/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
