Why do you "parrot" the exact same thing that has been told --repeatedly --
over the past 15 years? They have you brainwashed! How many principles do you
think there really are (and not just the ones that ISC(2) *tells* you that
there should be)? What do you think makes up the components of a good security
model? What defines the best practices, and how should it be enabled? Are 3
overly simplified principles the only key? I disagree.
Security is not about "absolutes", but about "resolutes". It is (most of the
time) "hit or miss", sometimes hitting dead nuts on target, other times,
completely missing the target entirely. There will *never* be "absolute
security", because of the random, human factors that are involved, no matter
how much business and government attempt to accurately predict human behavior.
To me, "confidentiality" is based on how well you can keep a secret. This
(again, to me), is dependent upon the "integrity" of the data, as well as it's
"availability". If it's not available, you have nothing to control the secret.
If the data has been tampered, you (again) have nothing to keep secret. The
levels of confidentiality are dependent upon those 2 principles (using your
ISC(2) security model). Expanding on the security model, to me, "intelligence"
carries a fair share amount of weight, as does "information" itself. The
reason for mentioning "information" is that if it's useless "information", why
bother protecting it? Henceforth, why the U.S. government has both
intelligence and information assurance offices. The IA offices determine if
the information is useful. The intelligence offices determine how it should be
determined (I know that sounds circular, but hey, welcome to the redundant
world of redundant systems of a redundant world...confused yet?) If businesses
and government (alike) didn't agree with that statement, then we wouldn't have
those 2 kinds of organizations throughout the world; therefore, the security
model is inclusive to these 2 additional elements.
My quote for 2006: "The best security is no security that's needed." Think
about it... ;))
-rad
----- Original Message -----
From: Saqib Ali [mailto:docbook.xml@gmail.com]
To: Jason Muskat [mailto:Jason@techdude.ca]
Cc: Bob Radvanovsky [mailto:rsradvan@unixworks.net], "Sadler, Connie"
[mailto:Connie_Sadler@brown.edu], email@securityabsurdity.com,
security-basics@securityfocus.com
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And
Total Failure of Information Security."
Security has to be correct 100% of the time. One omission can lead to an
I don't disagree with you. However aboslute security requires absolute
non-existence of the information. For e.g. You can have IPS, IDS, DRM,
TPM, AV, Firewall etc on your netowork, but as soon as somebody prints
out that confidential document and tosses it in a garbage can, you
security goes with it.
Another e.g.: Everyone knows that one-time pad provides the "perfect
secrecy". But then how did the British intercept the Soviet
communications???? Soviet re-used the OTP, which allowed for
statistical analysis and/or pattern matching. Re-using seemed pretty
harmless at that time, but in retrospect it was a big mistake. Isn't
everything in retrospect a mistake?
Security has 3 core priciples Confidentiality(non-disclosure),
Integrity, Availability(non-destruction). In in way Confidentiality is
inversely propotional to Availability (i think). By making something
available you are increasing the chances of its disclosure. So in
theory 100% security is not possible.
--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------
