Sunday, May 13, 2007

Dedication - The Dark @rts

The world that we occupy today is dominated by our complete dependence on Information Processing Systems (IPS). One only need to look closely at modern inventory management and you can see that businesses today can’t live without the IPS infrastructure that enables higher profits through improved efficiencies gained by highly integrating processes and Information Technology (IT).

What this means for anyone who wants to compete in the world today is that you have to either operate with slave labor or invest in integrating IPS into your business. It does not matter what that business is or what you do with the data that is processed. You could be a director in a federal agency or the CEO of any size or manner of company. If you want to be competitive you have to “trust” that your IPS is operating with all the assurances that you won’t wake up in the morning to discover that your entire life just went “poof” due to a malicious compromise of your IPS.

An Information Processing System (IPS) is more than hardware and software. The modern IPS is composed of every single aspect that is needed for an organization to input and output data to yield the desired results for that company or government agency. This means that as information managers we need to redefine the basic roles and responsibilities in the organization. The current thinking with regards to role and responsibilities is that “IT” handles data and everyone else just does their jobs and relies on IT to function as required without the “users” thinking about what is going on to ensure that the support that IT provides is there.

It is after all the human element that keeps information security practitioners like me gainfully employed. Human behavior has and continues to drive security regardless of assets that are being protected. One of the key challenges to information security of a modern IPS is that humans while inherently predictable, within the constraints of defined sociology, are at the same time completely unpredictable. It is at this point in the evolution of the IPS that humans continue to be the driving source behind all exploitations of vulnerabilities within the IPS. It is also humans that make understanding risk to operations of IPS inherently unpredictable and ergo almost impossible to quantify in terms that a business or government can fully to plan for.

This is especially true within the US Federal Government where risk of operating information processing systems is not always clearly understood and the ability of managers to achieve high degrees of confidence that risk has been mitigated to acceptable levels is often qualitatively assessed. The qualitative assessment is tantamount to “Black Majic” or “Voodoo”. The system owner or operator makes a best guess and moves forward while often placing a blind fold on and “trusting” that everything will be okay. This kind of assessment is rampant within US Federal Government as apparent by testimony from Donald Reid, senior coordinator for Security Infrastructure at the State Department's Bureau of Diplomatic Security who said officials felt "pretty confident" that the recommended wrapper was the best course of action, although it was a difficult decision.

[ref: http://homeland.house.gov/about/subcommittees.asp?subcommittee=12]

In response to Mr. Reid’s comment Rep. James Langevin, D-R.I. said “I believe they made the determination that accessibility to data is more important than confidentiality and integrity.” To make a determination one needs to understand all the vectors that impact that choice. To be truly informed with regards to information security we need to be able to see clearly the future. After all how would you be able to be absolutely sure that the countermeasures that were put in place could withstand the random actions of a human being?

There are those out there that might read this and think I am on crank. The question might be posed “What about bot nets, malware, and other robots on the net?” I say that not a single line of code has been written by a machine that wasn’t first written by a human first. We are the progenitors of our own destruction. The day that machines have the ability to capture the level of creation that only humans and other mammals are privileged to enjoy is the day I check out for good.

The challenges we face as security practitioners today are more complex, more daunting, and carry more liability than ever before. In the beginning, no not the UNIVAC, there were mainframes. Security was simplistic compared to today. Access controls were centrally managed and architectures were fairly simple by today’s standards. A user had no real processing power at the terminal other than what was doled out by the central core. More importantly the knowledge to manipulate those early systems was also mostly centralized.

Understanding risk to the IPS was also easier to assess and report in the beginning. Bad code, human errors, and mechanical failure were leading causes of system failure. After 40 years those 3 basic areas of flaw remediation are with us like a moon and sun. Rising and falling with every iteration of generations of IPS.

What has changed is our relationship to risk. Risk has been with us since the beginning of time. What has changed is the scale of the consequences for failure of the IPS to perform the most basic of functions. That being the input and output of data flow in the designated direction and destination without corruption of the data, eavesdropping, or flat out failure to reach the intended destination. The stakes have never been higher and yet the risks are not fully understood. Mitigation of risk is currently performed to “acceptable” levels based on a level of trust and assurance that risk has been managed to the degree established by the organization, government, or corporation.

Risk is assumed, trusted, qualitatively, and even sometimes quantitatively assessed. These assessments assume many vectors to be both true and false and often trust that the worst case scenario will never happen. It is after all part of being human to go through life never expecting the worst things to happen.

Information Security has evolved from a very simplistic methodology of vulnerability remediation to the "The Dark @rt" (or Voodoo) that we see today. Today security practitioners anywhere can tell you what has been done and what threats have been mitigated. But no one can tell you with absolute certainty what will happen. This is the essence of “The Dark @rts” to which I am dedicating this blog to. To be able to provide true 360 degree visibility over the flow of data that passes through any organization, company, or government IPS.

We live in a world driven not by smokestacks and steel factories but digital shop floors where knowledge products are created and pedaled on a global scale. It is this world we protect and serve.

V/r Halon

No comments: