I won't dive into those results here, except to say they have revealed something that, perhaps, I should have already known: there's a gap between what we want to do and what we're able to do.
I've been having a back-and-forth with one such editor, and following is my e-mail where I tried to both distill the meaning of Integrity, and show how the focus on Integrity starts with the system - not the data.
This is my classic method - use examples, preferably car examples, to describe the more intellectual subjects of information security. Sadly, this shows that what you see here in my blog is exactly how I write - and how I think.
After reading this e-mail, the editor said it needed to be published. So, here it is. Enjoy.
(Note: the editor I was talking to is British, hence the selective use of a few words in here like "petrol" for "gas".)
I think I need to take another run at explaining Integrity.
Yes, it’s all about the data. But, sometimes, it’s about the systems, too.
Take a system like your car. You’re the data, the car is the system that handles the data. The purpose of the car is to deliver the data safely at its destination while allowing some changes (aircon, heating) and not allowing others (theft), and protecting from the eventuality of yet others (seat belts, airbags).
Think about all the components of that car. As a driver, you’re relying on the integrity of every component – the steering, the engine, the suspension, the brakes, the tires – but the only assurance you have that your car still has integrity is the garage it’s parked in, a check engine light, and a penetration car alarm.
A criminal picks you. They put a pinhole in the fuel line feeding petrol to the engine. Sure enough, the car alarm goes off – but, of course, car alarms go off ALL THE TIME, so no one checks it. (Barking dog syndrome.) A fuel line won’t trigger the Check Engine Light. Do you know your car’s integrity has been compromised? No, and somewhere along your drive to your next destination, your system flames out and self-destructs. Hopefully you get out safely (probably, since cars are designed to handle engine fires).
What happens if the pinhole is in the brake system? One time you go to stop – no brakes. That’s much worse.
Now, a real hacker wouldn’t even set off the penetration car alarm. They’d sit and wait, capture the signal from your remote keyless entry, and use that to disable the alarm before opening the (now unlocked) car. They’d put a camera and GPS in the car to see all the data and track the use of the system. They’d accumulate the information, periodically re-entering the system to retrieve the captured information. The most you’d notice is a new rattle in the dash and finding your car strangely unlocked some random mornings – which you attribute to old age.
The garage is the company firewall. The car alarm is the host IDS. The check engine light is the SIEM. Each suits their purpose perfectly, but each can be circumvented in the process of compromise of the overall system.
Integrity monitoring would catch these events. It would see that the fuel line has been modified, the brake line has been modified. It would even report the hood being opened. It will even alert you when your oil was changed – but, since you planned that, you’ll dismiss it.
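To make the integrity-monitoring idea concrete, here is a small file-integrity baseline-and-compare routine written for this post as an added example (it is not the author's code and not any product's implementation). It hashes every file under a directory, compares a later snapshot against the baseline, and separates planned changes (the scheduled oil change, supplied as an approved list) from unplanned ones (the fuel line tampering and a new file that appeared). The directory layout, file names and the helper names build_baseline and diff_baseline are constructed for the illustration.

```python
"""Minimal file-integrity baseline/compare, constructed as an illustration.

Helper names (build_baseline, diff_baseline, demo) are hypothetical and
belong to this example only, not to any monitoring product.
"""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Hash every regular file under root, keyed by its relative POSIX path."""
    root_path = Path(root)
    baseline = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root_path).as_posix()] = _sha256(p)
    return baseline


def diff_baseline(old: dict, new: dict, approved: set) -> dict:
    """Compare two baselines and classify every difference.

    approved: relative paths whose change was planned (the "oil change").
    Returns the raw modified/added/removed lists plus two views of them:
    'unplanned' (what the operator must look at) and 'planned' (seen and
    dismissed because it was expected).
    """
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    changes = modified + added + removed
    return {
        "modified": modified,
        "added": added,
        "removed": removed,
        "unplanned": [p for p in changes if p not in approved],
        "planned": [p for p in changes if p in approved],
    }


def demo() -> dict:
    """Constructed scenario: baseline a directory, change it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "fuel_line.conf").write_text("pressure=3bar\n")
        (root / "etc" / "brake_line.conf").write_text("fluid=dot4\n")
        (root / "etc" / "oil.conf").write_text("grade=5w30\n")
        before = build_baseline(tmp)

        # Planned maintenance: the oil change was scheduled, so it is approved.
        (root / "etc" / "oil.conf").write_text("grade=0w20\n")
        # Unplanned: the fuel line was altered and an unknown file appeared.
        (root / "etc" / "fuel_line.conf").write_text("pressure=3bar\n# pinhole\n")
        (root / "etc" / "tracker.bin").write_bytes(b"\x00\x01")
        after = build_baseline(tmp)

        return diff_baseline(before, after, approved={"etc/oil.conf"})


if __name__ == "__main__":
    result = demo()
    print("unplanned changes:", result["unplanned"])
    print("planned (dismissed):", result["planned"])
```

The point the example makes is the one in the paragraph above: the monitor reports every change, including the oil change, and it is the approved list, maintained by whoever planned the maintenance, that lets the operator dismiss the expected event without hiding the unexpected ones.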
As an aside, encryption tints the windows. No one can see the data within the car, but everyone still knows there’s a car carrying data – and, now, suspects it’s valuable.