Food for Thought

Security-Functionality-Usability Trade-Off

The S.F.U (Security, Functionality, Usability/Ease of Use) is a widely used security triad.

Image Referenced from [1]

In any implementation of security controls, all three factors (Security, Functionality, and Ease of Use) have to be considered carefully in search of a balanced trade-off for all stakeholders.

Using the S.F.U Security Triads

Simply focusing on any one individual factor will severely impair the others.

  • An increase in Security will impair Functionality and Usability
  • An increase in Functionality will cause vitiation of Security and Usability
  • An increase in Usability will reduce Security and Functionality

Hacking Functionality/Usability

Security is usually the one being undermined by many corporations, simply because it is not something that generates income for the organization. Although not included in the S.F.U security triad, an increase in Functionality and Usability means an increase in work efficiency.

Adversaries would love to see companies heading in that direction. With security concerns undermined, they could exploit the huge pool of vulnerabilities opened to them.

Other Write-up on S.F.U Security Triads

[1] Andrew Waite. InfoSec Triads: Security/Functionality/Ease-of-Use. June 12, 2010.


Security is only as Strong as its Weakest Link

A team of researchers from the Norwegian University of Science and Technology and the National University of Singapore pushed the envelope and discovered a method to intercept data by tapping an optical fibre cable. They designed an apparatus that is able to sniff data by reading the small light pulses transmitted in the cable. Hoi-Kwong Lo from the University of Toronto, too, unveiled an optical fibre hack by determining how the sender polarised their photons. By tricking the sender into sending tweaked photons, he is able to study the error rate and leverage the tweaks to compensate for the disturbances created by photon interception.

As [1] puts it:

Neither of these techniques actually breaks the fundamental principles on which quantum cryptography is based. They simply exploit loopholes introduced when it is reduced to practice.

Security will never be fair play. The blue team has to defend every single aspect of the infrastructure – Applications, Networks, and Operations. In contrast, the red team simply needs to discover a single vulnerability each time to compromise you.

Recalling a project I did on circumventing Microsoft Windows Encrypting File System (EFS) a year ago, I, too, tried to achieve my goal by exploiting implementation faults. Cryptography is a big field of study in mathematical science. Yet no matter what encryption one uses, the message will definitely be decrypted when it reaches the intended recipient. In computing, looting information from end-points is so much easier than intercepting encrypted messages and trying to decrypt them.

Security is only as strong as its weakest link. As a country you need to defend all domains of land, sea, and air. Singaporeans will not forget how the Japanese exploited our weak border defence up north that separates us from Malaysia when we placed most of our defences at Sentosa waiting for them to attack us from the south.

People, Process, Technology

The three basic domains of information security have to be considered when implementing security strategies.

Image Extracted from TechNet

Weakest Link – Exploiting the CIA Triad

CIA – Confidentiality, Integrity, and Availability – are the three core components of security. This triad appears in every corner of security. The absence of any component would cripple security. We have to ensure that data is protected (C) and trustworthy (I), as well as (A)vailable.

Image Extracted from Wikipedia

Confidentiality and Integrity are straightforward to security practitioners. But many confuse (A)vailability with (A)uthenticity in the CIA triad. The latter sounds more coherent when we think about security. Authenticity is more likely a supporting feature than a core component itself. Availability is core not just to security but also to your business.

When you are unable to download your files or play your games because your security suite is in your way, you switch it off. When your firewall is interrupting your business service, you switch it off. How much discipline do you think government bodies or the military have when their telecommunication is not audible due to the installation of encryption devices? How likely, then, will security work when there is no availability?

Security is only as strong as its weakest link – all security considerations (CIA) have to be thought through and integrated in every single domain (People, Process, and Technology) of your business.

[1] The Economist. Light Fantastic. 2010, 26 July

Security Professionals should Broaden Perspective

Ross Anderson & Tyler Moore, 2008

The economics of information security has recently become a thriving and fast-moving discipline. … The new field provides valuable insights not just into ‘security’ topics such as privacy, bugs, spam, and phishing, but into more general areas such as system dependability, and policy. … has been starting to spill over into more general security questions (such as law-enforcement strategy), and into the interface between security and social sciences. Most recently it has started to interact with psychology, both through the psychology-and-economics tradition… … Game theory and microeconomic theory has becoming important to the security engineer…

Information security is never a business on its own. It is an entity that is spawned in the presence of others. The field of information includes security, economics, social science, psychology, etc. Each of them correlates closely with the others.

No longer can security professionals be narrow-minded in their own technological fantasy. Studies of human cognitive models, social science, microeconomics, politics and international relations are necessary for us to create an impact and make the infocomm world a better place.

Judging trustworthiness: Mortal v. Virtual World

Judging trustworthiness is an activity that takes place in almost every part of our life: in every conversation we have with each other, in the news we read from the media, and in hiring new employees to your organization. It has always been a best practice for Human Resources (HR) to assess a candidate before coming to a decision on whether to hire him/her, taking precautions against introducing new risk to, for example, the organisation’s intellectual property. Such assessment, especially in sensitive sectors such as the military and intelligence agencies, could even go to the extent of performing a polygraph test on potential employees.

The case studies of Brian P. Regan [1, 2] and Bradley Manning [2] perfectly illustrate the decline in accuracy of such assessment. Things will just get worse over time in the information age we are living in.

Famously quoted from Dr. Joseph Krofcheck:
"Judging trustworthiness is currently geared only to evaluating behavior in the Brick and Mortar world."

The instinct that we are born with to judge worthiness only allows us to perform accurately in this brick and mortar world in which our species has been living for centuries. Our senses have yet to adapt to the young and neutral virtual world.

A person’s character in this “real” world does not exactly reflect who they are when they are acting in a virtual one. Here is an interesting example from Michael Theis in the Security Directions virtual conference: Envisage I’m your potential employer performing an assessment on you. I question whether you’ve committed a petty crime such as stealing. You think about it for a moment… you could probably have stolen some sweets or stationery when you were young… or maybe not… Probably I have my polygraph machine attached to you, and it would not reflect that you are lying. You would most likely protest because you are telling the truth! What about illegally downloading MP3 music on the Internet? Is that not considered stealing? Fair enough… you were not lying. 😉


  1. Michael C. Theis. Security Directions: A Virtual Conference – Meeting the Challenges of the Trusted Insider Threat.
  2. Wikipedia – Brian Patrick Regan.
  3. Kevin Poulsen & Kim Zetter. U.S. Intelligence Analyst Arrested in Wikileaks Video Probe.

It’s not the Technology… It’s the Assets!

Information security is no longer a “good to have”, but a “need to have”. Security mechanisms have become vital members of companies’ system architecture as more and more data is digitalised, and business workflows and transactions are carried out on the network backbone. Moreover, users are becoming more and more concerned with security threats. Information is the greatest asset of any organization; those who fail to secure their information can expect nothing less than failure in their business.

Does simply introducing security mechanisms to an organization’s system architecture really improve security?

Certainly, it helps the business’s reputation to show that it takes security matters seriously by implementing security mechanisms in its systems. But is it equivalent to taking asset security seriously?

The bottom line of security is asking yourselves: what are you defending, and against what? In most cases, you implement security mechanisms to protect your assets. It has been the principle of security for many centuries. Defining your goals/objectives, setting your priorities, and addressing your assets are vital. You do not want to allocate a huge amount of resources to protect your secondary assets and pay little attention to your primary assets. Having your primary assets less secured than your secondary ones is a great treat for your adversaries.

Duress Code

According to Wikipedia, a duress code is a covert signal used by an individual who is under duress to indicate their state. Duress codes are used widely across the world, in many different facets ranging from checkpoints and burglar alarm systems to computer security.

Duress Code in Action

My first encounter with a duress code was as an antipode of a false positive in a burglar alarm system; a code used to inform the security officer that you are under duress (e.g. held at gunpoint to indicate that the alarm is a false positive). It is an interesting and useful innovation in the security field. It didn’t take long for cryptographers to pick up the idea.

Duress Code Improvement

Personally, I think a duress code might not be as usable as we thought it would be, especially when the user comes to the state of duress. What’s the chance that people will forget the code in that state of mind? What’s the chance that people will remember a code they rarely use when most of the time they cannot recall the passwords of applications that they seldom use?

My idea is not exactly an improvement to the system. More like a “better usability suggestion.” Adopted from form validation best practices – deny everything, accept what is expected. In other words, it means everything is a duress code. You just need to remember your false positive code (remembering one code instead of two).

You may argue that you may forget your false positive code and your security agent will come running to your house when it’s just a false alarm. You just have to ask yourselves two questions:

What’s the chance of you being unable to recall your “password” in a state of duress compared to when you are not?

Do you prefer your security agent to “drop by” when it’s a false alarm? Or not caring about you because you could not remember your duress code when you are held at gunpoint?
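
The difference between the conventional two-code scheme and the "everything is a duress code" suggestion can be shown as a small alarm-panel model. This is an added example, not code from the original post; the class names, the keypad messages and the sample codes in the usage note are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from enum import Enum

class Action(Enum):
    STAND_DOWN = "stand down"  # alarm confirmed false, nobody is sent
    DISPATCH = "dispatch"      # treated as duress, responders are sent
    RETRY = "retry"            # two-code scheme only: code not recognised

def _digest(code: str, salt: bytes) -> bytes:
    # Store a salted hash of each code, never the code itself.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

class TwoCodePanel:
    """Conventional scheme: a disarm code plus a separate duress code."""

    def __init__(self, disarm: str, duress: str):
        self.salt = os.urandom(16)
        self.disarm = _digest(disarm, self.salt)
        self.duress = _digest(duress, self.salt)

    def enter(self, code: str) -> Action:
        d = _digest(code, self.salt)
        if hmac.compare_digest(d, self.disarm):
            return Action.STAND_DOWN
        if hmac.compare_digest(d, self.duress):
            return Action.DISPATCH
        return Action.RETRY  # a misremembered duress code sends no help

class DefaultDenyPanel:
    """Scheme from the text: only the false positive code is accepted."""

    def __init__(self, false_positive: str):
        self.salt = os.urandom(16)
        self.ok = _digest(false_positive, self.salt)

    def enter(self, code: str) -> Action:
        if hmac.compare_digest(_digest(code, self.salt), self.ok):
            return Action.STAND_DOWN
        return Action.DISPATCH  # everything else is a duress code

def keypad_text(action: Action) -> str:
    # A duress signal is covert: dispatch must look identical to stand-down.
    return "Invalid code" if action is Action.RETRY else "Alarm cancelled"
```

With constructed codes, `TwoCodePanel("4821", "9137").enter("9173")` returns `Action.RETRY` (a transposed duress code summons nobody), while `DefaultDenyPanel("4821").enter("9173")` returns `Action.DISPATCH`.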