Wed, 8 Jun 2011
Over the last few years there has been a popular meme talking about information centric security as a new paradigm over vulnerability centric security. I've long struggled with the idea of information-centricity being successful, and in replying to a post by Rob Bainbridge, quickly jotted some of those problems down.
In pre-summary, I'm still sceptical of information-classification approaches (or information-led control implementations) as I feel they target a theoretically sensible idea, but not a practically sensible one.
Information gets stored in information containers (to borrow a phrase from Octave) such as the databases or file servers. This will need to inherit a classification based on the information it stores. That's easy if it's a single purpose DB, but what about a SQL cluster (used to reduce processor licenses) or even end-user machines? These should be moved up the classification chain because they may store some sensitive info, even if they spend the majority of the time pushing not-very-sensitive info around. In the end, the hoped-for cost-saving-and-focus-inducing prioritisation doesn't occur and you end up having to deploy a significantly higher level of security to most systems. Potentially, you could radically re-engineer your business to segregate data into separate networks such as some PCI de-scoping approaches suggest, but, apart from being a difficult job, this tends to counter many of the business benefits of data and system integrations that lead to the cross-pollination in the first place.
Next up, I feel this fails to take cognisance of what we call "pivoting"; the escalation of privileges by moving from one system or part of a system to another. I've seen situations when the low criticality network monitoring box is what ends up handing out the domain administrator password. It had never been part of internal/external audits scope, none of the vulns showed up on your average scanner, it had no sensitive info etc. Rather, I think we need to look at physical, network and trust segregation between systems, and then data. It would be nice to go data-first, but DRM isn't mature (read simple & widespread) enough to provide us with those controls.
Lastly, I feel information-led approaches often end up missing the value of raw functionality. For example, a critical trade execution system at an investment bank could have very little sensitive data stored on it, but the functionality it provides (i.e. being able to execute trades using that bank's secret sauce) is hugely sensitive and needs to be considered in any prioritisation.
I'm not saying I have the answers, but we've spent a lot of time thinking about how to model how our analysts attack systems and whether we could "guess" the results of multiple pentests across the organisation systematically, based on the inherent design of your network, systems and authentication. The idea is to use that model to drive prioritisation, or at least a testing plan. This is probably closer aligned to the idea of a threat-centric approach to security, and suffers from a lack of data in this area (I've started some preliminary work on incorporating VERIS metrics).
In summary, I think information-centric security fails in three ways; by providing limited prioritiation due to the high number of shared information containers in IT environments, by not incorporating how attackers move through a networks and by ignoring business critical functionality.
Categoriers
.ac.za (1).za (2)
44con (4)
about:us (42)
analysis (7)
auctions (1)
auditors (1)
b-sides (2)
blackhat (23)
blog (10)
broadview (4)
build-it (1)
ccdcoe (1)
cloud (12)
community (21)
conferences (75)
consulting (1)
crypto (6)
estonia (1)
fail (3)
foos (1)
footprinting (2)
fun (52)
goodbye (1)
hackathon (1)
hackrack (2)
Hope? (2)
howto (14)
imsojaded (2)
infosec-soapies (25)
infrastructure (3)
interns (1)
ios (1)
jobs (3)
local (7)
mac (15)
management (12)
materials (4)
memcached (2)
memory (1)
metasploit (3)
metricon (2)
metrics (3)
mindless-politics (4)
mindmaps (1)
mobile (5)
modelling (5)
PCI (2)
penny (1)
pentest (4)
phone (1)
pickle (4)
policy (1)
post-exploitation (1)
post-it (1)
presentations (3)
Press (3)
privacy (7)
product (2)
programming (14)
public (360)
python (7)
qo[w|m|?] (5)
rambling (2)
README (1)
real-world (17)
Release (3)
report-info (1)
research (55)
reversing (12)
risk (2)
SAP (2)
security-fyi (8)
security-news (6)
shells (1)
silly-yammerings (20)
skype (2)
solution (1)
suru (1)
tech-toys (3)
threat (5)
time-waster (6)
tin-foil-hat (6)
tools (50)
training (38)
travel (2)
tricks (3)
UK (2)
Uncategorized (3)
uncon (2)
vendors (7)
videos (6)
vulnerability (10)
wasc (1)
webapps (6)
web_x.0 (2)
wifi (1)
windows (1)
writing-advice (1)
zaprize (2)
zen-hacking (6)
Archives
May 2013 (3)April 2013 (2)
March 2013 (4)
Feburary 2013 (2)
January 2013 (1)
December 2012 (3)
November 2012 (6)
October 2012 (1)
September 2012 (3)
August 2012 (3)
July 2012 (1)
June 2012 (2)
May 2012 (5)
April 2012 (1)
March 2012 (3)
Feburary 2012 (1)
December 2011 (3)
November 2011 (2)
October 2011 (6)
September 2011 (3)
August 2011 (3)
July 2011 (3)
June 2011 (2)
May 2011 (6)
March 2011 (3)
Feburary 2011 (3)
January 2011 (1)
December 2010 (2)
November 2010 (4)
October 2010 (3)
August 2010 (4)
July 2010 (1)
June 2010 (4)
May 2010 (3)
April 2010 (3)
March 2010 (7)
Feburary 2010 (2)
January 2010 (3)
December 2009 (4)
November 2009 (4)
October 2009 (3)
September 2009 (5)
August 2009 (9)
July 2009 (1)
June 2009 (5)
May 2009 (4)
April 2009 (10)
March 2009 (13)
Feburary 2009 (12)
January 2009 (11)
December 2008 (9)
November 2008 (8)
October 2008 (5)
September 2008 (5)
August 2008 (6)
July 2008 (6)
June 2008 (6)
May 2008 (2)
April 2008 (3)
March 2008 (7)
Feburary 2008 (12)
January 2008 (9)
December 2007 (8)
November 2007 (4)
October 2007 (9)
September 2007 (14)
August 2007 (18)
July 2007 (13)
June 2007 (17)
May 2007 (2)
July 2006 (1)
April 2006 (1)
August 2005 (1)
June 2005 (1)
May 2005 (2)
- Social:
- E-mail: info@sensepost.com
- Tel (South Africa): +27 (0)12 460 0880
- Tel (United Kingdom): +44 (0)20 7956 8826
- Accreditations: PCI ASV, CREST
United Kingdom
- 37th Floor
- 1 Canada Square
- Canary Wharf
- London
- E14 5AA
- United Kingdom
South Africa
- Lakeview 2
- 138 Middel street
- Nieuw Muckleneuk
- Pretoria
- South Africa
My view is from inside the organisation and relates to how we would look to identify where to apply the right control/s to secure our information. The solution should consider attack vectors and vulnerabilities as a control must be applied in the right location at the right time, otherwise it will be ineffective. I also believe that context-awareness is going to become more important, and can form part of the control environment (simple example is to restrict access to some information types based on locat
ion from which it is being accessed such as a public network or mobile device).
A vulnerability-centric model works well for external assessments to test how an attacker could gain access to company information, and provides a manner to validate that the internal control environment is suitably designed and deployed.
Not sure if I'm talking about control validation techniques or security models now :-P
(Another response to your comment back on my blog)
As for the business risks side, the process is still specifically weak there. Existing risk data is used to assign a value to a system. Ideally, the output of existing "criticality-based" approached can be used here. This is an input into the model, and is used to weight the impact of a breach on certain system's components. However, the end result is a list of attacks (physical, technical logical) that could occur. These are very much phrased in the language of information security, and not trivially accessible to board-level, although, beyond short attention spans for sec-risks, I'd like to think the giant blue bar labelled "theft of critical IP from internal employees" next to a small one labelled "0day used on garden shack access control system" in the summary dashboard would be somewhat accessible. In trying to provide one summary view to rule them all, the closest I've gotten is a frequency curve polynomial trend line. It provides a nice picture against which improv
ements can be tracked.
However, there is no in-methodology or easy way to compare the output with, say, the risk of the CFO making poor investment choices, although, I'm no sure an approach for that can be generalised, and may need people with a deep context for the business to rank them.
ng for "dominic white veris".
Information-centric security is only part of a total security solution. Loo=
k for Chris Hoff's comments.=20
True information-centric security would take care of all of the issues that=
Dominic highlights in the original article but true information-centric se=
curity is not available yet. However, there is no reason that we can't use =
what we do have. If you look at most of Information Security tools, there a=
re very few that protect the actual data and not the underlying infrastruct=
ure and there needs to be more. Information is quickly becoming separate fr=
om the infrastructure and this makes it more difficult to protect.
This is not to say that a good threat model is not useful. My feeling is th=
at to compare threat modelling with information-centric security is not eve=
n an apples-oranges comparison but more like comparing apples with orange-t=
rees.=20
- Allen