Wednesday, February 18, 2009

Is the CIA model still relevant?

When one thinks of securing information, practitioners will recite the standard CIA mantra: we need to protect information from confidentiality, integrity and availability threats. Some call these security primitives, attributes, goals, objectives, aspects, qualities, a threat taxonomy, and so on.

Since there is no clear consensus on this matter (as far as I can tell), I'll just refer to them as threats to information assets that the owner needs to protect against. Is the CIA model still relevant, though, given today's evolving threats?

Consider the following scenario. Bob, a developer, is in financial trouble and needs a quick "loan" to settle some debts. Lucky for him, he has a transaction account with his employer, a bank. Using a service account, he logs on to the transaction database and makes a small "deposit" into his account by altering his bank balance (the asset).

Looking at the CIA model, we find that there was no breach of confidentiality: the balance has not been disclosed. The integrity of the database appears intact: its redundancy checks still pass. The database holding his balance is still available, so he runs down to the street and makes an ATM withdrawal.

Did the CIA model consider these information threats?

Donn Parker, in his seminal work Fighting Computer Crime, proposed a model that extends the CIA triad with three additional non-overlapping (atomic) attributes or threats.

  • Confidentiality was extended to include Possession/Control. An adversary may steal a memory stick holding your private key but not have the pass phrase needed to use it. Confidentiality has not been breached, yet the adversary now has possession and control of your information asset.
  • Integrity was extended to include Authenticity. An adversary may gain unauthorized access to a database and update a table. Internal and external consistency checks (integrity) will pass, but the table now contains tampered data that is not authentic or trustworthy.
  • Availability was extended to include Utility. A user may encrypt their private key with a pass phrase. If they forget the pass phrase, the usefulness (utility) of the information asset is lost: the information is still available but not usable.
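To make the gap between an integrity (redundancy) check and an authenticity check concrete, here is an added example in Python; it is not part of the original post or of Parker's book. It replays the Bob scenario from above: a balance row carries a CRC32 that anyone with write access can recompute, plus an HMAC tag keyed with a key the transaction service holds but the database service account never sees. A reconciliation of the balance against its posted transactions is included as an example of a control that catches the change from the outside. The key, the account, the transaction history and all function names are constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import zlib
from dataclasses import dataclass

# Hypothetical signing key held only by the transaction service (constructed
# for this example). Bob's database service account can read and write rows
# but never sees this key.
LEDGER_KEY = b"example-ledger-key-held-by-transaction-service"


@dataclass
class AccountRow:
    """One row of the balances table, as the database would store it."""
    account_id: str
    balance_cents: int
    crc: int = 0          # unkeyed redundancy check stored beside the row
    tag: bytes = b""      # keyed authenticity tag over the same fields


def row_bytes(account_id: str, balance_cents: int) -> bytes:
    """Canonical encoding of the fields both checks cover."""
    return f"{account_id}:{balance_cents}".encode()


def post_row(account_id: str, balance_cents: int, key: bytes) -> AccountRow:
    """The transaction service writes a row: it computes both the CRC and the HMAC."""
    data = row_bytes(account_id, balance_cents)
    return AccountRow(
        account_id=account_id,
        balance_cents=balance_cents,
        crc=zlib.crc32(data),
        tag=hmac.new(key, data, hashlib.sha256).digest(),
    )


def integrity_ok(row: AccountRow) -> bool:
    """Redundancy check (Parker's integrity): the row is internally consistent."""
    return zlib.crc32(row_bytes(row.account_id, row.balance_cents)) == row.crc


def authentic(row: AccountRow, key: bytes) -> bool:
    """Authenticity check: the row was produced by a holder of the key."""
    expected = hmac.new(key, row_bytes(row.account_id, row.balance_cents),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, row.tag)


def reconciles(row: AccountRow, transactions: list[tuple[str, int]]) -> bool:
    """External consistency: the balance must equal the sum of posted transactions."""
    posted = sum(amount for acct, amount in transactions if acct == row.account_id)
    return row.balance_cents == posted


def bob_alters_balance(row: AccountRow, new_balance_cents: int) -> None:
    """Bob, via the DB service account, rewrites the row. He can recompute the
    unkeyed CRC, so the redundancy check still passes, but without LEDGER_KEY he
    cannot produce a matching tag, so the stale one stays in place."""
    row.balance_cents = new_balance_cents
    row.crc = zlib.crc32(row_bytes(row.account_id, row.balance_cents))


def run_scenario() -> dict[str, tuple[bool, bool, bool]]:
    """Returns (integrity, authenticity, reconciliation) before and after tampering."""
    # Constructed transaction history for Bob's account: 50.00 in, 20.00 out.
    transactions = [("bob", 5000), ("bob", -2000)]
    row = post_row("bob", 3000, LEDGER_KEY)
    before = (integrity_ok(row), authentic(row, LEDGER_KEY), reconciles(row, transactions))
    bob_alters_balance(row, 1_000_000)
    after = (integrity_ok(row), authentic(row, LEDGER_KEY), reconciles(row, transactions))
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, (i, a, r) in run_scenario().items():
        print(f"{stage}: integrity={i} authentic={a} reconciles={r}")
```

Before tampering all three checks pass; afterwards the CRC still passes while the HMAC and the reconciliation fail. The caveat a practitioner should keep in mind is that the authenticity check is only as good as the separation of the key: if LEDGER_KEY lived in a table Bob's service account could read, he could re-sign the row and the tag would pass just like the CRC does.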

M.E. Kabay of Norwich University, an advocate of this model, calls it the Parkerian Hexad. I really like this model since it clearly delineates information threats, and I've found it particularly helpful in my work.

I'm amazed, though, at how little traction this has gotten within the security community.

Microsoft, as part of the SDL, has opted for the STRIDE model. A quick comparison between STRIDE and the CIA triad/Parkerian Hexad shows where they overlap.

  • Spoofing primarily deals with authentication; no overlap.
  • Tampering overlaps with Integrity.
  • Repudiation partially overlaps with Authenticity.
  • Information Disclosure overlaps with Confidentiality.
  • Denial of Service overlaps with Availability.
  • Elevation of Privilege primarily deals with authorization; no overlap.

Although useful, I feel that STRIDE conflates information threats with services like authentication and authorization, and it misses possession/control, authenticity and utility altogether.

To further complicate things, Dave Piscitello proposed yet another model, one that Bruce Schneier really liked.

  • Authentication (who are you)
  • Authorization (what are you allowed to do)
  • Availability (is the data accessible)
  • Authenticity (is the data intact)
  • Admissibility (trustworthiness)

Should we be surprised that our customers are confused when we struggle to find consensus on the basics?

Dave's extended model goes beyond information threats and deals with identity, trust and access control. I like to think of these elements as services that control access to information assets.

My approach is to start with assets. First, figure out what information assets you have and what threats you want to protect them from. You should also have an idea of how important they are to you and what the impact would be if a given threat were realized. Use Parker's model to evaluate threats and set your objectives.

Information is useless if you can't handle and process it, so consider how users and systems will interact with it. Threat modeling can really help you here. I'd suggest you go beyond STRIDE and include the threats from Parker's model (it really needs a better name; it sounds weird to say Parkerian Hexad all the time). Dave's extended model can act as a heuristic here to ensure completeness.

4 comments:

  1. Are we saying we should do away with the AIC principles within security?

    The CISSP material uses the AIC, to elaborate on everything that has been mentioned on this blog.

    The problem is that we have too many Kamikaze pilots in security that think they understand the concept in securing a service.

    One point to mention from one's AIC model: one could perform a Qualitative and Quantitative analysis of a risk and implement just enough security for the service offering.

    In many scenarios security is looked at as an enabler to a service and yet all it is being used for is to reduce the possible risk and TCO.

    I am certain this will bring about other debates, however debates are always welcome.

    Regards

    Jazz Man

  2. Jazz Man, I think you totally missed the point of my question. I asked whether the CIA model is relevant, since it is unable to describe certain classes of information threats. Do we look for an alternative or do we augment it?

  3. I still reckon CIA is the ‘bare bones’ for categorising impact, where the Parkerian Hexad lets you get into more detail if you want to.

    When describing what harm was caused, it’s either
    C: Data was read by an unauthorised party, or, a trusted party abused privilege to read data they didn’t need to.
    I: Data was modified during an error in processing, by an unauthorised party, or, as per your example, was modified by a trusted party who abused their privilege.
    A: Data was not available to authorised parties.

    In your example where the balance is modified on the DB, I think you're taking a control point of view when you say "The Integrity of the database is intact, redundancy checks pass". If I take it from an impact point of view, I think the integrity of the database is not intact because it's been modified in an unauthorised way (even if the user was authorised to have write access). From a control point of view, the bank should have had reconciliation and change control processes that prevented authorised users from making unauthorised changes.

    So perhaps the ‘I’ in CIA is still relevant to your example? We might disagree for semantic reasons where your definition of integrity is strict and limited to ‘data is well formed and only modified by authorised users’ and mine is extended to ‘modified in authorised process or ways’. To me, integrity means data is not modified in unintended ways.

    While authentication and authenticity seem to be left out of CIA, I think they are implied since subverting authentication leads to a loss in authenticity and ultimately the impact can still be described with CIA (e.g. data read, modified or deleted by someone in an unauthorised way). However, while I think CIA is sufficient for describing impact, I might be more persuaded to agree it is inadequate when describing attacks and controls.

  4. Thanks JP, my focus isn't specifically on impact. I still feel that some of the concepts are not well defined, conflated or equivocated and hence it's hard to communicate with our customers and peers. From an impact perspective I don't really disagree with your "impact" centric view, I'm looking at control objectives though.
