This lesson marks the transition from the
Cyber Battlefield portion of this course to the
Models & Tools portion of the course.
In this lesson we look at a basic Information Assurance
model that clarifies what it is that really needs to be defended
in the cyber world. We will look at the fundamental tension
between security and providing services, and look at a basic
model for understanding risk.

Information Assurance
We've spent the semester so far learning about the
Cyber Battlefield — digital data, computers, OS's,
programs, networks, the internet, systems of programs
communicating over networks (with the world wide web as
the biggest example). We've seen lots of examples of things
that can go wrong in this domain — things that we recognize
as dangerous, things that we recognize we need to defend
against. But what, actually, are we actually defending?
This is a deeper question than it might first appear. Understanding
the answer will help us understand what attacks are, how to defend
against them, and even help us understand what we really want when we
ask for "security".
- We are not interested in protecting computers.
If you really wanted to protect your computer, you'd simply
turn it off and stick it in a fireproof/waterproof safe.
- We are not interested in protecting data.
If you really wanted to protect some piece of data, you'd
disconnect your harddrive, and stick it in a fireproof/waterproof
safe.
What then? We have information systems that store, process and
transmit data to different parts of the system in order to provide
services — what service depends on the system.
For example, Skype
is a system that provides telephone & chat services. "Security" for
Skype means the on-going ability to provide their service
while maintaining the following key attributes:
- C: confidentiality
- I: integrity
- A: availability
- N: non-repudiation
- A: authentication
These attributes are referred to as the Pillars of IA (Information Assurance).
And for almost any information system, they describe the
fundamental properties that must be maintained. Essentially,
these properties are what we want to protect (or attack, if
you're on the other side).
IA (Information Assurance) is the practice of managing risks
while maintaining these properties. Malicious human threats are
not the only kind IA considers — a hungry squirrel might
gnaw through a cable and bring down a server. Protecting
against this is IA, though not really cyber security. We'll
focus on the security-related aspects of IA.
[More seriously: IA includes concerns like: could extreme weather take down the internet?]
A New Unmanned Aerial Surveillance Platform
The MQ-4C "Triton" BAMS UAS — a new unmanned aerial
surveillance platform — is finishing development and may
be operational as early as 2015.
The MQ-4C BAMS "will enhance battlespace awareness, shortening
the sensor-to-shooter kill chain".
This UAV is clearly a component in a larger information
system: not only the system that tells it where to fly, but
also this "sensor-to-shooter kill chain". Think about how the
five pillars apply to this system. What kind of bad things
could an enemy accomplish by attacking the integrity
of this system? Availability? Confidentiality?
Authentication?
- Confidentiality: "Assurance that information is not disclosed
to unauthorized individuals, processes, or devices."1
- Integrity:
means no unauthorized modification or destruction of information.
"Quality of an IS reflecting the logical correctness
and reliability of the operating system; the logical completeness of the hardware and
software implementing the protection mechanisms; and the consistency of the data
structures and occurrence of the stored data. Note that, in a formal security mode,
integrity is interpreted more narrowly to mean protection against unauthorized
modification or destruction of information."1
- Availability: "Timely, reliable access to data and information
services for authorized users."1
- Non-repudiation: "Assurance the sender of data is provided with
proof of delivery and the recipient is provided with proof of the sender's identity,
so neither can later deny having processed the data."1
- Authentication: "Security measure designed to establish the
validity of a transmission, message, or originator, or a means of verifying an
individual's authorization to receive specific categories of information."1
Understanding "Bad Stuff" in Terms of the Five Pillars
We've already seen a number of examples of "bad stuff" in this
class. Understanding something as an attack requires
understanding which of the five pillars is violated —
which property is lost. Let's review a few of the bad things we
did/observed and understand them this way.
- You injected HTML like
<script type="text/javascript">document.location="http://www.usma.edu";</script>
or maybe
<script type="text/javascript">var i = 0; while(i < 9999999999999) { i = i + 1;}</script>
into a simple message board, so the page was always
redirected to www.usma.edu. Which pillar was violated?
This attack essentially makes the message board impossible to
read, so this is an attack on availability.
- We tricked users into posting "My SI110 instructor is a doofus."
on a message board by inducing them to click on a bad URL or
open a bad HTML e-mail attachment.
In this case, which property is violated that the victim
really cares about?
In this case, we've lost non-repudiation. The
victim did not insult his instructor (at least not on the
class message board), yet the system shows
that he did. So that action on the system can be
repudiated. The user can honestly say "It wasn't me!"
- Your instructor used Wireshark to view your TCP traffic
(netcat chatting) when
you were on the wireless network. Clearly the property
you've lost is confidentiality.
(Note: as you read this, you may not have yet had the lab in
which this happened. If not, it'll happen in your next lab.)
- We used cross-site scripting to steal a user's login
credentials. Once again, the property we've lost is clear:
authentication (although confidentiality was
compromised as well, in the sense that the login credentials
were confidential information). If the system allows login
credentials to be stolen, it does not provide authentication.
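The message-board examples above all start from one defect: the board displays whatever a user typed as live HTML. The following added example (not code from the course or the class message board, which is assumed to be a simple list-rendering page) shows a vulnerable renderer beside a hardened one that output-encodes each post, using the two injected scripts from the first example as constructed sample posts.

```python
# Added example: a hypothetical minimal message-board renderer, vulnerable
# and hardened. The posts below are constructed; the two <script> payloads
# are the ones the lesson describes being injected into the class board.
POSTS = [
    "Anyone have notes from the networking lab?",
    '<script type="text/javascript">document.location="http://www.usma.edu";</script>',
    '<script type="text/javascript">var i = 0; while(i < 9999999999999) { i = i + 1;}</script>',
]


def escape_html(text: str) -> str:
    """Encode the five characters that let text break out of HTML content
    or an attribute value. '&' must go first so later entities are not doubled."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;")
                .replace("'", "&#x27;"))


def render_vulnerable(posts) -> str:
    """The defect: user text is concatenated straight into the page, so any
    <script> a user posts runs in every reader's browser (the availability
    attack above: a redirect or an infinite loop on every page load)."""
    return "<ul>" + "".join(f"<li>{p}</li>" for p in posts) + "</ul>"


def render_hardened(posts) -> str:
    """Output-encode every post: injected markup is shown as text, not executed."""
    return "<ul>" + "".join(f"<li>{escape_html(p)}</li>" for p in posts) + "</ul>"


def contains_live_script(page: str) -> bool:
    """Simple check a code reviewer or test can run over rendered output."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable page carries a live script:", contains_live_script(render_vulnerable(POSTS)))
    print("hardened page carries a live script:  ", contains_live_script(render_hardened(POSTS)))
```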
Services vs. Security
There is a fundamental tension between the services an
information system provides, and security. A building with no
doors or windows is quite secure, but pretty limited in its
utility. Similarly, an information system with no way for data
to flow in or out is very secure, but it is unable to provide a
service. The more services you provide/allow, the more ways in
and out of your system that need securing. Thus, for each
service one needs to weigh the value of the service against the
security implications of providing/allowing it.
You weigh the risk against the benefits and
make a decision.
On Windows, you can get a list of possible services along with
their status as started/stopped by
entering services.msc in the Windows shell.
If you don't want to type services.msc in the
Windows shell, you can get the services list with mouse
clicks too:
- Right click on Computer, select Manage.
- In the left pane, expand Services and Applications.
- Click on Services.
An entry in this list looks like
a name, description, and status (and some other stuff).
Clicking on the entry allows you to see the full description.
So, for example, you'll probably see a line for
DNS Client. You should be able to read that
description and understand given your recent background in
networks. What service does this provide? What would be the
consequence of turning it off? A much harder question is what
security implications accompany this service.
At any rate, you as a user can make decisions about the services you
provide/allow.
There is no one right answer as to whether a service should be
provided/allowed. For example, Remote Desktop for Windows is
a service that allows someone on a remote machine to pull up
the complete graphical desktop on your machine, in order to see
what they would see if they were sitting in front of your
machine. Among other things, this is really helpful when
providing technical support or remotely administrating a
machine — especially for people who are not tech-savvy
and aren't sitting near the person who is helping them.
Consider the decision as to whether or not to turn this service
on in two cases:
- Your grandma's computer
- The CNO's (Chief of Naval Operations) computer
What are the points you need to consider? My guess is that you
instinctively know what the important points are.
How valuable is the service? What are the risks inherent in
providing/allowing that service?
This requires a better understanding of risk,
vulnerabilities, and threats.
Risk, threats, vulnerabilities
Risk is sometimes given a quasi-mathematical formulation:
risk = likelihood × impact
There are no units associated with this as it stands, so we're not
really going to multiply anything, but it gets at the idea that
we have to consider the likelihood of the bad thing we're worried
about happening as well as the impact that bad thing would have.
And it gets at the idea that as either of these factors increase,
so does the risk. In the Grandma/CNO example we might reason
like this:
The impact of someone illicitly getting a remote desktop
on Grandma's computer is relatively small — she just surfs
and e-mails her grandchildren. The impact of someone getting
a remote desktop on the CNO's computer is ... well, it could be
very bad. So even without analyzing the likelihood of someone
getting an illicit remote desktop in each of these cases, we see
that the risk will be much higher in the CNO's case than
Grandma's.
To clarify the roles of vulnerabilities
versus threats: a threat is an actor who
has the potential and desire to do bad stuff, assuming
they can find a vulnerability to exploit. So, for example,
consider something like
leaving your wallet in an unlocked locker at a train station,
versus in the men's locker room in Macdonough Hall.
How does the risk of getting your wallet stolen change?
The
vulnerability (unlocked locker) is the same in both cases.
However, there are a lot fewer people with access to
Macdonough (potential), and Mids, Faculty and
Staff here are generally pretty trustworthy, so there are very
few people who would want to steal something (desire).
So moving from the train station scenario to the Macdonough
scenario, the vulnerability stays the same, but threats
are dramatically reduced. That means the likelihood of
getting your wallet stolen is reduced. Since
the impact is presumably the same, we deduce that
the risk is less in the Macdonough scenario
... which probably agrees with your intuition.
Analyzing the likelihood of an exploit, like someone
getting an illicit remote desktop on a machine,
requires us to distinguish between vulnerabilities
and threats. A vulnerability is a weakness or defect
in a system that could be exploited to do bad stuff.
A threat is an actor who has the potential and
desire to do bad stuff.
A vulnerability in the absence of threats is no problem.
(For example, it doesn't matter that Superman is vulnerable to
kryptonite if no bad guys have access to kryptonite.)
Similarly, threats are of no consequence to an invulnerable
system. (For example, mean kids with squirt guns are not a
problem for an adult like me ... unless they're my own.)
To analyze the likelihood of a remote desktop exploit in both
the Grandma and CNO scenarios, we need more information
than we really have access to, but factors might be: the CNO's
computer is probably sitting behind firewalls, while Grandma's
is not, so Grandma's is probably more vulnerable. On the other
hand, there are a lot more people who would like to break in to
the CNO's computer than Grandma's, so he has more threats.
RECAP:
risk = likelihood × impact,
where likelihood is a function of threats and vulnerabilities.
Let's apply our newfound model of risk to a less extreme
example: Is writing down a
username & password for an online bank account
on a piece of paper and putting it in your purse risky ...
- for your Grandma who almost never leaves the house?
- for your other Grandma who takes the NY subway every night to go play bingo?
Why? You should be able to make a solid argument here,
identifying the relevant factors that are different in the two
situations and how they ultimately affect the risk of someone
getting Grandma's username and password and breaking into her
bank account.
Important Note
Since you now understand that Information Assurance is about providing
services while maintaining the CIANA properties, for full credit your
homework and exam answers must always mention the pillar(s) as they relate to the
question being asked. Ask yourself: which pillar applies? Have any been violated?
References
1. CNSSI-4009