Pillars of Cyber Security

Learning Objectives

After completing these activities you should be able to:

Discussion


DoD Cyber Security emblem (formerly Information Assurance)

During the course, we will learn about the Cyber Battlefield — digital data, computers, operating systems, programs, networks, the Internet, systems of programs communicating over networks (with the world wide web as the biggest example). We will see lots of examples of things that can go wrong in the cyber domain — things that we recognize as dangerous, things that we recognize we need to defend against. But what, actually, are we defending?

This is a deeper question than it might first appear. Understanding the answer will help us understand what attacks are, how to defend against them, and even help us understand what we really want when we ask for "security".

  1. We are not interested in just protecting computers. If you really wanted to protect your computer, you'd simply turn it off and stick it in a fireproof/waterproof safe.
  2. We are not interested in just protecting data. If you really wanted to protect some piece of data, you'd disconnect your hard drive, and stick it in a fireproof/waterproof safe.

What then? We have information systems that store, process, and transmit data to different parts of the system in order to provide services — what service depends on the system. For example, Skype is a system that provides video, telephone, and chat services. Security for Skype means the on-going ability to provide their service while maintaining the following key attributes:

This is Ciana (photo: www.flickr.com/photos/jimfischer/4540646854/). She'll be your mnemonic for the five Pillars of Cyber Security!

These attributes are referred to as the Pillars of Cyber Security (formerly Pillars of Information Assurance). And for almost any information system, they describe the fundamental properties that must be maintained. Essentially, these properties are what we want to protect (or attack, if you're on the other side). Information Assurance (IA) is the practice of managing risks while maintaining these properties. Malicious human threats are not the only kind information assurance considers — a hungry squirrel might gnaw through a cable and bring down a server. Protecting against this is information assurance, though not really cyber security. We'll focus on the cyber security related aspects of IA. [More seriously: IA includes concerns like could extreme weather take down the Internet?]

A New Unmanned Aerial Surveillance Platform


The MQ-4C "Triton" BAMS UAS — a new unmanned aerial surveillance platform — is finishing development and initial operational capability is planned for 2018. The MQ-4C BAMS "will enhance battlespace awareness, shortening the sensor-to-shooter kill chain".
This UAV is clearly a component in a larger information system: not only the system that tells it where to fly, but also this "sensor-to-shooter kill chain". Think about how the five pillars apply to this system. What kind of bad things could an enemy accomplish by attacking the Integrity of this system? Availability? Confidentiality? Authentication?

As with any domain there are specific definitions for terms; the following are the definitions for the Pillars of Cyber Security.

  • Confidentiality: Protection of information from disclosure to unauthorized individuals, systems, or entities. Confidentiality is data oriented.
  • Integrity: Protection of information, systems, and services from unauthorized modification or destruction. Integrity is data oriented.
  • Availability: Timely, reliable access to data and information services by authorized users. Availability is service oriented.
  • Non-repudiation: The ability to correlate, with high certainty, a recorded action with its originating individual or entity. Non-repudiation is entity oriented.
  • Authentication: The ability to verify the identity of an individual or entity. Authentication is entity oriented.

There is some overlap between the Pillars of Cyber Security. In many cases a defensive measure will protect more than one pillar. In many cases a particular attack will violate more than one. Often the question of which pillars were violated by an action is somewhat subjective, and depends on the viewpoint from which you are asking.

There is a close relationship between non-repudiation and authentication, but they are separate. Authentication is compromised when an attacker has the ability to pose as another individual or system, often by stealing valid authentication credentials. In contrast, non-repudiation reflects our ability to prove later, after the fact, that an action is associated with a specific individual or entity. Very often, log entries or digital signatures of events (which we will cover later) are used to provide non-repudiation, so a violation occurs when the logging or signature mechanism is compromised. One example is the digital signature you can place on a document, using something that is associated with you (a digital certificate, for example). Non-repudiation establishes that, later on, an analysis of the signed document can show, with high certainty, that it must have been signed by someone who possessed that digital certificate.
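As an added illustration of the distinction drawn above (example code written for this page, not part of the course material), the following Go program contrasts a shared-secret authentication tag with a digital signature over a constructed log record. A raw Ed25519 key pair stands in for the digital certificate the text mentions, and the names Alice, Bob, OrderRecord and CompareMechanisms are assumptions of the example. The shared-key contrast goes slightly beyond the text: it shows why a mechanism can authenticate a record (only key holders can produce a valid tag) yet give no non-repudiation, because the party checking the tag could equally have produced it, whereas a signature verified with Alice's public key could only have come from the holder of her private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// OrderRecord is a constructed "recorded action" of the kind an audit log holds.
const OrderRecord = "2024-01-15T10:32:00Z user=alice action=approve-transfer amount=5000"

// MACTag computes an HMAC-SHA256 tag over doc using a key both parties share.
func MACTag(sharedKey, doc []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(doc)
	return m.Sum(nil)
}

// VerifyMAC accepts any tag made with sharedKey, so it only proves "someone
// holding the key" produced the record, not which individual.
func VerifyMAC(sharedKey, doc, tag []byte) bool {
	return hmac.Equal(tag, MACTag(sharedKey, doc))
}

// SignRecord produces an Ed25519 signature that only the private-key holder can make.
func SignRecord(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// VerifyRecord lets anyone with the public key check the signature after the fact.
func VerifyRecord(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// Evidence summarises what a later auditor can conclude from each mechanism.
type Evidence struct {
	MACAcceptsAlice    bool // Alice's genuine tag verifies
	MACAcceptsBobForge bool // Bob, sharing the key, can forge a tag that also verifies
	SigAcceptsAlice    bool // Alice's genuine signature verifies under her public key
	SigRejectsBobForge bool // Bob cannot make a signature that verifies under Alice's key
	SigRejectsTamper   bool // altering the record invalidates Alice's real signature
}

// CompareMechanisms runs the two scenarios: Alice and Bob share a MAC key, and
// separately Alice alone holds a signing key (Bob has his own, unrelated key).
func CompareMechanisms() (Evidence, error) {
	var ev Evidence
	doc := []byte(OrderRecord)
	// Constructed forgery: same record with the amount changed.
	forged := []byte("2024-01-15T10:32:00Z user=alice action=approve-transfer amount=50000")

	// Shared-secret MAC: both parties hold sharedKey.
	sharedKey := make([]byte, 32)
	if _, err := rand.Read(sharedKey); err != nil {
		return ev, err
	}
	aliceTag := MACTag(sharedKey, doc)
	ev.MACAcceptsAlice = VerifyMAC(sharedKey, doc, aliceTag)
	bobTag := MACTag(sharedKey, forged) // Bob forges with the very same key
	ev.MACAcceptsBobForge = VerifyMAC(sharedKey, forged, bobTag)

	// Digital signature: Alice's private key never leaves her.
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ev, err
	}
	_, bobPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ev, err
	}
	aliceSig := SignRecord(alicePriv, doc)
	ev.SigAcceptsAlice = VerifyRecord(alicePub, doc, aliceSig)
	ev.SigRejectsBobForge = !VerifyRecord(alicePub, forged, SignRecord(bobPriv, forged))
	ev.SigRejectsTamper = !VerifyRecord(alicePub, forged, aliceSig)
	return ev, nil
}

func main() {
	ev, err := CompareMechanisms()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", ev)
}
```

Run it with `go run .`; every field of Evidence prints true. The first two fields show why a shared-secret tag is an authentication mechanism only: Bob's forged tag is indistinguishable from Alice's. The last three show what a signature adds: the record is bound to Alice's key, a different key cannot forge it, and any change to the record breaks it, which is exactly the after-the-fact attribution the paragraph calls non-repudiation.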

Some organizations and publications limit their discussion of Cyber Security pillars to confidentiality, integrity, and availability; other organizations list many more. While the overall number of pillars/attributes that must be maintained in supporting information assurance is debated, the inclusion of confidentiality, integrity, and availability is nearly universal. In this course, we also include non-repudiation and authentication as distinct pillars.

Examples

Understanding something as an attack requires understanding which of the five pillars are violated — which properties are lost. Let's consider some examples.

Services vs. Security

There is a fundamental tension between the services an information system provides, and security. A building with no doors or windows is quite secure, but pretty limited in its utility. Similarly, an information system with no way for data to flow in or out is very secure, but it is unable to provide a service. The more services you provide/allow, the more ways in and out of your system that need securing. Thus, for each service one needs to weigh the value of the service against the security implications of providing/allowing it. You weigh the risk against the benefits and make a decision.

On Windows, you can get a list of possible services along with their status as started/stopped by entering services.msc in the Search Bar. If you don't want to type services.msc in the Windows shell, you can get the services list with mouse clicks too:
  1. Right click on File Explorer, select Manage.
  2. In the left pane, expand Services and Applications.
  3. Click on Services.
An entry in this list looks like a name, description, and status (and some other stuff). Clicking on the entry allows you to see the full description. How many services are installed? How many are running? Can you tell just by the name what each one does? Just this list of running services should give you an idea of the dizzying array of software that exists just to serve your laptop. The picture gets even more complex when we discuss servers, such as web servers, for example.

There is no one right answer as to whether a service should be provided/allowed. For example, Remote Desktop for Windows is a service that allows someone on a remote machine to pull up the complete graphical desktop on your machine, in order to see what they would see if they were sitting in front of your machine. Scroll down your list to find the entry for 'Remote Desktop Services.' Among other things, this is really helpful when providing technical support or remotely administering a machine — especially for people who are not tech-savvy and aren't sitting near the person who is helping them. Consider the decision as to whether or not to turn this service on in two cases:

  1. Your grandma's computer
  2. The CNO's (Chief of Naval Operations) computer
What are the points you need to consider? My guess is that you instinctively know what the important points are. How valuable is the service? What are the risks inherent in providing/allowing that service?

You now understand that Cyber Security is about providing services while maintaining the CIANA properties. For full credit on your homework and exam answers, where appropriate, you should mention the pillar(s) as they relate to the question. Ask yourself: What pillars apply? Have any been violated?