This lesson marks the transition from the
Cyber Battlefield portion of this course to the
Models & Tools portion of the course.
In this lesson we look at a basic Information Assurance
model that clarifies what it is that really needs to be defended
in the cyber world. We will look at the fundamental tension
between security and providing services, and look at a basic
model for understanding risk.
DoD Information Assurance emblem
We've spent the semester so far learning about the
Cyber Battlefield — digital data, computers, OS's,
programs, networks, the internet, systems of programs
communicating over networks (with the world wide web as
the biggest example). We've seen lots of examples of things
that can go wrong in this domain — things that we recognize
as dangerous, things that we recognize we need to defend
against. But what, actually, are we actually defending?
This is a deeper question than it might first appear. Understanding
the answer will help us understand what attacks are, how to defend
against them, and even help us understand what we really want when we
ask for "security".
What then? We have information systems that store, process and
transmit data to different parts of the system in order to provide
services — what service depends on the system.
For example, Skype
is a system that provides telephone & chat services. "Security" for
Skype means the on-going ability to provide their service
while maintaining the following key attributes:
- We are not interested in protecting computers.
If you really wanted to protect your computer, you'd simply
turn it off and stick it in a fireproof/waterproof safe.
- We are not interested in protecting data.
If you really wanted to protect some piece of data, you'd
disconnect your harddrive, and stick it in a fireproof/waterproof
These attributes are referred to as the Pillars of IA (Information Assurance).
And for almost any information system, they describe the
fundamental properties that must be maintained. Essentially,
these properties are what we want to protect (or attack, if
you're on the other side).
IA (Information Assurance) is the practice of managing risks
while maintaining these properties. Malicious human threats are
not the only kind IA considers — a hungry squirrel might
gnaw through a cable and bring down a server. Protecting
against this is IA, though not really cyber security. We'll
focus on the security-related aspects of IA.
[More seriously: IA includes concerns like
extreme weather take down the internet?]
|C|| - confidentiality|
|I|| - integrity|
|A|| - availability|
|N|| - non-repudiation|
|A|| - authentication|
A New Unmanned Aerial Surveillance Platform
The MQ-4C "Triton" BAMS UAS — a new unmanned aerial
surveillance plaftorm — is finishing development and may
be operational as early as 2015.
The MQ-4C BAMS "will enhance battlespace awareness, shortening
the sensor-to-shooter kill chain".
This UAV is clearly a component in a larger information
system, not only the system that tells it where to fly, but
also this "sensor-to-shooter kill chain". Think about how the
five pillars apply to this system? What kind of bad things
could an enemy accomplish by attack on the integrity
of this system? Availability? Confidentiality?
- Confidentiality: "Assurance that information is not disclosed
to unauthorized individuals, processes, or devices."1
means no unauthorized modification or destruction of information.
"Quality of an IS reflecting the logical correctness
and reliability of the operating system; the logical completeness of the hardware and
software implementing the protection mechanisms; and the consistency of the data
structures and occurrence of the stored data. Note that, in a formal security mode,
integrity is interpreted more narrowly to mean protection against unauthorized
modification or destruction of information."1
- Availability: "Timely, reliable access to data and information
services for authorized users."1
- Non-repudiation: "Assurance the sender of data is provided with
proof of delivery and the recipient is provided with proof of the sender's identity,
so neither can later deny having processed the data."1
- Authentication:"Security measure designed to establish the
validity of a transmission, message, or originator, or a means of verifying an
individual's authorization to receive specific categories of information."1
Understanding "Bad Stuff" in Terms of the Five Pillars
We've already seen a number of examples of "bad stuff" in this
class. Understanding something as an attack requires
understanding which of the five pillars is violated —
which property is lost. Let's review a few of the bad things we
did/observed and understand them this way.
You injected HTML like
into a simple message board, so the page was always
redirected to www.usma.edu. Which pillar was violated?
This attack essentially makes the message board impossible to
read, so this is an attack on availability.
We tricked users into posting "My SI110 instructor is a doofus."
on a message board by inducing them to click on a bad URL or
open a bad HTML e-mail attachment.
In this case, which property is violated that the victim
really cares about?
In this case, we've lost non-repudiation. The
victim did not insult his instructor (at least not on the
class message board), yet the system shows
that he did. So that action on the system can be
repudiated. The user can honestly say "It wasn't me!"
Your instructor used Wireshark to view your TCP traffic
(netcat chatting) when
you were on the wireless network. Clearly the property
you've lost is confidentiality.
(Note: as you read this, you may not have yet had the lab in
which this happened. If not, it'll happen in your next lab.)
We used cross-site scripting to steal a user's login
credentials. Once again, the property we've lost is clear:
authentication (although confidentiality was
compromised as well, in the sense that the login credentials
were confidential information). If the system allows login
credentials to be stolen, it does not provide authentication.
Services vs. Security
There is a fundamental tension between the services an
information system provides, and security. A building with no
doors or windows is quite secure, but pretty limited in its
utility. Similarly, an information system with no way for data
to flow in or out is very secure, but it is unable to provide a
service. The more services you provide/allow, the more ways in
and out of your system that need securing. Thus, for each
service one needs to weigh the value of the service against the
security implications of providing/allowing it.
You weigh the risk against the benefits and
make a decision.
On Windows, you can get a list of possible services along with
their status as started/stopped by
If you don't want to type
Windows shell, you can get the services list with mouse
- Right click on Computer, select Manage.
- In the left pane, expand Services and Applications.
- Click on Services.
services.msc in the Windows shell.
An entry in this list looks like
a name, description, and status (and some other stuff).
Clicking on the entry allows you to see the full description.
So, for example, you'll probably see a line for
DNS Client. You should be able to read that
description and understand given your recent background in
networks. What service does this provide? What would be the
consequence of turning it off? A much harder question is what
security implications accompany this service.
At any rate, you as a user can make decisions about the services you
There is no one right answer as to whether a service should be
provided/allowed. For example, Remote Desktop for Windows is
a service that allows someone on a remote machine to pull up
the complete graphical desktop on your machine, in order to see
what they would see if they were sitting in front of your
machine. Among other things, this is really helpful when
providing technical support or remotely administrating a
machine — especially for people who are not tech-savvy
and aren't sitting near the person who is helping them.
Consider the decision as to whether or not to turn this service
on in two cases:
What are the points you need to consider? My guess is that you
instinctively know what the important points are.
How valuable is the service? What are the risks inherent in
providing/allowing that service?
This requires a better understanding of risk,
vulnerabilities, and threats.
- Your grandma's computer
- The CNO's (Chief of Naval Operations) computer
Risk, threats, vulnerabilities
Risk is sometimes given a quasi-mathematical formulation:
risk = likelihood × impact
There are no units associated with this as it stands, so we're not
really going to multiply anything, but it gets at the idea that
we have to consider the likelihood of the bad thing we're worried
about happening as well as the impact that bad thing would have.
And it gets at the idea that as either of these factors increase,
so does the risk. In the Grandma/CNO example we might reason
The impact of someone illicitly getting a remote desktop
on Grandma's computer is relatively small — she just surfs
and e-mails her grandchildren. The impact of someone getting
a remote desktop on the CNO's computer is ... well, it could be
very bad. So even without analyzing the likelihood of someone
getting an illicit remote desktop in each of these cases, we see
that the risk will be much higher in the CNO's case than
To clarify the roles of vulnerabilities
versus threats: a threat is an actor who
has the potential and desire to do bad stuff assuming
they can find a vulnearbility to exploit. So, for example,
consider something like
leaving your wallet in an unlocked locker at a train station,
versus in the men's locker room in Macdonough Hall.
How does the risk of getting your wallet stolen change?
vulnerability (unlocked locker) is the same in both cases.
However, there are a lot fewer people with access to
Macdonough (potential) and Mids and Faculty and
Staff here a generally pretty trustworthy, so there are very
few people who would want to steal something (desire).
So moving from the train station scenario to the Macdonough
scenario, the vulnerability stays the same, but threats
are dramatically reduced. That means liklihood of
getting your wallet stolen is reduced. Since
the impact is presumably the same, we deduce that
the risk is less in the Macdonough scenario
... which probably agrees with your intuition.
Analyzing the likelihood of an exploit, like someone
getting an illicit remote desktop on a machine,
requires us to distinguish between vulnerabilities
and threats. A vulnerability is a weakness or defect
in a system that could be exploited to do bad stuff.
A threat is an actor who has the potential and
desire to do bad stuff.
A vulnerability in the absence of threats is no problem.
(For example, it doesn't matter that Superman is vulnerable to
kryptonite if there are no bad guys have access to kryptonite.)
Similarly, threats are of no consequence to an invulnerable
system. (For example, mean kids with squirt guns are not a
problem for an adult like me ... unless they're my own.)
To analyze the likelihood of a remote desktop exploit in both
the Grandma and CNO scenarios, we need to know more information
than we really have access to, but factors might be: the CNOs
computer is probably sitting behind firewalls, while Grandma's
is not, so Grandma's is probably more vulnerable. On the other
hand, there are a lot more people who would like to break in to
the CNO's computer than Grandma's, so he has more threats.
risk = likelihood × impact,
where likelihood is a function of threats
Let's apply our newfound model of risk to a less extreme
example: Is writing down a
username & password for an online bank account
on a piece of paper and putting it in your purse risky ...
Why? You should be able to make a solid argument here,
identifying the relevant factors that are different in the two
situations and how they ultimately effect the risk of someone
getting Grandma's username and password and breaking into her
- for your Grandma who almost never leaves the house?
- for your other Grandma who takes the NY subway every night to go play bingo?
Since you now understand that Information Assurance is about providing
services while maintaining the CIANA properties, for full credit your
homework and exam answers must always mention the pillar(s) as they relate to the
question being asked. Ask yourself: which pillar applies? Have any been violated?