© Sanjib Sinha 2018
Sanjib Sinha, Beginning Ethical Hacking with Kali Linux, https://doi.org/10.1007/978-1-4842-3891-2_11

11. Information Assurance Model

Sanjib Sinha, Howrah, West Bengal, India

When I talk about information security, I’m actually talking about a specific model; this security model is widely described as the information security model or the information assurance (IA) model. Some people love to debate whether to treat these two models separately; regardless, as a security professional, you need to have a general idea of what the IA model is, how it works, and why it is important from a modern security perspective. Proponents of the information security model opine that it is the same as the IA model. The information security model is all about three key elements: people, process, and technology.

Other people claim that the information security model and the IA model are quite different. According to this view, the IA model focuses on ensuring availability, integrity, authentication, confidentiality, and nonrepudiation of information. When an organization has a solid mechanism like the IA model for protecting against threats, it can react to each threat properly. On the other hand, information security deals only with the unauthorized access, disclosure, modification, and destruction of data.

It is evident that the IA model breaks information security into two distinct parts. In this view, information assurance deals with only technology and parts of processes. Information security deals with people and parts of processes.

Whatever your take, it is widely accepted by the computing community that the IA model plays an important role in the infrastructure that supports key factors that control our lives, such as national security, healthcare, commerce as a whole, telecommunications, and more.

As your experience grows, you will find that a deep knowledge of the IA model is crucial in your business as a security professional. From the previous chapters, you have a basic understanding of how ethical hackers gather information and how they analyze vulnerabilities and scan a port or scan a URI to get more information. Ideally, now you can understand why you should attach more importance to this well-accepted model of information assurance. In this chapter, you will learn about the basic concepts associated with this model.

At the end of this chapter, I will point you to a handful of good books that may come in handy if you want to dig deep.

What the IA Model Is All About

From the government to the corporate world, everybody has pretty much adopted the IA model so far, and it has become an exceptionally useful model as far as information security is concerned. It is all about linking three key elements for asset protection. Defending your assets does not mean only a few little things like a USB port or a printer or even a computer; it is more about the larger scale: a whole business, a line of business, or maybe a government. The first question is, how do you ensure that information is secure? What are the main elements that you need to address to ensure that?

The three key elements of the IA model are people, process, and technology. Even a veteran security professional may stumble here, mistakenly assuming that asset protection covers only IT assets. They forget about the other two elements: people and process. They think about how to use VPN protocols or how to use new cryptography, and they forget about the larger picture where the best technology cannot survive if people don’t protect it. If people don’t know what to do or if people don’t know what the information security model is all about, all hell may break loose. I’ll explain how and why that happens.

Next comes another important aspect: the process. If the processing fails, cannot classify data, or cannot connect things, the whole concept of protecting assets crumbles into dust. Therefore, all these things play together to protect the assets.

You need to know about all of these things separately as well as know how to tie them together.

How to Tie the Elements Together?

As a security professional, you need to know how you can defend the people side. Unfortunately, this is the most overlooked part. As a penetration tester, consider these key parts on the people side:
  • Are people trained on security?

  • Are all levels of an organization committed to security?

  • Do all the employees follow the security process strictly?

  • Do they have a basic knowledge about the IA model?

  • Do they know how to classify data when they create new information or process information?

  • Are they trained to lock their computers when they leave them?

As you can see, training people is important. Regrettably, it is the most overlooked aspect of the three elements. The people of an organization must know why a lengthy password is necessary; in other words, they should be trained on that. Most of them have a bad habit of keeping passwords in a file on the system. I have shown you what happens to those passwords. You have seen how one can just sniff them easily, and after that, penetrating the system is a piece of cake.

Another overlooked part is the process. Think about a case where you have secured the processes of an organization; however, you have not documented them. Securing the process is critical, but along with that, documentation and implementation are also important. Another crucial question is, do the people follow the processes? Finally, does technology properly implement the processes?

Of the three key elements of the IA model being discussed, the most commonly understood component is technology. An organization always cares about spending money on firewalls, intrusion detection systems, and anything related to technology. That is the most typical approach and a reflection of the poor understanding of the other two key components. They forget that this is just one part of a big information model. Any attack? Any data breach? Any intrusion? They always point their fingers at technology. They forget that it might have been generated from the people part, or there might have been a loophole in the process part.

I will now share my experience while doing security programming for a long period of time so that if you, as a security professional, face the same situation, you can tackle it in a more logical way. In the real world, after any kind of attack, many organizations start believing that it was a technological fault. Technological problems sometimes seem to be cloak-and-dagger stuff, so the security manager is often given the boot first when a breach happens. (If the systems manager were clever enough, he or she would already have passed the buck to any subordinate malware intrusion staff!)

Therefore, in every attack, an organization points the security finger at the technology first. They don’t even check the other layers. For example, has technology properly implemented the processes? Or, does technology simplify security too much for the people? Usually, they never ask those questions.

They forget the ugly truth that crackers or potential attackers know this model very well. They know that breaking technology is the hardest part of the game. So, they try to find out other details first. They try to penetrate into the process. Which company is responsible for fixing the equipment? From which store were the new machines bought? For example, say a cracker takes up a job at that store. Once he gets into there, he can put malware easily into the system. It reaches the target and results in poisoned switches, servers, and other devices. Can you blame technology anymore? Can you blame the staff who got fired from the job? One of the key elements, process, is responsible here, not technology.

Now think about the people who have the authorization. What if the cracker decides to buy any of them by spending some dollars? Knowing the password is the easiest way to intrude.

Now compare this model to the OSI security architecture you learned about in Chapter 1. The OSI security architecture focuses on three key elements: attacks, mechanisms, and services. Now replace the word attacks with technology, replace mechanism with process, and replace service with people. In any security attack, technology is compromised. The security mechanism directly deals with the processes or the devices that incorporate such processes. Finally, the security of services always starts from the authorized people. They are responsible for initiating services that are intended to counter security attacks.

How the IA Model Works

So far, you have a basic idea of what the IA model is. Let’s try to understand how it works. Three key elements are tied together, and they stand on five key pillars.

The pillars are confidentiality, integrity, availability, nonrepudiation, and authentication.

Confidentiality assures you of one thing: unauthorized individuals, processes, or devices will never be able to know the information; it is guaranteed that information is not disclosed to them. Now with the first pillar of confidentiality, you have an assurance of not disclosing data. Now you are concerned about unauthorized modification in the source or, an even worse possibility, the destruction of data.

The second pillar of integrity means no unauthorized modification or no destruction. It starts with the logical correctness of the operating systems, the proper implementation of hardware and software that has logical completeness, and the consistency of data structures. It gives you protection against unauthorized modification or deletion of information.

The third pillar of availability assures you of reliability. Authorized users get timely services. Users know that each service is reliable.

Now comes the fourth pillar: nonrepudiation. In some previous examples, you saw how a sniffer can misguide a system. In such cases, information marked for some recipient reaches the wrong address. Consider a concrete example. A is sending data to B. A does not know that C has gotten that data. The basic purpose of nonrepudiation is to ensure that the sender (A) is provided with proof of delivery and, at the same time, that the recipient (B) is provided with proof of the sender’s identity. Sender A now is assured that B has gotten the data. B knows that A has sent that data. Neither of them can later deny this. They have processed the data.

The final pillar is authentication. This is not the same as authorization. Authentication is a security measure that verifies whether an individual has authorization or whether the individual’s authorization is incorrect. The process of authentication does not stop there. It also assures an authorized individual gets specific categories of information. For example, a bank manager and a bank client are both authorized users. However, authentication ensures that the client does not get information that has been earmarked for the manager. So, the final pillar of authentication is crucial in establishing the validity of a transmission or message; at the same time, it verifies an individual’s authorization.

In the next section, you will learn why the IA model is important.

Why Is the IA Model Important?

As a penetration tester or a security professional, you need to convince your clients that the IA model is essential. How about giving your clients a concrete example? Imagine a house with no doors and windows. This house is pretty heavily secured, isn’t it? But it is pretty limited in its service aspect. In other words, it has limited utility. When in an information system no data flows in or flows out, it is secured. You actually keep it in quarantine. However, it cannot provide you with any service. The data flowing in or flowing out can include services. Therefore, to get services, you need to secure the systems. Service and security go hand in hand.

When you think about services, the three key elements of the IA model get involved: people, process, and technology. What kind of service does your client offer? Your client has to weigh the value of each service against the security implications.

You have already seen a lot of real-life examples where these five pillars of the IA model can be breached. You will definitely see more in the coming chapters. You have seen examples where you can read passwords, sniff and capture packets, inject and poison weak applications, listen to ports, and so on.

Therefore, I will not give any more examples here; instead, I will show how these pillars can be affected by these attacks.

When a cracker injects a vulnerable application and it redirects to another web application, the pillar of availability is violated. When a cracker makes denial-of-service attacks, it violates the same pillar: availability. The application is no longer available. Spoofing can violate the nonrepudiation pillar by inducing the user to click a poisoned URL link. In this case, either the attacker has conducted social engineering or it’s a case of identity theft. The sender and recipient do not match. Nonrepudiation is violated.

You have seen how Wireshark works. If somebody views the TCP traffic of a victim, the pillar of confidentiality crumbles. You will see more such examples in the “Metasploit” and “Exploitation” chapters.

You have seen the example of Burp Suite where a user’s login credentials were stolen. Now you understand how one of the key elements of the IA model, people, can violate the pillar of authentication by keeping a password in a file on the system. If a system allows crackers to steal the login credentials, it does not provide authentication anymore.

Further Reading

M. Whitman, and H. Mattord, “Principles of Information Security”

D. Parker, “Our Excessively Simplistic Information Security Model and How to Fix It,” ISSA Journal

D. Lacey, “Managing the Human factor in information security”

Y. Cherdantseva, and J. Hilton, “Information Security and Information Assurance. The Discussion about the Meaning, Scope and Goals,” in: F. Almeida, and I. Portela (eds.), Organizational, Legal, and Technological Dimensions of IS Administrator
