Re: Article: "Security Absurdity: The Complete, Un

[Bob Radvanovsky <rsradvan () unixworks net>]

Why do you "parrot" the exact same thing that has been told --repeatedly -- over the past 15 years?  They have you 
brainwashed!  How many principles do you think there really are (and not just the ones that ISC(2) *tells* you that 
there should be)?  What do you think makes up the components of a good security model?  What defines the best 
practices, and how should it be enabled?  Are 3 overly simplified principles the only key?  I disagree.

Security is not about "absolutes", but about "resolutes".  It is (most of the time) "hit or miss", sometimes hitting 
dead nuts on target, other times, completely missing the target entirely.  There will *never* be "absolute security", 
because of the random, human factors that are involved, no matter how much business and government attempt to 
accurately predict human behavior.

To me, "confidentiality" is based on how well you can keep a secret.  This (again, to me), is dependent upon the 
"integrity" of the data, as well as it's "availability".  If it's not available, you have nothing to control the 
secret.  If the data has been tampered, you (again) have nothing to keep secret.  The levels of confidentiality are 
dependent upon those 2 principles (using your ISC(2) security model).  Expanding on the security model, to me, 
"intelligence" carries a fair share amount of weight, as does "information" itself.  The reason for mentioning 
"information" is that if it's useless "information", why bother protecting it?  Henceforth, why the U.S. government has 
both intelligence and information assurance offices.  The IA offices determine if the information is useful.  The 
intelligence offices determine how it should be determined (I know that sounds circular, but hey, welcome to the 
redundant world of redundant systems of a redundant world...confused yet?)  If businesses and government (alike) didn't 
agree with that statement, then we wouldn't have those 2 kinds of organizations throughout the world; therefore, the 
security model is inclusive to these 2 additional elements.

My quote for 2006: "The best security is no security that's needed."  Think about it... ;))

-rad

----- Original Message -----
From: Saqib Ali [mailto:docbook.xml () gmail com]
To: Jason Muskat [mailto:Jason () techdude ca]
Cc: Bob Radvanovsky [mailto:rsradvan () unixworks net], "Sadler, Connie" [mailto:Connie_Sadler () brown edu], email () 
securityabsurdity com, security-basics () securityfocus com
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."


> > Security has to be correct 100% of the time. One omission can lead to an
>
> I don't disagree with you. However aboslute security requires absolute
> non-existence of the information. For e.g. You can have IPS, IDS, DRM,
> TPM, AV, Firewall etc on your netowork, but as soon as somebody prints
> out that confidential document and tosses it in a garbage can, you
> security goes with it.
>
> Another e.g.: Everyone knows that one-time pad provides the "perfect
> secrecy". But then how did the British intercept the Soviet
> communications???? Soviet re-used the OTP, which allowed for
> statistical analysis and/or pattern matching. Re-using seemed pretty
> harmless at that time, but in retrospect it was a big mistake. Isn't
> everything in retrospect a mistake?
>
> Security has 3 core priciples Confidentiality(non-disclosure),
> Integrity, Availability(non-destruction). In in way Confidentiality is
> inversely propotional to Availability (i think). By making something
> available you are increasing the chances of its disclosure. So in
> theory 100% security is not possible.
>
>
> -- 
> Saqib Ali, CISSP, ISSAP
> Support http://www.capital-punishment.net
> -----------
> "I fear, if I rebel against my Lord, the retribution of an Awful Day
> (The Day of Resurrection)" Al-Quran 6:15
> -----------