Why Information Security: D-UH!

February 8, 2011 · Posted in Information Security, Information Systems 

I almost always feel like saying “D-uh!” every time I see a heading for an article or book topic that says “Why information security” or “Why Security”. To me it is almost as nonsensical a question as “why do I need to breathe”. However, stepping back and looking at the big picture, that is really a wrong assumption. It is an internal bias, akin to me being surprised at meeting someone who still doesn’t have an e-mail address or a broadband connection. It boggles my mind that in this day and age of information security exploits and regulatory liabilities, I still meet programmers and developers who continue to spit out commercial products filled with so many holes that a 13-year-old script kiddie can easily slice through them like Swiss cheese.

That being said, the nature of my profession makes me a little bit more attuned to information security issues than perhaps the next guy (maybe not the guys sitting right next to me as I write this, considering that they do the same work as I do, but perhaps the next guy in the mall or something), and whether I like it or not it becomes part of my nature. To me, thinking about threats, vulnerabilities and risks is about as natural as breathing. This, however, is not true of the majority of digital innovators and users out there.

Security often takes a back seat behind functionality and ease of use. Often the key decision points on the marketability of a product rely upon the functionality and the ease of use of that particular product. How secure that product is (unless it is of course a security product) is often an afterthought. Market forces demand this and the bad guys know this. Facebook, for example, did not become famous because it assured its users that their privacy was protected or that their accounts were secure; it became the leading social network on the Internet because of all the functionality that it offers and how easy it is to use.

You can imagine these three key facets of security, functionality and ease of use in the form of a triangle wherein each facet represents a corner of the triangle. Now imagine placing a ball inside that triangle: as you move the ball closer to one corner, the farther it gets from the other two corners. What this essentially means is that the more you focus on security, for example, the more you will often sacrifice functionality and ease of use, and likewise you sacrifice security if you focus on either of the other two.

In essence, security is inversely proportional to functionality and ease of use. More often than not there is a tendency to sacrifice security in favor of either of the other two facets, even though in the back of our heads we know there could be potential trouble. What that potential trouble could be is often hard to see or decipher, and hence we assume that it is worth the risk.

So after that long intro, let’s get to the meat of this topic. So really, “Why Information Security?” (The security guy in me just yelled out “D-uh!”, but I’ll ignore him.)

There are obviously a multitude of answers to this question. I can imagine that even your everyday non-infosec person can probably list a good number of reasons, so I won’t dwell on each of them with specificity, but rather I’ll try to present it abstractly in the context of what security professionals call the Information Security Triad or the 3 Key Elements of Information Security: Confidentiality, Integrity and Availability, also known as the CIA of Security.

Not that you couldn’t just Google the definitions of these three, but I’ll be the good blogger and define them for you; besides, it helps build this blog’s keyword ranking, or so I hope:

  • Confidentiality
    • According to the International Organization for Standardization (ISO) in ISO-17799, which you could technically call the InfoSec bible, confidentiality is defined as “ensuring that information is accessible only to those authorized to have access.” In other words, keeping your secret a secret and not having it end up on Wikileaks or something to that effect.
  • Integrity
    • According to the Virginia Tech website, integrity is concerned with the protection against unauthorized modification or destruction of information: a state in which information has remained unaltered from the point it was produced by a source, during transmission, storage, and eventual receipt by the destination. In the simplest of terms, imagine a poster of a famous politician and a vandal who came in and drew a Pancho Villa mustache on the image. Now imagine a hacker having the ability to change a message. Julian Assange sends an e-mail to the President, “I would like to surrender.” Instead, the President receives, “I think you look good in suspenders.” Not cool.
  • Availability
    • In the simplest of terms, it is primarily concerned with ensuring that information is available to those who need access to it and are allowed to access it. Imagine wanting to check your credit card balance or wanting to pay your credit card bill online before you get dinged by interest and late fees, only to realize that the site is down because it was targeted by Wikileaks supporters with a denial-of-service attack.
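To make the integrity example above concrete, here is an added illustration (not from the original post) of how a receiver detects that a message was altered in transit: the sender attaches a keyed HMAC-SHA256 tag over the message, and the receiver recomputes the tag with the same shared key. The key and the two messages are constructed for the example; the message text is the one from the Assange anecdote.

```python
import hmac
import hashlib

# Constructed example key. In practice this is a secret shared only between
# the sender and the receiver; anyone without it cannot forge a valid tag.
SHARED_KEY = b"example-shared-secret-key"


def tag_message(key: bytes, message: str) -> str:
    """Compute an HMAC-SHA256 tag that binds the message to the key."""
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_message(key: bytes, message: str, tag: str) -> bool:
    """Return True only if the message is unaltered and the tag was made with this key.

    compare_digest runs in constant time, so the comparison itself does not leak
    how many leading characters of the tag were correct.
    """
    expected = tag_message(key, message)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Sender tags the real message; an attacker swaps the text but cannot fix the tag."""
    original = "I would like to surrender."
    tag = tag_message(SHARED_KEY, original)          # sent alongside the message

    tampered = "I think you look good in suspenders."  # modified in transit
    return {
        "original_ok": verify_message(SHARED_KEY, original, tag),   # True
        "tampered_ok": verify_message(SHARED_KEY, tampered, tag),   # False
        "wrong_key_ok": verify_message(b"other-key", original, tag),  # False
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Note that a plain hash without a key would not do here: an attacker who can change the message can just as easily recompute an unkeyed hash, so the receiver would accept the altered text. The HMAC also says nothing about confidentiality; the message travels in the clear, and protecting its secrecy is a separate job for encryption.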

I have mentioned Wikileaks several times in the previous paragraph because the recent news about this organization presents a really good case study on answering the question of “Why Information Security”.
