Shaking foundations: are infosec paradigms in crisis?

I enjoyed reading Dan Geer’s lecture at the NIST science of security gathering.


As usual it is rather heady, academic stuff, but he levels that with clear flow and witty turns of phrase.

Venturing directly to the heart of the issue, he questioned the adequacy of prevailing paradigms in information security. Among the paradigms he doubted were the concepts of Confidentiality, Integrity, and Availability.

Some call this the C-I-A triad. We might trace the triad at least back to the “Comprehensive” (also called “McCumber”) model proposed in 1991. That model formed the foundation of infosec education for national security systems, and has spread from there. You can find the model in Annex A to NSTISSI 4011.

I tend to agree that the C-I-A triad is overused and not effective in some cases. At best, it is useful at design time — when you are deciding how to build security into a system, but less so for security operations — when you are trying to maintain that system in an evolving threat environment.

Let met give an example:

One time consuming security operations task is vulnerability and patch management. CVSS is the common vulnerability scoring system. The system relies on impact to confidentially, integrity, and availability, among other factors, to produce a score that theoretically helps defenders prioritize what vulnerabilities to mitigate.

Look at CVE-2010-2568 — the Microsoft LNK vulnerability. This vulnerability received a base score of 9.3 with a “vector” of (AV:N/AC:M/Au:N/C:C/I:C/A:C).

Interpreting the base score vector requires memorization of the categories and variables. A description of these can be found here. Of course, the more severe the variables, the higher the score.

In the case of vulnerability management, I don’t find the C-I-A jargon very useful at all. In theory you can map the C-I-A impacts to C-I-A requirements you’ve established for each software you operate, but I still don’t think it helps make decisions any more accurately or quickly than simply saying: “denial of service”, “arbitrary code execution”, “privilege escalation” or even “access to password hashes”. Which is probably how the researcher who found the vulnerability characterized it in the first place!

Various other criticisms have a been levied against CVSS. I don’t want to get into those here. My point is that using C-I-A as the basis for operational security decisions tends to confuse rather than simplify the issue.