Cyber security is arguably a buzzword. It is often used in a very broad and non-specific way: “Cyber security must be improved!”. But in recent years network and information security has become part of legislation (both at EU and national level), and especially in these cases it becomes important to be more precise. So what are possible definitions of “network and information security”? In this post I will go over some possible definitions:
Communications security and computer security: Network and information security means ‘security’ of the networks (or network systems) and ‘security’ of the information systems. In other words, Network and Information Security (NIS) includes communications security and computer security.
Works as expected: The word “security” in normal language means “to be assured of something”, something good: So network and information (system) security is about making sure that network and information systems work as expected (in a good sense). This implies that security is closely related to usability (user interface design, accessibility), standardization and system development (requirements analysis, software development). Think: The hot water knob is always on the left.
Not all security experts would agree with equating their work to sound system design. What are the typical things we expect from a secure computer system?
Au-Au-Au: Butler Lampson wrote a great paper on computer security. He reduced computer security to three main processes (the so-called Gold Standard, after Au, the symbol for gold in the periodic table):
- Authentication – Check who is interacting with the system (requesting access e.g.)
- Authorization – Check if this action is allowed (check clearance, access rules e.g.)
- Audit – Log the decision (allowed or not), so it can be audited later.
Let’s look at these three steps taking a simple website as an example. Step 1 is often implemented using a user password. Step 2 is usually implemented using a so-called (access control) reference monitor which checks if the user request should be granted. The third step (audit), is a kind of safeguard: No system is perfect. To allow administrators to verify if things went all right, the system must keep logs of past user actions and past access control decisions. Such logs can be reviewed manually (for example following an incident) or analyzed and acted on in an automated way (for example by blocking an account after three failed login attempts or by doing anomaly analysis using a tool like Splunk).
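The three steps applied to the website example, as an added illustration (not code from the original post): step 1 checks a salted password hash, step 2 is a tiny reference monitor consulting an access rule table, and step 3 appends every decision to an audit log. The audit trail is then acted on automatically by locking an account after three failed logins, as the post suggests. All users, passwords, rules and requests are constructed sample data.

```python
"""Added example: Authentication / Authorization / Audit on a toy website.
Users, passwords, access rules and the request sequence are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2, so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
USERS = {  # username -> (salt, password hash); constructed accounts
    "alice": (_SALT, _hash_password("correct horse", _SALT)),
    "bob": (_SALT, _hash_password("battery staple", _SALT)),
}
# Access rules consulted by the reference monitor: (user, action, object)
RULES = {
    ("alice", "read", "/reports"),
    ("alice", "update", "/reports"),
    ("bob", "read", "/reports"),
}
MAX_FAILED_LOGINS = 3


@dataclass
class System:
    audit_log: list = field(default_factory=list)   # step 3: every decision
    failed_logins: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def _audit(self, step, user, decision, detail=""):
        self.audit_log.append((step, user, decision, detail))

    def authenticate(self, user, password) -> bool:
        """Step 1: who is interacting with the system?"""
        if user in self.locked:
            self._audit("authn", user, "DENY", "account locked")
            return False
        record = USERS.get(user)
        ok = record is not None and hmac.compare_digest(
            _hash_password(password, record[0]), record[1])
        self._audit("authn", user, "ALLOW" if ok else "DENY")
        if ok:
            self.failed_logins[user] = 0
        else:
            # Automated reaction to the audit trail: lock after 3 failures.
            self.failed_logins[user] = self.failed_logins.get(user, 0) + 1
            if self.failed_logins[user] >= MAX_FAILED_LOGINS:
                self.locked.add(user)
                self._audit("lockout", user, "LOCK", "too many failed logins")
        return ok

    def authorize(self, user, action, obj) -> bool:
        """Step 2: the reference monitor decides; the decision is logged."""
        allowed = (user, action, obj) in RULES
        self._audit("authz", user, "ALLOW" if allowed else "DENY",
                    f"{action} {obj}")
        return allowed

    def request(self, user, password, action, obj) -> bool:
        """One web request: authenticate first, then ask the monitor."""
        return self.authenticate(user, password) and \
            self.authorize(user, action, obj)


def demo() -> System:
    """Constructed request sequence exercising all three steps."""
    s = System()
    s.request("alice", "correct horse", "read", "/reports")   # allowed
    s.request("bob", "battery staple", "update", "/reports")  # authn ok, authz denied
    for _ in range(3):
        s.request("bob", "wrong", "read", "/reports")         # three failures -> lock
    s.request("bob", "battery staple", "read", "/reports")    # right password, but locked
    return s


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

The audit log is what makes the lockout possible: the account is not locked by the password check itself but by a rule evaluated over past authentication decisions, which is exactly the kind of automated review the third step enables.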
It seems Lampson’s approach does not cover all security aspects. For example, continuity and availability are not explicitly addressed, nor secrecy of communications, or privacy of the user.
Client-Service view: Another way of looking at computer systems is to see them as service endpoints. Systems can offer any set of services, but typically they can be reduced to four basic actions users can perform on objects: create, read, update, delete (on some abstract object) – CRUD. This simplification is even a design methodology (or architecture principle) for distributed systems, called REST, and is the basis of the World Wide Web. Depending on the setting these 4 actions would require different permissions. In mandatory access control (a type of access control policy often used in military settings), for example, employees with no clearance can create classified information, but they need clearance to read classified data.
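The mandatory access control case from the paragraph above, worked out for all four CRUD actions as an added example (not from the original post). It follows the Bell-LaPadula reading of MAC, which I assume here: reading requires a clearance at least as high as the object's label (no read up), and creating, updating or deleting requires the object's label to be at least as high as the clearance (no write down), so an uncleared clerk may create a secret document but cannot read it back. Treating delete as a write is an assumption of this model; the levels, subjects and objects are constructed.

```python
"""Added example: mandatory access control decisions for CRUD actions.
Levels, clearances and object labels are constructed sample data."""
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}

CLEARANCE = {"clerk": "unclassified", "analyst": "secret"}   # subjects
LABEL = {"memo.txt": "unclassified", "plan.doc": "secret"}   # objects


def mac_allows(subject: str, action: str, obj: str = None,
               new_label: str = None) -> bool:
    """Decide one CRUD action under Bell-LaPadula style rules.

    read            -> clearance >= label   (no read up)
    create/update/delete -> label >= clearance  (no write down; delete
                       is modelled as a write, an assumption of this example)
    For 'create' the object does not exist yet, so the caller passes the
    label the new object will carry in new_label."""
    clearance = LEVELS[CLEARANCE[subject]]
    if action == "create":
        if new_label is None:
            raise ValueError("create needs the label of the new object")
        label = LEVELS[new_label]
    else:
        label = LEVELS[LABEL[obj]]

    if action == "read":
        return clearance >= label
    if action in ("create", "update", "delete"):
        return label >= clearance
    raise ValueError(f"unknown CRUD action: {action}")


def decision_table() -> dict:
    """Every (subject, action, object) combination, for inspection."""
    table = {}
    for subject in CLEARANCE:
        for obj in LABEL:
            for action in ("read", "update", "delete"):
                table[(subject, action, obj)] = mac_allows(subject, action, obj)
            for level in LEVELS:
                table[(subject, "create", level)] = mac_allows(
                    subject, "create", new_label=level)
    return table


if __name__ == "__main__":
    for key, allowed in sorted(decision_table().items()):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {key}")
```

The table makes the asymmetry the post mentions visible: the clerk can create at any level but only read unclassified objects, while the analyst can read everything but cannot update or delete the unclassified memo, because that would be a write down.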
What about CIA: There is a rather wide-spread tradition in the security field to take a data-centric perspective and to look at three security properties for the data: confidentiality, integrity and availability (of data). The CIA triad is also part of the ISO27000 standard which provides a vocabulary to speak about information security management systems. Many security experts say CIA is the foundation of security. It is good to keep in mind that CIA is essentially a data-centric view – not a service-oriented perspective. CIA works well when you are in a discretionary access control setting, using a data-centric perspective – for example file and folder permissions on a file-sharing server.
CIA++: It is not uncommon to see mixed definitions or extensions of CIA: CIA plus some other computer security principles. Many have argued that CIA needs to be extended with the principles of authentication and accountability/non-repudiation.
EC definition: The EC offers a definition in one of its first communications about network and information security (COM 2002/298). The definition shows the shift from data-centric to service-oriented perspective of some years ago: “Network and information security can thus be understood as the ability of a network or an information system to resist, at a given level of confidence, accidental events or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems.” It is important to stress that in that definition the EC takes an all-hazard approach: Not only attacks are in scope, but also errors, power cuts, storms, etc. Anything that could affect networks and/or information systems.
Protocol view: Finally one could look at interactions between systems as protocol runs. Such a view can be very useful when analyzing interactions between multiple parties (merchant, vendor, customer, e.g.) or multiple subsystems (single sign-on systems e.g.). From a protocol-flow perspective system security becomes more like a protocol analysis problem. In protocol analysis security properties are split in two main classes:
- Liveness properties (white): Something good happens, most of the time, e.g. continuity, availability of the service. Authorized user requests get the correct response, and in a timely manner.
- Safety properties (black): Something bad never happens, e.g. unauthorized access. Unauthorized user requests never get one.
This division highlights the classical trade-off in network and information security: liveness or safety. Outside the protocol analysis community the term ‘safety’ has a different meaning (see next paragraph).
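To make the two property classes concrete, here is an added example (not from the original post) that checks a safety property and a liveness property over constructed request/response traces. A safety violation shows up at a single event of a finite trace; a pure "eventually" liveness property can never be refuted on a finite trace, so the checker turns it into a bounded one with a deadline, which is an assumption of this example. The last trace shows the trade-off the paragraph mentions: a service that denies everything is perfectly safe and not live at all.

```python
"""Added example: safety vs. liveness over constructed protocol traces.
An event is ("req", request_id, authorized) or ("resp", request_id, granted)."""
DEADLINE = 3  # max number of events between an authorized request and its grant


def check_safety(trace):
    """Safety: an unauthorized request is never granted.
    Returns the index of the first offending event, or None."""
    authorized = {}
    for i, (kind, rid, flag) in enumerate(trace):
        if kind == "req":
            authorized[rid] = flag
        elif kind == "resp" and flag and not authorized.get(rid, False):
            return i
    return None


def check_liveness(trace, deadline=DEADLINE):
    """Bounded liveness: every authorized request is granted within
    `deadline` events. Returns the ids that were answered late or never."""
    pending = {}          # request id -> index of the request event
    violated = set()
    for i, (kind, rid, flag) in enumerate(trace):
        if kind == "req" and flag:
            pending[rid] = i
        elif kind == "resp" and flag and rid in pending:
            if i - pending.pop(rid) > deadline:
                violated.add(rid)
    violated.update(pending)          # never granted at all
    return sorted(violated)


# Constructed traces
GOOD = [("req", "r1", True), ("resp", "r1", True),
        ("req", "r2", False), ("resp", "r2", False)]
UNSAFE = [("req", "r3", False), ("resp", "r3", True)]      # bad thing happened
STALLED = [("req", "r4", True), ("req", "r5", True), ("resp", "r5", True),
           ("resp", "x", False), ("resp", "y", False), ("resp", "z", False)]
DENY_ALL = [("req", "r6", True), ("resp", "r6", False)]    # safe, but not live


def verdict(trace):
    """Both checks together, as a practitioner would report them."""
    return {"safety_violation_at": check_safety(trace),
            "liveness_violations": check_liveness(trace)}


if __name__ == "__main__":
    for name, tr in [("GOOD", GOOD), ("UNSAFE", UNSAFE),
                     ("STALLED", STALLED), ("DENY_ALL", DENY_ALL)]:
        print(name, verdict(tr))
```

Note how the two checkers differ in shape: the safety check can stop and report the moment it sees a bad event, while the liveness check only knows a request was never served once the trace (or the deadline) runs out.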
Security versus safety: It is easy to confuse security and safety. In everyday language they are synonyms. In most information security literature, however, the first really means that things go as planned, as expected, while the second means that things are safe too. When speaking about ICT (websites, smartphones, et cetera) safety often means ‘free of harm’. Let’s take the water tap as an example: Security means that the hot water knob is on the left and red. Safety means the water does not come out too hot (not more than 60 degrees) to prevent people (children, e.g.) from hurting themselves.
Network and information security incidents: Often it is useful to speak more specifically about network and information security incidents. A typical definition goes as follows: A network and information security incident is an unwanted or unexpected event (or series of events) which could impact the security of network and information systems.
This definition is very similar to the one used in ISO standards (ISO27005 to be precise). It is also in line with the scope of risk management standards like ISO27001, which covers not only cyber-threats (computer viruses, etc.), but more generally threats which could affect the security of networks and information systems.
Note again that this definition includes things like near-misses and increased risks. It is already an incident, even before it has an impact. For example, if someone discovers a vulnerability in some software then this could be considered an NIS incident, even before an attack happened. A clear advantage of speaking about security incidents, instead of security, is that it is more to the point: here are the incidents we don’t want.
Threats: A threat is an event or a series of events which could cause an incident. Another word for threat is cause. So in NIS the relevant threats are those threats that could cause an NIS incident (see above).
Network and information risks: The word risk is perhaps the fuzziest term of all. Formally speaking, the risk associated with a threat is a measure of the likelihood that this threat materializes multiplied by the impact this threat would have. A risk is a number which comes with a threat. But in practice the words risk and threat are often mixed up. Often when we say ‘let’s look at all the risks’ we will start by enumerating all relevant threats. Per threat we will then look at the associated risk (low, medium, high, for example).
Do you know more ways to split/define network and information security? Do you know better definitions?