[Disclaimer: I do not claim to be an expert on IS or IA. All information provided is for informational purposes and as a foundation to an opinion rather than any form of academic reference. Please use the references that are provided to make further use of the information contained therein. However, experiences in the field of networking and computer security in my specific environments have prompted me to document the information in this post.]
Security. It's on people's minds when surfing the web, using a network or worrying about privacy. It permeates our communication, transmissions, and even some daily routines. On the computer spectrum, since in most cases the end-user is running a Windows Operating System, it is reasonable to conclude that the question crosses every computer user's mind at one time or another: "Am I safe?"
I think there are common misconceptions thrown around on forums, social networks and among PC/Mac flame wars. The terms security, exploits, vulnerabilities etc. are often used with loose meanings. I've often seen, "if the PC users would switch to Mac, there would be a lot less problems with [insert exploit here]." Now this is not to say these comments are coming from security experts and those that should know better, at least I hope not. But judging by the comments I've witnessed, they seem to be misinformed people speaking to a misinformed audience.
First of all, why are there so many vulnerabilities constantly being found on a Windows OS? Well instead of simply looking at the way Windows operates, let's examine why a vulnerability exists in the first place. But if we're going to talk about vulnerabilities we will definitely need to talk about exploits right? And if we're going to talk about exploits, there would be reason to speak about payloads! We know vulnerabilities exist. We know exploits take advantage of those vulnerabilities. We know that the payloads determine how severe the vulnerability eventually becomes. So instead of talking about Windows containing "buggy or flawed" code or that it has a large market share or whatever other reason is often given, let us talk about more of the principles of security than the results of vulnerabilities, and perhaps it would give us a better understanding of why they exist anyway.
From my personal research and observation, there are three main divisions that in one form or another involve security: Computer Security, Information Security (IS), and Information Assurance (IA). Of course we as computer users are primarily concerned about computer security, though it is not unwise to also gain a little bit of knowledge on the other two, for two reasons: first, computer security is actually a branch of IS, and second, the other two existed before or at the birth of computer security. So even though they are not the same thing, some fundamental things are shared among them, either slightly modified or for a different purpose.
Let us first look at Information Security. Information security has existed for as long as any sense of "privacy" in humans has existed. Whenever it was that the first human breached trust, violated someone's privacy and exploited the information, you can bet that people began to worry about security. This really became apparent when writing became a common tool for communication. Then, when a mechanism for transmitting these messages was used (smoke signals, runners, coaches, letters, electronics etc.), the need for security was obvious. Its importance became much more evident throughout history when wars began. Intercepting information, breaching physical locations, and interrogation only magnified the need for security measures. In order to avoid some obscure history lesson, the point is that "security" has existed a long time, and from the beginning there have also existed "vulnerabilities" and "exploits" for such measures. People that implemented their forms of communication, information sharing and security did not take sides in flame wars: "my smoke signal pattern is more secure than yours!" Rather, as computer security enthusiasts should, they focused on the truth: all security is penetrable.
An example would be the well-known Caesar cipher. I say well known because I think at one time or another, as children, we've all seen "decoder" items or toys in cereal boxes or a box of Cracker Jacks; those were based on that particular cipher. Despite its simplicity, this way of protecting information was possibly very effective in that environment. The reason I say "environment" is because of the type of people he was trying to keep out of his information. Did they know the cipher? Probably not. Was it a highly common thing among those he was protecting information from? Not really. Some scrambled letters could easily have looked like a different language and have been unusable to his enemies.
Even though it is a primitive form of "encryption," an equally primitive form of brute force attack was the exploit for its vulnerability, even back in 50 B.C.! Technically speaking, if you came across such an encrypted message in our day, you'd understand it was encrypted. You wouldn't know immediately what encryption or what algorithm was used, but you could guess. In this modern age, with our wide access to free information, it would take a relatively short time to figure out what sort of encryption is used on a message. Really then, the principle has not changed. It is not a matter of how but when. Given enough time, anything can be cracked, but fortunately for most modern encryption, time is something humans do not have. So is the vulnerability gone? No, it is not; instead it has been made very difficult to exploit. So do any other vulnerabilities exist with modern encryption? Yes. One need look no further than the software that makes use of the encryption, or better yet, the users. It has been proven often that social engineering is a formidable foe, and it will continue to be so until humans are no longer prone to make mistakes, ever.
[For further insight on the discussed subjects see the following links: Encryption, Introduction to IS, and Software Security Engineering by Microsoft ]
There is of course much more to the workings of IS (e.g. hardware, physical, software), but that is well beyond the scope of the point in this post.
Note: Information Security is modeled on three main components, which are discussed under the next heading because of their close relationship.
Now let's look at Information Assurance. With IS, we were a lot closer to the security of information, but with IA we are actually a bit higher up and further from operation. This is because IA takes in a broader sense of risks that involve not only security, but availability, privacy, integrity and authenticity. There are actually a few more areas within IA's scope, but for this article we do not really need to touch on them. Since it is closely related to IS, I will use the CIA model of IS (not the government agency) to display a common core of components.
The "CIA" model consists of Confidentiality, Integrity and Availability. These are the main principles adopted by IS, but they are also instituted within the IA model of principles; as I said, with IA we are further back from the picture, looking at a broader sense of information.
The basic function of IA is to assess the object that is being protected. Remember, it is protected not only in a security sense, but also from disaster and manipulation, and for availability. (Privacy, Integrity, Availability.)
Once it is decided which assets are to be protected, it is next determined what possible risks exist, ultimately the worst-case scenario.
When such an evaluation is done, the IA personnel will not simply provide a solution to "proof" the information against any of the already existing vulnerabilities above, but will manage how to best protect the information with the least TCO. This applies not only financially, but legally (in a broad sense) and in effectively keeping availability.
Notice, however, that no effort is made to "100% proof" a system. Why not? Because quite frankly it would be unreasonable to do such a thing. Not only would it be unreasonable, but consider the resources it would take at the expense of TCO; and yet the system would still prove to be penetrable. Furthermore, have you observed a system that is vulnerability-proof? It then seems logical to conclude that, based on these two core principles, our argument should not be about who has the most "vulnerabilities" or "exploits" but rather about providing and making use of the security and other resources immediately available!
For further reading, the following links may be of interest: Department of Defense IA Implementation, DoD Instructions, Bell-LaPadula model, more on Computer Security models. Here is a paper on general security models, including the previously mentioned, at crazylinux.net
And then there was Windows. After these two brief non-exhaustive presentations, it would be foolish to sit on a particular Operating System because you think it is "more secure." You are lying to yourself. Rather you should be sitting on an Operating System because of your observance of how closely the above principles are applied, but first of all with yourself. Whether at the developer level, or at the end-user level, security measures can be implemented to a respectable degree that would make even the would-be hacker nod their head in respect. Even though still penetrable, respect for security as a whole would protect you in most cases. After all, it was respect for security that moved the above principles to be developed and implemented.
Though, back on the subject of the Windows Operating Systems, again, why do they have vulnerabilities? Is it simply because the code is "bad" or because another OS does a much better job? Or could it possibly be because it is well known? Is it because it is a target? Is it because the weakest links are easier to predict than are the encryption schemes? I believe these questions should provoke objective thinking on the subject on an individual basis rather than uninformed generalizations.
The fact and theme of this post remains the same. From the ancient days of security, though it has evolved over time into different forms, the reason it has had to change has never changed itself: vulnerabilities exist in all of them, and unless people cease to look for them, they will always exist. The more services are accessible, the more risks open up for breaching. The more exposure, the more chance there is. The more we think we are "safe," the more insecure we become. So again, it is not a matter of if or how, but a matter of when.