DoS == Vulnerability?
I think that a Denial of Service condition is a vulnerability, but lots of other people don’t. Last week Dave G. over at Matasano [link to http://www.matasano.com/log/725/when-did-denial-of-service-attacks-stop-being-vulnerabilities/ no longer works] posted a seemingly very simple explanation that nicely sums up the way I’d always been taught to think about these sorts of issues:
The ability to halt or shutdown most modern operating systems usually requires credentials (you must have an account or be on console) and privilege (you must be in the wheel or admin group). If you can bypass authentication and authorization requirements and cause a machine to panic (let alone gracefully shutdown), then I think we have a security problem.
Security being the contentious field that it is, plenty of folks didn’t agree with his assessment. The discussion in comments (now up to 32) is well worth reading and brings up some great alternative viewpoints. Where do you stand on this issue?
Some alternative viewpoints, yeah, but the folks arguing in absolute terms that DoS vectors don’t constitute vulnerabilities are completely out to lunch.
The Information Assurance Directorate at the NSA has been saying some interesting things on this for a couple of years now. The long-standing view is that Confidentiality is at the top of the C-I-A list and Availability is at the bottom. Modern thinking, however, is reversing the list to make it A-I-C.
There is recognition that, for military and national security purposes, not having the right information available to the right people at the right time can often be far more damaging than a compromise allowing information to fall into the wrong hands. It sounds strange to see the NSA downgrading the importance of secrecy, but there have been some hard lessons on this in recent history. I sometimes wonder how this might have played out in that organization’s internal politics.
The Global Information Grid is a product of this thinking. Richard Bejtlich, in his blog, occasionally touches on what is going on in that quarter.
http://taosecurity.blogspot.com/2005/09/iatf-discusses-availability-and.html
http://taosecurity.blogspot.com/2006/10/thoughts-from-iatf-meeting.html
> reversing the list to make it A-I-C.
I can’t agree with that. Surely the wrong information is worse than no information – I can see a justification for I-A-C though…
After reading some of the comments from the Matasano post, I’m baffled at how dogmatic this industry can be. Information Security isn’t about protecting the electronic assets from tampering… that’s an acute view that leaves a lot of potentially damaging activity out of the “security” purview.
And as for CIA (or IAC or AIC or ICA or ACI), the order of the acronym shouldn’t matter. The importance of the three components is completely contextual and should be prioritized based on “business” need; whether that business be making money, or blowing stuff up! It’s conceivable that the priority order could change dynamically based on what the “business” drivers are.
All we are supposed to be doing in Security is providing clear information on the risks and implementing the controls that are dictated by the authorities who can put perspective on the usage.
There, 1st blog comment ever and rant over!