A Matter of Integrity

05-29-2008

Protecting information confidentiality, integrity, and availability is the mantra of the modern information system security professional. We know this as the CIA Triad. It is surprising to me that we don't seem to fully support all three of these security services. Confidentiality is clearly important. We want to protect our assets from exposure. We exclaim the need for encryption and access control to prevent unauthorized access to sensitive information. We also understand the need for availability. A system which is unplugged, encased in concrete and stored in a vault might be secure, but it is not very usable or available. But what can we say about integrity? I think insufficient attention is given to this most important service.

The integrity service is apparent in a system when controls are in place which prevent unauthorized changes to information or to the system. Unauthorized changes to information include undesired overwriting or deletion of important documents. Changes to system parameters include modification of configuration files, but is that all? I believe that any process executing on a system should also be identified as a system parameter. Since most systems rely upon discretionary access control (DAC), processes executing in the context of a user could make any number of changes to the system according to that user's privileges. Given this line of thought, executing processes become a factor regarding system integrity.

Weaknesses in integrity can be used to circumvent controls protecting information confidentiality. Similarly, a lack of integrity can quickly lead to a loss of availability. This is frequently experienced in the presence of malware. Confidentiality and availability are voided in the presence of this type of unauthorized software. Spyware can steal keystrokes or files from a system. Trojans open backdoors and allow unauthorized access to a system in the context of a compromised account. Thus, a failure in integrity will, in many cases, cause a breach in confidentiality and availability.

All malware exhibits itself, one way or another, through a thread of execution on a system. However, our tools for detecting malware have limitations. Anti-malware tools are only as good as their signature database or their ability to detect anomalous behavior. Given this position, our first line of defense against breaches of system integrity involves preventing the execution of unauthorized processes. Since we cannot always determine whether a given process is malicious or not, we should simply stop those processes which are not authorized from executing at all. This would include all software which is not authorized and validated to run on the system. For instance, individuals should be prohibited from running executables, screensavers, or other tools which have not been previously validated by the security and/or operations staff.
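An added example of the validate-before-execute control the post argues for (this code is not from the post or the forum): the staff approves a manifest of SHA-256 digests in advance, and a small checker refuses to run any program whose current digest does not match its approved entry. The manifest format, the script name `report.sh`, and the constructed files are assumptions.

```python
"""Hash-based execution allowlist: run a program only if its SHA-256
matches an entry in a manifest that was validated beforehand."""
import hashlib
import os
import subprocess
import tempfile


def sha256_of(path):
    """Stream the file so large binaries are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(text):
    """Parse lines of '<sha256>  <program name>' (assumed format) into {name: digest}."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        manifest[name] = digest.lower()
    return manifest


def is_authorized(path, manifest):
    """Authorized only if the file's digest equals the approved digest for its name,
    so a modified or substituted binary carrying an approved name is still refused."""
    approved = manifest.get(os.path.basename(path))
    return approved is not None and approved == sha256_of(path)


def guarded_exec(path, manifest, args=()):
    """Execute validated programs only; returns the exit status, or None when refused."""
    if not is_authorized(path, manifest):
        return None
    return subprocess.run([path, *args]).returncode


def demo():
    """Constructed example: one approved script and a tampered copy with the same name."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "report.sh")
        with open(good, "w") as f:
            f.write("#!/bin/sh\necho report\n")
        manifest = load_manifest(f"# approved by operations\n{sha256_of(good)}  report.sh\n")
        os.mkdir(os.path.join(d, "other"))
        tampered = os.path.join(d, "other", "report.sh")
        with open(tampered, "w") as f:
            f.write("#!/bin/sh\necho report; echo injected\n")
        return is_authorized(good, manifest), is_authorized(tampered, manifest)
```

Wrapping `guarded_exec` around an interpreter or launcher gives the "validated by staff" gate the post describes without relying on malware signatures.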

Some may perceive this viewpoint as Draconian. Indeed, it is. The implications are far reaching, especially when we consider mobile code and Web 2.0. However, how can we claim that the CIA Triad is supported by a system when it can easily be circumvented by unauthorized processes? If we do not fully enforce system integrity, then we have little hope of enabling the other security services as well. Integrity cannot be preserved when unauthorized processes are allowed to execute in a DAC environment.

Part of that process involves the testing of new software for the system. Preventing the execution of unauthorized processes supports IT Governance laws and regulations. Thus, this should not be an issue for corporate and government agencies. Smaller organizations might have fewer regulations to worry about, but their operational risk of not enforcing system integrity will most certainly be elevated.

More surprisingly, I have also encountered security professionals who feel that allowing the execution of unauthorized processes is an acceptable business practice. Perhaps this is true in some environments. However, it is difficult to conclude that a system allowing the execution of unauthorized software will have sufficient countermeasures in place to guard against the loss of information confidentiality or system availability. Accurately measuring and validating a system's information assurance is problematic when unauthorized processes are allowed to run with little or no constraint.



As security professionals, we should have the integrity to point out to system managers the risks involved with allowing the execution of unauthorized processes. Although they may choose a dangerous path, it is incumbent upon us to point out the risk involved with allowing this activity and to advocate the need to prevent the execution of unauthorized processes.
