Ask anyone who works in Information Security what the initials CIA mean and they will say “Confidentiality, Integrity and Availability”. These are the three measures used to assess the impact that an unwelcome event would have on an asset.
When I train people, I talk about another more important Information Security meaning of CIA: Common Sense, Intent and Application.
Good Information Security requires everyone to use their common sense. Have you ever wondered why some people have common sense and others do not? Why some users remember strong passwords, and others would think it is OK to use their cat’s name and then write it down on a post-it?
This common-sense-imbalance used to worry me until the day I heard Ira Winkler give a presentation where he argued that “there’s no common sense without common knowledge” and you know, he’s absolutely right.
When users (and sometimes security professionals) do something that’s as far from common sense as can be, I’ve found it’s generally because we don’t share a common knowledge. For instance:
I know it is wrong to write your password down because it allows someone to easily logon to a system and perhaps do bad things while pretending to be you – that’s common sense:
they don’t understand why anyone would ever want to do this.
I know that writing the password to an encrypted file on the CD holding the file devalues the encryption – that’s common sense:
they don’t understand why the data needed to be encrypted in the first place and what encryption means, and decided that the password was less likely to get lost if they wrote it on the CD.
In Information Security we are all guilty of assuming that everyone understands threats and vulnerabilities in the same way that we do; but they don’t, which is why their common sense doesn’t match ours. To develop an instinct for good common sense, you need common knowledge – which means proper education for your users and for the whole of your Information Security team.
My dad used to have a phrase that really annoyed me when I was a kid. He’d say “If a job’s worth doing it’s worth doing well”—especially when my homework came back with C grades. I’m reminded of this whenever people talk about doing projects or initiatives in Information Security.
My experience is that it is a waste of time to be half-hearted about security. Worse still, it can have the opposite effect to the one you intended.
Take any simple control that’s documented in a process or a policy. If people see it’s not enforced, or has a variable implementation based on someone’s position in the organisation chart, then it sends the message that all controls are optional.
It is better to do a few things well, than lots of things poorly.
Implement security with a positive intent to do it well. If you know you’re going to make a half-baked attempt at a project, pick a simpler project you know you’ll do well.
Much in of what we do in Information Security is dull. Checking, maintaining, documenting, cleaning, auditing, testing – just making sure that what needs to be done is done and done well.
My observation is that people – and especially technical people – get more excited about playing with new things than they do about keeping the old things going. Sure, they might not describe it as ‘playing’ and use works like ‘evaluating’, ‘installing’ or ‘configuring’ but at the end of the day it is the challenge and excitement of learning the new that excites them.
Good security though isn’t always about the new. It’s about doing the tedious stuff well and paying attention to it. It is about:
- Checking the logs on a regular basis
- Making sure that the roles defined in the role-based access are correct
- Doing the lessons learned from an incident and following up the action points until they’re all completed
- Updating the DR documentation when you change a server configuration
- Cleaning the backup tape heads and verifying the backup worked properly
- Filling out the visitor book for the server room
- Writing the documentation for X before moving on to Y
- Chasing the last person who didn’t complete the Data Protection training course
It takes application from everyone in the team to keep on top of these and hundreds of other little tasks. It takes application from management to make sure it happens.
So there you have it. My alternative exposition of the CIA triad:
Common Sense: Invest in the security education of users and the IT team
Intent: Plan on doing each security project or initiative well
Application: Keep doing the dull things