Overcoming Security Superstitions
Pete Herzog
Hacker, Discrete Problem-Solver, and Straight-shooter. Available for special investigations, takedowns, evidence collection, digital clean-up, infiltration, and reputation and asset recovery.
Let’s talk about these weird new security patterns that emerged when we approached security as scientists.
Now Ancient Philosophers were the GOATs of this process. They’re like, hey humans sing and birds sing but humans can’t fly. So it can’t be the singing that makes them fly. It has to be something else entirely. Maybe it’s the feathers? But bats and bees can still fly and humans can’t, so it can’t be the feathers. And they keep doing this until technology and determination get them to the point of understanding the various things that need to happen to make flying a thing.
We could do that with security. Company ABC had firewalls and AV and got breached by phishing. But Company XYZ had only AV and didn’t get breached. So maybe it’s the AV they need to have. But company LMN had AV and micro segmentation and got breached. So it’s not the AV. The problem is that’s a very simplistic view and lacks a lot of details; as we know, security is about interactions, perspective, and context, and that view really has none of that. After looking at thousands of breaches like that I assure you there will be no patterns. Which is how the idea of best practices emerged and took hold of the industry like a superstition. When the world is scary and things don’t make sense most people stick to what didn’t have a terrible outcome.
Up until now, most of us have likely only seen security based on best practices. Those are somebody’s idea of what security tactics have worked in the past and then they assemble them like Avengers to make sure they have a hero that can counter each villain’s special attack. In security models we often call them pillars, principles, and cornerstones. There’s no science or understanding behind it, just the sweet smell of hope. It’s like security potpourri.
Because of that we knew we couldn’t use observation to find answers. We had to use analysis; the same analysis a medical examiner would use to treat a new illness. That meant instead of assuming we knew what it took to make security and mashing together controls to make new models from old ideas, we started with a blank slate. We asked fundamental questions.
Q. What is the goal we are trying to achieve?
A. We want to ensure a separation between an asset and a threat. We want that to scale to all types of assets and all threats. We need to prepare for all eventualities.
This allowed us to start our research with the Five Point Process, the means to analyze security across all possible Channels. A Channel is a form of interaction that requires unique knowledge, tools, and methods for interaction, like Physical, Wireless, Human, Data Networks, Applications, AI, and so on. This means the attributes representing each control should not be unique to a specific technology and can be applied to all means of interaction, including those not invented yet.
But what is a control?
OSSTMM defines a security control as an action that performs a defined operation to control a specific part of a process. (No wonder people say the OSSTMM reads like stereo instructions.) For example, Confidentiality is a security control which is defined as “Assuring discretion of intentions.” In this example, the operation might be for sending a message over the Internet and therefore the required Confidentiality control would be to use encryption. That way we assure only the sender and the receiver are aware of the contents of the message.
However, it doesn’t need to be encryption. You can choose any way that works best for you operationally to make sure that message is sent discreetly. Maybe you hide it in an image on a website. Maybe you send page and paragraph numbers from a volume of books that you share to create the message. And maybe you whisper it. You can pick any method of discretion that works for that Channel in your operations. However, if your method is found to not be discreet then, in OSSTMM terms, your Security Control has Limitations, which is the nice way of saying it sucks. But maybe the terms and conditions under which it sucks are good enough for you and for meeting compliance, then fine. It’s still a Control, but it’s just a bad one.
Now Confidentiality isn’t just a Security Control, it’s actually one of 15 possible security controls. Each control is just a descriptive name and is defined according to a table with a unique collection of attributes in each cell. The one we call Confidentiality just happens to have the attributes that best match what we recognize as making something discreet or Confidential.
In this case, the attributes that are listed in the cell that Confidentiality occupies look like this:
1. Time: Intent (occurs before the interaction)
2. Analysis Type: Inquest (we probe it for emanations)
3. Property: Narrative (a telling, reason for, intentions, presenting an understanding or situation that reflects a particular point of view or set of values)
4. Limitation: Exposure (allows for info leaks)
5. Engagement: Interactive (interacts with the threat)
6. Phase: Act (is an action, directly controlling operations)
7. Mirror: opposite of Transparency (the level of transparency to all operational parts and processes of the target and its environment. The fewer the parts or processes identifiable, the greater the risk)
8. Orientation: the Security Property of Insulation (no uncompartmentalized or unencrypted intentions, knowledge, or communications)
9. Influence: by Inception (Address opaque narratives by anticipating actions to determine and address anomalies)
Each of the 60 cells in the table has a unique set of these nine attributes. From those nine properties we try to figure out what to name the thing that fits there. In this case, what fits those attributes is a security control we call Confidentiality.
This is actually a lot harder to do than you can imagine. It’s a slow process like building a puzzle based on descriptions of a picture rather than actual pictures. Sometimes, the thing we think we know from our security experience is a little wrong. We had that problem with the definition of Authentication. We need to determine if we have the wrong name or if maybe we have been applying the control in the wrong way. Now if it’s way too wrong we know it can’t be Authentication and has to be something else. But maybe we have never seen that something else before. In which case we find a new word for it that doesn’t confuse anyone with a similar sounding security control. For example, we had this issue with the control Stabilization (determining and addressing changes in resources) which is similar to Integrity (assuring notification of a change in narrative).
Our method opened us to patterns that show us properties and controls that we hadn’t had before, like Containment (holding the interaction in isolation while denying resources), unknown Trust Properties like Importance (the priority at which the target handles the interactions. The lower the priority, the greater the risk.), and means of controlling things we don’t trust but have no authority to deny, like Simplicity (the target or its interactions are made simple and limited to its necessary usefulness or greatest benefit.).
From these attributes we have spawned a total of 30 Controls from 30 Properties of Security and Trust. It’s like a Periodic Table of Security, with each cell of the table having unique properties where we can predict what the control, if it could exist, would do.
From these 60 elemental ways to address all risks we can combine them into specific solutions comprising multiple controls to protect a specific Channel. And here is where it gets really weird: this table is just one layer. If we flip it over, we have a new layer for Attacks. The same attributes that work for defense also work for offense. Furthermore, this leads us to a negative layer, which we have yet to name, that seems to reflect Entropy and Latency instead of Passive and Active in the Positive Layer. There we can use the attributes to determine exactly how something can be vulnerable or how we can make an attack more difficult to address. We have just started scratching the surface.