Friday Basics: the CIA Triad

In information security (INFOSEC), there are several foundational concepts and principles. One of the first ones introduced is called the CIA triad or the Information Security Triad. While it may look like a version of the Triforce, this triad has nothing to do with a video game.

[Figure: the Confidentiality, Integrity, Availability (CIA) triad. Source: Requirements for cybersecurity in agricultural communication networks, Scientific Figure on ResearchGate. Available from: https://www.researchgate.net/figure/The-Confidentiality-Integrity-Availability-CIA-triad_fig1_346192126 [accessed 26 Apr, 2024]]

The three elements are defined as:

  • Confidentiality – Read access is restricted only to authorized personnel.
  • Integrity – Write (Add/Change/Delete) access is restricted only to authorized personnel.
  • Availability – The system or platform is available to authorized personnel when needed.

I usually expand “authorized personnel” to “authorized personnel via authorized processes.” This covers service accounts and accounts acting on behalf of a user, and it covers situations such as a database that is intended to be accessed only through an app, but where permissions allow a user to connect via Excel. The addition of “via authorized processes” makes clear that a user accessing via Excel would be in violation of the CIA triad. With respect to data, we’re used to CRUD (Create, Read, Update, and Delete) operations. Confidentiality covers the R of CRUD while Integrity covers the C, U, and D.
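To make the “via authorized processes” point concrete, here is an added example (not from the original post) that audits constructed session records against an allowlist of authorized (login, client program) pairs and maps each flagged CRUD operation to the CIA property it puts at risk. The login names, program names and the policy table are all assumptions made up for the example.

```python
# Added example, not the post's own code. Everything below (logins, client
# program strings, the policy table, the sample sessions) is constructed.

# Policy: which client programs each principal may use to reach the database.
AUTHORIZED_PROCESSES = {
    "inventory_app_svc": {"InventoryWebApp"},           # service account, app only
    "jsmith": {"InventoryWebApp"},                       # end user, app only
    "dba_mrivera": {"SQL Server Management Studio"},     # DBA tooling
}

# CRUD operation -> CIA property at risk when the wrong party performs it.
CIA_PROPERTY = {"READ": "Confidentiality", "CREATE": "Integrity",
                "UPDATE": "Integrity", "DELETE": "Integrity"}

def audit_sessions(sessions):
    """Return one finding per session that violates the policy.

    sessions: iterable of (login, program, operation) tuples, the kind of
    data you would pull from a connection log or an audit trail.
    """
    findings = []
    for login, program, operation in sessions:
        allowed_programs = AUTHORIZED_PROCESSES.get(login)
        if allowed_programs is None:
            reason = "unauthorized personnel"
        elif program not in allowed_programs:
            reason = "authorized personnel via unauthorized process"
        else:
            continue  # authorized person using an authorized process
        findings.append({
            "login": login, "program": program, "operation": operation,
            "property": CIA_PROPERTY[operation], "reason": reason,
        })
    return findings

# Constructed sample: the app and the DBA behave; jsmith pulls data into a
# spreadsheet client and edits it from there; an unknown login reads via a script.
SAMPLE_SESSIONS = [
    ("inventory_app_svc", "InventoryWebApp", "UPDATE"),
    ("dba_mrivera", "SQL Server Management Studio", "READ"),
    ("jsmith", "Microsoft Office Excel", "READ"),
    ("jsmith", "Microsoft Office Excel", "UPDATE"),
    ("contractor_x", "python-script", "READ"),
]

if __name__ == "__main__":
    for finding in audit_sessions(SAMPLE_SESSIONS):
        print(finding)
```

The first jsmith session is a confidentiality finding and the second an integrity finding, even though jsmith is an authorized user, because the process is not authorized.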

One of the things I talk about with other security professionals is ensuring Availability is met. I have been the overzealous security engineer who tightened down a system to the point where Availability was broken. That does the business no good. If I can’t access the system the way I need to when I need to, I might as well not have the system at all. And that’s why Availability is a key part of this security concept.

So if you ever hear anyone talking about CIA or the CIA triad with respect to security, this is what it means.

Going to Cloud? Look at the Shared Responsibility Model

The bottom line here is this: the idea that a CSP takes care of everything for you is a fallacy that really needs to die.

Thompson, Graham. All-in-One CCSK Certificate of Cloud Security Knowledge Exam Guide. Page 3. McGraw Hill. New York: 2020.

I was dealing with a situation lately where a group was looking at licensing a cloud-based resource, but no one had checked the cloud service provider’s (CSP) shared responsibility model. The group assumed the vendor’s model was similar to the bigger vendors. Turns out they were wrong.

One of the “must dos” when looking to on-board a new service offering from a CSP is to check the shared responsibility model. In some cases, a vendor may have a single model for all offerings, but that is not always the case. For example, with the CSP the group was looking at, there were two different service offerings and they had different shared responsibility models.

If you aren’t familiar with the concept of a shared responsibility model, here is the one for Microsoft Azure. Every CSP should have this, though you may have to ask for it. Never assume the CSP is going to take care of something for you. Verify what they will and will not handle with the appropriate shared responsibility model document.

Dealing with Change – Two Resources

As I look at the state of information technology today, I see one constant: rapid change. We all see it. For instance, if you had said two years ago that you knew generative AI would become a big deal in 2023, most folks would have looked at you like you were crazy. Yet here we are. And I know more drastic change is still coming. Quantum computing is moving forward. When it gets here in full force, the way we secure the Internet will be obsolete. I’m not exaggerating. Dealing with change is hard. Understanding how to handle and attack change is crucial. While this is the type of post I would normally put on my Goal Keeping DBA blog, the number of folks in IT I see struggling with change led me to post it here. Let me suggest two books that may help.

The first book is Who Moved My Cheese? by Dr. Spencer Johnson. This is a classic and it uses a fable with four characters, two mice and two humans the same size as the mice to describe how we respond to change. It’s a quick read, probably a single sitting. The characters encounter a major change and the rest of the fable is about how those characters handle that change.

Wrapped around the fable is a fictional high school reunion where one of the attendees relates the fable to his friends. Each friend is facing a situation of great change. Before the fable, we’re given a hint into some of the attendees’ situations. After the fable, the author presents the discussion of those friends and how they relate to the fable. This book has helped a lot of folks throughout the years.

The second book is the sequel to Who Moved My Cheese?, which is Out of the Maze. It is also a quick read. This book covers the story of Hem, the character in the fable who resisted the change. In the first fable, we never learn the fate of Hem. Out of the Maze looks at the story of Hem after the events of the first fable. It’s a positive take on the fact that even if we are like Hem, we can eventually come around to dealing with the change and get out of the maze altogether.

If you’re more of a visual learner, I did find an animated summary on YouTube that’s around 12 minutes in length which presents the fable from Who Moved My Cheese? along with additional explanation to help understand the fable better.

Note: The links to the books are Amazon affiliate links.

Tomorrow: Webcast on SQL Server security

Tomorrow, April 16, 2024, I will be giving another webcast; this one will be on SQL Server security. It’s scheduled for 1 PM EDT / 5 PM UTC.

Sign up link

As always, the registration is free. Here’s the abstract:

Data is the lifeblood for almost every organization. As a result, platforms like Microsoft SQL Server are high-value targets for attackers. However, knowing what to do and not do can be daunting.

In this webinar, we’ll walk through a framework to secure your SQL Servers from end-to-end. Starting with the install and walking through surface area, permissions, backups, encryption, and concluding with decommissioning, we’ll cover every area you’ll need to consider for your SQL Server environment. Where they are applicable, we’ll also point out industry good practices and where to find the documentation on them.

By the end of the webinar, you should leave with a plan for where to start, what’s most important, and where to go for more information to ensure you can properly harden and secure the SQL Servers in your organization.

RTO and RPO are myths unless you’ve tested recovery

[Image: AI generated image of a DBA crying]

I’ve watched teams spend a lot of time on backup strategy. They plan out the full, differential, and log backups to ensure they can successfully meet the recovery point objective (RPO). And they assume they can make the recovery time objective (RTO). There’s a second assumption, of course: that they can actually meet RPO, too. So that we’re all working with the same definitions:

  • Recovery Point Objective (RPO) – How much data you can afford to lose.
  • Recovery Time Objective (RTO) – How much time you have to get the system back on-line.

There are all kinds of reasons for not meeting RTO and/or RPO. Here are some of them.

  • Backup files are missing.
  • There were problems getting access to the backup files.
  • The backup scheme takes too long to restore.
  • The backup strategy is invalid.
  • The backup strategy would have been valid, but something occurs to break the strategy.
  • There is some additional step beyond standard restoring the database.
  • Security wasn’t properly backed up.

Sure, there are other reasons, but that just reinforces the fact that we need to test recovery. Test the most common scenarios, including the worst one: you’ve had to rebuild a database server from scratch and then restore from backup. If you don’t have a database server standing by, how long will it take to get one up? Until you’ve tested these scenarios, you don’t know for sure that you can meet RTO/RPO. Testing is the only way to ferret out any issues before the disaster or failure happens.
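As an added example (not from the original post), here is a dry-run check that walks a constructed backup catalog the way a restore would: latest full, newest differential, then log backups in order, stopping at the first missing file, and then compares the achievable data loss and estimated restore time against RPO and RTO. The catalog, file sizes, throughput figure and objectives are all constructed; it deliberately ignores post-restore steps such as re-mapping security, which is why it supplements a real restore drill rather than replacing one.

```python
# Added example, not the post's own code. Catalog, sizes, throughput and the
# RTO/RPO targets are constructed. Post-restore steps (re-mapping logins,
# app configuration) are not modelled: a real drill is still required.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Backup:
    kind: str           # "full", "diff" or "log"
    taken: datetime     # time the backup completed
    size_gb: float
    present: bool       # file still exists where the restore expects it

def plan_restore(backups, failure_at, rto, rpo, gb_per_min):
    """Return the usable restore chain and whether it meets RTO and RPO."""
    fulls = [b for b in backups if b.kind == "full" and b.present and b.taken <= failure_at]
    if not fulls:
        return {"ok": False, "reason": "no usable full backup before the failure"}
    full = max(fulls, key=lambda b: b.taken)
    # Newest present differential after that full; otherwise restore from the full alone.
    diffs = [b for b in backups if b.kind == "diff" and b.present and full.taken < b.taken <= failure_at]
    base = max(diffs, key=lambda b: b.taken) if diffs else full
    chain = [full] if base is full else [full, base]
    # Log backups must be applied in order with no gaps: a missing file ends the chain.
    logs = sorted((b for b in backups if b.kind == "log" and base.taken < b.taken <= failure_at), key=lambda b: b.taken)
    for log in logs:
        if not log.present:
            break
        chain.append(log)
    data_loss = failure_at - chain[-1].taken
    restore_time = timedelta(minutes=sum(b.size_gb for b in chain) / gb_per_min)
    return {"chain": [(b.kind, b.taken.strftime("%a %H:%M")) for b in chain],
            "data_loss": data_loss, "meets_rpo": data_loss <= rpo,
            "restore_time": restore_time, "meets_rto": restore_time <= rto,
            "ok": data_loss <= rpo and restore_time <= rto}

def sample_drill():
    """Constructed catalog: Sunday full, Wednesday diff, hourly logs, one log file missing."""
    wed = datetime(2024, 4, 10)   # a Wednesday
    catalog = [
        Backup("full", wed - timedelta(days=3), 100.0, True),
        Backup("diff", wed, 20.0, True),
        Backup("log", wed + timedelta(hours=1), 1.0, True),
        Backup("log", wed + timedelta(hours=2), 1.0, True),
        Backup("log", wed + timedelta(hours=3), 1.0, False),   # the missing file
    ]
    return plan_restore(catalog, failure_at=wed + timedelta(hours=3, minutes=30),
                        rto=timedelta(hours=2), rpo=timedelta(hours=1), gb_per_min=2.0)
```

In the constructed drill the restore fits inside RTO, but the missing 03:00 log backup pushes data loss to 90 minutes, so RPO is missed even though every scheduled backup ran.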

Webcast: How to Secure SQL Server – End to End Security

On April 16, 2024, I will be giving another webcast; this one will be on SQL Server security.

Sign up link


Tomorrow – Webcast on SQL Server Administration

I will be giving another Microsoft SQL Server-based webcast, this time on the administration of Microsoft SQL Server. The webcast is scheduled for March 26, 2024 at 1 PM Eastern.

Registration link (free): What a DBA Needs to Know about SQL Server Administration

Here is the abstract for the webinar:

The DBA role encompasses a broad range of skills and focus areas. One of those is SQL Server administration.

What does a DBA charged with SQL Server administration need to know to be successful? In this webinar, we’ll look at the key areas you should master if you’re charged with SQL Server administration: a secure installation, ensuring proper backup/recovery mechanisms to meet recovery time objectives (RTOs)/recovery point objectives (RPOs), securing access to SQL Server and the data contained within, baselining and performance monitoring, and finally, basic troubleshooting – where to look and what to look for based on the issues a particular SQL Server is experiencing.

Webcast on SQL Server Administration

I will be giving another Microsoft SQL Server-based webcast, this time on the administration of Microsoft SQL Server. The webcast is scheduled for March 26, 2024 at 1 PM EDT / 5 PM UTC.

Registration link (free): What a DBA Needs to Know about SQL Server Administration


Humble Bundle of Java Books

I try to keep an eye on the Humble Bundle bundles for books. The bundles serve two great purposes:

  • They allow you to get a lot of books at a price a whole lot less than if you had paid for them through normal retail sources. You get to choose the amount, though there are usually minimums depending on the number of books from the bundle that you want to get.
  • A part of the money goes to benefit a charity (which is clearly identified for the bundle). You can see exactly how much of the price you’re agreeing to pay will go towards said charity.

I was able to grab the Cybersecurity bundle, but by the time you’re reading this, that bundle will likely have expired (Monday, February 26, 2 PM Eastern time). However, there’s a week left on the O’Reilly Java 2024 bundle. There are 15 books in the bundle and you can get all 15 if you spend at least $25. $1 will get you 5 of them, and $18 will get you 10. Not a bad deal. This particular bundle supports Code for America.

David Kahn, legendary author, has passed away

I first saw this at Schneier on Security. David Kahn, author of The Codebreakers, has passed away at 93. The Codebreakers was considered the best book on the history of cryptography; so much so that it’s reported that the NSA tried to prevent its initial publication. Regardless of what happened in those early days of the book, Kahn was later scholar-in-residence for the NSA and was a Hall of Honor inductee.

I remember reading parts of The Codebreakers about 20 or so years ago when I was studying a lot of cryptography due to work research into public key infrastructure (PKI) as we were looking at deploying certificate services where I worked. I think it’s time for a re-read.
