Author: Pete

InfoSec

The CIA Triad: Availability

Open SignPreviously, we’ve introduced the CIA Triad and the components of its acronym: Confidentiality, Integrity, and Availability. We’ve already covered Confidentiality and Integrity, this time we’re going to cover Availability.

In the trinity of information security principles, known as the CIA Triad, ‘Availability’ is the leg that is most often easily attacked by “script kiddies” or ruined by our own success. Today, let’s unravel what Availability means in information security, its real-world significance, and the fallout when it’s compromised.

Understanding Availability

In the context of information security, Availability refers to ensuring that information and resources are accessible to authorized users when needed. It’s not just about having data; it’s about having data ready for use, unhindered by obstacles like system failures, cyberattacks, or natural disasters.

Ensuring Availability

Redundant Systems
These are backup systems that kick in when the primary system fails, ensuring continuous access to data. This would be very important if your system has a failure due to hardware failures. Do you have the ability for your active system to switch to another hot system, a warm system, or even a cold site? How quickly?
Regular Maintenance and Updates
Keeping systems updated and well-maintained to prevent downtime caused by software or hardware issues. Best way to stay out of trouble is to avoid trouble. You need to make sure you’re patched and your equipment is running well, as well as relying on things like SMART for hard drive health. This is also where knowing metrics like MTTF (Mean Time to Failure) are important. If you have components that are coming up on their expected shelf-life, you need to start mitigating now.
Disaster Recovery Plans
Preparing for the worst – from cyberattacks to natural disasters – to ensure rapid restoration of services. What do you do if something happens to an entire site? That can mean your local power grid if you’re self-hosting, or issues with cloud regions with the big providers (it happens… more than we’d like!). Just like with Redundant Systems, you should have Redundancy at both the micro and macro level for your system.

Real-World Examples

E-Commerce Platforms
Imagine an e-commerce site crashing on Black Friday. The lack of availability can lead to significant financial loss and customer dissatisfaction. All “scale-based” attacks don’t have to be Denial of Service (DOS) or Distributed Denial-of-Service (DDOS). Sometimes, you can DOS yourself by running a huge promotion or you can get squished by going viral on a site like Reddit.
Healthcare Systems
In healthcare, system availability can be a matter of life and death. If medical staff can’t access patient records promptly, patient care could be compromised. This is true at every leg of the chain. You don’t have to look too far into the past to remember the Healthcare.gov debacle where literally hundreds of millions of dollars were spent on a site that couldn’t stand up to everyone trying to sign up for “Obamacare”. You’d think those millions could buy you a few people who had worked at Facebook, Twitter, Reddit, Netflix, or somewhere where they might have had an idea how to ensure Availability through hard-learned lessons, but apparently not.
Banking Services
If an online banking platform is unavailable, customers cannot perform transactions, leading to frustration and potential financial complications. We just take this one for granted because banks have gotten so good at this, but imagine if you went to the store and tried to use your card and your bank (and just your bank) wasn’t playing ball today. I’ve been in stores where the “Credit Card Machine” was down, but I can’t think of one time that I couldn’t use my banking features due to my bank having an issue. I’m not saying it never happens, but this might just be the rarest version of this because they take Availability very seriously.

The Consequences of Poor Availability

When systems aren’t available, the consequences can be dire. We covered that a little bit with the real world examples, but here are some consequences boiled down:

Loss of Revenue
For businesses, downtime often translates directly into lost revenue, especially for services that depend on continuous online presence.
Damaged Reputation
Customers expect reliability. Frequent downtimes can tarnish an organization’s reputation and erode trust.
Operational Disruption
In sectors like manufacturing or logistics, lack of availability in information systems can lead to halted production lines or disrupted supply chains.

Protecting Against Availability Threats

To safeguard against threats to availability, organizations should:

Invest in Robust Infrastructure
This includes not only having backup systems but also ensuring that the infrastructure can handle high loads and resist cyberattacks. This one can be expensive, so a lot of people short change it at the beginning of their journey. “I can barely afford one server, how can I afford to pay for a second one I may never need?” I get it… but accepting a risk doesn’t make it go away. This is one that you’ll want to mitigate as soon as possible.
Implement Effective Monitoring Systems
These systems can alert administrators to potential issues before they cause downtime. Have you ever wondered what people are doing in Network Operations Centers (NOCs) and Security Operations Centers (SOCs)? This.. they are doing this. They are keeping their fingers on the pulses of all of the logs and metrics behind the systems, hoping to find signs of intrusions and failures and prevent them or respond as soon as possible.
Regularly Test Recovery Procedures
Regular testing ensures that, in the event of a system failure, the recovery processes are effective and efficient. Netflix has their Chaos Monkey code that just randomly shuts stuff off to ensure they can handle that happening regularly. They were the first company I heard of doing such a thing. They’ve since open-sourced it to share with others to potentially make everyone stronger. According to them, “Chaos Monkey randomly terminates virtual machine instances and containers that run inside of your production environment. Exposing engineers to failures more frequently incentivizes them to build resilient services.” Yep.

Conclusion

The ‘A’ in the CIA Triad – Availability – is a crucial component of information security. In our interconnected world, where we depend on instant access to information, ensuring that this information is readily available is as important as keeping it secure and intact. Knowing how to keep your systems running in the face of all that the world has to throw at you is vitally important and something you need to consider with your technology decisions.

InfoSec

The CIA Triad: Integrity

Wax SealPreviously, we’ve introduced the CIA Triad and the components of its acronym: Confidentiality, Integrity, and Availability. We’ve already covered Confidentiality and this time we’re going to cover the often overlooked Integrity.

In the world of information security, the CIA Triad is a model designed to guide policies for information security within an organization. While Confidentiality and Availability often steal the spotlight, today, we’re focusing on the often-understated ‘I’ of the triad: Integrity. It’s all about maintaining the trustworthiness and accuracy of data. Let’s explore why Integrity is pivotal and the real-world implications when it’s compromised.

What is Data Integrity?

Data Integrity in information security refers to the reliability and trustworthiness of data throughout its lifecycle. It’s about ensuring that information remains unaltered from its source to destination as well as during storage, retrieval, and processing.

Means of Ensuring Data Integrity

Here are some of the practical ways that we can ensure data integrity:

Hashing and Checksums
These are mathematical algorithms that create a unique digital fingerprint of data. Any alteration to the data changes this fingerprint, indicating a potential compromise. For sensitive files, you can create a checksum when the file is created. You publish those checksums and when you download the file or access it again, you can recreate the checksum and see if they match. This is very common when downloading software from reputable sites.
Access Controls
Limiting who can alter data ensures that only authorized personnel can make changes, reducing the risk of malicious alterations. This one can be a little less obvious, but basically it is a lot harder to add an article to NyTimes.com than it is to edit a Wikipedia page or publish a post on Reddit. That helps ensure that NyTimes.com contains only the information the owners want it to and ensure that it isn’t changed to represent something different from that.
Version Control Systems
These systems track changes to documents or codebases, allowing the recovery of earlier versions if unauthorized changes are detected. If you’re a software developer, this isn’t only Git or the equivalent. This also includes Track Changes in MS Word and file versioning inside something like DropBox or Sharepoint. Because every change is tracked and the details are recorded, this makes it less likely that the change can go unnoticed, or that it would become irrevocable.

Real-World Examples

When and how would we see this in play? And why would we care in our personal lives? Consider:

Financial Transactions
Imagine transferring money online, but the transaction details are altered, sending your funds to a hacker’s account. If integrity checks didn’t exist along the way, no one would know where the transfer went or that it wasn’t your original intentions. Integrity controls in banking systems are crucial to prevent such occurrences.
Healthcare Records
A patient’s treatment plan is based on their medical history. If this data is altered, it could lead to incorrect treatments, posing serious health risks. If there was no integrity around the records, imagine the disaster that could occur if a malicious agent removed dealdly allergies from a patient’s file. The patient could easily die.
Legal Evidence
In legal proceedings, the integrity of evidence is paramount. Any tampering with digital evidence can lead to wrongful convictions or acquittals. This is the same deal as the Healthcare Records. What if someone could create/update/delete evidence or even just tamper with the chain of custody documents to have the evidence thrown out?

The Consequences of Compromised Integrity

When data integrity is breached, the results can be catastrophic:

Financial Loss
In the business world, altered data can lead to incorrect financial decisions, affecting a company’s bottom line. You could topple markets if you could change the data in financial reports published to the market.
Mistrust and Reputation Damage
When data integrity is compromised, it can erode trust in an organization, damaging its reputation and leading to loss of customers or partners. How long would you stay with an organization that greeted you by the wrong name when you signed in, showed the wrong order history, and the wrong demographics? Or if the doctor discussed procedures or diagnoses that never occurred? You’d be out in a minute, talking bad about them to anyone who would listen!
Legal and Compliance Issues
Many industries have regulatory requirements for data integrity. Violations can lead to legal penalties and fines. Imagine if SEC reports, EPA reports, OSHA reports all contained incomplete or erroneous data. Someone would be on Larry King in bad way.

Protecting Against Integrity Threats

So now we know what can happen if we do it wrong, but how do we do it the right way? Protecting the integrity of data involves:

Regular Audits and Monitoring
Regular checks can detect and rectify any integrity issues before they escalate. This assumes that you know the “truth” to compare things to. This includes looking for data changes, unauthorized file access, revisiting permissions regularly, and taking Blue Teaming seriously.
Education and Awareness
Training staff on the importance of data integrity and the risks associated with data tampering. People don’t know what they don’t know. You have to make sure your staff is aware that this is important and that they follow procedures around Integrity.
Implementing Robust Security Protocols
This includes using encryption on your data, robust access controls, and secure backup systems.

The integrity of data is a cornerstone of information security. As more and more of our personal and professional lives are online, the accuracy and reliability of our data are more critical than ever. Understanding its importance, implementing measures to protect it, and being vigilant about potential threats are key steps in safeguarding the integrity of our information.

In a world where data drives decisions, let’s ensure the decisions are based on uncorrupted, trustworthy information.

InfoSec

The CIA Triad: Confidentiality

Spy Dressed in TrenchcoatDuring our introduction in the last blog post, we mentioned the “CIA Triad” and gave a quick rundown about what it is. As a reminder, it’s not related to any government agency; rather, it stands for Confidentiality, Integrity, and Availability – three pillars of infosec. Today, let’s zoom in on the first pillar – Confidentiality – and unpack its significance, with a sprinkle of real-world examples and what happens when it fails.

In the simplest of terms, confidentiality in information security refers to the practice of ensuring that information is not made available or disclosed to unauthorized individuals, entities, or processes. It’s about access and exposure control. Whether it is personal data, corporate secrets, or sensitive government information, confidentiality aims to keep it under wraps from those not cleared to view it.


The Mechanisms of Ensuring Confidentiality

Encryption
This is the process of encoding information so that only authorized parties can decode and access it. When you send an encrypted email, for instance, you’re ensuring that only the intended recipient with the right key can read it. Confidential data should always be encrypted at rest and in transit.
Access Controls
These are policies and technologies used to restrict access to data. Some examples passwords, biometric scans, or even simpler methods like locked file cabinets. Basically, we know that certain people are only allowed to access certain information. How do we first create a yes/no list and secondly, how do we make sure that you’re the person represented on the list?
Data Classification
By categorizing data based on its sensitivity, organizations can apply appropriate confidentiality controls. This is the easiest way to apply access controls broadly.
Pete can see public data and sensitive data, but not confidential or proprietary data. Luke can see public, sensitive, and confiential, but not proprietary. Jayson can see all kinds. Appropriate classifications can make access easier to maintain.

Real-World Examples

Healthcare
Under regulations like HIPAA in the U.S., patient health information must be kept confidential. Hospitals use secure databases with strict access controls to store patient records.
Banking
Financial institutions employ encryption to protect customer data during transactions. Your online banking session is an example where confidentiality is key to safeguard your financial information.
Legal Sector
Attorney-client privilege is a form of confidentiality. Communications are often encrypted to protect sensitive legal information from being accessed by outside parties.

The Consequences of Confidentiality Breaches

Now, what happens when confidentiality fails? The repercussions can be severe:

Identity Theft
If personal information like social security numbers or credit card details is leaked, individuals can face identity theft, leading to financial loss and a long road to credit recovery.
Corporate Espionage
For businesses, a breach of confidentiality can mean leaking trade secrets, resulting in a competitive disadvantage or even financial ruin.
National Security Threats
On a larger scale, if government secrets are exposed, it can lead to threats against national security and diplomatic relations.

Preventing Breaches of Confidentiality

The key to preventing breaches is a proactive approach:

Regular Training
Regularly educating employees on the importance of confidentiality and how to maintain it.
Up-to-Date Security Measures
Continuously updating security protocols and software to combat evolving threats.
Incident Response Planning
Having a plan in place in case a breach occurs, to minimize the damage.

Conclusion

In our increasingly digitized world, the importance of maintaining the confidentiality of information cannot be overstated. As individuals and organizations, understanding and applying the principles of confidentiality is not just a best practice but a necessity in safeguarding our data and, by extension, our digital identities.

Remember, a chain is only as strong as its weakest link. Let’s ensure confidentiality is a robust link in our information security chain.

InfoSec

A Primer on Information Security

Picture of a Safe Door
I’ve been spending a lot of time at work recently being involved in audits of our company’s security. Some of them we are paying for (3rd party pentesting), some are voluntary compliance (SOC 2), and some are from clients doing their due diligence on vendors. In conducting and discussing the requests and our answers, it occurred to me just how vital that having a good understanding of Information Security is becoming table stakes to be in the industry, whether you’re a budding programmer, an aspiring entrepreneur, or just someone curious about the tech world. Let’s dive into the basics in the first post of what I hope will become a series.

What is Information Security (Infosec)?

At its essence, information security (infosec) is about safeguarding data from unauthorized access and alterations. It’s the practice of defending our digital valuables – be it personal information, business data, or governmental records. We live in a world where data flows everywhere, and just like dams ensure water flows in controlled and safe ways, infosec ensures data remains confidential, intact, and accessible only by those meant to access it.

Why is Infosec Important?

Imagine writing a personal letter and leaving it at a coffee shop. Anyone could read it, modify it, or take it away. That’s what the digital world is like without information security. With the invention and expansion of the internet, we’re more connected than ever. That means that our data – from emails to credit card numbers – is exposed to potential misuse.

The CIA Triad is a common model to use to talk about information systems. CIA doesn’t stand for the United States Central Intelligence Agency, rather it is an acronym for these concepts:

  1. Confidentiality: This principle ensures that sensitive information is only accessed by those who have the right to view it. Think of it like putting a letter in a sealed envelope rather than leaving it open for all to see.
  2. Integrity: Ensuring data remains unaltered during storage or transmission is vital. It’s like ensuring that the letter you wrote reaches its destination without anyone changing the words inside.
  3. Availability: Data needs to be accessible when needed. Imagine sending a letter and ensuring it reaches its destination on time for whenever the recipient wants to read it. Availability in infosec ensures that systems and data are available when required.

What’s at Stake?

Every day, new vulnerabilities and threats emerge. From ransomware attacks holding data hostage to data breaches leaking sensitive information, it can seem like we’re in a Wild West scenario. Companies of all sizes heavily invest in securing the data that they generate and are entrusted with by having dedicated security teams (both offensive and defensive) to constantly remain vigilant while finding their own weaknesses to fix before the adversaries do. This can take many forms, including monitoring, proactive Bug Bounty Programs to engage ethical hackers, simulated attacks, and tabletop exercises, to name a few.

If these companies fail, the results can be disastrous. Compromising one or more points of the CIA Triad can directly affect a company’s revenue and reputation. One great example of this is what happened to LastPass after they had a large security incident. Customers left in droves for other alternatives like BitWarden, 1Password, and KeePass. That certainly will hurt LastPass’ revenue, but even worse is that the attack directly harmed their customers’ finances. The Verge reported that there was a potential link was made between the 2022 data theft and a total of more than $35 million in cryptocurrency that had been stolen, due the fact that almost all victims were LastPass users. Those are sobering consequences.

Why Should You Care?

As we plunge deeper into the digital era, infosec isn’t just a concern for IT departments but is everyone’s responsibility. Understanding infosec can not only make you a more informed digital citizen but can also open doors to a thriving career path. Even if you’re not interested in becoming a cybersecurity specialist, you should look to secure your online presence. Your security is only as strong as the weakest link and you should do all that you can to not be that weak link, and the journey into information security can be rewarding and eye-opening.

What’s Next?

Embarking on the infosec journey equips you with the knowledge to protect not just your data but also contribute to a safer digital ecosystem. From teaching to policy-making to ethical hacking, the field is vast and ripe with opportunity. Over the next few posts, I hope to explore these points more in depth and talk more about what we in technology can do to sharpen these tools in our own toolkits.

Business of Software

10 Tips for Managing Technical Debt

Throughout my career in software, I have learned that technical debt is not just an unavoidable consequence of software development, but a necessary part of it. To innovate and grow, sometimes we need to make strategic decisions that trade what I often term “the practical for the perfect”. However, if you never pay it down, technical debt can accumulate and become a barrier to progress. Here are some effective strategies that I’ve found in order to manage technical debt.

Tech Debt

1. Acknowledge and Track Technical Debt

The first step in managing technical debt is acknowledging its existence. It’s crucial to keep an open dialog about it within your team and make it part of the development process. Technical debt needs to be tracked work items in whatever system you work from (Jira, Trello, etc). Whatever you do, these decisions cannot just become “tribal knowledge” that can get lost with time. It should be documented what debt you incurred – and why – as well as what changes are needed when time is allotted.

2. Prioritize Debt Payment

All debts are not created equal. Some can cripple your progress and make your system impossible to change, while others are just a little annoying. Therefore, prioritizing which debts to pay first is essential. Just like paying of credit card debt usually involves some classification of interest rate, balance, etc, you should create a classification to rate and prioritize your technical debt across metrics that are valuable to you and your organization.

3. Regular Refactoring

Code refactoring is a critical practice in controlling technical debt. I encourage my developers to refactor as they go, which can often eliminate stray technical debt. For example, we may have created an inflexible “hack” method to get something done in the moment that was supposed to be a “one-time-only” deal. But, you know how those things go. Soon, there is a “second time only” and instead of making another “hack” method, we encourage a refactoring to make the first method more flexible and allow it to solve both scenarios (as well as future ones).

4. Dedicated Time for Debt Reduction

We’ve found it helpful to allocate dedicated time for addressing technical debt. Depending on the organization and the amount of debt, we have literally limited the amount of “new” work we would allow to be added to a sprint and included time for developers to work on tech debt work items. This not only helps in debt reduction but also encourages developers to take ownership of their code.

5. Continuous Integration

CI (Continuous Integration) can help prevent the accumulation of technical debt by catching problems early. Including an automated test suite that runs whenever changes are made gives developers immediate feedback if they’ve introduced an issue.

6. Code Reviews

Peer code reviews are an excellent practice to prevent the introduction of new technical debt. A second pair of eyes often catches potential issues that the original developer might have missed.

7. Invest in Training

Piggy-backing a little off of number 6… A well-trained development team is less likely to create technical debt in the first place. Continued training and learning is an investment to reduce future technical debt, as well as a great way to keep your team engaged and let them know that you’re interested and invested in their careers.

8. Quality over Speed

While it’s important to deliver quickly in a competitive environment, sacrificing code quality for speed is a recipe for technical debt. I tend to emphasize the importance of good coding practices, and remind our teams that “quick hacks” can and will cause problems down the line. It doesn’t mean that we can’t ever take a tradeoff, but we need to know the rules so that we can bend/break them strategically.

9. Documentation and Knowledge Sharing

Good documentation is another good way to control technical debt. Clear, concise, and up-to-date documentation of systems, architecture, and codebases reduces the chances of duplicating efforts or making uninformed decisions that can add to technical debt. Consider having knowledge sharing sessions within your team to ensure everyone understands the system and its quirks.

10. Tech Debt Retrospectives

Periodically, it is a good idea to have a Tech Debt Retrospective to consider the kinds of things that repeatedly add to tech debt and how the team is progressing on paying it down. This can be a useful way to see harmful patterns and create ways to prevent them.

(Bonus) Balancing Business Needs and Tech Needs

Lastly, it’s essential to remember that while technical debt should be managed, business needs often require making trade-offs. By maintaining an open dialog with the product team, we can strike a balance between delivering new features and keeping technical debt in check. We are paid to help the business, not just “build cool stuff” and “pad our resumes”. Falling too far to one side or the other can be a disaster. Too tech-focused and you can build something that is of no use to anyone (or worse… something that never gets finished due to IT Navel Gazing). Too business-focused and you build something that lacks utility for anything other than yesterday’s problems. Find the balance, learn to “speak business”, and find the compromises.

Technical debt management is ongoing and is about developing a mindset and behaviors that consider long-term implications while making short-term decisions. Remember, the goal is not to completely eliminate technical debt, but to keep it under control so it doesn’t hinder your team’s progress and your company’s growth.