Criminal IT: There's no cure-all for information security

It's no longer 'In God We Trust' but in data....

In last month's column, I described an argument for why computers might be considered intrinsically insecure - or at least, why a given program cannot be proved to be harmless before it is run, one possible form of insecurity.

If computers can therefore be considered by definition insecure, is that a good reason for why so many viruses propagate and why so many computer crimes occur? No, no more than one would blame losing the odd sock in the wash on Heisenberg's Uncertainty Principle, regarding the impossibility of knowing the position and momentum of a sub-atomic particle.

The intrinsic insecurity of computers - or of the mathematical model which is computation - is something of an extreme example. It says that there is no cast-iron, 100 per cent certain algorithm for evaluating a program other than to run it and to see whether or not it reaches a so-called 'halt state'. It says that to test a program it is necessary for that program to be run inside another, necessarily larger program, and that this program itself must be evaluated, inside a still larger one. But of course, there are other ways of defining and establishing the 'security' of an information system.

Information security is a cost - and there are two aspects to that cost. The first aspect is the most obvious one. Information security is established by the introduction of appropriate counter-measures to guard against potentially harmful situations. These counter-measures might take the form of firewalls, encryption, smartcards, tape backup systems and so forth, each one having an associated purchase, installation and maintenance cost; and each one guarding different aspects of confidentiality, integrity and availability of information resources.

These costs need to be justified, based on the expected exposure of those assets to different forms of risk, an evaluation of how likely or unlikely the risk might be in practice, and an assessment of how much the measures can do to protect those assets from the risks. This is classic 'cost-benefit' risk management, in which the only uncertainty is the probability of a given risk being realised. And of course, this is an uncertainty which can be removed if we could all agree to co-operate and share with one another our experiences with the different forms of risk.

The second aspect of the cost is, however, the more interesting one. For the hacker, the information security measures establish a form of cost associated with the difficulty or risk involved in breaching those measures. How much time does the hacker need to dedicate to the attempt? How likely are they to be caught and punished? What special software does the hacker need to create? Information security measures should protect the information assets, detect any security breaches and deter any attempts by emphasising how difficult they might be and how likely the attacker is to be discovered.

This creates a 'perceived cost' for the hacker - or the disgruntled insider or criminal intruder - indicating just how difficult, dangerous and expensive a given breach of security might be. Set against this, there is the 'perceived benefit' for the attacker - in terms of the money they might obtain or the satisfaction that they might gather for the particular incident.

'Security' then comes about where the perceived cost outweighs the perceived reward, and the attacker is dissuaded from the attempt - perhaps because other potential targets seem to be easier and more lucrative, or because the attacker realises they have a realistic prospect of being caught and punished. Security can therefore be established by ensuring that potential attackers are made aware of the risks and of the existence of suitable protective mechanisms - rather like the way that shops emphasise the existence of CCTV and their intention to 'prosecute shoplifters'.

There are other ways in which information security can be established for a system. Limitations can be placed on the activities and access capabilities of different processes within the computer system. Each element of data within the computer can have a number of access 'methods' associated with it - create, change, view, use and destroy, for example - and different processes can be provided with permission to use some or all of these methods depending on authentication and identification of responsible users. By sealing off different parts of the computer system - so that users cannot access administration tasks, and administrators cannot access user data - a steadily more secure environment can be created.

This is the basis of the widely used 'Orange Book' security scheme for determining levels of security, which can be used to develop ever more secure information processing environments.

Information security can therefore be established by the development of well-controlled environments, by the introduction of appropriate countermeasures and by an understanding of the real levels of threat and risk faced by the information.

The most important observation to recognise about information security, though, is that it is a process and not a property; it arises as a result of something you do rather than something that you have done. It cannot be bought as a commoditised product but needs to be implemented, managed, monitored and maintained over time. Perhaps it's as well that no program can be proved to be secure ahead of time; that it is necessary to ensure that the program's behaviour is monitored - so as to foster the realisation that information security needs to be worked at.

Given the levels of trust that our information-based society places in the computer, this security is becoming an ever more important element. Computer records help us judge the performance of our company and our staff, determine how much money we owe or are owed and even help to convict or exonerate defendants in a wide variety of different kinds of cases. Computer records have become the foundation of our society, the building blocks of our businesses and engines of state. It's no longer 'In God We Trust' but in data. As such, the data deserve to be as well-protected as we can manage.