Information hazard


Throughout my time in the information security industry I have been puzzled by the ideological contradiction between what people in information security actually do and what they call their occupation.

There are no objective methods for assessing the security of an information system. Every existing method can either speak about danger ("this is not allowed, that is not allowed, here is a hole") or state that the system meets some set of requirements of some certification authority... And here, attention, watch the hands: compliance with those requirements gets called a security criterion. As in, "it passed certification under SFOD-12, therefore it is secure". The main thing is to have the piece of paper. And the authors of that piece of paper need only puff themselves up convincingly enough to assert with authority that nothing is more secure.

The reason lies in the non-constructive meaning of the word "security". What is a "secure system"? It is a system that lacks some part of the functionality (for example, one that does NOT provide access to information, or does NOT provide some function). Thus a secure system is one in which there is NO functionality OTHER than what is described in the terms of reference (TOR).

Translated into the language of mathematics: we take a finite set of functions (the terms of reference) and compute its complement. Complement with respect to what? This is the main question, and modern information security does not answer it. It is a complement taken within a set we do not know, one that is infinite (or, if finite, extends beyond the boundaries visible to us). Within this infinite set we describe individual kinds of attacks, bad configurations, design errors and so on, but that is the same as enumerating segments on the set of real numbers.

To make it perfectly clear, suppose we reduce everything to the number line. The segment from 1 to 2 is our functionality. Everything else is functionality we do not understand, the region of "danger".

Now a security expert arrives and says:

If we have 0, this is a zero vulnerability.
If we have e, this is an exponential vulnerability.
If we have π, this is a trigonometric-spherical denial of service.
If we have the segment from 10 to 99, this is a whole class of specific two-digit attacks.
If we have the segment from 100 to 999, these are three-digit attacks.
If we have attacks less than 2 but greater than 1, these are upper-boundary attacks.

Is the principle clear? An expert can publish an unlimited number of lists of any degree of detail, with any set of ranges, but he will never cover the whole set of real numbers with them.

This is precisely what information security does: it lists individual segments of an infinite set.

The discipline itself is perfectly understandable, necessary, important... right up until we start hearing something about "the security of the information system". That does not happen. No matter how many items are listed, they remain a finite count set against infinity. Talk about danger, yes. About security, no.

But the market demands security, and so in place of an honest "well, I can't tell you anything about security, but this, this and this definitely should not be done" comes a ridiculous wrapper: "the level of system security". ... We audited the system, and now it is not lim x → ∞ (2 / x) secure but lim x → ∞ (300 / x) secure.

At first glance 300 is greater than 2, so we can say the system has become more secure. On closer inspection, it was zero and it remains zero.

UPD: As commenters kindly point out, there is a certain "state of security", whose technical meaning I would very much like to hear...
