A few years ago while I was working at Defense Cybercrime Center (DC3), one of my colleagues, Terrence Lillard, talked about the DDD triad in regards to what attackers want to do to an organization's assets. I haven't heard anyone outside of him using that term, but I think it's worth sharing. I participated in an awesome mini-conference event last week with the Metasploit Development team and this came up during my talk on Risk Management. When I asked the audience of seasoned security practitioners what the opposite of the CIA triad was, a few elements of the DDD triad were volunteered, but as a complete picture it was something new to them.
One of the first topics covered in Information Assurance training and certifications is the CIA Triad. CIA stands for "Confidentiality, Integrity, Availability", which are principles that you apply to your data and assets. I always thought that the CIA triad is a bit vague when it comes to protecting assets. A much easier way is to change your point of view to the attacker's mindset.
The attacker wants to do three things to your data, "Disclosure, Destruction, Denial", which is the exact opposite of the CIA Triad. I call this the Attacker's Triad. As defenders we need to get back to the basics of information assurance, because at times we are all over the place. We need to identify and classify assets: many organizations are trying to protect everything, and fail at securing anything. From a fundamental aspect organizations don't know what data or assets are critical to their business.
Disclosure is the opposite of Confidentiality. Organizations need to do assessments and categorize their data. This rarely happens; employees need to be aware so they can protect corporate assets. For instance the Department of Defense (DoD) classifies data as:
- Top Secret - disclosure would cause grave harm to country
- Secret - disclosure would cause significant harm to country
- Confidential - disclosure would cause embarrassment to country
- Unclassified - public dissemination
Companies usually wrap everything up into corporate "confidential" which leads to problems. Again, if you try to protect everything with the same level of security, you will fail. Corporations need to tier the confidentiality of their data in the same way the Government does:
- Confidential Level 3 - disclosure would cause grave harm to company (company closure)
- Confidential Level 2 - disclosure would cause significant harm to company (stock tanking, layoffs)
- Confidential Level 1 - disclosure would cause embarrassment to company (bad press)
- Public - public dissemination
Companies need to identify what disclosure of their assets means to them and their customers. They can then create prioritization for patching, hardening, etc. based on which assets need the most protection.
We also need to get out of the mindset that all compromises are end of the world: breaches should be categorized by the sensitivity of the data that was actually compromised. There have been breaches in the news lately where websites were breached; however, no non-public information was compromised, so the incident was not as severe as customers may have feared during the media frenzy.
Destruction is the opposite of integrity. Now that you've identified your assets and their criticality, you'll be able to determine what would happen if it was tampered with or deleted. Organizations should plan for both issues. They should ask themselves which assets an adversary would most likely want to tamper with or destroy. This is different for every organization: there is no cookie-cutter security model.
Denial is the opposite of Availability. Obviously when someone says "denial" the first thing you may think of is Denial of Service (DoS) attacks. DoS attacks in many cases don't cause significant damage to the business, though of course if your business relies on online sales, it will have a much greater impact. The point here is that you need to evaluate your situation. Obviously, if your customers can't access your website, it could be an issue, but in many cases disclosure of personal information would take a back seat to denial of their use. This is the most misunderstood item when it comes to network security coverage because anyone can be a victim of network saturation attacks.
Many organizations aren't evaluating what their assets are worth in regards to their business. They don't know what it will mean to their organization if their assets are disclosed, destroyed, or denied. This understanding should be the foundation of the organization's security infrastructure, incident response, disaster recovery, and business continuity strategies. In many cases, there are compliance regulations in place that will influence how organizations classify some of their data; however, compliance should only be viewed as a minimum effort: part of, but not equivalent to, a strategic security program designed to address and protect the needs of the business.
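As an added example (my own code, not part of the original post), the following Python models the idea above and the patch-prioritization point from the Disclosure section: each asset gets a separate impact tier for Disclosure, Destruction and Denial, findings are ranked by the worst tier they could reach, and an incident is rated by what was actually compromised rather than the asset's worst rating. The tier names, asset names and findings are constructed, hypothetical sample data.

```python
from dataclasses import dataclass
from enum import IntEnum

class Tier(IntEnum):
    PUBLIC = 0
    LEVEL_1 = 1   # embarrassment (bad press)
    LEVEL_2 = 2   # significant harm (stock tanking, layoffs)
    LEVEL_3 = 3   # grave harm (company closure)

@dataclass(frozen=True)
class Asset:
    name: str
    disclosure: Tier   # harm if the data is disclosed (vs. Confidentiality)
    destruction: Tier  # harm if tampered with or deleted (vs. Integrity)
    denial: Tier       # harm if made unavailable (vs. Availability)

    def impact(self, goal: str) -> Tier:
        # goal is one of "disclosure", "destruction", "denial"
        return getattr(self, goal)

@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    goals: frozenset   # which attacker goals the flaw would enable

def finding_priority(finding: Finding, inventory: dict) -> Tier:
    """Worst-case business impact if this finding were exploited."""
    asset = inventory[finding.asset]
    return max((asset.impact(g) for g in finding.goals), default=Tier.PUBLIC)

def prioritize(findings, inventory) -> list:
    """Patch/hardening order: highest impact first, then by asset name."""
    return sorted(findings, key=lambda f: (-finding_priority(f, inventory), f.asset))

def breach_severity(asset: Asset, compromised: set) -> Tier:
    """Rate an incident by what was actually compromised, not the asset's worst rating."""
    return max((asset.impact(g) for g in compromised), default=Tier.PUBLIC)

# Constructed sample inventory and findings (hypothetical, not from the post).
INVENTORY = {a.name: a for a in (
    Asset("customer_db", Tier.LEVEL_3, Tier.LEVEL_2, Tier.LEVEL_2),
    Asset("marketing_site", Tier.PUBLIC, Tier.LEVEL_1, Tier.LEVEL_1),
    Asset("order_pipeline", Tier.LEVEL_1, Tier.LEVEL_3, Tier.LEVEL_2),
)}
FINDINGS = [
    Finding("marketing_site", "outdated CMS plugin", frozenset({"destruction"})),
    Finding("order_pipeline", "single load balancer, no failover", frozenset({"denial"})),
    Finding("customer_db", "backup share readable without auth", frozenset({"disclosure"})),
]
```

A breach of the marketing site that exposed only public pages rates PUBLIC, while a defacement of the same site rates LEVEL_1, which is the distinction the post draws between a breach headline and the sensitivity of what was actually touched.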