v-research/cybersecurity

Boris Taratine's doubts


Boris Taratine:
"I am not sure whether weakness/vulnerability is an absolute category or rather relative to the presence of an actor.

I am also not sure whether all weaknesses need to be understood, especially if we would be unlikely to know them all.

Also, perhaps 27001 is consistent with a general understanding of cybersecurity; what I am in doubt of is whether a general understanding of cybersecurity accurately describes the nature of the phenomenon."

Discussion on LinkedIn.

For simplicity, I won't focus on social engineering attacks and will focus on software (SW), even when I use the more general term system.

Any weakness exploited by an actor is a behavior of the system (SW). The actor just plays the role of executing it; the rest is psychological. The fact is: (A) a behavior of the SW is there, and (B) we didn't expect it, or (C) we didn't expect its effects on other systems. Your first question deals with architectural/intensional weaknesses.

My answer to your challenge (1) is: absolute. We may not be able to predict all the actions of an active attacker, but we can categorize them based on their consequences/effects on systems' behaviors (maybe even in the case of social engineering attacks).

Challenge (3) asks: does a general understanding of cybersecurity describe the phenomenon? If phenomenon = cybersecurity then, tautologically, yes.
So let us change your third question into: (3.1) is there, today, a general understanding of cybersecurity? And, if not, (3.2) can we ever reach it?

If, e.g., CIA (and the infosec view of 27001) is taken as correctly identifying secure systems, this is an axiom (or rather a dogma). Its opposite should be taken as a determination of insecurity = not(security) = not(CIA(system)). The fact that no one has an acceptable metric to distinguish (cyber)security from insecurity in general leads us to the following inconsistent conclusion. If there is a metric s.t. A is secure and not A is insecure, we should suspend any judgment (and insurance on cybersecurity should always be fairly priced... Pfff, that already proves the point). And this metric implies that we have a choice between a belief (related to the aforementioned dogma) in security or in insecurity. But this doesn't seem to be possible (as in Herley's paper), because we hold beliefs of security (a system which is believed to be, even just, confidential) and then we find ourselves wrong. So, to 3.1: no, there is no cybersecurity theory describing the phenomenon, but (to 3.2) this doesn't imply that there is no such thing as a general theory of cybersecurity.

This helps us with challenge (2), which is rather religious (I smell the following doubt: if knowledge is the finite construction of a concept/weakness, and if my general understanding is an extensional property of a system, then we are unlikely to know the weaknesses). The argument so far shows that our belief in CIA drives us towards policies and procedures that are expensive, and towards systems where CIA is believed to hold but doesn't. This holds even when the failure is not due to the customer (e.g. a customer with perfect 27001 compliance), as in the case where a confidentiality issue is due to a lack of understanding on the part of the designer of the confidential system.

The answer to (2) deals with a concept (cybersecurity) and its limit (our knowledge of it, e.g., given a specific system). Take an open set limited by a function as representing an understanding of cybersecurity (so assume a negative answer to (2) due to the limiting definition, and not due to a "certain" and finite logic or construction): what is this limit? What is this function? These types of questions cannot be decided in general, due to some Rice, Gödel and Turing :), but we are not at this stage of evolution yet. There is no agreement on what a system is (its architecture as a syntactic object). We also don't agree on what a system does (its behavior) as a function, but this is another game. Let's focus on the fact that we don't agree on which of the many mathematical objects can be taken as representative to express security-related concepts such as CIA or 27001. Well, there aren't so many objects at this level... Natural numbers, zero and successor? Euclidean point and line? The existence of a primitive function and a connection between functions? They all create a structure which can be investigated to obtain CIA guarantees in an automated, numerical way. Furthermore, an analysis related to CIA and 27001 (not just a verification) over such structures is not just a matter of expertise, but is expertise which produces facts (they really can just be tested or falsified but... you know... give it or take it). Current expertise is worth a fortune in the current market; that is the economic value of such an enterprise. Hard and impossible are two different things.