Michael R. Farnum

Hitting the Security Nerve

Should the security CIA triad be the... uhhhh, CI line?

There's been a pretty big discussion going on over at the Matasano Chargen blog about whether or not availability problems are properly classified when they are referred to as security issues. The discussion finds its source in a recent advisory about a buffer overflow vulnerability in OpenBSD that could cause the attacked server to crash and burn. Here's a quote from the advisory on how the OpenBSD team responded when they received the information on the vulnerability:

2007-02-26: OpenBSD team communicates that the issue is specific to OpenBSD. OpenBSD no longer uses the term "vulnerability" when referring to bugs that lead to a remote denial of service attack, as opposed to bugs that lead to remote control of vulnerable systems to avoid oversimplifying ("pablumfication") the use of the term.

The old-school security guy in me wants to push up my sleeves and hold up my fists at such heresy. Just because a bug does not lead to remote code execution does not mean it is not a security issue. There are too many problems that can be caused by shutting down a system. Often this type of attack is merely used as a distraction, or possibly as a way of entry to attack other systems. If you are running an OpenBSD security appliance, doesn't an availability vulnerability turn on alarm bells? If a company instigates a DDoS against a rival to hurt its business, isn't that a security issue? Ivan (who I assume worked on the advisory team) comments on the blog post:

We consider a remote DoS a security issue not only because it has a direct effect on availability but also because a remote DoS can be a convenient building block for a composite attack (for those lacking in creativity: think DNS).

Security should always be looked at from the risk perspective. You can kill (almost) all risk of compromise of data by unplugging and turning off the system, locking it in a safe, and placing it behind a brick wall. But if you need the data to conduct business, then your risk mitigation techniques are shoddy, and so your security is faulty.
