Old school rules, new school tools

By on
Old school rules, new school tools

It was a great security conference. The sponsored lunch had gone down a treat, the wine was excellent. The next speaker was being announced: "...will talk on the CIA Principles of Information Security." Yawn, that guy must be old enough to predate punched cards.

"Do the CIA principles keep you awake at night? Compliance, infrastructure, applications..." What on earth was he going on about? We all know CIA, we're just so busy fighting fires that we don't often think about them.

"Safe programming languages. In the days of ALGOL (a language so far ahead of its time, that it was not only an improvement on its predecessors, but also on nearly all its successors) it wasn't possible to have buffer overflows – the compiler automatically added array bounds checking code.

Programs still had bugs and gave the wrong results, but at least they couldn't be compromised to run malware.

"Validate your code. We had tools like lint – very picky, but it reached those errors the compiler didn't spot. The programmers hated it, but their code kept on working. Don't forget all those script files, macros and web pre-processors – not to mention the OS. It's much easier and more accurate to test code than attempt black-box vulnerability analysis.

"Don't run data. What sane person would buy an OS that can be destroyed by clicking on an icon in an email? It's what execute file permissions stop.

"Lock your system. The Winchester hard drives had write-protect switches. Once we loaded the OS and flicked the switch, no one could make changes unless they had the key to the computer room. Even DOS let you write-protect the OS floppy disk, so we didn't have viruses or rogue employees changing the system. Not everyone forgets: you can still find live-CD systems, read-only and immutable file system mounts.

"Lock those clients. We rarely had data theft problems, as the data files stayed on the servers. You could write down what was on your VDU, but you never had the whole database. Oh, I know you like more colours than just green, and that the first thin clients were rather slow – but servers, clients and networks are all ten times faster now. And there's no unauthorised data to steal.

"Santayana said: 'Those who cannot remember the past are condemned to repeat it.' Look back to the past, we've forgotten the solutions. They help us move from the false CIA of Compliance, Infrastructure and Applications to the real principles of Confidentiality, Integrity and Availability."

The applause woke me up. The effects of the wine must have made me doze off. Old-fashioned simple solutions to many of our current security issues – it must have been a dream. Or was it?

Copyright © SC Magazine, US edition

Most Read Articles

Log In

|  Forgot your password?