1.2. Information Assurance: Dependability and Security of Networked Information Systems

As mentioned earlier, we view IA as encompassing both the dependability and the security areas. In this section, we briefly introduce key terminology from these areas and present our view on the need for such an integrated view.

Information or computer security primarily focuses on the issues related to confidentiality, integrity, and availability (CIA) of information [7]. Confidentiality refers to ensuring that highly sensitive information remains unknown to certain users. Integrity refers to the authenticity of information or its source. Availability refers to ensuring that information or computer resources are available to authorized users in a timely manner. Other key security issues often added include accountability, non-repudiation, and security assurance [7]. Accountability ensures that an entity’s action is traceable uniquely to that entity; non-repudiation refers to ensuring that an entity cannot deny its actions; and security assurance refers to the confidence that the security requirements are met by an information system. Policy models, mechanisms, and architectural solutions have been extensively investigated by the security community to address issues related to the specification and enforcement of the security requirements of networked information systems. In addition to proactive, preventive techniques, reactive techniques that involve detection followed by response and recovery continue to be developed to address the overall protection issues. Cryptographic techniques are widely used as mechanisms to achieve the security goals mentioned above.

The dependability area, on the other hand, has primarily focused on how to quantitatively express the ability of a system to provide its specified services in the presence of failures, through the measures of reliability, availability, safety, and performability [6]. Reliability refers to the probability that a system provides its service throughout the specified period of time. Availability, also a key goal of security, refers more specifically to the fraction of time that a system can be used for its intended purpose within a specified period of time. Safety refers to the probability that a system does not fail in such a way as to cause major damage. Performability quantitatively measures the performance level of a system in the presence of failures. An important observation here is the richness of the quantitative techniques within the dependability area, in contrast to the scarcity of such techniques in the security area. One reason for this is the difficulty of applying quantitative techniques to confidentiality and integrity issues, as well as to cryptographic techniques. Confidentiality and integrity issues were the primary concerns of the security community for a considerable period of time, and several “formal” approaches focused on these were developed to address the verification and qualitative validation of security properties. Interestingly, both confidentiality and integrity are also sometimes considered relevant dependability goals [8].

A related notion that attempts to capture both the security and dependability concerns is that of survivability. Survivability has been defined in various ways by different researchers, and no consensus yet exists on a standard definition. One way to define survivability is as the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents [6]. A key goal here is to provide a quantitative basis for indicating that a system meets its security and dependability goals. A key motivation in this direction is that absolute security is an unachievable goal, as indicated by the undecidability of the safety problem related to security shown by Harrison, Ruzzo, and Ullman in their seminal paper [9]. It is also virtually impossible to completely identify all the vulnerabilities in a networked information environment that is characterized by ever-increasing heterogeneity of its components. In the face of such an insurmountable challenge, a practical alternative is to set the provision of an acceptable level of service in the presence of disruptive events as the goal; in other words, a more realistic goal is that of ensuring a desired level of assurance that the required security and dependability goals are met by a system throughout its life cycle.

While there is an urgent need for solutions that integrate dependability and security, the two communities have largely remained separate, although efforts towards desirable interactions between them can be seen. A simple and often cited difference between the two areas is that dependability focuses primarily on faults and errors in systems that are typically non-malicious in nature (primarily from the fault-tolerance design area), while security focuses mainly on protection against malicious attempts to violate the security goals. However, such a distinction is not accurate, as can be seen in the various taxonomies developed within each community. For instance, the taxonomies for security vulnerabilities developed by Landwehr et al. [10] and later by Avizienis et al. [11] incorporate both intentional and unintentional sources of security vulnerabilities. The growing realization of the overlapping nature of the two areas can be seen in researchers' efforts towards cross-pollinating the two areas in order to synthesize integrated frameworks.

This book first aims to highlight the overlapping aspect of the dependability and security areas (Figure 1.1), an understanding which we believe is fundamental to exploiting the synergies between the two communities. An integrated taxonomy that brings together the attributes of dependability and security is an important goal, and some efforts in this direction can be seen (e.g., Chapter 6). A natural outcome of the overlapping concerns of the two areas is that of using the well-developed techniques in one area to address issues in the other, or of synthesizing similar techniques from the two areas to create more effective, integrated solutions. One such area of cross-pollination can be seen in the use of fault-diagnosis techniques based on fault trees in the fault-tolerance community, which parallels the use of attack trees/graphs to characterize security intrusions. Furthermore, correlating alerts and symptoms to more accurately identify the source of a problem and/or its consequences is an important diagnostic activity for both dependability and security. This commonality provides prospects for integrated diagnostic frameworks that can capture disruption scenarios related to malicious activities or non-malicious events. Such integrated fault and attack diagnosis and alert correlation approaches have already emerged as active research foci. An important observation related to security is the unpredictability of security threats and attacks, which makes modeling attackers significantly challenging. Furthermore, as mentioned earlier, the security area currently lacks viable quantitative techniques. These deficiencies add new research challenges to generating integrated, holistic solutions for the modeling, analysis, and evaluation of the security and dependability of a networked information system in order to establish assurance of its quality (e.g., lack of vulnerability, or appropriate measures against possible threats) and eventually its trustworthiness. Sophisticated stochastic techniques, such as Markov models, which have been widely used for dependability analysis, are currently being adopted and extended to additionally address security issues, as discussed in Chapter 7. Such quantitative techniques, as well as newer game-theory-based approaches (e.g., Chapter 8), are also currently being pursued to address the challenges related to the coincident effect of all types of disruptive events. Furthermore, it is important to note that the security and dependability concerns related to different system or architectural layers/components, such as operating systems, applications, networks, wireless infrastructures, and so on, bring their own unique challenges. In addition to developing solutions for these different types of IT environments, there is also a crucial need to synthesize these solutions to ensure the survivability of huge infrastructures against large-scale cyber attacks, which could become a catastrophe for a society that now relies so much on the technology.
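As an added illustration, not taken from the chapter, of the quantitative dependability measures defined earlier and of the Markov-model direction just mentioned, the following Python models a non-malicious fault and an undetected compromise in one continuous-time Markov chain and computes availability and reliability over both kinds of disruptive event; the state names and all rates are assumed values.

```python
# Added illustration (not from the chapter): a small CTMC in which a
# non-malicious fault and a malicious compromise are modelled together.
import math

UP, FAILED, COMPROMISED, RECOVERING = range(4)   # state indices
# Assumed rates per hour (constructed): failure, repair, successful attack,
# detection of the compromise, and recovery after detection.
RATES = dict(lam_f=1/1000, mu_f=1/8, lam_a=1/5000, delta=1/48, mu_a=1/24)

def generator(r):
    """Generator matrix Q: Q[i][j] is the rate from state i to j; the
    diagonal makes every row sum to zero."""
    Q = [[0.0] * 4 for _ in range(4)]
    Q[UP][FAILED] = r["lam_f"]               # non-malicious fault
    Q[FAILED][UP] = r["mu_f"]                # repair
    Q[UP][COMPROMISED] = r["lam_a"]          # attack succeeds, undetected
    Q[COMPROMISED][RECOVERING] = r["delta"]  # intrusion detected
    Q[RECOVERING][UP] = r["mu_a"]            # response and recovery done
    for i in range(4):
        Q[i][i] = -sum(Q[i][j] for j in range(4) if j != i)
    return Q

def steady_state(Q):
    """Solve pi Q = 0 with sum(pi) = 1 by Gaussian elimination on Q^T."""
    n = len(Q)
    A = [[Q[j][i] for j in range(n)] for i in range(n)]
    b = [0.0] * n
    A[-1], b[-1] = [1.0] * n, 1.0        # replace one redundant equation
    for c in range(n):
        p = max(range(c, n), key=lambda k: abs(A[k][c]))
        A[c], A[p], b[c], b[p] = A[p], A[c], b[p], b[c]
        for k in range(c + 1, n):
            f = A[k][c] / A[c][c]
            A[k] = [a - f * q for a, q in zip(A[k], A[c])]
            b[k] -= f * b[c]
    pi = [0.0] * n
    for k in range(n - 1, -1, -1):
        pi[k] = (b[k] - sum(A[k][j] * pi[j] for j in range(k + 1, n))) / A[k][k]
    return pi

def availability(r=RATES):
    """Returns (fraction of time the service runs, fraction of time it runs
    uncompromised): dependability and security read 'availability' differently."""
    pi = steady_state(generator(r))
    return pi[UP] + pi[COMPROMISED], pi[UP]

def reliability(t, r=RATES):
    """Probability that no fault or attack has occurred by t hours from UP."""
    return math.exp(-(r["lam_f"] + r["lam_a"]) * t)
```

With the assumed rates the service runs about 98.7% of the time but is both running and uncompromised only about 97.8% of the time; the gap is the silently compromised fraction that a pure dependability view would count as "up".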

Figure 1.1. Information assurance: interaction between security and dependability.


In summary, we characterize IA as encompassing dependability and security concerns, and we emphasize that combined IA approaches that address security and dependability together are the needed direction because:

  • Many threats to dependability and security are common or similar. Combined modeling of failures and security threats will help provide a more accurate understanding of the underlying problems.

  • There is a need for both a qualitative and a quantitative basis when establishing the overall assurance that a system maintains a desired level of trustworthiness. Quantitative and qualitative techniques, which are abundant in the dependability and security areas, respectively, complement each other and will help create more effective IA solutions.

  • In reality, all types of disruptive events (faults and attacks) may coexist within a single networked information system. Hence, all types of disruptive events should be modeled together so that any coincident effect of different disruptive events and their emergent characteristics can be more accurately understood.

  • Different techniques developed within each area may be useful in the other area. For instance, design diversity and redundancy, which were typically employed in the fault-tolerance community, have been beneficial for security. At the same time, a combined approach will avoid duplication of effort.
