Monday, September 03, 2007

On Assurance vs Indication

Yes, this will tell the whole world how behind am I am blogging, but so be it :-) So, I wanted to respond to Rob's comments related to e-discovery here. So, Rob says: "In a nutshell, it [A.C. - e-discovery] is the process of collecting, searching, preserving and analysing digital information. [...] And there are some real security issues here: 1) If I have collected information from a system, how do I know that information hasn't already changed en route to collection? " [2-5 skipped, see the original post]

He then concludes with "So who's interested in this? Well, apparently not the real security guys" which is obviously absurd.

In reality, e-discovery is moderately hot and doing it better and more secure is of interest to vendors (more) and customers (less). However, there are perfectly good solution to the "issues" Rob brings, which kinda makes them not issues, really :-) Specifically:

  1. "If I have collected information from a system, how do I know that information hasn't already changed en route to collection?" Anton: encrypt it in transit; SSL, SSH work.
  2. "How do I know it hasn't been seen and manipulated, or copied?" Anton: encrypt + hash it in storage; SSL, SSL work too.
  3. "Between collection and searching, how do I know the index hasn't changed, and therefore the information I am now looking at is redundant?" Anton: log all access to system, check the access logs before searching. if you have doubts, reindex. Index is dynamic so you cannot checksum it.
  4. "How can I preserve information without it becoming prohibitively expensive?" Anton: burn a DVD! Or use one of those funky EMC or NetApp WORM storage boxes.
  5. "When I want to analyse this information, how do I know I'm analysing the right things?" Anton: this one is up to you :-)

At the same time, e-discovery is a little like forensics, you absolutely don't need it until the moment you can't live without it. Maybe this pushes the interest to dedicated e-discovery technologies down a bit?


Rob said...

Wow, this is a v old post, but I'm pleased you've come back to it.

You would think it was this easy wouldn't you? And the way you've answered certainly SEEMS to make sense. But this is a mistake that many people make.

1. SSL, SSH, etc does not *prove* that information hasn't changed en route, it merely makes it unlikely.
2. Ditto, plus hashes can be re-hashed if I have access to the information in storage.
3. What if the logs have been erased?
4. EMC WORM not prohibitively expensive? I was already envious of your brains, now I covet your money as well!! How do I burn Terabytes of, say, telco logs to DVD without it becoming an altogether bigger issue of management?
5. Badly phrased question on my part, I meant "how do I know the information is still the same as it was at origin", i.e. "the right things", not the right things to analyse.

I agree with your conclusion however, and think that in time this will become something that is pushed forwards by compliance rather than security needs. There are other arguments that the marketing people can use (as blogged recently), but that's another discussion entirely.

Anonymous said...

Your blog's informative is very rich in contents. I like your way of
presentation. At times I disagree with your views but thinking about it who
presents views that are acceptable to everyone. Keep posting your good

Anton Chuvakin said...

>it merely makes it unlikely.

Exactly!!! This is exactly why my post is called "On Assurance vs Indication."

Strong indication (via SS*) seems to be what the world needs now. And trying for "assurance" moves us into A1/EAL7-rated OSs with "verified design" and the domain of extreme paranoia (not the normal healthy security paranoia ...)

My #4 indicated that the problem is "solved," not that no better solution exists. Yes, WORM boxes are pricey and yes, managing DVD or tape racks is a pain, but this seems to be good enough to most people - who actually go into retaining info (many just don't...)

On #5: "how do you KNOW?" is an "assurance" question, let's not even go there: we live in the world of "strong indications."

How do you KNOW you chair does not have a bomb under it? Well, did you check? What if it was added later after you checked? What if you missed it? What if.... etc, etc /bad analogy alert! :-)/

Of course you don't KNOW in the strict sense of the word. But are pretty darn reasonably are that they haven't changed...

Rob said...

Actually I have an automated bomb detection unit under my chair which syslogs over ssh to a LogLogic LX, and archived to a LogLogic ST in case I have to prove it to the police.
I'd say it's "adequate", but it wouldn't stand up in court. :)

Anton Chuvakin said...

"Automated"? Are you SURE it is not buggy and is doing its job? :-)

Dr Anton Chuvakin