In the wake of the widespread failure of the Visa processing network on Friday last week  (see The Register for more details), I thought it might be time to revisit that useful aide memoire, C.I.A.:
This isn’t the first time I’ve written about this trio, and I doubt that it’ll be the last. However, this particular incident seems like a perfect example to examine the least-regarded of the three – availability – and also to cogitate somewhat on how the CIA is necessary, but not sufficient.
As far as we can tell, the problem with the Visa payment system came down to a hardware failure. As someone who used to work as a software engineer, I can tell you that this is by far the best type of failure, because there’s very little you can do about it once you’ve diagnosed it, which means that it quickly becomes SEP. Be that as it may, the result of this hardware problem was that a large percentage of the network was unable to access Visa processing capabilities correctly. Though ATMs generally worked, it seems, payment using card readers generally didn’t.
How is this a security problem? Well, one way to answer that question is to say that if security is about reducing risk to your business, then as this caused significant damage to Visa’s revenue stream – not to mention its reputation – then the risk materialised, and there was a security failure. I would be interested to know, however, how many organisations have their security teams in charge of ensuring up-time and availability of their systems in terms of guarding against vulnerabilities such as hardware failures. My suspicion is that the scope of availability-safeguarding by security teams is generally to the extent of managing denial of service or other malicious attacks.
I would argue that more organisations should consider this part of the security team’s mandate, to be honest, because the impacts are very similar, and many of the mitigations will be the same. Of course, if you’re already an integrated Ops team – or even moving to a DevOps or DevSecOps model – then well done you: I’m sure you’re 100% safe from anything similar befalling you.
Consistency and correctness
As I mentioned above, there’s a criticism which is often levelled at the CIA triad, which is that confidentiality, integrity and availability are not, on their own, sufficient to design and run a system.
The Visa incident is a perfect example of why this is the case. It appears that the outage was not complete, as even at card readers, some amount of information was going through when a transaction was attempted. This meant that for some (attempted) transactions, at least, debits were appearing on accounts even when they were not being recorded as credits at the vendor’s side. What does this mean? In simple terms, money was coming out of people’s accounts, but not going to the people they were trying to pay. I’m not an expert on retail banking, but I believe that this is pretty much the opposite of what how a financial transaction is supposed to work.
You can’t really blame this on a lack of confidentiality or a lack or integrity. Nor is it really to do with a lack of availability – it may have been a side effect of the same cause as the availability failures, but that doesn’t mean that it caused them.
These problems can be characterised in two ways: as a lack of consistency and/or a lack of correctness. In a system, data should be consistent across the system, so when a debit shows up with no corresponding credit, there is a a failure of consistency. This lack of consistency highlights a lack of consistency: in fact, the very point of double-entry book-keeping is to allow these sorts of errors to be spotted.
What this tells us is not only that CIA is not sufficient to ensure security within a system but also that there exist other mechanisms – some very ancient – that allow us to manage our systems and to mitigate failures.
1 – at time of writing. If you’re reading this after, say, the 10th or 11th of June 2018, then it was longer ago than that.
2 – unless there’s been another outage, in which case it may be time to start taking out cash and stuffing it into your mattress.
3 – in no sense is this a comment on the Central Intelligence Agency. I am unqualified to discuss that particular, august body. Nor would I consider it in my best interests to do so.
4 – it was actually founded in the month of September, according to the Interwebs.
5 – or the best interests of my readers.
6 – which can, admittedly, take quite a long time, as you’re probably looking in the wrong places if you, like me, generally assume that the bug is in your own code.
7 – Somebody Else’s Problem (hat tip to the late, great Douglas Adams).
8 – “cash points” (US), “holes in the wall” (UK).
9 – yes, we really do call them this: “I need to get some money from the hole in the wall”. It’s descriptive and accurate: what more do you want?
10 – no, I know you’re not, and you know you’re not, but this will make everybody else feel that little bit more nervous, and you can feel a little bit more smug, which is always nice, isn’t it?
11 – cue a link to one of my most favourite comics of all time: https://xkcd.com/552/.