September 8, 2011

Privacy as a concept - Integrity threats

In the last part of our privacy series, we discussed threats to privacy from a confidentiality perspective. For this part of the series, let’s look at the oft-overlooked privacy threats related to integrity.

Integrity threats

Whereas confidentiality deals with access to something, integrity is concerned with the modification of that something. Unlike confidentiality, however, there is only one face of integrity to be concerned with, and that is unauthorized or unexpected modification. I would submit that authorized modifications are to be expected and are not, in a general context, threat-worthy.

Now, before you guys and gals shower me with some hate, let me explain. Yes, we should be concerned with non-malicious changes. A typo during data entry could unintentionally exploit vulnerabilities in an application or potentially disclose sensitive data. However, I do not believe those are issues of integrity. The offenders were authorized, after all, and the system rightfully allowed the modification. The fact that the modification violated another security principle is separate from the authorization to make the modification in the first place. That is, we would have to say that something (e.g. confidentiality) and integrity were impacted, right?

With respect to integrity and unauthorized modification, I believe the following child categories complete our picture of privacy integrity threats.

Transcription, Processing, and Storage

Going back to our earlier example of shoe size versus credit card number for a moment, imagine that you have willingly disclosed both. Say you have just ordered a new pair of shoes and paid the online merchant via credit card: what are some possible threats to the integrity of your private information?

The first child category I see is transcription. Essentially, with a transcription threat, private information (e.g. shoe size) ends up being mis-transcribed. In our example, you ordered a size 11 and somehow that is transcribed by the receiving side as size 10. Maybe this is not the biggest of deals: you get a smaller size and likely end up returning it. Yet, when we look a little deeper, we can see that an affiliate has now modified private information in an unauthorized manner. Yep, that is an integrity issue. Keep in mind as well that this threat can originate with you (mis-keying the order), the system receiving the order (a crash causes the value to change), or a receiving clerk mis-keying the order.

The second child category of integrity threats is processing. Although closely related to transcription, the threat concept of processing focuses on receiving-side processing of our private information. This could be the system consuming our private information as a precursor to storage (the next category), or processing threats could manifest while a system is reading our private information from storage. Clearly, the threat vector is the processing itself and the result is the same as with transcription: private information undergoes an unauthorized modification.

Finally, the third child category relates to threats in storage. A typical example for this category would be corruption in the storage media. Another example might be a compromise that leads to your private shoe size or credit card information being maliciously altered (perhaps the adversary wants you to appear as if you have giant clown feet). I believe this might be the most serious category of threats since the previous two represent one-time events. In contrast, a storage threat realization will affect that private information for as long as there is no mitigation.
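One way to tell the three categories apart in practice, as an added example that is not part of the original post: the order is tagged with an HMAC when the customer submits it, and the tag is re-checked after each stage, so the first failing check names the category. The key, the field names and the `simulate` fault injection are assumptions made for illustration; a tag computed at submission cannot catch the customer's own mis-keying.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption: the real key lives outside the data store,
# so whoever can alter the stored record cannot also recompute the tag).
DEMO_KEY = b"constructed-demo-key"
STAGES = ("transcription", "processing", "storage")

def seal(record, key=DEMO_KEY):
    """HMAC-SHA256 over a canonical JSON encoding of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()

def verify(record, tag, key=DEMO_KEY):
    """Constant-time comparison of the record's recomputed tag with the original."""
    return hmac.compare_digest(seal(record, key), tag)

def simulate(submitted, fault_at=None):
    """Pass a copy of the order through the three stages; if fault_at names a
    stage, the shoe size changes from that stage onward (11 becomes 10)."""
    record, outputs = dict(submitted), []
    for stage in STAGES:
        if stage == fault_at:
            record = dict(record, shoe_size=record["shoe_size"] - 1)
        outputs.append((stage, dict(record)))
    return outputs

def first_violation(outputs, tag):
    """Name of the first stage whose output no longer matches the tag, else None."""
    for stage, record in outputs:
        if not verify(record, tag):
            return stage
    return None

# Constructed sample order (well-known test card number, not real data).
ORDER = {"shoe_size": 11, "card_number": "4111111111111111"}
ORDER_TAG = seal(ORDER)  # computed when the customer submits the order

if __name__ == "__main__":
    for fault in (None,) + STAGES:
        print(fault, "->", first_violation(simulate(ORDER, fault), ORDER_TAG))
```

A transcription or processing fault shows up once, at the stage where it happened, while a storage fault keeps failing verification on every later read until the record is repaired.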

Overall, as much as we think about the confidentiality of our private information, we should have equal concern with respect to our private information’s integrity. I might suggest that integrity is of a larger concern since it goes so largely unnoticed. What do you think?

Next Time – Securing Privacy

In the next and final part of this series we’ll take a look at what we can do to assure the security of our private information. Until then, I’m going to take a cue from Al Gore and put it in my lockbox…