Mike Wills - The Official (ISC)2 SSCP CBK Reference

NOTEYou can think of nonrepudiation as being similar to submitting your income tax return every year or the many other government-required filings that we all must make no matter where we live or do business. Sometimes, the only way we can keep ourselves from harm is by being able to prove that we sent it in on time and that the government received it on time.

Email systems have been notorious for not providing reliable confirmation of delivery and receipt. Every email system has features built into it that allow senders and server administrators to control whether read receipts or delivery confirmations work reliably or correctly. Email threads can easily be edited to show almost anything in terms of sender and recipient information; attachments to emails can be modified as well. In short, off-the-shelf email systems do not provide anything that a court of law or an employment relations tribunal will accept as proof of what an email user claims it is.

Business cannot function that way. The transition from postal delivery of paper to electronic delivery of transactions brought many of the same requirements for nonrepudiation into your web-enabled e-business systems. What e-business and e-commerce did not do a very good job of was bringing that same need for nonrepudiation to email.

There are a number of commercial products that act as add-ons, extensions, or major enhancements to email systems that provide end-to-end, legally compliant, evidence-grade proof regarding the sending and receiving of email. A number of national postal systems around the world have started to package these systems as their own government-endorsed email version of registered postal mail. Many industry-facing vertical platforms embed these nonrepudiation features into the ways that they handle transaction processing, rendering reams of fax traffic, uncontrollable emails, or even postal mail largely obsolete.

Systems with high degrees of nonrepudiation are in essence systems that are auditable and that are restricted to users who authenticate themselves prior to each use; they also tend to be systems with strong data integrity, privacy, or confidentiality protection built into them. Using these systems improves the organization's bottom line, while enhancing its reputation for trustworthiness and reliability.

This element of the classic CIANA set of information security characteristics brings together many threads from all the others regarding permission to act . None of the other attributes of information security can be implemented, managed, or controlled if the system cannot unambiguously identify the person or process that is trying to take an action involving that system and any or all of its elements and then limit or control their actions to an established, restricted set. Note that the word authentication is used in two different ways.

Information is authenticated by confirming that all of the metadata about its creation, transmission, and receipt convey that the chain of trust from creator through sender to recipient has not been violated. Authentication of a sent email or file demonstrates that it was created and sent by a known and trusted person or process. This requires that access control as a process grants permission to users or the tasks executing on their behalf to access a system's resources, use them, change them, share them with others, or create new information assets in that system.

In access control terms, authentication validates that the requesting subject (process or user) is who or what they claim that they are and that this identity is known to the system. Authorization then allows that authenticated identity to perform a specific set of tasks. Taken together, this is what determines whether you are using someone else's computers or networks with their permission and approval or are trespassing upon their property.

1984 was a watershed year in public law in this regard, for in the Computer Fraud and Abuse Act (CFAA), the U.S. Congress established that entering into the intangible property that is the virtual world inside a computer system, network, or its storage subsystems was an action comparable to entering into a building or onto a piece of land. Entry onto (or into) real, tangible property without permission or authority is criminal trespass. CFAA extended that same concept to unauthorized entry into the virtual worlds of our information systems. Since then, many changes to public law in the United States and a number of other countries have expanded the list of acts considered as crimes, possibly expanding it too much in the eyes of many civil liberties watchdogs. It's important to recognize that almost every computer crime possible has within it a violation of permissions to act or an attempt to fraudulently misrepresent the identity of a person, process, or other information system's element, asset, or component in order to circumvent such restrictions on permitted actions. These authenticity violations are, if you would, the fundamental dishonesty, the lie behind the violation of trust that is at the heart of the crime.

SUNBURST and other attacks in 2020 and 2021 highlighted how little attention many organizations were paying to the physical control and interaction side of their information systems. Enterprises that did not directly use IT to control manufacturing systems, or command and control vehicles and heavy machinery, believed themselves safe from physical harm, and yet would blithely invest in smart buildings and IoT devices for use in their office environments. They believed that these operational technologies—OT systems that directly cause physical motion or action, or monitor and supervise systems that do—were sufficiently separated from their IT systems, such as their corporate data centers, that there was little danger of a vulnerability on one side of that IT-OT interface from causing harm to systems, data, and people on the other side. That has been shown to be a false hope.

Operational technologies (OT) include industrial control systems (ICS) and the supervisory, control, and data acquisition (SCADA) systems that direct their activities. OT also includes Internet of Things (IoT) devices, autonomous, mobile machines (from custodial devices to chaotic warehouse forklifts), and robots. Most smart city systems, particularly their mass transit, water and sewer, traffic control, and communications management systems are part of the OT world, as are smart building environmental, power, and security management systems at work and in the home. This list of OT use cases grows every day, and in each case, there are data sharing and collaborative control and supervisory linkages with IT systems at many levels. And in most cases, device control involves switching and detecting AC and DC power and signals as part of controlling physical actuators and sensors.

As older OT systems are being phased out, newer systems tend to be making greater use of the Common Industrial Protocol (CIP). This is a feature-rich set of functions that are used within OT architectures to provide management, real-time control, data acquisition, and safety intervention across an architecture. CIP can operate over IP networks, which allows OT regional control workstations to easily interact with organizational IT systems. OT and IT systems both share common problems, such as the challenges of establishing and maintaining a secure supply chain for software, firmware, and hardware updates. Access control problems are quite common; the information security hygiene measures you need to apply to almost every IT systems environment must also be applied to your organization's OT systems, although with different techniques and tools. Integrated visibility—having a SIEM-like insight into the combined IT / OT architecture of your organization—can be achieved, but it's not as straightforward as some vendors may make it seem.