In this article, we will learn about the well-known CIA Triad: Confidentiality, Integrity, and Availability. Though these terms sound simple, they have a wide reach, and an organization's security posture is adequate only if the CIA concepts are well maintained. It is these three principles that attacks and exploits, to varying degrees, set out to undermine.
Let’s discuss these concepts in detail.
Confidentiality revolves around the principle of ‘least privilege.’ This principle states that access to information, assets, etc. should be granted only on a need-to-know basis, so that information meant for some people is not accessible to everyone. As you might have guessed already, the foundation of good confidentiality, or need to know, is a strong data classification policy, since without classifying assets, information, etc. it is difficult to keep track of who has access to what. Classification can be done at various levels according to the criticality of the asset, information, etc. Those who are new to this concept must be wondering whether this isn’t simply authentication, while others might be aligning it with authorization. So here is what you need to know: Identification, Authentication, and Authorization are principles achieved through various access and privacy controls that support Confidentiality. If the Authentication principle fails, for example, the underlying information can be stolen, which confidentiality should prevent; data sent over a wire can be sniffed, or data stored on a USB drive can be stolen. On the other hand, encryption supports confidentiality since it protects (if used correctly) sensitive information from theft or leakage by converting plain text into cipher text that cannot be read easily. It should be noted that there are various encryption algorithms, but it is up to the individual or organization to select only strong ones.
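The need-to-know check described above can be made concrete as a small policy engine: every read of an asset is mediated, a subject needs both a clearance at or above the asset's classification level and membership in every compartment the asset is tagged with, and each decision is logged. This is an added example, not code from the original article; the classification levels, compartment names, subjects, assets and store contents are all constructed for illustration.

```python
"""Need-to-know access check driven by a data classification policy.

Added example, not code from the original article. The classification levels,
compartment names, subjects, assets and store contents are all constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Tuple


class Level(IntEnum):
    """Classification levels ordered by criticality (constructed example set)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Asset:
    name: str
    level: Level
    # Compartments narrow need-to-know within a level (e.g. a department or project).
    compartments: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level
    need_to_know: FrozenSet[str] = frozenset()


def may_read(subject: Subject, asset: Asset) -> bool:
    """Deny by default: a read needs clearance >= level AND every compartment."""
    if subject.clearance < asset.level:
        return False
    return asset.compartments <= subject.need_to_know


AUDIT_LOG: List[Tuple[str, str, str]] = []


def read_asset(subject: Subject, asset: Asset, store: Dict[str, bytes]) -> bytes:
    """Every read goes through this mediator, and every decision is recorded."""
    allowed = may_read(subject, asset)
    AUDIT_LOG.append((subject.name, asset.name, "ALLOW" if allowed else "DENY"))
    if not allowed:
        raise PermissionError(f"{subject.name} may not read {asset.name}")
    return store[asset.name]


# Constructed sample data: three assets, three subjects.
STORE: Dict[str, bytes] = {
    "press-release.txt": b"public announcement",
    "payroll.csv": b"salary data",
    "merger-plan.docx": b"project ORCA details",
}
ASSETS: Dict[str, Asset] = {
    "press-release.txt": Asset("press-release.txt", Level.PUBLIC),
    "payroll.csv": Asset("payroll.csv", Level.CONFIDENTIAL, frozenset({"HR"})),
    "merger-plan.docx": Asset("merger-plan.docx", Level.RESTRICTED, frozenset({"ORCA"})),
}
HR_ANALYST = Subject("hr-analyst", Level.CONFIDENTIAL, frozenset({"HR"}))
EXECUTIVE = Subject("executive", Level.RESTRICTED, frozenset({"ORCA"}))
INTERN = Subject("intern", Level.INTERNAL)


if __name__ == "__main__":
    for subject in (HR_ANALYST, EXECUTIVE, INTERN):
        for asset in ASSETS.values():
            try:
                read_asset(subject, asset, STORE)
            except PermissionError:
                pass
    for entry in AUDIT_LOG:
        print(entry)
```

The executive case is the one worth noticing: a RESTRICTED clearance is higher than the payroll file's level, yet the read is denied because the subject has no HR compartment. Clearance alone is not need to know, and the audit log shows denials as well as grants.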
Integrity makes sure that information is not tampered with while it travels from source to destination or while it is stored at rest. Information stored in underlying systems, databases, etc. must be protected through access controls, and there should be an accepted procedure for changing stored or in-transit data. An example of an Integrity mechanism used by many tools is the ‘one-way hash’: a hash of a particular set of data is calculated before transit and sent along with the original message. At the recipient side, the hash of the received message is computed and compared with the hash received. If the two hashes differ, the message has been altered and can no longer be trusted.
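The hash-alongside-the-message scheme just described, written out as sender and recipient, together with the two ways a message can change in transit. This is an added example, not code from the original article, and it goes one step beyond the text: besides the unkeyed SHA-256 hash, it shows the keyed variant (HMAC-SHA256), because an unkeyed hash detects accidental corruption but not a deliberate rewrite by someone who can recompute the hash. The messages, the demo key and the in-transit events are constructed.

```python
"""One-way hash sent alongside a message, with the keyed variant beside it.

Added example, not code from the original article. The messages, the demo key
and the 'in transit' events below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

Packet = Tuple[bytes, str]  # (message, hex digest or tag travelling with it)


def digest(message: bytes) -> str:
    """Unkeyed one-way hash (SHA-256), as the article describes."""
    return hashlib.sha256(message).hexdigest()


def send(message: bytes) -> Packet:
    """Sender: compute the hash before transit and send it with the message."""
    return message, digest(message)


def verify(packet: Packet) -> bool:
    """Recipient: recompute the hash of what arrived and compare with what was sent."""
    message, received_hash = packet
    # compare_digest keeps the comparison time independent of where the digests differ.
    return hmac.compare_digest(digest(message), received_hash)


def tag(key: bytes, message: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def send_keyed(key: bytes, message: bytes) -> Packet:
    return message, tag(key, message)


def verify_keyed(key: bytes, packet: Packet) -> bool:
    message, received_tag = packet
    return hmac.compare_digest(tag(key, message), received_tag)


def corrupt_in_transit(packet: Packet) -> Packet:
    """Accidental damage: one bit of the body flips, the accompanying hash does not."""
    message, received_hash = packet
    return bytes([message[0] ^ 0x01]) + message[1:], received_hash


def rewrite_in_transit(packet: Packet, new_message: bytes) -> Packet:
    """Deliberate change: whoever rewrites the body can also recompute an unkeyed hash."""
    return new_message, digest(new_message)


DEMO_KEY = b"constructed-demo-key-not-for-production"  # real keys: secrets.token_bytes(32)


if __name__ == "__main__":
    original = b"transfer 100 to account 42"
    altered = b"transfer 900 to account 42"
    print("intact, unkeyed hash:", verify(send(original)))
    print("corrupted, unkeyed hash:", verify(corrupt_in_transit(send(original))))
    print("rewritten, unkeyed hash:", verify(rewrite_in_transit(send(original), altered)))
    key = secrets.token_bytes(32)
    print("rewritten, keyed tag:",
          verify_keyed(key, rewrite_in_transit(send_keyed(key, original), altered)))
```

The third line of output is the point: the rewritten packet passes the unkeyed check, so a plain hash travelling with the message protects against line noise and disk errors, not against a party who can change both. The keyed check fails on the same packet because the tag cannot be recomputed without the key, which is why the "accepted procedure to change the data" needs a secret or a signature behind it rather than a bare hash.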
The Availability concept is about making sure that the services of an organization remain available. For example, if you have been following the press, there was recently news of Distributed Denial of Service (DDoS) attacks targeted at Dyn, KrebsOnSecurity, the BBC, etc. The motive behind these attacks is to bring down the respective services and thereby defeat Availability. However, availability can also be defeated by other disasters, whether man-made or natural (earthquakes, floods, etc.). Generally, companies try to develop systems that are fault tolerant, which is achieved through redundant systems, drives, etc. For the case of a disaster, the concept of alternate sites is used; these are further classified into hot, warm and cold sites, where a hot site is ready to run the business with minimal disruption because it is a replica of the already running environment, while a cold site is just a site with physical facilities where the office setup still needs to be done.
Every part of the CIA Triad is equally important; however, depending on the context, we sometimes need to give more weight to one of them, or a combination of them, over the others. For example:
With the advancement of technology, new challenges are posed to the CIA Triad. Some are:
So, the CIA Triad is three concepts with vast (if not open-ended) goals in Information Security, but with new types of attacks like insider threats, new challenges posed by IoT, etc., it now becomes even more difficult to limit and scope these three principles properly.