CIA Triad in Detail… Looks Simple but Is Actually Complex

CIA stands for confidentiality, integrity and availability, which are said to be the three most important elements of reliable security.

In simple terms, the three parts of the CIA triad can be summarized as follows:

  • Confidentiality: limit who has access to information
  • Integrity: governs how and when information is modified
  • Availability: ensure that people who are authorized to access information are able to do so


A complete security solution should adequately address each of these tenets.

Confidentiality

The objective of confidentiality is to prevent or minimize unauthorized access to data, objects or resources, and to ensure that no one other than the intended recipient receives the information or is able to read it.

The next question is “How can confidentiality be violated or broken?” Numerous intentional attacks target it, such as:

  • Capturing network traffic
  • Stealing password files, e.g. through social engineering
  • Port scanning
  • Shoulder surfing
  • Eavesdropping, such as listening in on telephone lines or network sniffing
  • Escalation of privileges

In many instances, unauthorized disclosure of sensitive or confidential information results from unintentional causes such as:

  • Human error
  • Oversight – an unintentional mistake resulting from a failure to notice something
  • Ineptitude – lack of training
  • Failing to properly encrypt a transmission
  • Failing to fully authenticate a remote system before transferring data
  • Writing malicious code that opens a back door
  • Mis-routed faxes
  • Documents left on printers
  • Walking away from an access terminal while data is displayed on the monitor
  • Mis-configured security controls
  • Dumpster diving – the things we throw away, such as hard disks and documents

There are also numerous countermeasures that can help to increase confidentiality against possible threats.

  • Encryption
  • Network traffic padding
  • Strict access control, such as locked doors, security guards, and permissions on files, folders and databases
  • Rigorous authentication procedures
  • Data classification
  • Extensive personnel training

Sensitivity: the quality of information that could cause harm or damage if disclosed, e.g. details of a nuclear facility.

Criticality: the degree to which information is mission critical. The higher the level of criticality, the more likely it is that the information needs to be maintained.

Discretion: an act of decision whereby an operator can influence or control disclosure.

Concealment: the act of hiding, i.e. think of it as “camouflage”, e.g. steganography, which hides information under the guise of something else. Concealment is often viewed as a cover, obfuscation or distraction.

Secrecy: the act of keeping something secret, e.g. protecting information with encryption: without the encryption key, the information is not accessible. Another example is the Coke formula.

Privacy: the act of keeping information about a person in safe custody, e.g. Personally Identifiable Information (PII).

Seclusion: the act of storing something in an “out of the way” location, e.g. a password vault or a storage vault.

Isolation: the act of keeping something separate from the rest, e.g. a DMZ.

Integrity

Accuracy: integrity ensures that the information is not altered while the object is in storage, in transit or in process.

Authenticity: who is sending this information? Is the source trusted?

Completeness: having all needed and necessary parts, e.g. a database query.

Consistency: maintaining data consistency, e.g. database replication.

Integrity protection: keep bad actors away from data, prevent unauthorized modification, and prevent unauthorized modification by authorized users.

Integrity verification: verification of data at the time of use, e.g. a message digest.

Non-repudiation: ensures that a subject or entity that caused an event cannot deny that the event occurred because of them, e.g. activity logging, digital certificates, session identifiers, transaction logs, access control mechanisms.

The next question is “How can integrity be violated or broken?” Numerous intentional attacks target it, such as:

  • Viruses
  • Logic Bombs
  • Unauthorized Access
  • Errors in code and applications
  • Malicious Modification
  • System Back doors

In many instances, unintentional causes lead to integrity breaches, including modifying or deleting files, entering invalid data, altering configurations, and errors in commands, code and scripts:

  • Human error
  • Oversight – an unintentional mistake resulting from a failure to notice something
  • Ineptitude – lack of training
  • Introducing a virus
  • Executing malicious code such as a Trojan horse
  • Writing malicious code that opens a back door
  • Mis-configured security controls

There are also numerous countermeasures that can help to increase integrity against possible threats.

  • Object/data encryption
  • Strict access control, such as locked doors, security guards, and permissions on files, folders and databases
  • Rigorous authentication procedures
  • Intrusion detection systems
  • Hash total verification
  • Interface restriction
  • Input/function checks
  • Extensive personnel training
  • Activity logging
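Integrity verification at the time of use and hash total verification, as described above, come down to recomputing a digest and comparing it before the data is acted on. The following is an added example, not code from the original post: it uses a constructed bank transaction record, shows a plain SHA-256 digest detecting an altered record, and then shows the caveat that a plain digest can be recomputed by whoever can rewrite the stored copy, which is why a keyed digest (HMAC with a secret key, assumed here to live in a secret store) is the stronger check.

```python
"""Integrity verification at time of use with a message digest (added example)."""
import hashlib
import hmac

# Constructed sample record and an altered copy; the values are made up.
RECORD = b"txn=1001;from=ACC-1;to=ACC-2;amount=100.00"
TAMPERED = b"txn=1001;from=ACC-1;to=ACC-2;amount=900.00"

def message_digest(data: bytes) -> str:
    """Plain SHA-256 digest (the 'hash total') stored beside the object."""
    return hashlib.sha256(data).hexdigest()

def verify_at_use(data: bytes, stored_digest: str) -> bool:
    """Recompute the digest when the data is about to be used and compare
    in constant time; False means the object was altered."""
    return hmac.compare_digest(message_digest(data), stored_digest)

def keyed_digest(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: a digest that cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_keyed_at_use(key: bytes, data: bytes, stored_digest: str) -> bool:
    """Same check as verify_at_use, but against the keyed digest."""
    return hmac.compare_digest(keyed_digest(key, data), stored_digest)

def demo() -> dict:
    """Run the checks and return each outcome by name."""
    stored = message_digest(RECORD)
    results = {
        "intact": verify_at_use(RECORD, stored),       # unchanged record passes
        "tampered": verify_at_use(TAMPERED, stored),   # altered amount is detected
    }
    # Caveat: a plain digest only catches changes by someone who cannot also
    # rewrite the stored digest. If both record and digest are replaced, the
    # plain check still passes...
    results["forged_plain"] = verify_at_use(TAMPERED, message_digest(TAMPERED))
    # ...whereas a keyed digest fails unless the forger also holds the key.
    key = b"constructed-demo-key-keep-it-in-a-secret-store"  # assumption: kept out of storage
    results["intact_keyed"] = verify_keyed_at_use(key, RECORD, keyed_digest(key, RECORD))
    results["forged_keyed"] = verify_keyed_at_use(key, TAMPERED, message_digest(TAMPERED))
    return results

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```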

Availability

Availability means that authorized subjects are granted timely and uninterrupted access to objects.

Usability: The state of being easy to use

Accessibility: The assurance that the widest range of subjects can interact with a resource regardless of their capability.

Timeliness: Being prompt, on time

The next question is “How can availability be violated or broken?” Numerous intentional attacks target it, such as:

  • DoS/DDoS attacks
  • Object destruction
  • Communication interruption
  • Device failure
  • Software errors
  • Environmental issues, i.e. heat, power loss, static, flooding

In many instances, unintentional causes lead to availability breaches, including accidentally deleting files, over-utilizing a hardware or software component, under-allocating resources, and mislabeling or incorrectly classifying objects:

  • Human error
  • Oversight – an unintentional mistake resulting from a failure to notice something
  • Ineptitude – lack of training
  • Mis-configured security controls

There are also numerous countermeasures that can help to increase availability against possible threats.

  • Monitoring performance and network traffic
  • Using firewalls/routers to prevent DoS/DDoS attacks
  • Implementing redundancy for critical systems (clustering)
  • Maintaining and testing backup systems
  • BCP/DR site
  • Fault-tolerant design
  • RAID

Remember:

The complete CIA triad is important as a whole; however, sometimes we need to give priority to one element, or a combination of them, over the others, depending on the context and the organisation's needs, e.g.:

  • Proprietary information: suppose we are examining proprietary information and deciding which element of the CIA triad to prioritize. Since the information is proprietary, the priority should be confidentiality, i.e. limiting access to the underlying information itself.
  • Financial information: consider financial information in a bank that must be protected. In this case the emphasis is on protecting the integrity of the underlying information, so that all transactions remain at their true value.
  • Information available for public consumption: now consider information that is meant for public consumption. Here availability holds the priority, because making the information available to the public is its whole purpose. Confidentiality is not an issue, since the information is available to everyone, and integrity holds a lower priority than availability.

Hence, an interesting generalization of CIA prioritization is that military and government organizations tend to prioritize confidentiality above integrity and availability, whereas private companies tend to prioritize availability over the others.
