The CIA Triad of confidentiality, integrity and availability is considered the core underpinning of information security. Every security control and every security vulnerability can be viewed in light of one or more of these key concepts. For a security program to be considered comprehensive and complete, it must adequately address the entire CIA Triad.
 
 
 

1. CONFIDENTIALITY

Most information systems house information that has some degree of sensitivity. It might be proprietary business information that competitors could use to their advantage, or personal information regarding an organization’s employees, customers or clients.
 
Confidentiality is about how well these information resources are protected from unauthorized access and misuse. Recently, on 8-December-2020, FireEye reported that its collection of Red Teaming tools had been stolen. It is a classic case of a breach of confidentiality!
 
Confidential information often has value, which is why these systems are under frequent attack as criminals hunt for vulnerabilities to exploit. Threat vectors include direct attacks such as stealing passwords and capturing network traffic, and more layered attacks such as social engineering and phishing.
Not all confidentiality breaches are intentional. A few types of common accidental breaches include emailing sensitive information to the wrong recipient, publishing private data to public web servers, and leaving confidential information displayed on an unattended computer monitor.
 
Let us take the example of the healthcare industry. In healthcare, the obligation to protect client information is very high; it is mandatory. Not only do patients expect and demand that healthcare providers protect their privacy, there are also strict regulations governing how healthcare organizations manage the security of client data. The Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of clients' private data, and it also regulates the handling of personal health information by insurers, providers and claims processors. HIPAA rules clearly mandate administrative, physical and technical safeguards, and require all such organizations to conduct a thorough risk analysis.
 
There are many countermeasures that organizations put in place to ensure confidentiality:
  • Passwords, access control lists and authentication procedures use software to control access to resources.
  • These access control methods are complemented by the use of encryption to protect information that can be accessed despite the controls, such as emails that are in transit.
  • Additional confidentiality countermeasures include administrative solutions such as Information Security Policies and Employee Training, as well as physical controls that prevent people from accessing facilities and equipment.

2. INTEGRITY

Integrity is about how well you protect information from unauthorized alteration of any kind, or from destruction. These measures provide assurance that your data is accurate and complete, and that no untoward change has been made. The concept of integrity dictates that data stored on your systems, and data transmitted between systems (such as email), remains intact throughout.
 
To achieve integrity in practice, you must not only control access at the system level, but also ensure that your system users can alter only the information they are legitimately authorized to alter.
 
Effective integrity countermeasures must also protect against unintentional alteration, such as errors made by users or data loss resulting from a system malfunction.
 
Let us take the example of the finance industry, where there is a particularly pointed need to ensure that all transactions across its systems and sub-systems are absolutely secure from tampering.
 
One of the most notorious financial data integrity breaches in recent times occurred in February 2016, when cyber thieves generated $1-billion in fraudulent withdrawals from the account of the Central Bank of Bangladesh at the Federal Reserve Bank of New York. The hackers executed an elaborate scheme that included obtaining the necessary credentials to initiate the withdrawals, along with infecting the banking system with malware that deleted the database records of the transfers and then suppressed the confirmation messages which would have alerted banking authorities to the fraud. After the scheme was discovered, most of the transfers were either blocked or the funds recovered, but the thieves were still able to make off with more than $60-million.
 
There are many countermeasures that you can put in place to protect integrity:
  • Access control and rigorous authentication can help prevent authorized users from making unauthorized changes.
  • Hash verifications and digital signatures can help ensure that transactions are authentic and that files have not been modified or corrupted.
  • Equally important to protecting data integrity are administrative controls such as separation of duties and training. 
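
As an added illustration of the hash-verification countermeasure (this code is not part of the original article), the Python sketch below chains a keyed hash (HMAC) over each transfer record, so that an altered amount, a record deleted from the middle of the ledger, or records cut from the end are all detected. The record fields, the key and the function names are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # fixed starting value for the chain


def _tag(key, prev_tag, record):
    # Canonical JSON so the same record always serializes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()


def append(ledger, key, record):
    """Add a record; return the new head tag, to be stored outside the ledger."""
    prev = bytes.fromhex(ledger[-1]["tag"]) if ledger else GENESIS
    tag = _tag(key, prev, record)
    ledger.append({"record": record, "tag": tag.hex()})
    return tag


def verify(ledger, key, expected_head):
    """Return None if intact, else the index where verification first fails.

    len(ledger) means the entries chain correctly but stop short of the head,
    i.e. records were cut from the end.
    """
    prev = GENESIS
    for i, entry in enumerate(ledger):
        want = _tag(key, prev, entry["record"])
        if not hmac.compare_digest(want.hex(), entry["tag"]):
            return i
        prev = want
    return None if hmac.compare_digest(prev, expected_head) else len(ledger)


def demo():
    key = b"constructed-demo-key"  # constructed sample key for the example
    ledger, head = [], GENESIS
    for n, amount in enumerate([1200, 560, 98000, 45], start=1):
        head = append(ledger, key, {"id": n, "to": f"ACCT-{n:03d}", "amount": amount})
    edited = [dict(e) for e in ledger]
    edited[1]["record"] = {**edited[1]["record"], "amount": 5}  # amount altered
    deleted = ledger[:2] + ledger[3:]  # third transfer removed from the middle
    truncated = ledger[:3]             # last transfer removed
    return [verify(x, key, head) for x in (ledger, edited, deleted, truncated)]


if __name__ == "__main__":
    print(demo())
```

The head tag must be kept somewhere the ledger's writer cannot reach; without it, removing records from the end of the chain would go unnoticed.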

3. AVAILABILITY

Your information system must be available to your authorized users all the time.
Merely four days ago, on 14-December-2020, for example, a great many Google services such as YouTube, Hangouts, Gmail, Google Maps, Google Photos, etc. went down worldwide for some 45 minutes.
 
According to a statement by a Google spokesperson, "Today, at 3.47 AM PT Google experienced an authentication system outage for approximately 45 minutes due to an internal storage quota issue. Services requiring users to log in experienced high error rates during this period. The authentication system issue was resolved at 4:32 AM PT. All services are now restored." This is a perfect example of an outage and of a breach of the Availability concept. Now you can understand it better.
 
Availability is about how timely and uninterrupted your users' access to your information system is. Some of the most fundamental threats to availability are non-malicious in nature and include hardware failures, unscheduled software downtime, network bandwidth issues, the failure of any sub-system, etc. Malicious attacks, on the other hand, may include various forms of sabotage intended to harm your organization by denying your users access to the information system.
 
The availability (and responsiveness) of your website or your cloud-based service will surely be a high priority for you. You must recognize that disruption of website availability for even a short time can lead to loss of revenue, customer dissatisfaction and reputation damage to your organization. Hackers frequently use Denial of Service (DoS/DDoS) attacks to disrupt web services of all kinds. In DoS attacks, hackers flood a server with superfluous requests, overwhelming the server and degrading service for legitimate users.
 
Over the years, service providers have developed sophisticated countermeasures for detecting and protecting against DoS/DDoS attacks, but hackers also continue to gain in sophistication and such attacks remain an ongoing concern.
 
Countermeasures to protect system availability are as far-ranging as the threats to it.
  • Systems that have a high requirement for continuous uptime should have significant hardware redundancy with backup servers and data storage immediately available.
  • For large, enterprise systems it is common to have redundant systems in separate physical locations.
  • Software tools should be in place to monitor system performance and network traffic.
  • Countermeasures to protect against DoS/DDoS attacks include firewalls and routers.

Guys, what do you think about these fundamentals of Information Security, in light of these latest breaches?
Kindly leave me your thoughts in the comment section.
 
 
 

This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so obsessed with the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on the website and on social media platforms.

30,000+ professionals follow her on Facebook and are mesmerized by the quality of the content of her posts there.
