The CIA triad helps prevent attacks on all fronts. In this post we'll go over what the CIA triad actually is and how these three concepts can cover the gamut of security infrastructure.
What The CIA Triad Is
No, I'm not referring to the infamous 3-letter intelligence agency here. In fact, CIA in the triad (or triangle) concept, is an acronym made up of Confidentiality, Integrity, and Availability. If this doesn't look familiar, you need to know it to pass any security certification exam.
If any one of these concepts is missing, you have not actually secured your system or data therein. Which one is most important depends on the organization's mission and goals.
- Confidentiality – restrictions on access and disclosure, protection of information, authorization, privacy.
- Integrity – prevention of improper modification or destruction of information, nonrepudiation, accuracy, authenticity.
- Availability – reliable and timely access to information, use of information, reliable service, recovery of critical systems, business continuity.
Think of confidentiality as privacy. You want to keep your data away from unauthorized people who could do damage to you or your organization. Meeting this standard means protecting your data from general access.
One method of maintaining confidentiality is encryption. Another is authentication. Authorized user access is key here.
Think of integrity as consistency. You want to make sure your data maintains its quality as it's stored, transferred, or otherwise accessed. Inaccurate data is worthless.
Data is less likely to be changed when file privileges are enforced. Malicious people aren't the only worry here; equipment failure is something to watch out for too. You also want to prevent corruption or outright data loss from crashes and power surges.
One method of maintaining integrity is backing up files, configuration, and builds. Altered information or straight up data loss could be very costly. Maintaining trust in data is key here.
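As an added example (not from the original post), here is one way to make "maintaining trust in data" concrete: a hash manifest over a backup or build tree, which detects both deliberate modification and the silent corruption a crash or power surge can leave behind. The SHA-256 manifest approach and the constructed file layout are my assumptions, not something the post prescribes.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Record the hash of every file under root, keyed by relative path."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree against a trusted manifest and report every deviation."""
    result = {"modified": [], "missing": [], "unexpected": []}
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
    result["unexpected"] = [rel for rel in current if rel not in manifest]
    return result

def demo() -> dict:
    """Constructed scenario: snapshot a small tree, then simulate a truncated
    write (crash), a deletion and a planted file before verifying."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_text("listen=443\n")
        (root / "build").mkdir()
        (root / "build" / "release.bin").write_bytes(b"\x7fELF" + b"\x00" * 64)
        manifest = build_manifest(root)
        # In practice the manifest is stored apart from the data it describes
        # (separate media, write-once store), otherwise it can be altered with it.
        stored = json.dumps(manifest, sort_keys=True)
        (root / "build" / "release.bin").write_bytes(b"\x7fELF")  # truncated write
        (root / "app.conf").unlink()                               # lost file
        (root / "build" / "extra.sh").write_text("echo hi\n")     # planted file
        return verify_manifest(root, json.loads(stored))
```

Running `demo()` reports `build/release.bin` as modified, `app.conf` as missing and `build/extra.sh` as unexpected; an empty report is the signal that a backup can be trusted for restore.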
Think of availability as a provable way that your data is safe. You can't verify your data or systems are safe if you can't get to them. Even if you know no one else will be able to get to it, what's the point of holding onto data or systems you can't use?
This facet of the triad is probably the most difficult one to achieve, as there are so many things that can interrupt service or data availability. Your hardware and software must be up and reachable. Beyond the data itself, if you can't process orders or information you could be dead in the water when you're supposed to be making money.
Your value could suddenly become meaningless. One method of maintaining availability is to prevent bottlenecks by clustering systems. Maintaining timely and uninterrupted access to systems and information is key here.
Attacks Separated by Concept
1. Attacks on Confidentiality
- General unauthorized data copying from no protection, like an open database or repository.
- Cracking weak encryption.
- Man-in-the-middle attacks to intercept data in transit.
- Theft of personal storage devices like hard drives and flash drives.
- Malware attacks that open the door to other maliciousness.
- Straight up doxxing to bring attention to the private citizen's information for malicious reasons.
1.1 Goal of Attacks on Confidentiality
This is typically how cyber attacks begin, with wanting access to personal information like payment cards and personally identifiable information. Confidential information is stolen to achieve some type of personal, political, or economic gain.
2. Attacks on Integrity
- Sabotage by a competitor, disgruntled employee, or stalker to disrupt normal operations.
- Indirect compromises like typos or packet loss.
- Making a normally safe asset, like a website, unsafe by planting malware to distribute bad software to others.
- Falsifying records to perpetrate fraud.
- Making a normally safe asset into a zombie to serve in a botnet to disrupt others.
2.1 Goal of Attacks on Integrity
This type of cyber attack is carried out by someone looking to damage information or systems so that the people who need them are out of commission. Sometimes these are called slash-and-burn campaigns, as they are carried out with the goal of corruption as opposed to theft.
3. Attacks on Availability
- Preventing normal business operations by way of network disruption, like DDoS attacks.
- Preventing normal business operations by way of locking computer resources down within a network, such as Ransomware attacks.
- Deliberate network or power disruption to take infrastructure offline.
3.1 Goal of Attacks on Availability
This type of cyber attack is carried out by someone looking to disrupt normal business activities directly, rather than stealing information or causing chaos as the first two concepts involve. These attacks can be money makers, as extortion is huge in this space. They can also be done to slow down or stop responses to other types of attacks.
Challenges of Maintaining the CIA Triad in the Modern World
Think of how well the CIA triad normally scales. By its very nature, the CIA triad helps prevent attacks and covers the gamut pretty well. However, the emphasis on new technologies, and the exposure of legacy technologies over networks, has created challenges for modern organizations.
There are more software companies than ever before. Application security has become front and center due to the ease of attacks, especially on web applications.
Rapid application development has led to DevOps, in which teams will usually prioritize business needs over security.
Many marketing agencies, for example, are run by marketers who hire coders and don't place emphasis on application security. They probably don't even know what the OWASP Top Ten is, let alone actively implement its concepts.
Big Data Security
Big data is one of those things you always used to hear about, over and over again. We can thank the advent of AI for switching gears here. While not discussed as much as it used to be, the practice of hoarding data still has massive privacy implications.
The vast amount of data that needs to be protected, along with the multitude of sources and formats, makes this a recipe for disaster. All of this data is collected just to make some kind of use of it or gain insights from it.
More and more enterprises are moving to the cloud, especially municipal services. This move into the cloud comes with its own set of challenges, mainly who actually has access to the data and where the data is stored.
There are constant breaches of open databases and team setups. Cloud providers should really do a better job of helping enterprise users understand the implications of settings.
Critical Infrastructure Security
Aging critical infrastructure that was conceptualized and created without regard to network use and connection to future systems includes critical services such as electricity, water, traffic, and much more. Check out what DHS considers critical infrastructure by sector for more on this.
Due to the widespread nature and importance of this infrastructure, these sectors are vulnerable to cyber attacks. Besides disruption to essential services, we're potentially looking at large loss of life. Due diligence and contingency planning are crucial here.
Internet of Things (IoT) Security
IoT is one of those collections of technologies that everyone loves to hate. Critical infrastructure is technically part of this section of technology as well. Failure to secure this collection of devices can lead to massive botnets, not to mention the huge privacy implications of sensitive data flowing from multitudes of sources.
This set refers to the ever-increasing number of devices that connect to the network. This isn't just computers; we're talking about printers, appliances, sensors, cameras, wearable devices, and more. This includes devices that have traditionally connected to the Internet and devices that traditionally have not been connected to the Internet.
IoT devices are especially vulnerable as they are shipped for ease of setup and use. Along with manufacturers not keeping up with security patching, most business owners and home users infrequently change default settings, when the manufacturer even allows it.
Thanks for joining me for this article on how the CIA triad helps prevent attacks. To read more on this subject, check out the following resources:
- Confidentiality, Integrity, Availability: The three components of the CIA Triad by IT Security Community Blog (Security StackExchange)
- The CIA Triad and Its Real-World Application by Netwrix
- CIA Triad by Infosec Institute