The CIA Triad
Security objectives may be seen from different perspectives, but every security measure must achieve one of three goals, the three principles of security: confidentiality, integrity, and availability (CIA), often referred to as the CIA triad.
Most of the security violations fall into at least one of these concepts and understanding each one of them is critical in order to prevent attacks and protect our systems.
Confidentiality
Protecting confidentiality means providing adequate techniques to make sure that data is only accessed by allowed individuals. Depending on the type of information, more sensitive information requires a higher level of confidentiality.
- Personal information
- Account passwords
- Credit card account information
- Social security numbers
- Military secrets
Integrity
Integrity is the capability to ensure that the data has not been altered or changed from its original form; meaning that we are confident that the data arrives as it was sent.
Integrity applies not only to data but also to systems. For instance, if a threat actor changes the configuration of a server, firewall, router, switch, or any other infrastructure device, it is considered that he or she impacted the integrity of the system.[1]
An example of a system integrity violation is malware that deletes or corrupts system files required to boot the computer so it can cause a denial-of-service attack; errors such as programming errors i.e. bugs can also present an integrity violation; an attacker can also use an IoT modified device to send altered packets to a victim’s machine causing a denial-of-service condition.
An access control list (ACL) is an example of a control that helps to provide integrity. Another example is the generation of hash values that can be used to validate data integrity.[2]
Availability
Availability means ensuring that data is accessible when and where it is needed. Only individuals who need access to data should be allowed access to that data.[2]
Protecting availability is very critical in the IT industry; Low availability in an IT company such as ISPs (Internet Service Providers like Orange) is very beneficial to all concurrence, these companies will gain customers and money from its rival losses.
The most common attack facing availability is a denial of service attack (DOS).
Reference
Comments
Post a Comment