CIA Triad
Tejovrusha
[This is a beginner-friendly, easy-to-understand guide on a cybersecurity concept, CIA Triad, made so that even a non-tech person can grasp an idea on it easily.]
📑 Table of Contents
Introduction
What is the CIA Triad?
1. Confidentiality
Core Concepts of Confidentiality
Threats to Confidentiality
Real-life Attack: Equifax Data Breach
2. Integrity
Core Concepts of Integrity
Threats to Integrity
Real-life Attack: SolarWinds Attack
3. Availability
Core Concepts of Availability
Threats to Availability
Real-life Attack: WannaCry Ransomware
Additional Terms
Summary (TLDR)
Ever wonder how all our important and controversial information is on the internet yet seems to be maintained safely, without any danger to us and our data? That's because of the CIA triad.
So, what is CIA, you might ask? It is basically a guide on how organizations protect their data and systems from threats, whether by a hacker, any accident, or just a system failure. It is a foundation of all modern security practices.
The term CIA consists of 3 terms
1. Confidentiality
2. Integrity
3. Availability
They are like the 3 pillars for a basic secure system. Other than this, there are many other concepts for security too. But CIA is considered the basic necessity for any system, be it an app, a website, or any digital system.
Let's now dive a bit into each of these 3 pillars.
CONFIDENTIALITY:
As the name suggests, it’s about confidential data. In simple words, only an authorized user (right person) should be able to see or access particular information. For example, only you can have access to your own bank account details; not anyone on the website of your bank can know or have access to your credit card number and so on. If so, then it might be a huge problem. It's about preventing unauthorized access or disclosure of sensitive data (important or controversial data).
⮞ Core Concepts of Confidentiality:
Access control: using Authentication (verifying user's identity through username and password), Authorization (grant access right to specific data based on the user), Multifactor authentication (two-factor authentication), Role-based access control (access given based on the user's role), etc.
Data Encryption: using encryption algorithms like AES, RSA, etc. (converting a human-readable text into gibberish so the hacker trying to gain access to it understands nothing)
Data Masking: Hiding sensitive parts of data.
Information Classification: classifying data with a label as public, confidential, or top secret.
Security policies and procedures: creating formal rules on data access, data handling, and data sharing.
Physical security: restricting physical access to servers and other logs.
Network security: using firewalls, IDS (Intrusion Detection System), IPS (Intrusion Prevention System), and VPN (Virtual Public Network).
Endpoint security: protect end devices (like computers, laptops or mobile phones) through antivirus, encryption, etc.
Data loss protection (DLP): using tools to detect and prevent unauthorized transmission of sensitive data.
⮞ Threats of Confidentiality:
Eavesdropping: Hearing a conversation between two parties without their acknowledgement.
Social Engineering: getting a password or any sensitive data from a user by manipulating them.
Insider threat: a person inside an organization being the cause of the disclosure or accidentally letting in an unauthorized access by clicking on suspicious links.
Malware: a malicious code that can help hackers gain access to the system in which it gets injected.
Improper disposal of sensitive data: throwing away hard disks and documents without proper disposal of data contained within them.
⮞ Real-life attack:
※ Equifax data breach (2017)
So what basically happened is Apache Struts had found and informed Equifax about a patch that has to be fixed. But even after a span of 2 months, the company didn't seem to bother fixing it, giving the hackers an easy gateway. If you didn't know already, it is a company that helps hold onto all of the US's credit scores and other credit card details. The attackers used this opportunity and stole the SSN (social security number), DOB, and other sensitive data of over 143 million people. And also over 209k people’s credit card details were stolen. This cost about $700 million for the company to recover.
INTEGRITY:
Integrity is used to make sure that the information shouldn't be able to be modified or deleted while getting sent. It's about trusting the system over its entire lifecycle. The system should be true to itself. The data written and the data read by the receiver should be the exact same. For example, if you are sending your mobile number to someone, the receiver should receive the same number and not any modified number that could have been changed by any hacker midway. It's about maintaining the trust of the sender and receiver.
⮞ Core Concepts of Integrity:
Data validation: only correct and expected data enters the system.
Checksums & Hashing: any change in data, even a single bit, results in a different hash value (a hash value is a string of any length converted into that of a fixed length).
Digital signature: It is used to verify any user and also ensure that the data is not altered.
Version control & Audit logs: makes sure any change in data is logged in.
Redundancy & Backups: taking snapshots of the data or using the RAID concept (a concept for backing up data in multiple places).
Transaction Integrity (ACID property): Atomicity (a process is either done completely or not done at all), Consistency (goes from one valid state to another while making sure no information disappears out of nowhere), Isolation (a process doesn't get interfered with), Durability (once a process is committed, it remains the same even if the system crashes)
⮞ Threats of Integrity:
Ransomware attack: an attack where the hacker encrypts all the data in your system.
Man-in-the-middle attack: a hacker stands in the middle of the user and the server and provides data by disguising himself as the service provider by giving the information of his own or modified.
Data corruption: when hardware fails or any bug enters the system and changes the data.
Unauthorized modification: A malicious insider or attacker alters the records.
⮞ Real-life attack:
※ SolarWinds supply chain attack (2020)
SolarWinds developed software named 'Orion,' which contains many tools for network, IT, security, and log management and more, used by many big organizations and even the government. Attackers inserted a malicious code into the software update process, and it gave them an easy entrance to the software, which went unnoticed for many months until a cybersecurity organization tested it. This attack is called the Remote Access Trojan, or RAT attack.
AVAILABILITY:
Availability ensures that any authorized user would be able to access the resources they need, whenever and wherever they want. It makes sure the service is provided to the user without any flaws. For example, if you want to search for something on google.com, then you can just open it right away. You can use Google's service whenever and wherever you want, be it today, tomorrow, or even 5 years later, whether you are in the US, the UK, or even the Amazon forest, as long as you have a good internet connection. It's the ability of a server or any system to provide the service even if there was any attack happening on it. Basically having multiple servers as a backup even if one system fails.
⮞ Core Concepts of Availability:
Redundancy & Backups: taking snapshots of the data or using the RAID concept (a concept for backing up data and storing it in multiple places).
Fault tolerance: the ability of a system to function even if part of it fails.
Load balancing: having multiple servers to prevent overload.
Network and Infrastructure monitoring: monitoring the server or system's uptime, latency and anomalies (incorrect or erroneous information)
Denial of Service (DOS): Firewalls and Distributed DOS (DDOS) mitigation help prevent overload from malicious traffic.
Maintenance: having minimal and planned downtime, often pre-announced.
Cloud and Virtualization: offers elasticity and redeployment.
⮞ Threats of Availability:
DOS: Creating traffic on a system so that the user is bombarded with pop-ups saying something is wrong.
DDOS: performing a DOS attack on a distributed amount of users or a server.
Hardware or software failures: when the hardware of the server or the software fails due to any unexpected circumstance.
Natural disaster: flood, earthquake, or power failure.
Human error: accidental deletion of any software in the main server.
Ransomware attack: an attack where the hacker encrypts all the data in your system, making it impossible for you to access unless you pay any sum of money.
Resource Exhaustion: CPU or memory or storage overload.
⮞ Real-life attack:
※ WannaCry ransomware attack (2017)
It entered every vulnerable (easy to hack through any security holes present) system through a weakness in Windows software called Eternal Blue. It locked up all the files in those systems by encrypting them, and also the attacker demanded $300 in bitcoin to decrypt the files back. This attack affected about 230k systems across 150+ countries. This is said to be the biggest and most tragic cyberattack so far.
Additional terms:
- AUTHENTICITY:
The receiver should be able to verify that the message is truly from a trusted source or user.
- ACCOUNTABILITY:
Every user has a responsibility, and the user’s action should be kept on track by the system for forensics purposes after any security threat or attack or breach. The user shouldn't misuse their privilege.
SUMMARY (TLDR) :
So basically, the CIA triad helps the organization protect the user's data and the system.
It has 3 terms:
Confidentiality: privacy. making sure that only the right person can access the data.
Integrity: trustworthiness. making sure the data doesn't get changed midway.
Availability: accessibility. making sure the service or data is always available to the user.
Subscribe to my newsletter
Read articles from Tejovrusha directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by