Join Lisa Bock for an in-depth discussion in this video Introducing the CIA triad, part of Foundations of IT Security: Core Concepts.
- One of the fundamental principles of providing a secure system is that of ensuring confidentiality, integrity, and availability. Also called the CIA triad, it is widely recognized in information assurance models. Confidentiality is assurance of data privacy and protection against unauthorized disclosure. Confidential information can include personally identifiable information, such as Social Security, credit card information or account numbers, or, business information, such as financial data, employee records, and trade secrets.
An example of a violation of confidentiality would be a hacker gaining access and reading government emails. It is not always evident that information has been leaked. Therefore, individuals and businesses should take steps to ensure confidentiality by allowing only authorized individuals, processes, or devices to read the data. Let's take a look at this website, informationisbeautiful.net, and we'll take a look at the world's biggest data breaches.
On this website, we can see significant data breaches that have occurred over the years. Everyone and everything who accesses data should be authenticated in some manner, such as a user name and a password, or by swiping a card and entering a PIN. Access to data can be controlled by assigning permissions to folders and files only to authorized users and to only users that need access. That means, do not grant permission to a user who doesn't need access.
Encryption can protect against the loss of confidentiality by converting data into a scrambled format which is meaningless unless you have a key. We'll go to the website, atom.smasher.org, and we'll get an example of what it looks like when data is encrypted. Now, I'm going to put a little bit of data in this message box. Encryption plays an essential role in protecting electronic information in many of today's businesses. But, you can put whatever you like in there.
I'm going to say Encrypt my message. And that's what it would look like if it were to be encrypted. As you can see, this wouldn't make sense to anyone unless they have a key. All data, whether at rest or in motion, such as data in cloud storage or traveling across the network, should be encrypted. Integrity is protecting data from unauthorized modification. Data integrity can be compromised when information has been altered, or destroyed, either maliciously or accidentally.
An example of a violation of integrity would be a student going into the grades and changing his or her Algebra grade from a C to an A. To protect against violations of integrity, the network should be monitored for unusual or suspicious activity. Strong audit policies should be in place. And software intrusion detection systems, such as Tripwire, can be used to monitor checksums for unauthorized changes. Availability is ensuring data and services are available to authorized users when needed.
A denial of service attack is an attack against availability which sends multiple requests to a system in an effort to interrupt or suspend services to legitimate users. A simple denial of service attack is not effective. A distributed denial of service attack is more effective as it uses armies, or botnets, to launch an attack. I've gone to the website Digital Attack Map, and we can see here active distributed denial of service attacks.
There is a video. If we click on Understanding DDoS, where you can learn more about what is a distributed denial of service attack. There are, however, mechanisms that could be used to ensure data availability, such as keeping systems current and upgrading, when necessary. To prevent data loss, back up systems regularly and store in an off-site location. Today's networks and the internet of things pose unique challenges in managing information as all systems are essentially interconnected.
Utilize a layered approach and monitor to provide confidentiality, integrity, and availability. Let's do a quick challenge. If I gained access to the company's payroll information and read everyone's payroll information, that would be a violation of integrity, confidentiality or availability? If you said confidentiality you'd be correct as there was an unauthorized disclosure of data.
Note: This course maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals 98-367 certification exam and is recommended test prep viewing.
- Evaluating risks, threats, and vulnerabilities
- Minimizing the attack surface
- Avoiding worms and viruses
- Protecting your system from spyware
- Making web browsers more secure
- Securing wireless transmissions
- Encrypting files, folders, and drives
- Using virtual private networks