Which part of the CIA triad ensures that the data objects and resources are accessible only to authorized subjects as and when required?

Posted at 12:20h in Uncategorized by Ralph Heymsfeld 0 Comments

The CIA Triad of confidentiality, integrity and availability is considered the core underpinning of information security. Every security control and every security vulnerability can be viewed in light of one or more of these key concepts. For a security program to be considered comprehensive and complete, it must adequately address the entire CIA Triad.

Confidentiality means that data, objects and resources are protected from unauthorized viewing and other access. Integrity means that data is protected from unauthorized changes to ensure that it is reliable and correct. Availability means that authorized users have access to the systems and the resources they need.

If you are preparing for the CISSP, Security+, CySA+, or another security certification exam, you will need to have an understanding of the importance of the CIA Triad, the definitions of each of the three elements, and how security controls address the elements to protect information systems.

Confidentiality

Confidentiality measures protect information from unauthorized access and misuse. Most information systems house information that has some degree of sensitivity. It might be proprietary business information that competitors could use to their advantage, or personal information regarding an organization’s employees, customers or clients.

Confidential information often has value and systems are therefore under frequent attack as criminals hunt for vulnerabilities to exploit. Threat vectors include direct attacks such as stealing passwords and capturing network traffic, and more layered attacks such as social engineering and phishing. Not all confidentiality breaches are intentional. A few types of common accidental breaches include emailing sensitive information to the wrong recipient, publishing private data to public web servers, and leaving confidential information displayed on an unattended computer monitor.

Healthcare is an example of an industry where the obligation to protect client information is very high. Not only do patients expect and demand that healthcare providers protect their privacy, there are strict regulations governing how healthcare organizations manage security. The Health Insurance Portability and Accountability Act (HIPAA) addresses security, including privacy protection, in the the handling of personal health information by insurers, providers and claims processors. HIPAA rules mandate administrative, physical and technical safeguards, and require organizations to conduct risk analysis.

There are many countermeasures that organizations put in place to ensure confidentiality. Passwords, access control lists and authentication procedures use software to control access to resources. These access control methods are complemented by the use encryption to protect information that can be accessed despite the controls, such as emails that are in transit. Additional confidentiality countermeasures include administrative solutions such as policies and training, as well as physical controls that prevent people from accessing facilities and equipment.

Integrity

Integrity measures protect information from unauthorized alteration. These measures provide assurance in the accuracy and completeness of data. The need to protect information includes both data that is stored on systems and data that is transmitted between systems such as email. In maintaining integrity, it is not only necessary to control access at the system level, but to further ensure that system users are only able to alter information that they are legitimately authorized to alter.

As with confidentiality protection, the protection of data integrity extends beyond intentional breaches. Effective integrity countermeasures must also protect against unintentional alteration, such as user errors or data loss that is a result of a system malfunction.

While all system owners require confidence in the integrity of their data, the finance industry has a particularly pointed need to ensure that transactions across its systems are secure from tampering. One of the most notorious financial data integrity breaches in recent times occurred in February 2016 when cyber thieves generated $1-billion in fraudulent withdrawals from the account of the central bank of Bangladesh at the Federal Reserve Bank of New York. The hackers executed an elaborate scheme that included obtaining the necessary credentials to initiate the withdrawals, along with infecting the banking system with malware that deleted the database records of the transfers and then suppressed the confirmation messages which would have alerted banking authorities to the fraud. After the scheme was discovered most of the transfers were either blocked or the funds recovered, but the thieves were still able to make off with more than $60-million.

There are many countermeasures that can be put in place to protect integrity. Access control and rigorous authentication can help prevent authorized users from making unauthorized changes. Hash verifications and digital signatures can help ensure that transactions are authentic and that files have not been modified or corrupted. Equally important to protecting data integrity are administrative controls such as separation of duties and training.

Availability

In order for an information system to be useful it must be available to authorized users. Availability measures protect timely and uninterrupted access to the system. Some of the most fundamental threats to availability are non-malicious in nature and include hardware failures, unscheduled software downtime and network bandwidth issues. Malicious attacks include various forms of sabotage intended to cause harm to an organization by denying users access to the information system.

The availability and responsiveness of a website is a high priority for many business. Disruption of website availability for even a short time can lead to loss of revenue, customer dissatisfaction and reputation damage. The Denial of Service (DoS) attack is a method frequently used by hackers to disrupt web service. In a DoS attack, hackers flood a server with superfluous requests, overwhelming the server and degrading service for legitimate users. Over the years, service providers have developed sophisticated countermeasures for detecting and protecting against DoS attacks, but hackers also continue to gain in sophistication and such attacks remain an ongoing concern.

Availability countermeasures to protect system availability are as far ranging as the threats to availability. Systems that have a high requirement for continuous uptime should have significant hardware redundancy with backup servers and data storage immediately available. For large, enterprise systems it is common to have redundant systems in separate physical locations. Software tools should be in place to monitor system performance and network traffic. Countermeasures to protect against DoS attacks include firewalls and routers.

Understanding the CIA Triad is an important component of your preparation for a variety of security certification programs. If you’re interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam.

In the CIA Triad, you may picture a man in a black suit solving crime and running behind criminals, we are not talking about that. Our CIA triad is a Fundamental cybersecurity model that acts as a foundation for developing security policies designed to protect data. Confidentiality, integrity, and availability are the three letters upon which CIA triad stands.

The CIA Triad is a common prototype that constructs the basis for the development of security systems. They are used to find vulnerabilities and methods to create solutions.

What is the CIA Triad in Cyber Security?

The CIA security triad model is constructed close to the principles of confidentiality, integrity, and availability of information are essential to the function of the business, and the CIA triad splits these three concepts into individual focal points. This differentiation is advantageous because it enables security teams to determine diverse methods by which they can address each problem. Ideally, when all three benchmarks are satisfied, the organization's security shape is more assertive and better qualified to handle threat incidents.

Like other unfortunate acronyms out there, one of them is the WTF (World Trade Federation), the CIA can often mean something else. It does refer to the Central Intelligence Agency. But when it comes to cybersecurity, it signifies something positively different.

In cybersecurity, the CIA refers to the CIA triad, a vision that concentrates on the balance between the confidentiality, integrity, and availability of data under the protection of your information security structure.

The objective of the triad is to help institutions construct their security strategy and develop policies and controls while also conforming as a foundational starting point for any unknown use cases, products, and technologies.

Components of the CIA Triad

Important components of triad of information security are:

1. Confidentiality

Confidentiality in information security assures that information is accessible only by authorized individuals. It involves the actions of an organization to ensure data is kept confidential or private. Simply put, it’s about maintaining access to data to block unauthorized disclosure.

To accomplish this, access to information must be supervised and controlled to prevent unauthorized access to data, whether done intentionally or accidentally. A critical component of preserving confidentiality is making assure that people without proper authorization are stopped from accessing assets that are important to your business.

Contrariwise, an adequate system also assures that those who need to have access should have the required privileges.

Confidentiality can be overstepped in many ways, for instance, via direct attacks developed to acquire unauthorized access to servers, web apps, and backend databases to breach or tamper with data. Network reconnoitering and other sorts of scans, electronic eavesdropping, and escalation of privileges by an attacker are just a few examples.

2. Integrity

This refers to the quality of something being unmodified or complete. In Information Security, integrity is about assuring that data has not been tampered with and can be trusted.

This helps to preserve the trustworthiness of data by holding it in the right form and immune to any inappropriate mutation. It creates the foundation for your assets and requires institutions to ensure uniform, precise, trustworthy, and secure data. If the information is imprecise or has been tampered with, it could signify a cyber-attack, vulnerability, or security incident.

Countermeasures that protect data integrity comprise encryption, hashing, digital signatures, and digital certificates by trusted certificate authorities (CAs) to organizations to verify their originality to website users, equivalent to the path a passport or driver’s license can be used to verify an individual's identity.

3. Availability

Systems, applications, and data are of small worth to an organization and its consumers if they are not available when authorized users require them. Fairly simply, availability indicates that networks, systems, and applications are up and operating. It assures that authorized users have timely, trustworthy access to resources when they are required.

Multiple things can threaten availability, including hardware collapse or software issues, power failure, natural circumstances beyond one's control, and human error. Perhaps the most well-known attack that jeopardizes availability is the denial-of-service (DoD) or DDoS attack, in which the performance of a server, system, web app or web-based service is knowingly and maliciously tarnished, or the system becomes completely inaccessible.

Countermeasures to help guarantee availability include redundancy in servers, internal networks, applications, hardware fault tolerance, regular software patching, system upgrades, backups, comprehensive disaster recovery plans, and DoS protection solutions.

To have a deep dive into these CIA triads and learn the implementation of these components in the organizations it’s always best to get guidance from an industry expert which can be retrieved by some good Cyber Security Courses online.

Examples of the CIA Triad in Practice

Data encryption is one method to assure confidentiality so that unauthorized users cannot retrieve or access the data to which they do not have permission access.

Access control is also an essential part of preserving confidentiality by governing which users have permission for accessing data.

Healthcare organizations that collect and operate patient data must maintain confidentiality and comply with HIPAA.

Event log management whenever the Security Incident happens and an Event Management system are important for ensuring data integrity.

Enforcing version control and audit trails to organizations IT structure will let your organization assure that its data is accurate and original.

Integrity in cyber security is a crucial component for organizations with compliance necessities. For example, a condition of SEC compliance conditions for financial services institutions requires providing correct and complete data to federal regulators.

Engaging a backup system and a BCDR plan is important for maintaining data availability.

Employing cloud solutions like AWS, Azure, or Google cloud for data storage services is one of the methods by which an organization can enhance the availability of data for its consumers.

The requirement for data to be available and accessible increases for sectors like financial services and healthcare.

Importance of CIA Triad

The CIA triad constitutes the core basis for the development of security systems and policies for institutions. As such, the CIA triad plays a critical part in maintaining your data safe and protected against growing cyber threats. When a security incident, such as information swiping or a security breach occurs, it is deemed that an organization has been unsuccessful in properly enforcing one or more of these regulations. The CIA triad is crucial to information security since it enriches security posture, enables organizations stay obedient with complex regulations, and guarantees business continuity.

The contrary of confidentiality, integrity, and availability is disclosure, alteration, and destruction.

Disclosure: When an authorized group gains access to your information.
Alteration: When data is altered or modified.
Destruction: When data, systems, or applications are destroyed or rendered inapproachable.

Why and When Should You Use the CIA Triad?

We use the CIA to evaluate data security of the security posture of the organization. It balances out the relationship between all the CIA triad pillars of confidentiality, integrity, and availability from a broad viewpoint. The framework requires that any attempt to secure digital information will not weaken another pillar of defense.

All the Certified Ethical Hacker certifications available across the globe will give your insight into why and when should you use the CIA triad for both offensive and defensive strategies in the organization.

Further, the CIA Triad effectively determines risk elements in information security systems and IT infrastructure. It is also a gateway for even more sophisticated risk assessment and management of security controls, such as the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database.

Goals of CIA in Cyber Security

The CIA Triad refers to the three objectives of cyber security Confidentiality, Integrity, and Availability of the organization's systems, network, and data.

Confidentiality: Preserving sensitive information confidential. Encryption services can save your data at rest or in transit and prevent unauthorized entry to shielded data.
Integrity: is the consistency of data, networks, and systems. This includes mitigation and aggressive measures to limit unapproved changes, while also having the capacity to retrieve data that has been compromised or lost.
Availability: refers to authorized users that can voluntarily access the systems, networks, and data required to achieve their daily tasks. Resolving hardware and software disputes, along with routine maintenance is essential to maintaining systems up and available.

Implementation of the CIA Triad with Best Practices

The CIA triad model can be used in several ways, including:

Discovering the best way to enforce authorization and authentication methods.
Comprehending how to keep customer, employee, and critical business data protected.
Assuring any new devices added to an organization are secure without introducing risks.

Best Practices of Confidentiality

Data should be handled based on the organization's demanded privacy.
Data should be encrypted using MFA or 2FA.
Maintain access control checklists and other file permissions updated.

Best Practices of Integrity

Assure employees are familiar with compliance and regulatory requirements to minimize human error.
Use backup and recovery strategies and software.
To assure integrity, use version control, access control, security control, logs, and checksums.

Best Practices of Availability

Utilize preventative efforts such as redundancy, failover, and RAID. Assure systems and applications are up to date.
Utilize network or server monitoring strategies.
Assure a BCDR plan is in place in case of data loss event.

CIA Triad Model: Pros And Cons

Pros of the CIA triad

Clarity: CIA model poses the quality of being specific, effortless, and precise to understand principles diminishing the risk of human blunder.
Well-Balanced: This Model allows to meet business decisions and safety needs by providing availability to security professionals and leaders.
Open-ended: There’s no permanent goal or status that you’re striving for with this model, which is useful as your organization develops and brings in new devices or upgrades data infrastructures.

Cons of the CIA triad

Restricted: The CIA triad model is best used when considering data, and so it might not be the correct tool to safeguard against social engineering or phishing attacks targeting workers.
Absence of specificity: The model’s unsophistication may also be a struggle for organizations with more undersized security knowledge or starting from scratch. On its own, the principle doesn’t furnish enough suggestions for building a comprehensive security model for an organization.
Not holistic: We don’t suggest only utilizing the CIA triad as your security model. Rather, it should be used alongside different models and frameworks to support you establish strong procedures and make effective judgments.

Brief History of the CIA Triad

When the information security professionals gained more intelligence and learned over the course of time, they saw a situation where they needed to form a CIA triad. In context, the word “confidentiality” was formalized in the 1976 U.S. Air Force study; on the other hand, Integrity was formalized in a 1987 paper. Commercial computing requires a special focus on the correctness of data.

It is believed that the concept of "availability" came into prominence in 1988 (but this date is unknown historically) due to the Morris worm attack, which at that time was distributed via the internet and had devastating effects back then on overall system downtime, affecting thousands of major UNIX machines. In 2008, there were estimates of $100,000,000-$10,000,000 in damage, and the internet had to be partitioned for days to repair the damage. Overall, the foundational concept of the CIA was given around 1998.

Example of the CIA Triad

Confidentiality

Solely authorized Payroll employees should have access to the employee finance payroll database.
It’s reasonable for eCommerce customers to expect that the personal information they provide to an organization (such as credit card, contact, shipping, or other personal information) will be protected in a way that prevents unauthorized access or exposure.
Those who work with an organization’s finances should be able to access spreadsheets, bank accounts, and other information related to the flow of money. Yet, the vast majority of different employees and possibly even certain executives may not be given access. To ensure these policies are followed, strict regulations have to be in place to determine who can see what.

Integrity

E-commerce customers, for example, expect product and pricing information to be accurate, and that quantity, pricing, availability, and other information will not be altered after they place an order. Banking customers need to be able to entrust that their banking details and account balances have not been tampered with.
If your company provides details about the CEO, senior managers, or any CXO on your organization's website, this information should have integrity. If it is incorrect or vulnerable to tamper with, the visitors who are visiting the website for information may suppose your organization is not trustworthy. Someone with a vested interest in damaging the reputation of your organization may attempt to hack your website and tamper with the descriptions, images, or titles of the executives to damage their reputation or the prestige of the business as a whole.
Compromising integrity most of the time is been done intentionally. An adversary may circumvent or bypass a security system like an intrusion detection system (IDS), change system configurations to permit unauthorized access to the assets or tamper with the logs maintained by the server to obscure the attack.
Integrity can be compromised by accident too. for example, Someone may accidentally enter the incorrect and insecure code or make another kind of unintentional or irresponsible mistake. Correspondingly, if the organization’s security structure including policies, procedures, and guidelines is inadequate or flawed, integrity can be violated without the person in the organization being accountable for the fault.

Availability

If there is a power outage or any instability and there is no BCDR plan in place to help consumers recover and re-establish access to essential servers and systems, the availability pillar from the CIA triad will be compromised.
Also, a natural disaster like a flood or severe hurricane will impact and stop consumers from heading to the office, which can interfere with the availability of their workstations and other official server and devices that provide business-critical service and information.
Availability can be impacted and compromised by some intentional acts as well as damage done on purpose and secretly, such as deployment of denial-of-service (DoS) attacks or ransomware.

Is the CIA Triad Limited as a Cyber Security Strategy?

As the quantity of data explodes and as the intricacy of ensuring that data has deepened, the CIA in information security may appear to be an oversimplification of the truth of modern-day cyber security strategy. Nevertheless, it is essential to remember that the Triad is not a strategy; rather, it is a starting place from which a security group can make a strategy.

It is a foundational concept on which to create a full-scale, strong cyber security strategy. It cannot eradicate trouble, but it can help prioritize systemic threats to address them better. Further, the CIA Triad cannot control all forms of compromise, but it helps decrease the probability of unnecessary exposure and can help reduce the effect of a cyber-attack.

Conclusion

CIA in cyber security is when a business maps out a security agenda, the CIA Triad can act as a valuable yardstick that explains the demand for the security controls that are considered. All security measures inevitably lead back to one or more of the three principles and KnowledgeHut’s Cyber Security courses online focus on all of these pillars profoundly.

Frequently Asked Question (FAQs)

1. What is the importance of the CIA in cyber security?

The CIA Triad is an information and data security model that directs an organization’s efforts toward guaranteeing the security of the user’s data or its confidential data

2. What are the goals of the CIA in security?

The goals of the CIA Triad are confidentiality, integrity, and availability, which are basic factors in information security. Information security protects valuable information from getting any unauthorized access, modification, and distribution of data or information.