Udemy

The CIA Triad of IT Security

A free video tutorial from Alexander Oni
The Core Information Security Principles

From the full course: The Absolute Beginners Guide to Cyber Security 2025 - Part 1

04:52:52 of on-demand video • Updated March 2025
So now that you know the difference between cybersecurity and information security, we can study the course proper by talking about the core information security principles. And by the way, when I say information security in here, I'm also referring to cybersecurity as well. So what exactly are these principles? We have three of them and they're typically referred to as the CIA triad. And no, I'm not talking about the Central Intelligence Agency from the US. I'm talking about confidentiality, integrity and availability. I promise you, I guarantee you that any kind of cybersecurity product or hardware or software or policy is always geared to achieving at least one of these three principles. So what exactly are they? Confidentiality basically means that data is only accessed by those who have the right to access that data. So sorry, if you don't have the necessary credentials, you cannot access this data. That's what confidentiality is aimed at achieving. And we do have several tools to help us achieve confidentiality. So tools like your encryption, passwords, biometrics (we'll talk about these later), all these are geared towards achieving confidentiality. But what about integrity? This simply ensures that the data has not been tampered with, it's not been altered, it's not been modified, or if in fact it has been modified, it is by the right people. It is by somebody who had the right to modify that particular file. So that's what integrity is aimed at achieving. And we do have tools to help us achieve that, like your checksums, hashing and so on. All these are geared towards ensuring that the data has not been tampered with.

And finally, availability. And this is one of the, well, this is the principle that junior security administrators with little experience often seem to forget. Availability simply means that the data and resources are actually available to be accessed by those with the right credentials. Again, the junior administrators, they always forget about availability. They focus on confidentiality, integrity and then always just take it for granted that the data, the resources, they'll always be available to whoever needs to access them, which isn't always the case. So we do have tools to ensure availability. So things like your network access, server and data availability and much more. All these are geared towards ensuring that availability is met.

Now, we do have what we call the supporting principles, the AAA. We're talking about authentication, authorization and availability, or I'm sorry, accounting. So what exactly are these three? Authentication simply means that a user's identity is verified before they're given access to a particular kind of file. Think about it, right? Whenever you're trying to access maybe your email, or maybe you've been logged out and you need to log back in to your Netflix account, typically you'll have to provide a password, right? That password is supposed to help the server verify who you are. So the password in this case right now is the tool aimed at achieving authentication. Now, when it comes to authorization, this will determine what you are able to do once you've been given access through the authentication process. So say for example, you are trying to access a confidential file on a server. Before you can access that file, you verify who you are through authentication. Now that you've been given access to the file, it doesn't necessarily mean that you can do anything you want to do with the file. What can you do with the file? You can view the file, you can modify the file, you can delete the file, you can transfer the file, you can copy the file, you can even delete the file, right? These are all different kinds of things you can do with the file, but what you can do will be determined by your level of authorization. So say for example, you have the lowest level, level one; maybe this would allow you to view the file, but you cannot do anything else. Level two will allow you to view the file, but maybe also make changes to the file and save those changes. Level three will allow you to view the file, make some changes and then maybe even download the file, and so on. So maybe level five, which is like the highest, will allow you to do whatever you wanna do with the file. So that's what authorization is.

The last one in here is accounting. This basically just keeps track of what users do with a particular kind of file or data. Now, this is very, very important, because if there was a data breach, maybe a file got downloaded illegally, accounting will be able to trace who in fact downloaded the file illegally. So accounting is just some form of accountability, right? That's basically what it is.

So with the CIA and the AAA principles out of the way, let's talk about the opposing principles, which is the DAD: disclosure, alteration and deniability. These are what the bad guys, the cyber criminals, the hackers, these are what they aim to achieve. So what exactly is disclosure? This is the exact opposite of confidentiality. Here, data is accessed by non-authorized users, right? And they do have several tools like Trojans, brute force attacks or even physical theft. These are the tools and methods by which hackers could achieve disclosure. And then the exact opposite of integrity, which is of course alteration, where data has been compromised or has been modified. And then you have the tools like your malware, viruses, SQL injection; they go on and on and on. All these can be used by the bad guys to achieve alteration. And the last, which is the exact opposite of availability, deniability, where data isn't made available to those who need to access that data. And we have tools like your denial of service attacks, ransomware; all these we'll talk about later in the course. All these can be used by hackers to achieve deniability. So we have the CIA and then we have the DAD. Those are the acronyms that you should be aware of.

But before we round this up, recently there have been two new additional core principles that have been added to the CIA triad. This would be privacy, and with privacy, this simply refers to the right of an individual or user to control the use of their own personal information, or also to keep their activities online personal. And of course, in the world we live in today, this is becoming more of a sensitive topic, because you have governments around the world who want more access to the users' data. They're basically trying to strip away privacy from users. And of course, there's this big debate going on, but this is another core principle of cybersecurity and information security. And the fifth one is what we call non-repudiation. This basically is where a subject or a user cannot deny something such as creating, modifying or sending a resource. It's kind of similar to accounting, where again, with accounting, you can trace what each user did on a particular kind of file or data. So non-repudiation is just basically making it so that the user will not be able to deny that: "Oh, I never did this, it wasn't me. It was the one-armed man, it was Nancy, it was Bob, I'm innocent." No, you're not, okay, we have the records. And with non-repudiation, we can prove that you are the one in fact who did this illegal thing. So that's what non-repudiation is meant to achieve. So that's basically it for the core information security principles. Thank you for watching, I will see you in the next class.
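The lecture names the tools behind each principle (passwords for authentication, checksums and hashing for integrity, authorization levels, and an accounting trail) without showing them in code. The following is an added example, written for this page and not part of the course or of any Udemy material, that models those four pieces in a small Python script: a salted password hash verified with a constant-time comparison, a SHA-256 checksum that detects alteration, an authorization table that maps the lecture's illustrative levels (one, two, three and five) to permitted actions, and an in-memory audit log that can answer the accounting question "who downloaded this file?". The level-to-action mapping, the user names, the file name and the file contents are all constructed for the example; the lecture mentions levels only as examples and does not define a fixed table.

```python
"""Toy model of the CIA / AAA principles from the lecture (constructed example)."""
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # work factor for the password hash (assumed value)


# --- Confidentiality / authentication: never store the password itself -------
def make_password_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key) for storage. A fixed salt may be passed for tests."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def authenticate(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Authentication: re-derive the key and compare in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


# --- Integrity: a checksum taken when the file was trusted -------------------
def checksum(data: bytes) -> str:
    """SHA-256 hex digest of the file contents."""
    return hashlib.sha256(data).hexdigest()


def integrity_intact(data: bytes, expected_checksum: str) -> bool:
    """True only if the current contents still hash to the recorded checksum."""
    return hmac.compare_digest(checksum(data), expected_checksum)


# --- Authorization: what an authenticated user may do with the file ----------
# Constructed table based on the lecture's illustrative levels; level 5 is the
# highest and is allowed every action the lecture lists.
LEVEL_ACTIONS: Dict[int, FrozenSet[str]] = {
    1: frozenset({"view"}),
    2: frozenset({"view", "modify"}),
    3: frozenset({"view", "modify", "download"}),
    5: frozenset({"view", "modify", "download", "copy", "transfer", "delete"}),
}


def is_authorized(level: int, action: str) -> bool:
    """Unknown levels are allowed nothing (deny by default)."""
    return action in LEVEL_ACTIONS.get(level, frozenset())


# --- Accounting: record every attempt, allowed or not ------------------------
def perform_action(log: List[dict], user: str, level: int, action: str, filename: str) -> bool:
    """Check authorization, append an audit entry, and report whether the action ran."""
    allowed = is_authorized(level, action)
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "level": level,
        "action": action,
        "file": filename,
        "allowed": allowed,
    })
    return allowed


def who_did(log: List[dict], action: str, filename: str) -> List[str]:
    """Accounting query: which users actually performed `action` on `filename`?"""
    return [e["user"] for e in log
            if e["action"] == action and e["file"] == filename and e["allowed"]]


if __name__ == "__main__":
    # Constructed sample data.
    record = make_password_record("correct horse battery staple")
    print("login ok:", authenticate("correct horse battery staple", record))
    print("login with wrong password:", authenticate("guess", record))

    original = b"quarterly report: revenue 100"
    trusted = checksum(original)
    tampered = b"quarterly report: revenue 1000"
    print("original intact:", integrity_intact(original, trusted))
    print("tampered intact:", integrity_intact(tampered, trusted))

    audit: List[dict] = []
    perform_action(audit, "alice", 3, "download", "report.txt")
    perform_action(audit, "bob", 1, "download", "report.txt")   # denied, still logged
    print("who downloaded report.txt:", who_did(audit, "download", "report.txt"))
```

The audit log records denied attempts as well as successful ones, which is what lets accounting distinguish "bob tried to download the file" from "alice downloaded the file". The checksum only detects alteration; it cannot say who made the change, which is why the lecture pairs integrity with accounting and non-repudiation.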