The CIA Triad of IT Security

A free video tutorial from Alexander Oni
The Absolute Beginners Guide to Cyber Security 2023 - Part 1
Learn Cyber Security concepts such as hacking, malware, firewalls, worms, phishing, encryption, biometrics, BYOD & more
04:50:46 of on-demand video • Updated December 2023
Understand the basic concepts and terminologies used in the information and cyber security fields
Take up entry roles for IT and Cybersecurity Positions
Differentiate between the various forms of malware and how they affect computers and networks
Understand how hackers actually hack
-: All right, so let's start off by talking about the core information security principles, and these are typically referred to as the CIA triad. No, we're not talking about the Central Intelligence Agency. We're talking about confidentiality, integrity, and availability. These are the three core pillars of information and cybersecurity in general. Now, what exactly are these? Well, confidentiality simply means that data is accessed only by those with the right permissions. So only those who are authorized to access a certain kind of data will be the ones to do so. If you don't have the authority to do so, you would not be able to view that data. So we typically would use tools like encryption, passwords, biometrics, two-factor authentication, multifactor authentication, and so on to achieve this particular goal. But we also have integrity, which means that the data has not been tampered with or altered in any way. The data is as it's supposed to be. It's not been modified. We've not deleted anything. We've not added anything at all. It is pure. And typically, we would use tools like hashing and checksums to achieve this particular objective. And then availability, meaning that data and resources are available to be accessed or shared, which means that when you have the authority to access a certain kind of information, that information should be available for you to access. And of course, we'll make use of tools like network access, server and data availability, to achieve this particular objective. However, I also want you to know that we do have three additional supporting principles, which are the AAA. You have authentication, which is the process of verifying identity. So, for example, whenever you try to log into a page, you might need a username or a password. So that's a way to authenticate yourself, to prove that you are who you claim to be. And then authorization, the process of approving access.
Now, there is a difference between authentication and authorization. Authentication is basically saying, hey, this is who I am. I am real. I am who I claim to be. Authorization is more about, okay, this is what you are able to do. These are the permissions that you have. So authentication comes first. Maybe you've been authenticated. You've logged onto a server, and then whatever you can do on that server will come with authorization. And then the final supporting principle here will be accounting, which is the process of tracing actions to the source. So whatever a user does on a server or with a file, there will be evidence to prove that, okay, this is exactly what they did. There's accountability, in short. Now let's take a look at the opposite triad, and that is the DAD triad. These are what the cybercriminals, basically the bad guys, try to achieve. They try to achieve disclosure, alteration, and deniability. Now, disclosure is of course the direct opposite of confidentiality, where data is accessed by non-authorized users. And they will use tools and weapons like Trojans, brute force attacks, and even physical theft sometimes. And then alteration, being the direct opposite of integrity, where data will be compromised or tampered with. They can do so via malware, viruses, SQL injection, and so much more. And then of course, deniability, the exact opposite of availability, where data and resources are not made available to those who need it. And this can be achieved with the use of DoS attacks, denial-of-service or distributed denial-of-service, and then ransomware attacks. So you have the CIA triad, and then you have the DAD triad. Now, going back to the CIA triad, over the years, it has evolved to now also include the objective of privacy. So it's no longer just about confidentiality, integrity, availability. Privacy has also become a core objective of cybersecurity.
And this simply refers to the right of an individual or user to manage or control the use of their personal information. Also, there is another objective which you'll hear about, and that's going to be non-repudiation. It's also one of the core pillars of information security nowadays. And this is basically where a subject cannot deny something, such as creating, modifying, or sending a resource. It's kind of similar to accounting, accountability, where whatever the user does, it can be traced back to them. Non-repudiation is very, very similar, in that the user cannot in any way deny that: oh, I didn't do this. It wasn't me. It was someone else. No, that's not possible. That's what non-repudiation aims to achieve. So going back to the very beginning once again, the DAD triad... I'm sorry, the CIA triad, rather: confidentiality, integrity, availability. We've got three supporting principles: authentication, authorization, accounting. And then you have the DAD triad for the bad guys: disclosure, alteration, deniability. And then two additional pillars for cybersecurity that have evolved over time: you've got privacy and then non-repudiation as well. So thanks so much for watching the video. I will see you in the next class.
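The lecture names hashing and checksums as the tools for integrity and describes the AAA principles in words. The following is an added example, written for this page and not code from the course or its instructor, that puts those ideas into a small runnable form: a SHA-256 checksum that detects an altered file, a salted password hash for authentication, a role-to-permission table for authorization, and an audit log for accounting. The user table, the roles "admin" and "analyst", the usernames, and the in-memory resource store are all constructed for the demonstration and stand in for a real database and file system.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# ---- Integrity: a checksum recorded while data is trusted reveals later alteration ----
def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of data as hex, the usual form of a checksum."""
    return hashlib.sha256(data).hexdigest()

def integrity_intact(data: bytes, expected_digest: str) -> bool:
    """True only if data still matches the digest recorded when it was trusted."""
    return hmac.compare_digest(sha256_hex(data), expected_digest)

# ---- Authentication: proving who you are (hypothetical in-memory user table) ----
PBKDF2_ROUNDS = 100_000
USERS = {}  # username -> (salt, derived key, role); a constructed stand-in for a real database

def _derive(password: str, salt: bytes) -> bytes:
    # The password itself is never stored; only a salted, deliberately slow hash of it is kept.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def register(username: str, password: str, role: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _derive(password, salt), role)

def authenticate(username: str, password: str) -> bool:
    entry = USERS.get(username)
    if entry is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        _derive(password, bytes(16))
        return False
    salt, key, _role = entry
    return hmac.compare_digest(_derive(password, salt), key)

# ---- Authorization: what an authenticated subject is allowed to do ----
ROLE_PERMISSIONS = {"admin": {"read", "write", "delete"}, "analyst": {"read"}}

def authorized(username: str, action: str) -> bool:
    entry = USERS.get(username)
    return entry is not None and action in ROLE_PERMISSIONS.get(entry[2], set())

# ---- Accounting: every attempt, successful or not, is traced back to a subject ----
AUDIT_LOG = []

def record(username: str, action: str, resource: str, outcome: str) -> None:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": username, "action": action, "resource": resource, "outcome": outcome,
    })

def perform(username: str, password: str, action: str, resource: str, store: dict, payload=None) -> str:
    """Authenticate first, then authorize, then act; log the outcome in every case."""
    if not authenticate(username, password):
        record(username, action, resource, "auth-failed")
        return "auth-failed"
    if not authorized(username, action):
        record(username, action, resource, "denied")
        return "denied"
    if action == "delete":
        store.pop(resource, None)
    elif action == "write":
        store[resource] = payload
    # "read" changes no state; the audit entry is the evidence that it happened
    record(username, action, resource, "ok")
    return "ok"

if __name__ == "__main__":
    # Integrity: the checksum taken while the file was trusted no longer matches after a change.
    original = b"balance=100"
    checksum = sha256_hex(original)
    print("untouched:", integrity_intact(original, checksum))
    print("altered:  ", integrity_intact(b"balance=900", checksum))

    # AAA: constructed users and a constructed resource store.
    register("alice", "correct horse battery", "admin")
    register("bob", "hunter2", "analyst")
    files = {"report.txt": b"q1 numbers"}
    print(perform("bob", "hunter2", "read", "report.txt", files))      # ok
    print(perform("bob", "hunter2", "delete", "report.txt", files))    # denied
    print(perform("mallory", "guess", "read", "report.txt", files))    # auth-failed
    for entry in AUDIT_LOG:
        print(entry)
```

The order inside `perform` is the point the lecture makes: identity is verified before permissions are consulted, and the audit entry is written whether the request succeeds, is denied, or fails to authenticate, so that a denied or failed attempt is just as traceable as a successful one. The checksum comparison and the password comparison both use `hmac.compare_digest` rather than `==`, which is the idiomatic constant-time comparison in Python.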