Cybersecurity is a broad practice that fits within an even larger discipline known as “information security,” or InfoSec.
Simply stated, information security is the practice of protecting information and the systems that handle it. Understanding a few fundamentals of InfoSec can help you create a more holistic and sound security strategy for your IT business and clients.
CIA Triad: The Foundation of InfoSec
The foundation of information security is based on three principles:
- Confidentiality – the protection of data from unauthorized access and disclosure.
- Integrity – the protection of data from unauthorized modification.
- Availability – the prevention of disruptions in authorized access to data.
A security strategy for small businesses must address all three principles to be effective. Security policies must be established to protect the company’s data from unwanted access, modification, and disruptions in availability.
Let’s dig further into each principle to better understand how it applies to small businesses.
The aim of confidentiality in the CIA triad is to prevent unauthorized access to, use of, and disclosure of information, especially personally identifiable information (PII).
Most of the data breaches in the news are the result of a failure to protect data’s confidentiality.
In a nutshell, a typical data breach occurs when someone (such as a criminal) gains access to data (such as credit card numbers) that they were not supposed to see. The confidentiality of this data has been compromised.
Ensuring confidentiality requires more than protecting data on a device. It also includes physical security to control access to the device itself.
For example, a stolen laptop can easily turn into a large-scale breach that costs a company thousands upon thousands of dollars if the data on the device isn’t encrypted.
Breaches of this nature seriously damage a company’s reputation as well as its relationship with its clients.
Confidentiality is also paramount when a company holds trade secrets that it wants to keep from competitors.
If the confidentiality of these secrets is compromised by an unauthorized party, the company could stand to lose out on substantial profits in the future.
Fortunately, there are many ways IT providers can maintain the confidentiality of company and customer information.
Encryption is the standard way to keep stored information confidential, especially on laptops and phones that leave the office.
Encryption transforms the data into ciphertext that cannot be read without the secret key. If a device is lost or stolen, the thief gets the ciphertext but not the key, so the data is not disclosed; modern authenticated encryption (such as AES-GCM) also detects any tampering with the stored ciphertext. The protection only holds if the key is not stored alongside the data: use full-disk encryption tied to the user’s passphrase or a hardware key store, and a screen lock so an unlocked device can’t simply be picked up and read.
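The following is an added example, not code from the original article or any vendor’s product, showing what “encrypted at rest” actually buys you. It seals a constructed sample record with AES-256-GCM (authenticated encryption from Go’s standard library) and then shows that decryption fails, rather than returning garbage, both when the wrong key is used and when a single byte of the stored file has been altered. The helper names, the in-memory key generation and the sample record are this example’s own assumptions; a real deployment would keep the key in a hardware-backed store or derive it from the user’s passphrase.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a fresh random 256-bit AES key. This is an assumption of the
// example: in practice the key lives in a hardware key store or is derived from
// the user's passphrase, and is never written next to the ciphertext.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encrypt returns nonce || ciphertext || GCM tag. The tag means any change to
// the stored bytes is detected on decryption, not silently accepted.
func encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce so everything needed to
	// decrypt (except the key) is in one blob.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt reverses encrypt. It fails on a wrong key, a tampered ciphertext
// or a blob too short to hold a nonce.
func decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	key, _ := newKey()
	// Constructed sample record of the kind a stolen laptop might hold.
	record := []byte("patient=J. Doe; card=4111 1111 1111 1111")
	sealed, _ := encrypt(key, record)
	// A thief with the disk but not the key sees only this.
	fmt.Printf("stored on disk: %x\n", sealed)

	// Wrong key: decryption fails instead of producing plausible garbage.
	otherKey, _ := newKey()
	if _, err := decrypt(otherKey, sealed); err != nil {
		fmt.Println("wrong key:", err)
	}
	// Flipping one byte of the stored blob is also detected.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := decrypt(key, tampered); err != nil {
		fmt.Println("tampered:", err)
	}
	plain, _ := decrypt(key, sealed)
	fmt.Println("with the key:", string(plain))
}
```

The design point worth noticing is that GCM gives integrity as well as confidentiality: an unauthenticated mode such as AES-CBC would happily decrypt a modified file into corrupted plaintext, and the caller would never know.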
Limiting the access each employee has to important information can also prevent a breach.
Employee access should correspond with their daily responsibilities only. An entry-level hire doesn’t need the same access to company information as a CEO.
Implementing access controls that require authentication, such as a login protected by multi-factor verification, before information can be viewed is another way to protect confidentiality.
Integrity in the CIA triad refers to the wholeness, accuracy, and consistency of a piece of information.
Unauthorized or unintentional changes made to important information can have severe results later on.
For example, an employee at a healthcare facility could mistype the address of a patient who is to receive test results. This small error could become a HIPAA breach if the results are then sent to and opened by the patient’s neighbor.
On a more nefarious note, a hacker who steals the login credentials of a financial institution’s employee could use them to alter customer records, such as balances or payee details, in a way that financially benefits the hacker.
Information that is altered in transit can be dangerous for a company and its customers as well.
A hacker could use a man-in-the-middle attack to intercept information in transit between two computers.
The hacker could then alter the intercepted data to include misinformation or malicious code before forwarding it to its intended recipient. Transport encryption such as TLS defeats this: the attacker can still see that traffic is flowing, but cannot read or modify its contents without the tampering being detected.
There is also the risk of an unauthorized party impersonating the source of the information.
Should a hacker gain control of your client’s website, they could easily disseminate information that looks authentic but isn’t.
Not only is the information source inauthentic, but the company could face customer distrust in the future due to the attack.
Ways to combat these issues include digital signatures, cryptographic hash functions, and version control.
Cryptographic hash functions detect whether the information in a file has been altered; digital signatures additionally establish whether it came from the claimed source.
A cryptographic hash function turns a piece of data of any size into a fixed-size value, the digest, in a way that is practically impossible to reverse or to find two inputs for: changing even one bit of the input produces a completely different digest.
The receiving computer does not unscramble anything. It recomputes the digest of the data it received and compares it with the digest the sender published; if the two differ, the data was altered somewhere along the way.
A bare hash only proves that the data matches the published digest, though. An attacker who can change the data and the digest together, for example both on the same compromised web page, simply recomputes the digest, so it must reach the verifier by a path the attacker cannot alter.
Digital signatures close that gap. The sender signs the document (in practice, its digest) with a private key that only they hold, and anyone with the matching public key can verify the signature. A valid signature shows both that the document is unaltered and that it came from the holder of the private key; if verification fails, the document’s integrity or origin is in question.
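The difference between a hash check and a signature check, as an added example that is not code from the original article. It hashes a constructed sample payment instruction with SHA-256, shows that a modified instruction fails the check, then shows that an attacker who controls the channel can simply recompute the hash for the modified instruction and pass it. An Ed25519 signature (from Go’s standard library) does not have that weakness: the modified instruction fails verification, and a signature the attacker makes with their own key fails too. The helper names, the sample message and the in-memory key pairs are this example’s own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// digest is the SHA-256 hash of the data: fixed size, one-way, and any change
// to the input changes the output.
func digest(data []byte) [32]byte {
	return sha256.Sum256(data)
}

// sameDigest is the receiving side's check: recompute the hash of what
// arrived and compare it with the digest that was published. Constant-time
// comparison avoids leaking which byte differed.
func sameDigest(data []byte, expected [32]byte) bool {
	got := digest(data)
	return subtle.ConstantTimeCompare(got[:], expected[:]) == 1
}

// newKeyPair generates an Ed25519 key pair in memory. Assumption of the
// example; a real signer keeps the private key in a protected store.
func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// sign binds the message to whoever holds the private key. Ed25519 hashes
// the message internally, so the caller passes the data itself.
func sign(priv ed25519.PrivateKey, data []byte) []byte {
	return ed25519.Sign(priv, data)
}

// verify needs only the public key, so anyone can check, but only the
// private-key holder could have produced a signature that passes.
func verify(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

func main() {
	// Constructed sample: a payment instruction from the finance team.
	msg := []byte("pay vendor ACME 1,250.00 to account 000123")
	d := digest(msg)
	fmt.Println("digest check on original:", sameDigest(msg, d))

	// An attacker on the path changes the account number...
	forged := []byte("pay vendor ACME 1,250.00 to account 999999")
	fmt.Println("digest check on forged:", sameDigest(forged, d))
	// ...and, if the digest travels with the message, just recomputes it.
	fmt.Println("digest check with attacker's digest:", sameDigest(forged, digest(forged)))

	// A signature cannot be recomputed without the sender's private key.
	pub, priv, err := newKeyPair()
	if err != nil {
		panic(err)
	}
	sig := sign(priv, msg)
	fmt.Println("signature on original:", verify(pub, msg, sig))
	fmt.Println("signature on forged:", verify(pub, forged, sig))
	_, attackerPriv, _ := newKeyPair()
	fmt.Println("attacker's own signature:", verify(pub, forged, sign(attackerPriv, forged)))
}
```

In practice the sender’s public key is what the recipient must obtain over a trusted path (a certificate, a key pinned at onboarding, or a key exchanged in person); once it has, every later message can be checked without any further out-of-band step, which is exactly what a bare digest cannot offer.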
Version control keeps track of who changed which files, and when, and makes it possible to restore a version from before an incorrect change, whether that change was intentional or not.
In the CIA triad, keeping information consistently available for use is crucial for successful day-to-day business function.
Natural disasters, cyber attacks, and unexpected equipment failures can all halt operations by obstructing access to necessary information.
Natural disasters can physically destroy devices storing important information, meaning the company could lose the data forever if it has not been properly backed up.
A router or server could suddenly stop working in the middle of a regular work day, preventing employees from accessing the information they need to do their work.
Depending on the severity of the event, a business can be without important data for a few hours to a few days.
Regularly backing up information and storing a copy off-site is imperative to keeping information available in such events. Keep at least one copy that an attacker who compromises the network cannot modify or delete, and test restores regularly; a backup that has never been restored is not known to work.
Building in redundancy, such as a standby server or a second network link that can take over during an attack or outage, keeps information available without waiting for a restore.
Regularly updating and patching programs is a great preventative measure that can lessen the likelihood of a successful attack or the probability of a device failing.
CIA Triad: Three legs to stand on
Confidentiality, integrity, availability – three simple principles to create a holistic security plan for clients.
Implementing CIA triad protections on company information helps strengthen a company’s defense against hackers and human error.
Doing so can also save a company the headache and financial distress of dealing with a HIPAA or PCI DSS breach down the road.