
4 Comments


Marinus says: 2012-09-18 at 8:37 am

The problem is that the debate hasn’t progressed. http://telicthoughts.blogspot.com/2009/02/when-one-thinks-of-securing-information.html


Changing your ssh server’s port from the default: Is it worth it? | major.io says: 2013-05-15 at 4:43 am

[...] Before I go any further, let’s settle the “security through obscurity” argument. (This could probably turn into its own post but I’ll be brief for now.) Security should always be applied in layers. This provides multiple levels of protection from initial attacks, like information gathering attempts or casual threats against known vulnerabilities. In addition, these layers of security should be applied within the environment so that breaking into one server after getting a pivot point in the environment should be just as difficult (if not more difficult) than the original attack that created the pivot point. If “security through obscurity” tactics make up one layer of a multi-layered solution, I’d encourage you to obscure your environment as long as it doesn’t affect your availability. [...]


Major Hayden: Changing your ssh server’s port from the default: Is it worth it? | NIXway.com says: 2013-05-17 at 9:35 am

[...] Before I go any further, let’s settle the “security through obscurity” argument. (This could probably turn into its own post but I’ll be brief for now.) Security should always be applied in layers. This provides multiple levels of protection from initial attacks, like information gathering attempts or casual threats against known vulnerabilities. In addition, these layers of security should be applied within the environment so that breaking into one server after getting a pivot point in the environment should be just as difficult (if not more difficult) than the original attack that created the pivot point. If “security through obscurity” tactics make up one layer of a multi-layered solution, I’d encourage you to obscure your environment as long as it doesn’t affect your availability. [...]


CIA (Confidentiality, Integrity, Availability) | Handisonj says: 2013-09-16 at 5:17 pm

[…] http://security.blogoverflow.com/2012/08/confidentiality-integrity-availability-the-three-components… […]



Confidentiality, Integrity, Availability: The three components of the CIA Triad

2012-08-20 by Terry Chia. 4 comments

In this post, I shall be exploring one of the fundamental concepts of security that should be familiar to most security professionals and students: the CIA triad.

What is the CIA triad? No, CIA in this case is not referring to the Central Intelligence Agency. CIA refers to Confidentiality, Integrity and Availability: confidentiality of information, integrity of information and availability of information. Many security measures are designed to protect one or more facets of the CIA triad. I shall be exploring some of them in this post.

Confidentiality

When we talk about confidentiality of information, we are talking about protecting the information from disclosure to unauthorized parties.

Information has value, especially in today’s world. Bank account statements, personal information, credit card numbers, trade secrets, government documents: everyone has information they wish to keep secret. Protecting such information is a major part of information security.

A key component of protecting information confidentiality is encryption. Encryption ensures that only the right people (those who know the key) can read the information. Encryption is very widespread in today’s environment and can be found in almost every major protocol in use. A prominent example is SSL/TLS, a security protocol for communications over the internet that is used in conjunction with a large number of internet protocols to ensure security.

Other ways to ensure information confidentiality include enforcing file permissions and access control lists to restrict access to sensitive information.

Keeping valuable algorithms secret

This is an excellent question on Security.StackExchange that covers how to keep important information confidential. Similar questions can be found here.

Integrity

Integrity of information refers to protecting information from being modified by unauthorized parties. Information only has value if it is correct. Information that has been tampered with could prove costly. For example, if you were sending an online money transfer for $100, but the information was tampered with in such a way that you actually sent $10,000, it could prove to be very costly for you.

As with data confidentiality, cryptography plays a major role in ensuring data integrity. A commonly used method to protect data integrity is to hash the data you receive and compare the result with the hash of the original message. However, this means that the hash of the original data must be provided to you in a secure fashion; a hash that travels over the same untrusted channel as the data can be replaced along with it. A more convenient method is to use an existing scheme such as GPG to digitally sign the data.
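As an added example, not code from the original post, the hash-comparison argument above in Python with the article’s $100 transfer: a plain hash catches tampering only when the expected hash arrived over a trusted channel, while a keyed tag catches it even when tag and data share the untrusted channel. The HMAC tag stands in for the GPG signature the post mentions (the Python standard library has no OpenPGP), and the transfer messages and account string are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample messages (not taken from the original post): the $100
# transfer from the article and the tampered $10,000 version of it.
ORIGINAL = b"transfer amount=100 currency=USD to=ACCT-7781"
TAMPERED = b"transfer amount=10000 currency=USD to=ACCT-7781"


def digest(data: bytes) -> str:
    """Unkeyed SHA-256 hex digest, the kind of hash a vendor publishes beside a download."""
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, expected_hex: str) -> bool:
    """Compare the hash of what we received with the hash we were given.

    compare_digest runs in constant time, so the comparison itself leaks nothing.
    """
    return hmac.compare_digest(digest(data), expected_hex)


def make_tag(key: bytes, data: bytes) -> str:
    """Keyed tag (HMAC-SHA256), standing in for the GPG signature the post mentions:
    anyone can recompute a plain hash, but only a key holder can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(make_tag(key, data), tag_hex)


def scenario_trusted_hash() -> bool:
    """Case 1: the hash arrives over a trusted channel (e.g. read off the vendor's
    HTTPS page) and only the data travels over the untrusted one. Tampering is caught."""
    published = digest(ORIGINAL)             # obtained securely, out of band
    return verify_hash(TAMPERED, published)  # False: modification detected


def scenario_untrusted_hash() -> bool:
    """Case 2: data and hash travel together over the same untrusted channel.
    Whoever can rewrite the data can recompute and rewrite the hash, so the
    check passes and the modification goes unnoticed. This is the weakness the
    post's 'must be provided to you in a secure fashion' caveat points at."""
    data, published = TAMPERED, digest(TAMPERED)  # both swapped in transit
    return verify_hash(data, published)           # True: check is fooled


def scenario_keyed_tag():
    """Case 3: a keyed tag travels with the data over the untrusted channel.
    Swapping the data invalidates the tag, and producing a fresh valid tag for
    the altered data requires the key, which the channel does not carry."""
    # Secret shared with the sender in advance (a signature scheme such as GPG
    # would use a key pair instead, so only the public half needs distributing).
    key = secrets.token_bytes(32)
    tag = make_tag(key, ORIGINAL)
    genuine_ok = verify_tag(key, ORIGINAL, tag)  # True
    swapped_ok = verify_tag(key, TAMPERED, tag)  # False: tag no longer matches
    return genuine_ok, swapped_ok


if __name__ == "__main__":
    print("trusted hash catches tamper:  ", not scenario_trusted_hash())
    print("untrusted hash catches tamper:", not scenario_untrusted_hash())
    print("keyed tag (genuine, swapped): ", scenario_keyed_tag())
```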

Why aren’t application downloads routinely done over HTTPS?

This is a question regarding data integrity, with several suggestions on how to protect it. You can find more questions with the integrity tag here.

Availability

Availability of information refers to ensuring that authorized parties are able to access the information when needed.

Information only has value if the right people can access it at the right times. Denying access to information has become a very common attack nowadays. Almost every week you can find news about high profile websites being taken down by DDoS attacks. The primary aim of a DDoS attack is to deny the website’s users access to its resources. Such downtime can be very costly. Other factors that could lead to a lack of availability of important information include accidents such as power outages or natural disasters such as floods.

How does one ensure data availability? Backup is key. Regularly making off-site backups can limit the damage caused by hard drive failures or natural disasters. For information services that are highly critical, redundancy might be appropriate. Having an off-site location ready to restore services in case anything happens to your primary data centers will heavily reduce the downtime should anything happen.

Conclusion

The CIA triad is a fundamental concept in security. Often, ensuring that the three facets of the CIA triad are protected is an important step in designing any secure system. However, it has been suggested that the CIA triad is not enough. Alternative models such as the Parkerian hexad (Confidentiality, Possession or Control, Integrity, Authenticity, Availability and Utility) have been proposed. Other factors besides the three facets of the CIA triad are also very important in certain scenarios, such as non-repudiation. There have been debates over the pros and cons of such alternative models, but that is a post for another time.

Thank you for reading.

Filed under Business

Tagged: availability, confidentiality, integrity


This is a community blog for IT Security Stack Exchange. More community blogs are available at Blog Overflow.


Stack Exchange © 2014. CC-Wiki

