Overview of the lesson
Confidentiality, Integrity, and Availability are the cornerstones of Information Security. These principles are so fundamental that anytime a cybersecurity incident occurs, one of these principles has been compromised.
What you'll learn
Every action that you perform on the Web — whether it’s placing an online order, checking your bank account, or signing up for a new social media platform — generates data. That data needs to be stored somewhere, and it must be not only stored but also secured. This may sound easy, but in fact companies struggle to offer high-quality online services while keeping data secure and handling it ethically. This lesson aims to explain the basic requirements that make information or a system secure. Let’s get started.
Prerequisites: You should know what security is and be familiar with common security jargon.
Objective: To get a comprehensive understanding of the fundamental principles of information security and why they are important.
TL;DR:
Over time, computer engineers defined a set of three fundamental principles of information security: Confidentiality, Integrity, and Availability. These principles describe the core threat areas for information systems and provide the mandatory requirements for a system to be considered secure. Together, they are known as the “CIA Triad”.
This framework is so comprehensive that anytime a data breach is announced, a system is attacked, a website is taken down, or any other security incident occurs, one or more of these information security principles has, without exception, been violated.
In the previous lesson, we introduced the concept of a vulnerability. Now we can extend that definition and say that a vulnerability is a violation of the CIA Triad. We also talked about risk. Security professionals evaluate the risk of a vulnerability based on its impact on these three principles: Confidentiality, Integrity, and Availability. The more principles a vulnerability affects, the more dangerous it becomes.
In the next section, we will discuss each security principle and then explore several real-world applications of the CIA Triad. Let’s start with Confidentiality.
Since ancient times, people have understood that information is power, but only if it is kept private. The first principle of information security, called confidentiality, says that information that should stay secret does stay secret: only authorised people are able to access it. Given the nature of the information collected and handled by most companies nowadays, confidentiality is a very important aspect. Moreover, some organisations working in finance, healthcare, or e-commerce are obliged by law to protect the privacy of customers’ data.
The two mechanisms that allow us to keep information confidential are access controls (an access control is a security mechanism that controls access to systems and resources) and cryptography; these concepts are discussed in depth in the next lessons.
The second principle, called Integrity, is concerned with the correctness, completeness, and trustworthiness of the information. Simply put, this principle says that information must be protected from unauthorised change, whether by human error or intentional tampering. User data travels across many systems while being processed, so ensuring the integrity of the information both in transit and at rest is a crucial step from a security point of view. In most cases, attacks targeting integrity are hard to detect and can cause significant damage. As Mike Gault, the founder of Guardtime, says: “A confidentiality breach in your car means someone learns your driving habits. An integrity breach means they could take over your brakes.”
The third, but not least important, principle of information security is availability. For information to be secure, it must first be available to users when they need it. After all, how useful are encryption and access controls if the server is shut down?
A system that is not fault-tolerant may allow an attacker to prevent legitimate users from accessing their data through a Denial-of-Service (DoS) attack. However, intentional interruption is not the only concern when we talk about availability. Natural disasters or human errors (e.g., servers destroyed by a fire, earthquake, or flood, or incorrect handling of data by an employee) can also affect data availability.
So, for a system to be considered secure, it must meet all three fundamental attributes of information security. Let’s quickly recap their definitions: confidentiality means that information is accessible only to authorised people; integrity means that information is correct, complete, and protected from unauthorised change; availability means that information is accessible to legitimate users when they need it.
I know — all these new concepts may sound a bit too academic, so let’s take a simple example to illustrate the principles.
When you send data over the Internet (e.g., a message to a friend from a different country), it doesn’t go straight to your friend’s computer since you are miles away from him. Instead, your message travels across multiple other systems before reaching its destination, as illustrated in Figure 2.
This is quite similar to kids passing notes during class, isn’t it? So let’s suppose Tom, a sixth-grade student, wants to send a secret note to his classmate, Alice. Unfortunately, Tom is too far away to deliver the message himself, so he needs to pass it to Mike, who is closer to Alice. Next, Mike passes the note to someone else, and so on, until the note reaches Alice.
From an information security perspective, this scenario violates all three principles described above. First, any of Tom’s colleagues along the path can read the message. Thus, the information is no longer confidential.
Second, any of Tom’s colleagues along the path can alter the content of the message. Thus, the information loses its integrity.
Last, any of Tom’s colleagues along the path can destroy the note, resulting in loss of availability.
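The note-passing relay above, as an added Python example that is not part of the lesson: each kind of dishonest classmate is mapped to the principle it violates, and Alice's side applies the mechanisms the lesson only names (cryptography for confidentiality and integrity, a redundant path for availability). The note, the one-time pad, and the MAC key are constructed, and the pad and key are assumed to have been shared between Tom and Alice beforehand.

```python
import hmac
import hashlib
import secrets
# Constructed scenario (added example, not from the lesson): Tom's note to Alice is relayed
# hop by hop through classmates, who may read, alter, or destroy it. The one-time pad and
# MAC key are assumed to have been shared between Tom and Alice beforehand.
NOTE = b"Meet me after class"
PAD = secrets.token_bytes(len(NOTE))      # one-time pad, exactly as long as the note
MAC_KEY = secrets.token_bytes(32)

def protect(note: bytes, pad: bytes, mac_key: bytes) -> bytes:
    """Tom: one-time-pad encryption for confidentiality, HMAC-SHA256 tag for integrity."""
    ciphertext = bytes(n ^ p for n, p in zip(note, pad))
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def receive(packet, pad: bytes, mac_key: bytes) -> dict:
    """Alice: report which principle, if any, was violated along the path."""
    if packet is None:
        return {"status": "lost"}                   # availability violated
    ciphertext, tag = packet[:-32], packet[-32:]    # 32-byte SHA-256 tag at the end
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return {"status": "tampered"}               # integrity violated, caught by the MAC
    return {"status": "ok", "note": bytes(c ^ p for c, p in zip(ciphertext, pad))}

# Classmates: each hop receives the packet and returns what it hands on (None = destroyed).
def honest(packet): return packet
def tamper(packet): return bytes([packet[0] ^ 0x01]) + packet[1:]   # flip one bit
def destroy(packet): return None
class Eavesdropper:
    def __init__(self): self.seen = b""             # copy of everything that passed through
    def __call__(self, packet):
        self.seen += packet                         # sees only ciphertext and tag
        return packet

def relay(packet, hops):
    for hop in hops:
        if packet is None:
            break                                   # a destroyed note never reaches Alice
        packet = hop(packet)
    return packet

def send_redundant(note, paths, pad, mac_key) -> dict:
    """Availability countermeasure: send over independent paths, accept the first intact copy."""
    for hops in paths:
        result = receive(relay(protect(note, pad, mac_key), hops), pad, mac_key)
        if result["status"] == "ok":
            return result
    return {"status": "lost"}
```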
Many times, people ask us: “Hey, I found this file or this endpoint, or I got this error. Do you think it’s a vulnerability? Should I report it?” Well, when this question comes from a beginner, it’s understandable — it takes a while to understand how things work. But sadly, not all of these people are beginners. Some of them have several years of experience and still cannot differentiate intended behaviour from a vulnerability. Why?
Because they skipped the basics. This lesson is perhaps the most important so far, as we literally discussed the anatomy of a vulnerability, or in other words, what makes an application vulnerable. Without a strong understanding of these three principles, you will near-miss tons of vulnerabilities that are not so obvious.