CIA Triad

Gregorius Aprisunnea
4 min read · Jun 21, 2019

Hello there,

Welcome, this is my first post on medium. To begin, I am a computer science student and still learning (Please correct me if there’s anything wrong and hope my article can be useful).

First of all, in cyber security we know the term C-I-A, which stands for Confidentiality-Integrity-Availability. I’ve read some articles, watched videos and did a bit of research, and found that this might be a strong basis for starting my journey in cyber security. I’d like to share some of it and I hope this piques your interest.

Now for the first term, Confidentiality. I found that this term is often used when you are dealing with privacy. Imagine you are using an application that stores your name, address, phone number, birth certificate, health record, etc. Then that application sells that data to some bad guys. In this case, the application is intentionally giving away our private data. We might need to read the policy and find out whether our data is used as intended or not. From another perspective, you can imagine an application like the one above, but they don’t sell our data. However, the app implements a login feature that is vulnerable to some attacks, let’s say for example broken authentication (you might want to look it up on Google). When the bad guys log in to your account, they might be able to see all that private information. In this case it is unintentional, and it might be dangerous if some bad guys find this security hole.

Next is Integrity. I found that the term integrity refers to how we can be sure that something is true as it is, trusted and correct. Imagine you are reading news from an online application and the news is all hoaxes, or you are learning at your campus and the lecturer teaches you something wrong but insists that he is correct. In my case, I might stop reading news from that app, or I’ll dislike the lecturer’s class. I think it is the same way in a security system. You might want to keep the integrity of your system so that users keep trusting us and keep using our service with ease. From another perspective, let’s say we are on a local area network at a small business and you are in the Financial division. You need to transfer an annual report to the manager. Let’s say a bad guy is intercepting the process of sending the report to the manager and finds that it is unencrypted (you might want to google it) and can be tampered with easily. The bad guy then changes some crucial information, like changing the annual income to 50% of the original value. This is a problem since there is no integrity in the data. This is a really made-up example, but I think it demonstrates the meaning of integrity (data integrity in this example).
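As an added example (not from the original post), here is one way the manager could detect the tampering described above: the sender attaches a message authentication code (HMAC) computed over the report with a secret that only the two of them share. The report contents, field names and key are made up for the demo; note that encryption alone does not give integrity, the tag is what lets the receiver notice a changed value.

```python
import hashlib
import hmac
import json

# Constructed placeholder secret shared by the Financial division and the manager.
# Without this key, an attacker cannot produce a valid tag for a modified report.
SHARED_KEY = b"example-shared-secret-not-for-production"


def canonical(report: dict) -> bytes:
    # Deterministic serialisation so sender and receiver hash identical bytes.
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_report(report: dict, key: bytes = SHARED_KEY) -> str:
    # Tag sent alongside the report.
    return hmac.new(key, canonical(report), hashlib.sha256).hexdigest()


def verify_report(report: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    # Recompute the tag over what was received and compare in constant time.
    return hmac.compare_digest(sign_report(report, key), tag)


def demo() -> tuple[bool, bool]:
    # Constructed report from the post's scenario.
    original = {"year": 2018, "department": "Finance", "annual_income": 1_000_000}
    tag = sign_report(original)
    # The interceptor halves the income but cannot recompute the tag.
    tampered = dict(original, annual_income=original["annual_income"] // 2)
    return verify_report(original, tag), verify_report(tampered, tag)


if __name__ == "__main__":
    print(demo())  # (True, False): original verifies, tampered copy is rejected
```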

The last is Availability. Imagine that we have an application we love; it is secure, useful and amazing in all aspects, but it is inaccessible every once in a while because the server is down. This can be really annoying when you need the app all the time. Availability is one of the main aspects we need in order to keep the service we offer working and accessible. Imagine if a company as big as Facebook went down for a day; I think a lot of $$ would fly away from their side. One example of an attack is a DoS attack (you might want to search Google for: Denial of Service). With this kind of attack, the bad guys can take all the resources your service has and make it laggy or break it by requesting far more than your service can handle. One way to stay secure is by implementing a DoS protection appliance in the firewall.

Talking about security holes, I found that we can assess our security system based on this CIA triad to understand our system better and thus minimize the flaws. Assessing is like a series of brainstorming sessions: mapping all the problems that might occur and prioritizing what’s critical and what’s less critical. Here is a really simple example:

(Figure: An unrealistic example of assessing the possible ‘threats’)

Other than C-I-A, I found we can add other related things to our C-I-A triad, like Fraud and Accountability. Fraud protection is about protecting your service so that no bad guy spreads or uses our service in a way that might cost us company reputation, user loyalty, etc. The term is really broad and I think googling is the best way to understand it. As for accountability, you might want to make sure that a “non-repudiation” mechanism is implemented. Non-repudiation is put in place so that no one can deny that they have done something in our system (for example: an activity log).

I think that’s it about the CIA triad. Thanks for reading, I hope you found this interesting. Please correct me if I am wrong, since I am learning too at the moment. :)
