Step five of building cybersecurity: Implementing the CIA triad to combat risks

Part 7 of Cybera’s Introduction to Cybersecurity series

Confidentiality, integrity and availability — also known as the CIA or AIC triad — is a model designed to guide policies and actions to build information security within an organization.

Confidentiality

The National Institute of Standard and Technology (NIST) defines confidentiality as: 

“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.”

There are three major steps to ensuring unauthorized parties do not have access to your organization’s information:

1. The information must have protections in place to prevent some users from accessing it.
2. These access limitations must ensure that only those who have authorization can view the information.
3. An authentication system must be in place to verify the identity of those with access to the information.

Authentication and authorization, defined by NIST below, are both vital to maintain confidentiality. 

• Authentication – “Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.”
• Authorization – “The right or a permission that is granted to a system entity to access a system resource.”

However, the concept of confidentiality primarily focuses on concealing or protecting that information.

One way to protect information is to store it in a private location or on a private network that is limited to those who have legitimate access to it. If a system must transmit the data over a public network, the organization should use a key that only authorized parties have access to, in order to encrypt the data.

Confidentiality of digital information also requires controls outside of the digital space. Shoulder surfing (the practice of looking over a person’s shoulder) is a non-technical way for an attacker to gather confidential information. Physical threats, such as the simple theft of electronic devices, also threaten confidentiality.

The consequences of a breach of confidentiality vary depending on the sensitivity of the protected data. A breach in credit card numbers, as in the case of the Heartland Payment Systems processing system in 2008, could result in lawsuits with payout well into the millions of dollars.

Integrity

In the information security realm, integrity normally refers to data integrity, or ensuring that stored data are accurate and contain no unauthorized modifications. 

In the context of information systems, the National Information Assurance Partnership defines integrity as:

“[The] quality of an Information System (IS) reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data.
Note that in a formal security mode, integrity is interpreted more narrowly to mean protection against unauthorized modification or destruction of information.”

This principle — which relies on authentication, authorization and non-repudiation as the keys to maintaining integrity — essentially boils down to preventing those without authorization from modifying your data. By bypassing an authentication system or escalating privileges beyond those normally granted to them, an attacker can threaten the integrity of data.

Software flaws and vulnerabilities can also lead to accidental losses in data integrity, and can open a system to unauthorized modification.

Programs typically control when a user has read-to-write access to particular data, but a software vulnerability might make it possible to circumvent that control. For example, an attacker can exploit a Structured Query Language (SQL) injection vulnerability to extract, alter, or add information to a database. 

Disrupting the integrity of data at rest (i.e. data collected in a single place, such as on a file server, a workstation, USB stick, or in the cloud), or in transit, can have serious consequences.

Data at rest tends to have a logical structure that betrays its contents and value, i.e. credit card information, bank account numbers, personally identifiable information, and non-public information. Compared to data moving across a network (ie: data in transit), data at rest can represent an easier target for hackers and threat actors

Regardless of if your data is at rest or in transit, ensuring the integrity of that data is vital to any secure system. For example if it were possible to modify a funds transfer message passing between a user and their online banking website, an attacker could use that privilege to steal the transferred funds by altering the account number of the recipient. 

Availability

Information systems must be online and accessible to users (at all times) for them to provide any value. 

Attacks on availability are somewhat different from those on integrity and confidentiality. The best-known examples of such attacks are Denial of Service/Distributed Denial of Service (DoS/DDoS) attacks. A DoS can come in many forms, but typically disrupts a system in a way that prevents legitimate users from accessing it.

One form of DoS is resource exhaustion, whereby an attacker overloads a system (memory, CPU time, network bandwidth, etc) to the point that it no longer responds to legitimate requests. For example, an attacker can send so much traffic to the target system, it saturates the network and no legitimate request can get through.

Building up from the CIA triad

Understanding the components of the CIA triad and how to protect these core principles is important for any cybersecurity program. 

Each component acts as a pillar holding up the security of an organization. If any one is successfully attacked, companies can be breached. Authentication, authorization and non-repudiation are tools that can be used to protect these pillars, and understanding their importance and how they interact and depend on each other is necessary to maintain the strength of your organizations cybersecurity.

Where to find more information

We highly recommend reading up on the NIST cybersecurity guides, to find some useful frameworks and getting-started tips.

If you’re a public-sector organization in Alberta, you’re also welcome to reach out to us for some resources or advice. Cybera is Alberta’s research and education network facilitator, responsible for driving connections, collaborations and skills growth through the use of digital technology.

Cybera offers member driven cybersecurity services, and you can find more information about our security offerings for the public and academic sectors at cybera.ca/security/.

Cybera’s Introduction to Cybersecurity Series

• Introduction
• What is cybersecurity?
• Step one of building cybersecurity: What do you know? 
• Step two of building cybersecurity: What threats do you face?
• Step three of building cybersecurity: Threat vs Attacks
• Step four of building cybersecurity: Identifying your risks
• Step five of building cybersecurity: Implementing the CIA triad to combat risks

Engage with us in cybersecurity discussions

Are there particular cybersecurity topics you’d like to chat with us about, or have us organize a community discussion about? Let us know via security@cybera.ca.