Overview
Lecture 6 focuses on the foundational principles of cybersecurity encapsulated by the CIA triad: Confidentiality, Integrity, and Availability. These principles are the cornerstone of cybersecurity strategies and measures. This article provides a detailed explanation of these concepts, discusses criticisms of the CIA triad, and introduces related concepts. Additionally, it recommends further reading to deepen your understanding.
Key Concepts
1. CIA Triad
- Confidentiality: Ensuring that information is accessible only to those authorized to have access.
- Integrity: Safeguarding the accuracy and completeness of information and processing methods.
- Availability: Ensuring that authorized users have access to information and associated assets when required.
Detailed Breakdown
1. Confidentiality
Confidentiality involves preventing unauthorized disclosure of information. This means ensuring that sensitive information is not accessed by anyone who does not have the necessary permissions.
- Example: Encryption is a common method used to maintain confidentiality. By encrypting data, even if it is intercepted, it cannot be read without the decryption key.
2. Integrity
Integrity involves preventing unauthorized modification of data. This ensures that information remains accurate and reliable, and is not altered by unauthorized individuals.
- Example: Checksums and cryptographic hash functions are often used to verify the integrity of data. Any changes to the data will result in a different checksum/hash, indicating a potential integrity issue.
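The following Python example is added here to illustrate the checksum point above; it is not from the lecture or from the referenced book. It computes a SHA-256 checksum over a constructed sample record and shows that any change produces a different digest. It also shows the caveat a practitioner cares about: an unkeyed checksum only detects accidental corruption, because whoever alters the data can recompute the checksum too, so integrity against a deliberate modification needs a keyed tag (HMAC) whose key the verifier holds. The record contents and the key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not from the lecture): data whose integrity we protect.
ORIGINAL = b"transfer 100.00 from ACC-123 to ACC-456"
TAMPERED = b"transfer 900.00 from ACC-123 to ACC-456"


def sha256_hex(data: bytes) -> str:
    """Unkeyed checksum: detects accidental corruption or transmission errors."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected_hex: str) -> bool:
    """Recompute the digest and compare it in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed tag (HMAC-SHA256): only a holder of `key` can produce a valid tag,
    so someone who alters the data cannot simply recompute a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag_hex: str) -> bool:
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(hmac_tag(key, data), tag_hex)


def demo() -> dict:
    """Run both checks against the original and the tampered record."""
    key = secrets.token_bytes(32)  # constructed shared secret between sender and verifier
    digest = sha256_hex(ORIGINAL)
    tag = hmac_tag(key, ORIGINAL)
    return {
        "checksum_ok": verify_checksum(ORIGINAL, digest),
        "checksum_detects_tamper": not verify_checksum(TAMPERED, digest),
        # Whoever modified the data can also replace the unkeyed checksum...
        "forged_checksum_passes": verify_checksum(TAMPERED, sha256_hex(TAMPERED)),
        # ...but cannot produce a valid keyed tag without the key.
        "hmac_ok": verify_hmac(key, ORIGINAL, tag),
        "hmac_detects_tamper": not verify_hmac(key, TAMPERED, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Every value returned by `demo()` is `True`: the plain checksum catches the changed amount only as long as the stored digest itself is trusted, while the HMAC catches it regardless of what the modifier writes alongside the data.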
3. Availability
Availability ensures that information and resources are accessible to authorized users when needed. This involves protecting against disruptions that could prevent access to data or systems.
- Example: Redundant systems and regular backups help ensure that services remain available even in the event of a hardware failure or cyber attack.
Criticisms of the CIA Triad
1. Accountability
- Definition: The ability to hold individuals responsible for their actions in relation to information assets.
- Discussion: Some argue that accountability is not explicitly covered by the CIA triad. Accountability involves logging and monitoring user activities to ensure that actions can be traced back to responsible parties.
2. Non-repudiation
- Definition: Providing robust evidence that a particular event or action took place, such that the involved parties cannot deny it.
- Discussion: Non-repudiation ensures that actions cannot be denied by the user who performed them. This is crucial in legal and forensic contexts.
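The Python example below is added to illustrate the logging side of accountability discussed above; it is not part of the lecture. It keeps a small audit log in which each entry records who did what and carries the hash of the previous entry, so that altering, reordering or deleting any entry breaks the chain and the verifier reports the first bad position. The actors and actions are constructed sample data. One caveat worth stating: a hash chain makes the log tamper-evident, which supports accountability, but it does not by itself give non-repudiation, because the party operating the log could rebuild the whole chain; that needs each entry signed with the actor's own private key, or the chain head published somewhere the operator cannot change.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # anchor value standing in for the hash of "no previous entry"


@dataclass
class AuditEntry:
    seq: int
    actor: str
    action: str
    prev_hash: str
    entry_hash: str


def _digest(seq: int, actor: str, action: str, prev_hash: str) -> str:
    # Canonical JSON so that the same fields always hash to the same value.
    payload = json.dumps([seq, actor, action, prev_hash], separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[AuditEntry] = []

    def append(self, actor: str, action: str) -> AuditEntry:
        """Append an entry whose hash covers its own fields and the previous hash."""
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        entry = AuditEntry(seq, actor, action, prev, _digest(seq, actor, action, prev))
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int]:
        """Walk the chain; return (True, -1) if intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            recomputed = _digest(e.seq, e.actor, e.action, e.prev_hash)
            if e.seq != i or e.prev_hash != prev or e.entry_hash != recomputed:
                return False, i
            prev = e.entry_hash
        return True, -1

    def who_did(self, action: str) -> list[str]:
        """Trace an action back to the actor(s) recorded for it."""
        return [e.actor for e in self.entries if e.action == action]


def build_sample_log() -> AuditLog:
    """Constructed sample activity (not real data)."""
    log = AuditLog()
    log.append("alice", "read:payroll.xlsx")
    log.append("bob", "delete:payroll.xlsx")
    log.append("alice", "logout")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify(), "deleted by:", log.who_did("delete:payroll.xlsx"))
    log.entries[1].actor = "mallory"  # someone rewrites history
    print("after edit:", log.verify())
```

Rewriting the actor on entry 1 makes `verify()` return `(False, 1)`; removing entry 1 outright is also reported at position 1, because the next entry still points at the hash of the entry that was removed.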
Related Concepts
1. System Functionality vs. Security Requirement
Some aspects, like accountability, might be considered more as system functionality than as pure security requirements. However, ensuring that these functions can be relied upon still comes back to the CIA triad: an audit trail is only useful if it is kept complete, unaltered, and available when it is needed.
2. Natural Disasters and Accidents
While natural disasters and accidents do not involve malicious intent, they can produce outcomes similar to those of cyber attacks, such as data loss or service disruption.
- Example: Data backup and disaster recovery plans are critical to address both natural disasters and cyber threats.
Book References for Further Reading
1. “Information Security Management Principles” by Andy Taylor, David Alexander, Amanda Finch, and David Sutton
This book provides a comprehensive introduction to the principles of information security, including detailed discussions on the CIA triad.