Chris Ebube Roland

Originally published at code.pieces.app

CIA in cybersecurity

Introduction to CIA triad model

Confidentiality, Integrity and Availability, together known as the CIA triad, is a model used to guide and evaluate an organization's information security policies. It is sometimes called the AIC triad to avoid confusion with the Central Intelligence Agency.
In this model, confidentiality covers the restrictions that ensure an organization's data is accessible only to authorized individuals; integrity is the guarantee that information is accurate and trustworthy and cannot be altered in an unauthorized manner; and availability is reliable access to the information by authorized individuals when they need it. These three principles are often called the pillars of cybersecurity.

Background and history of CIA triad

Information security, let alone cybersecurity, did not exist as a discipline in the 1950s or even the 1960s. Security then meant physically guarding expensive machines and limiting who could use them, and the main concern was the reliability of the computers themselves. The triad took shape gradually: the concept of confidentiality is usually traced back to a 1976 U.S. Air Force study.
As hardware and software matured through the 1970s, the focus shifted from computer security to information security.
During this period, with ARPANET still in its early years, the U.S. Department of Defense commissioned a study that the RAND Corporation published as Security Controls for Computer Systems. It catalogued many potential threats and the security measures needed at the time, and it came to be known as the Ware Report.
In the 1980s attention moved beyond confidentiality to commercial concerns such as cost and business risk, and integrity became a vital concept for banks and businesses that needed to stop their data being tampered with by unauthorized parties. In 1988 the Morris worm caused what is often described as the first denial-of-service (DoS) incident on the Internet, and availability came to be recognized as an essential aspect of information security.
By 1998 the three concepts were commonly seen together as the CIA triad.

Elements in the CIA triad model

  • Confidentiality: This is essentially privacy: the ability to protect data from those not authorized to view it, so that sensitive information cannot be accessed illegitimately. A good example is the customer data held by an e-commerce store. Credit card details, contact information, shipping addresses and other information about registered users must be secured against unauthorized access and exposure. Confidentiality can be violated in many ways, including direct attacks, human error and electronic eavesdropping.

  • Integrity: This concerns the consistency, accuracy and trustworthiness of data over its entire lifecycle. Data must not be altered in transit or while it is being processed, and steps have to be taken not only to prevent unauthorized changes but also to detect and reverse them when they do occur. For instance, if an attacker alters the results of a medical test in a patient's record, there is every likelihood that the doctor will prescribe the wrong treatment, with a direct effect on the patient's health.

  • Availability: This is the ability to ensure that information is consistently accessible when needed by authorized parties. It involves proper maintenance of the hardware and technical infrastructure of the systems that store and serve the information. Issues that can make information unavailable include power outages, operating system or application faults, storage failures, natural disasters and human error. A denial-of-service (DoS) attack is the most common attack that directly targets availability.

Confidentiality, Integrity and Availability

Cases and instances where the CIA triad is used

  • Confidentiality: A typical control is authenticating a user before showing any account data, for example requiring an account number or routing number when banking online. Data encryption is another common method of ensuring confidentiality. User IDs and passwords are the standard procedure, and two-factor authentication (2FA) is becoming the norm. Other options include biometric verification and security tokens, whether hardware key fobs or soft tokens.

  • Integrity: Controls include file permissions and user access controls. Version control can stop erroneous changes or accidental deletion by authorized users from becoming a problem, because earlier versions can be restored. Data can carry checksums, including cryptographic checksums, for verifying integrity; note that a plain checksum only detects accidental corruption, since an attacker who can change the data can recompute the checksum as well, so a keyed MAC or a digital signature is needed against deliberate tampering. Digital signatures also provide nonrepudiation, so that an individual cannot deny having performed an action such as sending a message or signing an electronic document.

  • Availability: Network, server, application and service redundancy keep information available. Hardware fault tolerance in servers and storage, DoS protection, system upgrades, regular software patching, comprehensive disaster recovery plans, backups and similar measures all serve the availability principle of the CIA triad.
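The checksum and keyed-MAC controls from the integrity item above, as an added example that is not code from the original post. It contrasts an unkeyed SHA-256 checksum with an HMAC-SHA256 tag on the altered-lab-result scenario from the integrity section; the record, the key and the function names are constructed for illustration and stand in for whatever storage format a real system would use.

```python
"""Integrity controls: unkeyed checksum versus keyed MAC (HMAC-SHA256).

Standard library only. Shows that a checksum catches accidental corruption
but not a deliberate attacker, and that a keyed MAC catches both.
"""
import hashlib
import hmac
import secrets


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 checksum: anyone can recompute it, so it only
    detects accidental corruption, never deliberate changes."""
    return hashlib.sha256(data).hexdigest()


def mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of `key` can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, stored_sum: str, stored_mac: str) -> dict:
    """Check a record against both stored values.
    compare_digest avoids leaking the match position through timing."""
    return {
        "checksum": hmac.compare_digest(checksum(data), stored_sum),
        "mac": hmac.compare_digest(mac(key, data), stored_mac),
    }


# Constructed sample record (hypothetical, not real patient data), modelled on
# the altered-lab-result scenario in the integrity section.
RECORD = b'{"patient_id": 1042, "test": "HbA1c", "result": 5.4}'

# Key shared by the lab that writes the record and the clinic that reads it.
# It must not be stored next to the record, or the attacker can re-tag too.
KEY = secrets.token_bytes(32)


def attacker_tampers(record: bytes) -> tuple:
    """Deliberate tampering: the attacker edits the result and, because the
    checksum needs no secret, recomputes it so the checksum still matches."""
    forged = record.replace(b"5.4", b"9.8")
    return forged, checksum(forged)


def scenario() -> dict:
    """Run three cases: intact record, one flipped bit, deliberate forgery."""
    stored_sum = checksum(RECORD)
    stored_mac = mac(KEY, RECORD)

    # Accidental corruption: a single bit flipped on disk or in transit.
    corrupted = bytearray(RECORD)
    corrupted[0] ^= 0x01
    corrupted = bytes(corrupted)

    # Deliberate tampering: the attacker replaces the stored checksum as well,
    # but cannot produce a matching MAC without KEY.
    forged, forged_sum = attacker_tampers(RECORD)

    return {
        "intact": verify(KEY, RECORD, stored_sum, stored_mac),
        "bit_flip": verify(KEY, corrupted, stored_sum, stored_mac),
        "forged": verify(KEY, forged, forged_sum, stored_mac),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:9s} checksum_ok={result['checksum']!s:5s} mac_ok={result['mac']}")
```

In the "forged" case the checksum still verifies while the MAC fails, which is the gap a checksum-only scheme leaves open. An HMAC proves the data came from someone holding the shared key, which both the lab and the clinic have, so it gives integrity but not the nonrepudiation mentioned above; for that, replace the HMAC with a digital signature made with a private key that only the originator holds.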

Importance of the CIA triad

The CIA triad is the guiding principle for building security programs in organizations and plays a crucial role in keeping information safe against cyberthreats. When information theft or a security breach occurs, it usually means the organization failed to implement one or more of the three principles. Beyond the harm to the users whose data is compromised, such a breach can also put the organization in violation of the GDPR (General Data Protection Regulation).
However, depending on the organization's security priorities, its industry's regulatory requirements, or the nature of its business, one of the principles may take priority over the others.
For instance, in government agencies or financial institutions integrity may take priority over confidentiality and availability, while availability of information is critical in the e-commerce and healthcare sectors. Prioritizing one principle usually involves a trade-off against the others, but in every case organizations have to apply the security controls described above to strengthen their cybersecurity posture.

Challenges faced by the CIA triad

Internet of things security

This is a huge challenge because the number of internet-enabled devices on the market grows every year. The Internet of Things (IoT) allows physical objects, or "things", to collect and exchange information, and it is prone to security risks: many of these devices run software that is easy to compromise and ship with weak default passwords. Even when a device does not itself transmit sensitive information, it creates a new entry point through which an attacker can reach the rest of a business or home network. An unprotected IoT device can be used as a separate attack vector or recruited into a thingbot, a botnet built from compromised things.

Internet of things privacy

Almost any physical or logical entity that can be given a unique identifier and can communicate autonomously over the internet or a similar network is exposed to attacks that can reach information you would want to keep private. IoT devices are usually built around low-power, low-memory processors that limit how fast they can process data, which works against efforts to maintain confidentiality and integrity (strong encryption and signature verification cost CPU time and memory). Digital signatures backed by a public key infrastructure can help to mitigate these risks in IoT systems.

Big data

This poses a big problem for the CIA paradigm because of the ever-increasing amount of data that needs to be protected. As technology advances, more devices add to the growing volume of data in many different formats. And because the main purpose of handling big data is often simply to collect and interpret it, responsible data oversight is often lacking. The issue was brought into public view when whistleblower Edward Snowden reported on the National Security Agency's collection of massive volumes of American citizens' personal data.

Best practices for implementing the CIA triad

CIA triad in cybersecurity

The main entry point for cyber threats is the organization's network connection to the internet. Inbound traffic can carry malware and social engineering schemes, while outbound traffic that is not properly controlled can lead users to insecure websites and expose the organization to attack.
Protecting an organization's network and all connected devices with network security solutions is therefore a prerequisite for achieving the CIA triad.

Monitoring software paired with hardware firewalls lets the people in an organization stay secure online regardless of who they are communicating with, when, or whether the interaction happens in the cloud. Ongoing monitoring, testing and reporting, ideally in a single network protection solution, is unavoidable nowadays to ensure the integrity of data and the overall security of the business.

CIA triad in ISO 27001

ISO 27001 is the international standard for information security management systems, and it helps organizations keep their information assets secure. The CIA triad is an integral principle of ISO 27001, and other security frameworks (such as SOC 2 and PCI DSS) are also built around the CIA principles. ISO 27001 covers a risk assessment process, organizational structure, access control mechanisms, information security policies and procedures, and monitoring and reporting guidelines.

During risk assessment and when designing access controls, organizations evaluate the risks, threats and vulnerabilities that could compromise the confidentiality, integrity or availability of their systems and data. By implementing security controls to mitigate those risks, they satisfy one or more of the CIA triad's principles.

Conclusion

Overview of lesson

When an organization maps out a security program, the CIA triad serves as a useful yardstick that justifies each security control under consideration, since every security measure leads back to one or more of the three principles. For management, applying the triad means developing mechanisms and processes that prioritize the security of customer information. It also requires regular monitoring and updating of the relevant information systems, in order to minimize security vulnerabilities and strengthen the capabilities that support each of the CIA components.
