CIA Triad!
You may picture a man in a black suit solving crimes and chasing criminals; we are not talking about that. While people outside the cyber security community might hear the phrase CIA Triad and think "conspiracy theory," those in the cybersecurity field know that the CIA Triad has nothing to do with the Central Intelligence Agency. Instead, the CIA triad has everything to do with keeping data, networks, and devices safe and secure. C stands for Confidentiality, I stands for Integrity, and A stands for Availability. The CIA triad is a fundamental security model that acts as a foundation for developing security policies designed to protect data. It is used to identify where a system is vulnerable and to decide which controls address that weakness: every control should be traceable to at least one of the three properties it protects.
Confidentiality:
Confidentiality in information security assures that information is accessible only to authorized individuals. Roughly equivalent to privacy, confidentiality measures are designed to keep sensitive information from reaching unauthorized parties. In practice this means two things: authenticating who is asking (proving identity) and authorizing what that identity may read, since a weak check on either side exposes the data.
Integrity:
This refers to the quality of something being unmodified and complete. In information security, integrity is about assuring that the original data has not been tampered with and can be trusted. The consistency, accuracy and trustworthiness of data must be maintained over its entire lifecycle. Data must not be changed in transit, and steps must be taken so that it cannot be altered by unauthorized people, for example during a data breach. Because modification cannot always be prevented, integrity controls also have to detect it: a change that goes unnoticed is an integrity failure even if the attacker is later removed.
Availability:
Availability means that networks, systems, and applications are up and operating. Information should be consistently and readily accessible to authorized parties when they need it. This involves proper maintenance of the hardware, technical infrastructure, and systems that hold and display the information, so that outages, whether caused by failure or by attack, are prevented or quickly recovered from.
Brief History of the CIA Triad:
The CIA triad does not have a single creator. The term confidentiality may have first been used in computer science as early as 1976 in a study by the U.S. Air Force. Likewise, the concept of integrity was explored in a 1987 paper titled "A Comparison of Commercial and Military Computer Security Policies" by David Clark and David Wilson. That paper recognized that commercial computing needed accurate accounting records and correct data, not just secrecy. The concept of availability became more widely used in 1988 after the Morris worm, which spread over the internet of the day and caused severe downtime on thousands of UNIX machines.
By 1998, people were using the three concepts together as the CIA triad. That year, infosec researcher and consultant Donn B. Parker published the book "Fighting Computer Crime", which broadened the triad into a "hexad" by adding three more elements: authenticity, possession or control, and utility. For more than two decades, organizations have had varying perspectives on the CIA triad, applying it to their cybersecurity strategies in ways that meet their needs.
Why is CIA Important?
The CIA triad forms the basis for the development of security systems and policies for institutions. As such, it plays a critical part in keeping data safe and protected against growing cyber threats. When a security incident occurs, the triad is especially useful for tracing the source of the vulnerability and working out which of the three properties failed and why. From there, the findings identify weak points, drive remediation, and show which controls held up.
Practices for implementing CIA:
1. Confidentiality
a. Follow the organization's data-handling security policies.
b. Encrypt data at rest and in transit, and require two-factor authentication (2FA) for access.
c. Keep access control lists and other file permissions up to date, and remove access that is no longer needed.
2. Integrity
a. Ensure employees are knowledgeable about compliance and regulatory requirements to minimize human error.
b. Use backup and recovery software or services.
c. Use version control, access control, audit logs, and checksums. A checksum only detects tampering if the attacker cannot recompute it, so protect it with a key (a message authentication code) or store it where the attacker cannot reach it.
3. Availability
a. Use preventive measures, such as redundancy, failover and RAID.
b. Ensure systems and applications stay updated.
c. Use network or server monitoring systems.
d. Have a data recovery and business continuity plan in place in case of data loss.
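The integrity practice above lists checksums. As an added example (not code from the original article), the Python below shows why the checksum has to be keyed: a plain SHA-256 checksum stored beside a record is simply recomputed by whoever tampers with the record, while an HMAC under a server-held key rejects both the altered record and a tag forged without the key. The order record and the key are constructed for illustration only; a real key is loaded from a secrets manager, never hard-coded.

```python
import hashlib
import hmac
import json

# Constructed sample order record (illustration only, not from the article).
ORDER = {
    "order_id": "A1001",
    "item": "hardware security key",
    "qty": 1,
    "unit_price_cents": 2500,
}

# Assumed server-side secret. In a real deployment this comes from a secrets
# manager or HSM and is never hard-coded; the attacker is assumed not to have it.
SERVER_KEY = b"illustrative-key-do-not-use-in-production"


def canonical(record: dict) -> bytes:
    """Serialize the record deterministically (sorted keys, no whitespace) so
    that equal records always produce identical bytes to hash over."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def unkeyed_checksum(record: dict) -> str:
    """Plain SHA-256 over the record: detects accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_tag(record: dict, key: bytes) -> str:
    """HMAC-SHA256 over the record: cannot be recomputed without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_tag(record: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison, so the check does not leak how many leading
    characters of a guessed tag were correct."""
    return hmac.compare_digest(keyed_tag(record, key), tag)


def tamper(record: dict) -> dict:
    """The attacker rewrites the price after the order was placed."""
    return dict(record, unit_price_cents=1)


def demo() -> dict:
    """Run both schemes against the same tampering and report what each detects."""
    results = {}

    # Scheme 1: unkeyed checksum stored next to the record. An attacker who can
    # edit the record can just as easily recompute and overwrite the checksum,
    # so the stored checksum still matches the forged record.
    forged = tamper(ORDER)
    forged_checksum = unkeyed_checksum(forged)  # attacker recomputes it
    results["unkeyed_detects_forgery"] = unkeyed_checksum(forged) != forged_checksum

    # Scheme 2: HMAC tag computed with a key the attacker does not hold.
    tag = keyed_tag(ORDER, SERVER_KEY)
    results["hmac_accepts_genuine"] = verify_tag(ORDER, tag, SERVER_KEY)
    # The record changed but the tag did not: verification fails.
    results["hmac_rejects_tampered"] = not verify_tag(forged, tag, SERVER_KEY)
    # The attacker guesses a key and recomputes the tag: still fails.
    attacker_tag = keyed_tag(forged, b"attacker-guess")
    results["hmac_rejects_forged_tag"] = not verify_tag(forged, attacker_tag, SERVER_KEY)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The tag only becomes an integrity control if it is verified on every read, not just computed on write. Note what it does not prove: an HMAC shows the record is unaltered, not that it is the current one, so replaying an old correctly tagged record needs a separate defence such as a sequence number or timestamp covered by the tag.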
Cons of CIA:
1. Limited scope: The CIA triad is at its best when the subject is data, so it is not the right tool on its own for reasoning about social engineering or phishing attacks that target people rather than systems.
2. Lack of specificity: The model's simplicity can be a struggle for organizations with limited security expertise or those starting from scratch. On its own, it does not give enough guidance for building a comprehensive security program.
3. Not holistic: Do not rely on the CIA triad as your only security model. Use it alongside other models and frameworks to establish strong procedures and make effective decisions.
Examples of CIA:
1. E-commerce
a) E-commerce customers expect that the personal information they provide to an organization (such as credit card, contact, shipping, or other personal details) will be protected in a way that prevents unauthorized access or exposure. This is Confidentiality.
b) E-commerce customers expect product and pricing information to be accurate, and that quantity, price, availability, and other order details will not be altered after they place an order. This is Integrity.
c) Product information, order tracking, and the payment receipt remain available at all times, even after the product has been received, so the customer can refer back to them. This is Availability.
2. Banks.
a) Two-factor authentication (the debit card, something you have, plus the PIN, something you know) protects confidentiality by authenticating the customer before access to account data is authorized.
b) The ATM and the bank's back-end software preserve integrity by recording every transfer and withdrawal made at the ATM accurately and consistently in the customer's account ledger.
c) The ATM provides availability because it is intended for public use and is accessible around the clock.
3. Companies.
a) Confidentiality: Those who work with an organization's finances should be able to access the spreadsheets, bank accounts, and other information related to the flow of money, while most other employees, and possibly even some executives, should not. To enforce this, strict access rules have to define who can see what.
b) Integrity: If your company publishes details about the CEO, senior managers, or any CXO on the organization's website, that information should have integrity. If it is incorrect or can be tampered with, visitors who come to the site for information may conclude that the organization is not trustworthy.
c) Availability: The company's legal records, financial spreadsheets, and employee database should be available to authorized persons whenever they are needed.
Conclusion:
In conclusion, the CIA triad is a critical component of information security and should be considered in any business IT security plan. It provides a framework for evaluating the risk to data and determining the measures needed to protect it. When a company maps out a security program, the CIA triad serves as a useful yardstick that justifies the need for each security control under consideration. All security actions inevitably lead back to one or more of the three principles.
By: Nandni Joshi