An essential part of cyber security is understanding the important security objectives often abbreviated as CIA. These CIA security objectives are essential in keeping information and systems secure.
What is CIA in Cyber Security? CIA stands for Confidentiality, Integrity and Availability in Cyber Security, and these collectively form important security objectives that many organizations use to protect information and systems. These objectives are also known as the CIA triad and can be referred to as AIC too.
Security has a set of objectives to protect important assets, like systems and more importantly information. These objectives of confidentiality, integrity, and availability are commonly referred to as CIA. They can also be referred to in reverse, as AIC, as some people prefer to represent the security objectives as Availability, Integrity and Confidentiality.
For the rest of this article, I will look at these security objectives in the CIA order and not the AIC order. The aims of security in the cyber world rely on ensuring the CIA objectives are met to some degree; ideally all the CIA objectives need to be met, but this is not always going to be the case.
There are always cost constraints, along with time constraints, that can affect how the CIA objectives are met, so a compromise is generally made to ensure an adequate level of protection is still provided. Security controls, safeguards and the different types of security processes and mechanisms all lean towards one aim: protecting important assets with the help of one or more of these security objectives.
The security objective of confidentiality is to protect information by making sure only those people who are allowed to use the information can use it, with everyone else being excluded.
Information such as an organization’s plans and strategies for the future needs to remain confidential, with only those people who are authorized to see this information being allowed to do so.
If this information becomes known to people who should not be looking at it, the confidentiality of the information is breached. Information falling into the wrong hands is detrimental to any organization’s aspirations.
Confidentiality ensures the information is protected at all stages of its lifecycle, by controlling:
- who has access to the confidential information (authorization)
- how the confidential information is used (processing)
- how the confidential information resides on systems (storage)
- how the confidential information is moved around (transmission)
By having effective control over these activities with confidential information, the chances of the information being disclosed to parties who are not authorized to access it are minimized.
Only those people authorized to use the confidential information get to use the confidential information. Some form of access controls, identifying the correct people and authorizing them access is essential.
Important medical information, for example, remains highly confidential, with doctors being authorized to access it. Computer systems will use security measures like passwords, swipe cards and even biometrics (fingerprints) to ensure only the correct individuals can see this medical information.
How the confidential information is processed, that is, used, is vitally important. Having authorization to get access to confidential information about a pending corporate takeover during a board meeting meets the principle of having authorization to see the confidential information.
But then using this confidential information to buy shares in the company being taken over for gain before the rest of the market knows is not the correct processing of the confidential information. This is insider trading and is highly illegal, punishable by large fines and incarceration.
Making sure the information can only be used for the purposes it is intended for is essential. Another example is a police officer who has the authority to access the police computer system, but is only allowed to access information relating to the cases they are currently working on.
Looking up confidential information about other people on the police computer that is not related to the cases they are working on will be a serious infringement of how the confidential information can be used. Even though the police officer has the authorization to look at information on the police computer, they can only do so if it is related to their current case load.
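The difference between being authorized to log in and using the information for its intended purpose can be checked from an audit trail. The following is an added example, not part of the original article: it reviews lookups against each officer's case load. The log format, officer, case and subject identifiers are all constructed for illustration.

```python
import re

# Assumed (hypothetical) audit log format, one lookup per line.
LINE = re.compile(
    r"^(?P<ts>\S+) officer=(?P<officer>\S+) action=lookup "
    r"subject=(?P<subject>\S+) case=(?P<case>\S+)$"
)

# Constructed reference data: who works on which case, and who each case is about.
ASSIGNED_CASES = {"O17": {"C-88"}, "O23": {"C-88", "C-91"}}
CASE_SUBJECTS = {"C-88": {"P-1001", "P-1002"}, "C-91": {"P-2001"}}

# Constructed sample log. Every officer here has a valid login (authorization);
# the question is whether each lookup fits their current case load (processing).
SAMPLE_LOG = """\
2024-03-01T09:12:00 officer=O17 action=lookup subject=P-1001 case=C-88
2024-03-01T09:40:10 officer=O17 action=lookup subject=P-2001 case=C-91
2024-03-01T10:05:33 officer=O23 action=lookup subject=P-2001 case=C-91
2024-03-01T11:17:02 officer=O23 action=lookup subject=P-7777 case=C-88
2024-03-01T11:30:00 officer=O17 action=lookup subject=P-1002 case=-
"""


def review_lookups(log_text, assigned=ASSIGNED_CASES, subjects=CASE_SUBJECTS):
    """Return (line_number, officer, reason) for lookups outside the case load."""
    findings = []
    for number, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = LINE.match(line)
        if match is None:
            # A line that cannot be parsed is itself worth a reviewer's attention.
            findings.append((number, None, "unparsed line"))
            continue
        officer, subject, case = match["officer"], match["subject"], match["case"]
        if case not in assigned.get(officer, set()):
            reason = "case not in officer's case load"
        elif subject not in subjects.get(case, set()):
            reason = "subject not part of the stated case"
        else:
            continue  # authorized user, intended purpose
        findings.append((number, officer, reason))
    return findings


if __name__ == "__main__":
    for finding in review_lookups(SAMPLE_LOG):
        print(finding)
```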
Securely storing confidential information is paramount in ensuring the information is protected from prying eyes. Common tactics include access controls and more importantly strong encryption standards, allowing for the confidentiality to remain intact even if the confidential information leaks or is stolen.
Examples where confidentiality has remained protected include data breaches, where hackers have managed to get access to information but due to the information being encrypted, the hackers have been unable to see the information contents. This has allowed the confidential information to remain confidential.
The confidentiality of information can be compromised if it can be snooped upon, or the identities of the parties sending and receiving the confidential information cannot be guaranteed. Sending confidential information to someone who is not who they say they are allows the confidential information to end up in the hands of someone who does not have the authority to see the information.
Likewise, sending confidential information across insecure communication channels like email, or by using insecure websites for uploading information, puts the confidentiality of the information at risk.
By using techniques to identify all parties involved in communicating, digital signatures being a good example, and using secure communication channels that use encryption, the confidentiality of the information can be maintained.
Accessing confidential information
Getting access to information by impeding its confidentiality can be done in a number of ways, including:
- Social engineering
- Lack of security training
Tricking someone into giving access to information which they are not authorized to see is social engineering at work. It can be as simple as someone deliberately creating a distraction, so they can get hold of information while the distraction is investigated.
Or it can involve phoning the personal assistant of an organization’s CEO and pretending to be from the IRS, then tricking the personal assistant into giving up confidential details about the CEO and the organization.
Hacking into computer systems and getting access to the information stored on databases and storage systems is commonplace today. Hackers are able to infiltrate systems and steal large amounts of confidential data, data that more often than not has not been protected adequately.
Disclosure of confidential information can happen accidentally or for malicious reasons, that is intentionally.
Accidental disclosure happens from human error and from lack of awareness due to not having had enough training. Examples of accidental disclosure include:
- Leaving a USB stick on a desk without encryption enabled can result in information on the USB stick falling into unauthorized hands. I have worked at places where people have had USB sticks disappear from their desk (most likely stolen) with the USB sticks containing important corporate information. More times than not, the information has not been encrypted and the resultant loss of information has led to people being fired.
- Forgetting to lock the computer screen when leaving the desk, allowing anyone who comes by to get access to the computer without entering a password. This ends up allowing unauthorized people access to information they really should not be seeing.
- Sending an email to a group of people without blind copying them in will allow confidential information about the different customer email addresses to be visible to everyone to whom the email is sent.
- Putting information in a place where it should not go, like putting employee details on the company website instead of the company intranet. This allows non-company people to see detailed employee information they should not really be seeing.
One of the biggest cyber threats is the insider threat, where people who have access to information as part of their jobs, steal information or disclose information. Maybe they are disgruntled employees who see this as revenge against their employers, or they could be bribed by others to get them confidential information. Examples can include:
- Employees copying company data on their last few days to USB drives to take away with them when they leave.
- Employees printing off company data and taking this home for their personal use without authorization from their employer.
- Employees setting up programs to regularly siphon off company data to their private storage areas outside the company when they leave.
Lack of security training
Lack of security training can result in poor handling of confidential information. When I am travelling on public transport, mostly trains, I am still amazed at people who work in highly secretive jobs who openly read documents, easily allowing people like me to see confidential information which I should not be seeing, simply because the person entrusted with this information follows poor information protection standards. Other examples of a lack of security training are:
- Opening attachments sent by email which could contain malicious programs designed to steal data.
- Clicking links in emails and on websites, which could contain malicious programs designed to steal data.
- Leaving confidential documents on desks long after everyone has left and gone home, in clear violation of clear desk policies.
The reliability and accuracy of the information and systems form the backbone of ensuring integrity. Without integrity the information’s value and the systems used are diminished, as the information is no longer accurate and therefore the information is no longer reliable.
The integrity of information can be put into question through some of the following ways:
- human error
- data corruption
- malicious activities
These activities that can affect the integrity of information and systems must be restricted to ensure the integrity of information and the systems involved.
Consider CCTV recordings. If, over a 24 hour period, the CCTV recordings are kept in cloud storage, then it could be said the 24 hours’ worth of recordings are reliable and accurate for the events that have taken place over the past 24 hours.
However, if the storage in the cloud can be accessed by many different people, who if they wanted to, could delete some of the CCTV recordings, we can’t be sure anymore whether any of the CCTV recordings have been tampered with. This puts the integrity of the information, that is, the CCTV recordings, into question.
Ensuring access to the cloud storage where the CCTV recordings are stored is severely restricted helps in improving the integrity. Along with logging all access attempts to the cloud storage and restricting the permissions to delete the CCTV recordings from cloud storage, steps can be taken to ensure the integrity of the information, in this case the CCTV recordings, and the integrity of the systems involved with processing and storing the information, that is, the cloud storage.
As humans we are not perfect and are prone to mistakes. It’s these mistakes that can lead to integrity being compromised and in this day and age, with more automation taking place, the level of human interaction is becoming less and less, leading to the accuracy of tasks previously done by humans becoming more reliable and accurate.
In Victorian times any calculations done were done using log tables and any error in the log tables would result in errors in the calculations. As the log tables were created by humans and the calculations being done were also done by humans, the integrity of the calculations suffered, as there were errors and limited rechecking of the calculations.
Today, computers are able to accurately check information, providing us with a level of confidence the information is accurate and reliable. But this doesn’t mean human errors don’t still occur, as entering the wrong information into a computer program can result in integrity issues. Wrong data from a test or research, for example, ultimately puts the integrity of the test or research into question.
Data can be corrupted by accident or through malicious means, but with both types of data corruption, the integrity of the data, that is, the information, cannot be guaranteed for accuracy and reliability.
Malicious data corruption could occur if, for example, a computer programmer fails to put in controls to ensure only the correct type of information is allowed into the website forms of their employer’s website. Without this validation check of the information being entered into the form fields, the accuracy of the information being entered is put into question.
Malicious users can enter information that is not reliable, but more than that, they can enter information that allows them to get access to even more information (SQL Injection attacks), and they can modify all the other information stored.
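The missing validation described above, shown beside a corrected form handler, as an added example that is not part of the original article. The `prices` table, the allowed item-name pattern, the price limit and the sample input are all constructed for illustration; the database is an in-memory SQLite instance.

```python
import re
import sqlite3
from decimal import Decimal, InvalidOperation

# Allowlist for item names accepted from the form (assumed format).
ITEM_RE = re.compile(r"[A-Za-z0-9 _-]{1,40}")

# Constructed form input of the kind the article warns about.
CONSTRUCTED_INPUT = "shirt' OR '1'='1"


def new_db():
    """Create a small in-memory price list (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prices (item TEXT PRIMARY KEY, price TEXT)")
    conn.executemany(
        "INSERT INTO prices VALUES (?, ?)",
        [("shirt", "20.00"), ("jeans", "45.00"), ("scarf", "12.50")],
    )
    return conn


def update_price_unsafe(conn, item, price):
    """No validation: form values are pasted straight into the SQL text."""
    conn.execute(f"UPDATE prices SET price = '{price}' WHERE item = '{item}'")


def update_price_safe(conn, item, price):
    """Validate the type of each field, then pass values as bound parameters."""
    if not ITEM_RE.fullmatch(item):
        raise ValueError("item name contains characters that are not allowed")
    try:
        value = Decimal(price)
    except InvalidOperation:
        raise ValueError("price is not a number") from None
    if not value.is_finite() or value <= 0 or value > 100000:
        raise ValueError("price is outside the accepted range")
    cur = conn.execute(
        "UPDATE prices SET price = ? WHERE item = ?", (f"{value:.2f}", item)
    )
    return cur.rowcount  # number of rows changed


def prices(conn):
    """Return the current price list as {item: price}."""
    return dict(conn.execute("SELECT item, price FROM prices ORDER BY item"))


if __name__ == "__main__":
    db = new_db()
    update_price_unsafe(db, CONSTRUCTED_INPUT, "0.01")
    print("unsafe handler:", prices(db))  # every row was overwritten

    db = new_db()
    try:
        update_price_safe(db, CONSTRUCTED_INPUT, "0.01")
    except ValueError as err:
        print("safe handler rejected input:", err)
    print("safe handler:", prices(db))  # stored data unchanged
```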
Accidental data corruption can occur through power outages where sufficient protections like backup power are not in place, or instances where the storage used for information runs out of capacity and causes existing information to become corrupted through overwrites. In such scenarios effective solutions are available to avoid data corruption.
Information’s integrity can be maliciously altered when proper safeguards to protect information are not used. Consider Man-in-the-Middle (MitM) attacks, where an eavesdropper gets access to information and modifies the information as it is being transmitted. The recipient of the information does not get the original information, they just get the modified information.
This modification affects the integrity of the information. Suppose the Man-in-the-Middle attack was able to capture information about a corporate takeover and change the information to deny any takeover was being planned.
This would allow the eavesdropper to buy shares in the intended takeover organization at a greatly reduced price, as the market would assume no takeover is taking place. When the takeover does get confirmed, their shares would increase dramatically in value, allowing them to sell the shares off at a huge profit.
It’s fairly simple to protect against Man-in-the-Middle attacks by simply using encryption, so anyone eavesdropping on any information being transmitted will not be able to read the information unless they can decrypt it, and without the cryptographic keys used to encrypt the information, this will prove to be an impossible attack.
Information has little value if the people and systems who need the information cannot get access to the right information. Information’s availability can become compromised if the:
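An added example, not from the original article, that applies to both the CCTV recordings that could be deleted from shared storage and the message altered in transit: each item carries a keyed tag (HMAC) chained to the item before it, so someone without the key cannot modify, remove or reorder items unnoticed. Encryption keeps the content unreadable, while the tag is what reveals a change. The key, segment names and message text are constructed for illustration, and the key is assumed to be held only by the recorder or sender and the verifier.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # fixed starting value for the chain

# Constructed sample data.
KEY = b"constructed-demo-key-not-for-real-use"
SEGMENTS = [b"cam1 00:00-08:00 <video>", b"cam1 08:00-16:00 <video>",
            b"cam1 16:00-24:00 <video>"]
MESSAGE = [b"Takeover of ExampleCo is planned"]


def seal(key, prev_tag, seq, payload):
    """Tag one item, binding it to its position and to the item before it."""
    data = prev_tag + seq.to_bytes(8, "big") + hashlib.sha256(payload).digest()
    return hmac.new(key, data, hashlib.sha256).digest()


def seal_all(key, payloads):
    """Return a list of (payload, tag) pairs forming a chain."""
    sealed, prev = [], GENESIS
    for seq, payload in enumerate(payloads):
        prev = seal(key, prev, seq, payload)
        sealed.append((payload, prev))
    return sealed


def verify_all(key, sealed, expected_count):
    """Return None if intact, otherwise a description of the first problem."""
    prev = GENESIS
    for seq, (payload, tag) in enumerate(sealed):
        expected = seal(key, prev, seq, payload)
        if not hmac.compare_digest(expected, tag):
            return f"item {seq}: modified, reordered, or an earlier item removed"
        prev = tag
    # Items cut from the end leave a valid but short chain, so the count
    # (kept separately from the storage) is checked as well.
    if len(sealed) != expected_count:
        return f"expected {expected_count} items, found {len(sealed)}"
    return None


if __name__ == "__main__":
    recordings = seal_all(KEY, SEGMENTS)
    print(verify_all(KEY, recordings, 3))                          # intact
    print(verify_all(KEY, [recordings[0], recordings[2]], 3))      # one deleted
    sent = seal_all(KEY, MESSAGE)
    altered = [(b"No takeover is planned", sent[0][1])]            # changed in transit
    print(verify_all(KEY, altered, 1))
```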
- Information is no longer accessible
- Information accessibility levels change
- Information is not protected against interruption
Information is no longer accessible
When information is no longer accessible, this lack of availability can end up costing money and even lives. A hospital needs to have patient medical data available to make decisions which can make the difference in life threatening situations. Not having access to medical information for prolonged periods could result in misdiagnosis, incorrect medicinal dosages or incorrect operational procedures.
Hospitals not only spend vast amounts on protecting the availability of medical data, but some also use paper-based systems to ensure there is a backup of information available to use, should the computer systems fail.
Information accessibility levels change
Some information’s importance relies on it being available in a timely manner, as the value of the information changes with time. If this type of information becomes delayed, its slower availability can have an effect on decision making and outcomes.
Consider a stockbroker who relies on real-time market information to allow them to make decisions about how to buy and sell shares. If the real-time information is not available in real-time, that is, it becomes delayed, the stockbroker is unable to make trades based on having qualified information.
Information is not protected against interruption
When the availability of information is compromised, the consequences can affect the integrity and the confidentiality of the information. The information is no longer the right information expected by the people and systems who want to use this information.
The information may become corrupted and therefore unreliable, or the information protection controls like access control and encryption could fail, allowing confidential information to be accessible by people and systems who should not have access.
Ensuring the availability of the information in its intended form requires systems to fail safely without damaging information and without compromising who or what has access to the information.
A firewall’s availability is compromised by failure and there is no backup firewall, thereby allowing access into computer systems. Hackers gain entry into one of the systems protected by the firewall and install a program to capture credit card information by skimming all credit card details entered into the organization’s website.
The firewall is brought back online within 24 hours but no checks are done for any intrusion or malicious damage, with the organization carrying on as normal without realizing credit card details of their customers are being systematically stolen every time a transaction is made.
The confidentiality of the credit card information has been compromised due to the unavailability of the firewall and this confidential information is now visible to hackers who have no authority to view this information.
Organizations, from the likes of stock markets and social media organizations like Facebook and Twitter to medical organizations, spend vast amounts of resources in ensuring the availability of information.
They have backup systems, from backup data centers with backup power supplies to computer systems with duplicate components, so should one component fail, a backup component is available.
Any failures in the availability of information should be handled in a manner that does not compromise the integrity of the information.
A company is using encryption to protect their information but due to availability issues, the encryption fails, resulting in the information not being encrypted anymore.
Availability’s scope includes backup and archives: information that’s not current may still require storing until a time it’s required, as well as having a backup of current information just in case there is a problem with the information currently being used.
Confidentiality, Integrity and Availability examples
The Confidentiality, Integrity and Availability examples below are designed to make it easier to understand these concepts by using examples tailored to real world situations where confidentiality, integrity and availability issues come into play.
Peter goes for a meeting with the payroll department to discuss some new tax information updates required. The senior payroll clerk is delayed, so as Peter waits in their office, he notices a bunch of papers with details of one of his fellow employees. Peter decides to look at the bunch of papers and finds he can see the salary of everyone in his department.
What tenet of security has just been violated by Peter reading this information?
Confidentiality is to make sure information is only available to authorized users and as an unauthorized user, Peter has looked at information he has no authority to view. As such this is a breach of confidentiality.
Peter goes for a meeting with the payroll department to discuss some new tax information updates required. The senior payroll clerk is delayed from another meeting and Peter notices they have left their computer unlocked. Peter decides to look at his payroll record and make changes to how much he is paid.
Peter changes the figures to double his salary, hoping no one will notice the change he has made.
What tenet of security has just been violated by Peter changing this information?
Integrity is to ensure information ONLY gets deleted or modified by authorized users and as an unauthorized user, Peter has changed his salary information which he has no authority to change. As such this is a breach of integrity.
Mary works for a fashion supplier; she is involved with providing the latest prices to the shops who stock the fashion items across the United States. She regularly updates the pricing information on the company products portal, which the shops use when they put their orders in.
One day, whilst she is working away, her connection to the company products portal is cut short and her web browser displays a message ‘Website not found’.
She phones up the IT Support department, only to be advised the data center where the website for the company products portal is located, is under attack in a massive denial of service attack by hackers. The shops are unable to connect to the company’s product portal, so are unable to get the latest pricing or order stock.
What tenet of security could it be said has been violated by company information not being available to customers from the malicious denial of service attack?
Availability is to ensure information is available for all those who need the information. The hacker’s denial of service attack has compromised the availability of the information with the company product portal not being able to supply this information.
Confidentiality, Integrity and Availability, abbreviated as CIA, are important security objectives of all organizations, allowing them to protect their information so only the right people can see accurate and reliable information they are authorized to see when they want to see it.