CIA – CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY
OBJECTIVES
• Explain and discuss the 3 pillars of the CIA triad
• Give examples of each of the 3 pillars
WHY THE CIA TRIAD?
• Information security really boils down to 3 key components.
• If any one of the 3 pillars breaks, we are not secure.
• All parts must remain intact.
FIPS 199
• U.S. federal government publication that outlines the standards for security categorization of federal information and information systems
• Breaks down the categorization of information
• Based on FISMA compliance – the Federal Information Security Modernization Act
CONFIDENTIALITY
• Definition according to Title 44 of the U.S. Code: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information”
• How it applies according to FIPS 199: “A loss of confidentiality is the unauthorized disclosure of information”
• Brief Explanation: The ability to keep things secret
• Examples: Encryption, passwords, access control lists
INTEGRITY
• Definition according to Title 44 of the U.S. Code: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity”
• How it applies according to FIPS 199: “A loss of integrity is the unauthorized modification or destruction of information”
• Brief Explanation: The ability to ensure information remains unchanged from what the source originally produced
• Examples: Hashing, checksums
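To make the hashing example concrete, here is an added Python demonstration (not part of the original slides) of the difference between a plain hash and a keyed hash: a plain SHA-256 digest detects modification only while the stored digest itself is trustworthy, whereas an HMAC also covers the authenticity part of the Title 44 definition, because a party without the key cannot produce a valid tag. The record bytes and the key are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample record and a modified copy (demo data, not from the slides).
ORIGINAL = b"account=1234;balance=100.00"
TAMPERED = b"account=1234;balance=999.00"


def sha256_hex(data: bytes) -> str:
    """Unkeyed cryptographic hash of the data."""
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, expected_hex: str) -> bool:
    """Integrity check with a plain hash; constant-time comparison of digests."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256): ties the tag to whoever holds the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, expected_hex: str) -> bool:
    """Integrity plus authenticity check with a keyed hash."""
    return hmac.compare_digest(hmac_sha256_hex(key, data), expected_hex)


def demo() -> dict:
    key = b"constructed-demo-key"  # would come from a key store in practice
    digest = sha256_hex(ORIGINAL)
    tag = hmac_sha256_hex(key, ORIGINAL)
    return {
        "hash_accepts_original": verify_hash(ORIGINAL, digest),
        "hash_rejects_tamper": not verify_hash(TAMPERED, digest),
        # Anyone able to rewrite the data can also rewrite an unkeyed digest,
        # so the plain hash alone says nothing about who produced the data.
        "hash_recomputed_by_modifier": verify_hash(TAMPERED, sha256_hex(TAMPERED)),
        "hmac_accepts_original": verify_hmac(key, ORIGINAL, tag),
        "hmac_rejects_tamper": not verify_hmac(key, TAMPERED, tag),
        # Without the real key no matching tag can be produced for modified data.
        "hmac_rejects_wrong_key": not verify_hmac(
            key, TAMPERED, hmac_sha256_hex(b"wrong-key", TAMPERED)
        ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```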
AVAILABILITY
• Definition according to Title 44 of the U.S. Code: “Ensuring timely and reliable access to and use of information”
• How it applies according to FIPS 199: “A loss of availability is the disruption of access to or use of information or an information system”
• Brief Explanation: The ability to ensure systems remain available and functioning
• Examples: Using load balancers, RAID, server clustering
EXAMPLES OF FAILURES
• Confidentiality – You name the latest breach – they are everywhere. Target, Home Depot, Heartland breaches
• Integrity – phpMyAdmin attack of 2012
• Availability – Large-scale DDoS attacks such as the Mirai botnet
CONCLUSION
• Users and admins should always consider the CIA triad at any point in the system lifecycle
• It’s up to the administrator to make sure security is built in!