The CIA Triad

Foundations of Cybersecurity

The CIA Triad, an acronym for Confidentiality, Integrity, and Availability, is a fundamental model for developing and evaluating security policies. It is a core framework that cybersecurity professionals use to prioritise and protect data and networked systems, and it serves as a guide to what a good security program should achieve.

Imagine the EFTPOS network suddenly shuts down, your payroll banking details are altered, or your medical records leak online. Each of these is a failure of one element of the triad (availability, integrity and confidentiality respectively), and these are the three primary risks the CIA Triad is designed to guard against.

Confidentiality

Confidentiality ensures that data is accessed only by authenticated and authorised individuals. It is about protecting sensitive information from unauthorised viewing. This is like restricting access to a sensitive employee database so only payroll staff can view salary details.

Key concepts and methods related to confidentiality include:

  • Encryption: The process of converting data into a form that cannot be read without the key, to prevent unauthorised access.
  • Access Controls: Limiting who can see what. This includes authentication (usernames and passwords) and permission levels, with access denied unless it has been explicitly granted.
  • Data Masking: Hiding sensitive data by replacing it with a non-sensitive equivalent.
  • Physical Security: Securing physical devices and documents that contain confidential information.

A breach of confidentiality is a data breach: unauthorised access to sensitive information.
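The access control and data masking items above, as an added example that is not part of the original page. The employee record, the roles and the policy table are constructed for illustration; the point is that the policy is deny-by-default (an unknown role gets nothing, not a partial record) and that a role which needs a field for its job but not the full value, such as a helpdesk confirming a bank account, sees a masked copy rather than the real one.

```python
# Added example: role-based field access plus data masking for an employee record.
# RECORD, POLICY and the role names are constructed for this illustration.

RECORD = {
    "name": "A. Example",
    "dept": "Engineering",
    "salary": 85000,
    "bank_account": "12-3456-7890",
}

# Each role lists the fields it may view and which of those are shown masked.
# Any role or field not listed here is denied: deny by default.
POLICY = {
    "payroll":  {"view": {"name", "dept", "salary", "bank_account"}, "masked": set()},
    "helpdesk": {"view": {"name", "dept", "bank_account"}, "masked": {"bank_account"}},
    "staff":    {"view": {"name", "dept"}, "masked": set()},
}


def mask_account(account: str, keep: int = 4) -> str:
    """Replace all but the last `keep` characters with '*', preserving length."""
    if len(account) <= keep:
        return "*" * len(account)
    return "*" * (len(account) - keep) + account[-keep:]


def view_record(record: dict, user: dict) -> dict:
    """Return only the fields `user` may see, masking where the policy says so.

    Raises PermissionError, rather than returning a partial record, when the
    caller is not authenticated or has no policy entry (deny by default).
    """
    if not user.get("authenticated", False):
        raise PermissionError("authentication required")
    policy = POLICY.get(user.get("role"))
    if policy is None:
        raise PermissionError(f"no policy for role {user.get('role')!r}")
    visible = {}
    for field, value in record.items():
        if field not in policy["view"]:
            continue  # field withheld entirely
        visible[field] = mask_account(value) if field in policy["masked"] else value
    return visible


if __name__ == "__main__":
    for role in ("payroll", "helpdesk", "staff"):
        print(role, view_record(RECORD, {"authenticated": True, "role": role}))
```

Running it shows payroll receiving the full record, helpdesk receiving the account as `********7890`, and staff receiving only name and department; a request from a role with no policy entry raises instead of leaking anything.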

Integrity

Integrity is the assurance that data is accurate, consistent, and trustworthy throughout its entire lifecycle. It is about protecting data from unauthorised modification or deletion. This is like a tamper-proof seal on a document, guaranteeing that it has not been altered.

Key concepts and methods related to integrity include:

  • Hashes and Checksums: Unique digital fingerprints that can be used to verify that a file has not been altered. A bare hash detects accidental corruption, but an attacker who can rewrite the file can usually rewrite a hash stored beside it too, so against deliberate tampering the hash must be keyed (an HMAC) or signed.
  • Digital Signatures: A cryptographic method that ensures the authenticity and integrity of a message or file.
  • Version Control: Systems that track changes to files, allowing for a rollback to previous, unaltered versions.

A breach of integrity can have severe consequences, from corrupted records to the insertion of malicious code.
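The hash-versus-keyed-hash distinction from the list above, as an added example that is not part of the original page. The invoice bytes and the key are constructed for illustration. It runs the same tampering past a plain SHA-256 checksum and past an HMAC-SHA256 tag: the checksum catches silent corruption but is fooled once the attacker rewrites both file and checksum, while the HMAC still fails because the attacker does not hold the key.

```python
# Added example: plain checksum vs keyed MAC against accidental corruption and
# deliberate tampering. ORIGINAL, TAMPERED and the key are constructed data.
import hashlib
import hmac

ORIGINAL = b"Invoice 1042: pay ACME Ltd 4500.00 to account 12-3456-7890\n"
TAMPERED = b"Invoice 1042: pay ACME Ltd 4500.00 to account 99-9999-9999\n"


def checksum(data: bytes) -> str:
    """SHA-256 fingerprint. Anyone can compute it, so it only detects
    accidental corruption, not deliberate replacement."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(checksum(data), expected)


def mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag. Only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(mac(key, data), expected)


def demo(key: bytes) -> dict:
    """Run both checks against the same tampering and report what each caught."""
    published_sum = checksum(ORIGINAL)  # stored next to the file
    published_tag = mac(key, ORIGINAL)  # key kept away from the file store

    # Case 1: silent corruption. The file changed, the stored checksum did not.
    checksum_detects_corruption = not verify_checksum(TAMPERED, published_sum)

    # Case 2: deliberate tampering. The attacker can overwrite the file, so
    # they overwrite the bare checksum beside it as well.
    forged_sum = checksum(TAMPERED)
    checksum_fooled_by_attacker = verify_checksum(TAMPERED, forged_sum)

    # The attacker does not hold `key`; the best they can do is guess one.
    forged_tag = mac(b"attacker-guess", TAMPERED)
    mac_fooled_by_attacker = verify_mac(key, TAMPERED, forged_tag)
    # And the legitimately published tag no longer matches the altered file.
    mac_detects_tamper = not verify_mac(key, TAMPERED, published_tag)

    return {
        "checksum_detects_corruption": checksum_detects_corruption,
        "checksum_fooled_by_attacker": checksum_fooled_by_attacker,
        "mac_fooled_by_attacker": mac_fooled_by_attacker,
        "mac_detects_tamper": mac_detects_tamper,
    }


if __name__ == "__main__":
    for check, result in demo(b"payroll-integrity-key").items():
        print(f"{check}: {result}")
```

A digital signature gives the same protection with an asymmetric key: the signer keeps the private key, and anyone holding the public key can verify, so the verifier never needs the secret that the MAC scheme above shares.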

Availability

Availability ensures that systems, services, and data are accessible to authorised users when needed. It is about making sure that resources are there for the right people at the right time. This is like a cloud service that stays online even if one of its data centres goes down.

Key concepts and methods related to availability include:

  • Redundancy and Backups: Creating multiple copies of data and systems to ensure that if one fails, another can take its place.
  • Disaster Recovery Planning: A detailed plan for how to restore IT infrastructure after a major disaster.
  • System Maintenance: Regular patching and upgrades to prevent service interruptions.
  • DDoS Mitigation: Defending against attacks designed to make a service unavailable by flooding it with traffic.

A breach of availability can lead to service outages, financial losses, and reputational damage.
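The redundancy item above, as an added example that is not part of the original page. The replicas are simulated in-process and their names and health are constructed; a real client would be calling separate hosts or data centres. The point it adds to the list is that failover alone is not enough: a client that retries a known-dead replica on every request pays the failure cost every time, so the example remembers which replicas have failed and skips them.

```python
# Added example: client-side failover across redundant replicas.
# Replica names and their health are constructed for this illustration.


class ReplicaDown(Exception):
    """Raised by a replica that cannot serve the request."""


def make_replica(name: str, healthy: bool):
    """Return a callable standing in for one backend instance."""
    def serve(request: str) -> str:
        if not healthy:
            raise ReplicaDown(name)
        return f"{name} served {request}"
    return serve


def fetch_with_failover(replicas: list, request: str, known_down: set = None) -> tuple:
    """Try each replica in order and return (response, replica_name).

    `known_down` records replicas that have already failed so later requests
    skip them instead of paying for a failed attempt each time; it is updated
    in place. Raises RuntimeError only when every replica has failed.
    """
    known_down = known_down if known_down is not None else set()
    for name, serve in replicas:
        if name in known_down:
            continue
        try:
            return serve(request), name
        except ReplicaDown:
            known_down.add(name)
    raise RuntimeError("no replica available; failed: " + ", ".join(sorted(known_down)))


if __name__ == "__main__":
    cluster = [("dc-a", make_replica("dc-a", healthy=False)),
               ("dc-b", make_replica("dc-b", healthy=True))]
    down = set()
    print(fetch_with_failover(cluster, "GET /balance", down), "skipping:", down)
```

In production the `known_down` set would be re-probed periodically so a recovered replica rejoins the rotation; here it is a plain set to keep the failover logic visible.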

The CIA Triad in Action

The three elements of the CIA Triad are deeply interconnected, and improving one can affect another. For example, tightening access controls to improve Confidentiality might unintentionally reduce Availability. Conversely, the access controls implemented for Confidentiality can also strengthen Integrity, since fewer people are able to modify the data. A balanced cybersecurity strategy carefully considers these trade-offs.

If you imagine the CIA Triad as a triangle, with the priorities of a business or the nature of an industry represented as a point somewhere within that triangle, the point for Operational Technology in a refinery would sit closer to Availability, reflecting the priority on engineering out downtime. A government agency might be positioned closer to Confidentiality because of privacy requirements. Finally, a data backup service would position its point closer to Integrity, based on the need for data assurance.