CIA Triad
Confidentiality
Measures used to ensure the protection of secrecy of data, objects, or resources
Goal - prevent or minimize unauthorized access to data
Focuses security measures on making sure that no one other than the intended recipient of a message receives it or is able to read it
Examples of security controls
Encryption
Access controls
Steganography
Object
Passive element in a security relationship
Examples
Files
Computers
Network connections
Applications
Subject
Active element in a security relationship
Examples
Users
Programs
Computers
Sensitivity
quality of information, which could cause harm if disclosed
Discretion
An act of decision where an operator can influence or control disclosure in order to minimize harm or damage
Criticality
level to which information is mission critical
the higher the level of criticality the more important it is to maintain confidentiality of the information.
Concealment
act of hiding or preventing disclosure
Often viewed as means of cover, obfuscation, or distraction
Concept of attempting to gain protection through hiding, silence or secrecy
Secrecy
Act of keeping something a secret or preventing the disclosure of information
Privacy
keeping information confidential that is personally identifiable
Seclusion
Storing something in an out-of-the-way location
Provide strict access controls
Help enforcement of confidentiality protections
Isolation
Act of keeping something separated from others
Prevent commingling of information or disclosure of information
Integrity
Concept of protecting the reliability and correctness of data
Prevents unauthorized alterations of data
Ensures that data remains correct, unaltered and preserved
Proper integrity protection provides a means for authorized changes while protecting against intended and malicious unauthorized activities as well as mistakes made by authorized users
Three perspectives
Preventing unauthorized subjects from making modifications
Preventing authorized subjects from making unauthorized modifications, such as mistakes
Maintaining the internal and external consistency of objects so that their data is a correct and true reflection of the real world and any relationship with any child, peer, or parent object is valid, consistent, and verifiable
Attacks focused on violation of integrity
Viruses
Logic bombs
Unauthorized access
Errors in coding and applications
Malicious modification
Intentional replacement
System back doors
Events that lead to integrity breaches
Modifying or deleting files
Entering invalid data
Altering configurations
Errors in commands, codes and scripts
Introducing a virus
Executing malicious code
Countermeasures
Strict access control
Rigorous authentication procedures
Intrusion detection systems
Object/data encryption
Hash total verifications
Interface restrictions
Input/function checks
Extensive personnel training
Other concepts, conditions and aspects
Accuracy - being correct and precise
Truthfulness - being a true reflection of reality
Authenticity - being authentic or genuine
Validity - being factually or logically sound
Nonrepudiation - not being able to deny having performed an action or activity or being able to verify the origin of a communication or event
Accountability - being responsible or obligated for actions and results
Responsibility - being in charge or having control over something or someone
Completeness - having all needed and necessary components or parts
Comprehensiveness - being complete in scope; the full inclusion of all needed elements
Availability
Authorized subjects are granted timely and uninterrupted access to objects.
Offers a high level of assurance that the data, objects, and resources are accessible to authorized subjects
To maintain availability, controls have to be in place to ensure:
Authorized access
Acceptable level of performance
Quickly handle interruptions
Provide for redundancy
Maintain reliable backups
Prevent data loss or destruction
Threats to availability
Device failure
Software errors
Environmental issues
DoS attacks
Object destruction
Communication interruptions
Events that lead to availability breaches
Accidentally deleting files
Overutilizing a hardware or software component
Under-allocating resources
Mislabeling or incorrectly classifying objects
Countermeasures
Designing intermediary delivery systems properly
Using access controls effectively
Monitoring performance and network traffic
Using firewalls and routers to prevent DoS attacks
Implementing redundancy for critical systems
Maintaining and testing backup systems
Other concepts, conditions, and aspects of availability
Usability - state of being easy to use or learn or being able to be understood and controlled by a subject.
Accessibility - assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations
Timeliness - prompt, on time, within a reasonable time frame, or providing low-latency response
AAA Services
Identification
Claiming an identity when trying to access a secured area or system
Subject has to provide an identity to a system to start the process of authentication
Authentication
proving that you are who you claim to be
Process of verifying or testing the subject is who they claim to be
Authentication factor used to verify identity
Passwords
PINs
Keys, tokens, smartcards
Biometrics
Authorization
defining the permissions of a resource and object access for a specific identity
Making sure that the requested activity or access to an object is allowed given the rights and privileges assigned to the authenticated identity
Auditing
recording a log of the events and activities related to the system and subjects
Process by which unauthorized or abnormal activities are detected on a system
Accounting (accountability)
reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions
Established by linking a human to the activities of an online identity through auditing, authorization, authentication and identification mechanisms.