When attempting to secure an information system, you focus on three primary attributes of the system:
- Confidentiality: can actors who should not have access to the system or information access the system or information?
- Integrity: can the data or the system be modified in some way that is not intended?
- Availability: are the data or the system accessible when and how they are intended to be?
Together, these concepts make up the CIA (Confidentiality, Integrity, Availability) triad, and in large part they are the primary items that you will focus on when securing a system as part of standard deployment, maintenance, or assessment.
It is also important to note that in some cases, you may be far more concerned with one aspect of the CIA triad than others. For instance, if you have a personal journal that contains your most secret thoughts, the confidentiality of the journal may be far more important to you than the integrity or the availability. In other words, you may not be as concerned about whether someone can write to the journal (as opposed to reading it) or whether or not the journal is always accessible. On the other hand, if you are securing a system that tracks medical prescriptions, the integrity of the data will be most critical.
When you are securing a system and an issue is discovered, you will have to consider which of these three concepts, or which combination of them, the issue falls into. This helps you understand the problem in a more comprehensive manner and allows you to categorize the issues and respond accordingly. It is possible to identify vulnerabilities that impact a single item or multiple items from the CIA triad. To use a web application with a SQL injection vulnerability as an example:
- Confidentiality: a SQL injection vulnerability that allows an attacker to extract the full contents of the web application, allowing them to have full access to read all the data, but no ability to change the information or disable access to the database.
- Integrity: a SQL injection vulnerability that allows an attacker to change the existing information in the database. The attacker can’t read the data or prevent others from accessing the database.
- Availability: a SQL injection vulnerability that initiates a long-running query, consuming a large amount of resources on the server. This query, when initiated multiple times, leads to a denial of service (DoS) situation. The attacker has no ability to access or change data but can prevent legitimate users from accessing the web application.
- Multiple: a SQL injection vulnerability leads to full interactive shell access to the host operating system running the web application. With this access, the attacker can breach the confidentiality of the system by accessing data as they please, compromise the integrity of the system by altering data, and if they so choose, destroy the web application, leading to a compromise of the availability of the system.
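The categorization above, combined with the earlier point that different systems care about different parts of the triad, can be sketched as a small triage helper. This is an added example, not part of the original text: it assumes each finding's impact is recorded in CVSS v3.1 vector notation (the `C`, `I` and `A` metrics), and the finding names, vectors, `LEVEL` scale and profile weights are all constructed for illustration.

```python
# Added example: classify findings by CIA impact and rank them per system.
# All findings, vectors and weights below are constructed sample data.
LEGS = {"C": "confidentiality", "I": "integrity", "A": "availability"}
LEVEL = {"N": 0.0, "L": 0.5, "H": 1.0}  # assumed scale, not the CVSS base score


def cia_impact(vector):
    """Return {leg: level} parsed from the C/I/A metrics of a CVSS v3.x vector."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    missing = [m for m in LEGS if m not in metrics]
    if missing:
        raise ValueError(f"vector lacks impact metrics: {missing}")
    try:
        return {LEGS[m]: LEVEL[metrics[m]] for m in LEGS}
    except KeyError as exc:
        raise ValueError(f"unknown impact value: {exc}") from None


def category(impact):
    """Name the single triad leg a finding falls into, or 'multiple' / 'none'."""
    hit = [leg for leg, level in impact.items() if level > 0]
    if not hit:
        return "none"
    return hit[0] if len(hit) == 1 else "multiple"


def rank(findings, weights):
    """Order finding names by impact, weighted by what this system cares about."""
    def score(item):
        impact = cia_impact(item[1])
        return sum(weights[leg] * level for leg, level in impact.items())
    return [name for name, _ in sorted(findings, key=score, reverse=True)]


BASE = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U"
FINDINGS = [  # the four SQL injection scenarios from the list above
    ("sqli-read-only", BASE + "/C:H/I:N/A:N"),
    ("sqli-write-only", BASE + "/C:N/I:H/A:N"),
    ("sqli-slow-query", BASE + "/C:N/I:N/A:H"),
    ("sqli-to-shell", BASE + "/C:H/I:H/A:H"),
]
JOURNAL = {"confidentiality": 0.7, "integrity": 0.2, "availability": 0.1}
PRESCRIPTIONS = {"confidentiality": 0.3, "integrity": 0.5, "availability": 0.2}

if __name__ == "__main__":
    for name, vector in FINDINGS:
        print(f"{name:16} -> {category(cia_impact(vector))}")
    print("journal:      ", rank(FINDINGS, JOURNAL))
    print("prescriptions:", rank(FINDINGS, PRESCRIPTIONS))
```

The same four findings come out in a different order for the journal and for the prescription system, which is the practical consequence of weighting one part of the triad above the others.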
The concepts behind the CIA triad are not overly complicated, and realistically they are items that you already work with intuitively, even if you don’t recognize it. However, it is important to mindfully interact with the concept, as it can help you recognize where to direct your efforts. This conceptual foundation will assist you with the identification of the critical components of your systems and the amount of effort and resources worth investing in correcting identified problems.
Another concept that we will address in detail is risk, and how it is made up of threats and vulnerabilities. These concepts are not too complex, but they are easy to get wrong. We will cover these concepts in detail later on, but at a high level, it is best to think of risk as what you are trying to prevent from happening, threat as who would do it to you, and vulnerability as what allows them to do it. Controls can be put in place to address the threat or vulnerability, with the goal of mitigating the risk.