Chapter-3-Maintaining Confidentiality, Integrity and Availability (1).pdf
CYBERSECURITY FUNDAMENTALS CYB281
Chapter 3: Maintaining Confidentiality, Integrity and Availability
9/12/2024

Chapter Objectives
After completing this chapter, a student will be able to:
- Understand the concept of information assurance.
- Explain the differences between information assurance and cybersecurity.
- Explain data confidentiality, data integrity and availability services.

Contents
- Information assurance fundamentals
- Confidentiality
- Integrity
- Availability

Information Assurance Fundamentals
"Assurance" in security engineering is defined as the degree of confidence that the security needs of a system are satisfied.
Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage and transmission of information.
Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data.

Information assurance vs. cybersecurity
Information Assurance
- Traditional field that existed before the Digital Age.
- Focus on strategy and protection of all information, both digital and physical.
- Protects organizations' information systems and assets, physical and digital.
- Tools and strategies include everything from user education, high-tech systems, firewalls and anti-virus technology to locked file cabinets and paper shredders.
- Threats emanate from cyberspace and from unauthorized personnel accessing protected information on-premises.

Cyber Security
- Innovative field that keeps pace with fast-changing technology, tactics and threats.
- Focus on protecting digital information and managing risk.
- Protects information and data, but also functional systems (e.g. the electrical grid, transportation infrastructure, and any devices connected to the Internet of Things (IoT)).

Information assurance vs. cybersecurity (Cont..)
Cyber Security
- Tools and strategies include everything from user education, high-tech systems, firewalls and anti-virus technology to penetration testing and bug bounty initiatives.
- Threats emanate from cyberspace and computer-to-computer communications.

Information Security vs. Information Assurance
Information security is purely concerned with protecting data and systems, while information assurance is holistic, encompassing additional elements like risk management, business continuity, disaster recovery, compliance, and the overall trustworthiness of the information environment.
Information security professionals are dedicated to ensuring the protection of the confidentiality, integrity, availability, authentication, authorization and non-repudiation principles for each system they protect.
The security of systems, applications and services must include controls and safeguards to offset possible threats, as well as controls to ensure confidentiality, integrity and availability.

Information Security
Information security is intended to protect information that has value to people and organizations. This value comes from the characteristics of the information:
- Confidentiality
- Integrity
- Availability
Information security is achieved through a combination of these three (CIA) security requirements.

What is the CIA Triad?
The CIA Triad is a guide for measures in information security. It serves as a tool or guide for securing information systems, devices, networks, communications and related technological assets.
The CIA Triad is a model that shows the three main objectives needed to achieve information security.

Confidentiality
Confidentiality ensures that sensitive information is accessed only by authorized users and kept out of the hands of unauthorized users.
It is implemented using security mechanisms such as usernames, passwords, access control lists (ACLs) and encryption.
Assuring that unauthorized parties do not have access to a piece of information is a complex task.

Integrity
In the information security realm, integrity normally refers to data integrity, or ensuring that stored data are accurate and contain no unauthorized modifications.
Integrity ensures that information is in a form that is true and correct to its original purposes.
Integrity is implemented using security mechanisms such as data encryption and hashing.
Software flaws and vulnerabilities can lead to accidental losses in data integrity and can open a system to unauthorized modification.
Disrupting the integrity of data at rest or of a message in transit can have serious consequences. Ensuring the integrity of this type of message is vital to any secure system.
Example: a software manufacturer wants to ensure that its executable file is received by users without modification.

Availability
Information systems must be accessible to users for these systems to provide any value. If a system is down or responding too slowly, it cannot provide the service it should.
Availability ensures that information and resources are available to those who need them.
It is implemented using methods such as hardware maintenance, software patching and network optimization.
Attacks on availability are somewhat different from those on integrity and confidentiality. The best-known attack on availability is a denial of service (DoS) attack.
The resources in question may be memory, CPU time, network bandwidth and/or any other component that an attacker can influence.
Authentication, authorization and non-repudiation are tools that system designers can use to maintain these pillars.
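The software manufacturer scenario from the Integrity slides above, as an added example that is not part of the original slides: the publisher hashes the executable and signs the digest, and the user checks both on download, so a modified file and a substituted file-plus-digest are both rejected. It assumes an Ed25519 key pair generated for the demonstration and a constructed byte string standing in for the executable.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Publish is the manufacturer side: hash the executable and sign the digest.
func Publish(priv ed25519.PrivateKey, binary []byte) (digest, sig []byte) {
	d := sha256.Sum256(binary)
	return d[:], ed25519.Sign(priv, d[:])
}

// Verify is the user side: the hash catches any change to the file bytes, the signature also catches a swapped file+digest.
func Verify(pub ed25519.PublicKey, binary, digest, sig []byte) error {
	got := sha256.Sum256(binary)
	if !bytes.Equal(got[:], digest) {
		return errors.New("digest mismatch: file changed after it was hashed")
	}
	if !ed25519.Verify(pub, digest, sig) {
		return errors.New("bad signature: digest was not produced by the publisher")
	}
	return nil
}

// Demo verifies three downloads: clean, one bit flipped, and file plus digest substituted. Only the first passes.
func Demo() (clean, flipped, swapped error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair
	if err != nil {
		panic(err)
	}
	binary := []byte("constructed executable bytes v1.0")
	digest, sig := Publish(priv, binary)
	clean = Verify(pub, binary, digest, sig)
	flip := append([]byte(nil), binary...)
	flip[0] ^= 0x01 // a single flipped bit
	flipped = Verify(pub, flip, digest, sig)
	sub := []byte("attacker-substituted executable")
	subDigest := sha256.Sum256(sub) // attacker can re-hash but cannot re-sign
	swapped = Verify(pub, sub, subDigest[:], sig)
	return clean, flipped, swapped
}

func main() {
	clean, flipped, swapped := Demo()
	fmt.Println("clean:", clean, "| flipped:", flipped, "| swapped:", swapped)
}
```

The hash alone only guards against changes to the file; the third case shows why the published digest must itself be protected by the manufacturer's signature.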
Benefits of the CIA Triad
The CIA triad provides multiple benefits to businesses, especially to ones that deal with sensitive data. The benefits of triad implementation include the following:
1- Data security and privacy: The most obvious benefit is ensuring preparedness in the face of today's sophisticated cyber attacks and other unauthorized attempts to access, steal or manipulate valuable data.
2- Compliance: Ensuring the confidentiality, integrity and availability of sensitive information means that the regulations and legal frameworks that exist to safeguard this information are followed.
3- Proactive risk prevention: When applied correctly, the triad creates an environment where security risks are proactively prevented. Existing vulnerabilities are identified and mitigated to prevent future threats.
4- Comprehensiveness: The three components mean that security teams aren't just concerned with thwarting attackers; they're also ensuring the veracity and availability of their data. For example, when a large volume of data is needed for analysis, following the CIA triad means the data is available and accessible when needed.

Best practices for implementing the CIA Triad
In implementing the CIA triad, an organization should follow a general set of best practices. These can be divided into the three subjects and include the following:
1. Confidentiality:
- Follow the organization's data-handling security policies.
- Use encryption and two-factor authentication (2FA).
- Keep access control lists and other file permissions up to date.
2. Integrity:
- Ensure employees are knowledgeable about compliance and regulatory requirements to minimize human error.
- Use backup and recovery software and services.
- Use version control, access control, security control, data logs and checksums.
3. Availability:
- Use preventive measures, such as redundancy, failover and redundant array of independent disks (RAID).
- Ensure systems and applications stay updated.
- Use network or server monitoring systems.
- Have a data recovery and business continuity plan in place in case of data loss.

Summary of the CIA Triad
What is the CIA?
- Confidentiality: The information is safe from accidental or intentional disclosure.
- Integrity: The information is safe from accidental or intentional modification or alteration.
- Availability: The information is available to authorized users when needed.
What is the purpose of the CIA?
- Confidentiality: Data is not disclosed.
- Integrity: Data is not tampered with.
- Availability: Data is available.
How can a user achieve the CIA?
- Confidentiality: Encryption.
- Integrity: Hashing and digital signatures.
- Availability: Backups and redundant systems.
Opposite of the CIA?
- Confidentiality: Disclosure.
- Integrity: Alteration.
- Availability: Destruction.