CIA Triangle and Related Concepts

Dr. Greg Bernstein

January 14th, 2021

CIA Triangle

References

C.I.A.

No, not the U.S. Government Agency

  • Confidentiality
  • Integrity
  • Availability

Confidentiality 1

From MDN/NIST:

Confidentiality refers to protecting information from being accessed by unauthorized parties. In other words, only the people who are authorized to do so can gain access to sensitive data.

Imagine your bank records. You should be able to access them, of course, and employees at the bank who are helping you with a transaction should be able to access them, but no one else should. A failure to maintain confidentiality means that someone who shouldn’t have access has managed to get it, through intentional behavior or by accident.

Confidentiality 2

From MDN/NIST:

Such a failure of confidentiality, commonly known as a breach, typically cannot be remedied. Once the secret has been revealed, there’s no way to un-reveal it. If your bank records are posted on a public website, everyone can know your bank account number, balance, etc., and that information can’t be erased from their minds, papers, computers, and other places. Nearly all the major security incidents reported in the media today involve major losses of confidentiality.

Integrity 1

From MDN/NIST:

Integrity refers to ensuring the authenticity of information—that information is not altered, and that the source of the information is genuine. Imagine that you have a website and you sell products on that site. Now imagine that an attacker can shop on your web site and maliciously alter the prices of your products, so that they can buy anything for whatever price they choose. That would be a failure of integrity, because your information—in this case, the price of a product—has been altered and you didn’t authorize this alteration.
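The price-alteration scenario above, as an added example that is not from the original slides or their sources: the server attaches an HMAC tag to each cart item and rejects any item whose fields no longer match the tag. The key, function names and sample SKU are assumptions made for illustration. Because the key is shared and held only by the server, the tag detects alteration but does not provide nonrepudiation.

```python
import hashlib
import hmac
import json

# Assumption: a secret known only to the server (constructed demo value).
SERVER_KEY = b"constructed-demo-key-not-for-production"

def _mac(item: dict) -> str:
    # Canonical encoding so the same fields always produce the same bytes.
    payload = json.dumps(item, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def issue_cart_item(sku: str, price_cents: int) -> dict:
    """Server side: hand the client an item plus its integrity tag."""
    item = {"sku": sku, "price_cents": price_cents}
    return {"item": item, "tag": _mac(item)}

def verify_cart_item(token: dict) -> bool:
    """Server side at checkout: recompute the tag and compare in constant time."""
    tag = token.get("tag")
    if not isinstance(tag, str) or not isinstance(token.get("item"), dict):
        return False
    return hmac.compare_digest(_mac(token["item"]), tag)

if __name__ == "__main__":
    genuine = issue_cart_item("SKU-1", 4999)          # constructed sample item
    altered = {"item": {"sku": "SKU-1", "price_cents": 1}, "tag": genuine["tag"]}
    print("genuine accepted:", verify_cart_item(genuine))
    print("altered accepted:", verify_cart_item(altered))
```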

Integrity 2

From MDN/NIST:

Another example of a failure of integrity is when you try to connect to a website and a malicious attacker between you and the website redirects your traffic to a different website. In this case, the site you are directed to is not genuine.

Integrity 3

From the CISSP Study Guide

Other concepts, conditions, and aspects of integrity include the following:

  1. Accuracy: Being correct and precise
  2. Truthfulness: Being a true reflection of reality
  3. Authenticity: Being authentic or genuine
  4. Validity: Being factually or logically sound

Integrity 4

From the CISSP Study Guide

  1. Nonrepudiation: Not being able to deny having performed an action or activity or being able to verify the origin of a communication or event
  2. Accountability: Being responsible or obligated for actions and results
  3. Responsibility: Being in charge or having control over something or someone
  4. Completeness: Having all needed and necessary components or parts
  5. Comprehensiveness: Being complete in scope; the full inclusion of all needed elements

Nonrepudiation 1

From the CISSP Study Guide

Nonrepudiation ensures that the subject of an activity or who caused an event cannot deny that the event occurred. Nonrepudiation prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.

Nonrepudiation 2

From the CISSP Study Guide

Nonrepudiation is made possible through identification, authentication, authorization, accountability, and auditing. Nonrepudiation can be established using digital certificates, session identifiers, transaction logs, and numerous other transactional and access control mechanisms. A system built without proper enforcement of nonrepudiation does not provide verification that a specific entity performed a certain action. Nonrepudiation is an essential part of accountability. A suspect cannot be held accountable if they can repudiate the claim against them.

Availability

From Wikipedia

For any information system to serve its purpose, the information must be available when it is needed. This means the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.

Ensuring availability also involves preventing denial-of-service attacks, such as a flood of incoming messages to the target system, essentially forcing it to shut down.

Enhanced Model

Data States

TODO

Safeguards

TODO

The McCumber Cube

TODO

Authentication, Authorization, and Accounting (AAA) Services

Controlling Access and Modification

  • Controlling access to information is key for confidentiality
  • Controlling who can modify information is key to integrity
  • Controlling access to a system can be key to availability

Steps in Access/Modification Control 1

From the CISSP Study Guide

  1. Identification: Claiming to be an identity when attempting to access a secured area or system
  2. Authentication: Proving that you are that identity
  3. Authorization: Defining the permissions (i.e., allow/grant and/or deny) of a resource and object access for a specific identity

Steps in Access/Modification Control 2

From the CISSP Study Guide

  1. Auditing: Recording a log of the events and activities related to the system and subjects
  2. Accounting (aka accountability): Reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions

Identification

From the CISSP Study Guide

Identification is the process by which a subject professes an identity and accountability is initiated. A subject must provide an identity to a system to start the process of authentication, authorization, and accountability (AAA). Providing an identity can involve typing in a username; swiping a smart card; waving a proximity device; speaking a phrase; or positioning your face, hand, or finger for a camera or scanning device…

Authentication

From the CISSP Study Guide

The process of verifying or testing that the claimed identity is valid is authentication. Authentication requires the subject to provide additional information that corresponds to the identity they are claiming. The most common form of authentication is using a password (this includes the password variations of personal identification numbers (PINs) and passphrases). Authentication verifies the identity of the subject by comparing one or more factors against the database of valid identities (that is, user accounts). The authentication factor used to verify identity is typically labeled as, or considered to be, private information…

Authorization

From the CISSP Study Guide

Once a subject is authenticated, access must be authorized. The process of authorization ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity. In most cases, the system evaluates an access control matrix that compares the subject, the object, and the intended activity. If the specific action is allowed, the subject is authorized. If the specific action is not allowed, the subject is not authorized.

Auditing

From the CISSP Study Guide

Auditing, or monitoring, is the programmatic means by which a subject’s actions are tracked and recorded for the purpose of holding the subject accountable for their actions while authenticated on a system. It is also the process by which unauthorized or abnormal activities are detected on a system. Auditing is recording activities of a subject and its objects as well as recording the activities of core system functions that maintain the operating environment and the security mechanisms. The audit trails created by recording system events to logs can be used to evaluate the health and performance of a system.

Accountability

An organization’s security policy can be properly enforced only if accountability is maintained. In other words, you can maintain security only if subjects are held accountable for their actions. Effective accountability relies on the capability to prove a subject’s identity and track their activities. Accountability is established by linking a human to the activities of an online identity through the security services and mechanisms of auditing, authorization, authentication, and identification.
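The five steps above (identification, authentication, authorization, auditing, accounting) wired together, as an added example that is not from the original slides or the CISSP Study Guide. The user, password, object names and access control matrix are constructed sample data, and every function name is an assumption made for illustration.

```python
import hashlib
import hmac
import os
import time

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: one account and a small access control matrix.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}  # identity -> (salt, verifier)
ACM = {("alice", "ledger"): {"read"}}  # (subject, object) -> allowed activities
AUDIT_LOG = []                         # audit trail: one record per decision

def audit(subject, obj, action, outcome):
    AUDIT_LOG.append({"ts": time.time(), "subject": subject,
                      "object": obj, "action": action, "outcome": outcome})

def authenticate(claimed_id: str, password: str) -> bool:
    # Identification is the claimed_id; authentication proves the claim.
    # Unknown identities still run the hash so both paths do similar work.
    salt, verifier = USERS.get(claimed_id, (b"\0" * 16, b""))
    return hmac.compare_digest(_hash(password, salt), verifier)

def request(claimed_id, password, obj, action) -> str:
    if not authenticate(claimed_id, password):
        outcome = "auth_failed"
    elif action in ACM.get((claimed_id, obj), set()):
        outcome = "allowed"   # matrix lists this subject, object and activity
    else:
        outcome = "denied"    # default deny: anything not listed is refused
    audit(claimed_id, obj, action, outcome)  # auditing: record every decision
    return outcome

def accounting_review(log) -> dict:
    """Accounting: review the trail and count non-allowed events per subject."""
    counts = {}
    for rec in log:
        if rec["outcome"] != "allowed":
            counts[rec["subject"]] = counts.get(rec["subject"], 0) + 1
    return counts
```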

Additional Concepts

Least Privilege

TODO

Perimeter, Layered, Zero Trust

TODO
