CIA Triad Foundations & Confidentiality Deep-Dive

CIA Triad – Foundational Overview

  • "CIA" stands for Confidentiality, Integrity, Availability (in some courseware you may see it reordered as AIC).
  • Referred to throughout the course as the foundational anchors; every later topic is traced back to one or more legs of the triad.
  • Graphic shown in the video visualises three equal-length sides of a triangle:
    • Confidentiality: Keep secrets secret – only authorised subjects (people, processes, systems) can read the data.
    • Integrity: Protect data from unauthorised or unnoticed modification (e.g.
      adding an extra 00 to a bank balance).
    • Availability: Ensure data/services remain reachable for authorised users when needed.
  • Business context decides which leg receives emphasis:
    • Public-facing website → high Availability & Integrity, moderate Confidentiality.
    • Online payment platform → very high Confidentiality & Integrity, still needs Availability (customers must be able to pay).
  • Cyber-security professional’s recurring task: Find a usable–secure balance – “super secure but unusable” ≠ useful.

Confidentiality (Leg 1)

  • Typical Hollywood narrative: elite hacker steals secrets; real world more often ≈ human error or basic deception.
  • Breach impact is identical whether from a disgruntled insider, naïve admin mistake, or sophisticated compromise – the secret is out.
  • Investigating how informs remediation, but confidentiality is already lost.

Threat Categories

  • Cryptanalysis / Breaking Encryption
    • Modern algorithms (e.g. AES) are extremely robust.
    • Attack feasible only if:
    • Algorithmic weakness exists (rare).
    • Implementation/usage flaw exploited (side-channel leakage, poor key management, wrong mode, etc.).
    • Example estimate: With current commodity hardware, cracking a properly implemented high-entropy AES-encrypted password could take 50100 years\approx 50\text{–}100\ \text{years}.
  • Side-Channel Attacks
    • Exploit unintended information (timing, power use, EM radiation) rather than math itself.
  • Social Engineering
    • Far easier than math; convince Bob to reveal the password rather than brute-force.
    • Will be explored in depth later in course.
  • Malware / Key-Loggers
    • User visits malicious site or clicks email link → device infected → keystrokes captured → attacker gains credentials next login.
  • Inadequate Network Segmentation (IoT / Smart Devices)
    • Smart TVs, thermostats, garage door openers, fish-tank sensors often ship:
    • Unpatchable or rarely patched firmware.
    • Default passwords & minimal security.
    • When left on production LAN, they form an easy pivot point for attackers.

Mitigation & Best Practices (People, Processes, Technology)

  • People
    • Emphasise awareness-raising training – goal: behaviour change, not check-box compliance.
    • Well-trained staff report more incidents → paradoxically higher ticket volume is a positive security health indicator.
  • Processes
    • Mandatory security training cadence, but ensure fresh content; avoid mind-numbing identical quarterly slide decks.
    • Clear incident-reporting workflow (e.g. forward suspected phishing to IT-Sec).
  • Technology
    • Multifactor Authentication (MFA): After password, admin must type a time-based token from phone.
    • Even with stolen username/password, attacker lacks second factor.
    • Proper Segmentation for IoT: Place smart devices on isolated VLAN / guest network, remove defaults, apply firmware updates when available.

Integrity (Leg 2)

  • Protects accuracy, consistency, trustworthiness of information over its entire life-cycle.
  • Example consequence: Extra 00 in bank ledger → financial chaos and legal exposure.
  • Closely intertwined with confidentiality (often same controls such as encryption, access controls) but distinct aim: detect/stop modification, not just reading.

Availability (Leg 3)

  • Services/data must be reachable at required performance levels.
  • Over-hardening that blocks legitimate use undermines business objectives – “secure but down” is still a failure.

Relationship Among the Legs

  • Security decisions are risk-based trade-offs:
    • Increasing one leg can sometimes reduce another (e.g. very strict access controls might slow customer transactions).
    • Goal: Align with business mission & tolerance.

Practical / Ethical / Philosophical Notes

  • Breach responsibility: whether insider or attacker, organisation must still notify, remediate, and preserve trust.
  • Usability ethics: Designers have duty not to impose unusable security that pushes users toward insecure work-arounds.

Course Roadmap Connections

  • Upcoming lectures will dive deeper into:
    • Advanced cryptography & side-channel mitigations.
    • Social-engineering methodologies & defence.
    • Architecture patterns for availability & resiliency.
    • IoT hardening & segmentation strategies.

Key Takeaways

  • CIA Triad is foundation of the foundation – keep it top-of-mind for every security decision.
  • Confidentiality failure is binary – once secret is known, damage done regardless of breach method.
  • Modern encryption is strong; human factors are weakest link.
  • Effective security program weaves together:
    • Engaged, educated people.
    • Well-documented, enforced processes.
    • Appropriately deployed technology.
  • Measure training success by behavioural change & incident reporting volume, not merely training hours logged.
  • Segment and patch IoT devices; treat them as semi-trusted at best.

End-of-Lecture

  • Lecture ends; next video will extend these foundations.