CIA Triad Foundations & Confidentiality Deep-Dive
CIA Triad – Foundational Overview
- "CIA" stands for Confidentiality, Integrity, Availability (in some courseware you may see it reordered as AIC).
- Referred to throughout the course as the foundational anchors; every later topic is traced back to one or more legs of the triad.
- Graphic shown in the video visualises three equal-length sides of a triangle:
- Confidentiality: Keep secrets secret – only authorised subjects (people, processes, systems) can read the data.
- Integrity: Protect data from unauthorised or unnoticed modification (e.g.
adding an extra 0 to a bank balance). - Availability: Ensure data/services remain reachable for authorised users when needed.
- Business context decides which leg receives emphasis:
- Public-facing website → high Availability & Integrity, moderate Confidentiality.
- Online payment platform → very high Confidentiality & Integrity, still needs Availability (customers must be able to pay).
- Cyber-security professional’s recurring task: Find a usable–secure balance – “super secure but unusable” ≠ useful.
Confidentiality (Leg 1)
- Typical Hollywood narrative: elite hacker steals secrets; real world more often ≈ human error or basic deception.
- Breach impact is identical whether from a disgruntled insider, naïve admin mistake, or sophisticated compromise – the secret is out.
- Investigating how informs remediation, but confidentiality is already lost.
Threat Categories
- Cryptanalysis / Breaking Encryption
- Modern algorithms (e.g. AES) are extremely robust.
- Attack feasible only if:
- Algorithmic weakness exists (rare).
- Implementation/usage flaw exploited (side-channel leakage, poor key management, wrong mode, etc.).
- Example estimate: With current commodity hardware, cracking a properly implemented high-entropy AES-encrypted password could take ≈50–100 years.
- Side-Channel Attacks
- Exploit unintended information (timing, power use, EM radiation) rather than math itself.
- Social Engineering
- Far easier than math; convince Bob to reveal the password rather than brute-force.
- Will be explored in depth later in course.
- Malware / Key-Loggers
- User visits malicious site or clicks email link → device infected → keystrokes captured → attacker gains credentials next login.
- Inadequate Network Segmentation (IoT / Smart Devices)
- Smart TVs, thermostats, garage door openers, fish-tank sensors often ship:
- Unpatchable or rarely patched firmware.
- Default passwords & minimal security.
- When left on production LAN, they form an easy pivot point for attackers.
Mitigation & Best Practices (People, Processes, Technology)
- People
- Emphasise awareness-raising training – goal: behaviour change, not check-box compliance.
- Well-trained staff report more incidents → paradoxically higher ticket volume is a positive security health indicator.
- Processes
- Mandatory security training cadence, but ensure fresh content; avoid mind-numbing identical quarterly slide decks.
- Clear incident-reporting workflow (e.g. forward suspected phishing to IT-Sec).
- Technology
- Multifactor Authentication (MFA): After password, admin must type a time-based token from phone.
- Even with stolen username/password, attacker lacks second factor.
- Proper Segmentation for IoT: Place smart devices on isolated VLAN / guest network, remove defaults, apply firmware updates when available.
Integrity (Leg 2)
- Protects accuracy, consistency, trustworthiness of information over its entire life-cycle.
- Example consequence: Extra 0 in bank ledger → financial chaos and legal exposure.
- Closely intertwined with confidentiality (often same controls such as encryption, access controls) but distinct aim: detect/stop modification, not just reading.
Availability (Leg 3)
- Services/data must be reachable at required performance levels.
- Over-hardening that blocks legitimate use undermines business objectives – “secure but down” is still a failure.
Relationship Among the Legs
- Security decisions are risk-based trade-offs:
- Increasing one leg can sometimes reduce another (e.g. very strict access controls might slow customer transactions).
- Goal: Align with business mission & tolerance.
Practical / Ethical / Philosophical Notes
- Breach responsibility: whether insider or attacker, organisation must still notify, remediate, and preserve trust.
- Usability ethics: Designers have duty not to impose unusable security that pushes users toward insecure work-arounds.
Course Roadmap Connections
- Upcoming lectures will dive deeper into:
- Advanced cryptography & side-channel mitigations.
- Social-engineering methodologies & defence.
- Architecture patterns for availability & resiliency.
- IoT hardening & segmentation strategies.
Key Takeaways
- CIA Triad is foundation of the foundation – keep it top-of-mind for every security decision.
- Confidentiality failure is binary – once secret is known, damage done regardless of breach method.
- Modern encryption is strong; human factors are weakest link.
- Effective security program weaves together:
- Engaged, educated people.
- Well-documented, enforced processes.
- Appropriately deployed technology.
- Measure training success by behavioural change & incident reporting volume, not merely training hours logged.
- Segment and patch IoT devices; treat them as semi-trusted at best.
End-of-Lecture
- Lecture ends; next video will extend these foundations.