The CIA Triangle in Information Security
In 2018, 72% of large businesses and 31% of small businesses identified breaches or attacks. The average cost of these attacks rose an enormous 27% from the previous year. Though it is perhaps difficult to admit, the weak link that facilitates these attacks is more often than not the human users.
As part of information security training, and of any attempt to minimise potential risks, there are three principles upon which professionals typically focus: Confidentiality, Integrity and Availability. This is known as the CIA Triad.
- Confidentiality: secure information is only accessible to authorised individuals.
- Integrity: secure information or systems are always accurate and complete.
- Availability: secure information is always accessible to those who need it.
The confidentiality of information is often the first aspect of cybersecurity considered, certainly when it comes to many high-profile ‘hacks’ that are reported in the headlines. When a nefarious actor gains unauthorised access to an organisation’s user data, such as emails or payment information, this is a compromise of confidentiality.
When protecting the confidentiality of information, how the data is stored plays a large role. To limit the damage of a data breach, organisations should only store sensitive information in protected formats. Whether encrypted data or plain-text data is stolen can have a significant impact upon the outcome of a confidentiality breach.
In 2018, the Information Commissioner’s Office fined Heathrow Airport £120,000 for the loss of an unencrypted and non-password protected memory stick. The USB device contained a variety of sensitive information, including the personal data of security staff, as well as information regarding security protocols that could have aided malicious actors.
Though hashed or encrypted files are significantly more difficult for a bad actor to exploit, organisations cannot simply rely on these methods to protect the confidentiality of their information.
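As an added illustration of the "protected format" point above (example code written for this page, not something from the original post or from Hut Six), the block below contrasts a record that stores a secret in plain text with one that stores only a salted PBKDF2-HMAC-SHA256 derivation of it. If the second record is copied off a lost USB stick, it reveals nothing directly, yet the organisation can still verify the secret later. The iteration count and salt length are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Example parameters (assumptions for this illustration, not a recommendation
# for any specific deployment).
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def plaintext_record(secret: str) -> dict:
    """The weak form: whoever obtains the record obtains the secret."""
    return {"secret": secret}


def protected_record(secret: str, salt: Optional[bytes] = None) -> dict:
    """The hardened form: store a salted, slow derivation instead of the secret.

    A fresh random salt per record means identical secrets produce different
    stored digests, so a stolen store cannot be compared against a single
    precomputed table.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, secret.encode("utf-8"), salt, ITERATIONS
    )
    return {
        "salt": salt.hex(),
        "digest": digest.hex(),
        "iterations": ITERATIONS,
    }


def verify_secret(candidate: str, record: dict) -> bool:
    """Re-run the derivation with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def record_reveals_secret(secret: str, record: dict) -> bool:
    """True if the secret appears verbatim anywhere in the stored record."""
    return secret in repr(record)


if __name__ == "__main__":
    # Constructed sample secret for the demonstration.
    secret = "correct horse battery staple"
    weak = plaintext_record(secret)
    strong = protected_record(secret)
    print("plaintext record leaks secret:", record_reveals_secret(secret, weak))
    print("protected record leaks secret:", record_reveals_secret(secret, strong))
    print("verification of correct secret:", verify_secret(secret, strong))
    print("verification of wrong secret:", verify_secret("guess", strong))
```

The constant-time comparison matters because a plain `==` on digests can leak how many leading bytes matched through timing; `hmac.compare_digest` avoids that.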
Both the accuracy and completeness of information are integral to an organisation's ability to function. Integrity focuses on ensuring that data has not been tampered with and that it can be trusted as authentic and reliable.
It should be noted that integrity isn't just about protecting data whilst it is being stored, but also whilst it is being used and whilst it is in transit. As with the confidentiality of information, integrity relies on both encryption and hashing, as well as on other measures such as digital signatures, intrusion detection systems and stringent organisational procedures.
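The paragraph above lists hashing alongside digital signatures as integrity measures. The added example below (written for this page; not code from the original post or from Hut Six) shows the difference that matters in practice: an unkeyed hash stored next to the data detects accidental corruption, but anyone who can rewrite the data can also rewrite the hash, so on its own it gives no integrity against an adversary. A keyed MAC (HMAC-SHA256 here, a simpler relative of a digital signature) cannot be recomputed without the key, so the same modification is detected. The key and the message payload are constructed for the example.

```python
import hashlib
import hmac
import json


def sha256_tag(data: bytes) -> str:
    """Unkeyed checksum: protects against accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed tag: cannot be recomputed by anyone who lacks the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def seal(key: bytes, payload: dict) -> dict:
    """Serialise a payload and attach both kinds of tag so they can be compared."""
    body = json.dumps(payload, sort_keys=True).encode("utf-8")
    return {
        "body": body.decode("utf-8"),
        "sha256": sha256_tag(body),
        "hmac": hmac_tag(key, body),
    }


def check(key: bytes, message: dict) -> dict:
    """Report whether each tag still matches the body, using constant-time compares."""
    body = message["body"].encode("utf-8")
    return {
        "sha256_ok": hmac.compare_digest(sha256_tag(body), message["sha256"]),
        "hmac_ok": hmac.compare_digest(hmac_tag(key, body), message["hmac"]),
    }


def modify_in_transit(message: dict, new_payload: dict) -> dict:
    """Model a party that rewrites the body while it is in transit.

    Such a party can recompute the unkeyed hash to match the new body, but has
    no key and so must leave the HMAC as it was. This is why an unkeyed
    checksum alone is not an integrity control against tampering.
    """
    body = json.dumps(new_payload, sort_keys=True).encode("utf-8")
    return {
        "body": body.decode("utf-8"),
        "sha256": sha256_tag(body),
        "hmac": message["hmac"],
    }


def corrupt_in_transit(message: dict) -> dict:
    """Model accidental corruption: a character changes, no tag is updated."""
    corrupted = dict(message)
    corrupted["body"] = message["body"].replace("100", "101", 1)
    return corrupted


if __name__ == "__main__":
    key = b"constructed-example-key-not-for-real-use"  # assumption: shared secret
    original = seal(key, {"amount": 100, "to": "acct-1"})
    print("original:", check(key, original))
    print("modified:", check(key, modify_in_transit(original, {"amount": 9999, "to": "acct-1"})))
    print("corrupted:", check(key, corrupt_in_transit(original)))
```

Reading the three results together: the unkeyed hash passes on the deliberately modified message and fails only on random corruption, whereas the HMAC fails in both cases. A digital signature gives the same tamper detection with a private key that the verifier never needs to hold.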
A specially designed piece of malicious software named Stuxnet infected an Iranian nuclear enrichment facility. Though the facility’s systems were air-gapped (i.e. not connected to systems outside the facility), outside actors engineered a situation in which an employee unwittingly compromised the facility by plugging in an infected USB stick. By compromising the accuracy and integrity of these systems, the creators of Stuxnet were able to significantly affect the facility’s ability to function.
As you might expect, the value of information reduces dramatically if users or an organisation cannot access it. Put simply, availability means that networks and systems are functioning properly, and that authorised parties can access resources, data and information as and when they are needed.
Whilst a great deal of availability is reliant on the maintenance of digital systems, those digital systems are in turn reliant upon physical preconditions, and thus availability is dependent upon consistent power, the absence of human error and the correct functioning of hardware.
Perhaps one of the most memorable recent failures of availability was the 2017 NHS WannaCry ransomware crisis. Thanks to the NHS’ outdated systems, critical information was rendered inaccessible because of a computer worm, with staff having to resort to pen and paper records in lieu of their electronic documents. Costing the NHS an estimated £92 million, WannaCry seriously endangered the lives of UK citizens, as well as infecting over 300,000 computers worldwide.
Applying the CIA Triad
For each principle that makes up the CIA triad, we have a prime example of its importance in relation to reliable information security. Depending on your organisation, industry and general requirements, there are many ways in which the CIA triad's principles can be applied.
Part of any organisation's implementation of these principles is the prioritisation of needs and requirements. For example, as the confidentiality of data is increased, this can negatively impact upon its availability; likewise, as availability is increased, this can degrade the integrity of the data.
As with many aspects of life, information security frequently involves trade-offs, though ensuring that your organisation's data is adequately confidential, accurate, complete and accessible is no longer optional. Likewise, ensuring that staff are adequately trained in these principles, and in the other foundations of information security, is now essential for any organisation.