What is the CIA Triad of Information Security?
Modern hackers are able to hack absolutely everything, from airplanes, cars and sensor equipment to TSA locks, voting booths and medical devices.
The overall picture is even worse. Former director of the National Security Agency, Mike McConnell, suspects that China has cracked “all major corporations” of the United States. Edward Snowden found that the US government keeps track of national and international hacks. And, according to the Ponemon Institute, in 2014, 110 million Americans turned to the authorities with complaints that their personal data had been compromised.
The system is broken. It no longer provides security to people, companies, or the government. The worst thing is that no one knows how to fix it all.
If you do not install bad software on your computer and do not allow bad people to access it, then you have nothing to worry about.
Attackers target the “endpoints” (any device or sensor connected to the network) that they need in order to break into the network. These “endpoints” are usually protected by firewalls, certificates, passwords, and so on.
In the early days of the Internet, hacking the network was relatively easy. Today, most private networks have a huge number of “endpoints” that provide reliable protection. However, there are still too many vulnerabilities that hackers can use for their own purposes. As Ajay Arora, CEO of the file protection company “Vera”, notes: “There is no more perimeter. This is a dream of the past.”
However, the security paradigm is still focused on perimeter protection, because, frankly, no one knows what else can be done.
This is the basic human instinct for assessing risk and taking, or not taking, action on that risk. This is the essence of security: a body of knowledge that provides a framework around this instinct.
The information security community has a model for assessing and responding to threats, at least as a starting point: confidentiality, integrity and availability.
Availability means ensuring continued support for your services and providing administrators with access to core networks and management. Hacker attacks such as “denial of service” or “delete data” put availability at risk.
Integrity means assessing whether the critical data and software of your network and systems are at risk from malicious threats, unauthorized access and various errors. Viruses and malware violate the integrity of the systems they infect.
These three concepts are quite often in tension by their nature. Imagine that company information is available via an extranet. This availability exposes attack vectors that could compromise data privacy. Similarly, burdensome confidentiality requirements will impede a company’s desire to provide data to customers and partners. Or perhaps a company wanted the data to be available so quickly that the development of the site was abandoned, which led to data leakage between users – a lack of data integrity.
Because of this, whoever is developing software will assign different weights to the elements of the CIA triad. A retail website may rate availability above integrity or confidentiality, while a bank is likely to rate confidentiality above availability and integrity. This does not mean that each element is not considered in every case, but each scenario weights them differently depending on the main risks.
Of all the above components, integrity is the least understood and the most obscure. Many people do not realize that breaking it is a huge threat to governments and modern business.
Meanwhile, cybersecurity remains focused solely on confidentiality. Its mantra is to “encrypt everything.” This plays a key role in ensuring proper security, but without integrity protection, the keys that ensure the security of encrypted data are themselves vulnerable. This even applies to proven encryption algorithms such as AES-GCM.
Loss of integrity is a greater danger than loss of confidentiality. To see this, simply compare the different types of violations:
- Violating your car’s privacy means that someone will learn about your driving habits. Violation of integrity means that they can harm you, for example, by making your brakes fail.
- Violation of the confidentiality of the energy network reveals information about the operation of the system. Violation of integrity exposes critical systems to possible failure or shutdown.
- A breach of confidentiality in the military industry means that hackers can get information about the vulnerabilities of weapons systems. Violation of integrity means that they can gain control over these systems.
Most companies focus on encryption and perimeter protection in the post-perimeter world. Their security plans underestimate availability and rarely address integrity.
Speaking to Congress this fall, James Clapper, director of National Intelligence, said that the biggest threat to national security is “cyber operations that can change or manipulate electronic information in order to compromise its integrity and not remove or violate access to it.” The director of the National Security Agency, Michael Rogers, shares his point of view.
What can we do?
Part of the problem is the technology that the cybersecurity sector relies on. Public key infrastructure (PKI) has remained dominant for decades. It prevents unauthorized access to systems or messages. PKI ensures that only those who have the right “key” can access the content. However, hackers attack “all windows and doors”, and as soon as they get inside, PKI becomes useless. That is why most companies have no idea who is hiding in their systems and what they are doing there.
Integrity-assisting devices, in turn, will act not as locks, but as an alarm. They will be able to monitor all parts of the network, from access points around the perimeter to confidential data inside it, and to warn if something changes unexpectedly. This technology is no longer a pipe dream.
The challenge is to effectively scale these technologies for practical implementation. That’s what the security community should focus on.
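The alarm-style integrity check described above, as an added example (not code from the original article): it records a SHA-256 baseline of a directory, authenticates that baseline with HMAC so it cannot be silently rewritten, and reports any file that changes unexpectedly. The function names, sample files and key are constructed for illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}


def seal(digests, key):
    """Serialize the baseline and authenticate it with HMAC-SHA256."""
    body = json.dumps(digests, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def check(root, body, tag, key):
    """Return alerts: an unauthenticated baseline, or files added/removed/modified."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return ["baseline: authentication tag mismatch"]
    baseline, current = json.loads(body), snapshot(root)
    alerts = [f"modified: {p}" for p in baseline if p in current and current[p] != baseline[p]]
    alerts += [f"removed: {p}" for p in baseline if p not in current]
    alerts += [f"added: {p}" for p in current if p not in baseline]
    return sorted(alerts)


def demo():
    """Constructed sample tree: baseline, then one file altered and one new file."""
    key = b"constructed-demo-key"  # assumption: a real key is kept off the monitored host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_bytes(b"debug=false\n")
        (root / "users.db").write_bytes(b"alice\n")
        body, tag = seal(snapshot(root), key)
        clean = check(root, body, tag, key)        # nothing changed yet
        (root / "app.conf").write_bytes(b"debug=true\n")
        (root / "extra.sh").write_bytes(b"#!/bin/sh\n")
        changed = check(root, body, tag, key)      # unexpected changes raise alerts
        forged = check(root, body, "0" * 64, key)  # baseline with a bad tag is rejected
    return clean, changed, forged


if __name__ == "__main__":
    print(demo())
```

The HMAC over the baseline matters as much as the file hashes: a monitor whose reference data can be edited by whoever is inside the network no longer works as an alarm.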