Confidentiality
Prevent or minimize unauthorized access to data while in storage, in process, and in transit.
Attacks focused on violation of confidentiality
- Capturing network traffic,
- Stealing password files,
- Social engineering techniques,
- Port scanning,
- Eavesdropping,
- Sniffing,
- Escalation of privileges etc.
Events that lead to confidentiality breaches
- Failing to properly encrypt a transmission,
- Failing to fully authenticate a remote system before transferring data,
- Leaving open otherwise secured access points,
- Accessing malicious code that opens a backdoor,
- Misrouted faxes,
- Documents left on printers,
- Walking away from an access terminal while data is displayed on monitor etc
Countermeasures
- Encryption for data at rest (whole disk, database encryption),
- Encryption for data in motion (IPSec, TLS, PPTP, SSH)
- Network traffic padding (technical),
- Strict access control (physical and technical),
- Rigorous authentication procedures (technical),
- Data classification (administrative and technical), and
- Extensive personnel training (administrative)
Other aspects of confidentiality includes
- Sensitivity refers to the quality of information, which could cause harm or damage if disclosed.
- Discretion an act of decision where an operator can influence disclosure to minimize damage.
- Criticality the level to which information is mission critical.
- Concealment an act of hiding or preventing disclosure. (Security through obscurity)
- Secrecy an act of keeping something a secret or preventing the disclosure of information.
- Privacy act of keeping personally identifiable information confidential that might cause harm, embarrassment, or disgrace to someone if revealed.
- Seclusion involves storing something in an out-of-the-way location.
- Isolation an act of keeping something separated from others. Prevent commingling of information
Integrity
Protect the reliability and correctness of data. Integrity protection prevents unauthorized alterations of data and ensures that data remains correct, unaltered, and preserved.
Integrity can be examined as:
- Prevent unauthorized subjects from making modifications
- Prevent authorized subjects from making unauthorized modifications
- Maintain internal and external consistency of objects so that their data is a correct and true reflection of the real world
Attacks focused on violation of integrity
- Viruses, logic bombs,
- Unauthorized access,
- Errors in coding and applications,
- Malicious modification, Intentional replacement, and
- System backdoor
Countermeasures
- Strict access control (physical and technical),
- Rigorous authentication procedure (technical),
- Configuration management (system integrity),
- Change control (process integrity),
- Software digital signing,
- Intrusion detection systems (technical),
- Object/data encryption (technical),
- Hash total verifications (data integrity),
- Interface restrictions, Input/function checks (technical), and
- Extensive personnel training (administrative)
- Accuracy: Being correct and precise
- Truthfulness: Being a true reflection of reality
- Authenticity: Being authentic or genuine
- Validity: Being factually or logically sound
- Nonrepudiation: Not being able to deny having performed an action
- Accountability: Being responsible or obligated for actions and results
- Responsibility: Being in charge or having control over something or someone
- Completeness: Having all needed and necessary components or parts
- Comprehensiveness: Being complete in scope; the full inclusion of all needed elements
Availability
Authorized subjects are granted timely and uninterrupted access to objects; offers a high level of assurance that the data, objects, and resources are accessible to authorized subjects.
Threats to availability
- Device failure,
- Software errors, and
- Environmental issues (heat, static, flooding, power loss etc)
Attacks focused on violation of availability
- DoS attacks,
- Object destruction, and
- Communication interruptions
Events that lead to availability breaches
- Accidentally deleting files,
- Over-utilizing a hardware or software component,
- Under-allocating resources, and
- Mislabeling or incorrectly classifying objects.
Countermeasures
- Design intermediary delivery systems properly,
- Use access controls effectively,
- Monitor performance and network traffic,
- Use firewalls and routers to prevent DoS attacks,
- Implement redundancy for critical systems (RAID, clustering, load balancing, disk shadowing, failover clustering), and
- Maintain and test backup systems
Other aspects of integrity includes
- Usability: state of being easy to use or able to be understood and controlled by a subject.
- Accessibility: assurance that widest range of subjects can interact with a resource regardless of their capabilities or limitations.
- Timeliness: Being prompt, on time, within a reasonable time frame, or providing low-latency response.
Availability depends on both integrity and confidentiality. Without integrity and confidentiality, availability cannot be maintained.
CIA Priority
- Military/government organizations, IT systems: tend to follow CIA Triad
- Private companies, Operational technology: tend to follow AIC
Reference
Mike Chapple. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide.
Shon Harris. CISSP All-in-One Exam Guide.
Shon Harris. CISSP All-in-One Exam Guide.
