Hills Are Alive: In the 1965 film classic “The Sound of Music,” Maria, the troublesome but optimistic nun turned nanny, teaches the Von Trapp children how to sing, since they have never learned. She starts into song with “Let’s start at the very beginning, a very good place to start. When you read you begin with A-B-C; when you sing you begin with do-re-mi.” Here at the Cyber Tripwire, we change that second part a bit to apply to cybersecurity: “When you cyber, begin with C-I-A.” OK, so maybe it won’t be sung by teenagers around the world, and I’ll have to postpone my songwriting career.
C-I-A: With cybersecurity, getting back to the basics is as easy as C-I-A: Confidentiality, Integrity, and Availability. These are the high-level basics. Confidentiality means that only the people who are supposed to access the data can access it. Integrity means that there are no unauthorized changes to data at any point: in transit, in use, or at rest. Availability means that computer resources are ready and can be accessed by legitimate users when they need them. Together they are referred to as the “C-I-A Triad.” For most organizations a chink in the armor of any of the three could cause havoc. Let’s look at each one more closely.
Confidentiality: The importance of confidentiality differs depending on your industry. If you have a secret recipe like Colonel Sanders, it is critical. If your organization handles any personal information, the protection of that confidential information is required by law. Here are some examples of a failure to maintain confidentiality: an unauthorized person accesses data; an unauthorized process gains access to data, as when an attacker uses malware to copy your files; an unauthorized person learns an approximate data value, such as the range an employee’s salary falls within; or an unauthorized person merely learns that a piece of data exists. If you send personal information over unencrypted email, the confidentiality of that data is at serious risk, because anyone on the path between sender and recipient can read it.
Integrity: Integrity does not necessarily require hacker intervention to be lost. It can be lost through careless use by an authorized user, for instance a user who accidentally saves an unapproved modification to a file without realizing it. Information system errors can also affect the integrity of data. For data to have integrity, it needs to be precise, accurate, meaningful, and useful. Modifications must be made through approved methods and only by authorized people or processes. When an attacker captures data in transit, changes it, and forwards it to the original recipient, the integrity of that data is lost. Note that encryption alone does not prevent this: encryption protects confidentiality, and protecting integrity in transit requires a separate check, such as a message authentication code or a digital signature, so the recipient can detect that the data was changed.
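To make the distinction between the confidentiality and integrity paragraphs above concrete, here is an added example (it is not code from the Cyber Tripwire, and the key, message, nonce and the attacker’s edit are all constructed for illustration). It runs one payment instruction through three cases: sent in the clear, where an on-path attacker changes the amount and nobody can tell; encrypted with a toy stream cipher, which hides the content but still lets an attacker who knows the message layout flip one byte of ciphertext without knowing the key; and tagged with an HMAC, where the same edit is detected by the recipient. The stream cipher is a hypothetical SHAKE-256 keystream used only to show the bit-flipping problem; it is not a recommendation.

```python
import hashlib
import hmac

# Constructed sample values for this example (not from any real system):
# a shared key known only to sender and recipient, a payment instruction as
# it crosses the network, and a fixed nonce for the toy stream cipher below.
SHARED_KEY = b"example-shared-secret-do-not-reuse"
ORIGINAL = b"pay=100;to=acct-1234"
NONCE = b"nonce-0001"


def tamper(wire: bytes) -> bytes:
    """Attacker on the path: rewrite the amount in any plaintext message."""
    return wire.replace(b"pay=100", b"pay=900")


def sign(key: bytes, message: bytes) -> bytes:
    """Sender side: append an HMAC-SHA256 tag so the recipient can detect changes."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return message + b"|" + tag


def verify(key: bytes, wire: bytes):
    """Recipient side: recompute the tag over the received message and compare
    in constant time. Returns (ok, message); trust the message only if ok."""
    message, sep, presented = wire.rpartition(b"|")
    if not sep:
        return False, b""
    expected = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, presented), message


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (hypothetical, illustration only): XOR the data with a
    SHAKE-256 keystream. The same call encrypts and decrypts. It hides the
    content (confidentiality) but provides no integrity at all."""
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


def flip_byte(ciphertext: bytes, index: int, old: int, new: int) -> bytes:
    """Attacker who knows the message layout but not the key: XOR one byte of
    ciphertext so that it decrypts to `new` instead of `old`."""
    buf = bytearray(ciphertext)
    buf[index] ^= old ^ new
    return bytes(buf)


def demonstrate() -> dict:
    """Run the three scenarios and return what the recipient ends up with."""
    # 1. Plain message, no protection: the edit is invisible to the recipient.
    unprotected = tamper(ORIGINAL)

    # 2. Encrypted but unauthenticated: the attacker turns the '1' at offset 4
    #    ("pay=1...") into a '9' without ever learning the key.
    ct = stream_xor(SHARED_KEY, NONCE, ORIGINAL)
    ct = flip_byte(ct, ORIGINAL.index(b"1"), ord("1"), ord("9"))
    encrypted_only = stream_xor(SHARED_KEY, NONCE, ct)

    # 3. Authenticated with HMAC: the same edit fails verification.
    ok, _ = verify(SHARED_KEY, tamper(sign(SHARED_KEY, ORIGINAL)))

    return {
        "unprotected": unprotected,
        "encrypted_only": encrypted_only,
        "authenticated_tamper_detected": not ok,
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value!r}")
```

The first two cases both deliver “pay=900” to the recipient with no sign that anything happened; only the third refuses the message. In practice you would use an authenticated encryption mode (for example AES-GCM or ChaCha20-Poly1305) that combines the two properties, but the lesson is the same: confidentiality and integrity are separate goals and need separate mechanisms, or one mechanism designed to provide both.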
Availability: Availability allows authorized users to access and use network resources, like a printer or a website. Available resources must complete the service request in a reasonable time. When I was in college, I remember that the telephone networks lost availability every Mother’s Day. The telephone circuits could not handle the flood of calls. Similar things happen today on the internet during Amazon Prime Day or occasionally during Cyber Monday. When attackers flood a particular service or website with more traffic than it can handle, often using malware-infected machines to generate it, it is called a Denial of Service (DoS) attack. A DoS attack is intended to take away the availability of its victim’s resources. As many of you know from experience, you don’t need a hacker to lose availability. It can be lost through a malfunctioning resource or an upgrade gone bad.
Auf Wiedersehen: So there it is, the basics of cybersecurity, the C-I-A Triad. Now we can all go back to singing the rest of the Von Trapp family songs: “So long, farewell, auf Wiedersehen, good night.”