CIA AND DAD TRIAD

TEJAS YADAV
6 min read · Jul 26, 2021


Introduction

Information Security is not only about securing information from unauthorized access. It is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. That information can be physical or electronic, and it can be almost anything: your profile on social media, the data on your mobile phone, your biometrics. Information Security therefore spans many research areas, such as Cryptography, Mobile Computing, Cyber Forensics and Online Social Media.

Information security (sometimes referred to as InfoSec) covers the tools and processes that organizations use to protect information. This includes policy settings that prevent unauthorized people from accessing business or personal information. InfoSec is a growing and evolving field that covers a wide range of fields, from network and infrastructure security to testing and auditing.

Information security protects sensitive information from unauthorized activities, including inspection, modification, recording, and any disruption or destruction. The goal is to ensure the safety and privacy of critical data such as customer account details, financial data or intellectual property.

What is CIA triad?

Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to guide policies for information security within an organization. The model is also sometimes referred to as the AIC triad (availability, integrity and confidentiality) to avoid confusion with the Central Intelligence Agency. Although elements of the triad are three of the most foundational and crucial cybersecurity needs, experts believe the CIA triad needs an upgrade to stay effective.

Figure 1: CIA Triad

Confidentiality is roughly equivalent to privacy. Confidentiality measures are designed to prevent sensitive information from being reached by unauthorized access attempts. It is common for data to be categorized according to the amount and type of damage that could be done if it fell into the wrong hands. More or less stringent measures can then be implemented according to those categories.

Sometimes safeguarding data confidentiality involves special training for those privy to sensitive documents. Training can help familiarize authorized people with risk factors and how to guard against them. Further aspects of training may include strong passwords and password-related best practices and information about social engineering methods to prevent users from bending data-handling rules with good intentions and potentially disastrous results.

Integrity involves maintaining the consistency, accuracy and trustworthiness of data over its entire lifecycle. Data must not be changed in transit, and steps must be taken to ensure data cannot be altered by unauthorized people (for example, by an attacker who has already defeated confidentiality and gained access to the system).

These measures include file permissions and user access controls. Version control may be used to prevent erroneous changes or accidental deletion by authorized users from becoming a problem. In addition, organizations must put in some means to detect any changes in data that might occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or server crash.

Availability means information should be consistently and readily accessible for authorized parties. This involves properly maintaining hardware and technical infrastructure and systems that hold and display the information.

This is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed and maintaining a properly functioning operating system (OS) environment that is free of software conflicts. It’s also important to keep current with all necessary system upgrades. Providing adequate communication bandwidth and preventing the occurrence of bottlenecks are equally important tactics.

To understand how the CIA triad works in practice, consider the example of a bank ATM, which can offer users access to bank balances and other information. An ATM has tools that cover all three principles of the triad:

  • It provides confidentiality by requiring two-factor authentication (both a physical card and a PIN code) before allowing access to data
  • The ATM and bank software enforce data integrity by ensuring that any transfers or withdrawals made via the machine are reflected in the accounting for the user’s bank account
  • The machine provides availability because it’s in a public place and is accessible even when the bank branch is closed

Best practices for implementing the CIA triad

Confidentiality

  • Data should be handled based on the organization’s required privacy.
  • Data should be encrypted at rest and in transit, and access to it should require two-factor authentication (2FA is an authentication control, not an encryption method).
  • Keep access control lists and other file permissions up to date.

Integrity

  • Ensure employees are knowledgeable about compliance and regulatory requirements to minimize human error.
  • Use backup and recovery software.
  • To ensure integrity, use version control, access control, audit logs and checksums (or, where an attacker could recompute a plain checksum, keyed message authentication codes or digital signatures).

Availability

  • Use preventive measures such as redundancy, failover and RAID. Ensure systems and applications stay updated.
  • Use network or server monitoring systems.
  • Ensure a data recovery and business continuity (BC) plan is in place in case of data loss.

What is DAD triad?

Like every concept in security, the CIA Triad can be a double-edged sword. Where there is a good side, there is an opposite bad side to consider as well. When each element of the CIA Triad fails, you get the corresponding element of the DAD triad.

Figure 2: DAD triad

Disclosure: Information disclosure, also known as information leakage, is when a system (most often a website) unintentionally reveals sensitive information to its users. Depending on the context, websites may leak all kinds of information to a potential attacker, including:

  • Data about other users, such as usernames or financial information
  • Sensitive commercial or business data
  • Technical details about the website and its infrastructure

Occasionally, sensitive information might be carelessly leaked to users who are simply browsing the website in a normal fashion. More commonly, however, an attacker needs to elicit the information disclosure by interacting with the website in unexpected or malicious ways. They will then carefully study the website’s responses to try and identify interesting behavior.

Alteration: An unauthorized change of information, which covers three classes of threats. The goal may be deception, in which some entity relies on the modified data to determine which action to take, or in which incorrect information is accepted as correct and is released. If the modified data controls the operation of the system, the threats of disruption and usurpation arise. Unlike snooping (passive eavesdropping, which only reads data), modification is active; it results from an entity changing information.

Data Diddling is the unauthorized altering of data before or during entry into a computer system, and then changing it back after processing is done. Using this technique, the attacker can modify the expected output, and the change is difficult to track. In other words, the original information to be entered is changed, either by a person typing in the data, a virus that is programmed to change the data, the programmer of the database or application, or anyone else involved in the process of creating, recording, encoding, examining, checking, converting or transmitting data.

Figure 3: Data Diddling
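Checksums were listed above as an integrity control, and data diddling shows why a plain checksum is not enough: an insider who can change a record can usually recompute its checksum too. The following Python example is added here and is not from the original article. It seals a constructed batch of payroll records with both a plain SHA-256 checksum and an HMAC under a secret key, simulates an insider altering one record and recomputing the unkeyed checksum, and shows that only the keyed tag detects the change. The record layout and the key are assumptions for illustration; in practice the key would live in a key management system, separate from the data and the people who enter it.

```python
"""Added example (not from the original article): detecting unauthorized
alteration of records with a keyed MAC instead of a plain checksum."""
import hashlib
import hmac
import json

# Constructed sample: a batch of payroll records before processing (assumed layout).
RECORDS = [
    {"id": 1001, "employee": "alice", "amount": 2500.00},
    {"id": 1002, "employee": "bob", "amount": 2300.00},
]


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so the same record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def plain_checksum(record: dict) -> str:
    """Unkeyed SHA-256: anyone who can edit the record can recompute this."""
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_tag(record: dict, key: bytes) -> str:
    """HMAC-SHA256: cannot be recomputed without the secret key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def seal_batch(records, key: bytes):
    """Attach both a plain checksum and a keyed tag to a copy of every record."""
    return [
        {"record": dict(r), "checksum": plain_checksum(r), "tag": keyed_tag(r, key)}
        for r in records
    ]


def checksums_match(sealed) -> bool:
    """Naive integrity check: does the stored checksum match the record?"""
    return all(plain_checksum(e["record"]) == e["checksum"] for e in sealed)


def verify_batch(sealed, key: bytes):
    """Keyed integrity check: return the ids of records whose HMAC no longer matches."""
    tampered = []
    for entry in sealed:
        expected = keyed_tag(entry["record"], key)
        # compare_digest avoids leaking the tag through timing differences.
        if not hmac.compare_digest(expected, entry["tag"]):
            tampered.append(entry["record"]["id"])
    return tampered


def diddle(sealed, record_id: int, new_amount: float):
    """Simulate an insider changing a record and recomputing the unkeyed checksum."""
    for entry in sealed:
        if entry["record"]["id"] == record_id:
            entry["record"]["amount"] = new_amount
            entry["checksum"] = plain_checksum(entry["record"])  # attacker can do this
    return sealed


if __name__ == "__main__":
    key = b"example-key-kept-in-a-kms-not-in-the-code"  # assumption for the demo
    batch = seal_batch(RECORDS, key)
    diddle(batch, 1002, 9300.00)
    print("plain checksums still match:", checksums_match(batch))
    print("records failing HMAC check:", verify_batch(batch, key))
```

The plain checksum still validates after the alteration because the attacker recomputed it; the HMAC fails for record 1002 because the attacker does not hold the key. Version control or an append-only audit log would additionally show who made the change and when.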

Denial: This aspect is targeted at depriving legitimate users of online services. It is typically done by flooding the network or server with useless requests (bogus connection attempts, invalid authentication requests, and so on) until it can no longer serve real traffic, resulting in no connectivity. As a result, users are prevented from using a service.

Denial of service (DoS) is a type of cyber attack designed to disable, shut down or disrupt a network, website or service. The attacker interrupts or inhibits the normal flow of data into and out of a system, sometimes using malware-infected machines as the traffic source, to render the target useless or inaccessible for a certain period. An example of a distributed DoS (DDoS) attack: when a website is accessed massively and repeatedly from many different locations at once, preventing legitimate visitors from accessing the website.
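The monitoring recommended under the availability best practices is what turns a flood like the one described above into something you can see before the service falls over. The following Python example is added here and is not from the original article. It parses web-server access log lines in the common log format, keeps a sliding window of request timestamps per source address, and flags any source that exceeds a request threshold within the window. The log lines, the threshold and the window size are constructed assumptions; real deployments tune them to the service's normal traffic.

```python
"""Added example (not from the original article): flagging request floods
per source address in common-log-format access logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format: ip - - [timestamp] "request" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line: str):
    """Return (ip, timestamp, request, status) or None for a malformed line."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def flood_sources(lines, window_seconds: int = 10, threshold: int = 20):
    """Return {ip: peak requests seen inside one window} for sources at or above
    the threshold. Lines are assumed to be in chronological order per source."""
    windows = defaultdict(deque)   # ip -> timestamps inside the current window
    flagged = {}
    limit = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse(line)
        if parsed is None:          # skip unparseable lines instead of crashing
            continue
        ip, ts, _, _ = parsed
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] > limit:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def build_sample_log():
    """Constructed sample: one legitimate client, one flooding client, one bad line."""
    base = datetime(2021, 7, 26, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_seconds, path):
        ts = (base + timedelta(seconds=offset_seconds)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = [line("192.0.2.10", i * 12, "/balance") for i in range(5)]      # 5 requests over 48 s
    lines += [line("198.51.100.7", i * 0.1, "/login") for i in range(50)]  # 50 requests in 5 s
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, peak in flood_sources(build_sample_log()).items():
        print(f"possible flood from {ip}: {peak} requests in a 10 s window")
```

Only the second address is reported: the legitimate client never has more than one request inside any ten-second window, while the flooding client crosses the threshold on its twentieth request and peaks at fifty. In production the same counting would feed a rate limiter or an alert rather than a print statement, and distributed floods would need the count aggregated by path or by upstream network rather than by single address.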

How are the CIA and DAD Triads Mutually Exclusive?

Each point of the CIA triangle is the exact opposite of the corresponding point of the DAD triangle. If a CIA principle is absent for a given asset, the matching DAD principle is present. Thus, you cannot have both at the same time: an asset cannot be both denied and available at the exact same moment; it is either one or the other.

Disclosure: Attempts to defeat confidentiality

Alteration: Attempts to defeat integrity

Denial (sometimes called destruction): Attempts to defeat availability

The CIA and DAD triads are classic models of information security principles:

  • Confidentiality measures seek to prevent unauthorized access to information or systems.
  • Integrity measures seek to prevent unauthorized modification of information or systems.
  • Availability measures seek to ensure that legitimate use of information and systems remains possible.

In summary, these are very basic concepts to grasp. Each principle covers such a broad generalization, that it is easy to place almost anything in relation to it.
