1.2 Security Concepts

Simply put, securing an environment is achieved by applying the security concepts. These concepts are:

1- Confidentiality.
2- Integrity.
3- Availability.
4- Authenticity.
5- Nonrepudiation.

When an organization introduces a security control, such as a firewall, it actually introduces a control that addresses one of the above security concepts.

Note: the first three concepts combined are commonly called the CIA triad.

Now, let’s walk through these concepts and see how they could be achieved and the consequences of implementing them improperly.

Confidentiality

Confidentiality is meant to protect the secrecy of data, objects, or resources by ensuring that only authorized users can access them. In other words, the objective of confidentiality is to limit the likelihood of data disclosure.

Examples of violations

– An eavesdropper uses Wireshark to listen to the communication between a user and a file server in order to read confidential information while in transit.

– An attacker exploits weak authentication on a database server to get unauthorized access to the server in order to steal confidential data.

Confidentiality Controls

Encrypting the data, while stored, in transit, or while being processed, should prevent the disclosure of sensitive information to unauthorized individuals. Also, implementing a strong access control mechanism can restrict an attacker's ability to gain access to read data.

Integrity

Integrity is meant to protect against unauthorized alteration of data. In other words, the objective of integrity is to maintain the correctness and reliability of data.

Examples of violations

– An attacker intercepts the communication between a user and a file server in order to alter the information while in transit.

– A student exploits weak authentication on a database server to get unauthorized access to the server in order to modify his own grades.

Integrity Controls

Sending or storing data along with its hash makes it possible to verify that the data has not changed. Also, implementing a strong access control mechanism can restrict an attacker's ability to gain access to modify data.
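The following is an added example, not part of the original page. It checks a record against a stored SHA-256 hash and goes one step further than the text by comparing that with a keyed hash (HMAC), which still fails verification when someone rewrites both the data and its check value. The key and the grade record are constructed sample values.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Plain (unkeyed) hash of the data."""
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash: only holders of the key can compute a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag_hex)


# Constructed sample values for the demonstration.
KEY = b"constructed-demo-key-not-for-production"
ORIGINAL = b"student=1042;course=CS101;grade=C"
MODIFIED = b"student=1042;course=CS101;grade=A"


def demo() -> dict:
    stored_hash = sha256_hex(ORIGINAL)
    stored_tag = hmac_tag(KEY, ORIGINAL)
    return {
        "hash_unchanged": verify_hash(ORIGINAL, stored_hash),
        # Data changed, hash kept somewhere the writer cannot reach.
        "hash_data_only_changed": verify_hash(MODIFIED, stored_hash),
        # Data and hash stored together and both rewritten: check passes.
        "hash_both_rewritten": verify_hash(MODIFIED, sha256_hex(MODIFIED)),
        "hmac_unchanged": verify_hmac(KEY, ORIGINAL, stored_tag),
        "hmac_data_changed": verify_hmac(KEY, MODIFIED, stored_tag),
        # A tag recomputed without the real key does not verify.
        "hmac_wrong_key": verify_hmac(KEY, MODIFIED, hmac_tag(b"guess", MODIFIED)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24} {'verifies' if ok else 'REJECTED'}")
```

A plain hash is only as trustworthy as the place it is kept: store it separately from the data, or use a keyed construction as shown.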

Availability

Availability is meant to protect against interrupted access to resources. In other words, the objective of availability is to ensure that a resource is accessible to the authorized users whenever they need it.

Examples of violations

– An attacker overwhelms your web server in order to make it unreachable by your customers.

– An attacker encrypts the files residing on a server in order to prevent the authorized employees from accessing them.

Availability Controls

Providing redundancy for critical components whenever possible ensures that a failure doesn’t cause a full outage. Adopting load balancing is another control to prevent any one system from becoming overloaded. Also, maintaining reliable backups protects against data loss or catastrophic failure. And implementing a strong access control mechanism can restrict an attacker's ability to gain access to a resource in order to destroy it.

Authenticity

Authenticity is meant to verify that data you have is genuine and originated from a claimed source.

Examples of violations

– An attacker manipulates the DNS records so that users are redirected to a malicious website that looks like a legitimate one. This breaks authenticity because the website users believe they are visiting is not the real site, even though it appears so.

– An attacker distributes malware disguised as legitimate software updates. If the software is not signed with a valid digital certificate, its authenticity cannot be verified, allowing users to unknowingly install harmful programs from an unauthentic source.

– An attacker sends an email that appears to come from a trusted source, such as a bank or email provider, but the sender is fake.

Authenticity Controls

Using Public Key Infrastructure (PKI) to issue and validate digital certificates could verify the authenticity of websites, software, and users.

Nonrepudiation

Nonrepudiation is meant to prevent the sender from denying their actions or communications later.

Examples of violations

– When a user sends a sensitive document, they can later claim they never sent it.

– If a system does not log user actions (e.g., file deletions, configuration changes), then users can deny performing those actions later.

– When multiple employees use the same login credentials for a system or device, it’s impossible to prove who performed an action. If something goes wrong, each person can deny responsibility, violating nonrepudiation.

Nonrepudiation Controls

Using digital signatures could prove who performed an action. Also, maintaining audit logs could provide evidence of user activity and help prove accountability in case of a dispute. And each user should have their own login credentials, and shared accounts should be strictly prohibited. This allows all actions to be uniquely tied to one individual, preventing users from denying responsibility.
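Audit logs only work as evidence if entries cannot be quietly edited afterwards. The following added example (not part of the original page) chains each log entry to the previous one with SHA-256 so that changing, removing, or truncating entries is detected. User names, actions, and timestamps are constructed, and the trusted head digest is assumed to be kept outside the log itself.

```python
import hashlib
import json

GENESIS = "0" * 64  # starting value for the chain


def entry_digest(prev_digest: str, record: dict) -> str:
    """Digest covers the record and the digest of the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_digest + payload).encode()).hexdigest()


def append(log: list, user: str, action: str, ts: str) -> None:
    """Record who did what and when, linked to the previous entry."""
    prev = log[-1]["digest"] if log else GENESIS
    record = {"ts": ts, "user": user, "action": action}
    log.append({"record": record, "digest": entry_digest(prev, record)})


def first_bad_index(log: list, trusted_head: str = None):
    """Return the index of the first inconsistent entry, or None if intact.

    If trusted_head is given and the chain ends on a different digest,
    entries are missing from the end and len(log) is returned.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry_digest(prev, entry["record"]) != entry["digest"]:
            return i
        prev = entry["digest"]
    if trusted_head is not None and prev != trusted_head:
        return len(log)
    return None


def build_sample_log() -> list:
    """Constructed sample entries, one named account per person."""
    log = []
    append(log, "alice", "login", "2024-01-01T09:00:00Z")
    append(log, "bob", "delete /finance/q4.xlsx", "2024-01-01T09:05:00Z")
    append(log, "alice", "change firewall rule 12", "2024-01-01T09:10:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["digest"]           # stored somewhere the users cannot write
    log[1]["record"]["user"] = "alice"  # entry rewritten after the fact
    print("first inconsistent entry:", first_bad_index(log, head))
```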