There are three methodologies that cut to the core of cyber security, and they’ll come up time and time again. There are the defender’s goals: confidentiality, integrity and availability, called the CIA triad, plus non-repudiation. There are the attacker’s goals: disclosure, alteration, disruption and impersonation, the opposite of the CIA triad. Then there’s the thing we’re fighting over, data, which comes in three states: at rest, in transit, or in use.
As a general rule of thumb, these terms and methodologies are shared and used across all aspects of cyber security. Engineers, architects and management should be able to tie whatever they’re talking about back to these concepts, at least in a broad sense, especially if they’re talking to a general audience.
Let’s dive into the first one of them a bit more.
The CIA Triad
Confidentiality
Private, secret. So long as the information is only available to the people who should have access to it, confidentiality is maintained. Confidentiality with no integrity is being unsure whether the cocaine in a police evidence room is still cocaine or has been swapped out for baking powder. Confidentiality with no availability is not having the combination to your own lock box, and confidentiality with repudiation is not being able to audit who has been inside and what actions they have taken.
Integrity
The ability to know that when the sun rises tomorrow, it’s the same sun. So long as you can prove no change has occurred, it’s a success. Integrity with no confidentiality is knowing a Wikileaks release is legitimate; integrity with no availability is knowing that there’s only one sun but not being able to go check whenever I want. Integrity with repudiation is receiving the toe of a kidnapped person: sure, I can validate it’s their toe, but it really doesn’t identify the kidnapper.
Availability
Uptime, calculated as time up divided by time up plus time down. The most straightforward of the pieces, and the one that means that while, yes, throwing your computer into a volcano secures it, it is not the perfect solution, because then why did you even have a computer in the first place?
Non-repudiation
The ability to attribute an action with certainty; simply put, knowing where to point the finger. It differs from the CIA triad and isn’t suited to the same comparisons. It relies on having a record of auditable events and authorized users, so that each event is traceable to an account.
All of these parts matter, but how much each matters changes with the problem at hand. For example, Bitcoin and other cryptocurrencies use public ledgers to ensure the integrity of transactions, making every transaction visible to everyone and duplicating the transaction log across the globe, with servers working together to sync their ledgers. All the while, though, the system sacrifices any semblance of confidentiality.
NIST, the National Institute of Standards and Technology, has an established process for categorizing systems as low, medium or high for confidentiality, integrity and availability, which you can check out here. The short version is: if it’s more important, i.e. has a higher cost if affected, or is more likely to be targeted, i.e. has a higher chance of being compromised, apply ‘more’ security.
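As an added example (not from the original post), here is the FIPS 199 “high-water mark” aggregation that the NIST categorization process above is built on, in Python: each information type a system handles gets a confidentiality, integrity and availability impact level, and the system as a whole takes the highest level found for each objective. The information types and their levels are constructed sample data, and the function names are my own.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels (NIST calls the middle level MODERATE)."""
    NA = 0        # "not applicable": allowed only for confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed sample: the information types a hypothetical system handles, each
# with provisional (confidentiality, integrity, availability) impact levels.
SAMPLE_INFO_TYPES = {
    "public web content": (Impact.NA, Impact.MODERATE, Impact.LOW),
    "customer account records": (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "payment processing": (Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
}


def categorize_system(info_types):
    """Apply the FIPS 199 high-water mark: each objective takes the highest level
    found across all information types, and a system is never rated below LOW."""
    objectives = []
    for idx in range(3):
        level = max(levels[idx] for levels in info_types.values())
        objectives.append(max(level, Impact.LOW))
    c, i, a = objectives
    return (c, i, a), max(c, i, a)


def drivers(info_types):
    """Which information type(s) set each objective's level: this is what explains
    why a system landed where it did (the 'higher cost if affected' half of the rule)."""
    (c, i, a), _ = categorize_system(info_types)
    out = {}
    for name, target, idx in (("confidentiality", c, 0), ("integrity", i, 1), ("availability", a, 2)):
        out[name] = sorted(n for n, lv in info_types.items() if max(lv[idx], Impact.LOW) == target)
    return out


def security_category(info_types):
    """Render the FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    (c, i, a), _ = categorize_system(info_types)
    return (f"SC = {{(confidentiality, {c.name}), (integrity, {i.name}), "
            f"(availability, {a.name})}}")
```

Note how a single HIGH integrity requirement from payment processing drags the overall system to HIGH even though nothing on it needs HIGH confidentiality; that is the high-water mark doing exactly what the "more important, more security" rule asks.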