Methodology & Terminology 101, Defender

Introduction

There are three ideas that cut to the core of cyber security, and they’ll come up time and time again. First, the defender’s goals: confidentiality, integrity and availability, called the CIA triad, plus non-repudiation. Second, the attacker’s goals: disclosure, alteration, disruption and impersonation, which are the opposites of the CIA triad and of non-repudiation respectively. Third, the thing we’re fighting over, data, which exists in three states: at rest, in transit, or in use.

Ransomware like WannaCry and Petya is out to compromise the availability of data at rest through disruption: the files are still there, but the owner can no longer read them. The malware doesn’t affect confidentiality, integrity, or non-repudiation as a first-order effect.

As a general rule of thumb these terms will be shared and used across all aspects of cyber security. Engineers, architects, and management should be able to tie whatever they’re talking about back to these concepts, at least in a broad sense, especially if they’re talking to a general audience.

Let’s dive into the first one of them a bit more.

The CIA Triad

Note: Non-repudiation isn’t traditionally part of the CIA triad, but the triad is often criticized for leaving it out. For the purpose of building a well-rounded understanding of objectives we’ll include it here.

Confidentiality

Private, secret. So long as the information is only available to the people who should have access to it, confidentiality is maintained. Confidentiality without integrity is being unsure whether the cocaine in a police evidence room is still cocaine or has been swapped for baking powder. Confidentiality without availability is not having the combination to your own lock box, and confidentiality with repudiation is not being able to audit who has been inside and the actions they’ve taken.

Integrity

The ability to know that when the sun rises tomorrow, it’s the same sun. So long as you can prove no unauthorized change has occurred, integrity is a success. Integrity without confidentiality is knowing a WikiLeaks document is genuine even though everyone can read it; integrity without availability is knowing there’s only one sun but not being able to go and check it whenever I want. Integrity with repudiation is getting a toe from a kidnapped person: sure, I can validate it’s their toe, but it doesn’t identify the kidnapper.

Availability

Uptime, calculated as time up divided by time up plus time down. The most straightforward of the pieces, and the one that means that while throwing your computer into a volcano does secure it, it is not the perfect solution, because why did you even have a computer in the first place?

Non-Repudiation

The ability to attribute an action with certainty; simply put, knowing where to point the finger. It differs from the CIA triad and isn’t apt to the same comparisons. It relies on having a record of auditable events, on users being individually identified and authorized, and on each event carrying evidence that only that account could have produced, so that the event is traceable to an account and the account holder can’t plausibly deny it.
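As an added illustration of the last point (this is example code written for this page, not something from the original post), here is a small append-only audit log in Go. Each entry names the acting account, chains to the previous entry by hash, and is signed with that account’s own Ed25519 private key; the verifier holds only the public keys. The accounts, key pairs and entries are constructed demo data, and the field encoding is deliberately simplified.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Entry is one auditable event. Actor names the account, PrevHash chains the
// entry to its predecessor (integrity of the log as a whole), and Sig is the
// actor's Ed25519 signature over the other fields (attribution to that account,
// since only the holder of the account's private key can produce it).
type Entry struct {
	Actor    string
	Action   string
	PrevHash []byte
	Sig      []byte
}

// Payload is the exact byte string that gets hashed and signed. The "|"
// separator is a simplification for this demo; a real format would
// length-prefix each field so an actor name cannot bleed into the action.
func (e Entry) Payload() []byte {
	return append([]byte(e.Actor+"|"+e.Action+"|"), e.PrevHash...)
}

// Hash covers the signature too, so the next entry's PrevHash also commits
// to who signed this one.
func (e Entry) Hash() []byte {
	h := sha256.Sum256(append(e.Payload(), e.Sig...))
	return h[:]
}

// Log is an append-only list of entries plus the registry of authorized
// accounts and their public keys. The verifier holds public keys only.
type Log struct {
	Entries []Entry
	Keys    map[string]ed25519.PublicKey
}

// Append records an action by actor, signed with that actor's private key.
func (l *Log) Append(actor, action string, priv ed25519.PrivateKey) {
	prev := make([]byte, sha256.Size) // the first entry chains to all zeros
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash()
	}
	e := Entry{Actor: actor, Action: action, PrevHash: prev}
	e.Sig = ed25519.Sign(priv, e.Payload())
	l.Entries = append(l.Entries, e)
}

// Verify walks the chain from the start. It returns the index of the first
// entry that fails and why, or -1 and "" when every entry is intact and
// attributable to a registered account.
func (l *Log) Verify() (int, string) {
	prev := make([]byte, sha256.Size)
	for i, e := range l.Entries {
		if !bytes.Equal(e.PrevHash, prev) {
			return i, "chain broken: entry does not link to its predecessor"
		}
		pub, ok := l.Keys[e.Actor]
		if !ok {
			return i, "unknown actor: no registered key for " + e.Actor
		}
		if !ed25519.Verify(pub, e.Payload(), e.Sig) {
			return i, "bad signature: entry not produced by " + e.Actor + "'s key"
		}
		prev = e.Hash()
	}
	return -1, ""
}

func main() {
	// Constructed demo data: two accounts, each with its own key pair.
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	audit := &Log{Keys: map[string]ed25519.PublicKey{"alice": alicePub, "bob": bobPub}}
	audit.Append("alice", "open evidence locker 7", alicePriv)
	audit.Append("bob", "remove item 7-3", bobPriv)
	fmt.Println(audit.Verify()) // index -1: the log is clean

	// Bob tries to pin his action on alice by rewriting the actor field.
	// Alice's key never signed that payload, so entry 1 fails to verify.
	audit.Entries[1].Actor = "alice"
	fmt.Println(audit.Verify()) // index 1, bad signature

	// Dropping the first entry breaks the chain, so the log cannot be
	// quietly truncated either.
	audit.Entries[1].Actor = "bob"
	audit.Entries = audit.Entries[1:]
	fmt.Println(audit.Verify()) // index 0, chain broken
}
```

The design choice that matters here is the per-account private key. An HMAC over the same entries with a key the server also holds would still give integrity (tampering is detected), but it would not give non-repudiation, because the server could mint an entry in any user’s name and the user could plausibly deny it. With a signature only the account holder can produce, the record is both tamper-evident and attributable.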

Wrap Up

Confidentiality as a number one priority.

All of these parts matter, but how much each matters fluctuates with the problem. For example, Bitcoin and other cryptocurrencies use a public ledger to ensure the integrity of transactions: every transaction is visible to everyone and the ledger is duplicated around the globe, with nodes working together to keep their copies in sync. All the while, the system sacrifices any semblance of confidentiality for the transactions themselves.

NIST, the National Institute of Standards and Technology, has an established process for categorizing systems as low, moderate or high impact for each of confidentiality, integrity, and availability, which you can check out here. That categorization is driven by impact, i.e. the cost if the objective is lost; how likely a compromise is comes in during risk assessment. The short version of both is the same: if it’s more important, i.e. has a higher cost if affected, or more likely to be targeted, i.e. has a higher chance of being compromised, apply ‘more’ security.

Edited 3/13/2019
