Editor’s note: Wired for Safety is a weekly column on cybersecurity and other tech issues. Duane Dunston is an assistant professor of cybersecurity and networking at Champlain College. He received his bachelor’s and master’s of science from Pfeiffer College. From 2001 to 2011 he worked in cybersecurity for NOAA. He is a doctoral student at Northeastern University. His other activities include “You Have A Voice,” a project to develop an electronic screening assessment to identify human trafficking victims.
Information security is the practice of ensuring the confidentiality, integrity and availability — or CIA, for short — of information. The primary mission of cybersecurity professionals is to ensure the CIA of the information they are hired to protect.
More specifically, what is the CIA?
Confidentiality has to do with ensuring the information is not intentionally or unintentionally disclosed to those who shouldn’t have access.

That is a simple example. What if you are hired to protect the private data of millions of consumers (address, Social Security number, birthdate, etc.) and someone breaches it? The Equifax breach is an egregious example of a confidentiality attack.
The disclosure of medical information is a severe confidentiality attack; so is displaying the personal information of secret agents or undercover police officers (all of which have occurred). The latter two examples could result in the death of the agents or family members. That is an extreme example, but it is meant to emphasize that confidentiality attacks can have disastrous results. Breaches also could lead to the loss of business customers or hefty fines or lawsuits.
Integrity involves ensuring that information cannot be modified from its original state by an unauthorized party. Integrity attacks are very damaging because the information can no longer be trusted if there are no trails to detect what exactly was changed or modified.
If someone is able to access your bank account and transfer money from or through it, that is an integrity attack. Or imagine if someone modified the data of a patient about to undergo surgery or the details of a prescription.
Hackers once gained access to a forum for people with epilepsy and posted a seizure-inducing image. Such an image was also used in a targeted attack against a journalist this year. Imagine if someone modified an airport’s computer system to assign the wrong gates for a particular flight or derailed trains in a public transport system.
Availability requires ensuring that information is available when needed. You should be able to access your bank account information 24/7 with minimal delays or unexpected outages. When you go to the airport, you expect all computer systems to be working so you can catch your flight on time. Imagine the delays if an airport’s computer systems go down. Well, don’t just imagine it — it happened to British Airways. While the British Airways incident wasn’t a cyberattack, it is an example of the rippling global impact when a critical service is not accessible.
Such attacks can be costly and time-consuming to fix. Consumers expect online services to work to get their job done, place orders, get in contact with vendors, and enable the movement of people and products.
Availability breakdowns can occur in a variety of ways: computer attack, power outage, software upgrade glitch, damage from a disgruntled employee taking a hammer to the computer, or something as simple as someone tripping over the cord to the networking rack. The Mirai botnet used devices such as digital cameras to interrupt access to major service providers including Twitter, CNN and Netflix.
It is essential to understand that a security-related event may affect more than one of the CIA principles. If an adversary accesses your bank account (confidentiality breach) and changes your password (integrity and availability), all three elements of the CIA triad are affected.
Cybersecurity professionals cannot prevent all types of attacks. There are always unknown attacks. The most common type is the zero-day attack, which exploits a vulnerability before a fix is available in the affected software or system. There are also malicious employees or employees who abuse their power, such as the one who deleted President Donald Trump’s Twitter account, or those with access to data from a previous employer.
Protecting the CIA triad is our primary mission, and it is why we are always asking questions about organizational processes. The more we know and understand, the better we can protect data. The more every employee understands about the value of information, the better they can help protect data.
