Timeline of the History of Information Security

To begin, review this timeline on the history and development of information security. What was the role of the US Department of Defense (DoD) in the evolution of information security? Who or what were the influencers in the development of the confidentiality, integrity, and availability (CIA) triad?

Discussion

What are the three main information security principles?

The three main security principles include:

  • Confidentiality: Protect against unauthorized access to information.
  • Integrity: Protect against unauthorized modification of information. Even if an adversary can't read your data, they can either corrupt it or selectively modify it to cause further damage later on.
  • Availability: Protect against denial of access to information. Even if an adversary can't access or modify your data, they can prevent you from accessing it or using it. For example, they can destroy or congest communication lines, or bring down the data server.

These principles have also been called security goals, objectives, properties or pillars. More commonly, they are known as the CIA Triad.

Security practitioners consider these principles important but vague. This is because they're about the "what" but not the "how". They have to be translated into clear practices based on context. They have been applied to IT infrastructure, cloud systems, IoT systems, web/mobile apps, databases, and so on. Actual practices may differ but can be related to the CIA triad.


What are some variations of CIA?

It's been said that the CIA Triad is focused on technology and ignores the human element. The Parkerian Hexad therefore addresses the human element with three more principles:



  • Possession/Control: It's possible to possess or control information without breaching confidentiality.
  • Authenticity: This is about proof of identity. We should have an assurance that the information is from a trusted source.
  • Utility: Information may be available but is it in a usable state or form?

Another variation is the McCumber Cube. It includes the CIA Triad but also adds three states of information (transmission, storage, processing) and three security measures (training, policy, technology).

Other published security principles have come from OECD, NIST, ISO, COBIT, Mozilla, and OWASP.


What are some means of achieving the CIA security goals?

Authorization, authentication and the use of cryptography are some techniques to achieve the CIA security goals. These have sometimes been called security mechanisms. These mechanisms are designed to protect assets and mitigate risks. However, they may have vulnerabilities that threats will attempt to exploit.

Confidentiality is often achieved via encryption. Hackers in possession of encrypted data can't read it without the requisite decryption keys. File permissions and access control lists also ensure confidentiality. For integrity, a hash of the original data can be used, but this hash must itself be provided securely: if it travels with the data over an untrusted channel, whoever modifies the data can simply recompute it. Alternatively, digital signatures and certificates that use public-key cryptography can be used. For availability, there should be redundancy built into the system. Backups should be in place to restore services quickly. Systems should have recent security updates. Provide sufficient bandwidth to avoid bottlenecks.
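The integrity point above, as an added example that is not part of the original page: an unkeyed SHA-256 digest that accompanies the data is recomputed for a modified message and still verifies, while an HMAC tag under a shared secret key (the "provided securely" mechanism assumed here) rejects the same modification. The messages and key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample messages: the one the sender wrote and a modified copy.
ORIGINAL = b"transfer 100 to account 42"
TAMPERED = b"transfer 900 to account 42"


def plain_digest(data: bytes) -> str:
    """Unkeyed SHA-256: anyone holding the data can recompute it."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: recomputing the tag requires the shared secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_plain(data: bytes, digest: str) -> bool:
    # compare_digest avoids leaking match position through timing
    return hmac.compare_digest(plain_digest(data), digest)


def verify_keyed(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), tag)


def plain_hash_accepts_modified() -> bool:
    """Digest sent alongside the data over an insecure channel: the modified
    message arrives with a freshly computed digest and passes verification."""
    recomputed = plain_digest(TAMPERED)
    return verify_plain(TAMPERED, recomputed)


def hmac_accepts_modified(key: bytes) -> bool:
    """Without the key the tag cannot be recomputed, so the original tag
    is all that can be replayed with the modified message; it fails."""
    tag = keyed_tag(key, ORIGINAL)
    return verify_keyed(key, TAMPERED, tag)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # shared between sender and receiver
    print("plain hash accepts modified data:", plain_hash_accepts_modified())  # True
    print("HMAC accepts modified data:", hmac_accepts_modified(key))            # False
```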

People must be trained to use strong passwords, recognize possible threats and get familiar with social engineering methods.


What are some common approaches to enhancing information security?

Complex systems are hard to secure. Keep the design simple. This also minimizes the attack surface. For example, a free-text search box whose input is passed straight into a database query is vulnerable to SQL injection, but a better-constrained search UI removes this risk. Use secure defaults such as preventing trivial passwords. Give users or programs the least privilege needed to perform their function. When failures occur, ensure they're handled with correct privileges.
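The search-box example from this paragraph, as an added illustration that is not part of the original page: a query built by string formatting beside the parameterized form, run over a constructed in-memory product table with a constructed test term that contains a quote, an OR and a comment marker.

```python
import sqlite3


# Constructed sample catalogue, kept in memory so the example runs offline.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("red shoes", 1), ("blue shoes", 1), ("unreleased shoes", 0)],
    )
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str) -> set[str]:
    """String formatting: the search term is spliced into the SQL text,
    so any quotes or operators in it are parsed as SQL."""
    sql = f"SELECT name FROM products WHERE public = 1 AND name LIKE '%{term}%'"
    return {row[0] for row in conn.execute(sql)}


def search_safe(conn: sqlite3.Connection, term: str) -> set[str]:
    """Parameter binding: the term is handed to the driver as data and can
    never change the query's structure, whatever characters it contains."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return {row[0] for row in conn.execute(sql, (f"%{term}%",))}


# Constructed regression input for the two functions above.
TAUTOLOGY_TERM = "%' OR 1=1 --"


if __name__ == "__main__":
    db = build_db()
    print(search_unsafe(db, "red"))            # {'red shoes'}
    print(search_unsafe(db, TAUTOLOGY_TERM))   # every row, the non-public one included
    print(search_safe(db, TAUTOLOGY_TERM))     # set(): the term is matched literally
```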

Practise defence in depth. This means that multiple levels of control are better than a single one. Security at the application layer alone is not enough. Secure server access, network communications, wireless access, the user interface, and so on. Don't trust third-party services. Have a clear separation of duties to prevent fraud. For example, admin users shouldn't be allowed to log in to the frontend with the same privileges and make purchases on behalf of others.

Avoid security by obscurity. This means that we shouldn't rely on the design itself staying secret. For example, even if source code is leaked or the encryption algorithms are known, the system should remain secure.

Prefer decentralized systems with replication to centralized ones.


Could you mention some threats or attacks by which hackers can compromise the security principles?

Sniffing data communications, particularly when they're not encrypted, is an example of a breach of confidentiality. ARP spoofing sends false ARP messages so that traffic is directed to the wrong computer. Phishing is a breach of integrity since the hacker's website tricks a visitor into thinking it's the genuine website.

Repeatedly sending requests to a service will overload the server. The server will become progressively slower to respond to requests and may even crash. This Denial-of-Service (DoS) attack makes the service unavailable.

For databases, SQL injection is a big threat, allowing hackers access to sensitive data or extra privileges. Buffer overflow vulnerabilities can be exploited to modify data. DoS attacks are possible against databases and their servers.

In any case, record all transactions and events. This leads to better detection of intrusions and prevention of future ones. Have a good recovery plan. Perform frequent security tests to discover vulnerabilities.