The Goal of cybersecurity, which is also known as the CIA TRIAD, is a common term known to both cybersecurity professionals, and those just starting to get into cybersecurity.
Cybersecurity professionals from various experience explain the purpose or the goals of cybersecurity; in ensuring the Confidentiality, Integrity, and Availability with respect to Data. This means that data should be treated as being confidential, data should maintain its integrity and must not be manipulated or altered, and data must be available at any time or upon request.
However numerous factors must be considered based on various organizations, or persons when considering the goals of cybersecurity (TRIAD CIA).
Image of Triad in Cybersecurity
Factors based on various organization, when considering goals of cybersecurity; what do you mean by that?
There is no need for confusion about that, we will address these factors, but first let’s have a proper idea, and definitions of the TRIAD.
WHAT IS CONFIDENTIALITY?
Confidentiality can be defined as steps taking to ensure that data and information isn’t disclosed or made known to any entity or persons that is unauthorized to access such data or information. This means that even within an organization, unauthorized persons may not and cannot be able to access data belonging to even them or any personnel working or conducting business with the said organization, if they are not authorized to access such data, whether it is from their computer or a physical location that such information is securely stored.
Image of source: penneo.com
Image of Data confidentiality in Cybersecurity
WHAT IS DATA INTEGRITY?
We can define integrity as the accuracy of data or ensuring data hasn’t been corrupted, altered or even modified by unauthorized persons. It implies at all times data and information must be accurate, even in the occurrence of technical issues or service downtime, when the server where these information and data is stored is back online, the data should still maintain its consistency and accuracy as it was stored before the service downtime.
Data integrity includes non-repudiation, data is created in such a way that it cannot be arguably denied that the data is not authentic or is inaccurate. Do not worry this will be explained in detail further more as we progress.
Image of source: penneo.com
Image of Data encrypted to ensure data (message) integrity.
WHAT IS DATA AVAILABILITY?
When we talk about availability it is quite broad, it is not just about the information itself, it involves also the process in which the information is stored, the storage and communication mechanism used in accessing the information and relaying it, and security controls that were put in place and despite all these ensuring that the service is 99.9% uptime (Must be readily available whenever it is requested by the authorized party).
The challenge that data availability faces most times, is attributed to DDOS (Distributed-Denial-Of-Service), whereby the storage housing these data and information has been compromised by threat actors, who in turn overload the server holding these information’s, thereby resulting into downtime.
Image of source: fixitgearware.com
Image of encrypted data readily available upon request.
Let’s discuss and have a clear understanding about confidentiality, Integrity, and availability from:
- An organization perspective
- An employee perspective
- An employer perspective
- Customers perspective
- The Government agencies perspective.
CONFIDENTIALITY FROM AN ORGANIZATION PERSPECTIVE:
Confidentiality from an organization perspective varies, for instance let’s say you work in the general hospital, a clinic that deals with various patients and you are not a medical doctor, as a matter of fact you work as a receptionist or clerk at the counter. Patients’ diagnosis and medical ailments cannot be accessed by the clerk, but such records can be accessed by any medical doctor in the organization, for future reference in diagnosing patients’ ailment or changes in their health.
If we view confidentiality of information and data from this perspective, we can say all medical doctors in that hospital or clinic, have authorized access, while the clerk or receptionist has unauthorized access. Therefore, confidentiality would be breached, if the clerk has access to private diagnosis of a patient, also if anyone aside the medical doctor, has access to such data, we can also say data or information confidentiality has been breached.
Therefore, understanding Confidentiality of the patient’s medical diagnosis, here means anyone who is not a medical doctor of that organization, who has access to the patient’s medical records and diagnosis, is said to have breached The Confidentiality of data.
CONFIDENTIALITY FROM AN EMPLOYEE PERSPECTIVE:
An employee who is employed by an organization, is mandated by the rules and policies of the organization to keep all data and information confidential. The rise of social media is a launchpad for people to communicate with one another, but we cannot ignore the dangers imposed by technological changes.
A competitive organization or threat actor can create a false profile, to connect to an employee of a targeted organization in order to obtain information’s such as: companies that the organization does business with, the next shipment of their company’s hardware, even as far as where does the founder or stakeholders live. A successful social engineering techniques can lead to doxing.
The employee would have compromised confidentiality (giving out private information) as well as the false profile (having unauthorized access to the information), which may lead to the security compromise of the persons whose information or data were obtained, or even the organizations business partners. Employees are to treat all information, data, and even personnel’s of their organization with utmost confidentiality.
CONFIDENTIALITY FROM AN EMPLOYER PERSPECTIVE:
Considering that an employer successfully conducts an interview, with certain candidates not being successful; documents such as academic results, home address, email address, and phone number of candidates should be treated with confidentiality even if the candidate does not successfully gain the employment.
Information’s that were submitted during the application process should only reside within the organization, and not released to third party entity or marketing agencies.
Although this might be difficult to ascertain if the data or information provided by the job seeker is safe with the employer or not, organization are mandated to ensure that the data is treated with utmost confidentiality. If the organization sells such data to third party marketing organizations, we can define from the Job seeker perspective that their data has been accessed by unauthorized party, as the third party were not the sole aim why they released their private data in the first place.
It can be said, from the employer’s perspective, that the data has been granted unauthorized access (Job seeker didn’t grant that their data be used outside the purpose of the employment they seek), and from the Job seeker perspective that their data confidentiality has been compromised.
Image of source: raptorservices.com
Image of consent sought by employer to use Data for other purposes.
CONFIDENTIALITY FROM CUSTOMER’S PERSPECTIVE:
Although you might say how does confidentiality applies to a customer, or maybe it doesn’t. The truth remains that as long as you talk about cybersecurity, data and information confidentiality applies to everyone and every entity.
Considering signing up for a service such as online banking with your bank, and assets such as ATM, Credit and Debit cards were issued to you, to enable customers conduct financial transactions anywhere in the world even when they are on vacation.
Such assets (credit cards, debit cards, and ATM), are to be treated with great confidentiality, customers are in no circumstances, allowed to disclose such information to a third-party.
Talking about third parties, the question comes what if the customer wishes to make purchases or shop online, that requires them to disclose credit card information and data associated with it. That is where the customer firstly has to be sure that the third-party application is a legitimate one, and on the side of the third-party shopping app, they are governed by the PCI-DSS (Payment Card Industry and Data Security Standards), which also involves confidentiality and storage of data provided by their customers using their services.
CONFIDENTIALITY FROM GOVERNMENT AGENCIES PERSPECTIVE:
The government agencies deal with citizens information and data. Although government agencies and organizations are not restricted by Law on how they choose to use these citizens data, however within the organization there are restrictions, on who can access such data. This is where information and data can be considered classified. There are three levels to information classification Top Secret, Secret, and Confidential.
Information regarding the nuclear codes of a country, would be kept confidential only to be accessed by the president of a country as it is a Top-Secret information.
Government agencies working within the organization, without a clearance cannot access such information’s.
If you are conversant with certain movies, you could see someone with felony charges, who has worked for the FBI, went rogue, and is on the radar of the CIA.
When the CIA tries to ask one of their intel at the FBI, for the information of the syndicate the CIA is chasing, you could hear words like “The information is classified and I can’t have access to it”.
Here we could deduce, that although the CIA secret intel who works for the FBI has access to the system, they are restricted from accessing such information, which is considered confidential and they are not authorized to access it.
Data and information confidentiality in a government agency perspective, is considered to be within the persons or people working withing the government agency.
INTEGRITY FROM AN ORGANIZATION PERSPECTIVE:
Data Integrity and non-repudiation is very important. Considering that organization are not prone to cyber breaches, data can be intercepted when in transmission (in motion), when in use, or at rest.
Organizations should ensure that when data are in motion, or in use they are encrypted across the network, which implies that if the data were intercepted wrongfully, they make no meaning to the external entity that intercepted that data (they are unreadable). This will ensure that the data are accurate at all times.
Non-repudiation; a case study when a patient visits the hospital for a routine check-up, and their previous records stated they have some mild headache by Dr. John, a new diagnosis by Dr. Doe detects a tumor in their brain, that means that the previous record will be modified (by the doctor stating new findings with regards to the patient’s health).
This means that Dr. Doe has to modify the previous records, to assist the next doctor in tracking the customers medical history in the case of their next visit to the clinic. There should be a section, that allows the doctor to sign, and as well track the I.D of the doctor, in other not to deny that they are the one responsible for additional findings, which resulted in the modification the patient’s previous medical records.
Also, modification of the patient medical records should be done by only authorized doctors, to ensure accuracy, data integrity, and non-repudiation by the entity that modified the data.
INTEGRITY FROM AN EMPLOYEE PERSPECTIVE:
Data integrity from an employee’s perspective is as simple as understanding from filling the form 1-9 during an employment process, down to information provided by customers doing business with the company they work for.
You could ask, how can an employee modify data, I thought it was only hackers or threat adversaries? Now consider an employee who works for an organization furnished a data that says they are 50-years old, and by the standard of the organization, they are to retire by let’s say 55-years old.
The employee wishing to work more, may decide to have unauthorized access to the system, and back-date their age. This will result to data corruption, as it will affect the company’s ability to ascertain those that are genuinely due for retirement and those who are not.
Data in this instance is said to have been corrupted, as the employee who gained unauthorized access to data even thou it belongs to them, has modified the data which they are not by right have access to do so.
On the customers aspect, employee might decide to modify the delivery address of a customer, with the intention of stealing goods or diverting services paid by a legitimate customer to the organization that the employee works for.
An instance, Mr. Fanta who works for amazon as a package distributor for customers who make purchases from amazon online shopping, may decide to print a wrong address on the customers package, which is different from the address supplied by the customer, and divert it to the syndicate they work with.
While the customer awaits their package, they might not know the rogue employee has decided to divert it to the address of syndicate the employee works with, on the system it will legitimately read that the address of the syndicate was supplied by the customer, unknown to the customer that the address was modified by the employee.
This can be considered, from the employee perspective, that they have corrupted the data supplied by the customer, hence affecting the data integrity.
INTEGRITY FROM AN EMPLOYER PERSPECTIVE:
When we talk about data integrity from an employer’s perspective, we have to first understand what sort of business does the employer do or conduct? Then we have to consider it from the perspective of non-repudiation.
Then having a proper understanding, we can further try to understand how can an employer corrupt a data? Let’s have BEC (Business Email Compromise) Scams, as a case study, an employer e.g., managing director, may issue an email to the finance officer to do transfers to an account they furnished for malicious funds diversion, then upon successful wire-transfer, the director, may decide to have access to the finance officer email account, and delete traces of such authorization.
Financial auditing may lead to the finance officer paying deeply for what they are not aware off, as a result of no evidence, that shows the managing director authorizing such transaction.
However if the finance officer, in the bid to confirm such authorization, may decide to CC, other top personnel, who are above the hierarchy of the managing director, as well as asking for secret questions or other relevant documents (as describe by the organization policies), before conducting such transaction, even when the managing director successfully deletes the email from the finance officer, other top entities of the organization will still have a copy of the email, as they were copied, by the finance officer during the course of the conversation.
A proof that the managing director cannot deny (non-repudiation).
Image of source: fixitgearware.com
Image of integrity from non-repudiation perspective.
INTEGRITY FROM CUSTOMER’S PERSPECTIVE:
Considering data integrity from a customer’s perspective is as simple as what does the customer purchase, and the information they provided during a purchase, and who it belongs to.
A customer who makes a purchase from a vendor online should only be able to modify certain data’s e.g., home address, credit card information update etc. If a vendor’s system is not adequately secured, the customer if has programming skills, could modify information such as number of items they paid for, during an online purchase. A customer may shop for 10-items, and if the system isn’t secure may proceed to modify the information from 10 to 20-items, as well as falsify the actual amount they paid.
This will incur financial losses to the online vendor, as the initial data supplied by the customer is said to have been corrupted, and data integrity has been compromised.
INTEGRITY FROM GOVERNMENT AGENCIES PERSPECTIVE:
Unauthorized persons working for government agencies without adequate security clearance, should never have the ability to modify or delete data of citizens or even case files that is in the government agencies custody.
When we talk about data integrity from government agencies perspective, we consider information that will aid the agency to track criminals or even citizens not to be accessed by unauthorized personnel’s.
External entity (threat adversaries), should also not have access to where these data are stored, as they could corrupt or even delete the data, which in turn, compromise data integrity.
AVAILABILITY FROM AN ORGANIZATION PERSPECTIVE:
The availability of data can be affected by server downtime. Data and information in modern time and age as we know is digitally stored.
Servers, where these data are stored are constantly queried, in other to retrieve information. Flooding the server with numerous requests at a time, more than what it can be able to accept may lead to the server crashing known as a server downtime.
Also, attackers can also flood the server with DDOS attacks. Organizations should ensure that there are backup servers, or servers that house sensitive data that they require to run their day-to-day businesses is always 99.9% uptime.
If the information can’t be accessed at any point in time, when it is requested, we can say for a fact that Data availability has been compromised.
AVAILABILITY FROM AN EMPLOYEE PERSPECTIVE:
Employee can be a clerk, customer care representative, or a technical support team. These individuals handle customer complaints, technical solution requests, or even organizational policies that are to be adhered to, when working in various department of the organization.
These data should be readily available upon request either by a superior team member, or even the technical support team that can handle such difficulties requested by a customer of the organization. The data should be only available to the organization team members that are authorized to access such information.
We can take for example when discord customer third party support team was compromised, sensitive information belonging to customers were stolen by the threat actors who hacked the support team account.
AVAILABILITY FROM AN EMPLOYER PERSPECTIVE:
Employer (Managing Director) can request data from a lower ranking department let’s say the HR (Human resources), located at another branch of the organization.
This request could be list of staffs of the organization, or even list of items procured within the last 6months to 1-year by the company. The data should be readily available upon request, when the director tries to access the data.
If the data is stored in the cloud or remote server; at all times the server should be online, and can only be accessed by personnel’s who have the authorization to access the remote server.
In the event of a compromised server, or the organization providing the storage service facility is offline, the data might not be readily available upon request. A situation of such nature, is said to have compromised the availability of data, to the employer (managing director).
AVAILABILITY FROM CUSTOMER’S PERSPECTIVE:
Availability from a customer’s perspective is quite complex, as data that might be available to a customer who uses a medical screening system, and data available to customer who banks with a financial institution definitely varies.
A customer who requests information from a financial institution would only have access information pertaining to their bank accounts for example: bank transactions, bank balance, transaction fees deducted during a transaction.
The same customer cannot be able to access history of financial debits from the medical clinic for the times they visited the doctor. Although, they made payment using the POS(Point-On-Sale) machine, at the clinic when they visited for their routine check-up, however the clinic is not responsible for handling financial transactions.
So, availability of data with regards to the medical centre to the customer, would only be data involving diagnosis of the customer (patient), and although these data belong to the customer, they are not released directly to them.
They have to bring an authorization letter from the doctor of another clinic they wish to visit, and the authorization letter would be confirmed by the appropriate person before releasing the data to the Doctor from another clinic that made such request. In most cases, the records are not released to the customer (patient), but rather emailed or sent directly to the doctor who sent the authorization letter (made the request).
AVAILABILITY FROM GOVERNMENT AGENCIES PERSPECTIVE:
Government agencies rarely face data unavailability from their perspective as they possess the most sophisticated systems and hardware components in handling data on a global scale.
However, they are not prone to cyber-attack. Threat actors constantly deploy a DDOS (Distributed-Denial-Of-Service) wiping away important information’s and data stored by the government agencies.
In other to ensure data is always ready upon request, government agencies have numerous hot-sites (We will discuss this in subsequent articles). When a security breach occurs, the agencies can switch to the next hot-site, which usually has mirrored data (Same data), of the primary site.
Data unavailability as a result of threat actors attacking; when considered from government agencies perspective (FBI,CIA,NASA), rarely occurs when compared to smaller organizations.
Data availability when considered from individuals who work for government agencies, can only be made available if they or accessed by persons who have security clearance to do so.
Put your comments below in the comment section on your thoughts about this.