Belgibayeva A.K. Information security and the CIA triad


Belgibayeva Alfiya

S.Toraighyrov Pavlodar State University, Kazakhstan

Information security and the CIA triad


An examination of the potential problems that can arise on a poorly secured system will help in understanding the need for security. Three basic kinds of malicious behavior are:

– Denial of service.

– Compromising the integrity of the information.

– Disclosure of information.

Denial of Service. Denial of service occurs when a hostile entity consumes a critical service of the computer system in such a way that no service, or only severely degraded service, is available to others. Denial of service is difficult to detect and protect against, because it is hard to distinguish a program that is malicious from one that is simply greedy. An example is an Internet attack in which an attacker requests a large number of connections to an Internet server. By deliberately not completing the connection protocol (in TCP, sending the initial SYN but never the final acknowledgement of the three-way handshake), the attacker leaves many connections half open. Most systems can hold only a limited number of half-open connections before they can no longer accept connections from other systems on the network, so the attack can make the server unreachable for legitimate users even though the server itself is still running.
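The half-open connection attack described above is the classic TCP SYN flood. The simulation below is an added illustration, not part of the original article. It contrasts a stateful listener, which allocates a backlog slot for every SYN and is exhausted once an attacker has sent more SYNs than it has slots, with a SYN-cookie listener, which encodes a keyed MAC of the connection's addresses and a coarse time slot in its initial sequence number and therefore stores nothing until the client's ACK proves the handshake is genuine. The network is simulated in memory; the addresses, ports, backlog size and key are all constructed values, and nothing is sent on a real socket.

```python
"""SYN flood: half-open connection exhaustion and the SYN-cookie mitigation.

Added illustration, not part of the original article. The "network" is
simulated in memory; addresses, ports, backlog size and the key are
constructed values chosen for the demonstration.
"""
import hashlib
import hmac
import secrets

BACKLOG = 128  # constructed: how many half-open connections the stateful listener keeps


class StatefulListener:
    """Classic TCP listener: every SYN costs a backlog slot until the client's
    ACK completes the handshake (or, in a real stack, the entry times out after
    tens of seconds, far slower than an attacker can send spoofed SYNs)."""

    def __init__(self, backlog: int = BACKLOG):
        self.backlog = backlog
        self.half_open: dict[tuple[str, int], int] = {}  # (src_ip, src_port) -> our ISN

    def on_syn(self, src_ip: str, src_port: int):
        if len(self.half_open) >= self.backlog:
            return None  # backlog full: the SYN is silently dropped
        isn = secrets.randbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn  # sent back to the client in the SYN-ACK

    def on_ack(self, src_ip: str, src_port: int, ack_num: int) -> bool:
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack_num == (isn + 1) & 0xFFFFFFFF


class SynCookieListener:
    """Stateless variant: the ISN in the SYN-ACK is a MAC over the connection
    4-tuple and a coarse time slot. Nothing is stored per SYN; a client that
    echoes ISN+1 in its ACK proves it really received the SYN-ACK."""

    def __init__(self, key: bytes, window_seconds: int = 60):
        self.key = key
        self.window = window_seconds

    def _mac24(self, src_ip, src_port, dst_ip, dst_port, slot) -> int:
        msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}".encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(tag[:3], "big")  # 24 bits of the tag

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, now: float) -> int:
        slot = int(now) // self.window
        # 32-bit ISN = 8 bits of time slot | 24 bits of MAC
        return ((slot & 0xFF) << 24) | self._mac24(src_ip, src_port, dst_ip, dst_port, slot)

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack_num: int, now: float) -> bool:
        isn = (ack_num - 1) & 0xFFFFFFFF
        current = int(now) // self.window
        for slot in (current, current - 1):  # accept the current and the previous window
            if (slot & 0xFF) != isn >> 24:
                continue
            expected = self._mac24(src_ip, src_port, dst_ip, dst_port, slot).to_bytes(3, "big")
            if hmac.compare_digest(expected, (isn & 0xFFFFFF).to_bytes(3, "big")):
                return True
        return False


def simulate(kind: str, bogus_syns: int, now: float = 1_700_000_000.0) -> bool:
    """Flood the listener with spoofed SYNs that are never acknowledged, then
    attempt one honest handshake. Returns True if the honest client connects."""
    server = ("198.51.100.10", 443)   # constructed (TEST-NET-2 address)
    client = ("192.0.2.7", 50000)     # constructed (TEST-NET-1 address)
    if kind == "stateful":
        srv = StatefulListener()
        for i in range(bogus_syns):
            srv.on_syn(f"203.0.113.{i % 250}", 10000 + i)           # spoofed sources, no ACK ever
        isn = srv.on_syn(*client)
        return isn is not None and srv.on_ack(*client, (isn + 1) & 0xFFFFFFFF)
    srv = SynCookieListener(secrets.token_bytes(32))
    for i in range(bogus_syns):
        srv.on_syn(f"203.0.113.{i % 250}", 10000 + i, *server, now)  # nothing is stored
    isn = srv.on_syn(*client, *server, now)
    return srv.on_ack(*client, *server, (isn + 1) & 0xFFFFFFFF, now + 0.5)


if __name__ == "__main__":
    print("stateful, no flood       :", simulate("stateful", 0))        # True
    print("stateful, 128 bogus SYNs :", simulate("stateful", BACKLOG))  # False
    print("SYN cookies, 10000 bogus :", simulate("cookie", 10_000))     # True
```

The cookie listener trades state for a little security margin: the 24-bit MAC can be guessed with non-trivial probability by an attacker who can also spoof the final ACK, and the ISN has no room for negotiated TCP options, which is why real stacks such as Linux (`net.ipv4.tcp_syncookies`) fall back to cookies only once the normal backlog overflows.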

Compromising the Integrity of the Information. Most people take for granted that the information stored on a computer system is accurate, or at least has not been modified with malicious intent. If the information loses its accuracy, the consequences can be extreme. For example, if competitors broke into a company's database and deleted or altered customer records, a significant loss of revenue could result. Users must be able to trust that data are accurate and complete.

Disclosure of Information. Probably the most serious attack is disclosure of information. If information taken from a system is important to the success of an organization, it has considerable value to a competitor. Corporate espionage is a real threat, especially from foreign companies, where legal reprisals are much harder to enforce. Insiders also pose a significant threat. Limiting each user's access to the information needed to perform a specific job (the principle of least privilege, or need to know) dramatically reduces the damage that any one compromised or malicious account can do.

Information security (IS) is designed to protect the confidentiality, integrity and availability of computer system data from those with malicious intentions.

The CIA triad is one of the core principles of information security. It is made up of three main components: Confidentiality, Integrity and Availability. There is a continuing debate about extending this classic trio: properties such as non-repudiation do not fit neatly within the three core concepts, and legality is also becoming a key consideration for practical security installations.

The Parkerian hexad is a set of six elements of information security that adds three further attributes to the three classic attributes of the CIA triad. The Parkerian hexad attributes are the following:

– Confidentiality

Is the information protected from unauthorized disclosure and observation?

Elements of security that help enforce confidentiality are: encryption, authentication, access control, physical security, and permissions.

– Integrity

Is the information complete, whole and unchanged from the previous state?

Elements of security that help enforce integrity: hashing techniques and, where an adversary could alter both the data and its hash, keyed message authentication codes or digital signatures.

– Availability

Are information and systems available so that they can be accessed in a timely manner for the intended purpose?

Elements of security that help maintain availability: fault tolerance and redundancy techniques, such as disk redundancy (RAID), server redundancy, site redundancy, backups, and alternate power and cooling systems.

– Non-Repudiation or Authenticity

Is the information genuine, valid and not fraudulent, and can its origin be demonstrated to a third party?

Elements of security that help enforce non-repudiation and authenticity: digital signatures, logging.

– Possession or Control

Is the information in the control of the authorized individuals? Possession can be lost without confidentiality being breached: a stolen backup tape whose contents are encrypted is no longer in its owner's possession, even though the data on it remain confidential.

– Utility or Usefulness

Is the information usable for its intended purpose? Data encrypted with a key that has since been lost are still confidential and intact, but have lost their utility.

Information security is, at its core, the management of risk: anything that threatens an element of the CIA triad or the Parkerian hexad is a risk. Sensitive information must be protected so that it cannot be changed, altered or transferred without authorization. For example, a message could be modified during transmission by someone who intercepts it before it reaches the intended recipient. Cryptographic integrity checks (message authentication codes or digital signatures) let the recipient detect such modification; encryption by itself hides the content but does not guarantee that it was not altered.

Digital signatures improve information security by providing authenticity and non-repudiation: a valid signature shows that the data came from the holder of the signing key and were not altered afterwards, and signature-based credentials can require individuals to prove their identity before they gain access to computer data.
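The modification-in-transit scenario of the previous two paragraphs, and the difference between a shared-key integrity check and a digital signature, as an added example that is not part of the original article. It uses only the Python standard library: HMAC-SHA256 is the keyed integrity check, and a Lamport one-time signature built from SHA-256 stands in for a production signature scheme such as Ed25519 or RSA-PSS so that the sign/verify asymmetry can be shown without third-party packages. The message, the shared key and the interceptor's behaviour are constructed for the demonstration.

```python
"""Integrity and non-repudiation of a message in transit.

Added example, not from the original article. Standard library only:
HMAC-SHA256 is the keyed integrity check, and a Lamport one-time signature
built from SHA-256 stands in for a production scheme such as Ed25519 or
RSA-PSS to show what a signature adds over a MAC. Message, key and the
interceptor's behaviour are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def man_in_the_middle(message: bytes) -> bytes:
    """Interceptor rewrites the amount before forwarding the message."""
    return message.replace(b"amount=100", b"amount=9100")


# --- Integrity: unkeyed hash vs keyed MAC ---------------------------------

def verify_hash(message: bytes, digest: bytes) -> bool:
    """Detects accidental corruption only: anyone can recompute SHA-256."""
    return hmac.compare_digest(sha256(message), digest)


def mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # constant-time comparison: do not leak how many tag bytes matched
    return hmac.compare_digest(mac(key, message), tag)


# --- Non-repudiation: Lamport one-time signature ---------------------------

def lamport_keygen():
    """Private key: 256 pairs of random 32-byte secrets. Public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def _message_bits(message: bytes):
    h = int.from_bytes(sha256(message), "big")
    return [(h >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, message: bytes):
    # reveal, for each bit of H(m), the secret of the pair that matches that bit
    return [sk[i][b] for i, b in enumerate(_message_bits(message))]


def lamport_verify(pk, message: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(sha256(s) == pk[i][b] for i, (b, s) in enumerate(zip(_message_bits(message), sig)))


def secrets_revealed(sk, *sigs) -> int:
    """How many of the 512 private values an observer of these signatures has
    seen. One signature reveals 256; a second one on a different message
    reveals more, which is why a Lamport key must be used only once."""
    seen = {s for sig in sigs for s in sig}
    return sum(1 for pair in sk for s in pair if s in seen)


def demo() -> dict:
    key = secrets.token_bytes(32)                        # shared by sender and receiver only
    msg = b"transfer from=ACC-1 to=ACC-2 amount=100"    # constructed payload
    tampered = man_in_the_middle(msg)

    # 1. Plain hash: the interceptor recomputes it, and the receiver sees nothing wrong.
    hash_detects = not verify_hash(tampered, sha256(tampered))
    # 2. HMAC: lacking the key, the interceptor can only forward the old tag.
    mac_detects = not verify_mac(key, tampered, mac(key, msg))
    # 3. But the receiver holds the same key, so a MAC proves nothing to a third party.
    receiver_can_forge_mac = verify_mac(key, tampered, mac(key, tampered))
    # 4. Signature: anyone holding pk can verify; only the sk holder could have signed.
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, msg)
    return {
        "hash_detects_tampering": hash_detects,                                # False
        "mac_detects_tampering": mac_detects,                                  # True
        "receiver_can_forge_mac": receiver_can_forge_mac,                      # True
        "signature_valid": lamport_verify(pk, msg, sig),                       # True
        "signature_rejects_tampered": not lamport_verify(pk, tampered, sig),   # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28s} {value}")
```

The MAC result is the practical caveat behind the hexad's separate non-repudiation attribute: HMAC proves to the receiver that the message was not altered in transit, but because the receiver could have produced the same tag it cannot prove to anyone else who sent it. A signature can, at the price of key management for the public key and, for the one-time scheme used here, a fresh key for every message.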

Information systems security does not deal only with computer information; it also covers protecting data and information in all of their forms, such as telephone conversations.

Risk assessments must be performed to determine which information poses the biggest risk. For example, one system may hold the most important information and will therefore need stronger security measures. Business continuity planning and disaster recovery planning are other responsibilities of the information systems security professional, who plans for what could happen if a major business disruption occurs so that the business can continue to operate.

