31st Jan 2018

Getting serious about security? Think about C.I.A (Confidentiality, Integrity and Availability)

Posted by: Lifeline Design

While the term "CIA Triad" sounds like the title of some pulpy novel you'd pick up in an airport book store, the reality couldn't be further from the truth. The CIA Triad is a well-known cyber security model. If you're interested in protecting your data, it's something you should get familiar with as well!

According to the model, there are three crucial components of security that each demand their own approach and protection methods.

Confidentiality

Confidentiality can be thought of as similar to privacy. It's all about keeping data out of the wrong hands while maintaining access to valid users. Low-hanging fruit on this branch includes obvious things like password protection on work devices and sensitive databases, or two-factor authentication on email accounts. However, there is a lot more to consider when you want to keep sensitive information confidential and secure!

Management of confidential information takes thought and care. Think about situations where an employee may take work-related material out of the building on his/her laptop, or even something like a USB drive. There likely isn't anything sinister about their motives (they're probably just trying to do their jobs), but just by removing that info from the building and putting it on a device that could be lost, stolen, or duplicated, they've added an additional risk factor to consider. 

Many types of malware are specifically designed to expose private information. A simple keylogger on the right machine can be enough to breach your entire business. That isn't even considering other types of snooping programs, attempts to compromise email accounts, and so on.

Of course, we shouldn't forget that confidentiality isn't limited to electronic documents either. Any printouts, hard copies, or physical media need to be properly secured as well. All the fancy encryption in the world won't help if you just toss all your sensitive documents in an unlocked file cabinet at the end of the day!

Extremely sensitive information (we're talking in the realm of privileged knowledge and intelligence services) may require extraordinary measures. So-called "air-gapped" computers that lack a connection to the internet are often employed by businesses contracted to work on particularly sensitive projects.

So what should you do as a business to address the confidentiality axis of the triad?

  • Create a hierarchy of data. What data do you handle that you would consider sensitive? How sensitive is this information? Is it lightly sensitive, like an internal call list, or highly sensitive, like customer billing info and credit card numbers? Who needs access to that information on a regular basis? Who doesn't? Start by building up this information and develop a security plan around these points.
  • Consider special training for employees. Hopefully you're already coaching employees on good email hygiene (be suspicious of external unsolicited mail, never open attachments, always confirm the identity of the recipient before sending sensitive info, etc). You may also need to train your employees on what is acceptable to take off premises, or proper procedure for destroying sensitive documents before throwing them out (ward off those dumpster divers).
  • Ensure the security of your tools and systems. If you're unclear about the security measures being used by your database provider, CRM software, or whatever else, don't leave it to chance. Contact your provider and get a rundown of their precautions.

Integrity

Integrity is all about keeping your data in a safe, predictable state. This means protecting it from unintentional or malicious modification, deletion, or any other kind of tampering. 

Admittedly, a lot of this depends more on your tools and service providers. Encryption isn't something the average user can really control other than through purchasing decisions. When working with any kind of database or CRM, you would expect things like user accounts, invoice records, and employee data to be kept secure as a matter of course. That said, there is still plenty you can do as an end user to help protect your data integrity.

  • Review your tools and be sure you have the means to recover or reverse any accidental or unintentional changes. Everyone makes mistakes, and sooner or later someone is going to delete a user profile they didn't mean to, or a Word doc everyone is depending on.
  • Keep periodic backups of important info. Preferably, you want these to be regularly performed and held in a secure location off-site. These backups are important for two reasons. One, you have a series of snapshots to refer to in the event that something goes wrong and you need to track down when you started working off the wrong information. Two, storing them in a separate location will ensure that a calamity at the office (a fire, flood, Godzilla attack) won't spell doom for your backups as well.
  • Limit access to important data. This overlaps with what we talked about in Confidentiality, but the fewer people who have access to important info means fewer chances of mistakes or inappropriate modification. It also makes it easier to track down a mistake when there are only a few people who could have made one.
  • Simple and easy, but use those read-only flags for important docs. If you work off a shared drive or common database, it can be a good idea to make long-standing, vital documents read-only. It only takes a few clicks and it can prevent a world of headaches.
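The snapshot-and-compare idea behind the backup and read-only advice above can also be applied directly to the files themselves. The following is an added example, not part of the original post: it records a SHA-256 fingerprint of every document on a shared drive into a manifest, stores that manifest outside the shared tree, and later reports exactly which files were modified, deleted, or added. The folder layout, file names, and file contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large documents need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path -> SHA-256). This is the 'known good' snapshot."""
    return {
        str(path.relative_to(root)).replace("\\", "/"): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify(root: Path, manifest: dict) -> dict:
    """Compare the live tree against a saved manifest and report every kind of drift."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
        "intact": sorted(k for k in manifest if k in current and current[k] == manifest[k]),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a folder of documents, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "shared_drive"  # hypothetical shared drive
        (share / "policies").mkdir(parents=True)
        (share / "policies" / "expense_policy.txt").write_text("Expenses over 50 need approval.\n")
        (share / "call_list.txt").write_text("Reception: 100\nIT desk: 200\n")
        (share / "price_list.txt").write_text("Widget: 10.00\n")

        # Take the known-good snapshot and keep it OUTSIDE the tree it describes
        manifest = build_manifest(share)
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))

        # Simulated drift: an accidental edit, a deletion, and a stray new file
        (share / "price_list.txt").write_text("Widget: 1.00\n")
        (share / "call_list.txt").unlink()
        (share / "notes.txt").write_text("scratch\n")

        saved = json.loads(manifest_path.read_text())
        return verify(share, saved)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The manifest is only as trustworthy as the place it lives: keep it somewhere the people (and programs) that can write to the shared drive cannot also rewrite, such as the same off-site location as your backups, and re-run the check on a schedule so a bad change is caught while the last good snapshot is still recent.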

Availability

Availability is about the ability to access your data when you need to. It doesn't matter how good or secure your data is if you and your employees can't get to it when you need it. Availability is an interesting part of the triad because of the way it overlaps, and can even conflict with, the other priorities.

Think about it: access is vital for a business that wants to stay flexible and responsive, but the more you make data accessible, the more precarious it becomes. A great example of this we all probably deal with in our personal lives is auto-completing logins and passwords. Most of us don't want to have to enter all our information just to check our email, so we get lazy and save that password. Fair enough, but what happens if someone with nefarious goals gets access to your computer? It might be a long shot at home, but it's fairly plausible at work when lots of people are moving around all day. Then think about things like your e-banking login – something that is even more vulnerable than your email. And what if you don't usually check it on your home PC, but on your cell phone while out and about? That little convenience of not having to put in your password could cause you a lot of grief if you lose your phone.

It wouldn't seem like it on first blush, but lots of cybercrime is based on this attack avenue as well. The whole idea behind ransomware is to hold your data hostage so you can't use it without paying a fee, while DDoS attacks deny both you and your customers access to your website. In this way, availability has an interesting hardware component that should be considered as well.

  • Again, off-site backups are your best friend. Ransomware isn't nearly as threatening when it will only set you back a few hours worth of work instead of several months.
  • Invest in your tools and access. A high-speed connection might sound like a luxury in the business setting, but the less time you spend waiting for things to load or files to transfer, the more work you'll get done. Professional web hosting services that offer DDoS protection might seem like an expense, but it's far cheaper than losing several days of work due to some hacker's prank.
  • Consider a backup power supply. Obviously not every business is going to be able to afford or need an emergency generator, but even a commercial backup power supply for key PCs in the business can be worth its weight in gold.

All together

The important thing to remember about the CIA triad is that no individual component is more important than any other. If you really want to get serious about cybersecurity, you need to consider each part of the triad and the ways they intersect and pull at each other. There is no such thing as 100% secure; instead, you need to assess your unique risks, work out what is most important to your business's ability to operate, and design your security to support those elements.