The three fundamental items upon which security is based together are known as the CIA triad (see Figure 3.1). You will see these concepts presented throughout this book.
- Confidentiality The concept of keeping private information away from individuals who should not have access. Any time there is an unintentional release of information, confidentiality is lost. As an example, if Black Hat Bob can intercept an email between the CEO and the CIO and learn their latest plans, confidentiality has been broken and there is a lapse of security. Other attacks on confidentiality include sniffing, keystroke monitoring, and shoulder surfing.
- Integrity The concept of integrity means that data is consistent and that it hasn't been modified. This modification can result from access by an authorized or unauthorized individual or process. Integrity must also prevent modification of data while in storage or in transit. For example, if I could access my bank account and change the bank balance by adding a few zeroes . . . well, that's not such a big deal to me, but the bank might not be happy because they would suffer a serious lapse of integrity.
- Availability The concept of availability is pretty straightforward. You should have reliable and timely access to the data and resources you are authorized to use. A good example of a loss of availability is a DoS attack. No, it doesn't give the perpetrator access, but it does prevent legitimate users from using the resource.
Figure 3.1. CIA security triad.
Which one of these three is most important? Well, that depends. They are all important, but organizations are unique. Different elements of the CIA triad will take the lead in different companies. For example, your local bank might consider integrity the most important, but an organization that does data processing might see availability as the primary concern.