Introduction To Cyber Security, CIA Triad

Uploaded by

K. Majidh
CYBER SECURITY
INTRODUCTION

Computer Security

• Protection of the items you value, called the assets of a computer or computer system: basically hardware, software, and data.
The Vulnerability–Threat–Control Paradigm

Vulnerability
• Weakness in a system (for example, in procedures, design, or implementation) that might be exploited to cause loss or harm.
Threat
• Set of circumstances that has the potential to cause loss or harm.

An analogy to differentiate threat and vulnerability

Control
• An action, device, procedure, or technique that removes or reduces a vulnerability.
• Controls prevent threats from exercising vulnerabilities.
• A threat is blocked by control of a vulnerability.
C-I-A triad
A foundation for thinking about security.

• Confidentiality: the ability of a system to ensure that an asset is viewed only by authorized parties.
• Integrity: the ability of a system to ensure that an asset is modified only by authorized parties.
• Availability: the ability of a system to ensure that an asset can be used by any authorized parties.
ISO 7498-2 [ISO89] adds to them two more properties that are desirable, particularly in communication networks:

• Authentication: the ability of a system to confirm the identity of a sender.
• Nonrepudiation or Accountability: the ability of a system to confirm that a sender cannot convincingly deny having sent something.
• Harm can also be characterized by four acts:
  • Interception
  • Interruption
  • Modification
  • Fabrication
More about the C-I-A triad

Confidentiality
• The definition of confidentiality is straightforward: only authorized people or systems can access protected data.
• Confidentiality relates most obviously to data, although we can think of the confidentiality of a piece of hardware (a novel invention) or a person (the whereabouts of a wanted criminal).

• Properties that could mean a failure of data confidentiality:
  o An unauthorized person accesses a data item.
  o An unauthorized process or program accesses a data item.
  o A person authorized to access certain data accesses other data not authorized (which is a specialized version of "an unauthorized person accesses a data item").
  o An unauthorized person accesses an approximate data value (for example, not knowing someone's exact salary but knowing that the salary falls in a particular range or exceeds a particular amount).
  o An unauthorized person learns the existence of a piece of data (for example, knowing that a company is developing a certain new product or that talks are underway about the merger of two companies).

• The general pattern of these statements: a person, process, or program is (or is not) authorized to access a data item in a particular way.
• We call the person, process, or program a subject,
• the data item an object,
• the kind of access (such as read, write, or execute) an access mode,
• and the authorization a policy.
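The subject / object / access mode / policy pattern above, worked as an added example (not code from the slides): a small default-deny policy check that replays the confidentiality failure cases from the previous slide and one integrity case. The names alice, mallory, salary_db, merger_memo and the process identifiers are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# The three access modes the slide names: read, write, execute.
MODES = frozenset({"read", "write", "execute"})

@dataclass
class Policy:
    """(subject, object) -> permitted access modes. Subjects are people or
    processes, objects are data items; all names below are constructed samples."""
    rules: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)
    denied: List[Tuple[str, str, str]] = field(default_factory=list)  # audit trail of refusals

    def grant(self, subject: str, obj: str, *modes: str) -> None:
        unknown = set(modes) - MODES
        if unknown:
            raise ValueError(f"unknown access mode(s): {sorted(unknown)}")
        self.rules.setdefault((subject, obj), set()).update(modes)

    def check(self, subject: str, obj: str, mode: str) -> bool:
        """Reference-monitor style decision: default deny, every refusal recorded."""
        if mode not in MODES:
            raise ValueError(f"unknown access mode: {mode}")
        allowed = mode in self.rules.get((subject, obj), set())
        if not allowed:
            self.denied.append((subject, obj, mode))
        return allowed

def sample_policy() -> Policy:
    p = Policy()
    p.grant("alice", "salary_db", "read")                     # authorized person, read only
    p.grant("process:payroll", "salary_db", "read", "write")  # authorized process, may modify
    return p

def replay_slide_cases(policy: Policy) -> List[str]:
    """Returns the requests the policy refused. The refused reads are the first
    three confidentiality failures listed on the earlier slide; the refused write
    is an integrity failure. Inferring an approximate value or the existence of a
    datum is not an access-mode decision and is deliberately not modelled here."""
    attempts = [
        ("mallory", "salary_db", "read"),             # unauthorized person
        ("process:backup_job", "salary_db", "read"),  # unauthorized process
        ("alice", "merger_memo", "read"),             # authorized person, other data not authorized
        ("alice", "salary_db", "write"),              # authorized to read, not to modify
        ("alice", "salary_db", "read"),               # authorized access, permitted
    ]
    return [f"{s} {m} {o}" for s, o, m in attempts if not policy.check(s, o, m)]
```

The last two confidentiality failures on the slide (approximate values, existence of data) leak through inference rather than through a single access decision, which is why a policy check alone cannot catch them.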
Integrity

• Integrity is harder to pin down than confidentiality. As Stephen Welke and Terry Mayfield [WEL90, MAY91, NCS91a] point out, integrity means different things in different contexts.
If we say that we have preserved the integrity of an item, we may mean that the item is
• precise
• accurate
• unmodified
• modified only in acceptable ways
• modified only by authorized people
• modified only by authorized processes
• consistent
• internally consistent
• meaningful and usable

• Welke and Mayfield recognize three particular aspects of integrity: authorized actions, separation and protection of resources, and error detection and correction.
Availability

• Availability applies both to data and to services (that is, to information and to information processing).
• An object or service is thought to be available if the following are true:
  • It is present in a usable form.
  • It has enough capacity to meet the service's needs.
  • It is making clear progress, and, if in wait mode, it has a bounded waiting time.
  • The service is completed in an acceptable period of time.
Criteria to define availability

• Timely response to our request.
• Resources are allocated fairly so that some requesters are not favored over others.
• Concurrency is controlled; that is, simultaneous access, deadlock management, and exclusive access are supported as required.
• Fault tolerance.
• The service or system can be used easily and in the way it was intended to be used.

Fig: Availability and Related Aspects

• "Computer security seeks to prevent unauthorized viewing (confidentiality) or modification (integrity) of data while preserving access (availability)."