The Components of the CIA Triangle


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Solution: The main components of the C.I.A. triangle are:

Confidentiality

Confidentiality is the ability to conceal information from people who are not authorized to view it. It is perhaps the most evident aspect of the CIA triangle when it comes to security, but it is also the one that is attacked most often. Cryptography and encryption methods are examples of attempts to ensure the confidentiality of data transferred from one computer to another.

Integrity

The capability to ensure that the data is an accurate and unchanged representation of the original secure information. One type of security attack is to capture important data in transit and alter it before forwarding it to the intended receiver.
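The attack just described, an intermediary altering data before forwarding it, is the reason integrity is protected with a keyed message authentication code rather than a plain hash. The following added example (not part of the original essay) shows why: the attacker can recompute an unkeyed SHA-256 digest over the modified message, but cannot recompute an HMAC tag without the shared key. The message, the key and the attacker's edit are constructed for illustration.

```python
"""Added example (not from the original essay): detecting a modified
message with a keyed MAC (HMAC-SHA256) versus an unkeyed hash.
The sample message, the shared key and the attacker's edit are all
constructed; every name here is an assumption."""
import hashlib
import hmac
import os

# Assumed to have been shared out-of-band between sender and receiver.
SHARED_KEY = os.urandom(32)


def hash_protect(message: bytes) -> tuple:
    """Naive 'integrity': append an unkeyed SHA-256 digest."""
    return message, hashlib.sha256(message).digest()


def hash_verify(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)


def mac_protect(message: bytes, key: bytes) -> tuple:
    """Keyed integrity: HMAC over the message with the shared secret."""
    return message, hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(message: bytes, tag: bytes, key: bytes) -> bool:
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the tag.
    return hmac.compare_digest(expected, tag)


def man_in_the_middle(message: bytes) -> bytes:
    """Attacker on the path rewrites the payee before forwarding."""
    return message.replace(b"payee=alice", b"payee=mallory")


def run_demo(key: bytes = SHARED_KEY) -> tuple:
    """Returns (hash_accepted_forgery, mac_accepted_forgery, mac_accepted_genuine)."""
    original = b"transfer amount=100 payee=alice"

    # Case 1: unkeyed hash. The attacker modifies the message and simply
    # recomputes the digest; the receiver has no way to notice.
    msg, _ = hash_protect(original)
    tampered = man_in_the_middle(msg)
    forged_digest = hashlib.sha256(tampered).digest()
    hash_result = hash_verify(tampered, forged_digest)  # True: tampering undetected

    # Case 2: HMAC. The attacker can modify the message but, lacking the
    # key, must forward the old tag; the receiver rejects the message.
    msg, tag = mac_protect(original, key)
    tampered = man_in_the_middle(msg)
    mac_result = mac_verify(tampered, tag, key)   # False: rejected
    genuine = mac_verify(msg, tag, key)           # True: untouched message passes
    return hash_result, mac_result, genuine


if __name__ == "__main__":
    print(run_demo())
```

A MAC gives integrity, not confidentiality: the message travels in the clear. To cover both properties at once, authenticated encryption (for example AES-GCM) is the usual choice in practice.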

Availability

It is very important to ensure that the information concerned is readily accessible to authorized viewers at all times. Some types of security attack try to deny access to legitimate users, either for the sake of inconveniencing them or because there is some secondary effect. For example, by taking down the web site of a particular search engine, a rival may become more popular.

However, present-day needs have made these three concepts alone inadequate, because they are limited in scope and cannot encompass the constantly changing environment of the IT industry. The CIA triangle has therefore been expanded into a more comprehensive list of critical characteristics and processes, which are as follows:

Privacy: Information that is collected, used, and stored by an organization is intended only for the purposes stated by the data owner at the time it was collected. Privacy as a characteristic of information does not signify freedom from observation; in this context, privacy means that information will be used only in ways known to the person providing it.

Identification: An information system possesses the characteristic of identification when it is able to recognize individual users. Identification is the first step in gaining access to secured material, and it serves as the foundation for subsequent authentication and authorization. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted. Identification is typically performed by means of a user name or other ID.

Authentication: The user authenticates with a personal identification. The identity provider passes the identity information required by the service provider so that an authentication decision can be made. Digital identities are increasingly used to facilitate transactions in many domains. When developing and analyzing digital identity schemes, it is important to consider the type and objective of the repository, the type of digital content, the security of the system, the security of the communication channel, the diversity of users' skill levels, the number of users, and even the perceptions and responses of end users. Different authentication processes are as follows:

The most common authentication process is log-in ID and password-based access. Logging in, also called log on, sign in, or sign on, is how a person identifies themselves to the system in order to obtain access. The primary purpose of a computer login procedure is to validate the identity of any user or program attempting to access the computer's services. Another common authentication process is IP filtering, or IP authentication, which accepts requests only from known network addresses.

Authorization: Authorization describes users' permissions to access digital resources and the degree to which they may use them. Authorization is granted to successfully authenticated users according to the rights information held in an Access Management System (AMS) (Lynch, 2009). Authorization also addresses the responsibilities assigned to the different people involved in developing a digital repository or library and their corresponding authority to add, delete, edit and upload records in the digital collection. Authorization is more challenging than authentication, especially for widely distributed digital content providers.
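The three steps described above, identification, then authentication, then authorization, are easiest to see as one sequence in code. The following added example (not part of the original essay or of any real AMS) walks a request through all three: the user name is looked up, the password is checked against a salted PBKDF2 hash and the source address is checked against an IP filter, and finally the user's role is consulted for the requested action on a repository record. The user directory, networks, roles and work factor are constructed assumptions.

```python
"""Added example (not from the original essay): identification ->
authentication (password + IP filter) -> authorization, with deny by
default at every step. Users, networks and roles are constructed."""
import hashlib
import hmac
import ipaddress
import os

# Assumed work factor, lowered so the demo runs quickly; OWASP currently
# recommends around 600,000 iterations for PBKDF2-HMAC-SHA256.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 hash; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user directory: identifier -> credential, allowed networks, role.
USERS = {
    "alice": {
        "cred": hash_password("correct horse battery staple"),
        "allowed_from": [ipaddress.ip_network("10.0.0.0/8")],
        "role": "editor",
    },
    "bob": {
        "cred": hash_password("hunter2"),
        "allowed_from": [ipaddress.ip_network("192.168.1.0/24")],
        "role": "reader",
    },
}

# Constructed rights information: role -> actions permitted on repository records.
PERMISSIONS = {
    "reader": {"read"},
    "editor": {"read", "add", "edit", "upload"},
    "admin": {"read", "add", "edit", "upload", "delete"},
}


def identify(username: str):
    """Step 1, identification: map the claimed identity to a record, or None."""
    return USERS.get(username)


def authenticate(record: dict, password: str, source_ip: str) -> bool:
    """Step 2, authentication: password proof AND IP filter must both pass."""
    salt, stored = record["cred"]
    _, candidate = hash_password(password, salt)
    password_ok = hmac.compare_digest(candidate, stored)  # constant-time
    addr = ipaddress.ip_address(source_ip)
    ip_ok = any(addr in net for net in record["allowed_from"])
    return password_ok and ip_ok


def authorize(record: dict, action: str) -> bool:
    """Step 3, authorization: consult the role's rights; unknown role -> nothing."""
    return action in PERMISSIONS.get(record["role"], set())


def access(username: str, password: str, source_ip: str, action: str) -> str:
    """Run the full sequence. The distinct reasons are returned here so the
    steps are visible; a real login screen should show the user one generic
    failure message so it does not reveal which identities exist."""
    record = identify(username)
    if record is None:
        return "denied: unknown identity"
    if not authenticate(record, password, source_ip):
        return "denied: authentication failed"
    if not authorize(record, action):
        return "denied: not authorized for " + action
    return "granted: " + action


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "10.1.2.3", "edit"))
    print(access("alice", "correct horse battery staple", "10.1.2.3", "delete"))
```

Note that a correct password from an address outside the allowed network still fails authentication: the two factors are combined with AND, which is what makes the IP filter a control rather than a convenience.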

Significance: The CIA triangle is a simple but widely applicable security model. It stands for Confidentiality, Integrity and Availability, three key principles that should be guaranteed in any kind of secure system. The principle applies across the whole subject of security analysis, from access to a user's internet history to the security of encrypted data crossing the internet. If any one of the three is breached, there can be serious consequences for the parties concerned. Taking the information security attributes, i.e. confidentiality, integrity and availability, information systems are categorized into three main portions, hardware, software and communications, with the aim of helping to identify and apply information security standards, as mechanisms of protection and prevention, at three levels: physical, personal and organizational. Fundamentally, procedures or policies are employed to tell administrators, users and operators how to use the products to ensure information security within the organization.

Question 2: Discuss the difference between a threat and an attack. Describe how a vulnerability may be converted into an attack.

Answer: The difference between a threat and an attack can be stated as follows:

Threats

(i) A security threat is the potential for an attack to occur.

(ii) Threats fall into the following categories:

Internal threats

External threats

Structured threats

Unstructured threats

(iii) Example: the two Kazakhstan employees story (information extortion)

In 2000, two employees of a company in Kazakhstan allegedly gained access to the Bloomberg L.P. financial information database because their company was a partner of Bloomberg. They allegedly demanded $200,000 from Bloomberg in return for disclosing how they had gained access to the database. Bloomberg opened an offshore account with a $200,000 balance and invited the pair to London to meet Michael Bloomberg in person. Police officers were present at the meeting and detained the two alleged extortionists.

Attacks

(i) A security attack is an action taken against a target with the intention of doing harm.

(ii) Attacks fall into the following categories:

Reconnaissance

Access

Denial of service

Worms, viruses, and Trojan horses

(iii) Example: the ISP Panix story (pharming)

In 2005, the domain name of the large New York ISP Panix was hijacked to point users to a site in Australia. Once the original address had been redirected to the new address, the genuine site was difficult to reach. It is believed that this attack was the result of social engineering: the attacker tricked personnel into entering the incorrect IP address into their DNS records.

Vulnerability means a weakness or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door.

A vulnerability is an identified weakness in a controlled system, where controls are not present or are no longer effective. Unlike threats, which always exist, attacks only happen when a specific act can cause loss. For example, the threat of damage from a thunderstorm exists throughout the summer in many places, but the attack and its related risk of loss exist only for the duration of an actual thunderstorm. A vulnerability is converted into an attack when a threat agent carries out a specific act that exploits that weakness: the more weaknesses a system has, the more opportunities there are for an attack, and vice versa.

Question 3: Describe an information security policy. Explain why it is critical to the success of an information security program.

Answer:

Information security policies are the courses of action used by an organization to convey instructions from management to those who perform duties; they can be regarded as organizational laws that ensure information security. Each security policy must be supported by standards, which are more detailed statements of what must be done to comply with the policy. For the program to work, the information security policy itself must be effective.

The design of an information security program begins with the creation and/or review of the organization's information security policies, standards, and practices. Then the selection or design of an information security architecture, together with the development and use of a detailed information security blueprint, forms the plan for future success. Without policy, blueprints, and planning, the organization is not able to meet the information security needs of its various communities of interest.

These policies show how issues are to be addressed and which technologies should be used, and the communities of interest must regard policies as the basis for all information security efforts. Security policies are the least expensive controls to execute but the most difficult to implement properly, and shaping policy is itself difficult. That is why policy is critical to the success of an information security program.

When an information security program is created, it always begins with the formation and/or evaluation of the organization's information security policies, standards, and practices. The policy must then be properly read, understood and agreed to by all members of the organization.

Question 4: Discuss the elements of the Security Education Training and Awareness program. Explain the factors that can influence the effectiveness of a security training program.

Answer: Security Education, Training, and Awareness (SETA) programs provide effective risk mitigation strategies, improve security posture, and protect valued corporate assets. The aim of a SETA program is to "decrease the number of inadvertent security breaches by employees, contractors, consultants, vendors, and business partners who come into contact with its information assets". It sets the security tone for the organization by laying out employee expectations. A SETA program consists of three elements: security education, training, and awareness.

1) Security education – Personnel in the information security department are encouraged to pursue formal education. Colleges and universities are examples of organizations that provide formal coursework in information security. Because many institutions have no reference for the type of skills that are essential for a particular job, they regularly refer to the certifications available in the field.

2) Security training – This area involves providing staff members with hands-on instruction to allow them to perform their jobs properly. Information security management can either develop the training curriculum in-house or outsource it. Good training methods are essential to the overall success of the training program; using the wrong training method can lead to needless expense and poorly trained personnel. Regardless of delivery technique, good training programs always use best practices.

3) Security awareness – The security awareness program is the least frequently used, but most effective, security technique. Security awareness programs set the stage for learning by changing organizational attitudes toward security, and they remind users of the procedures to be followed. When developing an awareness package, it is important to focus on people as both part of the problem and part of the solution, to avoid terminology that confuses the user, to offer just enough detailed information, and to teach users how failures in security can affect their jobs.

Factors that influence the effectiveness of SETA can be stated as follows:

(1) Lack of communication: If communication between trainers and trainees is not effective, the training cannot be effective either, and the effectiveness of the SETA program is compromised.

(2) Lack of involvement: The officials responsible for the SETA program must be involved wholeheartedly. If their involvement is compromised, the effectiveness of the whole program is compromised.

(3) Lack of interest: The people who receive information security education, training and awareness must themselves be interested. If those who are meant to benefit from the SETA program are not interested, the program cannot be called effective.

(4) Lack of knowledge: When an organization implements a SETA program, personnel may not have sufficient background knowledge to take advantage of it. Basic information security education should come first, so that the SETA program built on it is more effective.

(5) Use of modern technology: Modern delivery technologies should be incorporated into the SETA program so that it can be delivered more effectively and interactively.

Question 5: Discuss the difference between enterprise information security policy, issue-specific security policy, and system-specific security policy.

Answer: The main points about these policies are as follows:

Enterprise Information Security Policy (EISP):

Sets the strategic direction, scope, and tone for all security efforts within an organization

Executive-level document, usually drafted by or with the CIO of the organization

Usually addresses compliance in two areas:

ensuring that the requirements to establish the program, and the responsibilities assigned therein to the various organizational components, are met

use of stated penalties and disciplinary actions

Issue-Specific Security Policy (ISSP):

Addresses specific areas of technology

Requires frequent updates

Contains a statement of the organization's position on a particular issue

Three approaches to creating and managing ISSPs:

Create a number of independent ISSP documents

Create a single comprehensive ISSP document

Create a modular ISSP document

Systems-Specific Policy (SysSP):

SysSPs are normally codified as the standards and procedures used when configuring or maintaining systems

Systems-specific policies fall into two groups:

Access control lists (ACLs)

Configuration rules

Both the Microsoft Windows and Novell NetWare 5.x/6.x families translate ACLs into configurations used to control access

ACLs allow a configuration to restrict access from anyone and from anywhere, i.e. by who the user is and by where the request comes from

Rule policies are more specific to the operation of a system than ACLs

Many security systems require specific configuration scripts telling the system what actions to perform on each set of information it processes

This discussion is enough to show the differences among the three kinds of policy.
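The two groups of systems-specific policy, ACLs and configuration rules, differ in how a system evaluates them, and that difference is clearest when both are written out as data. The following added example (not part of the original essay, and not the format of any real operating system or firewall) expresses an ACL as a set of entries answering who, what, which action and from where, evaluated deny-by-default with explicit denies winning, and expresses a rule policy as an ordered list evaluated first-match, the way a host firewall processes its rule script. Subjects, resources, networks and rules are constructed for illustration.

```python
"""Added example (not from the original essay): an ACL (who / what /
which action / from where, deny by default, explicit deny wins) beside a
rule policy (ordered, first match decides). All data is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    subject: str                    # user or group principal
    resource: str                   # the object being protected
    actions: frozenset              # actions this entry covers
    source: ipaddress.IPv4Network   # where the request may come from
    allow: bool = True              # False makes this an explicit deny


# Constructed ACL for one resource.
ACL = [
    AclEntry("group:finance", "/payroll.db", frozenset({"read"}),
             ipaddress.ip_network("10.20.0.0/16")),
    AclEntry("alice", "/payroll.db", frozenset({"read", "write"}),
             ipaddress.ip_network("10.20.5.0/24")),
    # Explicit deny: alice may not write from one particular shared host.
    AclEntry("alice", "/payroll.db", frozenset({"write"}),
             ipaddress.ip_network("10.20.5.99/32"), allow=False),
]

# Constructed group membership: user -> group principals.
GROUPS = {"alice": {"group:finance"}, "bob": {"group:finance"}}


def acl_check(user: str, resource: str, action: str, source_ip: str) -> bool:
    """Deny by default; if any matching entry is a deny, the request is denied."""
    principals = {user} | GROUPS.get(user, set())
    addr = ipaddress.ip_address(source_ip)
    matched = [
        e for e in ACL
        if e.subject in principals
        and e.resource == resource
        and action in e.actions
        and addr in e.source
    ]
    if not matched:
        return False
    return all(e.allow for e in matched)


# Constructed rule policy for a host: (verdict, protocol, source network, port).
# Order matters: the first rule that matches decides, so the blanket deny
# must come last and specific prohibitions must come before broad allows.
RULES = [
    ("deny",  "tcp", ipaddress.ip_network("0.0.0.0/0"), 23),    # telnet, never
    ("allow", "tcp", ipaddress.ip_network("10.0.0.0/8"), 22),   # ssh from inside only
    ("allow", "tcp", ipaddress.ip_network("0.0.0.0/0"), 443),   # https from anywhere
    ("deny",  "any", ipaddress.ip_network("0.0.0.0/0"), None),  # default deny
]


def rule_check(proto: str, source_ip: str, port: int) -> bool:
    """First matching rule decides; falling off the end is a deny."""
    addr = ipaddress.ip_address(source_ip)
    for verdict, rproto, net, rport in RULES:
        if rproto in ("any", proto) and addr in net and rport in (None, port):
            return verdict == "allow"
    return False


if __name__ == "__main__":
    print(acl_check("alice", "/payroll.db", "write", "10.20.5.99"))  # False
    print(rule_check("tcp", "8.8.8.8", 22))                           # False
```

The ACL answers a question about a particular object and is order-independent: every matching entry is considered, and one deny outweighs any number of allows. The rule policy is about the operation of the system as a whole and is order-dependent: swapping the telnet deny with the https allow would not change the outcome, but moving the default deny to the top would block everything.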


