Understanding the CIA Triad in 2022

A question I commonly see when individuals are trying to break into the Cybersecurity industry is: What do I need to understand to be successful and make it?

My response has always been to start at the CIA Triad (also referred to as the CIA Triad Principles). The Triad is a strong foundational approach to how we handle and protect data, systems or other valuable assets. The CIA Triad stands for Confidentiality, Integrity and Availability. Think of it as an equilateral triangle where all sides are equal and no one principle is more important than another. It only takes one side to fall for the contents inside the triangle to be exploited.

As you progress in your cybersecurity journey, you will often refer back to these principles to determine how an asset can be better protected or a risk better mitigated. Let’s dive further into the CIA Triad security model.

Confidentiality

Confidentiality (privacy) is assuring that only the correct person(s) have access to the material or data while it is in transit, at rest or being processed. This can be achieved by a variety of primary controls including: Two-Factor/Multifactor Authentication (2FA/MFA), Encryption, Access Controls, Classification, Watermarking and more.

What are the threats to Confidentiality?

Things that threaten Confidentiality include (but are not limited to): Human Error, Weak Passwords, Lack of Strong Encryption, Eavesdropping (including Dumpster Diving) and Insider Threats.

Integrity

Integrity is assuring that the data or systems cannot be altered or destroyed by unauthorized person(s). This can be achieved by a variety of primary controls including (but not limited to): Hashing, Auditing, Setting File Permissions, Backups and Message Digests.

What are the threats to Integrity?

Things that threaten Integrity include (but are not limited to): Data Diddling, Human Error, Vulnerable Software, Insider Threat and Ransomware.
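
As an added example (not part of the original post), the Python sketch below shows the Hashing / Message Digest control catching the threats listed above: it records a SHA-256 digest for each file as a known-good baseline, then reports files that were altered, destroyed or added afterwards. The function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    """SHA-256 message digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Record a digest for every file under root (the known-good state)."""
    return {str(p.relative_to(root)): digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current state with the baseline and report every difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "unexpected": sorted(n for n in current if n not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample data: three small files, then three unauthorized changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll.csv").write_text("alice,5200.00\nbob,4800.00\n")
        (root / "app.conf").write_text("audit_log=on\n")
        (root / "readme.txt").write_text("quarterly figures\n")
        baseline = build_baseline(root)  # keep this somewhere writers cannot reach

        # Data diddling: one digit changed, file length stays the same.
        (root / "payroll.csv").write_text("alice,5200.00\nbob,9800.00\n")
        (root / "app.conf").unlink()                # destroyed
        (root / "notes.tmp").write_text("dropped")  # not in the baseline
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:10} {names}")
```

The digest comparison only helps if the baseline itself is protected, which is where the File Permissions and Backups controls come in.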

Availability

Availability is assuring that the data can be accessed by authorized person(s) whenever requested. This can be achieved by a variety of primary controls including (but not limited to): Firewalls, Load Balancers, Uninterruptible Power Supplies (UPS), Business Continuity Plan and Disaster Recovery Plan (BCP/DR) and Backups.

What are the threats to Availability?

Things that threaten Availability include (but are not limited to): Human Error, Default Passwords (on security appliances), Power Outages, Natural Disasters, Ransomware and Insider Threats.

Below is a more in-depth video of the CIA Triad. It will cover things in greater depth as well as a few extra tips that are not outlined on this blog.

EXAM TIP: When studying, I find it useful to approach question sets by asking yourself where the question lies on the CIA Triad. This will give you a strong hint as to what answer you should be looking for. For instance, if the question is talking about DDoS mitigations, the question is likely referencing Availability. You want to make sure the responses line up with ensuring the information is available when it needs to be (i.e. Load Balancers, Firewalls, Backups). It wouldn’t make much sense to apply a Confidentiality control like watermarking to ensure Service Level Agreements (SLA).

Be sure to have a firm grasp on the CIA Triad and if you have any questions or suggestions, please feel free to reach out to me.


Drawing on over two decades of experience in the Information Technology industry, I have acquired a diverse range of roles that have shaped my distinctive outlook. Through this journey, I have developed into an accomplished authority in risk management, catering to Fortune 500 companies and small businesses on a global scale. Over the past 12 years, my primary focus has centered on empowering small business owners and insurance professionals to comprehend the ramifications of cyber incidents and effectively mitigate the risks associated with potential data breaches. My passion for cybersecurity has inspired me to create the Sage Knows IT blog. Through this platform, I aim to help small business owners and aspiring IT professionals understand the roadmap of the IT industry based on my experiences. Information Technology and Information Security are crucial for our future, and I hope my blog will motivate those who are interested in joining this ever-evolving field.
