CIA Triad

00:03

[Music]

00:06

hello everyone

00:07

welcome back in today's lecture we will

00:09

see the cia triad

00:12

as usual we will start the session with

00:14

the outcomes

00:15

upon the completion of this session the

00:17

learner will be able to

00:19

outcome number one we will define

00:21

computer security

00:23

outcome number two we will know the key

00:25

objectives of computer security

00:27

outcome number three we will understand

00:29

the c i

00:30

a triad and outcome number four we will

00:33

know various levels of

00:35

impact of security breach before we step

00:38

into the cia triad

00:40

let's see the definition of computer

00:42

security the computer security

00:44

definition is as follows the protection

00:46

afforded to an automated information

00:49

system

00:49

in order to attain the applicable

00:51

objectives of preserving

00:52

the integrity availability and

00:55

confidentiality of

00:56

information system resources which

00:58

includes hardware

01:00

software firmware information or data

01:03

and telecommunications and this is the

01:05

definition of computer security by

01:07

nist which is a government organization

01:10

of the united states

01:12

i know you will find many key terms in

01:14

the definition

01:15

i will just provide you an easy way to

01:17

understand this definition

01:18

let's figure out the three important key

01:21

terms of the definition

01:22

number one the integrity number two the

01:25

availability

01:26

and number three confidentiality if we

01:29

understand all these three key terms

01:31

then the definition will be easy

01:33

ultimately we are going to provide

01:35

security to the system

01:36

the system includes both hardware and

01:38

software not only hardware and software

01:41

we should also focus on the firmwares or

01:44

the data or the information that is

01:46

processed by the system

01:47

and not only this the telecommunications

01:50

as well

01:50

what is telecommunications it is the

01:52

communication

01:53

at a distance so in this subject we are

01:55

going to focus

01:56

on security in all aspects of the

01:59

computer networks

02:00

and obviously computer networks has a

02:03

lot of things to deal with

02:04

if these three key objectives are clear

02:07

that is the integrity availability and

02:09

confidentiality that the definition will

02:11

be clear

02:12

anyway we are going to see these three

02:14

key terms elaborately

02:16

in the cia triad part let's now step

02:19

into the cia triad

02:21

what is the cia triad the name itself

02:24

says that it is a triad tri means three

02:26

so there are three key elements of this

02:29

c i a triad

02:30

let's see what are the three key

02:32

elements we can see the first element is

02:34

the confidentiality

02:36

the second one is the integrity and the

02:38

third one is the availability and we can

02:40

notice that

02:41

everything is for the data and the

02:43

services we are going to do with the

02:45

computer system

02:46

all right let's see the key terms

02:48

elaborately firstly we will focus on the

02:50

first key element

02:52

the confidentiality when we say

02:54

something is confidential what do you

02:56

mean by that

02:57

it means others should not understand

02:59

except the parties who are involved in

03:00

that transaction

03:02

say if i am drafting a letter to my

03:03

friend and if i mention that it is

03:05

confidential

03:06

this confidential message means it

03:08

should be known to me

03:10

as well as to my friend right because

03:12

these two parties are legitimate parties

03:14

involved in this transaction

03:16

now if an anonymous person receives this

03:18

letter or message

03:19

and if he sees the message or the

03:21

content what is there in the transaction

03:23

then ultimately there is loss of privacy

03:25

right so obviously we don't have any

03:27

confidentiality when somebody sees the

03:29

message

03:30

so we need to prevent unauthorized

03:32

access and disclosure

03:34

unauthorized access means nobody else

03:36

can access

03:37

except the right entities who are

03:39

involved in the transaction and

03:40

disclosure means the message should not

03:42

be open enough

03:43

to be simple if the message is encrypted

03:46

no one else can see what is the message

03:48

except the sender and the receiver right

03:50

because the sender and the receiver only

03:51

will know what is the message what is

03:53

the key what is the encryption algorithm

03:55

everything right

03:56

generally encryption algorithms are kept

03:58

public and keys only

04:00

are kept secret anyway i will talk about

04:02

this later for time being just

04:04

understand

04:04

confidentiality means we need to protect

04:07

the data that is being transmitted

04:09

if it is encrypted obviously it provides

04:11

confidentiality because

04:13

no one else can see what it is right it

04:15

is a scrambled text that they are seeing

04:17

no one else should be able to understand

04:20

what is the message that is being

04:21

transmitted between the sender and the

04:23

receiver

04:24

this is exactly confidentiality let's

04:26

come to the second key element

04:28

in cia triad which is the integrity i

04:30

will just give you a formula like this

04:32

sent is equal to received whatever the

04:36

sender is sending

04:37

the same message only the receiver

04:38

should receive for example if you are

04:40

performing a banking transaction of 1000

04:43

rupees

04:44

obviously the transaction should involve

04:46

only 1 000 rupees

04:48

what if an attacker modifies this as 10

04:50

000 rupees

04:51

not only the modification of amount by

04:53

the attacker

04:54

let's assume the destination address or

04:56

the destination account is given

04:58

as the attacker's account just imagine

05:01

this for an example this may not be real

05:03

and this may not be seeming to be a

05:04

perfect example

05:05

but i wanted to make you to understand

05:07

the severity of modification of message

05:10

i wanted to explain you what is

05:11

integrity so we don't want any

05:14

modification of messages by the

05:16

unauthorized people

05:17

say you want to transfer some fund to

05:19

your friend but unfortunately the fund

05:22

is being transmitted or transferred

05:24

to somebody else account that is

05:25

attackers account obviously this has

05:28

happened because of the modification

05:29

of the messages that is being

05:31

transmitted between the sender and the

05:32

receiver

05:33

by the attackers so this transaction

05:35

should not be permitted by the system

05:37

and the security system should be able

05:39

to find out that this is not the message

05:41

that was sent by the sender

05:42

in other words the security system

05:44

should ensure that this is not the

05:45

transaction that was initiated by the

05:47

sender

05:48

so integrity means we need to ensure

05:50

that there is no modification of the

05:52

message that is being transmitted

05:54

so whatever the sender is sending that

05:57

only the receiver should receive

05:58

and if there is any modification in the

06:00

message that is being transmitted the

06:02

system should be able to find out that

06:04

and it should discard that message so

06:06

integrity is also one of the key terms

06:08

of the cia triad

06:10

and coming to the third key element

06:12

which is the availability

06:14

availability means we need to ensure the

06:16

timely and the reliable access to the

06:18

system

06:19

say for example if you are hitting

06:20

google.com if you hit now it will work

06:23

if you hit after one hour it will work

06:25

if you hit after 10 days it will work

06:27

because you trust that google server

06:30

will be always available

06:32

at the same time there may be many

06:33

attacks that may be launched against

06:35

google.com server

06:36

but still google server is a very

06:38

secured one and google is able to

06:40

provide its service to the customers or

06:42

the users who access it

06:44

without any flaws so that's the power of

06:47

a security

06:48

system i will also provide you one more

06:50

example imagine you have a bank account

06:52

and you want to access your banking

06:54

server

06:54

you are expecting the banking server to

06:56

respond you with the requested data

06:59

what if an attacker has launched an

07:00

attack on the banking server

07:02

and disrupted the service so when you

07:04

access the banking server you are not

07:06

getting the service that you are

07:07

expecting

07:08

obviously we don't encourage that

07:09

because whenever we want a service we

07:11

expect the system to provide service to

07:13

us

07:13

and this service should be a timely and

07:16

a reliable service as well

07:18

there will be attackers always on the

07:19

internet and our security system is

07:21

expected to provide security to the

07:23

system

07:24

and to the users and whenever any attack

07:26

is launched on the server

07:28

we expect the server should withstand

07:30

that attack it should still be able to

07:32

provide access to the servers in the

07:34

same way as it was in the perfect

07:36

situation

07:36

and that's it about the cia triad let's

07:39

now navigate to the levels of impact

07:41

of security breach when there is a

07:44

security breach

07:45

in the organizational data or to the

07:47

server or to an individual

07:49

basically there will be three levels of

07:51

impact number one

07:52

is the low level impact number two is

07:55

the medium level impact

07:56

and number three is the high level

07:58

impact we will see the various levels of

08:00

impact of security breach one by one now

08:03

firstly we will focus on low level

08:05

impact if your system is affected by

08:07

some attacks

08:08

and the low level impact means there is

08:10

a limited adverse effect

08:12

on organizations operation or

08:14

organizational assets or

08:16

individual that is the system is

08:18

affected with minor

08:19

harm or minor damage or in terms of

08:21

financial aspects

08:23

it is a minor financial loss if the

08:26

effect of the attack is negligible then

08:28

it falls in the low level impact

08:30

and coming to the next level of impact

08:32

which is the medium level of impact

08:34

it has a serious adverse effect on

08:37

organizational operation

08:39

or organizational assets or even serious

08:41

adverse effect on

08:42

individual so the loss may be a

08:44

significant loss or a significant damage

08:47

or a significant harm that is caused to

08:49

the organization or to the individual

08:51

and this medium level of impact means

08:53

the attack may be involving in the loss

08:55

of life

08:56

or even serious life threatening issues

08:58

also

08:59

and coming to the final level of impact

09:01

which is the high level impact

09:02

so when the medium itself is very

09:04

dangerous think about the high level

09:06

impact so everything is gone

09:08

right so the reputation everything high

09:10

level impact of security breach means

09:12

the organization

09:13

has catastrophic adverse effect it means

09:16

severe adverse effect on organizational

09:19

operations or organizational assets or

09:21

individual it is a complete disaster to

09:24

the organization

09:25

so these are the three levels of impact

09:27

of security breach

09:28

and this could be for an individual or

09:31

for an organization

09:32

or for an organizational data or for the

09:34

information system

09:36

or for any kind of stuff that really

09:38

needs security

09:39

before we step out let's see the

09:41

additional features of cia triad

09:44

basically the cia triad includes only

09:46

three key elements right the

09:47

confidentiality

09:48

the integrity and the availability we

09:51

also have two more additional elements

09:53

and the additional elements are number

09:55

one the authenticity and number two

09:58

accountability authenticity is the

10:00

property of being genuine and being able

10:02

to verify the part is

10:04

involved say if the sender is going to

10:05

send some message to the receiver

10:07

say if the receiver is receiving a

10:09

message and the receiver should be able

10:11

to verify that the message is from the

10:13

right party

10:14

or the message is from the trusted

10:16

source we will call this property as

10:18

authenticity in other words let's say

10:20

you are accessing google.com

10:22

suppose if you give a request from your

10:23

browser as www.google.com

10:26

and you are expecting that your request

10:27

is going to google server and not any

10:29

bogus server

10:30

right when the request is received by

10:32

google server and google should be able

10:34

to verify that it is from you

10:35

so this is we call as authentication or

10:38

authenticity

10:39

and coming to the next additional

10:40

element which is accountability

10:42

say for example accountability is also

10:44

an essential part of an information

10:46

security plan

10:47

it means every individual who works with

10:50

an organization or who works with an

10:51

information system

10:53

should have specific responsibilities

10:55

for information

10:56

assurance every user who access the

10:58

system has their own roles and

11:00

responsibilities

11:01

and whatever the actions the users

11:03

perform the system should keep records

11:06

of their activities

11:07

why system should keep track of the

11:09

activities because

11:11

later if any attack is launched or if we

11:13

find that something is suspicious

11:15

then the system should permit forensic

11:17

analysis later

11:18

to trace the security breaches so in

11:20

order to do that we need to ensure that

11:22

the system is

11:23

accountable every user is given some

11:25

responsibility

11:27

and every user should access only to

11:29

that level of privilege

11:30

or it must ensure that the users are not

11:33

misusing their privileges

11:35

let's see some real time examples for

11:37

confidentiality

11:38

integrity and availability the first one

11:41

we will see

11:42

is confidentiality for example the

11:44

banking account information say you have

11:46

your mobile phone and you have your

11:48

banking

11:48

app in your mobile phone if you request

11:51

some data from your banking server

11:52

and from the banking server to your

11:54

mobile phone or to your desktop from

11:56

where you are going to access

11:58

the data traffic must be encrypted what

12:01

if the data is not encrypted

12:03

obviously there are chances for the

12:04

attackers to see what information is

12:06

being transferred between the sender and

12:08

the receiver

12:09

so we don't encourage that should happen

12:11

so encryption is one of the ways we can

12:13

achieve

12:14

confidentiality if the message is

12:16

encrypted

12:17

except the server and you who are

12:19

accessing the system

12:20

no one else can understand what it is so

12:22

the message must be encrypted

12:24

encryption is one of the ways to achieve

12:27

confidentiality

12:28

coming to the second example which is

12:30

integrity the patient's information

12:32

say for example there is a hospital

12:34

management system let's assume someone

12:36

is having some disease and that person

12:38

is installed with some sensors

12:40

and the sensors are installed on his

12:42

body in this hospital management system

12:44

the doctor can be anywhere in the world

12:47

and the patient can also be anywhere in

12:49

the world but still doctor and patient

12:51

relationship

12:52

can exist seamlessly because of the

12:53

powerful internet connectivity and the

12:56

iot concepts the internet of things

12:58

in this example the patient is wearing a

13:00

sensor and the patient or doctor need

13:02

not be in person

13:04

to do the medical treatment or to get

13:06

the medical treatment

13:08

and what is the role of the sensor you

13:09

know the sensor is going to report the

13:11

heartbeat rate periodically to the

13:13

doctor

13:14

by other servers let's assume the server

13:16

is going to collect all the heartbeat

13:18

information that is sent by the sensor

13:20

so obviously whatever the sensor is

13:23

sensing the heartbeat value that should

13:25

be stored without any alteration in the

13:27

server

13:28

only then the doctor will be able to

13:30

provide right treatment to the patient

13:32

if the sensor is sensing the right value

13:34

and the right value is sent to the

13:36

server but

13:37

during the travel if an attacker is

13:39

modifying the value

13:40

and if this modification is stored in

13:42

the server and when the doctor sees this

13:44

modified value and

13:46

is giving some treatment based on this

13:48

this could be

13:49

a life threatening issue also it could

13:52

even lead to lethality or fatality

13:55

let's assume the heartbeat value that is

13:56

sensed by the sensor is 70

13:58

and this 70 is now being transmitted to

14:01

the receiver that is the server

14:03

what if the attackers captures this

14:05

packet and modifies it as 150.

14:07

so the treatment may go wrong right

14:09

because of this so all patients

14:11

information must be

14:12

confidential and not only confidential

14:15

it should also have the property of

14:17

integrity

14:18

so whatever the sender is sending that

14:20

only the receiver should receive

14:22

no modification should be permitted so

14:24

this is an example for integrity

14:26

and coming to the next one the

14:28

availability example

14:30

authentication service let's assume

14:31

there is a server which is providing

14:33

authentication service

14:34

and whenever user wants to carry out any

14:36

activity this user must be verified or

14:39

authenticated by the authentication

14:40

server

14:41

and this authentication server should be

14:43

always available because user may

14:44

request data access

14:46

at any point of time so authentication

14:48

is one of the important services that

14:50

should be always available

14:52

we can take google as an example also

14:54

just think anytime you access google.com

14:56

you will be able to get the access

14:58

because google.com server is available

15:00

all the time

15:01

and whenever you request any service you

15:04

should get that service that's what as

15:05

an end user we will expect right

15:07

the examples that are shown here just

15:09

for understanding concepts but in

15:11

reality

15:12

every application or every organization

15:15

has their own set of policies

15:16

their confidentiality level or their

15:18

confidentiality need will be different

15:20

from each other say for example the

15:23

integrity requirement or the

15:24

availability requirement or the

15:26

confidentiality requirement

15:27

for every individual or an organization

15:29

varies so it has to be followed as per

15:31

the policies they frame

15:33

i hope these examples will help you to

15:35

understand what is confidentiality

15:37

integrity and availability and that's it

15:39

guys i hope now you understood the

15:41

computer security

15:42

the key objectives of computer security

15:44

we also understood the cia triad

15:47

and we also have seen various levels of

15:49

impact of security breach

15:51

i hope you guys enjoyed today's lecture

15:53

i'll see you in the next lecture and

15:55

thank you for watching