Penguin Fortress YouTube Channel

Video transcript: CISSP Domain 1 - CIA Triad

This is a transcript for a video linked here: CISSP Domain 1 - CIA Triad.

00:00:00.480 --> 00:00:07.280

This is the first in a series of videos I'll be

making on cyber security concepts. These will be

00:00:07.280 --> 00:00:13.600

based around some of the principles in the CISSP

certification exams, but also useful for anyone

00:00:13.600 --> 00:00:19.440

interested in learning more about IT security

and how to keep your system safe. When appropriate,

00:00:19.440 --> 00:00:25.040

I'll be referring to real-world examples, and in

future videos I'll be demonstrating some simulated

00:00:25.040 --> 00:00:30.080

attacks. If this is something you'd be interested

in, please subscribe and click the notification

00:00:30.080 --> 00:00:37.920

icon to see future videos. This is from

domain one of CISSP: Security and Risk Management.

00:00:40.800 --> 00:00:47.360

One of the key security models is the CIA triad.

This is a high-level concept which stands for

00:00:47.360 --> 00:00:55.440

confidentiality, availability and integrity. Looking

at these in turn, let's start with confidentiality.

00:00:55.440 --> 00:01:01.360

This is the first aspect of the CIA triad. It's

about keeping data secret so that it can only

00:01:01.360 --> 00:01:06.960

be accessed by those who have the appropriate

permissions. It extends beyond information about

00:01:06.960 --> 00:01:12.800

a person and may also involve restricting

access to data objects and resources, whilst it

00:01:13.680 --> 00:01:20.640

must continue to allow authorized access. Breaches

of confidentiality may not always be intentional;

00:01:21.280 --> 00:01:26.720

they could be the result of a human error, lack of

oversight, lack of understanding or incompetence.

00:01:28.080 --> 00:01:32.000

Clearly there have been many breaches of

security, some of which have hit the headlines.

00:01:33.280 --> 00:01:37.360

T-Mobile have experienced data breaches

which resulted in personal information

00:01:37.360 --> 00:01:45.440

of millions of their customers being stolen.

The Sony attack in 2014, where terabytes of

00:01:45.440 --> 00:01:52.560

data were stolen from Sony's servers, including

some unreleased films. And to look at some of the

00:01:52.560 --> 00:01:57.120

specific aspects of confidentiality, I'm going

to break this down into a number of points.

00:01:58.240 --> 00:02:02.560

First is sensitivity. This is about

information which could cause harm or damage.

00:02:04.800 --> 00:02:08.160

Discretion: this is information

00:02:08.160 --> 00:02:13.840

which, if it was acted upon, could influence

or control events or cause harm or damage.

00:02:16.640 --> 00:02:22.320

Criticality: a measure of how critical the

information is, particularly to a corporation.

00:02:26.720 --> 00:02:34.880

Concealment. Concealment is a way of hiding

or preventing disclosure. If you're looking at

00:02:34.880 --> 00:02:39.920

concealing information, it shouldn't be just about

not linking to it while the information's still

00:02:39.920 --> 00:02:45.360

there, hoping that people don't find it. It's

about making sure the information is hidden

00:02:46.480 --> 00:02:52.560

so that they're not aware of it, as

well as it being inaccessible to them.

00:02:55.760 --> 00:03:03.520

Secrecy, and this is the act of keeping something

secret, and privacy, which is keeping information

00:03:03.520 --> 00:03:09.600

confidential, particularly information which is

personally identifiable or may cause embarrassment.

00:03:12.240 --> 00:03:18.720

Seclusion is about storing something in an

out-of-the-way location, usually with strict

00:03:18.720 --> 00:03:23.520

access controls. For example, you may have

a different place to store credit card

00:03:23.520 --> 00:03:26.320

information rather than it

being in the normal database.

00:03:29.280 --> 00:03:34.800

Isolation is similar to seclusion but takes it

a step further, so it may be that you actually

00:03:34.800 --> 00:03:41.040

store that credit card information in a way

that can only be accessed by certain systems,

00:03:42.240 --> 00:03:45.840

so in a separate system that's

isolated from the others.

00:03:50.720 --> 00:03:58.080

The second aspect of the CIA triad is integrity,

which is about the reliability and correctness

00:03:58.080 --> 00:04:06.000

of data. It involves preventing unauthorized

alterations, which may be malicious activities such

00:04:06.000 --> 00:04:13.840

as someone looking to change their grade, a classic

from the film WarGames, or a virus destroying data,

00:04:13.840 --> 00:04:20.560

or it could be through a mistake by authorized

users. Controls must be in place to restrict access

00:04:20.560 --> 00:04:30.080

to data objects and resources. Confidentiality and

integrity depend on each other. Perhaps an extreme

00:04:30.080 --> 00:04:37.520

example of what damage can be done with integrity

is with the Stuxnet computer worm. This is considered

00:04:37.520 --> 00:04:42.800

to have been a cyber weapon, and it caused

substantial damage to the Iranian nuclear program.

00:04:43.840 --> 00:04:48.640

In that case it wasn't the data that was being

corrupted, but it targeted the code for the

00:04:48.640 --> 00:04:55.680

programmable logic controllers, PLCs, and it caused

the gas centrifuges to spin out of control, causing

00:04:55.680 --> 00:05:00.960

physical damage. If we look at integrity in a bit

more detail, you can break this down into a number

00:05:00.960 --> 00:05:07.520

of points as well. There's accuracy: data needs

to be accurate, needs to be correct and precise.

00:05:09.280 --> 00:05:12.720

Truthfulness: it should be a

true reflection of reality.

00:05:14.720 --> 00:05:22.000

Validity means it's factually or logically

sound. Accountability, and this is that the

00:05:22.000 --> 00:05:26.160

operators should be responsible for their

actions and the results of those actions.

00:05:28.960 --> 00:05:37.840

Responsibility: there should be someone or something

in charge or having control over the data.

00:05:40.080 --> 00:05:45.920

Completeness: data should be complete, including

all the necessary components and parts. It's

00:05:45.920 --> 00:05:54.800

no good having only part of a person's details.

And comprehensive: it should be complete in scope.

00:05:56.160 --> 00:06:05.200

And then the final aspect of the CIA triad is

availability. Availability is about having

00:06:05.200 --> 00:06:11.600

uninterrupted access to the services. The system

should have sufficient processing capability,

00:06:11.600 --> 00:06:18.240

bandwidth and timeliness as deemed necessary.

Threats can include denial of service attacks,

00:06:18.240 --> 00:06:23.680

environmental and human errors, which could arise

due to lack of oversight or lack of competence.

00:06:25.280 --> 00:06:30.160

It could be a result of badly configured

services, including security rules.

00:06:32.080 --> 00:06:36.960

Here are some real examples. A denial of service

attack can be difficult to protect against,

00:06:36.960 --> 00:06:39.280

particularly if distributed across a botnet.

00:06:40.640 --> 00:06:45.520

The problem is the cost of resources such as

bandwidth and processing to allow genuine access.

00:06:46.880 --> 00:06:50.720

I had some of my own software which I

experienced a denial of service attack on.

00:06:51.440 --> 00:06:55.920

In that case the attacks were from a single

address, and I was able to add code to detect

00:06:55.920 --> 00:07:03.520

a potential attack and block against it. A much

worse example was the WannaCry ransomware. It had

00:07:03.520 --> 00:07:11.280

a significant impact on the UK National Health

Service in 2017. In that case it was a crypto

00:07:11.280 --> 00:07:17.280

worm which would infect and encrypt computers that

were running an unpatched version of Windows 7. It

00:07:18.160 --> 00:07:23.680

had a significant impact on the IT systems

and the ability to provide medical care.

00:07:25.040 --> 00:07:30.240

Fortunately, a kill switch was discovered

by Marcus Hutchins. Whilst often credited

00:07:30.240 --> 00:07:35.600

as a white hat hacker for this, he had a darker

side, including working on the Kronos malware.

00:07:37.520 --> 00:07:40.640

So, looking at the CIA triad in more detail,

00:07:41.600 --> 00:07:49.840

there are a few concepts here. So the first

one is usability: it needs to be easy to use.

00:07:52.400 --> 00:07:57.840

And accessibility: there should be a wide range of

subjects that can interact with the resource.

00:08:01.040 --> 00:08:04.480

Timeliness, and this means it should be prompt,

00:08:04.480 --> 00:08:11.840

on demand, with a reasonable response

time, including low latency.

00:08:14.080 --> 00:08:18.160

The CIA triad is not the only model for

applying security; there are many others.

00:08:18.800 --> 00:08:26.320

One example is the D-A-D, or DAD, triad.

This takes the opposite approach

00:08:26.320 --> 00:08:31.840

to CIA, in that it works by identifying the things

that you want to avoid rather than the

00:08:31.840 --> 00:08:39.840

things that you desire, which was the

CIA triad. These are D for disclosure,

00:08:41.360 --> 00:08:44.560

A for alteration and then D for destruction.

00:08:47.680 --> 00:08:55.360

And then we can also look at some other models.

The A-A-A, or AAA, model is an important one which

00:08:55.360 --> 00:09:00.240

I'll be covering in a future video, which

looks at authorization and authentication.

00:09:02.720 --> 00:09:08.320

I'm going to leave it there for now. I hope this

has been useful. If so, please give it a like so I

00:09:08.320 --> 00:09:14.160

know that these are worthwhile and people are

responding to this. I'll be looking at putting

00:09:14.160 --> 00:09:17.920

more of these together, and if you're

interested in watching those future videos,

00:09:17.920 --> 00:09:21.200

please subscribe to this channel

and click on the notification icon

00:09:21.760 --> 00:09:25.920

to get notified about the future

videos. Thanks for watching.
