The CIA Triangle (no, not those guys)
The CIA triangle makes up the three things that security is always concerned with; confidentiality, availability, and integrity. Quite simply, confidentiality means that only those who should have access do. Integrity says that I can trust the information I get from the system. And availability means I'm able to access the information when I need it in a reasonable amount of time.
Balancing these three things is what it's all about. It's easy to make something really secure. I can just lock a hard drive in a waterproof safe and drop it into the ocean, but then no one can access it. And that's why it's a triangle. Just like the three angles of a triangle add up to form 180 - so too do these three concepts have to balance to form a cohesive security policy.
So with that goal in mind, we can now look at common security concepts. These include what constitutes a risk, threat, threat agent, vulnerability, countermeasure, asset and so forth. But rather than throw a bunch of definitions at you, I'd like to share a diagram that shows how each relates to the other. From there, I believe it's fairly intuitive.
Security Concept Relationships
So with this diagram in mind, lets give each concept a more concrete example. A hacker (threat agent) poses a danger (threat) because they may potentially find some outdated code that is vulnerable to sql injection (vulnerability). This constitutes a risk (which is measurable) to an asset. Should the vulnerability be exploited the result is a loss of information, reputation, etc. (exposure). This can potentially be prevented / mitigated by a safeguard which directly affects the threat agent. And thus the cycle is complete.
Bringing it together
So let's bring this together. We saw that the goal of security is balancing the CIA triangle. And now we see how various concepts relate to one another. So what does that mean?
It means that as a business, the decision has to be made about where priorities lie. Complete focus cannot be given to any one area, so risks have to be measured and the costs to install and maintain safeguards has to be figured. What is a large risk befitting a large response for one company is not likely to be the same for another.
In future posts, I will be further exploring this idea through the discussion of various security frameworks and architectures. These can form a strong foundation on which a company can build their security management system. (assuming they have one!)
Nice Post, Very informative! Nowadays CISSP is one of the best cyber security certification. If you want to learn more then you can take the CISSP training by the reputed training company. Thanks!
ReplyDeleteHi, This is a great article. Loved your efforts on it buddy. Thanks for sharing this with us. CISSP training.
ReplyDeleteHey, It's nice post.
ReplyDeleteShare more information about CISSP Certification Training
Hey,
ReplyDeleteI read you post and i enjoy it. CISSP Training
Keep Posting
Good luck