CIA... Not that one

Every field has some fundamental law that every other aspect of the field builds upon. For Cybersecurity, that is the CIA triad, and no, that's not the Central Intelligence Agency.

CIA in this context stands for Confidentiality-Integrity-Availability, the three fundamental aspects of Cybersecurity. This is one of the first things taught in any Cybersecurity education program, and it should be the first thing anyone wanting to work in Cybersecurity learns.

The words are mostly self-explanatory, but I'll explain them anyway.

Confidentiality

Confidentiality is the first aspect of the CIA triad, but what does it mean in the context of Cybersecurity? Well, it basically means that only the entity who created the data and the entity meant to receive the data can read it. Notice I use the word entity. This word was carefully chosen, as it can be a person or a device, or some other communication endpoint. There can also be only one receiving entity, or multiple.

A breach of confidentiality is rather obvious: someone sees data they weren't meant to see. Most commonly, we ensure Confidentiality by using encryption, which is converting plaintext data into ciphertext. There are many algorithms which do this, of three primary types: symmetric, asymmetric, and hashing. Each one serves a different purpose and works differently than the others.

Symmetric Encryption

Symmetric encryption uses a single key for encryption and decryption. In other words, the key used to convert plaintext into ciphertext is the same key used to convert the ciphertext into plaintext. This type of encryption is extremely fast, but lacks some of the protections of asymmetric encryption. That is not to say it is insecure. The key problem with symmetric encryption is how to securely transfer the cipher key to the receiving party. Examples of Symmetric encryption include the Advanced Encryption Standard (AES), which is favored by the U.S. Government, as well as ChaCha20 and Data Encryption Standard (DES, or the Triple DES, 3DES), and many others.

Asymmetric Encryption

Asymmetric encryption is also known as Public Key Cryptography. In this form of encryption, there are two keys, one for encryption, one for decryption. A user generates a key pair, one called a public key and one called a private key. As the names explain, they keep the private key secure and ensure only they have access, and they give the public key to anyone and everyone. Examples of Asymmetric encryption include Rivest-Shamir-Adleman (or RSA, named after the people who developed the algorithm), Elliptic Curve Cryptography (ECC), and ElGamal, amongst others.

When it comes time to encrypt a file, it is encrypted using the public key and decrypted with the private key. If a file is encrypted with the private key, anyone who has the public key can decrypt it, and since the public key is meant to be publicly available, it provides no real security benefit. However, that doesn't mean the private key is only for decrypting.

Asymmetric encryption is also very good at what is called cryptographic signing. This basically means that the person with the private key is affirming that they made this file, and if it is changed at any point that signature is broken (until re-signed). This is very commonly done in emails (to affirm that I sent the email) and in package maintenance for Linux (to affirm that I made the package).

Hashing

Hashing is the final major type of encryption, and it is also known as one-way encryption. This is because when something is hashed, it is impossible to "decrypt" that hash. Hashing is primarily used with Integrity, so we'll go into more detail there.

Integrity

Integrity is the second aspect of the CIA triad. Integrity basically means that the data hasn't changed between the time it was made and the time it was received. This is primarily verified using a technique known as hashing, which I briefly mentioned earlier. When a piece of data is hashed, the entirety of the data is read and compressed into a small alphanumeric code. This alphanumeric code is unique to that exact data. So User A would make a hash of their data, and then send the data and the hash to User B (the hash should be sent through a separate, secure communication medium from the one used to send the data). User B would then hash the data again using the same algorithm, and compare their hash to the one User A sent. If it matches, then they can feel confident it is the same piece of data and wasn't modified in transit.

There are many algorithms out there that do this, including Message Digest (MD, of which MD5 is the most common) and Secure Hash Algorithm (SHA, of which SHA256 and SHA512 are becoming the most common). With each algorithm, if even a single bit is changed in the data, it creates a wildly different hash. There are of course several types of attacks against hashes.

Changing the Hash

This is the easiest and most common attack against hashing. Basically, the attacker would do their modification of the data and hash it themselves with the same algorithm User A would have hashed it with. Then when it is transmitted to User B, they get the modified file and the new hash instead of the hash made by User A.

To explain this better, here's an example scenario:

  1. User A creates an executable named BitcoinMiner.exe. This is a safe file, and he hashes it with SHA256, resulting in a hash of FC24BF0CF9BD18EF9C80C040720A0BF6FFFC54859173A2E303B34BCB3A6AABF1. He then uploads the file and his hash to his website.
  2. Attacker has already compromised User A's website. He sees him upload this file and knows that since User A is a popular developer, many people will download this file. Attacker downloads the file and adds in a stealer, designed to steal a user's crypto wallet and any keys required to make transfers. He then hashes this modified file (also called BitcoinMiner.exe) with SHA256, resulting in a hash of D02F52363CB58072ED7FFE200300A2764C90F31027F03ACF3FC54E4BB469A470.
  3. If Attacker only replaces the file on the website but not the hash, it will be apparent to any user who does a hash against the file, as it won't match the hash provided by User A. So when he replaces the file, he also replaces the hash on the website.
  4. User B downloads the file from User A's website. He conducts his own SHA256 hash against the file, and receives the same hash listed on the website, D02F52363CB58072ED7FFE200300A2764C90F31027F03ACF3FC54E4BB469A470. Because the hash matches the website's hash, he trusts the file and executes the file.

This is a very common attack, and is hard to defend against if you are User B. I won't go into deep detail on the protections against this if you are User A. To make it short, you'd host the hash on a separate website that is secured using separate login information and hosted in a different way in hopes that it isn't also compromised by Attacker.
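To see why the separately hosted hash matters, here is User B's check from the scenario as an added example (not code from the original post). The file contents, the dictionary layout for the "website", and the function names are all constructed for illustration.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """SHA256 of the data as an uppercase hex string."""
    return hashlib.sha256(data).hexdigest().upper()


def verify(data: bytes, expected_hex: str) -> bool:
    """Recompute the hash and compare it to the expected value."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().upper())


def check_download(site: dict, out_of_band_hex: str) -> dict:
    """User B's two possible checks on a downloaded file:
    against the hash shown on the same website, and against a hash
    obtained through a separate channel the attacker does not control."""
    data = site["file"]
    return {
        "matches_site_hash": verify(data, site["published_hash"]),
        "matches_out_of_band_hash": verify(data, out_of_band_hex),
    }


# Constructed stand-ins for the two versions of BitcoinMiner.exe.
ORIGINAL = b"constructed stand-in for User A's original file"
MODIFIED = ORIGINAL + b" plus bytes added by Attacker"

# Step 1: User A publishes the file and its hash, and also keeps a copy
# of the hash on separately secured hosting.
out_of_band = sha256_hex(ORIGINAL)
clean_site = {"file": ORIGINAL, "published_hash": sha256_hex(ORIGINAL)}

# Steps 2-3: Attacker replaces both the file and the hash on the website.
compromised_site = {"file": MODIFIED, "published_hash": sha256_hex(MODIFIED)}

if __name__ == "__main__":
    print("clean site:      ", check_download(clean_site, out_of_band))
    print("compromised site:", check_download(compromised_site, out_of_band))
```

On the compromised site the same-site check still passes, and only the out-of-band comparison reports a mismatch.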

Hash Collisions

Hash collisions, also known as a Birthday attack, are extremely uncommon. This would basically be when two files result in the same hash. With more modern algorithms, like SHA256 and SHA512, this has not been proven to be possible. But with legacy algorithms, like MD5 and SHA1, we have seen collisions in hashes. The likelihood is still astronomically low, but once it is considered broken it is generally no longer used, as can be seen in NIST's 2015 policy on Hash Functions.
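Why the length of the hash matters for collisions, as an added example (not from the original post): it goes slightly beyond the text by truncating SHA256 to 24 bits, where two different inputs with the same truncated hash turn up after only a few thousand tries, while their full 256-bit hashes still differ. The input strings and function names are constructed for the demonstration.

```python
import hashlib


def truncated_digest(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA256(data), as an integer."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int):
    """Hash counter-based inputs until two share a truncated digest.

    Returns (first_input, second_input, attempts). With only 2**bits
    possible values a repeat is guaranteed within 2**bits + 1 inputs,
    and the birthday effect makes it show up far sooner.
    """
    seen = {}
    attempts = 0
    while True:
        msg = b"constructed-input-%d" % attempts
        attempts += 1
        tag = truncated_digest(msg, bits)
        if tag in seen:
            return seen[tag], msg, attempts
        seen[tag] = msg


def expected_attempts(bits: int) -> float:
    """Birthday estimate: about sqrt(pi/2 * 2**bits) inputs on average."""
    return 1.2533 * 2 ** (bits / 2)


if __name__ == "__main__":
    a, b, n = find_collision(24)
    print("inputs:", a, b)
    print("attempts:", n, "birthday estimate:", round(expected_attempts(24)))
    print("full SHA256 equal?",
          hashlib.sha256(a).digest() == hashlib.sha256(b).digest())
```

The same estimate puts a full 256-bit hash at roughly 2**128 inputs, which is why short or broken algorithms are retired while SHA256 is not.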

Availability

Availability is the last major aspect of the CIA triad. Availability basically means that the data is there when it is needed. A breach of availability occurs when someone goes to access a piece of data and it is not available to them at that time. Availability is usually resolved using High Availability (HA) techniques, such as multiple servers holding the same data, or load balancing between multiple servers to avoid Distributed Denial of Service (DDoS) attacks.

Which brings us to the most common attack against availability: DDoS. DDoS is when a large number of devices request the same data at the same time, resulting in the server being unable to process valid requests. This is commonly seen in attacks by the hacker collective Anonymous. DDoS attacks are simple in theory and simple in execution. It is possible to rent botnets on the dark web, which give access to thousands, hundreds of thousands, and potentially even millions of devices that will execute an attack against a desired target.

Defense against a DDoS is almost always done using these high availability techniques and by using Content Distribution Networks (CDNs) like Cloudflare. But with DDoS attacks reaching the Terabits per Second (Tbps) in terms of throughput, even many large companies can't handle this without companies like Cloudflare, Akamai, and other similar organizations. In addition, if an attacker determines the actual IP address or other public-facing method of reaching your organization in a way that lacks the protections of a company like Cloudflare, they can take you offline even with these kinds of companies in front of your DNS records.

This concludes the CIA portion of this post. However, CIA doesn't tell the whole story of security, so I wanted to go into one more short portion of this post: the Parkerian Hexad. The Parkerian Hexad adds three additional attributes to the CIA triad. So the full attributes of the Parkerian Hexad are: Confidentiality-Integrity-Availability-Authenticity-Possession or Control-Utility. So let me do a brief discussion on these last three attributes that are also essential to security.

Authenticity

Authenticity refers to being able to confirm that data was sent by a certain individual. The way I describe it sounds like Integrity (that the data hasn't changed), but it means something different. It means being able to confirm that User A is actually the one who sent it, and User A can't claim it wasn't them. This is also known as non-repudiation.

I spoke briefly on how this is done previously, but to reiterate it: Public-key Cryptography (Asymmetric Encryption) provides for digital signatures. A digital signature on a file is used to provide non-repudiation.

Possession or Control

This is closely related to the idea of confidentiality, but there is a key difference. In confidentiality, a breach occurs when an attacker or user reads data that wasn't meant for them. User A sends data to User B, who is the only one who should read it, but User C also reads it. That is a breach of confidentiality.

Possession or Control simply means that data is always in the control of whoever is expected to control it. The best way to explain this is with an example: I send you a packet of data that is encrypted. An attacker is using a Man-in-the-Middle attack to copy every packet of data that is sent. They temporarily gain control of the packet, but they are unable to read its contents. The packet is sent on to you unmodified and only you end up reading the contents as intended. Confidentiality was not breached here, as only you and I read it. But control was lost, as I didn't intend for the attacker to gain control of that packet.

Utility

Utility just means usefulness. The data is useful when you go to use it. This doesn't necessarily mean that you get a file and think "What's the point of this?" This means something like: You created an encrypted vault on your computer and stored some sensitive data, let's say your birth certificate, in that vault. You come back a month later when you need it, but you forgot the password to the vault and you are unable to access the data. A breach of utility has occurred at this point, as you are unable to access the data. It's not a breach of availability, because the data is still there and could be accessed if you knew the password.

I hope this post was helpful and that you enjoyed it. If you have any other topics that would be of interest to you, please feel free to reach out and ask for me to cover a topic, and I'll work on coming up with a good post as long as I know enough about that request.