Fundamental Security Concepts

Every security decision ever made—from ancient encryption ciphers to modern zero-trust architectures—can be understood through a single, elegant framework: the CIA Triad. This deceptively simple model consists of three fundamental principles: Confidentiality, Integrity, and Availability.

Understand these three concepts deeply, and you possess the lens through which all security analysis becomes possible. Breach reports, compliance frameworks, penetration testing methodologies, security architecture reviews—every aspect of information security maps back to protecting or attacking one or more elements of the CIA Triad.

This isn't merely academic taxonomy. The CIA Triad is the operational vocabulary of security professionals worldwide. When a CISO reports to the board about risk, they're discussing threats to confidentiality, integrity, or availability. When a security engineer designs a system, they're implementing controls that address each pillar. When an attacker plans their approach, they're targeting weaknesses in one or more of these areas.

The CIA Triad didn't emerge from a single moment of insight—it evolved over decades as computing systems transitioned from isolated mainframes to globally interconnected networks. Understanding this history illuminates why these particular three principles became foundational.

Early Computing Era (1960s-1970s):

In the era of time-sharing mainframes, confidentiality dominated security concerns. Multiple users shared expensive computing resources, and preventing unauthorized access to others' data was paramount. The Bell-LaPadula model (1973), developed for the U.S. Department of Defense, formalized confidentiality through its famous "no read up, no write down" principle—ensuring classified information couldn't flow to unauthorized parties.

Data Processing Era (1970s-1980s):

As computers began processing financial transactions and medical records, integrity emerged as equally critical. The Biba model (1977) addressed this with its inverse principle: "no read down, no write up"—protecting data from corruption by less trusted sources. The Clark-Wilson model (1987) further refined integrity concepts for commercial environments, introducing well-formed transactions and separation of duties.

Networked Era (1980s-present):

The explosion of networked systems brought availability into sharp focus. Systems that users couldn't access when needed were useless, regardless of how confidential or accurate their data remained. The first major denial-of-service attacks in the late 1980s demonstrated that availability was a security concern, not merely an operational one.

Confidentiality ensures that information is accessible only to those authorized to view it. This seemingly simple definition conceals layers of complexity—who decides authorization? How is it enforced? What constitutes "access"? How do we handle partial disclosure?

Formal Definition

Confidentiality protects against unauthorized disclosure of information. It guarantees that sensitive data—whether at rest, in transit, or in use—remains inaccessible to unauthorized parties, including:

• External attackers attempting to steal data
• Malicious insiders with legitimate system access but not data access
• Accidental exposure through misconfiguration or human error
• Inferential disclosure through data aggregation or analysis

Dimensions of Confidentiality

Confidentiality operates across multiple dimensions that security architects must address:

Data States:

• At rest: Data stored in databases, filesystems, backups
• In transit: Data moving across networks
• In use: Data actively processed in memory

Disclosure Types:

• Direct disclosure: Unauthorized party obtains actual data
• Indirect disclosure: Attacker infers data through side channels
• Aggregation disclosure: Combining public data reveals private information

Confidentiality Attack Vectors

Understanding how confidentiality fails illuminates how to protect it. Major attack categories include:

Network-Based Attacks:

• Eavesdropping/Sniffing: Capturing unencrypted network traffic
• Man-in-the-Middle (MITM): Intercepting and potentially modifying encrypted communications
• Traffic Analysis: Inferring information from patterns even in encrypted traffic

System-Based Attacks:

• Unauthorized Access: Gaining access through stolen credentials or privilege escalation
• Memory Attacks: Extracting data from RAM, swap space, or crash dumps
• Side-Channel Attacks: Exploiting CPU cache timing, power consumption, or electromagnetic emissions

Human-Based Attacks:

• Social Engineering: Manipulating authorized users into disclosing information
• Insider Threats: Authorized users intentionally exfiltrating data
• Accidental Disclosure: Misconfigured systems, misdirected emails, lost devices

Real-World Case Study: The Equifax Breach (2017)

The Equifax breach compromised personal data of 147 million Americans—social security numbers, birth dates, addresses, and driver's license numbers. This confidentiality failure illustrates multiple lessons:

Root Cause: An unpatched Apache Struts vulnerability (CVE-2017-5638) allowed attackers to execute commands on web servers. The patch had been available for two months before the breach.

Failure Cascade:

1. Vulnerability scanning failed to identify the unpatched system
2. Network segmentation was inadequate—attackers moved laterally
3. An expired internal SSL certificate prevented intrusion detection for 76 days
4. Database encryption relied on keys stored alongside the encrypted data

Impact: $700 million settlement, executive resignations, and lasting reputational damage. The breach demonstrated that confidentiality requires defense in depth—no single control suffices.

Integrity ensures that information remains accurate, complete, and unmodified except by authorized processes. While confidentiality asks "Can they see it?", integrity asks "Can they trust it?"

Formal Definition

Integrity protects against unauthorized modification or destruction of information. It guarantees that:

• Data hasn't been altered during storage or transmission
• Only authorized operations modify data in authorized ways
• Changes are traceable and attributable
• System configurations remain in their intended state

The Trinity of Integrity

Integrity encompasses three related but distinct properties:

Data Integrity: The actual content of information remains unchanged. A database record shows the same values as when legitimately entered. A transmitted message arrives exactly as sent.

System Integrity: The system itself operates as designed. Software hasn't been modified by malware. Configurations match their intended state. The platform can be trusted to process data correctly.

Origin Integrity (Authenticity): Information genuinely comes from its claimed source. A software update actually originated from the vendor. An email genuinely came from the stated sender. This overlaps with authentication but focuses on data rather than users.

Integrity Attack Vectors

Integrity attacks modify or destroy data without authorization:

Modification Attacks:

• Data Tampering: Altering database records, files, or network packets
• Code Injection: SQL injection, XSS, command injection modifying application behavior
• Configuration Manipulation: Changing system settings to weaken security
• Log Tampering: Modifying audit logs to hide malicious activity

Destruction Attacks:

• Ransomware: Encrypting data making it unusable without payment
• Wiper Malware: Deliberately destroying data without possibility of recovery
• Cascade Failures: Corrupting data that propagates through dependent systems

Supply Chain Attacks:

• Compromised Updates: Malicious code inserted into legitimate software updates
• Build System Attacks: Modifying code during compilation/packaging
• Dependency Poisoning: Injecting malicious code into shared libraries

Integrity in Network Protocols

Network protocols implement integrity at multiple layers:

Transport Layer:

• TCP checksums detect transmission errors (but not malicious modification)
• TLS record layer MACs protect against tampering
• SSH uses authenticated encryption (ChaCha20-Poly1305, AES-GCM)

Application Layer:

• HTTPS combines TLS integrity with certificate-based authentication
• DNSSEC adds digital signatures to DNS responses
• Code signing verifies software authenticity

Cryptographic Considerations:

• Hash functions must be collision-resistant (no two inputs produce same output)
• SHA-1 is deprecated; SHA-256/SHA-3 are current standards
• Length extension attacks require HMAC rather than simple hash(secret || message)

Availability ensures that information and systems are accessible to authorized users when needed. Perfectly confidential and accurate data is worthless if users can't access it. Availability transforms security from mere protection into enabling business operations.

Formal Definition

Availability protects against unauthorized denial of service. It guarantees that:

• Systems remain operational during expected usage patterns
• Authorized users can access information and services when needed
• Recovery from failures occurs within acceptable timeframes
• Capacity meets legitimate demand

Measuring Availability

Availability is typically expressed as "nines" of uptime:

Each additional "nine" requires exponentially more investment in redundancy, automation, and testing.

Availability Attack Vectors

Denial of Service attacks target availability through various mechanisms:

Volumetric Attacks:

• Bandwidth Exhaustion: UDP floods, DNS amplification, NTP reflection overwhelm network capacity
• Connection Exhaustion: SYN floods, Slowloris consume connection slots
• Application Exhaustion: Resource-intensive requests deplete CPU, memory, or disk

Protocol Attacks:

• TCP State Attacks: Manipulating connection state tables
• DNS Attacks: Cache poisoning, recursive query floods
• BGP Hijacking: Redirecting traffic to black holes

Application Layer Attacks:

• HTTP Floods: High-volume legitimate-looking requests
• Regex DoS (ReDoS): Crafted inputs causing exponential regex processing
• Hash Collision DoS: Inputs that degrade hash table performance to O(n²)

Physical and Environmental:

• Power Failures: Inadequate UPS and generator capacity
• Natural Disasters: Floods, earthquakes, fires affecting data centers
• Ransomware: Encrypting systems makes them unavailable

Real-World Case Study: The 2016 Dyn DDoS Attack

On October 21, 2016, the Mirai botnet launched a massive DDoS attack against Dyn, a major DNS provider. The attack demonstrated how availability failures cascade through interconnected systems:

Attack Characteristics:

• Peak traffic: 1.2 Tbps from ~100,000 IoT devices
• Three waves over approximately 11 hours
• Exploited compromised cameras, DVRs, and routers

Impact:

• Major websites unavailable: Twitter, Reddit, Netflix, Spotify, GitHub
• DNS resolution failures prevented access even to sites not attacked directly
• Estimated hundreds of millions in economic impact

Lessons Learned:

1. Dependency Concentration: Relying on a single DNS provider created a single point of failure
2. IoT Security Matters: Insecure consumer devices became attack infrastructure
3. Defense Requires Diversity: Multiple DNS providers, anycast routing, and geographic distribution improve resilience

The three pillars of the CIA Triad often exist in tension. Strengthening one can weaken another. Understanding these tradeoffs is essential for designing balanced security architectures.

Common Tensions

Confidentiality vs. Availability:

• Strong encryption adds processing overhead, potentially impacting performance and availability
• Strict access controls may lock out legitimate users during emergencies
• Air-gapped systems maximize confidentiality but severely limit availability

Integrity vs. Availability:

• Comprehensive verification checks add latency
• Requiring multi-party approval for changes slows operations
• Immutable logs grow without bound, eventually consuming storage

Confidentiality vs. Integrity:

• Fewer people with data access means fewer who can verify its accuracy
• Encrypted data is harder to audit for integrity
• Compartmentalization prevents holistic data quality checks

Finding the Right Balance

The correct balance depends on the specific system, data, and organizational context:

Risk Assessment Drives Prioritization:

1. Identify assets: What data and systems require protection?
2. Assess threats: Who might attack and through what vectors?
3. Evaluate impact: What's the cost of each type of security failure?
4. Determine priorities: Which pillar matters most for each asset?
5. Design controls: Implement mechanisms that match priorities

Context Examples:

• Hospital Emergency Room: Availability dominates—a doctor must access patient records immediately. Slightly relaxed confidentiality controls (break-glass access) are acceptable to save lives.

• Nuclear Launch Codes: Confidentiality and integrity are paramount. Systems can be somewhat less available (requiring deliberate effort to access) to maximize security.

• Public Government Records: Integrity is critical—citizens must trust official data. Confidentiality is minimal (public information). Availability should be high.

While the CIA Triad remains foundational, security practitioners have proposed extensions to address properties not fully captured by the original three pillars.

The Parkerian Hexad

Donn B. Parker proposed expanding the triad to six elements:

1. Confidentiality — Same as CIA Triad
2. Integrity — Same as CIA Triad
3. Availability — Same as CIA Triad
4. Possession/Control — Physical control over data, separate from access
5. Authenticity — Proof of genuine origin
6. Utility — Data in a format that meets user needs

NIST Cybersecurity Framework

NIST's framework organizes security functions differently:

• Identify — Understanding assets and risks
• Protect — Safeguards to ensure service delivery
• Detect — Identifying security events
• Respond — Actions when incidents occur
• Recover — Maintaining resilience and restoration

While structured differently, these functions still protect CIA properties.

The CIA Triad is most valuable as an analytical framework for evaluating and designing secure systems. Here's how to apply it systematically:

Step 1: Asset Classification

For each data type or system, assess the impact of violating each CIA property:

Step 2: Threat Identification

For each asset, identify threats to each pillar:

• What could cause unauthorized disclosure?
• What could cause unauthorized modification?
• What could cause service disruption?

Step 3: Control Selection

Match controls to threats, ensuring coverage of all pillars:

• Confidentiality: Encryption, access control, data masking
• Integrity: Hashing, signatures, audit logs, input validation
• Availability: Redundancy, backups, DDoS protection, monitoring

The CIA Triad provides the foundational framework for all information security work. Let's consolidate the key concepts:

What's Next:

With the CIA Triad established as our analytical foundation, we'll next explore Authentication—the mechanisms by which systems verify the identity of users and entities. Authentication is the gatekeeper that enables confidentiality controls and the foundation for accountability and non-repudiation.