Penguin Fortress YouTube Channel

Video transcript: CISSP Domain 1 - CIA Triad

This is a transcript for a video linked here: CISSP Domain 1 - CIA Triad.

Video transcript - CISSP Domain 1 - CIA Triad

00:00:00.480 --> 00:00:07.280
This is the first in a series of videos I'll be making on cyber security concepts. These will be

00:00:07.280 --> 00:00:13.600
based around some of the principles in the CISSP certification exams, but also useful for anyone

00:00:13.600 --> 00:00:19.440
interested in learning more about IT security and how to keep your system safe. When appropriate

00:00:19.440 --> 00:00:25.040
I'll be referring to real-world examples, and in future videos I'll be demonstrating some simulated

00:00:25.040 --> 00:00:30.080
attacks. If this is something you'd be interested in, please subscribe and click the notification

00:00:30.080 --> 00:00:37.920
icon to see future videos. This is from domain one of CISSP: security and risk management.

00:00:40.800 --> 00:00:47.360
One of the key security models is the CIA triad. This is a high-level concept which stands for

00:00:47.360 --> 00:00:55.440
confidentiality, availability and integrity. Looking at these in turn, let's start with confidentiality.

00:00:55.440 --> 00:01:01.360
This is the first aspect of the CIA triad. It's about keeping data secret so that it can only

00:01:01.360 --> 00:01:06.960
be accessed by those who have the appropriate permissions. It extends beyond information about

00:01:06.960 --> 00:01:12.800
a person and may also involve restricting access to data objects and resources, whilst

00:01:13.680 --> 00:01:20.640
it must continue to allow authorized access. Breaches of confidentiality may not always be intentional;

00:01:21.280 --> 00:01:26.720
they could be the result of a human error, lack of oversight, lack of understanding or incompetence.

00:01:28.080 --> 00:01:32.000
Clearly there have been many breaches of security, some of which have hit the headlines.

00:01:33.280 --> 00:01:37.360
T-Mobile have experienced data breaches which resulted in personal information

00:01:37.360 --> 00:01:45.440
of millions of their customers being stolen. The Sony attack in 2014, where terabytes of

00:01:45.440 --> 00:01:52.560
data were stolen from Sony's servers, including some unreleased films. And to look at some of the

00:01:52.560 --> 00:01:57.120
specific aspects of confidentiality, I'm going to break this down into a number of points.

00:01:58.240 --> 00:02:02.560
First is sensitivity. This is about information which could cause harm or damage.

00:02:04.800 --> 00:02:08.160
Discretion. This is information

00:02:08.160 --> 00:02:13.840
which, if it was acted upon, could influence or control events or cause harm or damage.

00:02:16.640 --> 00:02:22.320
Criticality: a measure of how critical the information is, particularly to a corporation.

00:02:26.720 --> 00:02:34.880
Concealment. Concealment is a way of hiding or preventing disclosure. If you're looking at

00:02:34.880 --> 00:02:39.920
concealing information, it shouldn't be just about not linking to it while the information's still

00:02:39.920 --> 00:02:45.360
there, hoping that people don't find it. It's about making sure the information is hidden

00:02:46.480 --> 00:02:52.560
so that they're not aware of it, as well as it being inaccessible to them.

00:02:55.760 --> 00:03:03.520
Secrecy, and this is the act of keeping something secret. And privacy, which is keeping information

00:03:03.520 --> 00:03:09.600
confidential, particularly information which is personally identifiable or may cause embarrassment.

00:03:12.240 --> 00:03:18.720
Seclusion is about storing something in an out-of-the-way location, usually with strict

00:03:18.720 --> 00:03:23.520
access controls. For example, you may have a different place to store credit card

00:03:23.520 --> 00:03:26.320
information rather than it being in the normal database.

00:03:29.280 --> 00:03:34.800
Isolation is similar to seclusion but takes it a step further, so it may be that you actually

00:03:34.800 --> 00:03:41.040
store that credit card information in a way that can only be accessed by certain systems,

00:03:42.240 --> 00:03:45.840
so in a separate system that's isolated from the others.

00:03:50.720 --> 00:03:58.080
The second aspect of the CIA triad is integrity, which is about the reliability and correctness

00:03:58.080 --> 00:04:06.000
of data. It involves preventing unauthorized alterations, which may be malicious activities such

00:04:06.000 --> 00:04:13.840
as someone looking to change their grade (a classic from the film WarGames) or a virus destroying data,

00:04:13.840 --> 00:04:20.560
or it could be through a mistake by authorized users. Controls must be in place to restrict access

00:04:20.560 --> 00:04:30.080
to data objects and resources. Confidentiality and integrity depend on each other. Perhaps an extreme

00:04:30.080 --> 00:04:37.520
example of what damage can be done with integrity is with the Stuxnet computer worm. This is considered

00:04:37.520 --> 00:04:42.800
to have been a cyber weapon, and it caused substantial damage to the Iranian nuclear program.

00:04:43.840 --> 00:04:48.640
In that case it wasn't the data that was being corrupted, but it targeted the code for the

00:04:48.640 --> 00:04:55.680
programmable logic controllers (PLCs), and it caused the gas centrifuges to spin out of control, causing

00:04:55.680 --> 00:05:00.960
physical damage. If we look at integrity in a bit more detail, you can break this down into a number

00:05:00.960 --> 00:05:07.520
of points as well. There's accuracy: data needs to be accurate, needs to be correct and precise.

00:05:09.280 --> 00:05:12.720
Truthfulness: it should be a true reflection of reality.

00:05:14.720 --> 00:05:22.000
Validity means it's factually or logically sound. Accountability, and this is that the

00:05:22.000 --> 00:05:26.160
operators should be responsible for their actions and the results of those actions.

00:05:28.960 --> 00:05:37.840
Responsibility: there should be someone or something in charge or having control over the data.

00:05:40.080 --> 00:05:45.920
Completeness: data should be complete, including all the necessary components and parts. It's

00:05:45.920 --> 00:05:54.800
no good having only part of a person's details. And comprehensive: it should be complete in scope.

00:05:56.160 --> 00:06:05.200
And then the final aspect of the CIA triad is availability. Availability is about having

00:06:05.200 --> 00:06:11.600
uninterrupted access to the services. The system should have sufficient processing capability,

00:06:11.600 --> 00:06:18.240
bandwidth and timeliness as deemed necessary. Threats can include denial of service attacks,

00:06:18.240 --> 00:06:23.680
environmental and human errors, which could arise due to lack of oversight or lack of competence.

00:06:25.280 --> 00:06:30.160
It could be a result of badly configured services, including security rules.

00:06:32.080 --> 00:06:36.960
Here's some real examples. A denial of service attack can be difficult to protect against,

00:06:36.960 --> 00:06:39.280
particularly if distributed across a botnet.

00:06:40.640 --> 00:06:45.520
The problem is the cost of resources such as bandwidth and processing to allow genuine access.

00:06:46.880 --> 00:06:50.720
I had some of my own software which I experienced a denial of service attack on.

00:06:51.440 --> 00:06:55.920
In that case the attacks were from a single address. I was able to add code to detect

00:06:55.920 --> 00:07:03.520
a potential attack and block against it. A much worse example was the WannaCry ransomware. It had

00:07:03.520 --> 00:07:11.280
a significant impact on the UK National Health Service in 2017. In that case it was a crypto

00:07:11.280 --> 00:07:17.280
worm which would infect and encrypt computers that were running an unpatched version of Windows 7.

00:07:18.160 --> 00:07:23.680
It had a significant impact on the IT systems and the ability to provide medical care.

00:07:25.040 --> 00:07:30.240
Fortunately a kill switch was discovered by Marcus Hutchins. Whilst often credited

00:07:30.240 --> 00:07:35.600
as a white hat hacker for this, he had a darker side, including working on the Kronos malware.

00:07:37.520 --> 00:07:40.640
So, looking at the CIA triad in more detail,

00:07:41.600 --> 00:07:49.840
there's a few concepts here. So the first one is usability: it needs to be easy to use,

00:07:52.400 --> 00:07:57.840
and accessibility: there should be a wide range of subjects that can interact with the resource.

00:08:01.040 --> 00:08:04.480
Timeliness, and this means it should be prompt,

00:08:04.480 --> 00:08:11.840
on demand, reasonable response time, including low latency.

00:08:14.080 --> 00:08:18.160
The CIA triad is not the only model for applying security. There are many others.

00:08:18.800 --> 00:08:26.320
One example is the DAD triad. This takes the opposite approach

00:08:26.320 --> 00:08:31.840
to CIA, in that it identifies the things that you want to avoid rather than the

00:08:31.840 --> 00:08:39.840
things that you desire, which was the CIA triad. These are D for disclosure,

00:08:41.360 --> 00:08:44.560
A for alteration and then D for destruction.

00:08:47.680 --> 00:08:55.360
And then we can also look at some other models. The AAA model is an important one which

00:08:55.360 --> 00:09:00.240
I'll be covering in a future video, which looks at authorization and authentication.

00:09:02.720 --> 00:09:08.320
I'm going to leave it there for now. I hope this has been useful. If so, please give it a like so I

00:09:08.320 --> 00:09:14.160
know that these are worthwhile and people are responding to this. I'll be looking at putting

00:09:14.160 --> 00:09:17.920
more of these together, and if you're interested in watching those future videos,

00:09:17.920 --> 00:09:21.200
please subscribe to this channel and click on the notification icon

00:09:21.760 --> 00:09:25.920
to get notified about the future videos. Thanks for watching.