Breaking Down Cybersecurity: The Real Meaning Behind the Jargon
Cyber security is often equated with confidentiality, but that is not correct. Traditionally, professionals define it in terms of confidentiality, integrity and availability (the CIA triad), but that is not quite right either. So what is it?
In the process of advising on our new cyber security legislation, I have had to stop and reflect on what cyber security really is, and how we can explain it in simple but clear terms: putting to one side the semantic discussions about terminology that professionals so often enjoy, and focussing instead on what cyber security means in practice.
Essentially there are five elements to consider: Confidentiality, Integrity, Availability, Authenticity and Non-repudiation (these are often called the pillars of information assurance).
The two additional terms are authenticity and non-repudiation. Authenticity means knowing who did something; non-repudiation means being able to prove it, including to someone who was not there. They are not quite the same: I know my son broke my office window because he is the only one who plays football in the garden; I can prove it because his sister saw him kick the ball.
These five elements interact: you cannot have one without the others if you want to establish trust.
You cannot have good cyber security without establishing trust, so we all need to understand what these terms mean. Below I explain each of them, with an everyday example and a reference incident to illustrate it.
Confidentiality
Explanation: Confidentiality ensures that information is accessible only to those authorized to have access. It's about keeping data private and protected from unauthorized access.
Example: Think of online banking. Your financial details are confidential, which means they are protected so that only you and the bank can access them. Encryption, which scrambles data so that it can only be read by someone holding the right key, is the most common technical control for confidentiality, alongside access controls that decide who is allowed to see the data in the first place.
Reference incident: In 2017, the credit reporting agency Equifax suffered a massive data breach. Attackers entered through an unpatched vulnerability in a public-facing web application and accessed the personal information of approximately 147 million people, including Social Security numbers, birth dates and addresses. The confidentiality of sensitive information belonging to millions of people was compromised, exposing them to identity theft and fraud.
Integrity
Explanation: Integrity involves maintaining the accuracy and completeness of data. It ensures that information is not altered in an unauthorized manner.
Example: When you receive a bank statement, you trust that the transactions listed are exactly the ones you carried out and have not been changed in any way. Banks use controls such as transaction logging, reconciliation against the ledger and tamper-evident records to ensure that the data in your statement matches the transactions you actually made.
Reference incident: The Stuxnet worm, discovered in 2010, targeted Iranian uranium enrichment facilities. The malware subtly changed the speed of the enrichment centrifuges while feeding normal-looking readings to the monitoring systems. Both the integrity of the process and the integrity of the information the operators saw were compromised, causing physical damage to the centrifuges that went unnoticed until it was severe.
Availability
Explanation: Availability ensures that data and services are available to authorized users when needed. This means keeping systems running and accessible, without improper interference or disruptions.
Example: For a website like Amazon, it’s important that the site is available and functioning whenever you want to make a purchase. This is managed through redundant systems and regular maintenance to prevent downtime.
Reference incident: In 2016, a major distributed denial-of-service (DDoS) attack, launched from the Mirai botnet of compromised internet-connected consumer devices, targeted the DNS provider Dyn. Major websites such as Twitter, Spotify and Reddit became temporarily unavailable to millions of users even though none of them was attacked directly: they depended on Dyn to resolve their names, so when it went down they could not be reached. The incident highlighted how the availability of popular services rests on shared internet infrastructure that is itself a target.
Authenticity
Explanation: Authenticity means verifying that data, transactions, and communications are genuine. It confirms that sources and identities are who they claim to be.
Example: When you log in to your social media account, you may receive a code on your phone to confirm it is really you. This two-factor authentication process supports authenticity by verifying that the person accessing the account holds something only the legitimate owner should have, not just a password that could have been stolen.
Reference incident: In 2011, attackers broke into the network of RSA Security and stole information relating to its SecurID authentication tokens, widely reported to include the seed values from which the tokens' one-time codes are generated. This undermined the authenticity of a token system used by thousands of organizations worldwide to secure access to their networks: with the stolen information, attackers could potentially generate valid codes and impersonate legitimate users. The stolen data was subsequently linked to an attempted intrusion at the defence contractor Lockheed Martin.
Non-repudiation
Explanation: Non-repudiation prevents individuals or entities from denying their actions relating to data or transactions. It provides evidence strong enough to convince a third party, so that someone cannot later deny having signed a document or sent a message.
Example: When you sign for a package on delivery, whether on paper or on the courier's handheld device, there is a record that you received it. This is a form of non-repudiation: you cannot later credibly claim that the package never arrived.
Reference incident: In 2016, emails and documents stolen from the US Democratic National Committee (DNC) were published by WikiLeaks. Some DNC officials disputed the authenticity of the documents, suggesting that the hackers might have altered them as part of Russian interference in the U.S. presidential election. Despite these claims, investigations affirmed that the emails were genuine. The leak had significant political repercussions, contributing to discord and mistrust within the Democratic Party, influencing public opinion during the election, and leading to the resignation of several DNC officials. US prosecutors later indicted Russian military intelligence officers associated with the hacking group known as Fancy Bear for the original breach.
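The difference between authenticity and non-repudiation is easiest to see in code. The following Go program is an added example and not part of the original article: using only Go's standard library, it shows AES-GCM providing confidentiality and integrity (a tampered ciphertext is rejected rather than decrypted), an HMAC providing authenticity between two parties who share a key but no non-repudiation (the receiver holds the same key, so either party could have produced the tag and it proves nothing to a third party), and an Ed25519 signature providing non-repudiation (only the private key holder can produce it, and anyone with the public key can check it). The names Alice and Bob, the messages and the hard-coded keys are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// sealMessage covers confidentiality and integrity together: AES-256-GCM encrypts
// the plaintext and appends an authentication tag, so a ciphertext altered in
// transit fails to decrypt instead of silently yielding wrong data.
func sealMessage(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize()) // fresh random nonce for every message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// openMessage returns an error if the key is wrong or the ciphertext was modified.
func openMessage(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

// macTag gives authenticity between two parties via a key they share (HMAC-SHA256).
// The receiver learns the message came from someone holding the key, but because the
// receiver holds that same key the tag proves nothing to a third party: either side
// could have produced it, so a MAC on its own gives no non-repudiation.
func macTag(sharedKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

// macVerify compares in constant time so the check itself does not leak the tag.
func macVerify(sharedKey, msg, tag []byte) bool {
	return hmac.Equal(tag, macTag(sharedKey, msg))
}

// newSigningKey derives an Ed25519 key pair from a 32-byte seed. Seeds in this demo
// are constructed; real keys come from ed25519.GenerateKey(rand.Reader).
func newSigningKey(seed []byte) (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv, priv.Public().(ed25519.PublicKey)
}

// signMessage gives non-repudiation: only the holder of the private key can produce
// a signature that verifies under the public key, which anyone (including a third
// party) can check, so the signer cannot later deny having signed the message.
func signMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

func verifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	// Constructed sample keys for the demonstration only; never hard-code real keys.
	aesKey := []byte("0123456789abcdef0123456789abcdef") // 32 bytes
	sharedKey := []byte("constructed-secret-shared-by-alice-and-bob")
	alicePriv, alicePub := newSigningKey([]byte("ALICE-0123456789abcdef0123456789"))
	bobPriv, _ := newSigningKey([]byte("BOB---0123456789abcdef0123456789"))
	msg := []byte("Transfer 100 GBP to account 12345678")
	altered := []byte("Transfer 1000 GBP to account 12345678")

	// Confidentiality and integrity: flipping one ciphertext bit is detected.
	nonce, ct, _ := sealMessage(aesKey, msg)
	tampered := append([]byte{}, ct...)
	tampered[0] ^= 0x01
	_, err := openMessage(aesKey, nonce, tampered)
	fmt.Println("tampered ciphertext rejected:", err != nil)

	// Authenticity via HMAC: Bob can verify Alice's tag, but he could equally forge one.
	tag := macTag(sharedKey, msg)
	fmt.Println("Bob accepts Alice's tag:", macVerify(sharedKey, msg, tag))
	forged := macTag(sharedKey, altered) // Bob computes this with the same shared key
	fmt.Println("Bob's own tag on an altered message also verifies:", macVerify(sharedKey, altered, forged))

	// Non-repudiation via signature: nobody but Alice can produce a signature under her key.
	sig := signMessage(alicePriv, msg)
	fmt.Println("Alice's signature verifies:", verifySignature(alicePub, msg, sig))
	fmt.Println("Bob's signature passes as Alice's:", verifySignature(alicePub, msg, signMessage(bobPriv, msg)))
}
```

Run it with `go run`. The MAC section is the one to dwell on: the forged tag verifies just as well as Alice's, which is exactly why a MAC can support authenticity between two parties yet cannot settle a dispute between them, while the signature can. The signature only carries that weight if the private key really was under Alice's sole control, which is why the compromise of authentication secrets, as in the RSA SecurID incident above, undermines everything built on top of them.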
___
Matt Palmer is an award-winning cyber security leader. He currently runs the national cyber defence function for a small island state. He can be found on LinkedIn or on Bluesky.