Hi, this is Akash with the very first post on Cracking The Security Interview. I write about security engineering and breaking into the world's best security teams.
This week I'm sharing how you can solve any security problem with 3 core concepts in security: Confidentiality, Integrity and Availability.
Your understanding of security depends on how well you internalize:
Confidentiality
Integrity
Availability
No security conversation can begin without talking about the CIA triad.
Any security incident can be explained as a violation of one or more of these properties.
While brainstorming ideas for the first post on Cracking The Security Interview, I couldn't think of any other topic that was more important.
The Concept
The entire security field is built on the CIA triad. Let's quickly go over what they mean:
Confidentiality
You're trying to restrict access to only authorized individuals. Think of the password you've set for your home smart lock. You don't want random people accessing your home, do you?
Integrity
You care more about the accuracy of the information than keeping it secret. You're uploading a picture on your favorite social media app. You can't do much when someone creates a deepfake copy using your face. But your friends and family want to see your activity, not this "fake" image.
Availability
You want to ensure authorized folks can access information when they want. Imagine you're driving a futuristic car. You want airbags to stay available for individuals in the vehicle at all times.
Real-World Walkthrough
To solidify our understanding, we'll use the example of your laptop!
Assumption: You're using a Linux-based operating system.
Why? I don't know, maybe because we're in security.
Step 1: You press the power button, and a signal is sent to your motherboard. Then the BIOS checks to confirm that everything's working.
Step 2: The bootloader comes next. It loads the operating system step-by-step. The bootloader is also responsible for verifying the integrity of the boot and recovery partitions.
The operating system is open source, so there's no confidentiality expectation. But integrity is important. If an attacker is able to sneak malware into your boot partition, the game's over.
Step 3: The bootloader loads the operating system and the kernel takes over control. It starts important programs and background services. You are greeted with the login screen.
What will happen if you don't see a login screen? Remember the Blue Screen of Death (BSOD)? Your ability to do anything requires this login service to be running. Availability is the property you want to preserve.
Step 4: You authenticate using your credentials. Now you see your home screen.
This is an authorized space. Unauthorized parties are not welcome here. Confidentiality becomes critical. Imagine a broken authentication granting access to anyone. Confidentiality is breached.
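Step 2's integrity check, sketched as an added example that is not from the original post: a bootloader compares the boot and recovery partitions against an authenticated list of expected SHA-256 digests. The partition contents, key and function names are constructed for illustration, and HMAC stands in for the public-key signature a real verified-boot chain would use.

```python
import hashlib
import hmac
import json

# Constructed sample data: stand-ins for partition contents and a device key.
DEVICE_KEY = b"constructed-demo-key"  # assumption: real devices verify with a public key
PARTITIONS = {"boot": b"kernel+initramfs v1", "recovery": b"recovery image v1"}


def build_manifest(partitions, key):
    """Vendor side: record each partition's SHA-256 and authenticate the list."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in partitions.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def verify_boot(partitions, manifest, key):
    """Bootloader side: return a list of problems; an empty list means safe to boot."""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Check the manifest first: unauthenticated digests prove nothing.
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return ["manifest"]
    problems = []
    for name, expected in sorted(manifest["digests"].items()):
        data = partitions.get(name)
        actual = hashlib.sha256(data).hexdigest() if data is not None else ""
        if not hmac.compare_digest(actual, expected):
            problems.append(name)
    return problems


def demo():
    manifest = build_manifest(PARTITIONS, DEVICE_KEY)
    clean = verify_boot(PARTITIONS, manifest, DEVICE_KEY)
    # Case 1: boot partition modified on disk, manifest untouched.
    tampered = dict(PARTITIONS, boot=PARTITIONS["boot"] + b" + implant")
    case1 = verify_boot(tampered, manifest, DEVICE_KEY)
    # Case 2: digest list rewritten to match, but the tag cannot be recomputed without the key.
    forged = {"digests": build_manifest(tampered, b"wrong-key")["digests"], "tag": manifest["tag"]}
    case2 = verify_boot(tampered, forged, DEVICE_KEY)
    return clean, case1, case2


if __name__ == "__main__":
    print(demo())
```

The second tampered case is the one to notice: the digest list itself needs integrity protection, otherwise whoever can rewrite the boot partition can rewrite the expected values too.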
Parting Thoughts
In interviews, you get asked to assess the security of a system. Keep in mind that any security event revolves around the CIA triad. As we walked through the "using your laptop" example, here's what you can do:
Walk through the event/information flow with the interviewer
Recognize which of the 3 properties are important for each step
Note down what happens when it goes wrong
Mitigate findings using controls and safeguards
Now, let's do an exercise. Imagine a digital interaction and let's think "What can go wrong?" following these steps.
Share in the comments!
Interview Questions
In your experience, have you faced situations where prioritizing one pillar of the CIA triad meant compromising another? How did you navigate this trade-off?
You identify a vulnerability that, if exploited, could cause a major data breach. However, fixing it will temporarily disrupt a critical service. How do you balance confidentiality, integrity, and availability when making your decision?
Let's say you're tasked with hardening the security posture of a system. Describe your approach to identify potential risks.
Get In Touch
Want to chat? Find me on LinkedIn.
If you want me to cover a particular topic in security, you can reach out directly at akash@chromium.org.
If you enjoyed this content, please share it with friends and consider subscribing if you haven't already. Your response really motivates me to keep going.