By Mark R. Lupo, CBCP
Most of us are familiar with the three-letter combination CIA, and our minds immediately go to visions of international espionage and the Central Intelligence Agency. When it comes to our digital information, though, these three letters take on a different meaning. Within the digital realm, C.I.A. refers to three characteristics of our digital footprint, known as the Information Triad: qualities of our electronic information that we expect to remain constant unless we decide to modify them.
In order to understand the cyber threats that are persistently active against us, we must first understand the Information Triad. As we understand it better, we can begin to see how cyberattacks are categorized according to which aspect of the Information Triad they target. Once we understand how a cyber threat attacks our digital information, we can begin to implement more effective strategies to protect that information. To illustrate this idea, consider your house. Within one of your bedrooms, in a cabinet drawer, you have a special journal. In the journal are personal pictures, thoughts and ideas that you place a special value on and would like to keep private. A burglar knows that you have this journal within your house, though he doesn’t know exactly where it is located.
In the first scenario, this burglar breaks into your house one day through one of the back windows. He goes through all the rooms in your house, searching for something of value. He comes to the cabinet drawer, opens it and rummages around. He locates your journal and decides to take it with him. He exits your house the way he came in and heads back to his house. Once back at his place, he looks through your journal and decides to place some of those personal photos online. In doing so, this burglar has just violated the first characteristic of digital information, that of confidentiality: the idea that we have the right to keep information private. When someone accesses our digital information and either removes it from our system to publicize it or just looks at it themselves, they have violated the confidential nature of that information.
In the second scenario, this same burglar breaks into your house and, after an extensive search, finds your journal in the cabinet drawer. This time, instead of removing the journal, he decides to change some words in it and to replace some of your photos with pictures of his own. He then returns the journal to the cabinet drawer where he found it and leaves the house. The journal is still there, right where you left it, though it is not the same. The contents have been changed and the consistency of the information has been violated. This illustrates the second characteristic of our digital information, that of integrity: the expectation that the digital information we create will remain unchanged unless we decide to change it, and that it is secure from an outside individual modifying it without our consent.
In the third scenario, the burglar again enters your house through an open back window. This time, instead of removing the journal or modifying it, he changes all of the locks to your house, and when you get home you realize that your key will no longer let you in. This burglar has just made your home inaccessible to you unless you obtain the new key. He has violated the availability of your information. You can no longer enter your own house without the new key, and in order to obtain it, you will have to pay this burglar something.
Thus, these three characteristics of digital information comprise the Information Triad: Confidentiality, Integrity and Availability. Cyber threats are developed and categorized to violate one or more of these three aspects of our digital information, and we will explore these in great detail in our next entries. Until then…