• Computer network vulnerabilities identified in the Ware Report. Source: Pot 2016.
    Computer network vulnerabilities identified in the Ware Report. Source: Pot 2016.
  • Security objectives have dependencies. Source: Stoneburner 2001, fig. 2-1.
    Security objectives have dependencies. Source: Stoneburner 2001, fig. 2-1.
  • The CIA information security triad. Source: Vonnegut 2016.
    The CIA information security triad. Source: Vonnegut 2016.
  • McCumber Cube is designed to address cybersecurity. Source: Morrow 2012.
    McCumber Cube is designed to address cybersecurity. Source: Morrow 2012.
  • Ontology of information security. Source: Cherdantseva and Hilton 2012, slide 6.
    Ontology of information security. Source: Cherdantseva and Hilton 2012, slide 6.

Information Security Principles

User avatar
sangeetha-prabhu
940 DevCoins
Avatar of user arvindpdmn
arvindpdmn
7 DevCoins
2 authors have contributed to this article
Last updated by arvindpdmn
on 2019-05-26 12:19:36
Created by sangeetha-prabhu
on 2019-05-25 10:30:29
Improve this article. Show messages

Summary

Information can be private or public, personal or generic, valuable or commonplace, online or offline. Like any other asset, it has to be protected. This is more important online where hackers can steal or misuse information remotely even without any physical access to where that information resides.

In line with evolving technology, data security practices have evolved from high-level principles into more detailed set of practices and checklists. In practice, there's no single list of principles that everyone agrees on. Many lists exist, each one customized for its context.

Milestones

1950

Information Security or InfoSec doesn't exist in the 1950s or even in the 1960s. Security is all about physically securing access to expensive machines. Reliability of computers is the main concern. As hardware and software becomes standardized and cheaper, it's only in the 1970s that there's a shift from computer security towards information security.

1970
Computer network vulnerabilities identified in the Ware Report. Source: Pot 2016.

In the early years of the ARPANET, the US Department of Defense commissions a study that's published by the Rand Corporation as Security Controls for Computer Systems. It identifies many potential threats and possible security measures. The task force was chaired by Willis H. Ware. In time, this report becomes influential and is known as the Ware Report.

1972

James P. Anderson authors Computer Security Technology Planning Study for the USAF. This is published in two volumes. In time, this comes to be called the Anderson Report.

1973

Multics was a timesharing operating system that started in 1965 as a MIT research project. In the summer of 1973, researchers at MIT look at the security aspects of Multics running on a Honeywell 6180 computer system. They come up with broad security design principles. They categorize these into three categories with due credit to J. Anderson: unauthorized release, unauthorized modification, unauthorized denial.

1980

Prior to the 1980s, security was influenced by the defence sector. In the 1980s focus shifts from Confidentiality to commercial concerns such as costs and business risks. Among these is the idea of Integrity since it's important for banks and businesses that data is not modified by unauthorized entities.

1988

Morris Worm becomes the first DoS attack on the Internet. Thus, Availability is recognized as an essential aspect of information security.

1989

In the JSC-NASA Information Security Plan document we find the use of the term CIA Triad. However, the term could have been coined as early as 1986.

1998

To complement InfoSec, Information Assurance (IA) emerges as a discipline. This is more about securing information systems rather than information alone. With the growth of networks and Internet, Non-Repudiation and Authentication become important concerns. Non-repudiation means that parties can't deny having sent or received a piece of information.

2001
Security objectives have dependencies. Source: Stoneburner 2001, fig. 2-1.

NIST publishes Underlying Technical Models for Information Technology Security. It identifies five security objectives: Availability, Integrity, Confidentiality, Accountability and Assurance. It points out that these are interdependent. For example, if confidentiality is compromised (eg. superuser password), then integrity is likely to be lost as well.

2002

Donn B. Parker expands on the CIA Triad by adding three more items: authenticity, possession or control, and utility. Parker also states that it's best to understand these six principles in pairs: confidentiality and possession, integrity and authenticity, and availability and utility. In time, these six principles have come to be called Parkerian Hexad.

Discussion

  • Which are the three main information security principles?
    The CIA information security triad. Source: Vonnegut 2016.
    The CIA information security triad. Source: Vonnegut 2016.

    The three main security principles include:

    • Confidentiality: Protect against unauthorized access to information.
    • Integrity: Protect against unauthorized modification of information. Even if an adversary can't read your data, they can either corrupt it or selectively modify it to cause further damage later on.
    • Availability: Protect against denial of access to information. Even if an adversary can't access or modify your data, they can prevent you from accessing it or using it. For example, they can destroy or congest communication lines, or bring down the data server.

    These principles have also been called security goals, objectives, properties or pillars. More commonly, they are known as the CIA Triad.

    Security practitioners consider these principles important but vague. This is because they're about the "what" but not the "how". They have to be translated into clear practices based on context. They have been applied to IT infrastructure, cloud systems, IoT systems, web/mobile apps, databases, and so on. Actual practices may differ but can be related to the CIA triad.

  • What are some variations of CIA?
    McCumber Cube is designed to address cybersecurity. Source: Morrow 2012.
    McCumber Cube is designed to address cybersecurity. Source: Morrow 2012.

    It's been said that the CIA Triad is focused on technology and ignores the human element. The Parkerian Hexad therefore addresses the human element with three more principles:

    • Possession/Control: It's possible to possess or control information without breaching confidentiality.
    • Authenticity: This is about proof of identity. We should have an assurance that the information is from a trusted source.
    • Utility: Information may be available but is it in a usable state or form?

    Another variation is the McCumber Cube. It includes the CIA Triad but also adds three states of information (transmission, storage, processing) and three security measures (training, policy, technology).

    Other published security principles have come from OECD, NIST, ISO, COBIT, Mozilla, and OWASP.

  • What are some means of achieving the CIA security goals?
    Ontology of information security. Source: Cherdantseva and Hilton 2012, slide 6.
    Ontology of information security. Source: Cherdantseva and Hilton 2012, slide 6.

    Authorization, authentication and the use of cryptography are some techniques to achieve the CIA security goals. These have been sometimes called Security Mechanisms. These mechanisms are designed to protect assets and mitigate risks. However, they may have vulnerabilities that threats will attempt to exploit.

    Confidentiality is often achieved via encryption. Hackers in possession of encrypted data can't read it without the requisite decryption keys. File permissions and access control lists also ensure confidentiality. For integrity, a hash of the original data can be used but this hash must itself be provided securely. Alternatively, digital certificates that use public-key cryptography can be used. For availability, there should be redundancy built into the system. Backups should be in place to restore services quickly. Systems should have recent security updates. Provide sufficient bandwidth to avoid bottlenecks.

    People must be trained to use strong passwords, recognize possible threats and get familiar with social engineering methods.

  • What are some common approaches to enhancing information security?

    Complex systems are hard to secure. Keep the design simple. This also minimizes the attack surface. For example, a search box is vulnerable to SQL injections but a better search UI will remove this risk. Use secure defaults such as preventing trivial passwords. Give users or programs the least privilege to perform their function. When failures occur, ensure they're handled with correct privileges.

    There's better defence in depth. This means that multiple levels of control are better than a single one. Security at application layer alone is not enough. Secure server access, network communications, wireless access, user interface, and so on. Don't trust third-party services. Have a clear separation of duties to prevent fraud. For example, admin users shouldn't be allowed to login to the frontend with same privileges and make purchases on behalf of others.

    Avoid security by obscurity. This means that we shouldn't rely on hidden secrets. For example, even if source code is leaked or encryption algorithms are known, the system should remain secure.

    Prefer decentralized systems with replication to centralized ones.

  • Could you mention some threats or attacks by which hackers can compromise the security principles?

    Sniffing data communications, particularly when it's not encrypted, is an example of breach of confidentiality. ARP spoofing is an example of sending false ARP messages so that traffic is directed to the wrong computer. Phishing is a breach of integrity since the hacker's website tricks a visitor into thinking it's the genuine website.

    Repeatedly sending a request to a service will overload the server. Server will become progressively slower to response to requests and even crash. This Denial-of-Service (DoS) attack make the service unavailable.

    For databases, SQL injection is a big threat allowing hackers access to sensitive data or extra privileges. Buffer overflow vulnerabilities can be exploited to modify data. DoS attacks are possible with databases and their servers.

    In any case, record all transactions and events. This leads to better detection of intrusions and future preventions. Have a good recovery plan. Perform frequent security tests to discover vulnerabilities.

References

  1. Cherdantseva, Y. and J. Hilton. 2012. "The Evolution of Information Security Goals from the 1960s to today." February. Accessed 2019-05-24.
  2. Chia, Terry. 2012. "Confidentiality, Integrity, Availability: The three components of the CIA Triad." IT Security Community Blog, StackOverflow, August 20. Accessed 2019-05-24.
  3. Deniz, Yeshim. 2019. "Three Pillars of CIA Triad IoT Security." Blog, PHP Journal, March 12. Accessed 2019-05-26.
  4. Estrin, Eyal. 2019. "Fundamental Cloud Security Concepts Part 1 – CIA." GÉANT Cloud Services. Accessed 2019-05-26.
  5. Golovatenko, Illya. 2018. "The Three Dimensions of the Cybersecurity Cube." Swan Software Solutions, December 13. Accessed 2019-05-24.
  6. MIT. 2019. "Multics." MIT. Accessed 2019-05-24.
  7. Morrow, Stephanie. 2012. "About McCumber Cube." InfoSec Blog, June 15. Accessed 2019-05-26.
  8. Mozilla Developer. 2019. "Confidentiality, Integrity, and Availability." MDN Web Docs, March 23. Accessed 2019-05-24.
  9. Mozilla InfoSec. 2019. "Security Principles." Mozilla Foundation. Accessed 2019-05-24.
  10. OWASP. 2015. "Category:Principle." OWASP, July 29. Accessed 2019-05-26.
  11. OWASP. 2016. "Security by Design Principles." OWASP, August 03. Accessed 2019-05-24.
  12. Pender-Bey, Georgie. 2012. "The Parkerian Hexad." In fulfillment of the Master of Science in Information Security Program, Lewis University. Accessed 2019-05-24.
  13. Pot, Justin. 2016. "This 1970 memo outlined every cybersecurity threat we face today." Digital Trends, April 18. Accessed 2019-05-26.
  14. Saltzer, Jerome H. 1974. "Protection and the Control of Information Sharing in Multics." Communications of the ACM, vol. 17, no. 7, pp. 388-402, July. Accessed 2019-05-24.
  15. Saltzer, Jerome H. and Michael D. Schroeder. 1975. "The Protection of Information in Computer Systems." Originally published at MIT. Accessed 2019-05-24.
  16. Stoneburner, Gary. 2001. "Underlying Technical Models for Information Technology Security." NIST Special Publication 800-33, December. Accessed 2019-05-26.
  17. TechTarget. 2019. "confidentiality, integrity, and availability (CIA triad)." WhatIs, TechTarget. Accessed 2019-05-26.
  18. Technopedia. 2017. "The 7 Basic Principles of IT Security." May 19. Accessed 2019-05-26.
  19. Vonnegut, Sarah. 2016. "The Importance of Database Security and Integrity." Blog, Altibase, June 24. Accessed 2019-05-24.
  20. Wikipedia. 2019. "Information security." Wikipedia, May 05. Accessed 2019-05-24.
  21. Yobicash. 2018. "The Holy Trinity of Data Security: What you need to know about the CIA Triad." Yobicash, via Medium, February 24. Accessed 2019-05-26.

Milestones

1950

Information Security or InfoSec doesn't exist in the 1950s or even in the 1960s. Security is all about physically securing access to expensive machines. Reliability of computers is the main concern. As hardware and software becomes standardized and cheaper, it's only in the 1970s that there's a shift from computer security towards information security.

1970
Computer network vulnerabilities identified in the Ware Report. Source: Pot 2016.

In the early years of the ARPANET, the US Department of Defense commissions a study that's published by the Rand Corporation as Security Controls for Computer Systems. It identifies many potential threats and possible security measures. The task force was chaired by Willis H. Ware. In time, this report becomes influential and is known as the Ware Report.

1972

James P. Anderson authors Computer Security Technology Planning Study for the USAF. This is published in two volumes. In time, this comes to be called the Anderson Report.

1973

Multics was a timesharing operating system that started in 1965 as a MIT research project. In the summer of 1973, researchers at MIT look at the security aspects of Multics running on a Honeywell 6180 computer system. They come up with broad security design principles. They categorize these into three categories with due credit to J. Anderson: unauthorized release, unauthorized modification, unauthorized denial.

1980

Prior to the 1980s, security was influenced by the defence sector. In the 1980s focus shifts from Confidentiality to commercial concerns such as costs and business risks. Among these is the idea of Integrity since it's important for banks and businesses that data is not modified by unauthorized entities.

1988

Morris Worm becomes the first DoS attack on the Internet. Thus, Availability is recognized as an essential aspect of information security.

1989

In the JSC-NASA Information Security Plan document we find the use of the term CIA Triad. However, the term could have been coined as early as 1986.

1998

To complement InfoSec, Information Assurance (IA) emerges as a discipline. This is more about securing information systems rather than information alone. With the growth of networks and Internet, Non-Repudiation and Authentication become important concerns. Non-repudiation means that parties can't deny having sent or received a piece of information.

2001
Security objectives have dependencies. Source: Stoneburner 2001, fig. 2-1.

NIST publishes Underlying Technical Models for Information Technology Security. It identifies five security objectives: Availability, Integrity, Confidentiality, Accountability and Assurance. It points out that these are interdependent. For example, if confidentiality is compromised (eg. superuser password), then integrity is likely to be lost as well.

2002

Donn B. Parker expands on the CIA Triad by adding three more items: authenticity, possession or control, and utility. Parker also states that it's best to understand these six principles in pairs: confidentiality and possession, integrity and authenticity, and availability and utility. In time, these six principles have come to be called Parkerian Hexad.

Tags

See Also

  • Cloud Security
  • Network Security
  • Three Rs of Security
  • Information Security Certifications
  • Security Onion
  • Cryptography

Further Reading

  1. Saltzer, Jerome H. 1974. "Protection and the Control of Information Sharing in Multics." Communications of the ACM, vol. 17, no. 7, pp. 388-402, July. Accessed 2019-05-24.
  2. Smith, Richard E. 2012. "A Contemporary Look at Saltzer and Schroeder’s 1975 Design Principles." IEEE Security & Privacy, vol. 10, no. 6, November-December. Accessed 2019-05-26.
  3. Yobicash. 2018. "The Holy Trinity of Data Security: What you need to know about the CIA Triad." Yobicash, via Medium, February 24. Accessed 2019-05-26.
  4. Mozilla InfoSec. 2019. "Security Principles." Mozilla Foundation. Accessed 2019-05-24.
  5. Villanova University. 2015. "The History of Information Security." February 02. Accessed 2019-05-24.
  6. Pender-Bey, Georgie. 2012. "The Parkerian Hexad." In fulfillment of the Master of Science in Information Security Program, Lewis University. Accessed 2019-05-24.

Article Stats

Author-wise Stats for Article Edits

Author
No. of Edits
No. of Chats
DevCoins
1
0
7
1399
Words
0
Chats
3
Edits
1
Likes
634
Hits

Cite As

Devopedia. 2019. "Information Security Principles." Version 3, May 26. Accessed 2019-10-17. https://devopedia.org/information-security-principles