What is Information Security
Information security is the area of Computer Science concerned with protecting Assets: the data, systems and other things of value that an organisation or individual wants to keep safe.
The CIA Triad
For the security of these assets to be maintained, certain principles must be upheld. These make up The CIA Triad, which has three key goals:
- Confidentiality - Keeping assets secret from anyone not authorised to see them
- Integrity - Keeping assets whole, so they are not altered or corrupted without authorisation
- Availability - Keeping assets accessible to those who are authorised to use them, whenever they need them
Vulnerabilities, Threats, and Controls
These are key concepts within Information Security that concern how assets can be attacked and how they can be protected against attacks:
- Vulnerabilities - A flaw or weakness in an information system that can be exploited to cause loss or harm
- Threats - Anything with the potential to cause loss or harm, often by exploiting Vulnerabilities
- Controls - A protective measure that removes or reduces a Vulnerability, and with it the harm a Threat can cause
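To make these three terms concrete, here is an added example in Python (it is not part of the original notes): a toy file-serving function with a path-traversal Vulnerability, a hostile request standing in for the Threat, and a hardened version acting as the Control. Exploiting the flaw also shows a loss of Confidentiality, since a file outside the served directory is disclosed. The directory layout, file contents and function names are all constructed for this illustration, so the script runs stand-alone.

```python
"""Vulnerability, Threat and Control illustrated on a toy file-serving asset."""
import os
import tempfile


def vulnerable_read(base_dir: str, requested: str) -> bytes:
    # Vulnerability: the requested name is joined to the base directory
    # without checking that the resulting path still lies inside it, so a
    # name containing ".." walks out of the directory we meant to serve.
    with open(os.path.join(base_dir, requested), "rb") as fh:
        return fh.read()


def controlled_read(base_dir: str, requested: str) -> bytes:
    # Control: resolve the final path (following symlinks and ".." components)
    # and refuse to serve anything whose real location is outside base_dir.
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"refused: {requested!r} escapes {root}")
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed layout: a 'public' directory (the asset we serve)
    and a secret file beside it (an asset that must stay confidential)."""
    with tempfile.TemporaryDirectory() as tmp:
        public = os.path.join(tmp, "public")
        os.mkdir(public)
        with open(os.path.join(public, "readme.txt"), "wb") as fh:
            fh.write(b"public notice")
        with open(os.path.join(tmp, "secret.txt"), "wb") as fh:
            fh.write(b"customer records")

        # Threat: a request crafted to step out of the public directory.
        hostile = os.path.join("..", "secret.txt")

        results = {
            # Without the control the secret is disclosed (loss of Confidentiality).
            "vulnerable_leaks_secret": vulnerable_read(public, hostile) == b"customer records",
            # The control still serves legitimate requests (Availability is kept).
            "control_serves_legitimate": controlled_read(public, "readme.txt") == b"public notice",
        }
        try:
            controlled_read(public, hostile)
            results["control_blocks_hostile"] = False
        except PermissionError:
            results["control_blocks_hostile"] = True
        return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The control does not remove the Threat (an attacker can still send hostile names); it removes the Vulnerability, so the Threat no longer causes loss. That distinction is exactly the one the three definitions above draw.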
Three Golden Rules of Information Security
There are three golden “rules” of Computer Security or Information Security:
Three Golden Rules ~ Robert Morris, American Cryptographer
do not own a computer; do not power it on; and do not use it.
Significance of this quote?
The point of this quote is that true, absolute security is not possible. What organisations and individuals should do instead is make a system as secure as is economically feasible and appropriate to the value of the assets it holds.
Warning
Anyone who says that Assets are 100% secure isn’t being truthful
Relation to The CIA Triad
Ironically, this quote relates rather well to The CIA Triad. It fulfils Integrity: if there is no computer, it is never turned on and it is never used, then there are no Assets to alter. It fulfils Confidentiality for the same reason, since there are no Assets to disclose if none exist.
Where it breaks down is Availability. The very points that satisfy Integrity and Confidentiality are the reason it fails Availability: if there is no computer, there is no access to Assets at all, so The CIA Triad as a whole is broken.
Examples pertaining to this quote
For instance, a company whose business centres on private personal information would spend more on Integrity, to keep its data whole and free of corruption; on Availability, to make sure the data can be accessed at all times by the parties who require it; and on Confidentiality, to ensure the data is not only protected against Vulnerabilities that may be exploited but also handled in line with local regulations and laws, such as the General Data Protection Regulation or the UK Data Protection Act
This wouldn’t be the case for someone who wants to protect an off-the-shelf computer or piece of software: while it may have value to them, it can be replaced, whereas Assets such as data cannot