Section 1.2 Learning the Lingo
Technical fields in general are laden with acronyms and opaque vocabulary, and security is no exception. Three of the most important acronyms to know from the start are CIA, AAA, and DRY.
CIA.
Figure: the CIA triad of Confidentiality, Integrity, and Availability.
While the Central Intelligence Agency does have a role to play in information security, for our purposes CIA is an acronym used to remember the three foundational information security principles: confidentiality, integrity, and availability. These ideas form the cornerstone of security and should be ever-present in your thoughts.
Confidentiality refers to the practice of keeping secret information secret. For example, if an e-commerce site stores credit card numbers (a questionable practice to begin with) those credit card numbers should be kept confidential. You would not want other users of the site or outsiders to have access to your credit card number. Many steps could be taken to ensure the confidentiality of user credit card numbers, but at this point it is enough to understand that maintaining confidentiality is a principle of security.
Integrity is an assurance that data has not been corrupted or purposefully tampered with. As we discussed previously, data is very valuable, but how valuable is it if you can't be sure it is intact and reliable? In security we strive to maintain integrity so that the system, and even the controls we have in place to guard the system, can be trusted. Imagine that e-commerce site again. What would happen if an attacker could arbitrarily change delivery addresses stored in the system? Packages could be routed to the wrong addresses and stolen, and honest customers would not receive what they ordered, all because of an integrity violation.
Availability means that a system should remain up and running so that valid users have access to the data when they need it. In the simplest sense, you could ensure confidentiality and integrity by taking the system offline and allowing no access at all. Such a system would be useless, and this final principle addresses that. Systems are designed to be accessible, and part of your security plan should be ensuring that they are. You will need to account for the costs of implementing confidentiality and integrity and make sure that the resources are available to keep the system working. In the extreme case, denial of service (DoS) attacks target availability directly. Keeping this principle in mind from the start lets you plan for those risks, for example with redundancy and capacity headroom, rather than discover them during an outage.
AAA.
Figure: the AAA concepts of Authentication, Authorization, and Accounting.
Another acronym you will encounter in many different contexts is AAA. It stands for Authentication, Authorization, and Accounting, and it is the framework behind network access protocols such as RADIUS, Diameter, and TACACS+. The three concepts belong in any security plan you design.
Authentication is the process of confirming an identity. Traditionally this is done with a user name and password; increasingly it is done with multi-factor authentication (MFA), which requires something you know (a password) together with something you have (a hardware token, or an authenticator app on your phone) or something you are (a fingerprint or other biometric).
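As an added illustration of two factors working together (this is example code written for this page, not code from the original text or from any product it names), the block below checks a password the user knows and a time-based one-time code from a device the user has. The user record, the fixed salt and the TOTP secret are constructed for the demo; the secret is the RFC 6238 test-vector key, which is why the expected code at time 59 is known.

```python
# Added example (not from the original page): authenticating with two factors,
# a password the user knows and a TOTP code from a device the user has.
# The user record, salt and TOTP secret below are constructed for the demo.
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256. Store (salt, digest); never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(salt: bytes, digest: bytes, candidate: str) -> bool:
    _, candidate_digest = hash_password(candidate, salt)
    # constant-time comparison so response timing does not reveal how much matched
    return hmac.compare_digest(digest, candidate_digest)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP whose counter is the current 30-second window."""
    return hotp(secret, at // step, digits)


def authenticate(record: dict, password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors must pass. Both are always evaluated, so a failure in one
    does not change the timing of the other."""
    at = int(time.time()) if at is None else at
    knows = verify_password(record["salt"], record["digest"], password)
    # also accept the previous and next window, to tolerate small clock skew
    has = any(hmac.compare_digest(totp(record["totp_secret"], at + d * 30), code)
              for d in (-1, 0, 1))
    return knows and has


# Constructed demo user. The TOTP secret is the RFC 6238 test-vector key; the
# fixed salt is only so the example is reproducible (use os.urandom in practice).
DEMO_SECRET = b"12345678901234567890"
_salt, _digest = hash_password("correct horse battery staple", salt=b"\x00" * 16)
ALICE = {"salt": _salt, "digest": _digest, "totp_secret": DEMO_SECRET}

if __name__ == "__main__":
    # at time 59 the RFC 6238 vector yields the 6-digit code 287082
    print(authenticate(ALICE, "correct horse battery staple", "287082", at=59))  # True
    print(authenticate(ALICE, "correct horse battery staple", "000000", at=59))  # False
```

The password is never stored; only a salted, slow hash is, and the comparison is constant-time. The one-time code proves possession of the shared secret at roughly the current time, which is why a stolen password alone does not get the attacker in.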
Authorization is the decision about which resources an authenticated entity may access and what it may do with them. This is commonly implemented with a permission scheme or access control list (ACL). Occasionally you will encounter finer-grained constraints, where authorization also depends on the time of day or on the IP address a request comes from. Note the order: authorization is meaningless until authentication has established who is asking.
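The following is an added example, not code from the original page, of default-deny authorization against an ACL whose entries can also carry the time-of-day and source-network limits mentioned above. The rules, principals and requests are constructed; the principal and group names are assumed to have come out of a prior authentication step.

```python
# Added example (not from the original page): default-deny authorization against
# an access control list whose entries may also be limited to a time-of-day
# window and to source networks. The ACL and requests are constructed.
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    principal: str                              # user or group the rule grants to
    resource: str                               # exact name, or "prefix/*" wildcard
    actions: FrozenSet[str]                     # actions permitted on that resource
    hours: Optional[Tuple[time, time]] = None   # [start, end) window within one day
    networks: Tuple[str, ...] = ()              # allowed source CIDRs; empty means any


def matches_resource(pattern: str, resource: str) -> bool:
    """Support a single trailing wildcard: "orders/*" matches "orders/42"."""
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def authorize(acl, principal: str, groups, action: str, resource: str,
              now: time, src_ip: str) -> bool:
    """Return True only if some rule explicitly grants the request (default deny).
    `principal` and `groups` are whatever authentication established."""
    ip = ipaddress.ip_address(src_ip)
    subjects = {principal, *groups}
    for rule in acl:
        if rule.principal not in subjects or action not in rule.actions:
            continue
        if not matches_resource(rule.resource, resource):
            continue
        if rule.hours and not (rule.hours[0] <= now < rule.hours[1]):
            continue
        if rule.networks and not any(ip in ipaddress.ip_network(n) for n in rule.networks):
            continue
        return True
    return False


# Constructed ACL: customers read orders, support staff may update them only
# during business hours from the office network, admins are unrestricted.
ACL = [
    Rule("customers", "orders/*", frozenset({"read"})),
    Rule("support", "orders/*", frozenset({"read", "update"}),
         hours=(time(8, 0), time(18, 0)), networks=("10.0.0.0/8",)),
    Rule("admins", "orders/*", frozenset({"read", "update", "delete"})),
]

if __name__ == "__main__":
    print(authorize(ACL, "bob", {"support"}, "update", "orders/42", time(9, 30), "10.1.2.3"))     # True
    print(authorize(ACL, "bob", {"support"}, "update", "orders/42", time(22, 0), "10.1.2.3"))     # False: after hours
    print(authorize(ACL, "bob", {"support"}, "update", "orders/42", time(9, 30), "203.0.113.7"))  # False: off-network
```

Two design points worth copying: the function returns False unless a rule positively matches, so a missing or mistyped rule fails closed, and the identity it reasons about is passed in from authentication rather than taken from the request itself.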
Accounting refers to tracking the usage of resources. This may be as simple as noting in a log file when a user logged in, or as detailed as recording exactly which services a user uses and for how long. Accounting is incredibly important because it lets you monitor for possible problems as they develop and reconstruct what occurred after a problem is found. It also allows system administrators to show what actions a user has taken, which can be important evidence in a court of law, but only if the records themselves are protected from tampering: an attacker who can edit or delete log entries can erase their own tracks, so accounting depends on the integrity principle from the CIA triad.
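As an added example (written for this page, not taken from the original text), here is an accounting log whose entries are hash-chained: each entry commits to the hash of the one before it, so altering or removing an earlier entry is detectable on verification. The session events are constructed.

```python
# Added example (not from the original page): an accounting log whose entries are
# hash-chained, so the verifier can tell whether any entry was altered or removed
# after it was written. The events are constructed.
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def entry_hash(prev_hash: str, event: dict) -> str:
    # canonical JSON so the same event always serialises, and hashes, the same way
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(log: list, event: dict) -> None:
    """Record one accounting event, binding it to the hash of the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev, "hash": entry_hash(prev, event)})


def verify(log: list):
    """Recompute the chain from GENESIS. Returns (True, None) if intact,
    otherwise (False, index_of_first_entry_that_fails)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["event"]):
            return False, i
        prev = entry["hash"]
    return True, None


def build_sample_log() -> list:
    """Constructed session for user "bob"; real entries would also carry timestamps."""
    log = []
    append(log, {"user": "bob", "action": "login", "src": "10.1.2.3"})
    append(log, {"user": "bob", "action": "read", "resource": "orders/42"})
    append(log, {"user": "bob", "action": "update", "resource": "orders/42"})
    append(log, {"user": "bob", "action": "logout"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(verify(log))                         # (True, None)
    log[2]["event"]["resource"] = "orders/99"  # attacker rewrites what bob touched
    print(verify(log))                         # (False, 2)
    log = build_sample_log()
    del log[1]                                 # attacker removes the read event
    print(verify(log))                         # (False, 1)
```

The chain only proves that nothing changed since the head hash was last recorded. An attacker who can rewrite the whole file can recompute every hash, so the current head hash must be copied somewhere the attacker cannot reach (a separate log host, or a signature made with a key the log server does not hold) for the record to carry evidentiary weight.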
DRY.
While we're dispensing knowledge in the form of three-letter acronyms (TLAs), another important acronym to keep in mind is DRY: Don't Repeat Yourself.
"Say something once, why say it again?" (Talking Heads, "Psycho Killer" [1])
[1] Talking Heads. (1977). Psycho Killer [song]. On Talking Heads: 77. Sire Records.
This is of course not meant literally. Having explained something to a coworker once does not mean you should never explain it again. It is a guide to how you use automation and how you design systems. Increasingly, security experts are asked to analyze not a single system but a network of hundreds or thousands of them, and at that scale you should use scripts and tools so that you are not doing the same thing over and over by hand. Have you found a good way to test whether part of a system is secure? Put it in a script so the test can be rerun on every other system. The same logic applies to system design. Do you have a database of user login information? Make it the single source that other systems authenticate against (a directory or single sign-on service) instead of keeping a separate copy of everyone's credentials in each system; every extra copy is another place for those credentials to leak from and another store to keep in sync. In short, "Don't repeat yourself!"
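To make the "put it in a script" advice concrete, the following added example (not code from the original page) writes one sshd hardening check and runs it unchanged against every host's configuration. The sshd_config texts are constructed, and BASELINE is a small illustrative subset of settings chosen for the example, not a complete hardening standard.

```python
# Added example (not from the original page): a hardening check written once and
# run unchanged against every host, instead of being repeated by hand. The sshd
# configurations are constructed, and BASELINE is a small illustrative subset of
# settings, not a complete standard.
import re

# OpenSSH's own defaults when a keyword is absent from sshd_config (sshd_config(5))
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
}

# keyword -> (acceptable values, why)
BASELINE = {
    "permitrootlogin": ({"no", "prohibit-password"}, "root must not log in with a password"),
    "passwordauthentication": ({"no"}, "key-based authentication only"),
    "x11forwarding": ({"no"}, "X11 forwarding is rarely needed on a server"),
}


def effective_settings(config_text: str) -> dict:
    """Parse sshd_config: keywords are case-insensitive, '#' starts a comment,
    the separator is whitespace or '=', and the first occurrence of a keyword wins."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key not in seen:
            seen.add(key)
            settings[key] = value
    return settings


def check_sshd(config_text: str) -> list:
    """Findings for one host; an empty list means it meets BASELINE."""
    settings = effective_settings(config_text)
    findings = []
    for keyword, (allowed, reason) in BASELINE.items():
        value = settings.get(keyword)
        if value not in allowed:
            findings.append(f"{keyword} is {value!r}, expected one of {sorted(allowed)}: {reason}")
    return findings


def audit(configs: dict) -> dict:
    """Apply the same check to every host; return only the hosts with findings."""
    return {host: f for host, text in configs.items() if (f := check_sshd(text))}


# Constructed sample: one permissive host, one hardened host, one mostly hardened.
SAMPLE_CONFIGS = {
    "web-01": "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes  # legacy\n",
    "web-02": "PermitRootLogin prohibit-password\nPasswordAuthentication no\nX11Forwarding no\n",
    "db-01": "# hardened by ops\nPasswordAuthentication no\nPermitRootLogin=no\nX11Forwarding yes\n",
}

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_CONFIGS).items():
        for finding in findings:
            print(f"{host}: {finding}")
```

In real use the config texts would be fetched from each host (or from configuration management) and fed to the same check. The parser deliberately ignores Match blocks and Include directives, which can override settings conditionally, so treat its verdict as a first pass rather than proof of compliance.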