Cybersecurity
The CIA Triad: Foundation of Cybersecurity
Confidentiality
Prevents unauthorized access to sensitive information using firewalls, encryption, and access controls
Integrity
Ensures no unauthorized modifications through hashing and integrity monitoring solutions
Availability
Guarantees legitimate user access via fault tolerance, clustering, and backup systems
Nonrepudiation
Nonrepudiation complements the CIA triad by preventing someone from denying they took an action. Digital signatures provide proof that messages truly originated from their claimed sender.
Understanding the DAD Triad
The DAD triad represents the three key threats to cybersecurity, each mapping directly to a CIA principle:
Disclosure
Unauthorized exposure of sensitive information, violating Confidentiality
Alteration
Unauthorized modification of data or systems, violating Integrity
Denial
Disruption of legitimate access to resources, violating Availability
Breach Impact Categories
Security incidents create diverse organizational impacts across five key areas:
| Impact Category | Description | Examples |
|---|---|---|
| Financial | Direct and indirect monetary damages | Incident response costs, revenue loss, competitive disadvantage |
| Reputational | Loss of customer and stakeholder trust | Negative publicity, reduced business volume, brand damage |
| Strategic | Inability to meet major goals/objectives | Product launch delays, competitive disadvantage, market position loss |
| Operational | Disruption of day-to-day functions | Slow processes, manual workarounds, delivery delays |
| Compliance | Violation of legal/regulatory requirements | HIPAA violations, PCI DSS fines, regulatory sanctions |
Security Control Framework
Control Categories (By Mechanism)
| Category | Examples |
|---|---|
| Technical | Firewalls, encryption, IPS |
| Operational | User reviews, log monitoring |
| Managerial | Risk assessments, planning |
| Physical | Locks, fences, cameras |
| Control Type | Purpose | Examples |
|---|---|---|
| Preventive | Stop issues before they occur | Firewalls, encryption, access controls |
| Deterrent | Discourage attackers from attempting | Warning signs, guard dogs, barbed wire |
| Detective | Identify events that already occurred | IDS, security cameras, log analysis |
| Corrective | Remediate existing security issues | Backup restoration, patch deployment |
| Compensating | Mitigate risk when standard controls can't be used | Network isolation for legacy systems |
| Directive | Inform employees of security objectives | Policies, procedures, training materials |
Data Protection Strategies
Data at Rest
Stored on drives, tapes, cloud. Protect with encryption and access controls
Data in Transit
Moving over networks. Protect with TLS/SSL and VPNs
Data in Use
Active in memory. Protect with secure processing and memory encryption
Data Minimization Techniques
| Technique | Description |
|---|---|
| Hashing | One-way transformation using hash functions |
| Tokenization | Replace with unique identifiers via lookup tables |
| Masking | Partial redaction (X's over sensitive digits) |
| DLP Systems | Agent-based and network-based monitoring to prevent data exfiltration |
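Added example (not part of the original notes) showing the three transformation-based minimization techniques side by side on a card number: a token vault backed by a lookup table, a keyed one-way hash, and masking that keeps only the last four digits. The keyed hash (HMAC) is a deliberate choice over a bare hash: a plain digest of a low-entropy value such as a 16-digit card number can be reversed by enumeration, so the key is what makes the transformation one-way in practice. The vault, the key and the card numbers are constructed for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

class TokenVault:
    """Tokenization: the real value lives only in the vault; callers carry a random token."""
    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:      # same input maps to one token, so joins still work
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)  # random, so the token reveals nothing about the value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (the one system allowed to see the real value) can reverse a token."""
        return self._token_to_value[token]

def hash_value(value: str, key: bytes) -> str:
    """Keyed one-way transformation: lets records be matched without being recoverable.
    The key must be stored separately from the hashed data (assumption: a secrets store)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def mask(value: str, keep_last: int = 4, mask_char: str = "X") -> str:
    """Masking: partial redaction, keeping only the trailing digits an operator needs to see."""
    digits = [c for c in value if c.isdigit()]
    visible = set(range(max(0, len(digits) - keep_last), len(digits)))
    out, i = [], 0
    for c in value:
        if c.isdigit():
            out.append(c if i in visible else mask_char)
            i += 1
        else:
            out.append(c)  # keep separators so the masked value is still recognisable as a card/SSN
    return "".join(out)
```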
Key Takeaway
Modern security professionals must balance the CIA triad objectives (Confidentiality, Integrity, Availability) through carefully selected technical, operational, managerial, and physical controls while understanding breach impacts across financial, reputational, strategic, operational, and compliance categories, and implementing robust data protection strategies for data at rest, in transit, and in use.
Classifying Threat Actors
Modern threat actors differ across four critical attributes:
| Attribute | Range | Impact |
|---|---|---|
| Location | Internal → External | Insiders have access and knowledge advantages |
| Sophistication | Unskilled → APT | From borrowed tools to zero-day exploits |
| Resources | Limited → Unlimited | Hobbyist spare time to nation-state budgets |
| Motivation | Thrill → Strategic | Impacts targeting, persistence, and methods |
Major Threat Actor Types
Unskilled Attackers
Skill level: Low. Script kiddies use automated tools with limited knowledge. They pose real threats because attack tools are freely available and their targeting is unfocused and opportunistic.
Hacktivists
Skill level: Variable. Motivated by political/social causes. Groups like Anonymous demonstrate powerful collective action. They are willing to risk detection for their beliefs.
Organized Crime
Skill level: High. Focus on illegal financial gain through ransomware, fraud, and dark web operations. Skilled attackers with substantial resources.
Nation-State (APT)
Skill level: Expert. Advanced Persistent Threats with unlimited resources. Exploit zero-day vulnerabilities for political, military, and economic objectives.
Insider Threats
Skill level: Variable. Employees/contractors with authorized access. Existing knowledge and permissions make them particularly dangerous regardless of skill.
Competitors
Skill level: Variable. Engage in corporate espionage to steal IP, customer data, and strategic plans. Often leverage dark web markets or insiders.
Understanding Attacker Motivations
Primary Motivations Behind Cyberattacks
Data Exfiltration | Espionage | Service Disruption | Blackmail | Financial Gain | Political/Philosophical Beliefs | Ethical (White-hat) | Revenge | Disruption/Chaos | War
Understanding motivations helps predict targeting patterns and defend effectively. For example, hacktivists target organizations based on political disagreement, while organized crime focuses on profitable targets with weak defenses.
Threat Vectors and Attack Surfaces
| Vector | Attack Method | Defense Strategy |
|---|---|---|
| ๐ง Message-Based | Email, SMS, IM phishing | Security awareness training, email filtering |
| Network | Wired/wireless/Bluetooth access | Network segmentation, encryption, NAC |
| ๐ป Systems | Open ports, default credentials, vulnerabilities | Patch management, hardening, vulnerability scanning |
| ๐ Files/Images | Embedded malicious code | Antimalware, sandboxing, user training |
| ๐พ Removable Devices | USB drives with malware | Device control policies, endpoint protection |
| Cloud | Misconfigured access, exposed credentials | CSPM tools, IAM, encryption |
| ๐ Supply Chain | Compromised vendors, software, MSPs | Vendor assessment, code review, monitoring |
Building Threat Intelligence Programs
Open Source (OSINT)
Public feeds from CISA, SANS, vendor sites. Free but requires validation and filtering
Proprietary/Closed
Commercial vendors provide curated, validated feeds with analysis services
ISACs
Information Sharing Centers for sector-based threat exchange among critical infrastructure operators
Assessment Criteria for Threat Intelligence
| Criterion | What to ask |
|---|---|
| Timeliness | Is the information current and actionable? |
| Accuracy | Can you rely on the source? Are there multiple confirmations? |
| Relevance | Does it apply to your organization's platform, software, and threat profile? |
| Confidence Scores | Filter intelligence based on reliability (Confirmed 90-100 → Discredited 1) |
Indicators of Compromise (IoCs) provide telltale attack signs through file signatures, log patterns, and evidence. STIX/TAXII standards enable automated threat intelligence sharing using structured formats.
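Added example (not from the original notes) tying the assessment criteria to the STIX format mentioned above: it reads a STIX 2.1 bundle, drops indicators that fail the accuracy check (confidence score below a threshold) or the timeliness check (outside their validity window, or revoked), and extracts the IoC value from each surviving indicator's pattern. The bundle, its ids and every indicator value are constructed placeholders; the confidence threshold is the caller's choice.

```python
from __future__ import annotations
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle for this example (not a real feed; ids and values are placeholders).
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
  "objects": [
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix", "confidence": 95,
     "id": "indicator--00000000-0000-4000-8000-000000000002", "name": "constructed dropper hash",
     "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']", "valid_from": "2024-01-01T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix", "confidence": 40,
     "id": "indicator--00000000-0000-4000-8000-000000000003", "name": "constructed doubtful domain",
     "pattern": "[domain-name:value = 'c2.example.invalid']", "valid_from": "2024-01-01T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix", "confidence": 90,
     "id": "indicator--00000000-0000-4000-8000-000000000004", "name": "constructed expired address",
     "pattern": "[ipv4-addr:value = '192.0.2.10']", "valid_from": "2023-01-01T00:00:00Z",
     "valid_until": "2023-06-01T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix", "confidence": 92,
     "id": "indicator--00000000-0000-4000-8000-000000000005", "name": "constructed retracted url",
     "pattern": "[url:value = 'http://retracted.example.invalid/']", "valid_from": "2024-01-01T00:00:00Z",
     "revoked": True},
  ]})

# Only the simplest STIX pattern shape ([object:path = 'value']) is handled here.
_SIMPLE_COMPARISON = re.compile(r"\[\s*([\w\-:.']+)\s*=\s*'([^']*)'\s*\]")

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def actionable_iocs(bundle_json: str, min_confidence: int, now_utc: str) -> list[tuple[str, str]]:
    """Keep indicators that pass the accuracy check (confidence score) and the timeliness
    check (validity window, not revoked), then return (object path, value) pairs."""
    now = _ts(now_utc)
    found = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        if obj.get("confidence", 0) < min_confidence:       # no score: treat as lowest reliability
            continue
        if _ts(obj["valid_from"]) > now:                     # not yet valid
            continue
        if "valid_until" in obj and _ts(obj["valid_until"]) <= now:   # expired
            continue
        m = _SIMPLE_COMPARISON.fullmatch(obj["pattern"])
        if m:   # compound patterns (AND / OR / FOLLOWEDBY) need a real STIX pattern parser
            found.append((m.group(1), m.group(2)))
    return found
```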
Understanding Zero-Day Attacks
Zero-Day Vulnerabilities
APT actors conduct their own vulnerability research to discover unknown flaws. These zero-day attacks are particularly dangerous because vendors have no patches available. Example: Stuxnet exploited zero-days to compromise Iranian nuclear facilities.
Key Takeaway
Understanding the diverse threat landscape (from unskilled opportunists to nation-state APT actors) enables organizations to build appropriate defenses, leverage threat intelligence effectively (OSINT, proprietary feeds, ISACs), understand threat vectors (message-based, network, supply chain), and prioritize security investments based on actual risks and attacker motivations (financial gain, espionage, disruption, political beliefs).