The document provides an overview of key security goals in cybersecurity, focusing on confidentiality, integrity, and availability (CIA). It emphasizes the importance of authentication, authorization, and accountability in ensuring data security and outlines various measures for maintaining these goals. Additionally, it discusses challenges and threats to security, along with the importance of training and best practices for individuals handling sensitive information.

1. Lecture 2
COMP SCI 7328 Concepts in Cyber Security
Security Goals
Lecturer: Faheem Ullah (faheem.ullah@adelaide.edu.au)

2. Outline
• Introduction to security goals
• Confidentiality, Integrity, and Availability (CIA)
• Authentication and Authorization
• Accountability
2

3. Computer Security Goals
3

4. Confidentiality (1/6)
• Only authorized parties can
access non-public information
• Examples:
– technically: data encryption
– procedurally: physical access
control
• Related terms:
– privacy: how personal sensitive
information is shared
– anonymity: actions are not linked
to a public identity
4

5. Confidentiality (2/6)
• At large, the goal of confidentiality is to stop sensitive
data from getting into the wrong hands
• Before implementing security controls, group your
data into different categories according to how much
damage could be done if accessed by an authorized
entity
• The higher the negative impact, the stronger the
security controls need to be.
5

6. Confidentiality (3/6)
• Ensuring confidentiality is the responsibility of both
technologists and everyone else in the organization
• Everyone having access to information has a role in
preserving confidentiality
• Some ways to ensure data confidentiality
– Encryption
– Strong password
– Two-factor authentication
– Biometric verification
6

7. Confidentiality (4/6)
• Sometimes safeguarding data confidentiality involves special training
for those privy to sensitive documents
• Training can help familiarize authorized people with risk factors and
how to guard against them
• Further aspects of training may include strong passwords and
password-related best practices
• Users can take precautions to minimize the number of places where
information appears and the number of times it is actually transmitted
to complete a required transaction
7

8. Confidentiality (5/6)
Can you give an example of a
threat to data confidentiality and
explain how you would mitigate
it?
8

9. Confidentiality (6/6)
Can you explain how encryption
can be used to enhance the
confidentiality of data?
9

10. Integrity (1/5)
• Data remain unaltered, excepted
by authorized parties
• Integrity involves maintaining the
accuracy and completeness of
data over its entire life cycle
• Examples:
– error detection/correction codes
10

11. Integrity (2/5)
• Challenges that could affect the integrity of your
information
– Human Error
– Compromising a server where end-to-end encryption isn’t there
– Physical compromise to a device
11
Source: ‘The CIA Triad: The key to Improving Your Information Security’ by Katie, 2018

12. Integrity (3/5)
• Some ways of ensuring integrity
– Encryption
– User access controls
– Version control
– Backup and recovery procedures
– Error detection software
• Measures for detecting change in data
• Backups must be available to restore the affected data to its correct
state
12

13. Integrity (4/5)
How do you detect and respond to
a data integrity breach in your
organization?
13

14. Integrity (5/5)
Have you ever implemented
controls or procedures to ensure
the accuracy and completeness of
data in an organization?
14

15. Availability (1/5)
• Resources are accessible for
authorized use
• Example:
– protection against denial-of-
service attacks
15

16. Availability (2/5)
• Availability is typically associated with reliability and
system uptime.
• Availability can be impacted by
– Hardware failures
– Unscheduled software downtime
– Human error
– Cyber attacks like denial-of-service
16

17. Availability (3/5)
• Availability is ensured via
– Backups
– Redundancy
– Disaster recovery
– Proper monitoring
– Incident response plan
– Hardware repairs and maintenance
17

18. Availability (4/5)
How would you approach
planning for disaster recovery and
business continuity in the event of
a cyber attack or system failure?
18

19. Availability (5/5)
What are some common current
threats to the availability of
systems and services?
19

20. CIA – Confidentiality, Integrity, Availability
20

21. Challenges to ensure CIA
21
• The large volume of data
• The high variety of data
• The heterogenous sources of data
• Internet of things

22. Authentication (1/2)
• Assurance that data is
genuine relative to
expectations
• Authentication is used by a
server when the server needs
to know exactly who is
accessing their information
or site
22

23. Authentication (2/2)
• Authentication does not determine what tasks the
individual can do or what files the individual can see.
• Authentication merely identifies and verifies who the
person or system is.
• In authentication, the user or computer has to prove
its identity to the server or client.
• Usually done before authorization
23

24. Authorization
• Resources are accessible only
by authorized entities
• A process by which a server
determines if the client has
permission to use a resource
or access a file
• Usually done after
authentication
• Example:
– access control: access restriction
24

25. Accountability (1/2)
• Every individual who works
with an information system
should have specific
responsibilities for information
assurance
• Ability to identify actors
responsible for past actions
25

26. Accountability (2/2)
• Example: Policy statement that all employees must
avoid installing outside software on a company-owned
information infrastructure
• The person in charge of information security should
perform periodic checks to be certain that the policy is
being followed.
• Individuals must be aware of what is expected of them
26
Source: https://www.computer-security-glossary.org/accountability.html

27. Summary
27
• The security policy of organizations are primarily
driven by security goals
• Confidentiality, integrity, and availability are the three
most important security requirements/goals
• Authentication and authorization are key measures for
ensuring confidentiality, integrity, and availability
• Accountability also plays a key role in ensuring
security of an organization

28. Extended Readings (1/2)
28
Articles
• "Confidentiality, Integrity, and Availability (CIA) Triad in Cybersecurity" by
SANS Institute
• "Balancing Confidentiality, Integrity, and Availability in Cybersecurity" by
ISACA
• "The Importance of Confidentiality, Integrity, and Availability in
Cybersecurity" by Dark Reading
• "Confidentiality, Integrity, and Availability (CIA) Triad: A Vital Component
of Cybersecurity" by InfoSec Institute

29. Extended Readings (2/2)
29
Research Papers
• "A Framework for Confidentiality, Integrity, and Availability in
Cybersecurity" by R. K. Jain and P. K. Sahu
• "Cybersecurity: A Study of Confidentiality, Integrity, and Availability" by R.
Jain and R. K. Jain
• "Cybersecurity Risks and Countermeasures: Confidentiality, Integrity, and
Availability" by D. C. Anderson and J. L. Brown
• "Confidentiality, Integrity, and Availability in Cybersecurity: A Review and
Future Directions" by A. P. Sahoo and S. Sahoo