CIA Triad, Authentication, Encryption & Cyber Controls
Key Takeaways
- The CIA triad -- confidentiality, integrity, and availability -- is the foundational model guiding information security policy.
- Multi-factor authentication requires combining at least two different factor categories: something you know, something you have, and something you are.
- Symmetric encryption (e.g., AES) uses one shared key for both encryption and decryption and is fast enough for bulk data.
- Asymmetric encryption (e.g., RSA) uses a public/private key pair and is typically used for secure key exchange and digital signatures rather than bulk data encryption.
- Digital forensic investigations depend on a documented chain of custody and forensic imaging to preserve evidence integrity for legal proceedings.
The CIA Triad
The CIA triad -- confidentiality, integrity, and availability -- is the foundational model that guides virtually every information security policy and control decision.
| Principle | Definition | Example control |
|---|---|---|
| Confidentiality | Protecting information from unauthorized access or disclosure | Encryption, access control lists, need-to-know restrictions |
| Integrity | Ensuring data is accurate, complete, and has not been altered by an unauthorized party | Hashing/checksums, version control, change-management approval |
| Availability | Ensuring authorized users can access information and systems when needed | Redundancy, backups, disaster recovery, denial-of-service protection |
A common exam trap is assuming a single control serves all three principles equally. Encryption, for example, primarily serves confidentiality; a cryptographic hash primarily serves integrity (verifying a file has not changed) without providing confidentiality at all (a hash does not conceal the underlying data). Strong programs deliberately select controls for each leg of the triad rather than assuming one technology covers all three.
Consider a hospital's patient-records system: encrypting the database protects confidentiality, but if a ransomware attack encrypts the same records with the attacker's key and the organization has no verified backup, availability fails even though confidentiality was never breached. A single incident can therefore violate one, two, or all three legs of the triad independently, which is why incident-response plans should assess impact against each leg separately rather than treating breach severity as a single undifferentiated score.
Authentication and Multi-Factor Authentication
Authentication relies on three recognized factor categories:
- Something you know -- a password, PIN, or passphrase.
- Something you have -- a smart card, hardware token, or registered mobile device.
- Something you are -- a biometric characteristic.
Multi-factor authentication (MFA) requires combining factors from at least two different categories -- a password plus a PIN is still single-factor (both are something you know), while a password plus a one-time push approval on a registered device is genuine MFA.
Biometrics further split into physiological identifiers (fingerprint, iris, facial geometry) and behavioral identifiers (gait, keystroke dynamics, voice pattern). Biometric system accuracy is measured by the False Accept Rate (FAR) -- the rate at which an unauthorized person is incorrectly granted access -- and the False Reject Rate (FRR) -- the rate at which an authorized person is incorrectly denied. The point where FAR and FRR intersect is the Crossover Error Rate (CER), a single figure commonly used to compare biometric technologies.
Ethical Hacking and Penetration Testing
Ethical hacking and penetration testing are authorized, scoped simulations of an attacker's methods, conducted to find and remediate vulnerabilities before a malicious actor exploits them. Engagements are typically categorized by how much information the tester is given in advance:
- Black-box -- the tester has no internal knowledge, simulating an external attacker.
- White-box -- the tester has full internal knowledge (network diagrams, source code, credentials), enabling the deepest technical review.
- Gray-box -- the tester has partial knowledge, simulating an attacker with some insider access, such as a compromised low-privilege account.
Every engagement must have documented, written authorization and a defined scope and rules of engagement before testing begins -- without authorization, the identical technical activity is a crime rather than a security service.
A typical engagement follows a defined methodology: reconnaissance (gathering public information about the target), scanning and enumeration (identifying live systems, open ports, and services), exploitation (attempting to gain access using discovered vulnerabilities), and reporting (documenting findings, exploited paths, and prioritized remediation recommendations for the client). The final report, not the exploitation itself, is the deliverable that drives actual risk reduction.
Encryption and Data Masking
| Method | Key structure | Speed | Typical use |
|---|---|---|---|
| Symmetric encryption (e.g., AES) | One shared key encrypts and decrypts | Fast | Bulk data at rest or in transit |
| Asymmetric encryption (e.g., RSA) | A public/private key pair -- the public key encrypts, the private key decrypts | Much slower | Secure key exchange, digital signatures, small data volumes |
In practice the two are combined: asymmetric encryption securely exchanges a temporary symmetric key, and the fast symmetric algorithm then encrypts the actual bulk data -- the same hybrid model used in HTTPS. Data masking is a related but distinct technique that obscures specific data values (replacing a real value with a realistic but fictional one), typically for non-production environments such as software testing, and -- unlike encryption -- is often not designed to be reversed.
Forensic Investigations
When an incident requires evidence for disciplinary action or legal proceedings, a digital forensic investigation must preserve evidence integrity from the moment it is identified. Core requirements include a documented chain of custody (who handled the evidence, when, and why, without gaps), forensic imaging (an exact bit-for-bit copy of the original media, so analysis is performed on the copy rather than risking alteration of the original), and use of write-blocking hardware or software to guarantee the original source is never modified during acquisition. Evidence handled outside these controls risks being ruled inadmissible, regardless of how clearly it demonstrates wrongdoing.
Investigators also apply the order of volatility principle, collecting the most perishable evidence first -- system memory (RAM) and active network connections degrade or disappear the moment a system is powered down, while data on a hard drive remains comparatively stable, so acquisition sequencing itself is a documented forensic decision.
A user logs into a corporate system with a password and then must also approve a push notification on a registered mobile device. Which authentication principle does this represent?
Which statement correctly distinguishes symmetric from asymmetric encryption?