November 2023 – Pete on Software

Spy Dressed in Trenchcoat During our introduction in the last blog post, we mentioned the “CIA Triad” and gave a quick rundown about what it is. As a reminder, it’s not related to any government agency; rather, it stands for Confidentiality, Integrity, and Availability – three pillars of infosec. Today, let’s zoom in on the first pillar – Confidentiality – and unpack its significance, with a sprinkle of real-world examples and what happens when it fails.

In the simplest of terms, confidentiality in information security refers to the practice of ensuring that information is not made available or disclosed to unauthorized individuals, entities, or processes. It’s about access and exposure control. Whether it is personal data, corporate secrets, or sensitive government information, confidentiality aims to keep it under wraps from those not cleared to view it.

The Mechanisms of Ensuring Confidentiality

Encryption: This is the process of encoding information so that only authorized parties can decode and access it. When you send an encrypted email, for instance, you’re ensuring that only the intended recipient with the right key can read it. Confidential data should always be encrypted at rest and in transit.
Access Controls: These are policies and technologies used to restrict access to data. Some examples passwords, biometric scans, or even simpler methods like locked file cabinets. Basically, we know that certain people are only allowed to access certain information. How do we first create a yes/no list and secondly, how do we make sure that you’re the person represented on the list?
Data Classification: By categorizing data based on its sensitivity, organizations can apply appropriate confidentiality controls. This is the easiest way to apply access controls broadly.
Pete can see public data and sensitive data, but not confidential or proprietary data. Luke can see public, sensitive, and confiential, but not proprietary. Jayson can see all kinds. Appropriate classifications can make access easier to maintain.

Real-World Examples

Healthcare: Under regulations like HIPAA in the U.S., patient health information must be kept confidential. Hospitals use secure databases with strict access controls to store patient records.
Banking: Financial institutions employ encryption to protect customer data during transactions. Your online banking session is an example where confidentiality is key to safeguard your financial information.
Legal Sector: Attorney-client privilege is a form of confidentiality. Communications are often encrypted to protect sensitive legal information from being accessed by outside parties.

The Consequences of Confidentiality Breaches

Now, what happens when confidentiality fails? The repercussions can be severe:

Identity Theft: If personal information like social security numbers or credit card details is leaked, individuals can face identity theft, leading to financial loss and a long road to credit recovery.
Corporate Espionage: For businesses, a breach of confidentiality can mean leaking trade secrets, resulting in a competitive disadvantage or even financial ruin.
National Security Threats: On a larger scale, if government secrets are exposed, it can lead to threats against national security and diplomatic relations.

Preventing Breaches of Confidentiality

The key to preventing breaches is a proactive approach:

Regular Training: Regularly educating employees on the importance of confidentiality and how to maintain it.
Up-to-Date Security Measures: Continuously updating security protocols and software to combat evolving threats.
Incident Response Planning: Having a plan in place in case a breach occurs, to minimize the damage.

Conclusion

In our increasingly digitized world, the importance of maintaining the confidentiality of information cannot be overstated. As individuals and organizations, understanding and applying the principles of confidentiality is not just a best practice but a necessity in safeguarding our data and, by extension, our digital identities.

Remember, a chain is only as strong as its weakest link. Let’s ensure confidentiality is a robust link in our information security chain.

Picture of a Safe Door
I’ve been spending a lot of time at work recently being involved in audits of our company’s security. Some of them we are paying for (3rd party pentesting), some are voluntary compliance (SOC 2), and some are from clients doing their due diligence on vendors. In conducting and discussing the requests and our answers, it occurred to me just how vital that having a good understanding of Information Security is becoming table stakes to be in the industry, whether you’re a budding programmer, an aspiring entrepreneur, or just someone curious about the tech world. Let’s dive into the basics in the first post of what I hope will become a series.

What is Information Security (Infosec)?

At its essence, information security (infosec) is about safeguarding data from unauthorized access and alterations. It’s the practice of defending our digital valuables – be it personal information, business data, or governmental records. We live in a world where data flows everywhere, and just like dams ensure water flows in controlled and safe ways, infosec ensures data remains confidential, intact, and accessible only by those meant to access it.

Why is Infosec Important?

Imagine writing a personal letter and leaving it at a coffee shop. Anyone could read it, modify it, or take it away. That’s what the digital world is like without information security. With the invention and expansion of the internet, we’re more connected than ever. That means that our data – from emails to credit card numbers – is exposed to potential misuse.

The CIA Triad is a common model to use to talk about information systems. CIA doesn’t stand for the United States Central Intelligence Agency, rather it is an acronym for these concepts:

Confidentiality: This principle ensures that sensitive information is only accessed by those who have the right to view it. Think of it like putting a letter in a sealed envelope rather than leaving it open for all to see.
Integrity: Ensuring data remains unaltered during storage or transmission is vital. It’s like ensuring that the letter you wrote reaches its destination without anyone changing the words inside.
Availability: Data needs to be accessible when needed. Imagine sending a letter and ensuring it reaches its destination on time for whenever the recipient wants to read it. Availability in infosec ensures that systems and data are available when required.

What’s at Stake?

Every day, new vulnerabilities and threats emerge. From ransomware attacks holding data hostage to data breaches leaking sensitive information, it can seem like we’re in a Wild West scenario. Companies of all sizes heavily invest in securing the data that they generate and are entrusted with by having dedicated security teams (both offensive and defensive) to constantly remain vigilant while finding their own weaknesses to fix before the adversaries do. This can take many forms, including monitoring, proactive Bug Bounty Programs to engage ethical hackers, simulated attacks, and tabletop exercises, to name a few.

If these companies fail, the results can be disastrous. Compromising one or more points of the CIA Triad can directly affect a company’s revenue and reputation. One great example of this is what happened to LastPass after they had a large security incident. Customers left in droves for other alternatives like BitWarden, 1Password, and KeePass. That certainly will hurt LastPass’ revenue, but even worse is that the attack directly harmed their customers’ finances. The Verge reported that there was a potential link was made between the 2022 data theft and a total of more than $35 million in cryptocurrency that had been stolen, due the fact that almost all victims were LastPass users. Those are sobering consequences.

Why Should You Care?

As we plunge deeper into the digital era, infosec isn’t just a concern for IT departments but is everyone’s responsibility. Understanding infosec can not only make you a more informed digital citizen but can also open doors to a thriving career path. Even if you’re not interested in becoming a cybersecurity specialist, you should look to secure your online presence. Your security is only as strong as the weakest link and you should do all that you can to not be that weak link, and the journey into information security can be rewarding and eye-opening.

What’s Next?

Embarking on the infosec journey equips you with the knowledge to protect not just your data but also contribute to a safer digital ecosystem. From teaching to policy-making to ethical hacking, the field is vast and ripe with opportunity. Over the next few posts, I hope to explore these points more in depth and talk more about what we in technology can do to sharpen these tools in our own toolkits.

Pete on Software

Month: November 2023

The CIA Triad: Confidentiality