Module 1.1: Information Assurance Concepts

Learning Objectives

By the end of this module, you will:

  • Explain each component of the CIA triad with real-world examples
  • Differentiate between authentication, authorization, and accountability
  • Understand multi-factor authentication and why it matters
  • Explain non-repudiation and how digital signatures achieve it
  • Distinguish between privacy and confidentiality
  • Understand AI security implications for information assurance

The CIA Triad: Foundation of Information Security

Every security decision, every control, and every policy ultimately serves one or more pillars of the CIA triad. This is the most fundamental concept in cybersecurity.

Confidentiality

Definition: Ensuring information is accessible only to those authorized to access it.

Think of it as: A locked diary. Only people with the key can read what's inside.

Real-World Breach Examples:

  • Equifax (2017): 147 million people's Social Security numbers, birth dates, and addresses exposed. Attackers exploited an unpatched web application vulnerability. The data was not encrypted at rest.
  • Target (2013): 40 million credit card numbers stolen through a compromised HVAC vendor. Demonstrates that confidentiality breaches can come through third parties.
  • Capital One (2019): 100 million credit applications exposed through a misconfigured cloud firewall. Shows that confidentiality failures aren't always about hackers—misconfigurations count too.

What happens when confidentiality fails:

  • Financial loss (regulatory fines, lawsuits, remediation costs)
  • Reputation damage (customer trust evaporates)
  • Competitive disadvantage (trade secrets exposed)
  • Identity theft for affected individuals
  • Regulatory penalties (GDPR: up to 4% of global annual revenue)

Controls that protect confidentiality:

| Control | How It Protects |
| --- | --- |
| Encryption | Makes data unreadable without key |
| Access controls (ACLs, RBAC) | Limits who can access data |
| Data classification | Identifies what needs protection |
| DLP (Data Loss Prevention) | Detects/prevents data exfiltration |
| Network segmentation | Limits lateral access |
| Steganography | Hides existence of data |

Integrity

Definition: Ensuring data is accurate, complete, and unaltered except by authorized actions.

Think of it as: A tamper-evident seal on medicine. You can tell if someone has opened it.

Two Types:

  • Data integrity: The information itself is correct and unmodified (a financial record hasn't been changed)
  • System integrity: The system operates as intended without unauthorized modification (no rootkit, no unauthorized configuration changes)

Real-World Examples:

  • Stuxnet (2010): Malware modified the programming of Iranian nuclear centrifuges while reporting normal readings to operators. The integrity of both the control systems and the monitoring data was compromised.
  • DNS poisoning: Attackers modify DNS cache entries, sending users to fake websites even when they type correct URLs. This is an integrity attack on the name resolution system.
  • Financial fraud: An insider modifies database records to transfer funds. The data looks valid but has been tampered with.

Controls that protect integrity:

| Control | How It Protects |
| --- | --- |
| Hashing (SHA-256) | Detects any modification to data |
| Digital signatures | Proves origin and detects tampering |
| Checksums | Detects transmission errors |
| Version control | Tracks all changes with attribution |
| Access controls | Prevents unauthorized modification |
| Input validation | Prevents bad data from entering systems |
| Change management | Controls who can modify systems |

⚠️ Key Distinction: Integrity is NOT about keeping data secret—it's about keeping it ACCURATE. A public website has no confidentiality requirement, but its integrity is critical (you don't want hackers defacing it).


Availability

Definition: Ensuring systems, data, and resources are accessible and usable when needed by authorized users.

Think of it as: A hospital emergency room must be open 24/7. If it's closed when someone needs it, the consequences are severe.

Real-World Examples:

  • AWS outage (2017): A typo in a maintenance command took down a significant portion of the internet for hours. Services like Slack, Trello, and IFTTT went offline.
  • WannaCry ransomware (2017): UK's NHS hospitals couldn't access patient records. Surgeries were cancelled. Ambulances were diverted. This is availability being destroyed.
  • Dyn DNS attack (2016): A DDoS attack against the DNS provider knocked major sites (Twitter, Netflix, Reddit) offline for hours.

What threatens availability:

  • DDoS attacks (overwhelming resources)
  • Hardware failures (disk crashes, power supply failure)
  • Natural disasters (floods, earthquakes, fires)
  • Ransomware (encrypts data, making it inaccessible)
  • Human error (bad patches, misconfigurations)
  • Software bugs (memory leaks, crashes)

Controls that protect availability:

| Control | How It Protects |
| --- | --- |
| Redundancy (RAID, clustering) | Eliminates single points of failure |
| Backups | Enables recovery after data loss |
| Failover systems | Automatically switches to standby |
| Load balancing | Distributes work across systems |
| UPS + generators | Protects against power loss |
| DDoS mitigation | Absorbs/filters attack traffic |
| Patching | Prevents crashes from bugs |
| Disaster recovery plans | Ensures systematic recovery |

SLA (Service Level Agreement) and Uptime:

| SLA Level | Annual Downtime Allowed |
| --- | --- |
| 99% | 3.65 days |
| 99.9% (three nines) | 8.77 hours |
| 99.99% (four nines) | 52.6 minutes |
| 99.999% (five nines) | 5.26 minutes |

CIA Conflicts and Trade-offs

In practice, the three principles can conflict:

| Conflict | Example |
| --- | --- |
| Confidentiality vs Availability | Strong encryption slows down access; complex MFA delays legitimate users |
| Integrity vs Availability | Strict change controls slow down deployments |
| Confidentiality vs Integrity | DRM systems may prevent legitimate backup/verification |

The balance: Security professionals must find the right equilibrium for their organization's risk tolerance.


Authentication Deep Dive

The IAAA Model

| Step | Question | Example |
| --- | --- | --- |
| Identification | "Who are you?" | Username, badge number, account |
| Authentication | "Prove it!" | Password, fingerprint, token |
| Authorization | "What can you do?" | Read files, admin access, specific systems |
| Accountability | "What did you do?" | Audit logs, session recording |

Authentication Factors

| Factor Type | Category | Examples | Strengths | Weaknesses |
| --- | --- | --- | --- | --- |
| Type 1 | Something you KNOW | Password, PIN, security question | Easy to implement, no hardware needed | Can be guessed, stolen, shared, forgotten |
| Type 2 | Something you HAVE | Smart card, phone, USB key, token | Physical possession required | Can be lost, stolen, cloned |
| Type 3 | Something you ARE | Fingerprint, face, iris, voice | Unique to individual, can't forget | Privacy concerns, false acceptance/rejection |

Additional factors (awareness):

  • Something you DO (behavioral): typing pattern, gait, mouse movement
  • Somewhere you ARE (location): GPS, IP geolocation
  • Something you EXHIBIT (contextual): time of day, typical behavior patterns

Multi-Factor Authentication (MFA)

Rule: MFA requires two or more DIFFERENT factor types.

| Combination | MFA? | Why? |
| --- | --- | --- |
| Password + PIN | ❌ NO | Both are Type 1 (know) |
| Password + SMS code | ✅ YES | Type 1 (know) + Type 2 (have phone) |
| Fingerprint + iris scan | ❌ NO | Both are Type 3 (are) |
| Badge + fingerprint | ✅ YES | Type 2 (have) + Type 3 (are) |
| Password + fingerprint + smart card | ✅ YES | All three types! |

Why MFA matters: Even if an attacker steals your password (Type 1), they still can't access your account without your phone (Type 2) or fingerprint (Type 3).

Biometrics Key Terms

| Term | Definition | Implication |
| --- | --- | --- |
| FAR (False Accept Rate) | Rate of accepting unauthorized users | Too high = insecure |
| FRR (False Reject Rate) | Rate of rejecting authorized users | Too high = unusable |
| CER (Crossover Error Rate) | Point where FAR = FRR | Lower CER = better system |
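
The trade-off between FAR and FRR shows up when the match threshold is swept across a set of scores. The following is an added example, not part of the original module; the scores, the 0-100 scale, and the function names are constructed for illustration.

```python
# Constructed similarity scores (0-100) from a hypothetical fingerprint matcher.
GENUINE = [62, 70, 74, 78, 81, 85, 88, 90, 93, 97]    # attempts by authorized users
IMPOSTOR = [12, 20, 28, 35, 41, 48, 55, 63, 71, 79]   # attempts by unauthorized users


def far(threshold: int) -> float:
    """False Accept Rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in IMPOSTOR) / len(IMPOSTOR)


def frr(threshold: int) -> float:
    """False Reject Rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in GENUINE) / len(GENUINE)


def crossover(thresholds=range(0, 101)):
    """Return (threshold, FAR, FRR) where FAR and FRR are closest (the CER point)."""
    best = min(thresholds, key=lambda t: (abs(far(t) - frr(t)), t))
    return best, far(best), frr(best)


if __name__ == "__main__":
    # A lenient, a balanced, and a strict threshold side by side.
    for t in (50, 71, 80):
        print(f"threshold={t}: FAR={far(t):.0%}  FRR={frr(t):.0%}")
    print("CER point:", crossover())
```

Raising the threshold drives FAR down and FRR up; the CER is the single figure used to compare two matchers independently of where each one's threshold is set.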

Common Authentication Protocols (Awareness)

| Protocol | Purpose | Key Fact |
| --- | --- | --- |
| Kerberos | Network authentication using tickets | Default in Windows Active Directory |
| RADIUS | Remote authentication (network access) | Common for WiFi, VPN authentication |
| TACACS+ | Cisco-centric authentication | Encrypts entire packet (better than RADIUS) |
| SAML | Web-based SSO | XML-based, federated identity |
| OAuth | Authorization (not authentication) | Grants access without sharing credentials |
| LDAP | Directory services lookup | Stores user/group information |

Non-Repudiation

Definition: The inability to deny having performed an action.

Why it matters: In legal and business contexts, you need PROOF that someone did something. "I never sent that email" or "I never approved that transaction" shouldn't be valid excuses.

How Digital Signatures Achieve Non-Repudiation

Step 1: Alice creates a message
Step 2: Alice hashes the message (SHA-256) → digest
Step 3: Alice encrypts the digest with her PRIVATE key → digital signature
Step 4: Alice sends message + signature to Bob
Step 5: Bob decrypts signature with Alice's PUBLIC key → gets digest
Step 6: Bob independently hashes the message → computes own digest
Step 7: Bob compares: if digests match → message is intact AND Alice signed it

Why this works for non-repudiation: Only Alice has her private key. If the signature verifies with her public key, she MUST have signed it. She cannot deny it.
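
The seven steps above, run end to end as an added example (not part of the original module). It uses textbook RSA with no padding and constructed toy keys built from known Mersenne primes, which is enough to show the mechanics; the key holder OTHER, the sample message, and all function names are assumptions made for the illustration.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys


def make_key(p: int, q: int) -> tuple:
    """Return (n, d): the public modulus and the private exponent."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed toy keys from known Mersenne primes, so no key generation is
# needed. Textbook RSA without padding: for illustration only.
ALICE_N, ALICE_D = make_key(2**1279 - 1, 2**2203 - 1)
OTHER_N, OTHER_D = make_key(2**521 - 1, 2**607 - 1)   # a different key holder


def digest_int(message: bytes) -> int:
    """Steps 2 and 6: SHA-256 the message and read the digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int, n: int) -> int:
    """Step 3: transform the digest with the signer's PRIVATE exponent."""
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, n: int) -> bool:
    """Steps 5-7: recover the digest with the PUBLIC key and compare."""
    if not 0 <= signature < n:
        return False
    return pow(signature, E, n) == digest_int(message)


def run_exchange() -> dict:
    message = b"Approve wire transfer 1001 for $5,000"   # Step 1 (constructed)
    signature = sign(message, ALICE_D, ALICE_N)           # Steps 2-3
    altered = message.replace(b"5,000", b"50,000")        # changed after signing
    other_sig = sign(message, OTHER_D, OTHER_N)           # signed with another key
    return {                                              # Bob's checks, Steps 5-7
        "intact": verify(message, signature, ALICE_N),
        "tampered": verify(altered, signature, ALICE_N),
        "wrong_signer": verify(message, other_sig, ALICE_N),
    }


if __name__ == "__main__":
    print(run_exchange())
```

Production systems do not call raw modular exponentiation; they use a padded scheme such as RSA-PSS, or ECDSA/Ed25519, from a vetted library. The non-repudiation argument also holds only while Alice's private key stays under her sole control.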

Authentication vs Non-Repudiation

| Aspect | Authentication | Non-Repudiation |
| --- | --- | --- |
| When | At the moment of access | After the fact |
| Purpose | "Is this really you right now?" | "You can't deny you did this" |
| Example | Logging into a system | Signing a digital contract |
| Evidence | Session token, success/fail log | Digital signature, audit trail |
| Reversible? | Yes (session ends) | No (signature persists) |

Privacy

Privacy vs Security

| Aspect | Privacy | Security |
| --- | --- | --- |
| Focus | Personal data rights and proper handling | Protecting all information assets |
| Scope | Collection, use, sharing, retention of personal data | CIA triad for all data |
| Driver | Legal rights, ethics, consent | Business needs, risk management |
| Example | "Don't collect my data without consent" | "Encrypt all sensitive data" |

Data Categories

| Category | Abbreviation | Examples | Key Regulation |
| --- | --- | --- | --- |
| Personally Identifiable Information | PII | Name, SSN, email, address, phone | GDPR, CCPA |
| Protected Health Information | PHI | Medical records, diagnoses, prescriptions | HIPAA |
| Payment Card Information | PCI | Credit card numbers, CVV, cardholder data | PCI-DSS |

Privacy Principles

  1. Data minimization - Collect only what you need
  2. Purpose limitation - Use data only for stated purpose
  3. Storage limitation - Don't keep data longer than necessary
  4. Accuracy - Keep data correct and up to date
  5. Lawfulness - Have legal basis for processing
  6. Transparency - Tell people what you're doing with their data
  7. Integrity & confidentiality - Protect data appropriately
  8. Accountability - Be able to demonstrate compliance

AI Security Fundamentals (New for 2025)

AI and the CIA Triad

| CIA Principle | AI Application |
| --- | --- |
| Confidentiality | Training data may contain sensitive information; AI outputs may leak data |
| Integrity | Training data must be trustworthy; model poisoning corrupts decisions |
| Availability | AI services must be reliable; adversarial attacks can crash AI systems |

Key AI Threats

Model Poisoning: Attacker corrupts the training data used to build an AI model, causing it to make wrong decisions.

  • Example: Poisoning spam filter training data so it learns to let spam through.

Adversarial Inputs: Carefully crafted inputs that fool AI systems.

  • Example: Adding invisible noise to a stop sign image so a self-driving car misidentifies it.

Data Leakage: AI inadvertently reveals training data in its outputs.

  • Example: Asking a language model to repeat verbatim text from its training data.

Deepfakes: AI-generated synthetic media used for deception.

  • Example: Cloned CEO voice authorizing a wire transfer over the phone.

Ethical AI Principles

  • Transparency: People should know when AI is making decisions about them
  • Fairness: AI should not discriminate based on protected characteristics
  • Accountability: Humans must be responsible for AI decisions
  • Privacy: AI must respect data protection principles
  • Safety: AI should not cause harm

Practice Questions

  1. Which security principle is MOST concerned with ensuring data hasn't been modified?

    • A) Confidentiality
    • B) Integrity ✅
    • C) Availability
    • D) Non-repudiation
  2. A user enters a username and password. Which step of IAAA is this?

    • A) Identification (username) and Authentication (password) ✅
    • B) Authorization
    • C) Accountability
    • D) Authentication only
  3. Which combination represents valid MFA?

    • A) Password + PIN
    • B) Smart card + fingerprint ✅
    • C) Retina scan + face recognition
    • D) Passphrase + security question
  4. An organization's website is knocked offline by a DDoS attack. Which CIA principle is violated?

    • A) Confidentiality
    • B) Integrity
    • C) Availability ✅
    • D) Non-repudiation
  5. What does non-repudiation prevent?

    • A) Unauthorized access
    • B) Denial of having performed an action ✅
    • C) Data modification
    • D) System downtime
  6. Which is the BEST control for ensuring data integrity during transmission?

    • A) Encryption
    • B) Hashing/digital signatures ✅
    • C) Access controls
    • D) Redundancy
  7. An attacker corrupts AI training data to make a fraud detection model miss fraudulent transactions. This is:

    • A) Adversarial input
    • B) Model poisoning ✅
    • C) Data leakage
    • D) Deepfake attack
  8. What is the crossover error rate (CER) in biometrics?

    • A) The point where FAR equals FRR ✅
    • B) The maximum false accept rate
    • C) The minimum reject rate
    • D) The overall error percentage
  9. Privacy differs from confidentiality in that privacy:

    • A) Is only about encryption
    • B) Focuses on proper handling of personal data and individual rights ✅
    • C) Only applies to government data
    • D) Is a subset of availability
  10. A hospital's electronic health records system is encrypted at rest and in transit, requires MFA to access, and logs all access. Which CIA principle is NOT directly addressed?

    • A) Confidentiality (encryption + MFA)
    • B) Integrity (access controls + logs detect changes)
    • C) Availability ✅ (no redundancy or failover mentioned)
    • D) All three are addressed
