Comments on Telic Thoughts: Is the CIA model still relevant?
(comment feed, last updated 2022-06-28)

Marinus, 2010-09-13 05:59 (-07:00):

Thanks JP, my focus isn't specifically on impact. I still feel that some of the concepts are not well defined, conflated or equivocated, and hence it's hard to communicate with our customers and peers. From an impact perspective I don't really disagree with your "impact"-centric view; I'm looking at control objectives though.

Anonymous, 2010-09-13 05:43 (-07:00):

I still reckon CIA is the ‘bare bones’ for categorising impact, where the Parkerian Hexad lets you get into more detail if you want to.

When describing what harm was caused, it’s either:
C: Data was read by an unauthorised party, or a trusted party abused privilege to read data they didn’t need to.
I: Data was modified during an error in processing, by an unauthorised party, or, as per your example, was modified by a trusted party who abused their privilege.
A: Data was not available to authorised parties.

In your example where the balance is modified on the DB, I think you’re taking a control point of view when you say "The Integrity of the database is intact, redundancy checks pass". If I take it from an impact point of view, I think the integrity of the database is not intact because it’s been modified in an unauthorised way (even if the user was authorised to have write access). From a control point of view, the bank should have had reconciliation and change control processes that prevented authorised users from making unauthorised changes.

So perhaps the ‘I’ in CIA is still relevant to your example? We might disagree for semantic reasons where your definition of integrity is strict and limited to ‘data is well formed and only modified by authorised users’ and mine is extended to ‘modified in authorised process or ways’. To me, integrity means data is not modified in unintended ways.

While authentication and authenticity seem to be left out of CIA, I think they are implied, since subverting authentication leads to a loss in authenticity and ultimately the impact can still be described with CIA (e.g. data read, modified or deleted by someone in an unauthorised way). However, while I think CIA is sufficient for describing impact, I might be more persuaded to agree it is inadequate when describing attacks and controls.

Marinus, 2009-02-23 00:22 (-08:00):

Jazz Man, I think you totally missed the point of my question. I asked whether the CIA model is relevant, since it is unable to describe certain classes of information threats. Do we look for an alternative or do we augment it?

Unknown, 2009-02-20 03:27 (-08:00):

Are we saying we should do away with the AIC principles within security?

The CISSP material uses the AIC to elaborate on everything that has been mentioned on this blog.

The problem is that we have too many Kamikaze pilots in security that think they understand the concept in securing a service.

One point to mention from one's AIC model: one could perform a qualitative and quantitative analysis of a risk and implement just enough security for the service offering.

In many scenarios security is looked at as an enabler to a service and yet all it is being used for is to reduce the possible risk and TCO.

I am certain this will bring about other debates, however debates are always welcome.

Regards

Jazz Man