Vulnerability Threat Control Paradigm and CIA Triads – Computer Security
Learn more about the Vulnerability Threat Control Paradigm.
Vulnerability Threat Control Paradigm
The Vulnerability Threat Control Paradigm is a framework for reasoning about how to protect a computer system and the assets it holds. A threat is a set of circumstances that has the potential to cause harm. A vulnerability is a weakness in the system that a threat could exploit. A control (or countermeasure) is an action, device, procedure, or technique that removes or reduces a vulnerability. The goal of the paradigm is to apply controls so that threats cannot exploit vulnerabilities to harm your valuable assets.
For example, a government builds a dam so that electricity can be produced. Look at the picture below. Water flows through the wall so that turbines can generate electricity. The wall can tolerate only a certain amount of water pressure. A crack in the wall is a vulnerability. Water pressure high enough to breach the wall is a threat, and the reinforcement that keeps the wall standing is a control.
Similarly, an attacker can exploit a system by flooding it with more traffic than it can handle so that it stops serving legitimate users. This is a Denial of Service (DoS) attack. To survive such attacks and resist them, countermeasures and controls such as rate limiting and traffic filtering are put in place.
Things to Be Observed About Threats
- What the possible threats are
- The potential (likelihood and impact) of each threat
- The sources of each threat
- Which threats the system can survive
CIA Triads: Basic Properties of Computer Security
Computer security has three basic properties, so a threat to any one of these properties is a threat to computer security.
Confidentiality: The ability of a computer system to ensure that only authorized users or systems can view data. Nobody else can read it.
Integrity: The ability of a computer system to ensure that data is modified only by authorized users or systems, and only in authorized ways.
Availability: The ability of a computer system to ensure that authorized users or systems can use the data and services when they need them.
ISO 7498-2 adds two more properties of computer security: authentication and non-repudiation, the latter often discussed together with accountability.
Authentication: The ability of a computer system to confirm the identity of a sender or user.
Non-repudiation or accountability: The ability of a computer system to prove that a sender sent something, so that the sender cannot later deny having sent it.
Each of these properties is lost in a different scenario of harm. If you cannot access your computer, availability is lost. If someone else can view your files, confidentiality is lost. Similarly, integrity is lost if someone else manipulates your data.
Different Perspectives of CIA Triad
You can look at the CIA triad from different perspectives to make these properties clearer. One classic perspective is the kind of attack involved: interruption, interception, modification, and fabrication. An attacker may interrupt your access to files or services (a loss of availability). An attacker may intercept your messages and emails to learn what you are doing (a loss of confidentiality). An attacker may modify information in your emails before it reaches the receiver (a loss of integrity). An attacker may also fabricate information, inserting messages that appear to come from a legitimate sender (a loss of integrity and of authentication).
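The following is an added example, not code from the original article, showing how the four attack kinds above map onto the properties. It protects a message with an HMAC (a shared-key message authentication code) so that modification and fabrication are detected, and it makes two caveats visible: an HMAC alone does nothing against interception (the message is still readable), and because both sides share the same key it provides authentication but not non-repudiation (either party could have produced the tag). The key, the `protect`/`verify` helpers and the sample messages are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed shared key for the example only; a real deployment provisions it securely.
KEY = b"example-shared-key-not-for-production"
TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def protect(message: bytes, key: bytes = KEY) -> bytes:
    """Return message || HMAC-SHA256(key, message). The message itself stays in the clear."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(blob: bytes, key: bytes = KEY):
    """Return (ok, message). ok is False if the tag is missing, modified or fabricated."""
    if len(blob) < TAG_LEN:
        return False, b""
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest is constant-time, so an attacker cannot learn the tag byte by byte.
    return hmac.compare_digest(tag, expected), message


def modify(blob: bytes, new_message: bytes) -> bytes:
    """Attacker in the middle swaps the message but has to reuse the old tag."""
    return new_message + blob[-TAG_LEN:]


def fabricate(message: bytes) -> bytes:
    """Attacker without the key can only guess a tag."""
    return message + secrets.token_bytes(TAG_LEN)


def demo() -> dict:
    """Run one genuine transfer and the four attack kinds against it."""
    original = b"transfer 10 to alice"
    sent = protect(original)
    return {
        # Interception: the MAC does not hide the content, so confidentiality needs encryption.
        "intercepted_plaintext": sent[:-TAG_LEN] == original,
        "genuine": verify(sent)[0],
        # Modification: same tag, different message -> rejected (integrity).
        "modified": verify(modify(sent, b"transfer 10000 to mallory"))[0],
        # Fabrication: message with a guessed tag -> rejected (authentication).
        "fabricated": verify(fabricate(b"transfer 10 to mallory"))[0],
        # Interruption: nothing (or a truncated blob) arrives -> rejected, availability lost.
        "truncated": verify(b"")[0],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `intercepted_plaintext` entry is the point practitioners most often miss: integrity and authentication controls do not give you confidentiality, and a shared-key MAC cannot give you non-repudiation, which needs an asymmetric signature that only the sender could have produced.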
By controlling access to a file, you make the system follow rules so that no unauthorized user can reach the file. The highest level of security would be to disconnect your computer from the Internet, turn it off, and store it in a locker where no one can reach it. But this level of security is not acceptable, because the computer is then of no use at all.
Another option is to make everything accessible all the time, which is completely insecure. You would have zero security, and anyone could harm you easily. The best option lies between these two extremes: the system should stay usable within an acceptable performance range, but with restrictions that keep it at the required safety level. These restrictions are access control policies. A policy states who may access a file and what they may do with it.
Mapping Modes of Access to CIA Triads
Each mode of access maps onto a property of the triad: preventing unauthorized viewing of data protects confidentiality, preventing unauthorized modification protects integrity, and keeping data accessible to authorized users protects availability.
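As an added example (not from the original article), the small reference monitor below turns the mapping above into working access-control logic: a policy matrix of (subject, file) to permitted modes, where a denied read is a confidentiality decision and a denied write an integrity decision; a per-subject request quota so that one subject cannot monopolize the service (availability); and an audit log that records every decision for accountability. The `FileGuard` class, the subjects, the file name and the quota are all constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

# The CIA property that restricting each access mode protects.
MODE_PROPERTY = {"read": "confidentiality", "write": "integrity"}


class FileGuard:
    """Reference monitor for files: access-control matrix, request quota, audit log."""

    def __init__(self, policy: Dict[Tuple[str, str], Set[str]], quota: int):
        self.policy = policy                       # (subject, file) -> permitted modes
        self.quota = quota                         # requests one subject may make per window
        self.usage: Dict[str, int] = {}            # requests seen per subject in this window
        self.audit: List[Tuple[str, str, str, str]] = []   # accountability record

    def request(self, subject: str, file: str, mode: str) -> str:
        # Availability: every request counts, even a denied one, because it costs work.
        self.usage[subject] = self.usage.get(subject, 0) + 1
        if self.usage[subject] > self.quota:
            decision = "deny (availability: quota exceeded)"
        elif mode not in MODE_PROPERTY:
            decision = "deny (unknown mode)"
        elif mode in self.policy.get((subject, file), set()):
            # Default deny: a subject with no policy entry gets nothing.
            decision = "allow"
        else:
            decision = f"deny ({MODE_PROPERTY[mode]})"
        self.audit.append((subject, file, mode, decision))
        return decision

    def reset_window(self) -> None:
        """Start a new quota window (a real system would do this on a timer)."""
        self.usage.clear()


def demo() -> List[str]:
    """Constructed policy and requests: alice owns payroll.csv, bob may read it only."""
    policy = {
        ("alice", "payroll.csv"): {"read", "write"},
        ("bob", "payroll.csv"): {"read"},
    }
    guard = FileGuard(policy, quota=3)
    requests = [
        ("alice", "payroll.csv", "write"),    # owner updates the file
        ("bob", "payroll.csv", "read"),       # permitted read
        ("bob", "payroll.csv", "write"),      # integrity violation attempt
        ("carol", "payroll.csv", "read"),     # no policy entry: confidentiality
        ("mallory", "payroll.csv", "read"),   # repeated attempts...
        ("mallory", "payroll.csv", "read"),
        ("mallory", "payroll.csv", "read"),
        ("mallory", "payroll.csv", "read"),   # ...until the quota cuts mallory off
    ]
    return [guard.request(s, f, m) for s, f, m in requests]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two design choices matter here. The monitor is default-deny: a subject absent from the policy is refused rather than granted some implicit baseline. And the quota is checked before the policy lookup, so a subject who floods the monitor with requests is throttled regardless of whether any individual request would have been allowed.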
Computer Network Vulnerabilities
According to the Ware report [WAR70], computer security does not rest on software security alone, because other parts of the system also have vulnerabilities. Causes of vulnerability in a computer network include unauthorized access to files, copying or theft of files, and operators who reveal protective measures or replace the supervisor program. A system programmer can likewise reveal protective measures or disable protective features.
A vulnerability can be an improper hardware connection or cross coupling between circuits. It can be a flaw in user identification or authentication, or a subtle modification of the software. It can be the attachment of recorders or bugs so that information can be captured. It can be something done by a maintenance engineer, for example disabling hardware protection devices or running stand-alone utility programs that bypass the operating system. It can be the failure of protection circuits or of protection software. Vulnerabilities also involve bounds control and access control. We cannot assume that security rests only on software security or only on hardware security, because people can also leak or disable the various protective modules so that unauthorized access can be gained.
Every emerging technology is also a potential threat to the security and privacy of people. Data visualization, for example, is a technique that helps companies tell a story with their data to increase sales and customer loyalty, but to get the best results companies collect far more data than before. Collecting users' data with their consent is ethical and does not violate the CIA triad. But what if a user's information can be accessed without the user's consent, or manipulated information is spread on the Internet to target a particular group? Security should therefore be a main focus both while developing any application and while using one.
Published at DZone with permission of Arslan ud Din Shafiq, DZone MVB. See the original article here.