Basic Information Security
A succint guide for the professional

Table of Contents

Back home.

1. Introduction

The last decades has seen a proliferation of publicly accessible software for cryptography. Sadly, while these technologies are available, efforts to convince the wider public to adopt these technologies has not yet reached a critical mass1. Further, while corporations have launched features and products that might have marketed themself as secure, they fundamentally have all failed to provide the users with reliable, trustworthy, and crucially simple solutions for the consumer. In sofar as they have been simple, it has been at the cost of either unreasonable prices or fundamental security flaws2.

It is the authors hope that this document will be useful for the technically inclined office worker and academic. It’s certainly not meant for the layman, rather for the enthusiastic learner, willing to accept the slight friction that will arise when doing something differently than one is used to3.

2. CIA triad

Let’s briefly introduce a simple model for security.

The CIA triad is a simple, but useful way to understand the “meat and potatoes” of information security4. The CIA acronym derives from the three fundamental goals of the triad, namely:

  • Confidentiality
  • Integrity
  • Availability

2.1. Confidentiality

This simply means that any information we deem important is only seen by the recipients we have chosen.

An example would be sending an end-to-end-encrypted (E2EE) email, meaning that only the sender and the recipient are able to read it, leaving any eavesdrops clueless to the conversation.

2.2. Integrity

Integrity in this context is a certainty that information is not damaged or tampered with.

An example would be how many files on the internet (usually unbeknownst to the user) are associated with a short letter combination that is calculated from the file5. This works by the sender calculating this combination of letters before sending the file, and then sending it with the file. If the reciever tries to calculate this combination from the file they have recieved, and it does not match the senders combination, they will know that either the combination that was sent, or the file itself has been altered.

2.3. Availability

Availability is about having access to the information at the right time.

For example, a failure in availability would be if the alarm number in a country was suddenly congested. The time critical nature of these calls makes it a disaster if you cannot reach the police, emergency health services, or fire fighters.

2.4. In conclusion

The CIA triad, while considered incomplete and reductionistic by the leading figures in IT-Security, provides a solid mental model for assessing any system. If you understand and internalize it, you will quickly find that it’s useful for many everyday systems:

  • Houses front door
  • Postal mail
  • Fridge
  • Alarm clock
  • Bedroom

Importantly, it’s not the case that you need to have all letters working flawlessly at all times. Rather, it’s about prioritizing.

Let’s take the example of the fridge. The confidentiality of your fridge is probably not something that’s extremely important to you, so you would likely not care much about making sure it was highly guarded information. However, the integrity of your fridge would likely be a high priority, given that if your fridge suddenly stops working — catastrophically — all your groceries would likely be ruined in hours. Regarding availability, it’s probably not a critical issue, but if you’re hungry and there is no food… well, it’s not something you would completely neglect, but a modest and sober approach would be warranted.

Now that you are aware of these fundamentals, you’re ready to start building your own secure systems!

Footnotes:

1

They are however foundational in the FOSS community, as well as many other distributed projects, particularly of a software nature.

2

These flaws usually boil down to two things. Companies that don’t charge for their services usually make money from advertising data, e.g. in the case of emails, each email is a treasure trove of advertisement metrics and strategies, thus they usually sell this data, albeit with some cryptography on the information, fundamentally, it’s not confidential. The other case is the laws of the organizations, that unlike for the individual user might require more formal protocols for helping law enforcement. Politics aside, objectively, this leaves these solutions less insecure, as any backdoor is fundamentally an attack surface.

3

A friction that one will be happy to have overcome, as it is highly probable that this investment of time will pay compound interest for the long foreseeable future. Not only from a security perspective, but in raw time savings through time shavings.

4

Further it’s just generally useful for designing systems, computational, organizational, or any other system involving dividuals.

5

This is referred to as a checksum.

Author: Christina Sørensen

Created: 2022-11-12 Sat 03:57