EPISODE 84
The CIA Triad – The Basis of Cybersecurity (Confidentiality)

About this episode

In this short episode, Jason and Kip discuss the first aspect of the CIA Triad: confidentiality.

They break down why confidentiality is critically important and how it works in the real world, highlighting that it is not always about the information itself but sometimes about where that information is in the flow.

They also mention how confidentiality is brought up in certification exams and how it’s always connected to encryption.

They finish up by doing some mock interview questions about things like secure erase, encryption, and secure file transfer to simulate situations that you could face when applying for cybersecurity jobs.

What you’ll learn

  • What are the three states of data?
  • What questions related to confidentiality could you encounter in your certification exams?
  • What interview questions could you get on confidentiality and how to answer them perfectly?
  • What is the difference between SFTP and FTPS?

Episode Transcript

 

Kip Boyle:          
Hi, everybody. Welcome to Your Cyber Path. I’m Kip Boyle, and I’m here with Jason Dion. Hey, Jason, how’s it going?

Jason Dion:        
Hey, Kip, great to see you again online. I know recently you were down here in my offices and we were working together filming a new course, which I’m excited about. What course is that, Kip?

Kip Boyle:          
As you well know, that’s the NIST Risk Management Framework (RMF). We consider that to be the cousin, I guess, of the NIST Cybersecurity Framework course, which we finished and released earlier this year. I’m excited because we had some really great perspectives from other folks who use RMF course. You’ve got tons of experience using RMF, but I think the real world content that we’re putting into this course is going to really set it apart.

Jason Dion:       
Yeah, definitely. The last couple of episodes here on the podcast, we had a couple of guests with us that were talking about RMF. We really dove into that whole concept around RMF and what it’s used for and the Risk Management Framework, and we took that as kind of the basis to start with in this course. And then we just dive much, much deeper as we go through the course and really try to keep it at this hands-on practitioner level course that we’re doing just like we did with the NIST Cybersecurity Framework, where when you’re done with this three, four, five hour course, you really understand how to use this framework in the real world.

If you’re asked about it in an interview, you’ll know what to say, right? If you’re asked to do it on the job, you’ll know how to perform. And that’s really what we tried to focus on both with the NIST Cybersecurity Framework course, if you haven’t taken that, definitely take that, and this new RMF course that is now out as of last week or so. Right now as we’re releasing this episode, this is actually releasing on Black Friday. If you’re listening to us today, hopefully you have a day off of work and you’re enjoying stuff out in town. But in addition to that, Udemy always has their big Black Friday sales and Cyber Monday sales.

This weekend’s a great time to pick up some Udemy courses, including the NIST Cybersecurity Framework or the NIST RMF course that we have and really help hone your skills as you’re building yourself up into this new world of cybersecurity, especially if you’re somebody who is moving into this field from another field. It helps to bring up that information and really start learning the ways.

Kip Boyle:          
Yeah, definitely. And then you’ve got a lot of certification oriented courses on Udemy. Will you put those on sale too?

Jason Dion:        
Yeah. Every time we have a sale on Udemy, we always list those at diontraining.com/Udemy. You can get any of our courses there for all of our certifications, whether you’re studying for CASP or PenTest+ or CySA+ or Linux+ or Linux Essentials, any of the stuff we have, you can always go to diontraining.com/Udemy and that’ll be able to get you the lowest price on them. When I’m talking about lowest prices, generally around Black Friday, Udemy tends to drop their prices somewhere between $10 and $15 per course, which is cheaper than buying a textbook. It really gives you a lot of great information to be able to work your way through these certifications.

Talking about certifications, that’s kind of what we’re going to be talking about a little bit today. Our big focus today and over the next five weeks or the five episodes is going to be the CIANA or the CIA Triad, which has now become the CIANA Triad, which really isn’t a triad anymore because there’s five pieces, but that’s how it works in cybersecurity. We’re going to be focusing on that today. In this lesson, we’re going to focus on the C in CIA, and that stands for confidentiality.

Kip Boyle:          
Should we tell them what the I, the A, and the NA stands for too just to set the context, right?

Jason Dion:       
Yeah, I guess that’s probably a good idea. The CIA Triad is really the fundamental thing inside of cybersecurity. The C is confidentiality, the I is integrity, and the A is availability. If you had those three things together, you had a good secure information system according to 2000 to 2010 standards. Somewhere around 2010 or so, we added the N and the A to CIA. The N and the A stand for non-repudiation and authentication. You can understand why that’s really important because non-repudiation says, “I actually did the thing I did, and I can’t say I didn’t,” so we won’t be able to prove that you did what you said you did.

And then authentication is really important because that’s the way we’re able to go and log into a system and say, “I am Jason or I am Kip. Give me access to Kip’s files or Jason’s files appropriately.” What we’re going to be doing over the next five episodes is really breaking down the C, I, A, N, and A inside that CIA Triad or this pentagonal, I guess, triad at this point. The triad.

Kip Boyle:          
Yeah, a five pointed triad.

Jason Dion:        
Yeah, I don’t know how that works, but that’s what it is. We’re really going to be diving into each of those. The format that we’re going to be using for these episodes is we are going to talk about how it works in the real world. We’re going to talk about how it shows up on certifications and the keywords and things you should be recognizing with that. And then we’re going to finish out each episode by going into two or three or four different interview questions that you may get on these topics. For example, when we talk about confidentiality, that is a really, really important one.

That’s why we’re going to start with the C in CIA. When we talk about confidentiality, our definition of that is really being able to be focused on the ability to protect our data from people who shouldn’t be able to see it. When I think about confidentiality, I’m thinking about things like encryption. What are some things you think about when you think about confidentiality, Kip?

Kip Boyle:          
Well, I think about encryption, of course, but then I also think about how data, which we want to encrypt, is all over the place. Sometimes it’s sitting somewhere on a hard disk drive, an SSD, a removable USB thumb drive or something like that. Sometimes it’s moving around. We’re transferring it from one computer to the next, and we’re transferring it from a hard drive to a USB, or it’s going over the internet either as an email attachment, maybe we’re doing an FTP file transfer, or maybe we’ve got some kind of a data synchronization network link established between two sites because one’s a hot site and one’s our production site.

Data is constantly in motion. And then of course, we’re using it all the time as well. If I call up Dion Training and say, “Help! I think my voucher’s expired,” you’re going to pull up my record out of your database and you’re going to use it to see who’s this Kip guy and when did he buy his voucher because maybe it’s expired.

Jason Dion:        
Yep, exactly. That’s a great point. The other thing I think about when I think about confidentiality is I like to bring things down to just a really simple basic level. We can get out of the whole world of cybersecurity and confidentiality in computers. We could talk about it in the real world too. Let’s say that it’s Thanksgiving or yesterday was Thanksgiving as of this episode. On Thanksgiving, my wife loved to make her famous mac and cheese. She makes this mac and cheese casserole, and she has a recipe for it that’s been handed down from her mother to her and her mother’s mother to her mother and so on. This is their secret family recipe.

If they have this secret family recipe and they want to make sure nobody else in the world could see it, well, we have to lock it up and we have to protect it. And that’s what confidentiality is. I could take that index card that has her recipe and I could put it into a safe. I could spin the dial. As long as nobody else knows the combination to that dial, except my wife, that recipe has good confidentiality because nobody can read it. Same thing if you look at your house. If you put something in your desk drawer in your office, in your home office, and you lock that desk drawer and you have the key, well, only you can access it. There’s confidentiality for that data, and that’s what we try to do in the digital world as well.

Kip Boyle:          
I’m going to add one more. I want to add one more real world situation, and I’ve got one sitting right over here right next to me, which is when I’m done with a piece of paper that has information I don’t want anybody to see, I put it in my crosscut shredder. Because when I dispose of it, I don’t want to lose confidentiality.

Jason Dion:       
Yes, exactly. And that’s a great point. I don’t know if you’ve ever seen the movie Argo, which was about 1970s Iranian Revolution and they had the US Embassy and they’re trying to shred all the papers. Well, back then, they weren’t using crosscut shredders. They used a simple shredder that made strips. After they had abandoned the embassy, the Iranians went in and they grabbed all that and they started trying to put together those documents again, basically a big giant puzzle, because there were just strips.

You might take that paper and make it into 10 strips. Well, that’s pretty easy to reconstruct. That’s why we started using crosscut shredders. Now we have these little tiny pieces of paper. Even with those, you can put it back together if…

Kip Boyle:          
If you’re desperate enough.

Jason Dion:        
Right, if you’re desperate enough. But even if you use something like AI, there was actually a DARPA contest a couple of years ago, Defense Advanced Research Projects Laboratory, and they had a contest that said, “Hey, we have this scan of all these little pieces from a crosscut shredder. The first person who can put this back together into a document will get $5,000 or $50,000,” whatever the prize was. This team actually built an AI thing that went through and tried to adjust the different edges and where the lines were to reconstruct these papers. But even using AI, it still took them weeks to do, but they’re able to do it. It’s like you said, it depends on how much you want to protect it.

Kip Boyle:          
Because if it’s a billion dollar secret, how does the F-22 Stealth work, you’re going to do it. You’re going to take the time and you’re going to do it.

Jason Dion:        
Or in those cases, you want to take those shredded things and then you want to burn them. Because if they’re burnt, you can’t see it anymore because then it’s ash. This is what we’re talking about when we talk about confidentiality is how do you protect this data so nobody else can look at it. Let’s talk about how this works in the real world. Let’s give you a real world example here. Somebody is listening to the podcast and they want to get the episode notes for this podcast. What are they going to do? Well, they’re going to go over to yourcyberpath.com. When they do that, they’re going to get a little green lock next to the URL that shows that our site is encrypted because we are protecting that data.

Now, in this case, we’re not protecting the data from prying eyes because you’re able to go to our website and read the show notes. They’re publicly available for anybody. But why we have that encryption in place is that we have encryption from our server to your client to make sure that we have a protected tunnel. When you’re talking about confidentiality, it’s not always the information itself. Sometimes it’s where that information is in the flow. If we have data that we’re trying to protect on a hard drive, that’s data at rest. We want to encrypt it so only you can read it because you own that hard drive.

If we’re trying to protect the connection between our website and you, that’s data in motion. And that’s what we’re doing with TLS. If we have something like the memory on the processor, the processor and the memory on the computer is reading it, we want to protect the data when that’s happening. That’s called data in use or data in process. Those are the three states of data that we’re thinking about as cybersecurity professionals anytime we are trying to work with confidentiality. I think we’ve covered a good bit about how this looks like in the real world.

I’d like to shift the conversation a little bit into the certification realm, because a lot of times you’re going to be asked questions and you have to answer them because you’re choosing ABC on an exam. Kip, I know you’ve done a lot of certifications in the past. I think if you’ve taken your CISSP or your Security+, you’ve definitely had confidentiality questions, right?

Kip Boyle:          
Oh, absolutely. In fact, when I took my CISSP examination, it was in 1997 and there was no NA on the end of CIA. I missed that completely.

Jason Dion:        
Well, you didn’t miss any points because they didn’t ask any questions on it, right?

Kip Boyle:          
Right. That’s right. But it just goes to show things change, things evolve. We constantly have to up our game because the cyber criminals, cyber soldiers, they’re constantly upping their game. Stuff changes and it’s good. It’s really, really good that we’re doing that. I had to learn about CIA and I had to be tested on it. Now, the tests that I took were… There will be people listening to this podcast that will not believe this, but I used a number two pencil in a Scantron form and I sat in a huge room with 50 other people with our desks six feet apart or three feet apart, so we couldn’t copy each other’s page.

The room had to be absolutely silent. You couldn’t leave to go on a break. We had six hours, and that’s how we did it. Of course, today it’s totally different, right, Jason? Today, I do it on the computer and it’s adaptive. It’s a much better experience now.

Jason Dion:        
When I took my CISSP, it was back in 2010. I took it, I was actually in the Middle East at the time, I was in the Kingdom of Bahrain, and we had about 50 of us taking it. Similar to you, we had a big conference room that was taken over. Everybody was three feet apart. We had the pencil and paper and the Scantron sheets. The worst part about that is these days when you take it, you find out pretty much immediately, yes, you passed, no, you didn’t. Back then, you didn’t. They had to take those Scantrons and ship them off to the closest grading center, which for us was in the UK. And then about two weeks later, you get an email.

All I remember is that if you got an email that had an attachment, it meant you failed because the attachment said, “Here’s your score report and why you didn’t pass.” And then if you didn’t get an attachment, that meant you pass because they didn’t give you your score. It was just if you got 700 or more, you passed and we don’t care what the score was. If you got a score, you got attachment that said what you messed and emailed. I remember two weeks later, I’m sitting there on my Blackberry. Again, I’m dating myself here. My Blackberry rings at 8:00 on a Friday night.

I look at it and there’s that thing. It says, “Oh look, I passed.” I’m like, “Great. Wonderful. I don’t have to ever take that exam again,” because CISSP is a beast of an exam. I never want to take it again.

Kip Boyle:          
Well good for you. Because just a few years earlier when I took it, what they would do is they would only grade the tests twice a year. No matter where in the cycle you took it, they would batch your Scantrons and they would sit until one of the two grading periods. I think I had to wait three or four months to find out what my test results were and it came in the mail on a piece of paper.

Jason Dion:        
I’m very glad that they’ve moved to this adaptive test where you could do it online and you could do it in a Pearson VUE testing center and get your results right away. It’s so much easier.

Kip Boyle:          
It’s so much better.

Jason Dion:       
Speaking of certifications, the reason I wanted to bring this up is if you’re studying for a certification, and most of the people in the audience are going to be taking some kind of certification, whether it’s Security+, CISSP, CEH, PenTest+, whatever, almost every single exam now is going to have a confidentiality question. I just redid my A+ course for Udemy and there’s questions on security in A+ now. They talk about security in terms of confidentiality, integrity, and availability. When you hear the word confidentiality, if you’re taking an exam, I want you to remember a couple of keywords. Anytime you hear confidentiality, you should automatically be thinking the answer has something to do with encryption.

It may be AES. It may be TLS or SSL. It may be PKI. It might be RSA. It could be asymmetric or symmetric. It doesn’t matter. All of that goes into this idea of having confidentiality. If you think about confidentiality, the answer in your mind should be something to do with encryption. Another thing that I see a lot is anytime you see the words data at rest, data in motion, data in use, you should be thinking encryption and confidentiality. Anytime you’re thinking about privacy and how would you achieve privacy, you should always be thinking about confidentiality, because again, you’re going to be using things like encryption to give you that protection.

Things like VPNs and all of that stuff goes into this world of confidentiality. On the exam, remember these key things because they’re going to be the things that’ll clue you into what the right answer is. For example, if you had a question that said, which of the following ensures confidentiality, answer is A, AES, B, MD5, C, SHA-256, or D, I don’t know, MB. Which of those is the right answer? Well, it’s AES because that’s the only encryption one. The other three are all hashing algorithms. Those don’t provide confidentiality. Instead, they provide integrity, which we’ll talk about next episode.

Kip Boyle:          
Right. I was about to say, don’t get too far ahead of us.

Jason Dion:        
I’m not going to go into integrity, but that’s next episode. If you want to learn all about integrity, that’s what we’re going to be talking about. Now that we’ve covered what is confidentiality, some keywords you should know and some real world examples, really what we want to do with the rest of our time here is go through a little bit of mock interviews, because most of our listeners are either looking for a job, trying to get a promotion at their job, trying to switch into the career field, or something like that, and that means at some point they’re going to get questions in an interview asking them about confidentiality.

But normally it’s not going to be as simple as, “Kip, what does confidentiality mean to you?” Instead, you might get a question like let’s say, “Kip, what does it mean when there’s that little green lock next to the URL in your browser when you go to yourcyberpath.com?” And then you’re going to have to give an answer that’s going to be one to three minutes long that explains what that means. We’re going to do that right now, and I’m going to put Kip on the spot.

Kip, put on your interviewee hat. I’m your hiring manager. I’m interviewing you for this job. We’re in your technical interview. I ask you, “Kip, you want to be a cyber security analyst? Tell me what does it mean when there’s that little green lock in the URL in your browser?”

Kip Boyle:          
Jason, thanks for asking. Listen, that little green lock is really important because that’s all about encryption. And that little green lock says a lot of things about the connection that you just made to a web server that corresponds to the URL that you typed into the browser bar. And without getting into a lot of ones and zeros, I would just like you to know that I’m aware that there’s a key exchange, there’s a cryptographic handshake between my browser and the web server. During that key exchange, what’s happening is, is that they’re agreeing on a number of things. What kind of algorithm can my browser handle? What’s the most secure algorithm my browser can handle?

What key sizes can my browser handle? Because usually a web server can handle a lot of really high end encryption, but not every web browser can. There’s a bunch of protocols that are going on in there and then eventually a key size and an algorithm is chosen, and then we can start talking to each other with a nice encrypted tunnel between us. And that will persist for as long as we want to talk to each other. All that’s happening in the background. It’s all automatic. We don’t have to worry about it, but sometimes we’ll get an error message because something’s not quite right.

Maybe the web server is using a self-signed certificate, which isn’t considered to be as trustworthy as one that’s signed by a certificate authority. We might get a weird error message. Especially with Firefox, there’ll be an ominous warning message that says, “Hey, this site isn’t secure. Are you sure you want to do this?” You really should pay attention and see what’s going on. But if you’ve ever looked inside of a digital certificate, it could be very confusing if you don’t know how to decode it. I don’t want to go to that level of detail if that’s okay.

Jason Dion:        
I think that’s a good answer. Again, depending on the job you’re applying for, they may want more technical details or less. For example, if I’m hiring you to be a security engineer or a system administrator and you’re going to be configuring our web server to be able to give you that little lock, I may ask the question a little bit different to say, “I want you to tell me those technical details.” In those cases, if I was answering that question, I wanted the more technical answer, I would say, “Well, first, when a user is going to yourcyberpath.com, it first checks what is the domain name and it goes to that CA. It gets a copy of that digital certificate, which is the public key certificate.

Using that public key certificate, I’m going to pick a random number. I’m going to encrypt it, and then I’m going to send it over to the server. The server then uses its private key to be able to decrypt that. When it does that, we now have a shared secret that we have, this random number that I chose, that only I know because I chose it and the server can only know it because they have the private key and only the private key can decrypt a message encrypted with a public key. Now that we have that, we can then create a synchronous tunnel using symmetric key encryption using that new random code.” I could go into all the different details that we just talked about.

But again, the whole idea is you want to practice an answer that gives you one to three minutes because that’s what the hiring manager is looking to hear. They want to hear really quickly that you know what you’re talking about, either on a technical side or the higher theory side like Kip presented. Both those would be appropriate depending on the job you’re applying for. I want to give you an example like that. Kip, I put you on the spot. Your turn to put me on the spot.

Kip Boyle:          
Oh, okay. You might also get a question like this. Jason, how could you use encryption to securely erase the contents of a hard disk or an SSD that you don’t want anymore? Let’s say you’re going to dispose of that piece of hardware and you don’t want any sensitive data left on it. How would you use encryption to deal with that situation?

Jason Dion:       
Thank you for that question. That’s a really great question, Kip, because most people think about encryption being used to create confidentiality of data. They don’t think about it as a data destruction technique, but you can use encryption to do what’s known as a secure erase. With a secure erase, you’re going to encrypt the hard drive. And then when you no longer need that hard drive, you can simply erase or zeroize that key that you use to decrypt the hard drive. Without that key, you’re not going to be able to read anything on the hard drive. All the data forensics in the world isn’t going to help you.

Because you’d still be able to recover the data even if you formatted the drive or wiped the drive, but that thing that you’re recovering is still encrypted. Without that key, you can’t decrypt it and you can’t read it. The only way to be able to read that would be to either wait for computers to get much faster where you can then decrypt something using brute force on AES 256, which as of the time of this recording or as of the time of this interview doesn’t exist, or you basically would have to try to guess the key to be able to unencrypt the drive. But otherwise, there’s really no way to get the data. This is a really secure way to be able to delete data.

Especially for those of us working in a cloud environment, we always want to use encryption on the drive that we’re using because these drives are actually just virtual drives that are existing on a physical server somewhere in the cloud that I don’t have access to. By using the encryption, whenever I erase that key, I now have protected all those cloud resources from anybody else seeing them when those drives are being repositioned for another company. That’s kind of the way I would attack that type of a question.

Kip Boyle:          
Yeah, that’s great. I want to also ask you about a little turn of phrase, crypto-shredding. Have you ever heard of that?

Jason Dion:        
Yes. Crypto-shredding is the cuff nomenclature that people use for this term of secure erase. Crypto shredding is exactly that. You are basically shredding or deleting or zeroizing that key. In some of the environments I’ve worked in in the DOD, we actually used a physical key. And that physical key would have to be plugged into the machine for it to be able to decrypt the drive and be able to read it. If you destroy that key with a hammer or burn it or incinerate it or whatever you do with it, that drive is now useless to you. That’s really what we’re talking about. We’re talking about crypto-shredding is shredding the key, not the encryption itself.

Kip Boyle:          
Correct. Correct. It’s much faster, right? Because to zeroize a one terabyte drive using traditional methods would take forever. It’s so much easier and faster to just shred the key and get on with your life. Okay, cool. I just want to make sure people knew that little piece of jargon.

Jason Dion:        
Definitely. That was definitely a good one. And then we’ll do one more interview question style thing here. I’m going to throw it back in your court here. Kip, the interviewee, I want you to tell me how you can protect data as it’s being transmitted over the public internet. I want you to give me a couple of different ways.

Kip Boyle:          
Sure. Well, it’s going to depend a lot on the protocols that you have available and also on the systems on either end of the data exchange. For example, if you can use HTTPS or HTTP, then you can use Transport Layer Security (TLS) to encrypt the connection. That’s one way to do it. If you have more like a site to site connection between two networks, then you want to bulk encrypt everything. You might have a site to site VPN or virtual private network, or you might have an individual who wants to get remote access to a trusted network or an enclave. They could use a VPN also, but that would be a client to VPN concentrator type connection.

Not a bulk connection between two sites, but just between one node and a network. There’s some examples. You could even take a file, you could encrypt it using Pretty Good Privacy or GNU Privacy Guard, GPG or PGP, and then you could take that encrypted file, you could attach it to an email. You could send the email in the clear, but the attachment’s going to be encrypted, or you could push that encrypted attachment over FTP, File Transfer Protocol, which is completely in the clear, but the file, because it’s encrypted, would not be understandable by anybody who might intercept it. There’s some ideas. One of those might work.

Jason Dion:        
Definitely. All of those are great suggestions. Even when you’ve mentioned FTP, my mind’s thinking, well, FTP is not secure, which you said. You can have this encrypted file going over FTP, or you can actually encrypt the entire connection when you’re using FTP by using SFTP or FTPS. That brings up a good question that I’ll just answer myself, which is what is the difference between FTP, FTPS, and SFTP? I see a lot of people get confused with the SFTP and FTPS. Because FTP we know is in the clear, everything being sent including user names and passwords, all the files, that can all be grabbed off the wire because it’s all sent in the clear.

But when you are using FTPS or SFTP, you’re using either FTP over an SSL or TLS connection or with FTP, you’re using FTP tunneled over port 22, which is SSH, which is an encrypted connection as well. You can use SSH essentially almost as a VPN where you can create a connection and then tunnel whatever you want over it as well. That’s another way that you can do this data in motion protection. Keep all those things in mind as you’re thinking about interview questions and the type of things you might be asked when it comes to confidentiality. Kip.

Kip Boyle:          
There you go. That’s our episode on confidentiality. I hope that that really clarified things for you and gave you some really specific real world examples of how confidentiality happens even outside of the digital sphere. And then also thank you, Jason, for helping us to explore some of the protocols, TLS and SSH and that sort of thing. You even gave us a little peek into public key, private key, symmetric encryption, that sort of thing. Not meant to be a deep dive on that. I hope this was helpful to everybody.

Jason Dion:       
Yeah, definitely. If you enjoyed this episode, definitely join us for the next episode. The next episode, we’re going to move into the I, which is integrity, and that’s where we’re going to dive a little bit deeper to things like digital signatures and hashing and all the things we can do to make sure our data hasn’t been changed or modified. Remember, when we’re talking about confidentiality, we’re really focused on that privacy concern, making sure people who aren’t authorized to see it can’t see it. Mostly we do that with encryption. But that doesn’t mean that that data is actually secure itself.

We could modify that data and it would still be confidential, but it doesn’t necessarily have integrity anymore. We’ll focus on that in the next episode of Your Cyber Path. Once again, I want to thank you all for listening to Your Cyber Path. Remember, you can always go to yourcyberpath.com to get the latest show notes for the episode, as well as a transcript of everything we’re saying inside of the episode. In addition to that, I do want to point out that on the main page of Your Cyber Path, you can click to join our mentor notes. The mentor notes are put out by Kip every time we have an episode. This is going to be about 500 to a thousand words.

It gives you a really quick overview of a certain topic inside of cybersecurity. It’s a great way for you to stay up to date with what’s going on in the world, what’s happening with different concepts and privacy issues and things like that. It’s just a great short read, very digestible, very short, very to the point to really keep you in the know of what’s going on. There’s just so much great stuff that comes out in these mentor notes that Kip puts together that really will help you in your job interviews and your job hunt.

I highly recommend going to yourcyberpath.com, entering in your email and joining the mentor notes. You’ll get those direct emails from Kip every two weeks. That being said, thanks again for joining us and we’ll see you next time.

Kip Boyle:          
See you next time, everybody.

YOUR HOST:

    Kip Boyle
      Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

    Jason Dion
      Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
