All language subtitles for 04. CIA model

Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated:

1
00:00:00,570 --> 00:00:06,390
Welcome to the introduction to CIA lecture. To better define the different types of security threats and how

2
00:00:06,390 --> 00:00:10,440
to protect against them, a model called CIA has been created.

3
00:00:10,830 --> 00:00:13,790
The CIA model is also known as the CIA triad.

4
00:00:14,490 --> 00:00:16,310
What does CIA stand for?

5
00:00:17,010 --> 00:00:23,670
And no, in this case, it does not stand for Central Intelligence Agency. In cybersecurity, CIA stands

6
00:00:23,670 --> 00:00:26,880
for Confidentiality, Integrity and Availability.

7
00:00:27,270 --> 00:00:30,510
In the next slides, we will go in more detail regarding each element.

8
00:00:32,280 --> 00:00:33,990
Let's start with confidentiality.

9
00:00:34,350 --> 00:00:40,620
Confidentiality is the property that information is available only to authorized individuals, entities

10
00:00:40,650 --> 00:00:41,460
or processes.

11
00:00:42,380 --> 00:00:47,420
Confidentiality basically refers to protecting information from being accessed by unauthorized parties.

12
00:00:47,960 --> 00:00:51,420
A failure to maintain confidentiality is commonly known as a breach.

13
00:00:52,130 --> 00:00:55,610
Most of the time, once there is a breach, it cannot be remedied.

14
00:00:56,120 --> 00:01:01,910
For example, if private emails are leaked publicly online, we have a breach, and unauthorized parties

15
00:01:01,910 --> 00:01:04,250
have already accessed and read the information.

16
00:01:05,000 --> 00:01:10,140
We cannot do anything to make the unauthorized people unread the emails they already read.

17
00:01:11,060 --> 00:01:14,120
Let's see a few examples where confidentiality is important.

18
00:01:14,750 --> 00:01:17,570
Let's start with health and insurance. For example,

19
00:01:17,600 --> 00:01:20,240
your medical records are private and only authorized

20
00:01:20,240 --> 00:01:24,620
people should be able to access them, such as, for example, you and your doctor.

21
00:01:25,590 --> 00:01:30,660
Another domain is financial services. Your transactions and balances should be private.

22
00:01:31,080 --> 00:01:34,190
Also, you would not want your credit card to be public.

23
00:01:35,070 --> 00:01:41,220
Yet another example is messaging and social media. Your messages, emails, and social media should be

24
00:01:41,220 --> 00:01:41,570
private.

25
00:01:41,580 --> 00:01:46,490
Only you and the people that you want to share the information with should have access to that information.

26
00:01:46,950 --> 00:01:50,250
And finally, confidentiality is important in everyday use.

27
00:01:50,580 --> 00:01:56,030
Data that you store on your personal devices, such as your smartphone or laptop, is confidential.

28
00:01:56,550 --> 00:02:00,720
This data should only be accessible to you even if your device is stolen.

29
00:02:01,930 --> 00:02:08,740
Now that we understood what confidentiality is, let's have a look at some common ways to ensure it. First,

30
00:02:08,740 --> 00:02:11,070
we can do this by encrypting sensitive files.

31
00:02:11,740 --> 00:02:14,280
For example, your hard drive should be encrypted.

32
00:02:14,290 --> 00:02:19,210
So, even in the event that your device is stolen, the data is not accessible by anyone else.

33
00:02:19,540 --> 00:02:25,870
Another example can be encrypting data stored online, such as in the cloud, so that it's only available

34
00:02:25,870 --> 00:02:27,090
to authorized parties.

35
00:02:27,580 --> 00:02:31,810
Another way to ensure confidentiality is to communicate over secure channels.

36
00:02:32,320 --> 00:02:34,670
This can apply to messaging tools, for example.

37
00:02:35,260 --> 00:02:40,390
Ideally, you should use apps like Signal or WhatsApp that provide end-to-end encryption.

38
00:02:40,810 --> 00:02:46,150
End-to-end encryption means that the message is encrypted by the sender and only the receiver can decrypt it.

39
00:02:46,150 --> 00:02:46,330
.

40
00:02:46,480 --> 00:02:50,230
This way, the message can travel safely without the fear of eavesdropping.

41
00:02:50,800 --> 00:02:53,000
Next, we have data access management.

42
00:02:53,500 --> 00:02:57,780
This basically means providing access to the data only to authorized parties.

43
00:02:58,120 --> 00:03:04,450
For example, let's take a personal computer that has multiple users. In order to make sure that my personal

44
00:03:04,450 --> 00:03:06,560
data is not accessible to other users,

45
00:03:06,580 --> 00:03:09,810
I must get the permission to access my files only to myself.

46
00:03:09,940 --> 00:03:12,560
No other user should be able to access my file.

47
00:03:12,980 --> 00:03:17,500
Finally, in order to safeguard confidentiality, devices and documents should be secured.

48
00:03:17,860 --> 00:03:23,050
This basically translates to not leaving your device or documents unattended in a public space.

49
00:03:23,200 --> 00:03:28,690
Also, you should never, ever keep your passwords written in spaces that are accessible by others,

50
00:03:28,690 --> 00:03:30,100
such as, for example, your work desk.

51
00:03:30,110 --> 00:03:35,800
You can have the most secure passwords in the world, but if you have them written on sticky notes

52
00:03:35,800 --> 00:03:37,570
on your desk, it's all for nothing.

53
00:03:38,590 --> 00:03:43,390
Before we move on, please note that multiple methods discussed in this slide can be used at the same

54
00:03:43,390 --> 00:03:44,950
time to guarantee confidentiality.

55
00:03:46,930 --> 00:03:49,880
After confidentiality, let's discuss integrity.

56
00:03:50,320 --> 00:03:53,500
Integrity refers to ensuring authenticity of information.

57
00:03:53,860 --> 00:03:58,720
This basically means that information is not altered and that the source of the information is genuine.

58
00:03:59,320 --> 00:03:59,800
Again,

59
00:03:59,980 --> 00:04:03,010
let's have a look at a few examples where integrity is important.

60
00:04:03,580 --> 00:04:05,290
Let's start with health and insurance.

61
00:04:06,010 --> 00:04:08,510
Think of an app that contains your medical records.

62
00:04:09,160 --> 00:04:13,590
You definitely don't want your medical records to be unreliable and have different data

63
00:04:13,600 --> 00:04:18,820
each time you open your app. You want to know that your data is correct and filled in by a trusted

64
00:04:18,820 --> 00:04:20,680
source such as, for example, your doctor.

65
00:04:21,130 --> 00:04:22,930
Next example is financial services.

66
00:04:23,170 --> 00:04:25,480
Your bank account must not be altered by anyone.

67
00:04:26,020 --> 00:04:28,180
Nobody wants to have an empty account out of the blue.

68
00:04:29,230 --> 00:04:32,200
Another domain where integrity is important is automotive.

69
00:04:33,730 --> 00:04:38,000
For example, the speedometer of the car should be trusted, so, it must always be accurate.

70
00:04:38,770 --> 00:04:42,030
You don't get the speeding fine just because your speedometer was inaccurate.

71
00:04:43,170 --> 00:04:49,350
Yet another example can be messaging and social media. Integrity must be enforced for posts and messages

72
00:04:49,350 --> 00:04:50,090
on social media.

73
00:04:50,220 --> 00:04:54,540
Otherwise, people could impersonate you and write or change messages on your behalf.

74
00:04:55,170 --> 00:04:58,110
Last but not least, integrity is important in everyday use.

75
00:04:58,230 --> 00:05:03,360
Whenever we surf the web, for example, reading news on our favorite news site or watching some movie

76
00:05:03,360 --> 00:05:04,300
on a streaming service,

77
00:05:04,320 --> 00:05:08,610
we need to know that the news site or streaming service do not contain altered content and that the

78
00:05:08,610 --> 00:05:09,990
information is genuine.

79
00:05:10,930 --> 00:05:17,410
Now that we know what integrity is, let's see some ways it can be ensured. One way is by using checksums.

80
00:05:17,890 --> 00:05:20,890
A checksum is a value that is computed based on data.

81
00:05:21,850 --> 00:05:27,010
This value is used to detect if errors have been introduced during the transmission or storage of the

82
00:05:27,010 --> 00:05:32,560
data. For example, messenger applications can use checksums to validate whether the message received

83
00:05:32,560 --> 00:05:33,750
contains errors or not.

84
00:05:34,650 --> 00:05:41,100
Another, more powerful way to enforce integrity is to use a digital signature. A digital signature is

85
00:05:41,100 --> 00:05:47,190
a mathematical algorithm that is used to validate the authenticity and integrity of a message.

86
00:05:47,790 --> 00:05:54,000
So, for example, each message that is being sent in a messenger can be digitally signed, guaranteeing

87
00:05:54,000 --> 00:05:58,290
that it has been sent by a specific person, and that its content is genuine.

88
00:05:59,040 --> 00:06:04,110
Next, we can use backups and redundancies to make sure that our precious information maintains integrity.

89
00:06:04,680 --> 00:06:06,840
Think of your personal data stored on your PC.

90
00:06:07,290 --> 00:06:12,080
If the storage suffers a hardware failure or the device gets stolen, all your data will be gone.

91
00:06:12,090 --> 00:06:15,450
But, if you have a backup, you can easily restore the lost data.

92
00:06:16,020 --> 00:06:19,050
Another example can be a website, such as an online forum.

93
00:06:19,560 --> 00:06:24,120
The server on which the forum is hosted can fail at some point due to a hardware failure

94
00:06:24,120 --> 00:06:29,670
risking to corrupt and/or lose the data. To protect against these, frequent backups can be done.

95
00:06:29,890 --> 00:06:35,340
Also, adding extra servers that host the online forum can help mitigate the risk of losing data.

96
00:06:36,310 --> 00:06:42,130
A version control system is a system that contains the current as well as previous versions of files,

97
00:06:42,280 --> 00:06:48,010
documents or programs, and can be used to track changes down to the aforementioned files, documents

98
00:06:48,010 --> 00:06:48,610
or programs.

99
00:06:49,730 --> 00:06:54,800
Last but not least, file permissions and access control can help ensure integrity.

100
00:06:55,620 --> 00:07:02,420
Basically, this means making sure that only parties that should modify or delete the data are able

101
00:07:02,420 --> 00:07:02,940
to do so.

102
00:07:03,560 --> 00:07:07,730
For example, let's imagine an online school schedule shared on Google Drive.

103
00:07:08,540 --> 00:07:13,640
The content of the school schedule should be accessible to everyone, both students and teachers, but

104
00:07:13,640 --> 00:07:15,380
should only be modified by the teachers.

105
00:07:15,590 --> 00:07:21,110
So, the teachers should give permission to view the file to everyone, but permission to edit only to

106
00:07:21,110 --> 00:07:23,570
the teachers. Before we move on,

107
00:07:23,810 --> 00:07:29,630
please note that multiple methods discussed in this slide can be used in conjunction to guarantee the integrity

108
00:07:29,630 --> 00:07:30,330
of information.

109
00:07:31,040 --> 00:07:33,710
Until now, we covered the confidentiality and integrity.

110
00:07:34,160 --> 00:07:37,190
It's now time to have a look at the last element of the CIA triad.

111
00:07:37,490 --> 00:07:38,600
IT Availability.

112
00:07:39,350 --> 00:07:44,060
Availability means that information is accessible by authorized parties whenever desired.

113
00:07:44,980 --> 00:07:50,440
This applies to all I.T. systems, from all the services that we use online, such as, for example,

114
00:07:50,440 --> 00:07:56,350
video streaming platforms, online banking, social media platforms, and websites in general, to the usage

115
00:07:56,350 --> 00:07:58,120
of our own laptop or smartphone.

116
00:07:58,790 --> 00:08:03,800
All these services should be available to their users whenever the users demand them.

117
00:08:04,390 --> 00:08:07,900
Let's have a look at a few ways in which we can ensure availability.

118
00:08:08,560 --> 00:08:10,140
First, we have redundancy.

119
00:08:10,660 --> 00:08:14,970
We already discussed a bit about it when we looked at ways to ensure integrity.

120
00:08:15,820 --> 00:08:19,310
Similarly, redundancy could also be used to ensure availability.

121
00:08:20,230 --> 00:08:23,950
Nowadays, most services use redundancy to guarantee availability.

122
00:08:24,550 --> 00:08:30,280
For example, a streaming platform can have multiple instances deployed on separate servers so that

123
00:08:30,430 --> 00:08:32,620
if one of them goes down,

124
00:08:32,620 --> 00:08:33,490
the service is not impacted.

125
00:08:34,300 --> 00:08:40,000
For example, a streaming platform can have multiple instances deployed on separate servers,

126
00:08:40,000 --> 00:08:43,720
so, in case that one of the servers goes down, the service is not impacted.

127
00:08:44,440 --> 00:08:48,070
Also, since one server cannot serve unlimited customers,

128
00:08:48,400 --> 00:08:54,340
hosting the service on multiple servers can ensure availability even when a large number of users are

129
00:08:54,340 --> 00:08:55,980
using the service at the same time.

130
00:08:57,170 --> 00:09:02,570
Next, we have backup, which goes hand in hand with redundancy. Having data stored in multiple places

131
00:09:02,570 --> 00:09:08,300
can help guarantee availability. To continue with the streaming example, having a movie backed up and

132
00:09:08,300 --> 00:09:13,700
stored on multiple servers can allow the movie to be streamed even when one of the servers is down, due

133
00:09:13,700 --> 00:09:15,510
to, for example, a hardware failure.

134
00:09:16,160 --> 00:09:18,290
Last but not least, is lifecycle management.

135
00:09:19,070 --> 00:09:20,960
All hardware will eventually fail.

136
00:09:21,380 --> 00:09:26,930
Because of that, we should plan the replacement of older hardware, which can make the infrastructure

137
00:09:26,930 --> 00:09:29,420
more reliable and provide improved availability.

138
00:09:30,110 --> 00:09:35,210
The same lifecycle management can be applied to software, replacing older software with newer software.

139
00:09:37,230 --> 00:09:44,220
To recap, in this lecture, we learned what the CIA triad is, and for each of its elements, Confidentiality,

140
00:09:44,220 --> 00:09:46,210
Integrity and Availability,

141
00:09:46,270 --> 00:09:49,290
we had a closer look and learned how we can ensure them.

142
00:09:50,190 --> 00:09:55,350
With that, we conclude this lecture. As always, if you have any questions, don't hesitate to ask us.

143
00:09:55,800 --> 00:09:57,030
See you soon in the next one.
