
Practical – 6

Aim: Explain Confidentiality, Integrity and Availability.

Confidentiality
- In simple terms, confidentiality means that something is secret and is not supposed to be disclosed to unintended people or entities.
- Confidentiality ensures that sensitive information is accessed only by authorized persons and is kept away from those not authorized to possess it.
- Everyone has information which they wish to keep secret. Thus, protecting such information is an important part of information security.

Examples of confidential information:

- Bank account statement
- Personal information
- Credit card number
- Trade secrets
- Government documents

In the event that confidentiality is compromised, it might result in unauthorized access to personal information or even complete loss of privacy.

Examples of attacks that affect confidentiality:

- Packet sniffing
- Password cracking
- Dumpster diving
- Wiretapping
- Key logging
- Phishing

Ways to ensure confidentiality:

- Username and password
- Two-factor authentication
- Biometric verification
- Security tokens or key fobs
- Data encryption

1|Page AJ
Fig – Confidentiality (A sends a secret message to B; C reads it)

- This figure shows a secret message sent from A to be received by B, but the message is also read by another person, C.

Integrity
- Integrity means that when a sender sends data, the receiver must receive exactly the same data as sent by the sender.
- Data must not be changed in transit. For example, if someone sends the message “Hello!”, then the receiver must receive “Hello!”. That is, it must be exactly the same data as sent by the sender. Any addition or subtraction of data during transit would mean the integrity has been compromised.
- Note that changes in data might also occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or a server crash, so it’s important to have backup procedures and redundant systems in place to ensure data integrity.

Example attacks that affect Integrity:

- Data modification attack
- Session hijacking
- Man-In-The-Middle (MITM) attack

Fig – Integrity (ideal route of the message: A sends “Transfer $100” to B; C alters it in transit to “Transfer $1000”)

- In the above diagram, A sends data to B, but C breaks the integrity of the data in transit, so the actual transaction has been changed.

Availability

Fig – Availability (A, B and C)

- Availability implies that information is available to the authorized parties whenever required. Unavailability of data and systems can have serious consequences.
- It is essential to have plans and procedures in place to prevent or mitigate data loss as a result of a disaster. A disaster recovery plan must include unpredictable events such as natural disasters and fire.
- A routine backup job is advised in order to prevent or minimize total data loss from such occurrences.
- Also, extra security equipment or software such as firewalls and proxy servers can guard against downtime and unreachable data due to malicious actions such as denial-of-service (DoS) attacks and network intrusions.

Example attacks that affect Availability:

- DoS and DDoS attacks
- SYN flood attack
- Physical attacks on server infrastructure

Authentication
- In the context of computer systems, authentication is a process that ensures and confirms a user’s identity. Authentication is one of the five pillars of information assurance (IA).
- Authentication begins when a user tries to access information. First, the user must prove their identity and access rights. When logging into a computer, users commonly enter usernames and passwords for authentication purposes. This login combination, which must be assigned to each user, authenticates access.
- A stronger form of authentication, biometrics, depends on the user’s presence and biological makeup (i.e., retina or fingerprints). This technology makes it more difficult for hackers to break into computer systems.

Fig – Authentication (A to B: “I am user A”; C is a third party)

Non-repudiation
- Non-repudiation is the assurance that someone cannot deny something.
- Typically, non-repudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.

Fig – Non-repudiation (A to B: “I have sent that message, which you claim to have received”)

Access-control
- Network access control (NAC) is an approach to network management and security that enforces security policy, compliance and management of access control to a network.
- It is a network solution that enables only compliant, authenticated and trusted endpoint devices and nodes to access network resources and infrastructure.
- It also monitors and controls their activity once they are on the network.
- Network access control is also known as Network Admission Control (NAC).

