Security CIA


SECURITY TESTING - CIA & AAA

RAVI GALI
CIA PRINCIPLES

• Confidentiality
• Integrity
• Availability
CONFIDENTIALITY

• Confidentiality addresses the secrecy and privacy of information: the measures taken to prevent disclosure of data to unauthorized individuals or systems.
• For an individual, loss of confidentiality can mean identity theft, fraud and financial loss; for a business or government agency the consequences can be far worse (loss of trade secrets, regulatory penalties, compromised operations).
• Password-based authentication is by far the most common logical control used to protect confidentiality, and, not surprisingly, attacks on passwords (guessing, credential stuffing, phishing, cracking of stolen hashes) are the most common confidentiality attacks.
INTEGRITY

• Integrity refers to the methods and actions taken to protect information from unauthorized alteration or revision, whether the data is at rest or in transit.
• Integrity in information systems is often checked with a cryptographic hash. A hash function is a one-way algorithm that maps input of any length to a fixed-length value (the hash value or digest). MD5 and SHA-1 are the classic examples, but both have practical collision attacks and should not be used for new integrity controls; SHA-256 or stronger is the current choice.
• An unkeyed hash only catches accidental corruption or a careless edit. An attacker who can modify data in transit can recompute the hash as well, so integrity against an active attacker requires a keyed message authentication code (for example HMAC) or a digital signature, where the verifier's secret or the signer's private key cannot be reproduced by the attacker.
• If the recomputed hash or tag does not match the one received, the controls designed into the system decide the response: typically either a retransmission of the message or a complete shutdown of the session.
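The following is an added example, not code from the original deck, illustrating the three cases above: an unkeyed SHA-256 digest catches an edit, the same digest is defeated by an attacker who recomputes it, and an HMAC with a key the attacker does not hold is rejected at the receiver. The message, key and account numbers are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample message for the demo (not from the original deck).
MESSAGE = b"transfer 100.00 from acct 12345 to acct 67890"


def digest(data: bytes) -> str:
    """Unkeyed SHA-256 digest (MD5/SHA-1 are collision-broken, so avoided)."""
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, expected_hex: str) -> bool:
    """Detects accidental corruption or a naive edit that leaves the old hash."""
    return hmac.compare_digest(digest(data), expected_hex)


def tag(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256 tag: only a holder of `key` can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def receive(key: bytes, data: bytes, tag_hex: str) -> str:
    """Receiver-side integrity control. A 'reject' result is where the caller
    makes the retransmit-or-shut-down decision described in the deck."""
    # compare_digest runs in constant time, so tag checking leaks no timing info
    if hmac.compare_digest(tag(key, data), tag_hex):
        return "accept"
    return "reject"


def demo() -> dict:
    """Walk through the three cases and return the outcome of each."""
    key = secrets.token_bytes(32)          # shared secret between sender and receiver
    sent_hash = digest(MESSAGE)
    sent_tag = tag(key, MESSAGE)
    # Attacker on the path rewrites the destination account
    tampered = MESSAGE.replace(b"67890", b"99999")
    return {
        # 1. Plain hash catches a modification when the hash itself is untouched
        "hash_detects_edit": not hash_matches(tampered, sent_hash),
        # 2. ...but an active attacker simply recomputes the unkeyed hash
        "hash_fooled_by_recompute": hash_matches(tampered, digest(tampered)),
        # 3. HMAC: attacker cannot forge a tag without the key, receiver rejects
        "mac_rejects_forgery": receive(key, tampered, tag(b"guessed-key", tampered)) == "reject",
        "mac_accepts_genuine": receive(key, MESSAGE, sent_tag) == "accept",
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The key distribution problem (how sender and receiver came to share `key`) is outside this example; in practice it is solved by a key exchange or by using a digital signature instead of a MAC.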
AVAILABILITY

• Availability is probably the simplest, easiest to understand segment of the security triad, yet it should not be overlooked.
• Many methods are used to provide availability (redundancy, failover, backups, capacity planning, rate limiting), depending on whether the discussion is about a system, a network resource or the data itself, but they all attempt to ensure one thing: when the system or data is needed, it can be accessed by appropriate personnel.
• Attacks against availability fall into the denial of service realm. Denial of service (DoS) attacks are designed to prevent legitimate users from accessing a computer resource or service, and can take many forms, from flooding a network link to exhausting an application's memory or connection pool with crafted requests.
AAA FRAMEWORK

• Authentication
• Authorization
• Accounting
AUTHENTICATION

• As the first process, authentication provides a way of verifying the identity a user claims, typically by having the user enter a valid user name and valid password before access is granted; stronger schemes add a second factor such as a hardware token or one-time code.
• Authentication relies on each user presenting credentials that are unique to them: something they know (a password), something they have (a token) or something they are (a biometric).
AUTHORIZATION

• Following authentication, a user must be authorized before performing specific tasks.
• After logging into a system, for instance, the user may try to issue commands.
• The authorization process determines whether the user has the authority to issue those commands. Simply put, authorization is the enforcement of policy: determining what types of activities, resources or services a user is permitted. Authorization decisions are made in the context of an authenticated identity, since a permission can only be evaluated against a known principal.
• Once a user is authenticated, they may be authorized for different types of access or activity according to their roles or attributes.
ACCOUNTING

• Accounting is carried out by logging session statistics and usage information (who authenticated, what they were authorized to do and what they actually did). The records are used for audit and authorization review, billing, trend analysis, resource utilization and capacity planning.
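The following is an added example, not code from the original deck, that walks one request through all three AAA steps in order: a salted PBKDF2 password check (authentication), a role-to-command policy lookup (authorization), and an audit log entry for every decision (accounting). The users, passwords, roles, command names and the `run_command` helper are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# PBKDF2 work factor; raised in production, kept modest so the demo runs fast.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, derived_key)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_user(password: str, roles) -> dict:
    salt, dk = hash_password(password)
    return {"salt": salt, "hash": dk, "roles": set(roles)}


# Constructed user store for the demo; a real system keeps this in a database.
USERS = {
    "alice": _make_user("correct horse battery staple", ["admin"]),
    "bob": _make_user("hunter2", ["reader"]),
}

# Authorization policy: which roles may issue which commands.
PERMISSIONS = {
    "read_report": {"reader", "admin"},
    "delete_user": {"admin"},
}

# Accounting record: one entry per authentication and authorization decision.
AUDIT_LOG = []


def account(username: str, action: str, success: bool) -> None:
    AUDIT_LOG.append({
        "ts": time.time(),
        "user": username,
        "action": action,
        "result": "ok" if success else "denied",
    })


def authenticate(username: str, password: str) -> bool:
    user = USERS.get(username)
    # Derive a key even for unknown users so response time does not reveal
    # which usernames exist; compare_digest keeps the comparison constant-time.
    salt = user["salt"] if user else bytes(16)
    _, candidate = hash_password(password, salt)
    ok = user is not None and hmac.compare_digest(candidate, user["hash"])
    account(username, "login", ok)
    return ok


def authorize(username: str, command: str) -> bool:
    allowed_roles = PERMISSIONS.get(command, set())   # unknown command: nobody
    user_roles = USERS.get(username, {}).get("roles", set())
    ok = bool(user_roles & allowed_roles)
    account(username, command, ok)
    return ok


def run_command(username: str, password: str, command: str) -> str:
    """AAA in order: authenticate, then authorize, with both decisions accounted."""
    if not authenticate(username, password):
        return "authentication failed"
    if not authorize(username, command):
        return "not authorized"
    return f"executed {command}"


if __name__ == "__main__":
    print(run_command("alice", "correct horse battery staple", "delete_user"))
    print(run_command("bob", "hunter2", "delete_user"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that the denied `delete_user` attempt by bob is recorded in `AUDIT_LOG` even though nothing was executed; failed decisions are exactly what the accounting step exists to capture, since they are the signal for credential abuse or privilege probing.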