Cybersecurity Fundamentals, Part 1: The CIA Triad

In this multi-part series, I will continuously add learnings and insights from my cybersecurity studies prompted by the boot camp I just started. If you find the information insightful, please share a comment below and Like the post to increase reach!

The CIA Triad

The three foundational pillars of Information Security.

  • C - Confidentiality
  • I - Integrity
  • A - Availability

  • Confidentiality: Only authorized parties can access information. This covers protection of sensitive data and personally identifiable information (PII), non-disclosure, and regulatory compliance. See Case Study: Marriott Hack below.

  • Integrity: Protection against improper modification or destruction of information, so that data stays consistent, accurate, and trustworthy. Integrity is typically enforced with hashes, digital signatures, and change monitoring. See Case Study: NHS Defacement below.

  • Availability: Keeping systems and information reachable and usable by authorized users when they need them. E.g., Netflix staying up and streaming for its subscribers. See Case Study: GitHub DDoS below.

(Image source: StationX)

I wish I had learned about the CIA triad a bit sooner; it would have saved me some embarrassment in a previous interview! Hot Tip: This is a different CIA, not the Central Intelligence Agency. The good news is I'll never mix the two up again. "FAIL stands for First Attempt In Learning" - FullStack Academy


Case Study on Confidentiality - Marriott Hack

In 2018, Marriott disclosed that the personally identifiable information (PII) of roughly 380 to 500 million guests had been exposed over the course of four years (the initial estimate of up to 500 million was later revised to about 383 million). Much of the data was not encrypted; some of it was merely hashed with SHA-1, which does not qualify as encryption. A hash is a one-way digest with no key, so anyone holding the hash of a low-entropy value such as a card or passport number can recover it by guessing candidates and hashing each one, whereas properly encrypted data is useless without the key.
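To make the "hashing is not encryption" point concrete, here is an added example (my code, not the original post's and not anything from Marriott) that reverses an unsalted SHA-1 hash of a payment card number. It assumes the attacker knows the first six digits (the BIN) and the last four, which both appear on printed receipts; the card number, the placeholder key and the digests are constructed test values, not breach data.

```python
"""Why hashing is not encryption: reversing an unsalted SHA-1 hash of a card number.

Added example, not code from the original post or from Marriott. The card
number, BIN and digests are constructed test values (4111 1111 1111 1111 is
the standard Visa test number), not breach data.

Assumed attacker knowledge: the stored SHA-1 digest, the first six digits
(the BIN, which identifies the issuer and appears on receipts) and the last
four (also printed on receipts). That leaves six unknown digits, and the
Luhn checksum fixes one of them, so only 100,000 candidates remain.
"""
import hashlib
import hmac
import itertools
from typing import Callable, Optional

DOUBLE = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)   # Luhn contribution of a doubled digit


def luhn_sum(number: str) -> int:
    """Luhn weighted sum; the number is valid when this is divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        total += DOUBLE[d] if i % 2 == 1 else d
    return total


def luhn_valid(number: str) -> bool:
    return luhn_sum(number) % 10 == 0


def luhn_fill(number: str, gap: int) -> str:
    """Replace the '0' placeholder at index `gap` with the digit that makes
    the whole string pass Luhn (every digit position has exactly one)."""
    need = (-luhn_sum(number)) % 10            # the placeholder contributes 0
    from_right = len(number) - 1 - gap
    d = DOUBLE.index(need) if from_right % 2 == 1 else need
    return number[:gap] + str(d) + number[gap + 1:]


def sha1_hex(value: str) -> str:
    """Unkeyed SHA-1, as a system that 'hashes instead of encrypting' stores it."""
    return hashlib.sha1(value.encode()).hexdigest()


def keyed_digest_hex(secret: bytes, value: str) -> str:
    """HMAC-SHA256 under a secret key: candidates cannot be tested without it."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()


def crack_pan_hash(target_hex: str, bin6: str, last4: str,
                   digest_fn: Callable[[str], str] = sha1_hex) -> Optional[str]:
    """Recover a 16-digit PAN from an unsalted, unkeyed digest by enumeration.

    Enumerates the five free middle digits, derives the sixth from Luhn,
    digests each candidate with the public function and compares it with
    the stored value. Returns the PAN, or None if nothing matches.
    """
    for middle in itertools.product("0123456789", repeat=5):
        candidate = luhn_fill(bin6 + "".join(middle) + "0" + last4, gap=11)
        if digest_fn(candidate) == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"                          # constructed test PAN
    stored = sha1_hex(pan)                            # what a 'hashed' store holds
    print("recovered from SHA-1:", crack_pan_hash(stored, pan[:6], pan[-4:]))

    # The same enumeration against a keyed digest: the attacker can only run
    # public hash functions, so no candidate matches and the PAN stays hidden.
    secret = b"server-side-key-kept-in-an-hsm"         # constructed placeholder
    protected = keyed_digest_hex(secret, pan)
    print("recovered from keyed digest:",
          crack_pan_hash(protected, pan[:6], pan[-4:],
                         digest_fn=lambda v: hashlib.sha256(v.encode()).hexdigest()))
```

The takeaway is that the strength of the hash function is irrelevant here: SHA-256 would fall just as fast as SHA-1 because the input space is tiny. Card and passport numbers need a secret the attacker does not have, which means encryption (or tokenization) with the key held separately, not a bare digest.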

Per Marriott, the company had hired three third-party security firms to audit its security (Accenture, Verizon, and CrowdStrike); somehow, all three missed the improperly secured PII. At least, this is what Marriott claims. I'll leave it to you to determine the truth.

Beginning in 2014, attackers were inside the network of Starwood Hotels, which Marriott acquired in 2016, and the intrusion came along with the acquisition. Starwood's systems were compromised via a remote access trojan (RAT): malware that gives an unauthorized remote operator control of the infected host, typically with administrative privileges.

Failures and Vulnerabilities:

Several failures and vulnerabilities led to this attack:

  1. Starwood's properties were running outdated Windows Server software.
  2. These properties also left Remote Desktop Protocol (RDP) ports open to the internet.
  3. During its acquisition of Starwood, Marriott failed to complete a proper cybersecurity audit of Starwood's networks and technology.
  4. Marriott repeatedly failed to identify the attackers' activity within Starwood's systems.

Only in 2015 was the attackers' activity in the reservation system first detected, and even then it was not properly addressed. Data migrated from Starwood to Marriott was also compromised after the attackers obtained the decryption keys, so encrypting the data bought nothing once the keys sat on the same compromised systems.

Business Impact:

Marriott is estimated to have lost over $1B in revenue due to diminished customer loyalty, and its stock dropped almost 5% on the breach announcement. The UK Information Commissioner's Office (ICO) announced in 2019 that it intended to fine Marriott £99M (about $123M) under GDPR; the penalty actually issued in 2020 was reduced to £18.4M.

Lessons Learned:

  • Remote Desktop Protocol (RDP) endpoints require proper safeguards. RDP should never be exposed directly to the internet; put it behind a VPN or gateway, restrict the allowed source addresses, and require multi-factor authentication (MFA).
  • Cybersecurity must be part of merger and acquisition (M&A) due diligence, because inheriting another company's network also means inheriting its compromises.
  • Effective threat detection and security tooling is crucial. It is an expensive investment, but the estimated $1B in lost revenue dwarfed what it would have cost. Investing in keeping PII confidential is critical to businesses in the digital age; the cost of neglecting it can far outweigh the cost of the safeguards.
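The first lesson is easy to check mechanically. Below is an added example (my code, not the original post's and not anything Marriott or Starwood ran) that scans firewall rules for RDP reachable from anywhere. The rules are constructed to look like AWS security-group ingress permissions as returned by `describe-security-groups`; the group IDs and CIDRs are made up, and the check itself is generic enough to adapt to any firewall export.

```python
"""Flag firewall rules that expose RDP (TCP/UDP 3389) to the whole internet.

Added example, not code from the original post or from Marriott. The rule
set is constructed in the shape of AWS security-group ingress permissions
(IpProtocol / FromPort / ToPort / IpRanges / Ipv6Ranges); the group IDs and
CIDRs are made up. Any rule whose port range covers 3389 and whose source
is 0.0.0.0/0 or ::/0 is reported.
"""
import ipaddress

RDP_PORT = 3389


def rule_covers_rdp(rule: dict) -> bool:
    proto = rule.get("IpProtocol")
    if proto == "-1":                       # AWS shorthand: all protocols, all ports
        return True
    if proto not in ("tcp", "udp"):
        return False
    return rule["FromPort"] <= RDP_PORT <= rule["ToPort"]


def source_is_internet(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (a prefix length of zero matches everything)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_exposed_rdp(groups: list) -> list:
    """Return (group id, protocol, source) for each rule exposing RDP to the internet."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            if not rule_covers_rdp(rule):
                continue
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for src in sources:
                if source_is_internet(src):
                    findings.append((group["GroupId"], rule["IpProtocol"], src))
    return findings


# Constructed sample: one group per common mistake, plus one done properly.
SAMPLE_GROUPS = [
    {"GroupId": "sg-rdp-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-wide-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-rdp-via-vpn", "IpPermissions": [      # the safe pattern
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]}]},       # VPN client pool only
]

if __name__ == "__main__":
    for group_id, proto, src in find_exposed_rdp(SAMPLE_GROUPS):
        print(f"{group_id}: RDP reachable from {src} ({proto})")
```

Note that the "allow all" and "wide port range" groups are caught as well; a scanner that only looks for a rule literally set to 3389 misses both. The remediation in every flagged case is the same: the source becomes the VPN client range (as in the last group) and MFA is enforced at the VPN or gateway.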


Case Study on Integrity - National Health Service (NHS) Defacement

A website defacement attack is a rudimentary example of a cyberattack that speaks to the importance of the "I" in the CIA Triad: Integrity. Unauthorized modification of a website can damage business continuity, brand image, and consumer trust.

In 2017, a hacker going by "AnoaGhost" defaced an NHS website (see image below); the BBC reported it in 2018. The defacement was first spotted visually by a cybersecurity expert, who tweeted his findings to his followers. Within hours the message was removed and the site restored, but the compromise is believed to have gone unnoticed for about five days.

Source: BBC
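Five days is the interesting number here: a defacement is a change to files the operator already knows, so an integrity check would have caught it in minutes. The following added example (my code, not the original post's and nothing the NHS or BBC published) builds a SHA-256 baseline of a web root and reports what changed. The web root and its contents are created in a temporary directory as constructed sample data so the script runs offline.

```python
"""Minimal file-integrity check for a web root: detect a defacement by
comparing SHA-256 hashes against a trusted baseline.

Added example, not code from the original post, the NHS or the BBC. The web
root and its files are constructed in a temporary directory so the script
runs offline. In production the baseline must be stored off-host (or
signed) so an attacker who can alter the site cannot also alter the baseline.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's root-relative POSIX path to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a constructed web root, take a baseline, 'deface' it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome to the service</h1>\n")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { color: #222; }\n")
        baseline = build_baseline(root)

        # Simulated defacement: homepage overwritten, extra file dropped,
        # stylesheet deleted. All content here is constructed.
        (root / "index.html").write_text("<h1>Hacked by constructed-example</h1>\n")
        (root / "shell.php").write_text("<?php /* constructed placeholder */ ?>\n")
        (root / "css" / "site.css").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run this from cron or a monitoring agent every few minutes, alert on any non-empty result, and a defacement is noticed at the next run rather than by a passer-by on Twitter. Planned deployments simply regenerate the baseline as their last step.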

Common Causes of Defacement Attacks (per Imperva):

  • Unauthorized Access
  • SQL Injection
  • Cross-site Scripting (XSS)
  • Malware Infection

Lessons Learned:

  • Use the Principle of Least Privilege (PoLP). Limit administrative access to your websites to reduce the chance that an insider leaks admin credentials or that an external attacker compromises an over-privileged account.
  • Don't use default admin usernames, emails, or passwords. Attackers know these defaults and will try them first; default admin mailboxes are also a natural phishing target.
  • Limit the use of add-ons and plugins on your website or application, keep the ones you do use patched, and vet them before installing.


Case Study: GitHub DDoS Attack Summary

On February 28th, 2018, GitHub was hit by a memcached amplification DDoS attack rather than a conventional botnet-driven flood. The outage lasted only about 20 minutes because GitHub had DDoS protection in place: the attack was detected and mitigation was engaged within roughly 10 minutes.

What happened:

  • GitHub.com was unavailable or degraded for about 20 minutes due to a very large DDoS attack.
  • The attack used reflection and amplification: the attackers sent small UDP requests with a spoofed source address (GitHub's) to misconfigured, internet-exposed memcached servers, which answered GitHub with responses up to roughly 50,000 times larger than the requests.
  • The attack peaked at 1.35 terabits per second (Tbps) and 126.9 million packets per second.
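The amplification mechanics above leave a clear fingerprint in flow data: UDP packets whose source port is 11211 (memcached), arriving at one victim from many hosts, each packet near the MTU. The following added example (my code, not the original post's and nothing GitHub or Akamai published) computes the amplification factor and picks that pattern out of constructed NetFlow-style records. The addresses come from the RFC 5737 documentation ranges and the byte counts are invented; the 15-byte request size is the figure Cloudflare reported for this attack class.

```python
"""Spot a memcached amplification flood in flow records.

Added example, not code from the original post or from GitHub or Akamai.
The flow lines are constructed to resemble a NetFlow-style export
("<epoch> <proto> <src>:<sport> -> <dst>:<dport> <bytes> <packets>"); the
addresses are RFC 5737 documentation ranges and the volumes are invented.

Signature of the attack: UDP flows whose *source* port is 11211, arriving at
one victim from many distinct hosts, with a very large average packet size.
Memcached should never be reachable across the internet edge, so any such
flow is suspect.
"""
from collections import defaultdict

MEMCACHED_PORT = 11211
MEMCACHED_REQUEST_BYTES = 15          # a minimal spoofed "get" request (Cloudflare's figure)


def amplification_factor(response_bytes: int,
                         request_bytes: int = MEMCACHED_REQUEST_BYTES) -> float:
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_bytes / request_bytes


def parse_flow(line: str) -> dict:
    ts, proto, src, _arrow, dst, nbytes, npackets = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": int(ts), "proto": proto.lower(),
            "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port),
            "bytes": int(nbytes), "packets": int(npackets)}


def detect_memcached_reflection(lines, min_avg_bytes: int = 1000,
                                min_reflectors: int = 2) -> dict:
    """Group suspect flows by victim and report victims fed by several reflectors.

    Returns {victim: {"reflectors": set, "bytes": int, "packets": int, "avg_pkt": float}}.
    """
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] != "udp" or f["sport"] != MEMCACHED_PORT:
            continue
        if f["bytes"] / f["packets"] < min_avg_bytes:   # small replies: not amplification
            continue
        v = per_victim[f["dst"]]
        v["reflectors"].add(f["src"])
        v["bytes"] += f["bytes"]
        v["packets"] += f["packets"]
    report = {}
    for victim, v in per_victim.items():
        if len(v["reflectors"]) >= min_reflectors:
            v["avg_pkt"] = v["bytes"] / v["packets"]
            report[victim] = v
    return report


# Constructed flow records: three reflectors hammering 203.0.113.5, plus
# ordinary TCP, a DNS reply and a small memcached flow to another host.
SAMPLE_FLOWS = """\
1519838460 udp 198.51.100.10:11211 -> 203.0.113.5:443 1400000 1000
1519838460 udp 198.51.100.11:11211 -> 203.0.113.5:443 1420000 1010
1519838461 udp 198.51.100.12:11211 -> 203.0.113.5:80 1380000 990
1519838461 tcp 192.0.2.7:52113 -> 203.0.113.5:443 6200 40
1519838462 udp 192.0.2.8:53 -> 203.0.113.5:40011 512 2
1519838462 udp 198.51.100.10:11211 -> 203.0.113.9:443 800 4
"""

if __name__ == "__main__":
    for victim, info in detect_memcached_reflection(SAMPLE_FLOWS.splitlines()).items():
        print(f"{victim}: {len(info['reflectors'])} reflectors, "
              f"{info['bytes']:,} bytes, avg packet {info['avg_pkt']:.0f} B")
    print("amplification of a 750 kB reply:", amplification_factor(750_000))
```

Three defences remove this attack class at different layers: memcached operators disable the UDP listener (`-U 0`; memcached 1.5.6, released the day before the GitHub attack, made that the default), network edges drop UDP port 11211, and upstream providers deploy source-address validation (BCP 38) so the spoofed requests never leave the attacker's network.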

What GitHub did to respond:

  • They identified the attack and rerouted traffic through Akamai, a partner with a larger network capacity.
  • They used automated tools to mitigate the attack and restore service.

What GitHub is doing to improve:

  • They are investigating ways to automate their response to DDoS attacks.
  • They are expanding their network capacity and looking for new ways to defend against attacks.
  • They are committed to improving their availability and response times.

Important note:

  • No user data was compromised during the attack.


Hope you learned something new!

Tim Andes

Seeking a Cybersecurity Role | Kali Linux | Python & Web Developer | AWS & Terraform Certified
