Information is one of the most valuable assets of any company. It carries significant economic value and is the foundation of countless businesses.
The "big three" of information security, also known as protection goals, are the reference points for protecting your information: confidentiality, integrity and availability. The following sections explain what each term means and which threats can violate it.
Confidentiality in system security
A system provides confidentiality when no unauthorized party can obtain information from it.
Threats to confidentiality
A typical threat to data confidentiality is a workplace that is not properly secured acoustically or visually, so that unauthorized persons can pick up information with ease. You have probably been able to read someone's screen on the train without any effort, and perhaps the presentation for the next board meeting along with it. Sensitive information is also often overheard unintentionally, for example in an office corridor.
Such "confidentiality leaks" are sometimes particularly insidious because nobody is even aware of them. Modern printers, for example, often save scanned and printed documents automatically to a built-in hard drive. As a test, the German broadcaster ARD bought used multifunction printers on eBay and read out their hard disks with freely available software. Divorce documents, income tax cards, police witness interviews and more were found. One of the printers had probably stood in a lawyer's office that was unaware that scanned documents were being stored. In this case the issue is not only one of data protection: it is also a violation of §203 of the German Criminal Code (StGB), under which third-party secrets that concern personal areas of life, or company or business secrets, may not be disclosed.
You should therefore use encryption wherever you can. An unprotected WLAN or unencrypted e-mails are potential security risks. And if a company smartphone, laptop or USB stick is lost, the confidentiality of the data on it is far better protected if the device was encrypted.
The law firm in the ARD test got off lightly. To avoid such unknown data stores and entry points in the first place, it is always advisable to inventory every component of your IT environment. With an IT inventory, every device is recorded at any time and the list is kept up to date.
Integrity in system security
A system ensures integrity when the data to be protected cannot be modified in an unauthorized and undetected manner.
Threats to integrity
An example of an active attack on the integrity of data is SQL injection. In this attack, the attacker exploits missing validation of user input to smuggle their own SQL into the queries an application sends to its database. The attacker can thus manipulate the data in the database or possibly even delete entire tables. If you want to know more about SQL injection, you will find it on our blog.
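The following is an added example, not code from the original article: a minimal Python application layer over an in-memory SQLite table (the table, its rows and the attacker's inputs are constructed here for illustration). It shows the vulnerable string-concatenated queries next to their parameterized counterparts, so you can see both integrity violations the text describes, an unauthorized modification of every row and a deletion of the whole table, and that the same inputs are harmless once they are bound as parameters.

```python
import sqlite3


def make_db():
    """Constructed sample data: a users table with three accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    conn.commit()
    return conn


def snapshot(conn):
    """Return (id, name) of every row, so before/after states can be compared."""
    return conn.execute("SELECT id, name FROM users ORDER BY id").fetchall()


# --- vulnerable: user input is pasted into the SQL text -------------------

def rename_vulnerable(conn, user_id, new_name):
    # A quote in new_name ends the string literal early; "--" comments out
    # the WHERE clause, so the UPDATE hits every row.
    conn.execute(f"UPDATE users SET name = '{new_name}' WHERE id = {user_id}")
    conn.commit()


def delete_vulnerable(conn, user_id):
    # "3 OR 1=1" makes the condition true for every row.
    conn.execute(f"DELETE FROM users WHERE id = {user_id}")
    conn.commit()


# --- hardened: user input is bound as a parameter, never parsed as SQL ----

def rename_safe(conn, user_id, new_name):
    conn.execute("UPDATE users SET name = ? WHERE id = ?", (new_name, user_id))
    conn.commit()


def delete_safe(conn, user_id):
    conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
    conn.commit()


# Attacker-controlled inputs (constructed for the demo).
NAME_PAYLOAD = "pwned' --"
ID_PAYLOAD = "3 OR 1=1"


def run_vulnerable():
    """Returns the table after the injected rename and after the injected delete."""
    conn = make_db()
    rename_vulnerable(conn, 2, NAME_PAYLOAD)   # user 2 "only" wants to rename themselves
    after_rename = snapshot(conn)               # every name is now 'pwned'
    delete_vulnerable(conn, ID_PAYLOAD)
    after_delete = snapshot(conn)               # table is empty
    return after_rename, after_delete


def run_safe():
    """Same inputs through the parameterized queries: only row 2 changes, nothing is deleted."""
    conn = make_db()
    rename_safe(conn, 2, NAME_PAYLOAD)
    after_rename = snapshot(conn)               # row 2 is literally named "pwned' --"
    delete_safe(conn, ID_PAYLOAD)               # no row has id = '3 OR 1=1'
    after_delete = snapshot(conn)
    return after_rename, after_delete


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())
    print("safe:      ", run_safe())
```

Note that the safe variants do not sanitize the input at all; the protection comes entirely from the driver binding the value separately from the SQL text. Input validation (for instance, requiring `user_id` to be an integer) is still worthwhile as defence in depth, but it is not what makes the query safe.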
However, the integrity of data can be violated not only by attacks but also unintentionally, for example when faulty software or hardware stores or passes on incorrect information.
To protect data integrity, use cryptography that also detects modification: plain encryption alone only hides data, while an authenticated encryption mode, a message authentication code or a digital signature makes any change detectable. Important customer communications are best conducted by post, in person, or digitally signed and encrypted, so that the terms of important contracts cannot be altered by third parties without this being noticed.
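The point that encryption by itself does not protect integrity is easy to miss, so here is an added example (not from the original article) that demonstrates it. It uses a deliberately toy stream cipher built from SHA-256 purely for illustration, which is an assumption of this example and not a recommendation; the malleability it shows is exactly the same for real unauthenticated stream modes such as AES-CTR. An attacker who knows only the message layout, not the key, flips bits in the ciphertext to change the amount in a transfer. The second half adds an HMAC over the ciphertext (encrypt-then-MAC), after which the same manipulation is rejected. In production, use an authenticated mode such as AES-GCM or ChaCha20-Poly1305 instead of assembling this yourself.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream for illustration only: SHA-256(key || nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream (stream-cipher style)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # XOR is its own inverse


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Bit-flip attack: with no knowledge of the key, turn plaintext bytes `old`
    at `offset` into `new` by XORing the ciphertext with old ^ new."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the HMAC tag covers the nonce and the ciphertext."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified")
    return decrypt(enc_key, nonce, ct)


# Constructed sample message; the attacker knows this layout but not the keys.
MESSAGE = b"transfer amount=0100 to=alice"


def demo_unauthenticated() -> bytes:
    """Encryption only: the forged amount decrypts cleanly and goes unnoticed."""
    enc_key, nonce = os.urandom(32), os.urandom(16)
    ct = encrypt(enc_key, nonce, MESSAGE)
    forged = tamper(ct, MESSAGE.index(b"0100"), b"0100", b"9900")
    return decrypt(enc_key, nonce, forged)


def demo_authenticated() -> str:
    """Encrypt-then-MAC: the same bit flip is detected and the message rejected."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    blob = seal(enc_key, mac_key, nonce, MESSAGE)
    forged = tamper(blob, 16 + MESSAGE.index(b"0100"), b"0100", b"9900")
    try:
        open_sealed(enc_key, mac_key, forged)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print(demo_unauthenticated())   # the amount has silently become 9900
    print(demo_authenticated())     # rejected
```

One caveat for the later discussion of accountability: an HMAC proves that the message came from someone holding the shared key, but because both parties hold that key, neither can prove to a third party which of them produced it. Where that matters, a digital signature with a private key held by only one party is needed.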
To prevent such security leaks, it is always worthwhile to commission a penetration test. It helps you to identify vulnerabilities and possible entry points at an early stage and also gives your IT security specialists the chance to check whether their work has been effective.
Authenticity as a complement to integrity
An object or user is authentic if their identity can be verified by means of a unique identifier or characteristic property (e.g. username and password, fingerprint). The process of verifying that identity is called authentication.
Threats to authenticity
An attack on authenticity is, for example, the generation of messages under a false identity, such as ordering goods on the Internet under a false name.
The current top 10 German passwords, according to the Hasso Plattner Institute, are:
Of course, such passwords do nothing to ensure authenticity. A password manager, i.e. a program for the secure storage of strong, unique passwords, is one remedy. If it is possible to log in to certain areas without a password at all, or if the default password of a server has never been changed, this likewise threatens authenticity.
Authenticity also includes bindingness, usually called non-repudiation: "Bindingness of an action is guaranteed if a subject cannot deny it afterwards." Much can be achieved here with log files, i.e. automatically kept records of computer activity. Ideally, these logs can be used after a security incident to establish which employee had access to which customer data, when, and what they did with it; for this to hold up, the logs themselves must be protected from subsequent modification. Digital signatures can also establish bindingness. They work like a handwritten signature: because only the signer holds the private key, you can be sure that the message really comes from the signer, and the signer cannot plausibly deny it later.
Availability in system security
A system provides availability when authenticated and authorized subjects cannot be prevented in an unauthorized manner from exercising their privileges.
Threats to availability
A server failure, for example, impairs availability, whether caused by an attack such as a DDoS or by a simple defect. Elementary hazards must also be considered: if the server room has burned down, the corresponding service is probably no longer available either. In general, it is important to make your IT as fail-safe as possible. Effective IT monitoring helps here, because it moves your work to a proactive level and lets you detect anomalies at an early stage.
To ensure availability, good crisis management is particularly important. Who is responsible in an emergency, and how can they be reached? A backup strategy is also indispensable, one in which backups are not only created regularly but restoring from them is actually rehearsed. In practice, it is precisely the latter that proves a greater challenge than one might expect.
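A restore rehearsal only counts if it proves that the restored data matches the original. The following is an added example, not part of the original article, of such a drill in Python: it backs up a directory into a tar archive, restores it into a fresh location, compares SHA-256 manifests of both trees, and reports missing or corrupted files. The sample directory contents are constructed here for illustration; point `restore_drill` at a real directory to use it.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def create_backup(source: Path, archive: Path) -> Path:
    """Write every file under source into a gzip-compressed tar archive."""
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                tar.add(path, arcname=path.relative_to(source).as_posix())
    return archive


def restore_backup(archive: Path, target: Path) -> Path:
    """Extract the archive into target (with the safe 'data' filter where available)."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)
    return target


def compare_trees(source: Path, restored: Path) -> dict:
    """Report whether the restored tree is byte-for-byte identical to the source."""
    before = sha256_manifest(source)
    after = sha256_manifest(restored)
    missing = sorted(set(before) - set(after))
    corrupted = sorted(p for p in before if p in after and before[p] != after[p])
    ok = bool(before) and not missing and not corrupted
    return {"ok": ok, "files": len(before), "missing": missing, "corrupted": corrupted}


def restore_drill(source: Path) -> dict:
    """Full rehearsal: back up, restore elsewhere, and verify the result."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        archive = create_backup(source, tmp / "backup.tar.gz")
        restored = restore_backup(archive, tmp / "restore")
        return compare_trees(source, restored)


def make_sample_data(root: Path) -> Path:
    """Constructed sample data standing in for a real document share."""
    (root / "contracts").mkdir(parents=True)
    (root / "contracts" / "acme.txt").write_text("contract with ACME, value 10000\n")
    (root / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
    return root


def run_drill_demo():
    """Returns (report of a good drill, report of a restore that lost data)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = make_sample_data(Path(tmp) / "data")
        good = restore_drill(src)
        # Simulate a bad restore: one file missing, one file truncated.
        bad_tree = Path(tmp) / "bad"
        bad_tree.mkdir()
        (bad_tree / "customers.csv").write_text("id,name\n1,alice\n")
        bad = compare_trees(src, bad_tree)
        return good, bad


if __name__ == "__main__":
    good, bad = run_drill_demo()
    print("good restore:", good)
    print("bad restore: ", bad)
```

Run the drill against a copy of production data on a schedule and alert when `ok` is false; a backup job that succeeds every night but whose archives cannot be restored is exactly the situation the paragraph above warns about.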
However, all of the above protection goals must of course not be viewed in complete isolation. They interlock and are mutually dependent. Enginsight’s holistic concept can therefore provide you with the best possible support in achieving these protection goals.
Summary: Confidentiality, Integrity, Availability in IT
Confidentiality, integrity and availability are the key points of information protection. Confidentiality means that no one gains unauthorized access to information; threats include unprotected workstations, forgotten data stores such as printer hard drives, and unencrypted data transfers. Integrity means that information cannot be changed unnoticed; threats include SQL injection, malware such as viruses and Trojans, and faulty software or hardware. Availability means that information is accessible to authorized users whenever they need it; threats include DDoS attacks, hardware or software failures, and elementary hazards such as fire.
We would be happy to show you how to implement the individual protection goals with our software in a personal consultation appointment. Please feel free to contact us!