Penetration Testing Bootcamp The CIA Triad

Author:

HackerSploit

Keywords:

hackersploit,pentest,hacking,penetration testing tools,penetration testing with kali linux,penetration testing live,penetration testing tutorial,penetration testing course,penetration testing linux,penetration testing career,penetration testing certification,penetration testing for beginners hindi,penetration testing for beginners kali linux,penetration testing tutorial hindi,penetration testing tutorial for beginners,kali linux,hacker exploit,penetration testing

Subtitles:
All right, welcome back to the penetration testing bootcamp. In this video we're going to be touching upon the confidentiality, integrity and availability triad in InfoSec, and I'll sort of explain these five essential security features that are used in InfoSec. So first of all, let me just give you a basic understanding if you're not already familiar with InfoSec. The whole idea behind InfoSec is pretty self-explanatory: it's the process of keeping information secure, maintaining its integrity, making sure it's available, and that's why it all comes down to, or points towards, this CIA triad. Now this is something I've already explained before on the channel, but I'll go over it one more time, and its relation to data and, you know, penetration testing, so it's very essential to understand what you're dealing with.

So the CIA triad is an integral part of InfoSec, that's pretty much clear, and it involves the use of five essential features, more like security features, to ensure that data is kept secure. Now that's a very vague statement, and that's why it is defined very clearly, as we can see in this triad. So the three we're dealing with primarily are going to be confidentiality, integrity and availability, and they may seem self-explanatory, but let me give you an introduction to them.

Number one, confidentiality. This is very important. So this feature, or security feature, ensures that data is accessible only to those that have authorized access. So for example, we can encrypt data to prevent unauthorized access, and of course only the authorized parties with the decryption keys can access that data. So this prevents, you know, attackers or any insider from accessing data that they are not authorized to access. So that's one, and that's very important.

Number two, we have integrity. So integrity is used to ensure that the integrity of the data is maintained and that no unauthorized changes have been made to the data. So what do I mean by this? If you have a piece of data or a file and you want to make sure that you maintain its integrity across the board, you can use things like MD5 signature hashing or checksums that will actually generate a hash of a particular file or a folder, and that hash is unique to that particular file. So if any changes are made, that will generate a different hash, and from that you can use deductive logic to determine that, hey, there has been a change made to this file and none of the authorized parties have actually done this, so there has to be a breach of integrity here, or a security hole.

So the next security feature is availability. Availability ensures that systems that store and process this data are accessible to authorized users when needed. So a quick example of this is, you know, things like DDoS protection, load balancing or, to a lesser extent... but what you're trying to do is make sure that the data that is required by certain authorized individuals is available to them when they require it. Now this could also be your clients: you know, you could be running a website, for example, or a web application that's very popular, and clients require access to this web application to perform transactions, do various types of things, and so you want to ensure that they can access the data when they require it.

All right, now the two that are going to be authenticity and non-repudiation really fall under the CIA triad, but are also very important, right? So authenticity is used to ensure that the authenticity of the communication or the transported data is genuine. So an example of this is you're ensuring that communication is encrypted, using, you know, encrypted communication like HTTPS or SSL or TLS. You're essentially making sure that this data is not being intercepted and modified in transit. That's one example. Secondly, you're trying to ensure that the data is not being modified or changed in any way by unauthorized parties. Now you may be saying, well, doesn't this tie into integrity? Well, let me explain. So for example, you could have a system where you have three authorized users that have access to a data set or a database, and then through some security breach an attacker gets access to a particular account, and they can then start performing changes as that authorized user. So this is an obvious breach. To prevent this you want to have things like two-factor authentication that, you know, tries to verify the identity of the person. Generally speaking, you're trying to authenticate, and you're trying to make sure that the person is who they say they are, and of course this could also use things like biometrics, stuff like that. And as I said, when talking about the authenticity of data in transit, you're talking about things like SSL, TLS, etc.

All right, and finally we have non-repudiation. So non-repudiation is a very simple thing to understand: you're essentially trying to ensure that communication between a sender and recipient cannot be refuted. So a quick example: if you're in an organization, you want to essentially log communication, and I'll get into that later on. That may seem very vague, but what you're trying to do is ensure that if someone sends an email or communicates to someone within the company or outside, you are able to actually prove that they did that. So you have the ability to say, hey, you know, even if they refute it or they try and say "hey, I didn't send that", you have the proof and you can actually prove that they did this.

Now this, as you can see, all ties very closely together, because if you miss one of these, then the rest of these can all fall down. So for example, if you miss authenticity and you don't have things like 2FA to verify the identity of authorized users, then non-repudiation can fail, because if the authorized user didn't do it and an attacker did it from his account, then it really can be blamed on him. So they all have to build on one another, and that's why they all settle on a triad. So the whole idea behind that triangle is they all need each other to actually form a solid structure.

All right, so that is the CIA triad within InfoSec, and this will all come into play as we start penetration testing; you'll actually see that you're trying to target all of these areas at different levels. So that's all I wanted to cover in this video. If you have any questions or feedback, let me know in the comment section or at our website, hackersploit.org, and we'll happily answer you or fix any issues we have with this particular video. Thank you so much for watching and I'll be seeing you in the next video.
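The integrity feature described in the video (hash a file once, re-hash later, and treat a changed digest as evidence of an unauthorized modification) is shown below as an added example. This is illustrative code written for this page, not tooling from HackerSploit or the bootcamp; the file names, contents and key are constructed for the demo. It uses SHA-256 rather than the MD5 mentioned in the video, because MD5 collisions are practical and two different files can share an MD5 digest. It also goes one step beyond the video: the baseline manifest itself is sealed with an HMAC, since a hash list is only useful if whoever edits a file cannot also rewrite its stored hash.

```python
"""Added example: file-integrity baseline and verification with SHA-256.

Hypothetical helper code written for this page, not the video's own tooling.
Build a baseline manifest of per-file digests, seal it with a keyed HMAC so
the baseline cannot be silently rewritten, then re-hash later and report
which files changed, went missing, or appeared unexpectedly.
"""
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 64 * 1024  # read files in 64 KiB blocks so large files do not need to fit in memory


def hash_file(path: str) -> str:
    """Return the hex SHA-256 digest of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Walk `root` and map each relative file path to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def verify_manifest(root: str, baseline: dict) -> dict:
    """Re-hash `root` and report files that changed, vanished or are new."""
    current = build_manifest(root)
    changed = sorted(
        p for p in baseline
        if p in current and not hmac.compare_digest(baseline[p], current[p])
    )
    missing = sorted(p for p in baseline if p not in current)
    new = sorted(p for p in current if p not in baseline)
    return {"changed": changed, "missing": missing, "new": new}


def seal_manifest(manifest: dict, key: bytes) -> str:
    """Serialize the manifest and append an HMAC-SHA256 tag computed with `key`.
    Anyone without the key can still read the baseline but cannot forge one."""
    body = json.dumps(manifest, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "\n" + tag


def open_sealed_manifest(sealed: str, key: bytes) -> dict:
    """Check the HMAC tag before trusting the manifest; raise on mismatch."""
    body, tag = sealed.rsplit("\n", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest tag mismatch: baseline was tampered with")
    return json.loads(body)


def demo() -> dict:
    """Constructed scenario: baseline two files, then edit one and drop in another."""
    key = b"constructed-demo-key-keep-the-real-one-off-the-monitored-host"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("debug=false\n")
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "tool.sh"), "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")

        sealed = seal_manifest(build_manifest(root), key)

        # Unauthorized change: one file edited, one new file added.
        with open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("debug=true\n")
        with open(os.path.join(root, "bin", "extra.sh"), "w") as fh:
            fh.write("#!/bin/sh\n")

        baseline = open_sealed_manifest(sealed, key)
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())  # {'changed': ['config.ini'], 'missing': [], 'new': ['bin/extra.sh']}
```

The report tells you that a file changed, not who changed it; tying a change to a person is the authenticity and non-repudiation side the video goes on to discuss, and needs per-user authentication and logging (or a signature made with a key only that user holds) on top of this check. The HMAC key must live somewhere the monitored host cannot reach, otherwise an intruder who can edit files can re-seal the manifest too.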
