Module 2: Security Fundamentals

CIA Triad (Confidentiality, Integrity, Availability)

Master the three fundamental principles of information security that form the foundation of cybersecurity with real-world examples and practical applications.

Content by: Vatsal Vadariya

Cybersecurity Specialist

Connect

Confidentiality: Keeping Secrets Safe

Confidentiality ensures that information is accessible only to authorized individuals, entities, or processes. It prevents unauthorized disclosure of sensitive information. Think of it as a locked diary - only you have the key, and no one else can read your private thoughts.

Confidentiality in Practice

•Password protection: Only you know your password
•Encryption: Scrambling data so only authorized parties can read it
•Access controls: Limiting who can see sensitive information
•Data classification: Marking information as public, internal, or confidential
•Secure communication: Using encrypted channels for sensitive data

Integrity: Ensuring Data Accuracy

Integrity ensures that information remains accurate, complete, and unmodified during storage, processing, or transmission. It prevents unauthorized alteration of data. Imagine a bank account - the balance must be accurate and only change through legitimate transactions.

Integrity Protection Methods

•Digital signatures: Verify that data hasn't been tampered with
•Checksums: Mathematical values that detect changes in data
•Version control: Track changes to documents and files
•Audit trails: Log all modifications to sensitive data
•Backup systems: Maintain copies of original data

Availability: When You Need It

Availability ensures that information and resources are accessible to authorized users when needed. It prevents service disruptions and ensures business continuity. Like having a reliable car that starts every time you need to go somewhere.

Availability Strategies

•Redundancy: Multiple systems to prevent single points of failure
•Backup systems: Quick recovery from system failures
•Load balancing: Distributing traffic across multiple servers
•Disaster recovery: Plans for major system failures
•Monitoring: Early detection of potential problems

CIA Triad Implementation Example

Code Example

# Example: CIA Triad in Practice - Online Banking System
const crypto = require('crypto');

// CONFIDENTIALITY - Data Encryption
function encryptData(data, key) {
    const cipher = crypto.createCipher('aes-256-cbc', key);
    let encrypted = cipher.update(data, 'utf8', 'hex');
    encrypted += cipher.final('hex');
    return encrypted;
}

function decryptData(encryptedData, key) {
    const decipher = crypto.createDecipher('aes-256-cbc', key);
    let decrypted = decipher.update(encryptedData, 'hex', 'utf8');
    decrypted += decipher.final('utf8');
    return decrypted;
}

// INTEGRITY - Data Hashing and Digital Signatures
function createHash(data) {
    return crypto.createHash('sha256').update(data).digest('hex');
}

function verifyIntegrity(originalData, receivedHash) {
    const calculatedHash = createHash(originalData);
    return calculatedHash === receivedHash;
}

// AVAILABILITY - System Health Monitoring
function checkSystemHealth() {
    return {
        status: 'healthy',
        uptime: process.uptime(),
        memory: process.memoryUsage(),
        timestamp: new Date().toISOString(),
        responseTime: Math.random() * 100 + 50 // Simulated response time
    };
}

// Example: Banking Transaction with CIA Triad
const bankingTransaction = {
    accountNumber: "1234567890",
    amount: 1000,
    recipient: "John Doe",
    timestamp: new Date().toISOString()
};

// Step 1: CONFIDENTIALITY - Encrypt sensitive data
const encryptionKey = "bank-secret-key-2024";
const encryptedTransaction = encryptData(JSON.stringify(bankingTransaction), encryptionKey);
console.log("Confidentiality: Transaction encrypted");

// Step 2: INTEGRITY - Create hash to verify data hasn't changed
const transactionHash = createHash(JSON.stringify(bankingTransaction));
console.log("Integrity: Hash created for verification");

// Step 3: AVAILABILITY - Check system health before processing
const systemStatus = checkSystemHealth();
if (systemStatus.status === 'healthy') {
    console.log("Availability: System is healthy, processing transaction");
} else {
    console.log("Availability: System unavailable, transaction queued");
}

// Verify integrity when receiving data
const isDataIntact = verifyIntegrity(JSON.stringify(bankingTransaction), transactionHash);
console.log(`Data integrity verified: ${isDataIntact}`);

// Decrypt data when needed
const decryptedTransaction = decryptData(encryptedTransaction, encryptionKey);
console.log("Transaction decrypted for processing:", JSON.parse(decryptedTransaction));

Swipe to see more code

# Example: CIA Triad in Practice - Online Banking System
const crypto = require('crypto');

// CONFIDENTIALITY - Data Encryption
function encryptData(data, key) {
    const cipher = crypto.createCipher('aes-256-cbc', key);
    let encrypted = cipher.update(data, 'utf8', 'hex');
    encrypted += cipher.final('hex');
    return encrypted;
}

function decryptData(encryptedData, key) {
    const decipher = crypto.createDecipher('aes-256-cbc', key);
    let decrypted = decipher.update(encryptedData, 'hex', 'utf8');
    decrypted += decipher.final('utf8');
    return decrypted;
}

// INTEGRITY - Data Hashing and Digital Signatures
function createHash(data) {
    return crypto.createHash('sha256').update(data).digest('hex');
}

function verifyIntegrity(originalData, receivedHash) {
    const calculatedHash = createHash(originalData);
    return calculatedHash === receivedHash;
}

// AVAILABILITY - System Health Monitoring
function checkSystemHealth() {
    return {
        status: 'healthy',
        uptime: process.uptime(),
        memory: process.memoryUsage(),
        timestamp: new Date().toISOString(),
        responseTime: Math.random() * 100 + 50 // Simulated response time
    };
}

// Example: Banking Transaction with CIA Triad
const bankingTransaction = {
    accountNumber: "1234567890",
    amount: 1000,
    recipient: "John Doe",
    timestamp: new Date().toISOString()
};

// Step 1: CONFIDENTIALITY - Encrypt sensitive data
const encryptionKey = "bank-secret-key-2024";
const encryptedTransaction = encryptData(JSON.stringify(bankingTransaction), encryptionKey);
console.log("Confidentiality: Transaction encrypted");

// Step 2: INTEGRITY - Create hash to verify data hasn't changed
const transactionHash = createHash(JSON.stringify(bankingTransaction));
console.log("Integrity: Hash created for verification");

// Step 3: AVAILABILITY - Check system health before processing
const systemStatus = checkSystemHealth();
if (systemStatus.status === 'healthy') {
    console.log("Availability: System is healthy, processing transaction");
} else {
    console.log("Availability: System unavailable, transaction queued");
}

// Verify integrity when receiving data
const isDataIntact = verifyIntegrity(JSON.stringify(bankingTransaction), transactionHash);
console.log(`Data integrity verified: ${isDataIntact}`);

// Decrypt data when needed
const decryptedTransaction = decryptData(encryptedTransaction, encryptionKey);
console.log("Transaction decrypted for processing:", JSON.parse(decryptedTransaction));

Scroll

CIA Triad Trade-offs

•Confidentiality vs Availability: Strong encryption may slow down systems
•Integrity vs Performance: Extensive logging may impact speed
•Availability vs Security: More security measures may reduce uptime
•Balancing act: Finding the right mix for your organization
•Risk assessment: Understanding what's most important for your use case

Interactive Exercise: CIA Triad Assessment

Code Example

# Mini-Project: CIA Triad Assessment
// Assess how well different systems implement the CIA Triad

const systemAssessments = {
    email: {
        confidentiality: "Medium - Emails can be intercepted",
        integrity: "Low - Emails can be modified in transit",
        availability: "High - Email services are generally reliable"
    },
    onlineBanking: {
        confidentiality: "High - Strong encryption and authentication",
        integrity: "High - Digital signatures and audit trails",
        availability: "High - Redundant systems and monitoring"
    },
    socialMedia: {
        confidentiality: "Low - Data is often shared publicly",
        integrity: "Medium - Some protection against tampering",
        availability: "High - Generally reliable access"
    },
    cloudStorage: {
        confidentiality: "High - Encryption at rest and in transit",
        integrity: "High - Version control and checksums",
        availability: "High - Multiple data centers and redundancy"
    }
};

// Calculate CIA Triad score
function calculateCIAScore(system) {
    const scores = {
        confidentiality: system.confidentiality === 'High' ? 3 : system.confidentiality === 'Medium' ? 2 : 1,
        integrity: system.integrity === 'High' ? 3 : system.integrity === 'Medium' ? 2 : 1,
        availability: system.availability === 'High' ? 3 : system.availability === 'Medium' ? 2 : 1
    };
    
    const totalScore = scores.confidentiality + scores.integrity + scores.availability;
    const maxScore = 9;
    const percentage = (totalScore / maxScore) * 100;
    
    return {
        scores,
        totalScore,
        percentage,
        level: percentage >= 80 ? 'Excellent' : 
               percentage >= 60 ? 'Good' : 
               percentage >= 40 ? 'Fair' : 'Poor'
    };
}

// Assess each system
Object.keys(systemAssessments).forEach(systemName => {
    const assessment = calculateCIAScore(systemAssessments[systemName]);
    console.log(`${systemName.toUpperCase()} CIA Triad Score:`);
    console.log(`  Confidentiality: ${systemAssessments[systemName].confidentiality}`);
    console.log(`  Integrity: ${systemAssessments[systemName].integrity}`);
    console.log(`  Availability: ${systemAssessments[systemName].availability}`);
    console.log(`  Overall Score: ${assessment.percentage}% - ${assessment.level}`);
    console.log('---');
});

Swipe to see more code

# Mini-Project: CIA Triad Assessment
// Assess how well different systems implement the CIA Triad

const systemAssessments = {
    email: {
        confidentiality: "Medium - Emails can be intercepted",
        integrity: "Low - Emails can be modified in transit",
        availability: "High - Email services are generally reliable"
    },
    onlineBanking: {
        confidentiality: "High - Strong encryption and authentication",
        integrity: "High - Digital signatures and audit trails",
        availability: "High - Redundant systems and monitoring"
    },
    socialMedia: {
        confidentiality: "Low - Data is often shared publicly",
        integrity: "Medium - Some protection against tampering",
        availability: "High - Generally reliable access"
    },
    cloudStorage: {
        confidentiality: "High - Encryption at rest and in transit",
        integrity: "High - Version control and checksums",
        availability: "High - Multiple data centers and redundancy"
    }
};

// Calculate CIA Triad score
function calculateCIAScore(system) {
    const scores = {
        confidentiality: system.confidentiality === 'High' ? 3 : system.confidentiality === 'Medium' ? 2 : 1,
        integrity: system.integrity === 'High' ? 3 : system.integrity === 'Medium' ? 2 : 1,
        availability: system.availability === 'High' ? 3 : system.availability === 'Medium' ? 2 : 1
    };
    
    const totalScore = scores.confidentiality + scores.integrity + scores.availability;
    const maxScore = 9;
    const percentage = (totalScore / maxScore) * 100;
    
    return {
        scores,
        totalScore,
        percentage,
        level: percentage >= 80 ? 'Excellent' : 
               percentage >= 60 ? 'Good' : 
               percentage >= 40 ? 'Fair' : 'Poor'
    };
}

// Assess each system
Object.keys(systemAssessments).forEach(systemName => {
    const assessment = calculateCIAScore(systemAssessments[systemName]);
    console.log(`${systemName.toUpperCase()} CIA Triad Score:`);
    console.log(`  Confidentiality: ${systemAssessments[systemName].confidentiality}`);
    console.log(`  Integrity: ${systemAssessments[systemName].integrity}`);
    console.log(`  Availability: ${systemAssessments[systemName].availability}`);
    console.log(`  Overall Score: ${assessment.percentage}% - ${assessment.level}`);
    console.log('---');
});

Scroll

🎯 Practice Exercise

Test your understanding of this topic:

I understand the basic concepts covered in this topicI can apply the concepts in practical scenariosI'm ready to move to the next topic

Security Principles

Learn the core principles that guide security practices and decision-making in cybersecurity.

Content by: Vatsal Vadariya

Cybersecurity Specialist

Connect

Defense in Depth

•Multiple layers of security controls
•No single point of failure
•Redundant security measures
•Layered approach to protection
•Compensating controls when primary fails

Least Privilege

•Users get minimum necessary access
•Principle of least privilege access
•Regular access reviews
•Temporary access when needed
•Separation of duties

Fail Secure

•System fails to secure state
•Deny access by default
•Secure configuration on failure
•Error handling without exposure
•Graceful degradation

Security by Design

•Security built into systems from start
•Secure development lifecycle
•Threat modeling during design
•Security requirements definition
•Regular security testing

Implementation Example

Code Example

# Example: Security Principles in Practice
class UserAccessControl {
    constructor() {
        this.users = new Map();
        this.permissions = new Map();
    }
    
    // Least Privilege - Grant minimum necessary access
    grantAccess(userId, resource, action) {
        if (!this.hasPermission(userId, resource, action)) {
            throw new Error('Access denied - insufficient privileges');
        }
        return true;
    }
    
    // Defense in Depth - Multiple validation layers
    validateAccess(userId, resource, action) {
        // Layer 1: User exists
        if (!this.users.has(userId)) {
            return false;
        }
        
        // Layer 2: User is active
        if (!this.users.get(userId).isActive) {
            return false;
        }
        
        // Layer 3: Permission exists
        if (!this.hasPermission(userId, resource, action)) {
            return false;
        }
        
        // Layer 4: Resource is available
        if (!this.isResourceAvailable(resource)) {
            return false;
        }
        
        return true;
    }
    
    // Fail Secure - Default to deny
    hasPermission(userId, resource, action) {
        const userPermissions = this.permissions.get(userId) || [];
        return userPermissions.some(p => 
            p.resource === resource && p.action === action
        );
    }
}

Swipe to see more code

# Example: Security Principles in Practice
class UserAccessControl {
    constructor() {
        this.users = new Map();
        this.permissions = new Map();
    }
    
    // Least Privilege - Grant minimum necessary access
    grantAccess(userId, resource, action) {
        if (!this.hasPermission(userId, resource, action)) {
            throw new Error('Access denied - insufficient privileges');
        }
        return true;
    }
    
    // Defense in Depth - Multiple validation layers
    validateAccess(userId, resource, action) {
        // Layer 1: User exists
        if (!this.users.has(userId)) {
            return false;
        }
        
        // Layer 2: User is active
        if (!this.users.get(userId).isActive) {
            return false;
        }
        
        // Layer 3: Permission exists
        if (!this.hasPermission(userId, resource, action)) {
            return false;
        }
        
        // Layer 4: Resource is available
        if (!this.isResourceAvailable(resource)) {
            return false;
        }
        
        return true;
    }
    
    // Fail Secure - Default to deny
    hasPermission(userId, resource, action) {
        const userPermissions = this.permissions.get(userId) || [];
        return userPermissions.some(p => 
            p.resource === resource && p.action === action
        );
    }
}

Scroll

🎯 Practice Exercise

Test your understanding of this topic:

I understand the basic concepts covered in this topicI can apply the concepts in practical scenariosI'm ready to move to the next topic

Risk vs Threat vs Vulnerability

Understand the key differences between risk, threat, and vulnerability in cybersecurity context.

Content by: Vatsal Vadariya

Cybersecurity Specialist

Connect

Vulnerability

A weakness or flaw in a system, process, or control that could be exploited by a threat. It's a gap in security that exists regardless of whether it's been discovered or exploited.

Threat

Any potential danger that could exploit a vulnerability to cause harm to an organization's assets. Threats can be natural, accidental, or intentional.

Risk

The potential for loss or damage when a threat exploits a vulnerability. Risk is calculated as: Risk = Threat × Vulnerability × Impact.

Examples

•Vulnerability: Unpatched software with known security flaw
•Threat: Malicious actor looking to exploit the flaw
•Risk: Data breach resulting in financial loss and reputation damage
•Vulnerability: Weak password policy
•Threat: Brute force attack
•Risk: Unauthorized access to user accounts

Risk Assessment Example

Code Example

# Example: Risk Assessment Framework
class RiskAssessment {
    constructor() {
        this.vulnerabilities = new Map();
        this.threats = new Map();
        this.assets = new Map();
    }
    
    // Calculate risk score
    calculateRisk(vulnerabilityId, threatId, assetId) {
        const vulnerability = this.vulnerabilities.get(vulnerabilityId);
        const threat = this.threats.get(threatId);
        const asset = this.assets.get(assetId);
        
        if (!vulnerability || !threat || !asset) {
            return null;
        }
        
        // Risk = Likelihood × Impact × Vulnerability Severity
        const likelihood = threat.probability; // 1-5 scale
        const impact = asset.value; // 1-5 scale
        const severity = vulnerability.severity; // 1-5 scale
        
        const riskScore = likelihood * impact * severity;
        
        return {
            riskScore,
            riskLevel: this.getRiskLevel(riskScore),
            recommendations: this.getRecommendations(riskScore)
        };
    }
    
    getRiskLevel(score) {
        if (score >= 75) return 'Critical';
        if (score >= 50) return 'High';
        if (score >= 25) return 'Medium';
        return 'Low';
    }
    
    getRecommendations(score) {
        if (score >= 75) return ['Immediate action required', 'Implement compensating controls'];
        if (score >= 50) return ['Address within 30 days', 'Consider additional monitoring'];
        if (score >= 25) return ['Address within 90 days', 'Regular monitoring'];
        return ['Monitor and review periodically'];
    }
}

Swipe to see more code

# Example: Risk Assessment Framework
class RiskAssessment {
    constructor() {
        this.vulnerabilities = new Map();
        this.threats = new Map();
        this.assets = new Map();
    }
    
    // Calculate risk score
    calculateRisk(vulnerabilityId, threatId, assetId) {
        const vulnerability = this.vulnerabilities.get(vulnerabilityId);
        const threat = this.threats.get(threatId);
        const asset = this.assets.get(assetId);
        
        if (!vulnerability || !threat || !asset) {
            return null;
        }
        
        // Risk = Likelihood × Impact × Vulnerability Severity
        const likelihood = threat.probability; // 1-5 scale
        const impact = asset.value; // 1-5 scale
        const severity = vulnerability.severity; // 1-5 scale
        
        const riskScore = likelihood * impact * severity;
        
        return {
            riskScore,
            riskLevel: this.getRiskLevel(riskScore),
            recommendations: this.getRecommendations(riskScore)
        };
    }
    
    getRiskLevel(score) {
        if (score >= 75) return 'Critical';
        if (score >= 50) return 'High';
        if (score >= 25) return 'Medium';
        return 'Low';
    }
    
    getRecommendations(score) {
        if (score >= 75) return ['Immediate action required', 'Implement compensating controls'];
        if (score >= 50) return ['Address within 30 days', 'Consider additional monitoring'];
        if (score >= 25) return ['Address within 90 days', 'Regular monitoring'];
        return ['Monitor and review periodically'];
    }
}

Scroll

🎯 Practice Exercise

Test your understanding of this topic:

I understand the basic concepts covered in this topicI can apply the concepts in practical scenariosI'm ready to move to the next topic

Security Controls Overview

Learn about different types of security controls and how they work together to protect information and systems.

Content by: Vatsal Vadariya

Cybersecurity Specialist

Connect

Administrative Controls

•Security policies and procedures
•Training and awareness programs
•Background checks and screening
•Incident response plans
•Regular security audits

Technical Controls

•Firewalls and intrusion detection systems
•Antivirus and anti-malware software
•Access control systems
•Encryption and data protection
•Network monitoring tools

Physical Controls

•Locks and access cards
•Security cameras and surveillance
•Environmental controls (temperature, humidity)
•Secure disposal of media
•Visitor management systems

Control Categories

•Preventive: Stop incidents before they occur
•Detective: Identify and detect security incidents
•Corrective: Fix issues after they're discovered
•Deterrent: Discourage potential attackers
•Compensating: Alternative controls when primary fails

Control Implementation Example

Code Example

# Example: Security Control Framework
class SecurityControls {
    constructor() {
        this.controls = new Map();
        this.categories = ['Administrative', 'Technical', 'Physical'];
        this.types = ['Preventive', 'Detective', 'Corrective', 'Deterrent'];
    }
    
    addControl(name, category, type, description) {
        this.controls.set(name, {
            category,
            type,
            description,
            status: 'Active',
            lastReview: new Date(),
            effectiveness: 'Unknown'
        });
    }
    
    // Evaluate control effectiveness
    evaluateControl(controlName, metrics) {
        const control = this.controls.get(controlName);
        if (!control) return null;
        
        const effectiveness = this.calculateEffectiveness(metrics);
        control.effectiveness = effectiveness;
        control.lastReview = new Date();
        
        return {
            controlName,
            effectiveness,
            recommendations: this.getControlRecommendations(effectiveness)
        };
    }
    
    calculateEffectiveness(metrics) {
        const { incidentsPrevented, falsePositives, cost, coverage } = metrics;
        
        // Simple effectiveness calculation
        const preventionRate = incidentsPrevented / (incidentsPrevented + falsePositives);
        const costEffectiveness = incidentsPrevented / cost;
        const coverageScore = coverage / 100;
        
        const overallScore = (preventionRate + costEffectiveness + coverageScore) / 3;
        
        if (overallScore >= 0.8) return 'High';
        if (overallScore >= 0.6) return 'Medium';
        return 'Low';
    }
}

Swipe to see more code

# Example: Security Control Framework
class SecurityControls {
    constructor() {
        this.controls = new Map();
        this.categories = ['Administrative', 'Technical', 'Physical'];
        this.types = ['Preventive', 'Detective', 'Corrective', 'Deterrent'];
    }
    
    addControl(name, category, type, description) {
        this.controls.set(name, {
            category,
            type,
            description,
            status: 'Active',
            lastReview: new Date(),
            effectiveness: 'Unknown'
        });
    }
    
    // Evaluate control effectiveness
    evaluateControl(controlName, metrics) {
        const control = this.controls.get(controlName);
        if (!control) return null;
        
        const effectiveness = this.calculateEffectiveness(metrics);
        control.effectiveness = effectiveness;
        control.lastReview = new Date();
        
        return {
            controlName,
            effectiveness,
            recommendations: this.getControlRecommendations(effectiveness)
        };
    }
    
    calculateEffectiveness(metrics) {
        const { incidentsPrevented, falsePositives, cost, coverage } = metrics;
        
        // Simple effectiveness calculation
        const preventionRate = incidentsPrevented / (incidentsPrevented + falsePositives);
        const costEffectiveness = incidentsPrevented / cost;
        const coverageScore = coverage / 100;
        
        const overallScore = (preventionRate + costEffectiveness + coverageScore) / 3;
        
        if (overallScore >= 0.8) return 'High';
        if (overallScore >= 0.6) return 'Medium';
        return 'Low';
    }
}

Scroll

🎯 Practice Exercise

Test your understanding of this topic:

I understand the basic concepts covered in this topicI can apply the concepts in practical scenariosI'm ready to move to the next topic

Security Fundamentals

Select Topics Overview

CIA Triad (Confidentiality, Integrity, Availability)

Security Principles

Risk vs Threat vs Vulnerability

Security Controls Overview

CIA Triad (Confidentiality, Integrity, Availability)

Security Principles

Risk vs Threat vs Vulnerability

Security Controls Overview

CIA Triad (Confidentiality, Integrity, Availability)

Confidentiality: Keeping Secrets Safe

Confidentiality in Practice

Integrity: Ensuring Data Accuracy

Integrity Protection Methods

Availability: When You Need It

Availability Strategies

CIA Triad Implementation Example

CIA Triad Trade-offs

Interactive Exercise: CIA Triad Assessment

🎯 Practice Exercise

Security Principles

Defense in Depth

Least Privilege

Fail Secure

Security by Design

Implementation Example

🎯 Practice Exercise

Risk vs Threat vs Vulnerability

Vulnerability

Threat

Risk

Examples

Risk Assessment Example

🎯 Practice Exercise

Security Controls Overview

Administrative Controls

Technical Controls

Physical Controls

Control Categories

Control Implementation Example

🎯 Practice Exercise

Module 1: Introduction to Cybersecurity

Module 3: Computer Systems & Networks

Ready for the Next Module?