- [Instructor] Before we cover all the access control fundamentals, the processes and mechanisms, it is very important to go over the pillars of access control and the concepts of confidentiality, integrity, and availability. This is also known as the CIA triad. This is a model designed to guide policies for information security within an organization. The model is also sometimes referred to as the AIC triad, or availability, integrity, and confidentiality, and this is to avoid confusion with the US Central Intelligence Agency. Now, the elements of the triad are considered the three most crucial components of cybersecurity. Now let's go over them.

First, confidentiality. Confidentiality is the process used to ensure that only authorized users can access resources or systems. Now, an example of this is that you, and only you, have access to your bank account information, and nobody else has that. Another example is that a system designed for storing source code is only accessed by the engineering department and not the sales organization or perhaps finance, and then vice versa, a financial system that cannot be accessed from the rest of the company, but only by authorized users in the finance department. Now, attacks on access control that protects the confidentiality of a resource will typically aim at stealing sensitive or confidential information.

Now, the next one is integrity, and that is the process used to ensure that only authorized users can modify the state of a resource or a system. Now, an example is that only authorized users are able to modify entries in a database, or, let's say, in a file. Now, attacks on access control that protects the integrity of a resource will typically aim at changing information. In some cases, this can also be the configuration of a system, like a network infrastructure device, or a server, or a firewall.

Now finally, availability. Now, availability is a process to ensure that a system or a resource is available to users that are authorized to access it, in a reasonable amount of time, right? So attacks that will affect the availability will typically aim at disabling access to a resource, or at creating what we call a denial-of-service condition. Now, having said that, denial-of-service attacks are a simple example of attacks on the availability of a resource or a system.