CIA

No… this is not about what Robin Williams calls the ‘Central Intuitive Agency’ :). This is about the three basics of Information Security – Confidentiality, Integrity and Availability. Confidentiality refers to the information being secret, being accessible only to a few chosen ones. Some people take this further and, rather than just the information being secret, even the existence of the information is kept secret. This is called steganography. Integrity is the assurance that the information available is correct. Sometimes people strengthen this property and demand that the origin of the information is also correct; this is called authentication. Integrity assurance itself has two types of mechanisms. The first, weaker kind just ensures that if the information is tampered with, the tampering comes to light. The second, stronger kind does not allow tampering at all. Finally we come to availability. This particular property has been a relatively new design requirement. Denial of service attacks, some famous ones like the SYN flood attack, have made this very, very important. Any information that is not available is as good as no information.
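As an added example (not part of the original post), here is the weaker, detection-style integrity mechanism and the authentication property in working Python. It uses the standard library's SHA-256 and HMAC as the concrete mechanisms, which is my choice for the demo rather than anything the post names; the shared key and the messages are constructed values.

```python
import hashlib
import hmac

# Constructed demo value: a secret shared by sender and receiver only.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def plain_digest(message: bytes) -> bytes:
    """Unkeyed SHA-256: reveals tampering only if the digest itself is protected."""
    return hashlib.sha256(message).digest()


def receiver_check_plain(message: bytes, digest: bytes) -> bool:
    """A receiver who trusts whatever digest arrived alongside the message."""
    return plain_digest(message) == digest


def keyed_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag: reveals tampering AND binds the message to a key holder."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(keyed_tag(key, message), tag)


def integrity_scenarios() -> dict:
    """Run sender/receiver scenarios and report which checks behave as hoped."""
    original = b"transfer 100 to account 42"  # constructed message
    altered = b"transfer 900 to account 42"   # constructed tampered copy

    # 1. Unkeyed hash with the digest kept out of band (e.g. published
    #    separately): editing the message without the digest comes to light.
    stored_digest = plain_digest(original)
    hash_detects_edit = not receiver_check_plain(altered, stored_digest)

    # 2. Unkeyed hash that travels with the message: anyone can recompute it
    #    after editing, so the receiver accepts the forged pair. This gives
    #    integrity only against accidents, with no assurance of origin.
    forged_pair = (altered, plain_digest(altered))
    hash_missed_forgery = receiver_check_plain(*forged_pair)

    # 3. Keyed tag: the receiver verifies with the shared secret.
    tag = keyed_tag(SHARED_KEY, original)
    hmac_accepts_intact = verify_tag(SHARED_KEY, original, tag)
    hmac_rejects_edit = not verify_tag(SHARED_KEY, altered, tag)

    # 4. Someone without the secret tags the altered message under a key of
    #    their own; verification with the real key fails, so the origin of
    #    accepted messages is authenticated, not just their content.
    forged_tag = keyed_tag(b"some-other-key", altered)
    hmac_rejects_wrong_origin = not verify_tag(SHARED_KEY, altered, forged_tag)

    return {
        "hash_detects_edit": hash_detects_edit,
        "hash_missed_forgery": hash_missed_forgery,
        "hmac_accepts_intact": hmac_accepts_intact,
        "hmac_rejects_edit": hmac_rejects_edit,
        "hmac_rejects_wrong_origin": hmac_rejects_wrong_origin,
    }


if __name__ == "__main__":
    for name, outcome in integrity_scenarios().items():
        print(f"{name}: {outcome}")
```

Scenario 2 is the one worth remembering: a bare hash shipped next to the data satisfies a receiver's check even after an edit, so it only covers the integrity property when the digest is protected separately. The keyed tag in scenarios 3 and 4 covers both integrity and the stronger origin requirement the post calls authentication. Neither mechanism prevents tampering; they only make it visible, which is the post's weaker kind of assurance.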

Now, once we are done with the security requirements, we need to sort out the kind of threats or attacks we are faced with. Shirey divides them into four broad classes:
Disclosure – Unauthorized access
Deception – Falsifying data
Disruption – Abortion, interruption or prevention of a process or operation
Usurpation – Unauthorized control of a system resource

This is really basic stuff… yes… but it is good to begin at the beginning.
