Information Security
What is Information Security
2017. Equifax. One unpatched Apache Struts server - $700 million in fines, data of 147 million Americans leaked. 2020. SolarWinds. A backdoor in an IT management software update - $40M settlement, 18,000 organizations compromised including the Pentagon. 2021. Log4Shell - one line in a Java logging library - 3.5 billion devices at risk within 48 hours. Information security is not an optional skill. It is basic literacy for anyone who writes code.
- **OWASP Top 10 (2023)** - Broken Access Control, Cryptographic Failures, Injection - knowing this list covers the overwhelming majority of real-world attacks on web applications
- **Zero Trust (Google BeyondCorp, 2014)** - instead of a trusted perimeter, every request is verified; today the enterprise standard at Microsoft, Cloudflare, Zscaler
- **ML for anomaly detection** - CrowdStrike Falcon and Darktrace use neural networks to detect threats without signatures in real time; traditional signature-based AV is obsolete
CIA Triad: three pillars of security
In 2017, the credit bureau Equifax lost the personal data of **147 million** Americans. Social Security numbers, dates of birth, addresses - all leaked. The company's stock fell 35%, the CEO resigned, and fines exceeded $700 million. One unpatched server - and a company worth $17 billion found itself on the brink of collapse.
Information security rests on three pillars, known as the **CIA Triad** - no relation to the agency. Every security incident is a violation of at least one of them. CrowdStrike Falcon and Darktrace use ML to detect anomalies that violate exactly these three properties in real time, without signature databases.
| Pillar | What it protects | Example violation |
|---|---|---|
| **Confidentiality** | Data is visible only to authorized individuals | Attacker read Equifax's password database |
| **Integrity** | Data has not been altered without authorization | Attacker changed the amount of a bank transfer |
| **Availability** | System is accessible when needed | DDoS attack took down a hospital website for 3 days |
**Balance matters more than maximizing any one pillar.** A military base with no internet connection has perfect confidentiality but zero availability. Public Wikipedia has maximum availability, but the integrity of its articles is under constant threat. The goal is to find the right balance for a specific system.
Every security decision is a trade-off between the three pillars. Two-factor authentication improves confidentiality but reduces availability (a user without their phone won't be able to log in). Backups improve availability but create another point where confidentiality can be compromised.
A common mistake: thinking about security only in terms of confidentiality. If a server is down for 6 hours due to an attack - that is also a security incident (a violation of **Availability**), even if not a single byte of data was leaked.
A hacker changed student grades in a university database without compromising anyone's password. Which pillar of the CIA Triad was violated?
Types of threats
A **threat** is a potential event that can cause harm to a system. Not every threat is realized, but each one must be accounted for. Threats are categorized along several axes.
**APT (Advanced Persistent Threat)** is a well-funded group (often state-sponsored) that spends months inside a victim's network collecting data. Unlike a script kiddie who hacks for fun, an APT operates quietly and with purpose.
| Attacker type | Motivation | Resources | Example |
|---|---|---|---|
| Script kiddie | Entertainment, self-assertion | Low (ready-made tools) | Student with Kali Linux |
| Hacktivists | Ideology, politics | Moderate | Anonymous, attacks on government sites |
| Organized crime | Financial gain | High | Ransomware groups (LockBit, REvil) |
| APT / Nation-states | Espionage, sabotage | Very high | SolarWinds 2020 (attributed to SVR) |
| Insider threat | Grievance, money, blackmail | Already inside! | Employee Edward Snowden (NSA) |
**SolarWinds 2020:** attackers embedded a backdoor into an IT management software update used by 18,000 organizations, including the U.S. Treasury, the Pentagon, and Microsoft. The attack went undetected for **9 months**. This demonstrated that supply chain attacks are one of the most dangerous modern threats.
**80% of data breaches** involve human factors (Verizon DBIR report). Not a hoodie-wearing hacker, but an employee who clicked a phishing link, or an admin who forgot to change a default password.
Insider threats are especially dangerous because the insider already has legitimate access. No firewall helps if an admin with elevated privileges decides to cause harm.
An employee accidentally sent a file with customer data to their personal email. How should this threat be classified?
Vulnerabilities: weaknesses in the system
A **vulnerability** is a weakness in a system that a threat can exploit. A threat without a vulnerability is just noise. A vulnerability without a threat is just a bug. Together they create **real risk**.
The industry uses standardized systems to describe vulnerabilities:
| System | What it does | Example |
|---|---|---|
| **CVE** | Unique vulnerability identifier | CVE-2021-44228 (Log4Shell) |
| **CWE** | Classification of weakness types | CWE-79 (XSS), CWE-89 (SQL Injection) |
| **CVSS** | Severity score (0.0–10.0) | Log4Shell: 10.0 (Critical) |
**OWASP Top 10 (2023)** - annually updated list of the most common web application vulnerabilities: 1) Broken Access Control, 2) Cryptographic Failures, 3) Injection (SQL, XSS, etc.). Knowing the Top 10 covers the overwhelming majority of real-world attacks. Log4Shell (CVE-2021-44228, CVSS 10.0) - a vulnerability in a Java logging library - exposed 3.5 billion devices and cost the industry $3.5 billion to remediate.
**Zero-day** - a vulnerability the vendor doesn't know about yet. On the black market, a zero-day for iOS can cost up to **$2.5 million** (Zerodium, 2024). This is the most dangerous type of vulnerability because no patch yet exists.
Check dependencies regularly! The command `npm audit` (Node.js) or `pip-audit` (Python) will show known CVEs in the libraries used. Most real-world breaches occur through known but unpatched vulnerabilities.
Log4Shell (CVE-2021-44228) received a CVSS score of 10.0 out of 10.0. The vulnerability allowed arbitrary code execution on a server via a specially crafted string in log entries. Why exactly 10.0?
Risk Management
We now know the three components: **threats** want to cause harm, **vulnerabilities** give them the opportunity, and the **CIA Triad** defines what we are protecting. All that remains is to assemble this into a decision-making system - **risk management**.
Once a risk has been identified, there are **four strategies** for dealing with it:
| Strategy | What we do | Example |
|---|---|---|
| **Avoid** | Remove the source of risk | Don't store credit card data - delegate to Stripe |
| **Mitigate** | Reduce the likelihood or impact | Encryption, firewall, backups, MFA |
| **Transfer** | Shift responsibility to a third party | Cyber insurance, SLA with a cloud provider |
| **Accept** | Consciously do nothing | The risk is too small, or protection costs more than the loss |
**Real-world example:** a startup decides whether to spend $50,000 on a pentest. If the startup processes medical data (HIPAA), the fine for a data breach is up to $1.9 million. Risk > Cost = **Mitigate**. If it's a pet project with no user data - **Accept**.
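The decision in the example above, written out as code (an added example, not from the lesson): expected annual loss is computed as Threat x Vulnerability x Impact, and the four strategies are tried in table order; the probabilities, the accept threshold and the pentest's 50% effectiveness are constructed, assumed values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    """One row of a risk register. Threat and vulnerability are assumed
    per-year probabilities (a constructed scale, not from the lesson)."""
    name: str
    threat: float          # likelihood someone attempts the attack (0..1)
    vulnerability: float   # likelihood the attempt succeeds (0..1)
    impact_usd: float      # loss if it succeeds: fines, downtime, recovery

    def expected_loss(self) -> float:
        # Risk = Threat x Vulnerability x Impact, read as expected annual loss.
        return self.threat * self.vulnerability * self.impact_usd


@dataclass
class Control:
    """A candidate mitigation such as a pentest or an encryption rollout."""
    name: str
    cost_usd: float
    reduction: float       # fraction of the expected loss it removes (0..1)


def choose_strategy(risk: Risk, control: Optional[Control] = None,
                    can_avoid: bool = False, insurable: bool = False,
                    accept_threshold_usd: float = 1_000.0) -> str:
    """Walk the four strategies in the order the table lists them."""
    if can_avoid:
        return "Avoid"        # remove the risk source, e.g. never hold card data
    loss = risk.expected_loss()
    if loss < accept_threshold_usd:
        return "Accept"       # too small to be worth any spend
    if control is not None and loss * control.reduction > control.cost_usd:
        return "Mitigate"     # the control pays for itself
    if insurable:
        return "Transfer"     # let an insurer or provider carry the loss
    return "Accept"           # protection would cost more than the loss


# Constructed entries echoing the lesson's $50,000 pentest decision.
MEDICAL_STARTUP = Risk("HIPAA breach", threat=0.5, vulnerability=0.3, impact_usd=1_900_000)
PET_PROJECT = Risk("Hobby site defaced", threat=0.5, vulnerability=0.3, impact_usd=500)
PENTEST = Control("External pentest", cost_usd=50_000, reduction=0.5)

if __name__ == "__main__":
    for r in (MEDICAL_STARTUP, PET_PROJECT):
        print(f"{r.name}: ${r.expected_loss():,.0f}/year -> {choose_strategy(r, PENTEST)}")
```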
Key principle: **defense in depth**. A single layer of protection is never enough. A firewall fails - encryption protects the data. Encryption is broken - monitoring detects the anomaly. Google BeyondCorp (2014) took this to the extreme: no trusted perimeter at all, every request is verified. This is Zero Trust architecture - now the industry standard at Microsoft, Cloudflare, and Zscaler.
Security is a **process**, not a product. A firewall cannot be configured once and forgotten. New threats emerge daily, systems get updated, employees change. Security requires constant attention.
**Myth:** 100% security is achievable - it just requires enough money and effort.
**Reality:** Absolute security is impossible. The goal is to manage risks down to an acceptable level at a reasonable cost.
Every system involves trade-offs: convenience vs. security, cost vs. protection. SolarWinds spent $40M on settlement - and the attack came through the supply chain, not a weak perimeter. Log4Shell hit 3.5 billion devices despite enterprise security budgets. Even air-gapped systems have been compromised via USB (Stuxnet, 2010). The goal is not the ideal, but reducing risk to a level the business is willing to accept.
A small online store wants to accept card payments. What is the most sensible risk management strategy for storing card data?
Key Takeaways
- **CIA Triad** - confidentiality, integrity, availability - three pillars in balance; Equifax 2017 ($700M) violated all three simultaneously through one unpatched server
- **Threats**: 80% of breaches involve the human factor (Verizon DBIR); APT groups like the SolarWinds attackers stay inside networks for months undetected
- **CVE/CWE/CVSS**: Log4Shell CVSS 10.0 - maximum score for unauthenticated RCE; `npm audit` and `pip-audit` close most N-day attacks
- **Risk = Threat x Vulnerability x Impact** - four strategies: avoid, mitigate, transfer, accept; Zero Trust (BeyondCorp) is the architectural answer to insider threats
- **Security is a process**: CrowdStrike Falcon and Darktrace apply ML for real-time anomaly detection - because signatures cannot keep up with zero-day exploits
Related Topics
Information security is a broad field. Next we'll dive into specific methodologies and tools:
- Threat Models and STRIDE — How to systematically find threats rather than guessing
- Authentication and Authorization — Practical implementation of Confidentiality from the CIA Triad
- Cryptography — The mathematical foundation of confidentiality and integrity
Questions for reflection
- The SolarWinds attack came through the supply chain, not through the perimeter. Which CIA Triad pillar was violated - and would Zero Trust architecture have prevented it or not?
- Log4Shell received CVSS 10.0 for unauthenticated RCE in a ubiquitously used library. What risk management strategy did companies apply that were not breached in the first 24 hours?
- CrowdStrike Falcon uses ML to detect threats without signatures. Which CIA pillar does this protect first - and why did traditional signature-based antivirus prove insufficient?
Related lessons
- sec-02 — Threat modeling (STRIDE) builds directly on the CIA Triad and threat taxonomy from this lesson
- crypto-01-intro — Cryptography is the mathematical foundation of Confidentiality and Integrity in the CIA Triad
- prob-01-intro — Risk quantification requires probabilistic reasoning identical to basic probability theory
- st-01-feedback-loops — Defense in depth creates layered feedback loops for threat detection
- alg-01-big-o — CVSS scoring provides the same kind of objective comparison as Big-O notation
- net-01-intro