Module 5 of 25 · Foundations

CIA triad and simple attacks

30 min read · 3 outcomes · Interactive attack classifier + drag challenge · 5 standards cited

By the end of this module you will be able to:

  • Give a real-world example of each CIA triad property being violated
  • Apply the STRIDE threat model to identify threats in a given scenario
  • Classify common attack types by which CIA property they primarily target

Real-world incident · September 2022

An 18-year-old bypassed every user-facing security control. The method: MFA fatigue and a network share.

In September 2022, Uber's internal systems were compromised by an 18-year-old attacker. The method was not a sophisticated zero-day exploit. The attacker purchased stolen Uber employee credentials from the dark web, then spent several hours sending repeated MFA (Multi-Factor Authentication) push notifications to the employee's phone until the employee, exhausted by the notifications, accepted one, believing it was a system error. This technique is called MFA fatigue.

Once inside, the attacker found plaintext credentials stored in an internal network share, which provided access to Uber's AWS (Amazon Web Services) environment, Google Workspace, HackerOne vulnerability disclosure programme, Slack, and internal tools. The attacker posted screenshots of Uber's internal systems on HackerOne and Twitter. Uber confirmed the breach, described it as a social engineering attack, and took several systems offline to contain it.

The incident violated all three CIA triad properties simultaneously: confidentiality (internal data and vulnerability reports were seen by an unauthorised person), integrity (the attacker had write access to many systems), and availability (Uber took systems offline). This module unpacks each property in depth, introduces the STRIDE threat model, and maps common attack types to the framework.

The Uber attacker violated all three CIA triad properties in one incident. Which came first, and how did each enable the next?

With the learning outcomes established, this module begins by examining the CIA triad in depth.

5.1 The CIA triad in depth

Module 1 introduced the CIA triad as the foundational model for what cybersecurity protects. This module goes deeper: for each property, you will see how a real attack violated it, what specific controls would have prevented the breach, and how to classify new attacks you encounter against the framework.

Confidentiality is the assurance that information is accessible only to those authorised to access it. Violations occur when data is read, copied, or transmitted without authorisation, whether intentionally through theft or accidentally through misconfiguration. Controls include encryption, access restrictions, and data classification policies.

In September 2017, Equifax disclosed that attackers accessed the personal data of approximately 147 million people, including Social Security numbers, birth dates, and addresses. The attackers exploited an unpatched Apache Struts vulnerability (CVE-2017-5638, known since March 2017) and moved laterally through Equifax's systems for 76 days before detection. This is a textbook confidentiality violation: data read and exfiltrated by parties with no authorisation.

Integrity means ensuring data is accurate and has not been altered without authorisation. Integrity attacks modify, delete, or fabricate data. The 2016 Bangladesh Bank SWIFT attack, covered in Module 3, was an integrity attack: fraudulent transfer instructions were inserted into a legitimate transaction workflow without any data being stolen.

Availability ensures systems and data are accessible when needed by authorised users. The WannaCry attack against the NHS in May 2017 was primarily an availability attack: systems were encrypted and made inaccessible, with no data exfiltration involved. DDoS (Distributed Denial-of-Service) attacks, ransomware, and hardware failures all target availability.

The three security objectives are Confidentiality, Integrity, and Availability. Loss of confidentiality is the unauthorized disclosure of information. Loss of integrity is the unauthorized modification or destruction of information. Loss of availability is the disruption of access to or use of information or an information system.

NIST SP 800-12 Rev.1, An Introduction to Information Security - Section 2.1, Three Security Objectives

NIST SP 800-12 Rev.1 provides the authoritative US government definitions of the CIA triad properties. The precision of these definitions matters: confidentiality covers disclosure, integrity covers modification or destruction, and availability covers disruption of access. All three can apply to the same incident, as the Uber breach demonstrated.

The CIA triad represents the fundamental security properties that a secure system must protect. Confidentiality prevents unauthorised disclosure, integrity prevents unauthorised modification, and availability ensures legitimate users can access the system. All three properties must be considered together; protecting one at the expense of another creates exploitable weaknesses.

ISO/IEC 27001:2022, Annex A.8.20: Networks Security, foundational CIA objectives - Annex A.8

With the CIA triad covered in depth, the discussion now turns to STRIDE, which maps threats to system functions and builds directly on these foundations.

5.2 STRIDE: mapping threats to system functions

The CIA triad describes what attackers aim to violate. STRIDE describes the attack mechanisms they use to do it. Developed at Microsoft in the late 1990s, STRIDE provides a structured vocabulary for identifying threats to any system or component during design.

Each letter represents a threat category. Spoofing means claiming a false identity. A phishing email that appears to come from your bank is spoofing. Tampering means modifying data without authorisation: altering a database record, intercepting a network message, or corrupting a file. Repudiation means denying having performed an action, a threat that audit logging is designed to counter.

Information disclosure covers unauthorised access to data, whether through intentional exfiltration or accidental exposure of a misconfigured S3 bucket. Denial of service covers disrupting availability, from a volumetric DDoS to ransomware that encrypts files. Elevation of privilege means gaining capabilities beyond what is authorised, such as a regular user account gaining administrative rights through a local privilege escalation vulnerability.
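As an added illustration (not code from this module), the Python below sketches the audit-logging control the text names against Repudiation, and shows why Tampering with a log is an integrity problem: each record's SHA-256 hash covers the previous record's hash, so rewriting an earlier entry is detectable, and truncating the log is detectable as long as the latest hash is anchored somewhere the attacker cannot reach. The AuditLog class, its record fields and the service-account events are constructed for the example.

```python
import hashlib
import json

# Hypothetical tamper-evident audit log (added illustration, not the module's code).
# Each record's hash covers the previous record's hash, so altering an earlier
# record breaks every hash after it. A stored head hash is needed to catch
# truncation, because a shortened chain is still internally consistent.

GENESIS = "0" * 64  # hash "before" the first record


def _entry_hash(prev_hash, entry):
    # Canonical JSON so that the same entry always hashes the same way.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditLog:
    def __init__(self):
        self.records = []  # each record is {"entry": {...}, "hash": "..."}

    def head(self):
        """Hash of the latest record; store this out of the attacker's reach."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def append(self, actor, action, target):
        entry = {"seq": len(self.records), "actor": actor,
                 "action": action, "target": target}
        h = _entry_hash(self.head(), entry)
        self.records.append({"entry": entry, "hash": h})
        return h

    def verify(self, expected_head=None):
        """Return (ok, index): index is the first bad record, or the length
        of the log when the chain is shorter than the anchored head implies,
        or -1 when everything checks out."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["entry"]["seq"] != i or _entry_hash(prev, rec["entry"]) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.records)  # tail removed or replaced
        return True, -1


def build_sample_log():
    # Constructed events: a service account reads and downloads user files.
    log = AuditLog()
    log.append("svc-account", "login", "storage-api")
    log.append("svc-account", "read", "bucket/user-files")
    log.append("svc-account", "download", "bucket/user-files")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log.head()
    print("intact:", log.verify(anchor))
    log.records[1]["entry"]["action"] = "noop"   # attacker rewrites record 1
    print("after edit:", log.verify(anchor))
    shortened = build_sample_log()
    shortened.records.pop()                       # attacker drops the last record
    print("after truncation, chain only:", shortened.verify())
    print("after truncation, with anchor:", shortened.verify(anchor))
```

The chain by itself proves that no record in the middle was changed; only the externally anchored head (written to a separate system, a WORM store or a signed checkpoint) turns a removed tail into a detectable event rather than a silent one.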

Common misconception

The CIA triad and STRIDE are competing frameworks. You should use one or the other.

They serve different purposes and are used together. The CIA triad defines what is being protected (confidentiality, integrity, availability). STRIDE defines the threat mechanisms used to attack those properties. In a threat model, you enumerate STRIDE threats against each component, then map each threat to which CIA property it violates. STRIDE is applied during design; the CIA triad is used throughout the security programme lifecycle.

Common misconception

Availability is the least important CIA property because data confidentiality and integrity matter more than uptime.

For many systems, availability failure is the highest-consequence security event. A hospital whose patient record system is unavailable during an emergency cannot access critical medication information. A financial exchange whose trading system is unavailable loses millions per minute. Ransomware is primarily an availability attack; the cost of ransomware to UK organisations in 2023 was estimated at over £2 billion in recovery costs, business disruption, and ransom payments combined. Rank CIA properties based on the specific system's mission, not a generic ordering.

In the Uber breach, STRIDE maps cleanly: the initial credential purchase and MFA fatigue constitute Spoofing (false identity claim to bypass authentication). Finding plaintext credentials in a network share represents Information disclosure. Accessing the HackerOne programme means the attacker gained visibility into unreported vulnerabilities, constituting further Information disclosure and potential Elevation of privilege. Taking systems offline to contain the breach was Uber's response to the Denial-of-service risk created by the attacker's access.

STRIDE, six threats and the property each violates

Microsoft's threat-modelling vocabulary mapped one-to-one onto CIA-style security properties.

  • S, Spoofing: claiming a false identity. Violates Authenticity.
  • T, Tampering: modifying data without permission. Violates Integrity.
  • R, Repudiation: denying an action took place. Violates Accountability.
  • I, Information disclosure: unauthorised access to data. Violates Confidentiality.
  • D, Denial of service: disrupting availability. Violates Availability.
  • E, Elevation of privilege: gaining unauthorised capability. Violates Authorisation.

Use at design time, not after launch: for every data-flow boundary, ask which of the six STRIDE threats applies. Six checks per boundary, ranked by impact, beats a single open-ended "is it secure?" review.

Six threat mechanisms, each violating a specific CIA property. STRIDE turns 'security review' into a checklist with named outcomes. Source: Microsoft SDL, OWASP Threat Modelling.
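The "six checks per boundary" routine from the table above, as an added Python example (not code from the module, Microsoft or OWASP): every data-flow boundary must carry an explicit decision for each of the six threats, undecided threats are reported as review gaps, and the applicable threats are ranked by an analyst-assigned impact score and mapped to the property they violate. The threat-to-property mapping is the one in the module's table; the payment API boundaries, their impact scores and the function names are constructed for the example.

```python
from dataclasses import dataclass, field

# Threat -> property violated, as listed in the module's STRIDE table.
STRIDE = {
    "Spoofing": "Authenticity",
    "Tampering": "Integrity",
    "Repudiation": "Accountability",
    "Information disclosure": "Confidentiality",
    "Denial of service": "Availability",
    "Elevation of privilege": "Authorisation",
}


@dataclass
class Boundary:
    """A data-flow boundary with the analyst's decision for each STRIDE threat.
    Impact 0 means 'considered and not applicable'; 1..3 means low..high."""
    name: str
    decisions: dict = field(default_factory=dict)  # threat -> impact


def undecided(boundaries):
    """Threats nobody has recorded a decision for: these are review gaps,
    which is what an open-ended 'is it secure?' review tends to leave behind."""
    return [(b.name, t) for b in boundaries for t in STRIDE if t not in b.decisions]


def checklist(boundaries):
    """Enumerate all six threats at every boundary and rank the applicable
    ones by impact; refuse to rank while any threat is still undecided."""
    gaps = undecided(boundaries)
    if gaps:
        raise ValueError(f"undecided threats: {gaps}")
    rows = [(b.name, t, STRIDE[t], b.decisions[t])
            for b in boundaries for t in STRIDE if b.decisions[t] > 0]
    order = list(STRIDE)
    rows.sort(key=lambda r: (-r[3], r[0], order.index(r[1])))
    return rows


def properties_at_risk(rows):
    """The properties the applicable threats put at risk, sorted for reporting."""
    return sorted({r[2] for r in rows})


# Constructed example: a hypothetical payment API with two boundaries.
PAYMENT_API = [
    Boundary("client -> API gateway", {
        "Spoofing": 3, "Tampering": 2, "Repudiation": 2,
        "Information disclosure": 3, "Denial of service": 2,
        "Elevation of privilege": 1,
    }),
    Boundary("API -> ledger database", {
        "Spoofing": 1, "Tampering": 3, "Repudiation": 3,
        "Information disclosure": 3, "Denial of service": 1,
        "Elevation of privilege": 2,
    }),
]

if __name__ == "__main__":
    for boundary, threat, prop, impact in checklist(PAYMENT_API):
        print(f"impact {impact}  {boundary:26} {threat:24} violates {prop}")
    print("properties at risk:", properties_at_risk(checklist(PAYMENT_API)))
```

The ranked rows are the review agenda: the highest-impact threats at the ledger boundary (Tampering, Repudiation, Information disclosure) come first, which is where the integrity and accountability controls from the Bangladesh Bank discussion belong.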

With STRIDE's mapping of threats to system functions in place, the discussion now turns to common attack types mapped to the triad, which builds directly on these foundations.

5.3 Common attack types mapped to the triad

With the framework established, classifying common attack types becomes straightforward. Each type primarily targets one CIA property, though complex attacks often touch multiple.

Ransomware primarily targets availability by encrypting files and making them inaccessible. Some variants also exfiltrate data before encrypting (double extortion), adding a confidentiality violation. The primary business impact is usually operational disruption from lost availability.

Data exfiltration primarily targets confidentiality. The attacker copies data and removes it from the organisation's control. The original data may remain in place; the violation is in the unauthorised disclosure.

Man-in-the-Middle attacks (MitM) intercept communications between two parties. They can violate both confidentiality (reading intercepted data) and integrity (modifying messages before forwarding them). TLS, covered in Module 4, is designed specifically to prevent MitM attacks by authenticating the server and encrypting all traffic.

DDoS attacks primarily target availability by overwhelming a system with traffic until legitimate requests cannot be served. They do not typically involve data access or modification.

SQL injection attacks insert malicious SQL (Structured Query Language) code into database queries through unsanitised user input. Depending on the payload, they can violate all three CIA properties: exfiltrating data (confidentiality), modifying or deleting records (integrity), or crashing the database service (availability).
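An added example (not code from the module) of the unsanitised-input mechanism just described, using Python's built-in sqlite3 module against a constructed in-memory table: the same username lookup is written once by pasting the input into the SQL text and once as a parameterised query. A single quote in the input changes the meaning of the first query and returns every row (the confidentiality violation); the second query only ever compares the input as data. The table, rows and function names are constructed for the example.

```python
import sqlite3

# Added illustration (not the module's code): the same lookup with string
# formatting versus a parameterised query, run on a constructed SQLite table.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.test"),   # constructed sample rows
        ("bob", "bob@example.test"),
        ("carol", "carol@example.test"),
    ])
    return conn


def vulnerable_lookup(conn, username):
    # The input is spliced into the SQL text, so a quote character in it
    # ends the string literal and the rest of the input becomes SQL.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, username):
    # The driver sends the value separately from the statement; the database
    # only ever compares it as a string, whatever characters it contains.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"                 # turns the WHERE clause into "always true"
    print("normal, vulnerable:", vulnerable_lookup(db, "bob"))
    print("normal, safe:      ", safe_lookup(db, "bob"))
    print("probe, vulnerable: ", vulnerable_lookup(db, probe))   # all three rows
    print("probe, safe:       ", safe_lookup(db, probe))         # [] : no such user
```

The fix is the parameterised form, not escaping by hand: escaping has to be right for every quoting rule of the particular database, whereas parameters keep code and data separate at the protocol level. The same separation is what stops the integrity and availability payloads the paragraph mentions, because the input can never become a statement of its own.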

Six common attacks against the CIA properties

A matrix showing which property each attack primarily and secondarily targets.

Attack (example)                                   Confidentiality  Integrity   Availability
Distributed denial of service (Mirai botnet, 2016)       -             -          PRIMARY
Ransomware (WannaCry, 2017)                              -          SECONDARY     PRIMARY
SQL injection (MOVEit / Cl0p, 2023)                   PRIMARY       PRIMARY      SECONDARY
Phishing credential theft (Twilio Octapus, 2022)      PRIMARY      SECONDARY        -
Man-in-the-middle (Bangladesh Bank, 2016)             PRIMARY       PRIMARY         -
Supply-chain compromise (SolarWinds, 2020)            PRIMARY       PRIMARY      SECONDARY

PRIMARY marks the property the attack directly targets, SECONDARY marks a side effect, and a dash means the attack does not normally touch that property. DDoS targets availability only; ransomware targets availability with integrity as a secondary effect; SQL injection routinely violates all three; phishing credential theft targets confidentiality with integrity as a secondary effect; MitM targets confidentiality and integrity; supply-chain compromise routinely violates all three.

Every attack maps onto one or more CIA properties. The mapping is the first step toward picking the right control to deploy. Source: NIST SP 800-150, MITRE ATT&CK.

5.4 Check your understanding

A healthcare provider discovers that an attacker accessed patient appointment records for three months without modifying them or causing any service disruption. Which CIA property was primarily violated?

A developer is designing a new payment processing API. Using STRIDE, which threat category describes an attacker injecting false transaction records into the database by exploiting an unsanitised input field?

After a DDoS (Distributed Denial-of-Service) attack, your company's website is unavailable for 6 hours. The attacker sent no malware and accessed no data. Which statement best describes the incident?

A cloud storage service experienced a breach where an attacker modified audit logs to remove evidence of their access, then extracted 2 million user files. The attacker left the files accessible to their original owners throughout the incident. Which CIA properties were violated, and which was NOT violated?


Key takeaways

  • Confidentiality covers unauthorised disclosure. Integrity covers unauthorised modification or destruction. Availability covers disruption of access. All three can be violated in a single incident.
  • STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) maps attack mechanisms to system functions. Use it during design to enumerate threats.
  • Ransomware primarily targets availability; data exfiltration targets confidentiality; MitM attacks target both confidentiality and integrity; DDoS targets availability.
  • Precise CIA classification leads to precise remediation. A confidentiality breach requires different responses than an availability outage.

You can now classify attacks by CIA property and apply STRIDE to identify threats during design. But every attack in this module started with one thing: someone gaining access they should not have had. Module 6 examines identity and access management - authentication factors, MFA types, and the principle of least privilege.

Standards and sources cited in this module

  1. NIST SP 800-12 Rev.1, An Introduction to Information Security (2017)

    Section 2.1, Three Security Objectives

    Authoritative US government definition of the CIA triad properties. Cited in Section 5.1.

  2. Microsoft Threat Modeling, STRIDE methodology

    STRIDE threat categories documentation

    Original source for the STRIDE threat model. Cited in Section 5.2 for the six threat categories and their mapping to system functions.

  3. MITRE ATT&CK v18.1 Framework

    Tactics and techniques taxonomy

    Industry-standard reference for mapping attacker techniques. Referenced in Section 5.3 for common attack type classification.

  4. Uber Security Update (September 2022)

    Official breach statement

    Primary source for the Uber MFA fatigue breach. Used as the opening case study to ground all three CIA properties in a single incident.

Module 5 of 25 · Cybersecurity Foundations