Module 5 of 25 · Foundations

CIA triad and simple attacks

30 min read · 3 outcomes · Interactive attack classifier + drag challenge · 5 standards cited

By the end of this module you will be able to:

  • Give a real-world example of each CIA triad property being violated
  • Apply the STRIDE threat model to identify threats in a given scenario
  • Classify common attack types by which CIA property they primarily target

Real-world incident · September 2022

An 18-year-old bypassed every user-facing security control. The method: MFA fatigue and a network share.

In September 2022, Uber's internal systems were compromised by an 18-year-old attacker. The method was not a sophisticated zero-day exploit. The attacker purchased stolen Uber employee credentials from the dark web, then spent several hours sending repeated MFA (Multi-Factor Authentication) push notifications to the employee's phone until the employee, exhausted by the notifications, accepted one, believing it was a system error. This technique is called MFA fatigue.

Once inside, the attacker found plaintext credentials stored in an internal network share, which provided access to Uber's AWS (Amazon Web Services) environment, Google Workspace, HackerOne vulnerability disclosure programme, Slack, and internal tools. The attacker posted screenshots of Uber's internal systems on HackerOne and Twitter. Uber confirmed the breach, described it as a social engineering attack, and took several systems offline to contain it.

The incident violated all three CIA triad properties simultaneously: confidentiality (internal data and vulnerability reports were seen by an unauthorised person), integrity (the attacker had write access to many systems), and availability (Uber took systems offline). This module unpacks each property in depth, introduces the STRIDE threat model, and maps common attack types to the framework.

The Uber attacker violated all three CIA triad properties in one incident. Which came first, and how did each enable the next?

With the learning outcomes established, this module begins by examining the CIA triad in depth.

5.1 The CIA triad in depth

Module 1 introduced the CIA triad as the foundational model for what cybersecurity protects. This module goes deeper: for each property, you will see how a real attack violated it, what specific controls would have prevented the breach, and how to classify new attacks you encounter against the framework.

Confidentiality is the assurance that information is accessible only to those authorised to access it. Violations occur when data is read, copied, or transmitted without authorisation, whether intentionally through theft or accidentally through misconfiguration. Controls include encryption, access restrictions, and data classification policies.

In September 2017, Equifax disclosed that attackers accessed the personal data of approximately 147 million people, including Social Security numbers, birth dates, and addresses. The attackers exploited an unpatched Apache Struts vulnerability (CVE-2017-5638, known since March 2017) and moved laterally through Equifax's systems for 76 days before detection. This is a textbook confidentiality violation: data read and exfiltrated by parties with no authorisation.

Integrity means ensuring data is accurate and has not been altered without authorisation. Integrity attacks modify, delete, or fabricate data. The 2016 Bangladesh Bank SWIFT attack, covered in Module 3, was an integrity attack: fraudulent transfer instructions were inserted into a legitimate transaction workflow without any data being stolen.

Availability ensures systems and data are accessible when needed by authorised users. The WannaCry attack against the NHS in May 2017 was primarily an availability attack: systems were encrypted and made inaccessible, with no data exfiltration involved. DDoS (Distributed Denial-of-Service) attacks, ransomware, and hardware failures all target availability.

The three security objectives are Confidentiality, Integrity, and Availability. Loss of confidentiality is the unauthorized disclosure of information. Loss of integrity is the unauthorized modification or destruction of information. Loss of availability is the disruption of access to or use of information or an information system.

NIST SP 800-12 Rev.1, An Introduction to Information Security - Section 2.1, Three Security Objectives

NIST SP 800-12 Rev.1 provides the authoritative US government definitions of the CIA triad properties. The precision of these definitions matters: confidentiality covers disclosure, integrity covers modification or destruction, and availability covers disruption of access. All three can apply to the same incident, as the Uber breach demonstrated.

The CIA triad represents the fundamental security properties that a secure system must protect. Confidentiality prevents unauthorised disclosure, integrity prevents unauthorised modification, and availability ensures legitimate users can access the system. All three properties must be considered together; protecting one at the expense of another creates exploitable weaknesses.

ISO/IEC 27001:2022, Annex A.8 (Technological controls), A.8.20 Networks security - foundational CIA objectives

With the CIA triad covered in depth, the discussion now turns to STRIDE, which maps threats to system functions and builds directly on these foundations.

5.2 STRIDE: mapping threats to system functions

The CIA triad describes what attackers aim to violate. STRIDE describes the attack mechanisms they use to do it. Developed at Microsoft in the late 1990s, STRIDE provides a structured vocabulary for identifying threats to any system or component during design.

Each letter represents a threat category. Spoofing means claiming a false identity. A phishing email that appears to come from your bank is spoofing. Tampering means modifying data without authorisation: altering a database record, intercepting a network message, or corrupting a file. Repudiation means denying having performed an action, a threat that audit logging is designed to counter.

Information disclosure covers unauthorised access to data, whether through intentional exfiltration or accidental exposure of a misconfigured S3 bucket. Denial of service covers disrupting availability, from a volumetric DDoS to ransomware that encrypts files. Elevation of privilege means gaining capabilities beyond what is authorised, such as a regular user account gaining administrative rights through a local privilege escalation vulnerability.

Common misconception

The CIA triad and STRIDE are competing frameworks. You should use one or the other.

They serve different purposes and are used together. The CIA triad defines what is being protected (confidentiality, integrity, availability). STRIDE defines the threat mechanisms used to attack those properties. In a threat model, you enumerate STRIDE threats against each component, then map each threat to which CIA property it violates. STRIDE is applied during design; the CIA triad is used throughout the security programme lifecycle.

Common misconception

Availability is the least important CIA property because data confidentiality and integrity matter more than uptime.

For many systems, availability failure is the highest-consequence security event. A hospital whose patient record system is unavailable during an emergency cannot access critical medication information. A financial exchange whose trading system is unavailable loses millions per minute. Ransomware is primarily an availability attack; the cost of ransomware to UK organisations in 2023 was estimated at over £2 billion in recovery costs, business disruption, and ransom payments combined. Rank CIA properties based on the specific system's mission, not a generic ordering.

In the Uber breach, STRIDE maps cleanly: the initial credential purchase and MFA fatigue constitute Spoofing (false identity claim to bypass authentication). Finding plaintext credentials in a network share represents Information disclosure. Accessing the HackerOne programme means the attacker gained visibility into unreported vulnerabilities, constituting further Information disclosure and potential Elevation of privilege. Taking systems offline to contain the breach was Uber's response to the Denial-of-service risk created by the attacker's access.
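The STRIDE-to-CIA walk-through above can be turned into a small classifier that follows an incident timeline step by step and reports which properties each step violated and which earlier steps enabled it. This is an added example, not the module's own interactive component; the event descriptions are a constructed retelling of the Uber incident as this module narrates it, and the rule that Spoofing and Elevation of privilege are "enablers" rather than direct violations is the author's modelling choice.

```python
from dataclasses import dataclass
from enum import Enum

CIA = ("confidentiality", "integrity", "availability")

class Stride(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information disclosure"
    DENIAL_OF_SERVICE = "Denial of service"
    ELEVATION = "Elevation of privilege"

# STRIDE categories that directly violate one CIA property, as the module maps them.
DIRECT_IMPACT = {
    Stride.TAMPERING: "integrity",
    Stride.REPUDIATION: "integrity",        # the audit trail itself is falsified
    Stride.INFO_DISCLOSURE: "confidentiality",
    Stride.DENIAL_OF_SERVICE: "availability",
}
# Spoofing and Elevation of privilege are enablers: no violation on their own, but every later step rides on them.
ENABLERS = {Stride.SPOOFING, Stride.ELEVATION}

@dataclass(frozen=True)
class Event:
    description: str
    stride: Stride

def classify(timeline):
    """Walk an incident timeline in order; return each step's CIA impact (None for an enabler),
    the enablers that preceded it, and which properties were violated or stayed intact."""
    enablers, steps, violated = [], [], set()
    for ev in timeline:
        prop = None if ev.stride in ENABLERS else DIRECT_IMPACT[ev.stride]
        if prop is None:
            enablers.append(ev.description)
        else:
            violated.add(prop)
        steps.append((ev.description, ev.stride.value, prop, tuple(enablers)))
    return {"steps": steps, "violated": sorted(violated), "intact": sorted(set(CIA) - violated)}

# Constructed timeline of the Uber 2022 incident as this module narrates it.
UBER_2022 = [
    Event("bought stolen credentials and MFA-fatigued the employee into approving a push", Stride.SPOOFING),
    Event("read plaintext credentials from an internal network share", Stride.INFO_DISCLOSURE),
    Event("used those credentials to reach AWS, Google Workspace, Slack and HackerOne", Stride.ELEVATION),
    Event("viewed unreported vulnerability reports in the HackerOne programme", Stride.INFO_DISCLOSURE),
    Event("held write access to many internal systems", Stride.TAMPERING),
    Event("Uber took systems offline to contain the breach", Stride.DENIAL_OF_SERVICE),
]
```

Running `classify(UBER_2022)` reports all three properties violated, with each disclosure and tampering step carrying the list of Spoofing and Elevation steps that made it possible; a timeline with a single Information disclosure event leaves integrity and availability intact.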

With STRIDE in place, the discussion now turns to common attack types mapped to the triad, which builds directly on these foundations.

5.3 Common attack types mapped to the triad

With the framework established, classifying common attack types becomes straightforward. Each type primarily targets one CIA property, though complex attacks often touch multiple.

Ransomware primarily targets availability by encrypting files and making them inaccessible. Some variants also exfiltrate data before encrypting (double extortion), adding a confidentiality violation. The primary business impact is usually operational disruption from lost availability.

Data exfiltration primarily targets confidentiality. The attacker copies data and removes it from the organisation's control. The original data may remain in place; the violation is in the unauthorised disclosure.

Man-in-the-Middle attacks (MitM) intercept communications between two parties. They can violate both confidentiality (reading intercepted data) and integrity (modifying messages before forwarding them). TLS, covered in Module 4, is designed specifically to prevent MitM attacks by authenticating the server and encrypting all traffic.

DDoS attacks primarily target availability by overwhelming a system with traffic until legitimate requests cannot be served. They do not typically involve data access or modification.

SQL injection attacks insert malicious SQL (Structured Query Language) code into database queries through unsanitised user input. Depending on the payload, they can violate all three CIA properties: exfiltrating data (confidentiality), modifying or deleting records (integrity), or crashing the database service (availability).

The CIA triad provides the language for describing what any attack targets. Every vulnerability assessment maps findings to confidentiality, integrity, or availability.

5.4 Check your understanding

A healthcare provider discovers that an attacker accessed patient appointment records for three months without modifying them or causing any service disruption. Which CIA property was primarily violated?

A developer is designing a new payment processing API. Using STRIDE, which threat category describes an attacker injecting false transaction records into the database by exploiting an unsanitised input field?

After a DDoS (Distributed Denial-of-Service) attack, your company's website is unavailable for 6 hours. The attacker sent no malware and accessed no data. Which statement best describes the incident?

A cloud storage service experienced a breach where an attacker modified audit logs to remove evidence of their access, then extracted 2 million user files. The attacker left the files accessible to their original owners throughout the incident. Which CIA properties were violated, and which was NOT violated?

Security Operations Centre analysts classify alerts by which CIA property is threatened. This classification determines the response playbook and escalation path.

Key takeaways

  • Confidentiality covers unauthorised disclosure. Integrity covers unauthorised modification or destruction. Availability covers disruption of access. All three can be violated in a single incident.
  • STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) maps attack mechanisms to system functions. Use it during design to enumerate threats.
  • Ransomware primarily targets availability; data exfiltration targets confidentiality; MitM attacks target both confidentiality and integrity; DDoS targets availability.
  • Precise CIA classification leads to precise remediation. A confidentiality breach requires different responses than an availability outage.

You can now classify attacks by CIA property and apply STRIDE to identify threats during design. But every attack in this module started with one thing: someone gaining access they should not have had. Module 6 examines identity and access management - authentication factors, MFA types, and the principle of least privilege.

Standards and sources cited in this module

  1. NIST SP 800-12 Rev.1, An Introduction to Information Security (2017)

    Section 2.1, Three Security Objectives

    Authoritative US government definition of the CIA triad properties. Cited in Section 5.1.

  2. Microsoft Threat Modeling, STRIDE methodology

    STRIDE threat categories documentation

    Original source for the STRIDE threat model. Cited in Section 5.2 for the six threat categories and their mapping to system functions.

  3. MITRE ATT&CK v18.1 Framework

    Tactics and techniques taxonomy

    Industry-standard reference for mapping attacker techniques. Referenced in Section 5.3 for common attack type classification.

  4. Uber Security Update (September 2022)

    Official breach statement

    Primary source for the Uber MFA fatigue breach. Used as the opening case study to ground all three CIA properties in a single incident.
