Information System Security

Foundation Module: Understanding the CIA Triad

Before we can defend a system or understand how hackers break into one, we must first define what "secure" actually means. In cybersecurity, every defense mechanism, security policy, and risk assessment maps directly back to three core principles known as the CIA Triad.

[Diagram: Information Security. C = Confidentiality, I = Integrity, A = Availability]

Select a module below to explore the concepts, view real-world examples, and understand how these principles are attacked and defended.

Part 1: Confidentiality

Keeping secrets secret. Learn about encryption, access controls, and stopping unauthorized access.

Part 2: Integrity

Trusting the data. Learn about hashing, digital signatures, and detecting unauthorized changes.

Part 3: Availability

Being there when needed. Learn about redundancy, system resilience, and surviving DoS attacks.

Part 1: Confidentiality

The Core Concept: Confidentiality is the principle of keeping secrets secret. It ensures that sensitive information is accessed only by an authorized person and kept away from those who do not have permission to view it.

The "Need to Know" Basis

Imagine your personal medical records. You want your doctor to be able to read them (Authorized Access), but you absolutely do not want a random stranger or a malicious hacker to read them (Unauthorized Access). Confidentiality is the set of rules and tools we use to enforce this "need to know" boundary.

[Diagram: Encrypted Data. Authorized User (Has the Key): ✓ Access. Attacker (No Key): ✗ Blocked]

How Do We Enforce Confidentiality?

In Information System Security, we don't just rely on hiding data. We use specific tools to enforce confidentiality:

What Happens When It Fails?

A failure of confidentiality is commonly known as a Data Breach. If a hacker exploits a vulnerability to download a database of customer passwords or credit card numbers, the confidentiality of that system has been broken.

Part 2: Integrity

The Core Concept: Integrity ensures that data remains accurate, authentic, and unaltered. It guarantees that the information you are looking at has not been changed by unauthorized users, software errors, or malicious hackers.

Trusting the Data

Imagine using your mobile banking app to transfer Rp 50,000 to a friend. If a hacker intercepts that transaction over the network and changes the amount to Rp 5,000,000 before it reaches the bank, your data has lost its integrity. We need mathematical proof that a file, message, or transaction is exactly the same as when it was created.

[Diagram: Original Message "Pay $10", Hash (SHA-256) a1b2c3d4e5... Tampered Message "Pay $90", Hash (SHA-256) f9x8w7v6u5... MISMATCH = TAMPERED]
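The hash-mismatch check, applied to the bank-transfer scenario above, as an added example that is not part of the original course material. It goes one step beyond the page by also showing a keyed hash (HMAC-SHA-256), because a bare hash that travels alongside the message can simply be recomputed by whoever altered it. The key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: the key and both messages are illustrative only.
SHARED_KEY = b"constructed-demo-key-not-for-production"
ORIGINAL = b"transfer Rp 50,000 to account 1234"
TAMPERED = b"transfer Rp 5,000,000 to account 1234"


def sha256_hex(message: bytes) -> str:
    """Plain SHA-256 digest: reveals any change, but anyone can compute it."""
    return hashlib.sha256(message).hexdigest()


def make_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA-256 tag: can only be produced by a holder of the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hash(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(sha256_hex(message), digest)


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest compares in constant time, avoiding a timing side channel.
    return hmac.compare_digest(make_tag(key, message), tag)


def demo() -> dict:
    results = {}
    # Case 1: the digest was obtained over a trusted channel, so a change
    # to the message in transit shows up as a mismatch.
    trusted_digest = sha256_hex(ORIGINAL)
    results["hash_detects_change"] = not verify_hash(TAMPERED, trusted_digest)
    # Case 2: the digest travels with the message, so the party that altered
    # the message also replaces the digest and the check passes.
    forged_digest = sha256_hex(TAMPERED)
    results["recomputed_hash_accepted"] = verify_hash(TAMPERED, forged_digest)
    # Case 3: with an HMAC tag, the altered message has no valid tag unless
    # the sender's key is known, so verification fails.
    tag = make_tag(SHARED_KEY, ORIGINAL)
    results["hmac_accepts_original"] = verify_tag(SHARED_KEY, ORIGINAL, tag)
    results["hmac_rejects_tampered"] = not verify_tag(SHARED_KEY, TAMPERED, tag)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```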

How Do We Enforce Integrity?

We use cryptographic tools to ensure that if even a single comma is changed in a file, the system knows immediately:

What Happens When It Fails?

A failure of integrity can be catastrophic. If an attacker injects malicious code into a website (like Cross-Site Scripting or a Trojan Horse), changes financial records, or modifies medical prescriptions, the data can no longer be trusted. Sometimes, losing data integrity is worse than losing confidentiality.

Part 3: Availability

The Core Concept: Availability ensures that systems, applications, and data are accessible to authorized users whenever they need them. A perfectly secure system is completely useless if nobody can actually log in and use it.

Being There When Needed

Imagine a hospital's electronic health record system. The data might be perfectly encrypted (Confidentiality) and mathematically verified (Integrity), but if the servers crash during an emergency and doctors cannot access a patient's medical history, lives could be at risk. Protecting availability means keeping the digital doors open.

[Diagram: Normal Operation: Legitimate User, Normal Request / Response, server Online & Stable. Denial of Service (DoS) Attack: Attacker, 10,000+ Malicious Requests / sec, server Overwhelmed / Offline; Legitimate User: Timeout / Dropped]

How Do We Enforce Availability?

We build systems with resilience in mind so they can survive hardware failures, natural disasters, and deliberate cyberattacks:

What Happens When It Fails?

When availability is compromised, business stops. E-commerce sites lose m