26

I am in the process of writing a security vulnerabilities report on an application used at my employer, having completed an application audit. One discovered vulnerability can lead to unauthorized deletion / destruction of data.

In the context of the CIA security principles, I associate integrity to be concerned with safeguarding data from unauthorized modification, such as through MITM, and availability with safeguarding data from DoS such as through smurf or teardrop attacks.

I am inclined to say that unauthorized deletion of data is an attack on the Availability principle given the data can no longer be accessed by legitimate users. However, one of my colleagues disagrees and considers such to be an attack on the Integrity principle, because data was modified by being destroyed without authorization.

Is the unauthorized deletion of data considered a breach of integrity or availability?

Rory Alsop
Anthony
  • 5
    Possible duplicate of [Is unauthorised deletion an integrity or availability issue?](https://security.stackexchange.com/questions/145395/is-unauthorised-deletion-an-integrity-or-availability-issue) – Michael May 25 '17 at 21:43
  • @Michael That question is specifically about CVSS. CVSS is sometimes a bit peculiar regarding CIA (especially regarding direct/indirect impact and impact on affected/other components), so I don't think that this is a duplicate. – tim May 26 '17 at 18:58

7 Answers

48

> However, one of my colleagues disagrees and considers such to be an attack on the Integrity principle, because data was modified by being destroyed without authorization.

Your colleague has a point. Unauthorized data deletion is foremost a breach of integrity since deletion can be considered a special case of modification. This can have an impact on availability, but it doesn't have to. E.g., an attacker who manages to delete all logfiles on a web server probably wouldn't impact the server's uptime. But obviously a breach of integrity often implies impaired availability since a service with corrupted resources will likely not function properly.

I wouldn't always force a vulnerability into one of the three CIA categories, though. The impact of unauthorized data deletion is quite obvious, so I'm not sure categorizing it according to the CIA triad adds any clarification. Also note that there are many alternative models such as the Parkerian hexad that give you a few more options to choose from.

Arminius
  • 3
    To the extent that the CIA triad is useful, I suppose it distinguishes between an "unauthorised data deletion" accomplished by exploiting an application vulnerability, which certainly is a breach of integrity as well as causing loss of availability, vs. "unauthorised data deletion" by dropping a large munition on the enemy's data storage facility, which (until you respond to this potential threat by adding redundancy) is *only* a loss of availability. – Steve Jessop May 25 '17 at 11:57
  • 2
    Formally I think that, supposing a particular record is supposed to be in the system, then if the attack causes the application to report that there is no record, that's integrity (because the attacker caused the system to lie). If it causes the application to report that it cannot determine whether or not there is a record then that's merely availability. I may be wrong. – Steve Jessop May 25 '17 at 12:01
  • Agree with the answer, and just wanted to add, why does it have to be only one? You could consider it both. The triad is not mutually exclusive. To expand on the accepted answer, consider if attacker deleted all the info but 1 character, or 2? Still basically your deletion question, right? Now consider the other end of that spectrum. They only delete 1 character and leave the rest. The latter case is clearly "Integrity." Complete deletion is just an extreme special case of modification, hence Integrity. – JesseM May 25 '17 at 19:00
13

In my opinion you shouldn't put a vulnerability into the CIA triad. Because if you do then you have to put it in all of these three criteria. For example:

Confidentiality: When there is a vulnerability in your system, any unauthorized person can access your system and your data are no longer secret, which violates confidentiality.

Integrity: If an intruder exploits the vulnerability and deletes/modifies some/all data, then it violates Integrity.

Availability: If an intruder deletes/modifies all/some data and users don't get those data/any service because of that, then this situation violates Availability.

So it would be best if you categorize a vulnerability based on its type (e.g. Memory leak), severity (e.g. High), impact (root privilege escalation) etc.

psmears
arif
  • 12
    A vulnerability that allows gross data deletion doesn't always allow the attacker to know what he is deleting... bobby tables is a good example... – rackandboneman May 24 '17 at 10:11
  • @rackandboneman - but some wouldn't care about what they were deleting, just that they were able to delete it. – ivanivan May 24 '17 at 15:55
  • 3
    @ivanivan the point is that in this case it is not a breach of confidentiality. – Paŭlo Ebermann May 24 '17 at 18:05
  • 3
    Yep. Though a small amount of information is gained by the attacker, if the attack is sure to delete something: "Either the target will now have lost data, or taken notice of the breach and taken action to repair it." – rackandboneman May 24 '17 at 22:54
4

In my opinion, your colleague is right. Unauthorized modification/deletion of data is considered a breach or loss of integrity since the data is no longer intact. The aftermath of this could result in unavailability as availability may or may not be affected in all cases. For example, if a user A's login credentials were deleted then he won't be able to access his account. This is affecting availability and integrity. However, user B can still access his account regardless. This is only affecting integrity. In both cases, the data is not consistent anymore, i.e. integrity is lost.

Hope this helps :)

Siddhartha
3

So deletion by itself is definitely an integrity problem... However, it may be more than that; for instance, if you can delete arbitrary files you might be able to use that capability to escalate your privileges by deleting ACL files, or htaccess-style files. If you can do that, deletions could thereby affect confidentiality. If you can arbitrarily delete critical files, that could also be an availability concern.

So I would say deleting files could be bad in all three ways depending on the system.

Ori
1

The point of CIA is not to categorize a problem as fitting in just one of the three categories. The point of CIA is to mention desirable characteristics, and prioritize them. (Remembering the priority may be easy for people who have heard the acronym for America's Central Intelligence Agency.)

C = Confidentiality (is it private?)
Having a temporary problem with confidentiality can be worse than temporary lacking in the other areas, because this can be unrecoverable. Once data is leaked, then there may be no way to make it secret again.
I = Integrity (is it right?)
Is the data right? This is considered more important than Availability, because information needs to be right. If information is available, but the information is wrong, then people might expensively act on the wrong information. In contrast, if information is known to be unavailable, people might wait for right information, which is frequently better than spending resources making something happen (when it's not the right thing to happen). E.g., it's better to wait for directions than to spend money/gas/time/etc. going East if you need to go West.
A = Availability (can I access it when I should be able to?)
Good to have. (For reasons explained above, temporary lapses in availability may be less painful than temporary lapses in the other areas. Still, people like to have access when they want it.)

Now, whether you agree with that ordering or not is perhaps less important. I've heard people give fine-sounding arguments why a different order might make more sense. Well, I say that if you're learning this for some certification/exam/etc., it is good to be familiar with the widely agreed-on official order (even if you're personally unconvinced that's actually best).

One reason we refer to this triad is that having the entire triad is crucial, and can be much more challenging than maintaining either of the other two.

  • Making data public, but still read-only, compromises confidentiality while integrity and availability may be intact.
  • A faulty device driver leading to writing a blank sector, instead of desired data, might still honor confidentiality and provide (wrong) data upon request, indicating that there is still availability of data (even if it isn't the right data).
  • Deleting data can help to really ensure confidentiality, and not violate integrity, but remove availability.

All three are useful/necessary.

> I associate integrity to be concerned with safeguarding data from unauthorized modification, such as through MITM

Integrity has to do with rightness. An artificial MITM that changes data will result in lacking integrity. A flaw in the design of memory chips (e.g., "row hammer" attack) can result in a lack of integrity. A physical defect in media, which results in a bit being misread, can result in a lack of integrity.

"availability with safeguarding data from DoS such as through smurf or teardrop attacks."

Not just artificial malicious attacks. If a RAID array is offline (and not just degraded) due to physical defects, then you're lacking availability. If you have backups, you might not be suffering a loss of integrity (you aren't giving out bad information), but you lack availability until you get the drives into an online state.

> I am inclined to say that unauthorized deletion of data is an attack on Availability principle given the data can no longer be accessed by legitimate users.

Example one: If I take a graphic file, such as a bar chart, and overwrite some of the pixels with white pixels (effectively "deleting" part of the bars), I violated integrity. If you can still open the file, and not realize there was a problem, then the data file is still available, but it is wrong. People looking at the data will think something false; when people find out you gave them false data, they may have grounds to consider you to be a spreader of false information. People may think you're just being dishonest. This situation is a problem with integrity, not availability.

Example two: If a log file removes content about an attack, the log file may indicate everything's fine. If you report everything's fine, you're saying something wrong. This ends up placing your reputation of integrity on the line.

Now, let's look at a case of availability:

Example One: If the file with the bar charts was deleted, then you can't open the file, so there is a problem with availability. Once the file is restored, your availability is fixed. At no time did you give out wrong data. Your trustworthiness is intact; you maintained integrity.

Example Two: Similarly, when the log file is gone, you basically know there's a problem when you see "File not found". You're not being misled, so people aren't going to fault you for information that is misleading. This is not a problem with integrity; this is a problem with availability.

> Is the unauthorized deletion of data considered a breach of integrity or availability?

I've just demonstrated how this could go either way, depending on whether the deleted data was just contents within a file, or an entire file missing. However, I'd like to re-iterate my earlier point: you could experience both problems at once. So don't feel like you have to categorize a potential problem as applying to just one category or the other. (It can be both.)

Edit (clarifying that a bit) - An attacker that steals information (violating confidentiality), defaces your web site's main page (so your web server provides undesired information, a lack of data integrity) and deletes the rest of your website including your backups (so that you can't get to the right information) results in a loss of the entire CIA triad. A single attack (whether one action, or more actions) can have multiple effects, and appropriately apply to multiple categories of the CIA triad.

TOOGAM
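
The distinction drawn in the answer above (content removed from a file that still opens, versus a file that is gone), as an added example that is not part of the original answer. The file names, sample data and the functions `build_manifest`, `classify` and `demo` are constructed for illustration, and the baseline manifest is assumed to be kept where an attacker cannot rewrite it.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Record a SHA-256 digest per file; assumed to be stored out of the attacker's reach."""
    manifest = {}
    for name in sorted(os.listdir(root)):
        with open(os.path.join(root, name), "rb") as fh:
            manifest[name] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def classify(root, manifest):
    """Compare the current state with the baseline and label each deviation."""
    findings = {}
    for name, expected in manifest.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            # Whole file gone: the reader gets "File not found", not wrong data.
            findings[name] = "availability"
            continue
        with open(path, "rb") as fh:
            actual = hashlib.sha256(fh.read()).hexdigest()
        # File still opens but no longer says what it should.
        findings[name] = "ok" if actual == expected else "integrity"
    return findings


def demo():
    # Constructed sample data, not taken from the page.
    log = ["10:00 login ok alice", "10:01 login FAILED root", "10:02 login ok bob"]
    with tempfile.TemporaryDirectory() as root:
        files = {"access.log": "\n".join(log), "chart.csv": "q1,10\nq2,20", "notes.txt": "unchanged"}
        for name, text in files.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(text)
        manifest = build_manifest(root)
        # Deletion inside a file: the failed-login line is removed, the file stays.
        with open(os.path.join(root, "access.log"), "w") as fh:
            fh.write("\n".join(line for line in log if "FAILED" not in line))
        # Deletion of a whole file.
        os.remove(os.path.join(root, "chart.csv"))
        return classify(root, manifest)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```
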
1

If someone unplugs the server or DDoSes it, it is a loss of availability. It is no longer available to respond to requests, but it will eventually come back online and the data will still be there in the form it was before the incident.

If someone improperly modifies data (including deletion), it is a loss of integrity. The server is still available to service requests, even if it returns data that is now incorrect.

Obviously someone could do both, but trying to say deletion alone results in loss of availability, while true from a practical standpoint, is incorrect in terms of the CIA triangle because you're conflating the scopes of the two domains. They are separate for a reason.

Ivan
1

You could look at it from the perspective of what breaks each part of the CIA triad, seeing it from the other side. You could think of this as the anti-CIA triad: DAD (1)

  • Disclosure, the counter to Confidentiality: revealing or allowing access of resources to an outside party
  • Alteration, the counter to Integrity: unauthorized modification of resources: modification, corruption, encryption, etc.
  • Disruption, the counter to Availability: authorized access to resources has been lost.

While deletion is a special case of Alteration, from a technical standpoint the absence of data through deletion is not an alteration per se. It just presents you with a case of 'data is not available' as the final result.

It would therefore better fit the Disruption category, which is the counterpart of the Availability category.

Losing data through deletion thus seems like an Availability problem.

The answer might not be straightforward, but this model gives you a different viewpoint to look at the question.

1) Source: CEHv9 study guide, Sybex

r0b4x