CIA / DAD & Security Controls
Mission Brief
Three recent incidents at Glasshouse each broke one leg of the CIA triad. Your job: diagnose which property failed, classify the controls that should have been there, and design a layered defence the auditor can map line-by-line to NIST.
Story · Three letters that explain every incident
Quarter close. Three incidents arrive on the CISO's desk in a single week. Monday: a customer statements bucket is found indexed by Google — anyone could read PDFs containing PAN-truncated account numbers. Wednesday: a ledger reconciliation flags that 27 wire amounts were silently changed by one penny each over three months. Friday: the online banking portal is down for four hours after a botnet hits the WAF.
Same week. Same word in the headlines — 'cyber incident'. Yet each broke a completely different security property: confidentiality, integrity, availability. The defensive playbook for each is also completely different — encryption and access control vs. hashing and tamper-evident logging vs. capacity, anti-DDoS and resilient architecture.
CIA is the simplest, most useful triangle in security. Its dark mirror — Disclosure, Alteration, Destruction (DAD) — is how attackers think. Spend this hour mastering both, plus the control taxonomy that maps every defence to a slot, and you'll never lose an architecture argument again.
Trainer · Core Concepts
Confidentiality: only those authorised can read the data. Broken by: data leakage, unencrypted transit, weak access control, insider exfiltration. Controlled by: encryption (at rest and in transit), classification and handling rules, MFA plus least privilege, DLP, key management.
Integrity: data and systems are accurate and unaltered except by authorised processes. Broken by: tampering, MITM injection, malware modifying code, unauthorised privilege changes. Controlled by: hashing, digital signatures, code-signing, file-integrity monitoring, change management, separation of duties.
Availability: authorised users can reach the resource when they need it. Broken by: DDoS, ransomware, hardware failure, misconfiguration, natural disaster. Controlled by: capacity planning, redundancy, backups (tested!), DDoS mitigation, BCP / DR, geo-distribution.
DAD, the attacker's view: Disclosure attacks Confidentiality. Alteration attacks Integrity. Destruction attacks Availability. Every offensive technique on the CEH syllabus can be slotted into one of these three buckets. When a SOC analyst reads an alert, asking 'which leg of CIA is this hitting?' instantly narrows triage.
Control functions: PREVENTIVE — stop the event (firewalls, MFA, encryption, hardened images). DETECTIVE — surface that it happened (SIEM, IDS, FIM, audit logs). CORRECTIVE — restore after (backups, patching, incident-response runbooks). COMPENSATING — substitute when the primary control is impractical (e.g. extra monitoring because you can't patch a legacy box). DETERRENT — discourage the actor (warning banners, visible cameras, prosecution policies).
Control families: ADMINISTRATIVE — policies, procedures, training, background checks, separation of duties. TECHNICAL (logical) — hardware/software: MFA, encryption, firewalls, EDR. PHYSICAL — locks, badges, mantraps, cameras, environmental (HVAC, fire suppression). Every mature defence layers all three families — never just technical.
Defence in depth: layer controls so failure of any single control doesn't cause failure of the whole system. Concentric defences (perimeter → network → host → app → data), supported by Admin / Technical / Physical and Preventive / Detective / Corrective. Auditors map your architecture to this matrix — and so should you.
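The integrity leg above lists hashing, tamper-evident logging and separation of duties; the following is an added example (not part of the course material) of how those three combine into a detective control for the Wednesday one-penny incident. The wire records, the key name RECON_KEY and the assumption that only the reconciliation job, not the payments application, holds that key are constructed for illustration.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed sample wire records (not real data). Amounts are strings so a
# one-penny change is an exact byte change, not a float rounding question.
WIRES = [
    {"id": "W-1001", "beneficiary": "ACME-SUPPLIES", "amount": "1250.00", "ccy": "GBP"},
    {"id": "W-1002", "beneficiary": "NORTHWIND", "amount": "98000.00", "ccy": "GBP"},
    {"id": "W-1003", "beneficiary": "FABRIKAM", "amount": "410.50", "ccy": "GBP"},
]

# Hypothetical key held only by the reconciliation job, not by the payments
# application that writes the queue: the separation of duties is what stops
# a compromised writer from silently re-chaining the ledger after an edit.
RECON_KEY = b"hypothetical-reconciliation-key"
GENESIS = b"\x00" * 32

def canonical(record: dict) -> bytes:
    # Canonical JSON so the same record always serialises to the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def link(prev_tag: bytes, record: dict, key: bytes = RECON_KEY) -> bytes:
    # Each tag commits to the previous tag and this record, so editing,
    # deleting or reordering any earlier entry changes every later tag.
    return hmac.new(key, prev_tag + canonical(record), hashlib.sha256).digest()

def build_chain(records, key: bytes = RECON_KEY):
    """Return [(record, tag_hex), ...] with each tag chained to the previous one."""
    prev, out = GENESIS, []
    for rec in records:
        tag = link(prev, rec, key)
        out.append((rec, tag.hex()))
        prev = tag
    return out

def first_tampered(entries, key: bytes = RECON_KEY) -> int:
    """Recompute the chain; return the index of the first bad entry, or -1 if clean."""
    prev = GENESIS
    for i, (rec, tag_hex) in enumerate(entries):
        expected = link(prev, rec, key)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    return -1

def alter_amount(entries, index: int, new_amount: str):
    """Test helper: change one stored amount while leaving the stored tags untouched."""
    copy = deepcopy(entries)
    copy[index][0]["amount"] = new_amount
    return copy
```

Running first_tampered over the reconciliation job's copy of the chain turns a silent penny change into a flagged record index; with an unkeyed hash chain the same check only works if the chain head is stored somewhere the writer cannot reach.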
Micro Labs
Lab 10 · CIA / DAD Diagnoser
Tag each event by which CIA property was violated (or DAD action observed).
Lab 11 · Control Type Classifier
Sort each control by FUNCTION — Preventive / Detective / Corrective / Compensating / Deterrent.
Lab 12 · Layered Defence Picker
For each risk, pick the layered control set (Administrative + Technical + Physical) that an auditor will accept.
Risk: insider exfiltrates customer PII via USB from a branch workstation.
Risk: ransomware encrypts the primary fileserver; attackers also delete the backup volume.
Risk: silent integrity attack on the wire-payments queue.
Challenge · The Audit-Proof Triangle
Pick one CIA leg and one threat-actor class from Hour 3. Design ONE preventive + ONE detective + ONE corrective control across Admin / Technical / Physical. Aim for a defence the auditor cannot mark 'compensating only'.
CEH v13 Exam Focus
- CIA triad definitions and concrete examples per leg
- DAD as the inverse of CIA
- Five control functions: Preventive / Detective / Corrective / Compensating / Deterrent
- Three control families: Administrative / Technical / Physical
- Compensating vs. corrective control distinction
Mnemonics
- CIA inverts to DAD — Disclosure / Alteration / Destruction.
- PDCCD — Preventive, Detective, Corrective, Compensating, Deterrent (five control functions).
- ATP — Administrative · Technical · Physical (three families; layer all three).
Common exam traps
- Calling a backup a 'preventive' control — it's CORRECTIVE (restores after).
- Calling a SIEM 'preventive' — it's DETECTIVE.
- Mixing up compensating (substitute) with corrective (restore).
- Forgetting that signage / banners are DETERRENT, not detective.
Quick classification
- Encryption = preventive (confidentiality)
- FIM = detective (integrity)
- Backup = corrective (availability)
- Extra monitoring on an unpatchable system = compensating
- Warning banner / 'prosecution will follow' = deterrent
- Policy / training / background check = administrative
