In this lesson, I'll discuss integrity. By the end of the lesson, once you understand what integrity is, you should also be able to discuss how integrity is achieved and discuss, through examples, how integrity is applied. In the previous lesson, we talked about confidentiality. We also talked about the federal publication called FIPS 199. It outlines the categorization for federal information and information systems, so it breaks down the categorization of information, which includes things like integrity. Based on FISMA compliance (the Federal Information Security Modernization Act), this dives into how we apply the three pillars of the CIA triad to any information system.

According to Title 44 of the US Code, integrity means "guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity." That's the definition according to the code. In layman's terms, it means that information is accurate, information is complete, and information is protected from modification.

How do we use this? How does this apply? Each time we discuss any I.T. service or system and assess its security, we must look at these three principles of the CIA triad. Going back to FIPS 199, "a loss of integrity is the unauthorized modification or destruction of information." Think about how this applies to anything that you do. Do you want information to be accurate? Do you want information to be complete? We do see this, somewhat, in the media. Do we want the truth? Do we want all information to remain the best that it can be, the way it came from the source? If we get layers and layers deep, how do we know that that information is accurate? The best example that I can give you, and we'll talk about some other examples, is this: did you ever play the game called telephone?
That's where a lot of people, more than two people, obviously, get in a line and basically whisper a word or a phrase into the ear of the next person down the line. The first person in the line creates this word or phrase, and then the last person in the line says what that phrase actually was. And rarely is it correct. Why? Well, it could have been because we told it wrong. It could have been because we whispered too quietly. It could have been that we heard it wrong, but rarely do we ever get the correct message from the first person to the last person. How would we actually solve that? Perhaps by writing it down on paper. So the medium could be very important. If the first person writes it down on a piece of paper and it is handed along, the last person can say, "yes, the source is correct." Taking all the other people out of the equation, this is the actual source.

This also applies in computer security. How does it apply? In the second example here, it allows us to verify data. Let's talk about the Luhn algorithm. It's used to protect against accidental errors. It's not a hashing algorithm that is used to prove that something is the absolute source of correct information, but it is a way that we can verify the validity of information. We see this algorithm used in credit card numbers and in IMEI numbers for cell phones. Every cell phone has an IMEI number, and the algorithm verifies that it's actually a well-formed IMEI number. National Provider Identifier numbers and Canadian Social Insurance numbers are also based on the Luhn algorithm. It takes bits and pieces from whatever you're trying to validate and produces a check digit based on the outcome.

Here's how we use integrity every day. Integrity is built into every packet traversing the network from any source.
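As an added example that is not part of the original lesson, here is the Luhn check written out in Python. It validates a number, derives the check digit for a payload (as is done for the last digit of an IMEI), and shows both what the algorithm catches (a single mistyped digit) and what it does not: anyone who changes the payload can simply recompute the check digit, which is why Luhn protects against accidental errors rather than deliberate tampering. The 11-digit number is the standard textbook test value; the 14-digit IMEI payload is a constructed sample, not a real device identifier.

```python
def luhn_sum(digits: str) -> int:
    """Sum used by the Luhn algorithm: walking from the rightmost digit,
    every second digit is doubled, and doubled values above 9 have 9
    subtracted (equivalent to adding the two digits of the product)."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True if the number (spaces and dashes ignored) passes the Luhn check."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) < 2:
        return False
    return luhn_sum(digits) % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Derive the check digit that makes payload + digit Luhn-valid.
    Appending a placeholder '0' puts the payload digits in the same
    doubling positions they will occupy in the finished number."""
    total = luhn_sum(payload + "0")
    return str((10 - total % 10) % 10)


def single_digit_error_detected(number: str, index: int, new_digit: str) -> bool:
    """Corrupt one digit of a valid number and report whether Luhn flags it."""
    corrupted = number[:index] + new_digit + number[index + 1:]
    return not luhn_valid(corrupted)


def recomputed_after_tampering(payload: str) -> str:
    """Shows the limitation: a changed payload can be given a fresh, valid
    check digit, so a passing Luhn check is not proof of authenticity."""
    return payload + luhn_check_digit(payload)


if __name__ == "__main__":
    sample = "79927398713"            # textbook Luhn test value
    print(sample, "valid:", luhn_valid(sample))
    print("typo 7992739871 0 valid:", luhn_valid("79927398710"))
    imei_payload = "49015420323751"   # constructed 14-digit sample payload
    print("IMEI check digit:", luhn_check_digit(imei_payload))
    print("tampered payload still passes:",
          luhn_valid(recomputed_after_tampering("12345678901234")))
```

The check digit is the last digit of the number, so `luhn_check_digit` is what an issuer runs once when assigning a number, and `luhn_valid` is what a form or a device runs every time one is entered.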
Unless it is a connectionless protocol, which is probably about one percent or less of all network traffic out there, every packet traversing the network is checked for errors: a cyclic redundancy check runs on every packet. A good example of this is the video that you're watching now. Every single packet, every single payload in a frame, is checked to make sure there are no errors in that packet. If there are, the information is resent and checked again.

Digital signatures. You may think of digital signatures as just Adobe Sign. There are other products like that out there, but they're not actually digital signatures. A digital signature is a cryptographic algorithm that ensures that the information really came from the person who is claimed to have sent it.

Hashing algorithms. Hashing algorithms are a great representation of how integrity is used in the industry. Take software downloads: if we want to download a piece of software, it may have a little hash underneath it, an MD5 or SHA1 algorithm-based hash, so that you can compare the hash of the file you just downloaded to the hash on the screen. Cryptography is another way that we have integrity, guaranteeing from one end to another that we have algorithms that can say this is actually the source of the information.

So why do we need this? If we can't verify a message is correct, what good is that message? What about the industry? In the previous lesson, I talked about confidentiality and how we use confidentiality for healthcare and credit cards. Let's do the same here. Healthcare: accuracy is important! Think about how you dose medicine. If you dose it incorrectly, is the integrity of what you wrote intact? What about credit card information? Do we want that banking information to be right? Do we want to make sure that information is correct from one source to another?
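As an added example (not code from the lesson), here is the download-verification step from the hashing paragraph alongside the error-detection idea from the CRC paragraph, in Python. The "download" is a constructed byte string standing in for a file, and the published hash is computed from it in the demo; on a real download the published value comes from the vendor's page. SHA-256 is used here rather than the MD5 or SHA1 the lesson mentions, simply as the digest a practitioner would choose today. The last function makes the lesson's distinction concrete: a CRC detects accidental corruption, but whoever replaces a file can recompute the checksum shipped with it, so the reference value you compare against has to come from a source the attacker does not control.

```python
import hashlib
import hmac
import zlib

# Constructed sample payload standing in for a downloaded binary.
ORIGINAL = b"example-tool v1.0 release binary (constructed sample payload)\n"


def sha256_hex(data: bytes) -> str:
    """Hex digest of the data, the form usually printed under a download link."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, published_hex: str) -> bool:
    """Compare the digest of what was received with the published digest.
    compare_digest does a constant-time comparison, so the time taken does
    not depend on how many leading characters happen to match."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def crc32_of(data: bytes) -> int:
    """CRC-32 as used by link-layer frames and zip files for error detection."""
    return zlib.crc32(data) & 0xFFFFFFFF


def crc_matches(data: bytes, expected_crc: int) -> bool:
    return crc32_of(data) == expected_crc


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate a single-bit transmission error in the payload."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def attacker_can_recompute_crc(replacement: bytes) -> bool:
    """A checksum bundled with the file gives no protection against deliberate
    replacement: the party that swaps the file also swaps the checksum."""
    bundled_crc = crc32_of(replacement)   # recomputed to match the new file
    return crc_matches(replacement, bundled_crc)


if __name__ == "__main__":
    published = sha256_hex(ORIGINAL)      # value a vendor would print on the page
    print("clean download verifies:", verify_download(ORIGINAL, published))
    damaged = flip_bit(ORIGINAL, 10, 3)
    print("bit-flipped download verifies:", verify_download(damaged, published))
    print("CRC catches the bit flip:", not crc_matches(damaged, crc32_of(ORIGINAL)))
    print("replaced file with recomputed CRC passes:",
          attacker_can_recompute_crc(b"replaced binary (constructed)\n"))
```

The CRC check is what the network does for you on every frame; the hash comparison is the step you do yourself after a download, and it only means something if the published hash was obtained separately from the file, for example from the project's own page over HTTPS rather than from the same mirror that served the binary.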
Do we want $10 being withdrawn from the account, or the five dollars that we actually spent? We want to guarantee that information is always correct. What about video on YouTube? If you have errors in the network and the packets are garbled, do you have distorted video? Or even the video that you're watching now: if it is not verified that the information being sent is correct from one end to the other, from client to server, is that information accurate? Does it need to be resent? This is why the entire internet, in the way that communications work, relies on integrity.

Major failures of integrity. They include things like the phpMyAdmin attack of 2012. This is where hackers attacked SourceForge, one of the servers for a lot of open source projects, and they were able to replace some of the binary files for the phpMyAdmin software. If you downloaded those, the integrity check, the hashing that we did, would have failed. Checksum mismatches as well. Because of that, the phpMyAdmin attack failed.

How about phishing? Think of the human aspect of integrity. Phishing is a great example of how integrity fails, because you are trusting of things that come into your email. But if an attacker decides, "hey, I want to steal that information," they are counting on you not paying attention to the integrity of the actual message. So, if it says it's from the Help Desk, for example, and I don't check the validity of that message coming from the Help Desk, are my credentials going to be stolen? Maybe, maybe not.