CIA Triad, Risk & Least Privilege
Security language you must speak clearly
Real-world analogy
Security is like protecting a bank vault. Confidentiality is ‘only the right people see inside,’ integrity is ‘the money in the vault is exactly what we counted,’ availability is ‘the vault opens at 9 AM sharp.’ Threats attack one or all three.
What is it?
The security language junior IT must speak: CIA, risk vocabulary, least privilege, defense in depth, hygiene, and the core frameworks. Without this language, every security conversation sounds foreign — and you can’t be trusted with access.
Real-world relevance
A bank hires a junior who already uses MFA on their own accounts, explains CIA clearly, and when asked about a phishing case says ‘I’d isolate the device, notify SOC, preserve logs, reset credentials, and check sign-ins.’ That junior gets trusted with production access fast.
Key points
- Confidentiality, Integrity, Availability — Every real security control maps to one or more of these. Encryption protects confidentiality. Hashing/signing protects integrity. Redundancy/backup/DR protects availability.
- Threat, vulnerability, risk — Threat: what could harm us. Vulnerability: a weakness that could be exploited. Risk: the likelihood × impact of a threat exploiting a vulnerability. Controls reduce risk — they rarely eliminate it.
- Least privilege — Every account, process, and service should have only the access needed to do its job, no more. Applies to humans (no Domain Admin for daily work) and services (no ‘app runs as SYSTEM because it was easier’).
- Defense in depth — Assume any single control will fail. Layer them: perimeter → network → host → identity → data → monitoring. Attackers have to defeat multiple layers; you only need one to catch them.
- Security is mostly hygiene — Patching, MFA, least privilege, logging, backups — the ‘boring basics’ block most real attacks. Fancy AI products don’t rescue a shop without patching discipline.
- Shared responsibility in cloud — In IaaS the provider handles the physical/cloud infra; you handle OS, app, data, identity, configuration. In SaaS you still own identity, access, and data classification. Never assume ‘cloud = secure by default.’
- Security is a team sport — A junior IT person has a real security role: configure MFA correctly, handle phishing tickets, reset credentials safely, enforce device compliance, document access. You don’t need a SOC job to be useful.
- Frameworks to recognize by name — ISO/IEC 27001 (ISMS), NIST Cybersecurity Framework, PCI DSS (card data), HIPAA (health, US), GDPR (privacy, EU), SOC 2 (service orgs), CIS Controls. You don’t need mastery; recognize them when a regulator or auditor uses the terms.
Code example
// CIA and least privilege — practical checks
Confidentiality:
- TLS everywhere (no plain HTTP on sensitive data)
- Disk encryption on laptops (BitLocker/FileVault)
- Mail/file encryption for regulated content
- Proper ACLs, least privilege on data

Integrity:
- Signed software, checksums for patches
- Immutable backups / WORM storage for audit
- Audit logs that detect tampering

Availability:
- Redundant infra (more than one domain controller, more than one data center)
- Backups with tested restores
- DR plans with drills

Least privilege checklist:
[ ] Standard user for daily work
[ ] Separate named admin accounts
[ ] Service accounts with only required permissions
[ ] Time-bounded access for vendors
[ ] Reviewed every quarter at minimum
Line-by-line walkthrough
- 1. CIA practical checks header
- 2. Confidentiality controls
- 3. TLS everywhere
- 4. Disk encryption
- 5. Mail/file encryption
- 6. ACLs and least privilege
- 7. Blank separator
- 8. Integrity controls
- 9. Signed software and checksums
- 10. Immutable backups
- 11. Audit log integrity
- 12. Blank separator
- 13. Availability controls
- 14. Redundant infrastructure
- 15. Backup + tested restore
- 16. DR plans with drills
- 17. Blank separator
- 18. Least privilege checklist
- 19. Standard user daily
- 20. Separate admin accounts
- 21. Narrow service account scope
- 22. Time-bounded vendor access
- 23. Periodic access review
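The integrity items in the code example above (checksums and signatures, "audit logs that detect tampering") in working form. This is an added example, not code from the original page: it builds a tamper-evident audit log as an HMAC hash chain, then shows which kinds of tampering the chain alone catches (edited record, deleted record) and which it cannot (a cut-off tail) unless the latest tag is also stored somewhere the log writer cannot reach. The key, the record format and the sample events are all constructed.

```python
"""Tamper-evident audit log using an HMAC hash chain.

Added example for this lesson, not code from the original page. Each record's
tag covers its own content plus the previous record's tag, so editing,
deleting or reordering any record breaks the chain from that point on. Key,
record format and sample events are all constructed for illustration.
"""
import copy
import hashlib
import hmac
import json
from typing import Optional

# Assumption: in a real deployment this key is held by the verifier (a log
# server or HSM), never by the hosts that write the log. Hard-coded only so
# the example runs offline.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS_TAG = "0" * 64  # anchors the first record


def _tag(prev_tag: str, seq: int, event: dict) -> str:
    """HMAC-SHA256 over the previous tag and a canonical JSON encoding."""
    body = json.dumps({"seq": seq, "event": event}, sort_keys=True,
                      separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_tag.encode() + b"\n" + body,
                    hashlib.sha256).hexdigest()


def append(log: list, event: dict) -> str:
    """Append an event and return the new head tag (store it off-host)."""
    prev = log[-1]["tag"] if log else GENESIS_TAG
    seq = len(log)
    log.append({"seq": seq, "event": event, "tag": _tag(prev, seq, event)})
    return log[-1]["tag"]


def verify(log: list, expected_head: Optional[str] = None) -> tuple:
    """Walk the chain. Returns (ok, reason).

    Without expected_head, a log whose tail was simply cut off still verifies:
    the chain only proves nothing *inside* it changed. Comparing the final tag
    to a head stored elsewhere (separate log host, WORM bucket) closes that gap.
    """
    prev = GENESIS_TAG
    for pos, entry in enumerate(log):
        if entry.get("seq") != pos:
            return False, f"sequence gap at position {pos}: record removed"
        want = _tag(prev, entry["seq"], entry["event"])
        if not hmac.compare_digest(want, entry["tag"]):
            return False, f"record {pos} altered or signed with the wrong key"
        prev = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "log truncated: head tag does not match stored head"
    return True, "chain intact"


def demo() -> dict:
    """Build a small log, then try the tampering an insider might attempt."""
    log = []
    head = None
    for ev in [  # constructed sample events
        {"user": "alice", "action": "reset_password", "target": "bob"},
        {"user": "bankadmin", "action": "add_member", "target": "Domain Admins"},
        {"user": "carol", "action": "logon", "result": "failure"},
    ]:
        head = append(log, ev)

    edited = copy.deepcopy(log)
    edited[1]["event"]["user"] = "alice"      # rewrite who did it
    removed = copy.deepcopy(log)
    del removed[1]                            # delete the incriminating record
    truncated = copy.deepcopy(log)[:-1]       # chop off the newest record

    return {
        "intact": verify(log, head),
        "edited": verify(edited, head),
        "removed": verify(removed, head),
        "truncated_with_head": verify(truncated, head),
        "truncated_no_head": verify(truncated),  # passes: this is why the head is kept off-host
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

The design point is the last case: a hash chain proves continuity between records, not completeness, so an attacker who can delete the newest records leaves a perfectly valid chain. Shipping the head tag to a separate system (or forwarding the log to a collector in near real time) is what turns "audit logs" into "audit logs that detect tampering."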
Spot the bug
Company policy: 'All employees use a single shared admin account called bankadmin on all machines so it’s easy.'
Hint
List three controls this setup destroys.
Answer
(1) Least privilege: everyone acts as admin all day, for everything. (2) Accountability/audit: logs show ‘bankadmin did X’ with no way to tell which person that was. (3) Separation of duties and credential rotation: everyone can do everything, one leaked or phished password compromises every machine at once, and rotating it means changing it everywhere and re-sharing it with everyone. Replace with: standard per-user accounts, named admin accounts used only for privileged tasks, MFA, and centralized access reviews.
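The least-privilege checklist and the bankadmin scenario above as an automated review. This is an added example, not code from the original page: it runs the checklist's rules (one person per account, a standard account beside every admin account, no rights beyond documented need, time-bounded vendor access, quarterly review) over a constructed account inventory. The inventory format, the people and the accounts are all made up; a real review would read an export from AD, Entra ID or your IAM system and apply the same rules.

```python
"""Least-privilege access review over an account inventory.

Added example for this lesson, not code from the original page. The inventory
format, the people and the accounts (including the shared 'bankadmin' from
the spot-the-bug scenario) are constructed; a real review would read an
export from AD, Entra ID or your IAM system and apply the same rules.
"""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)   # "reviewed every quarter at minimum"
TODAY = date(2024, 6, 1)               # fixed so the example is deterministic

# Constructed sample inventory. 'required' is what the account's documented
# job needs; 'granted' is what it actually has.
INVENTORY = [
    {"name": "alice", "kind": "user", "owners": ["alice"],
     "granted": {"mail", "fileshare"}, "required": {"mail", "fileshare"},
     "expires": None, "last_reviewed": date(2024, 4, 1)},
    {"name": "alice-adm", "kind": "admin", "owners": ["alice"],
     "granted": {"Domain Admins"}, "required": {"Domain Admins"},
     "expires": None, "last_reviewed": date(2024, 4, 1)},
    {"name": "bob-adm", "kind": "admin", "owners": ["bob"],   # bob has no standard account
     "granted": {"Domain Admins"}, "required": {"Domain Admins"},
     "expires": None, "last_reviewed": date(2024, 4, 1)},
    {"name": "bankadmin", "kind": "admin", "owners": ["alice", "bob", "carol"],
     "granted": {"Domain Admins"}, "required": {"Domain Admins"},
     "expires": None, "last_reviewed": date(2023, 11, 15)},
    {"name": "svc-backup", "kind": "service", "owners": ["it-ops"],
     "granted": {"Domain Admins", "Backup Operators"}, "required": {"Backup Operators"},
     "expires": None, "last_reviewed": date(2024, 5, 1)},
    {"name": "vendor-acme", "kind": "vendor", "owners": ["acme-support"],
     "granted": {"vpn"}, "required": {"vpn"},
     "expires": date(2024, 3, 31), "last_reviewed": date(2023, 12, 1)},
]


def review(inventory: list, today: date = TODAY) -> list:
    """Return (account, finding) pairs for every checklist item that fails."""
    findings = []
    # People who hold a standard (non-admin) account for daily work.
    standard_holders = {p for a in inventory if a["kind"] == "user" for p in a["owners"]}

    for acct in inventory:
        name = acct["name"]
        # Accountability: one account, one person.
        if len(acct["owners"]) > 1:
            findings.append((name, "shared account: actions cannot be attributed to one person"))
        # Separate named admin accounts: every admin must also have a standard account.
        if acct["kind"] == "admin":
            for person in acct["owners"]:
                if person not in standard_holders:
                    findings.append((name, f"{person} has no standard account; "
                                           "this admin account will be used for daily work"))
        # Only required permissions, for humans and services alike.
        excess = acct["granted"] - acct["required"]
        if excess:
            findings.append((name, f"excess rights beyond documented need: {sorted(excess)}"))
        # Time-bounded vendor access.
        if acct["kind"] == "vendor":
            if acct["expires"] is None:
                findings.append((name, "vendor access has no expiry"))
            elif acct["expires"] < today:
                findings.append((name, f"vendor access expired {acct['expires']} but is still enabled"))
        # Quarterly review.
        if today - acct["last_reviewed"] > REVIEW_INTERVAL:
            findings.append((name, f"last reviewed {acct['last_reviewed']}; review overdue"))
    return findings


if __name__ == "__main__":
    for account, finding in review(INVENTORY):
        print(f"{account:12} {finding}")
```

Run against the sample data, bankadmin alone produces four findings (shared, two owners with no standard account, review overdue), which is the checklist's way of saying what the answer above says in prose. The 'required' column is the part people skip; without a documented need per account there is nothing to compare 'granted' against, and "least privilege" stays a slogan.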
Explain like I'm 5
Good security is like a bank with three rules: (1) only let the right people in, (2) make sure nobody messes with the money inside, (3) make sure the bank opens on time. Everything else is just details of how.
Fun fact
The Verizon Data Breach Investigations Report (DBIR) consistently shows that a large share of breaches start with stolen or weak credentials or with known, unpatched vulnerabilities: boring, fixable issues. Basics are unsexy and they are most of the job.
Hands-on challenge
Write a one-page personal security hygiene checklist: MFA everywhere, password manager, device encryption, OS + app updates, phishing awareness, backup. Apply it this week and note what you changed.
More resources
- CIA triad (Wikipedia)
- NIST Cybersecurity Framework (NIST)
- ISO/IEC 27001 (ISO)