1

Copyright © 2012, Elsevier Inc.

All Rights Reserved

Chapter 3

Separation

Cyber Attacks Protecting National Infrastructure, 1st ed.

2

• Using a firewall to separate network assets from intruders is the most familiar approach in cyber security

• Networks and systems associated with national infrastructure assets tend to be too complex for firewalls to be effective

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

Introduction

3

• Three new approaches to the use of firewalls are necessary to achieve optimal separation – Network-based separation

– Internal separation

– Tailored separation

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

Introduction

4

Fig. 3.1 – Firewalls in simple and complex networks

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

5

• Separation is a technique that accomplishes one of the following – Adversary separation

– Component distribution

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

What Is Separation?

6

• A working taxonomy of separation techniques: Three primary factors involved in the use of separation – The source of the threat

– The target of the security control

– The approach used in the security control

(See figure 3.2)

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

What Is Separation?

7

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

Fig. 3.2 – Taxonomy of separation techniques

8

• Separation is commonly achieved using an access control mechanism with requisite authentication and identity management

• An access policy identifies desired allowances for users requesting to perform actions on system entities

• Two approaches – Distributed responsibility

– Centralized control

– (Both will be required)

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

Functional Separation?

9

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

Fig. 3.3 – Distributed versus centralized mediation

10

• Firewalls are placed between a system or enterprise and an un-trusted network (say, the Internet)

• Two possibilities arise – Coverage: The firewall might not cover all paths

– Accuracy: The firewall may be forced to allow access that inadvertently opens access to other protected assets

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

National Infrastructure Firewalls

11

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

Fig. 3.4 – Wide area firewall aggregation and local area firewall

segregation

12

• Increased wireless connectivity is a major challenge to national infrastructure security

• Network service providers offer advantages to centralized security – Vantage point: Network service providers can see a lot

– Operations: Network providers have operational capacity to keep security software current

– Investment: Network service providers have the financial wherewithal and motivation to invest in security

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

National Infrastructure Firewalls

13

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

Fig. 3.5 – Carrier-centric network-based firewall

14

• Network-based firewall concept includes device for throttling distributed denial of service (DDOS) attacks

• Called a DDOS filter

• Modern DDOS attacks take into account a more advanced filtering system

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

DDOS Filtering

15

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

Fig. 3.6 – DDOS filtering of inbound attacks on target assets

16

• SCADA – Supervisory control and data acquisition

• SCADA systems – A set of software, computer, and networks that provide remote coordination of control system for tangible infrastructures

• Structure includes the following – Human-machine interface (HMI)

– Master terminal unit (MTU)

– Remote terminal unit (RTU)

– Field control systems

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

SCADA Separation Architecture

17

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

Fig. 3.7 – Recommended SCADA system firewall architecture

18

• Why not simply unplug a system’s external connections? (Called air gapping)

• As systems and networks grow more complex, it becomes more likely that unknown or unauthorized external connections will arise

• Basic principles for truly air-gapped networks: – Clear policy

– Boundary scanning

– Violation consequences

– Reasonable alternatives

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

Physical Separation

19

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

Fig. 3.8 – Bridging an isolated network via a dual-homing user

20

• Hard to defend against a determined insider

• Threats may also come from trusted partners

• Background checks are a start

• Techniques for countering insider attack – Internal firewalls

– Deceptive honey pots

– Enforcement of data markings

– Data leakage protection (DLP) systems

• Segregation of duties offers another layer of protection

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

Insider Separation

21

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

Fig. 3.9 – Decomposing work functions for segregation of duty

22

• Involves the distribution, replication, decomposition, or segregation of national assets – Distribution: creating functionality using multiple

cooperating components that work together as distributed system

– Replication: copying assets across components so if one asset is broken, the copy will be available

– Decomposition: breaking complex assets into individual components so an isolated compromise won’t bring down asset

– Segregation: separation of assets through special access controls, data markings, and policy enforcement

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

Asset Separation

23

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

Fig. 3.10 – Reducing DDOS risk through CDN-hosted content

24

• Typically, mandatory access controls and audit trail hooks were embedded into the underlying operating system kernel

• Popular in the 1980s and 1990s

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

Multilevel Security (MLS)

25

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

Fig. 3.11 – Using MLS logical separation to protect assets

26

• Internet separation: Certain assets simply shouldn’t be accessible from the Internet

• Network-based firewalls: These should be managed by a centralized group

• DDOS protection: All assets should have protection in place before an attack

• Internal separation: Critical national infrastructure settings need an incentive to implement internal separation policy

• Tailoring requirements: Vendors should be incentivized to build tailored systems such as firewalls for special SCADA environments

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 3 –

S e p a ra

tio n

National Separation Program

Project Part 2: Access Controls Procedure Guide

Scenario

Changing access controls can have some undesirable effects. Therefore, it is important to carefully consider changes before making them and provide mechanisms to reverse changes if they have unexpected consequences.

Always Fresh management has asked you to develop procedures for changing any access controls. The purpose of these procedures is to ensure that staff:

· Understand and document the purpose of each access control change request

· Know what access controls were in place before any changes

· Get an approval of change by management

· Understand the scope of the change, both with respect to users, computers, and objects

· Have evaluated the expected impact of the change

· Know how to evaluate whether the change meets the goals

· Understand how to undo any change if necessary

Tasks

Create a guide that security personnel will use that includes procedures for implementing an access control change.

The procedure guide must contain the steps Always Fresh security personnel should take to evaluate and implement an access control change. You can assume any change requests you receive are approved.

Ensure that your procedures include the following:

· Status or setting prior to any change

· Reason for the change

· Change to implement

· Scope of the change

· Impact of the change

· Status or setting after the change

· Process to evaluate the change

Required Resources

· Internet access

· Course textbook

Submission Requirements

· Format: Microsoft Word (or compatible)

· Font: Arial, size 12, double-space

· Citation Style: Follow your school’s preferred style guide

· Length: 2 to 4 pages

Self-Assessment Checklist

· I created a procedure guide that provides clear instructions that anyone with a basic technical knowledge base can follow.

· I created a well-developed and formatted procedure guide with proper grammar, spelling, and punctuation.

· I followed the submission guidelines.

1

Copyright © 2012, Elsevier Inc.

All Rights Reserved

Chapter 6

Depth

Cyber Attacks Protecting National Infrastructure, 1st ed.

2

• Any layer of defense can fail at any time, thus the introduction of defense in depth

• A series of protective elements is placed between an asset and the adversary

• The intent is to enforce policy across all access points

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

Introduction

3

Fig. 6.1 – General defense in depth schema

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

4

• Quantifying the effectiveness of a layered defense is often difficult

• Effectiveness is best determined by educated guesses

• The following are relevant for estimating effectiveness – Practical experience

– Engineering analysis

– Use-case studies

– Testing and simulation

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

Effectiveness of Depth

5

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

Fig. 6.2 – Moderately effective single layer of protection

6

• When a layer fails, we can conclude it was either flawed or unsuited to the target environment

• No layer is 100% effective—the goal of making layers “highly” effective is more realistic

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

Effectiveness of Depth

7

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

Fig. 6.3 – Highly effective single layer of protection

8

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

Fig. 6.4 – Multiple moderately effective layers of protection

9

• A national authentication system for every citizen would remove the need for multiple passwords, passphrases, tokens, certificates, and biometrics that weaken security

• Single sign-on (SSO) would accomplish this authentication simplification objective

• However, SSO access needs to be part of a multilayered defense

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

Layered Authentication

10

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

Fig. 6.5 – Schema showing two layers of end-user authentication

11

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

Fig. 6.6 – Authentication options including direct mobile access

12

Layered E-Mail Virus and Spam Protection

• Commercial environments are turning to virtual, in- the-cloud solutions to filter e-mail viruses and spam

• To that security layer is added filtering software on individual computers

• Antivirus software helpful, but useless against certain attacks (like botnet)

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

13

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

Fig. 6.7 – Typical architecture with layered e-mail filtering

14

• Layering access controls increases security

• Add to this the limiting of physical access to assets

• For national infrastructure, assets should be covered by as many layers possible – Network-based firewalls

– Internal firewalls

– Physical security

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

Layered Access Controls

15

Fig. 6.8 – Three layers of protection using firewall and access controls

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

16

• Five encryption methods for national infrastructure protection – Mobile device storage

– Network transmission

– Secure commerce

– Application strengthening

– Server and mainframe data storage

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

Layered Encryption

17

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

Fig. 6.9 – Multple layers of encryption

18

• The promise of layered intrusion detection has not been fully realized, though it is useful

• The inclusion of intrusion response makes the layered approach more complex

• There are three opportunities for different intrusion detection systems to provide layered protection – In-band detection

– Out-of-band correlation

– Signature sharing

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

Layered Intrusion Detection

19

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

Fig. 6.10 – Sharing intrusion detection information between systems

20

• Developing a multilayered defense for national infrastructure would require a careful architectural analysis of all assets and protection systems – Identifying assets

– Subjective estimations

– Obtaining proprietary information

– Identifying all possible access paths

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 6 –

D e p th

National Program of Depth

1

Copyright © 2012, Elsevier Inc.

All Rights Reserved

Chapter 8

Collection

Cyber Attacks Protecting National Infrastructure, 1st ed.

2

• Diligent and ongoing observation of computing and networking behavior can highlight malicious activity – The processing and analysis required for this must be done

within a program of data collection

• A national collection process that combines local, regional, and aggregated data does not exist in an organized manner

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

Introduction

3

Fig. 8.1 – Local, regional, and national data collection with aggregation

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

4

• At local and national levels data collection decisions for national infrastructure should be based on the following security goals – Preventing an attack

– Mitigating an attack

– Analyzing an attack

• Data collection must be justified (who is collecting and why)

• The quality of data is more important than the quantity

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

Introduction

5

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

Fig. 8.2 – Justification-based decision analysis template for data collection

6

• Metadata is perhaps the most useful type of data for collection in national infrastructure – Metadata is information about data, not what the data is

about

• Data collection systems need to keep pace with growth of carrier backbones

• Sampling data takes less time, but unsampled data may be reveal more

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

Collecting Network Data

7

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

Fig. 8.3 – Generic data collection schematic

8

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

Fig. 8.4 – Collection detects evidence of vulnerability in advance of notification

9

• National initiatives have not traditionally collected data from mainframes, servers, and PCs

• The ultimate goal should be to collect data from all relevant computers, even if that goal is beyond current capacity

• System monitoring may reveal troubling patterns

• Two techniques useful for embedding system management data – Inventory process needed to identify critical systems

– Process of instrumenting or reusing data collection facilities must be identified

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

Collecting System Data

10

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

Fig. 8.5 – Collecting data from mainframes, servers, and PCs

11

Security Information and Event Management

• Security information and event management (SIEM) is the process of aggregating system data from multiple sources for purpose of protection

• Each SIEM system (in a national system of data collection) would collect, filter, and process data

• Objections to this approach include both the cost of setting up the architecture and the fact that embedded SIEM functionality might introduce problems locally

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

12

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

Fig. 8.6 – Generic SIEM architecture

13

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

Fig. 8.7 – Generic national SIEM architecture

14

• Identifying trends is the most fundamental processing technique for data collected across the infrastructure

• Simplest terms – Some quantities go up (growth)

– Some quantities go down (reduction)

– Some quantities stay the same (leveling)

– Some quantities doing none of the above (unpredictability)

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

Large-Scale Trending

15

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

Fig. 8.8 – Growth trend in botnet behavior over 9-month period (2006–

2007)

16

• Some basic practical considerations that must be made by security analysts before a trend can be trusted – Underlying collection

– Volunteered data

– Relevant coverage

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

Large-Scale Trending

17

• Collecting network metadata allows security analysts track a worm’s progress and predict its course

• Consensus holds that worms work too fast for data collection to be an effective defense – There’s actually some evidence that a closer look at the

data might provide early warning of worm threats

• After collecting and analyzing, the next step is acting on the data in a timely manner

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

Tracking a Worm

18

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

Fig. 8.9 – Coarse view of UDP traffic spike from SQL/Slammer worm

(Figure courtesy of Dave Gross and Brian Rexroad)

19

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

Fig. 8.10 – Fine view of UDP traffic spike from SQL/Slammer worm (Figure courtesy of Dave Gross and Brian Rexroad)

20

• Once the idea for a national data collection program is accepted, the following need to be addressed – Data sources

– Protected transit

– Storage considerations

– Data reduction emphasis

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 8 –

C o lle

c tio

n

National Collection Program

1

Copyright © 2012, Elsevier Inc.

All Rights Reserved

Chapter 5

Commonality

Cyber Attacks Protecting National Infrastructure, 1st ed.

2

• Certain security attributes must be present in all aspects and areas of national infrastructure to ensure maximum resilience against attack

• Best practices, standards, and audits establish a low- water mark for all relevant organizations

• Audits must be both meaningful and measurable – Often the most measurable things aren’t all that

meaningful

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Introduction

3

• Common security-related best practices/standards – Federal Information Security Management Act (FISMA)

– Health Insurance Portability and Accountability Act (HIPAA)

– Payment Card Industry Data Security Standard (PCI DSS)

– ETSI Cyber Security Technical Committee (TC-CYBER)

– ISO/IEC 27000 Standard family (ISO27K) • ISO 27001 – Security management systems

• ISO 27002 – Code of practice for InfoSec controls

– COBIT - Control Objectives for Information and related Technology

– NIST Cybersecurity Framework

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Introduction

4

Fig. 5.1 – Illustrative security audits for two organizations

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

5

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Fig. 5.2 – Relationship between meaningful and measurable

requirements

6

• The primary motivation for proper infrastructure protection should be success based and economic – Not the audit score

• Security of critical components relies on – Step #1: Standard audit

– Step #2: World-class focus

• Sometimes security audit standards and best practices proven through experience are in conflict

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Meaningful Best Practices for Infrastructure Protection

7

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Fig. 5.3 – Methodology to achieve world-class infrastructure

protection practices

8

• Four basic security policy considerations are recommended – Enforceable: Policies without enforcement are not

valuable

– Small: Keep it simple and current

– Online: Policy info needs to be online and searchable

– Inclusive: Good policy requires analysis in order to include computing and networking elements in the local nat’l infrastructure environment

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Locally Relevant and Appropriate Security Policy

9

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Fig. 5.4 – Decision process for security policy analysis

10

• Create an organizational culture of security protection

• Culture of security is one where standard operating procedures provide a secure environment

• Ideal environment marries creativity and interest in new technologies with caution and a healthy aversion to risk

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Culture of Security Protection

11

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Fig. 5.5 – Spectrum of organizational culture of security options

12

• Organizations should be explicitly committed to infrastructure simplification

• Common problems found in design and operation of national infrastructure – Lack of generalization

– Clouding the obvious

– Stream-of-consciousness design

– Nonuniformity

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Infrastructure Simplification

13

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Fig. 5.6 – Sample cluttered engineering chart

14

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Fig. 5.7 – Simplified engineering chart

15

• How to simplify a national infrastructure environment – Reduce its size

– Generalize concepts

– Clean interfaces

– Highlight patterns

– Reduce clutter

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Infrastructure Simplification

16

• Key decision-makers need certification and education programs

• Hundred percent end-user awareness is impractical; instead focus on improving security competence of decision-makers – Senior Managers

– Designers and developers

– Administrators

– Security team members

• Create low-cost, high-return activities to certify and educate end users

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Certification and Education

17

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Fig. 5.8 – Return on investment (ROI) trends for security education

18

• Create and establish career paths and reward structures for security professionals

• These elements should be present in national infrastructure environments – Attractive salaries

– Career paths

– Senior managers

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Career Path and Reward Structure

19

• Companies and agencies being considered for national infrastructure work should be required to demonstrate past practice in live security incidents

• Companies and agencies must do a better job of managing their inventory of live incidents

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Responsible Past Security Practice

20

• Companies and agencies being considered for national infrastructure work should provide evidence of the following past practices – Past damage

– Past prevention

– Past response

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

Responsible Past Security Practice

21

• A national commonality plan involves balancing the following concerns – Plethora of existing standards

– Low-water mark versus world class

– Existing commissions and boards

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 5 –

C o m

m o n a lity

National Commonality Program

1

Copyright © 2012, Elsevier Inc.

All Rights Reserved

Chapter 7

Discretion

Cyber Attacks Protecting National Infrastructure, 1st ed.

2

• Proprietary information will be exposed if discovered by hackers

• National infrastructure protection initiatives most prevent leaks – Best approach: Avoid vulnerabilities in the first place

– More practically: Include a customized program focused mainly on the most critical information

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

Introduction

3

• A trusted computing base (TCB) is the totality of hardware, software, processes, and individuals considered essential to system security

• A national infrastructure security protection program will include – Mandatory controls

– Discretionary policy

• A smaller, less complext TCB is easier to protect

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

Trusted Computing Base

4

Fig. 7.1 – Size comparison issues in a trusted computing base

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

5

• Managing discretion is critical; questions about the following should be asked when information is being considered for disclosure – Assistance

– Fixes

– Limits

– Legality

– Damage

– Need

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

Trusted Computing Base

6

• Security through obscurity is often maligned and misunderstood by security experts – Long-term hiding of vulnerabilities

– Long-term suppression of information

• Security through obscurity is not recommended for long-term protection, but it is an excellent complementary control – E.g., there’s no need to publish a system’s architecture

– E.g., revealing a flaw before it’s fixed can lead to rushed work and an unnecessary complication of the situation

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

Security Through Obscurity

7

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

Fig. 7.2 – Knowledge lifecycle for security through obscurity

8

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

Fig. 7.3 – Vulnerability disclosure lifecycle

9

• Information sharing may be inadvertent, secretive, or willful

• Government most aggressive promoting information sharing

• Government requests information from industry for the following reasons – Government assistance to industry

– Government situational awareness

– Politics

• Government and industry have conflicting motivations

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

Information Sharing

10

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

Fig. 7.4 – Inverse value of information sharing for government and industry

11

• Adversaries regularly scout ahead and plan before an attack

• Reconnaissance planning levels – Level #1: Broad, wide-reaching collection from a variety of

sources

– Level #2: Targeted collection, often involving automation

– Level #3: Directly accessing the target

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

Information Reconnaissance

12

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

Fig. 7.5 – Three stages of reconnaissance for cyber security

13

• At each stage of reconnaissance, security engineers can introduce information obscurity

• The specific types of information that should be obscured are – Attributes

– Protections

– Vulnerabilities

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

Information Reconnaissance

14

• Layering methods of obscurity and discretion adds depth to defensive security program

• Even with layered obscurity, asset information can find a way out – Public speaking

– Approved external site

– Search for leakage

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

Obscurity Layers

15

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

Fig. 7.6 – Obscurity layers to protect asset information

16

• Governments have been successful at protecting information by compartmentalizing information and individuals – Information is classified

– Groups of individuals are granted clearance

• Compartmentalization defines boundaries, which helps guides decisions

• Private companies can benefit from this model

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

Organizational Compartments

17

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

Fig. 7.7 – Using clearances and classifications to control information

disclosure

18

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

Fig. 7.8 – Example commercial mapping of clearances and classifications

19

• To implement a national discretion program will require – TCB definition

– Reduced emphasis on information sharing

– Coexistence with hacking community

– Obscurity layered model

– Commercial information protection models

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 7 –

D is

c re

tio n

National Discretion Program

1

Copyright © 2012, Elsevier Inc.

All Rights Reserved

Chapter 4

Diversity

Cyber Attacks Protecting National Infrastructure, 1st ed.

2

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 4 –

D iv

e rs

ity

Introduction

• The securing any set of national assets should include a diversity strategy

• The deliberate introduction of diversity into national infrastructure to increase security has not been well explored

• Two system are considered diverse if their key attributes differ

• Diversity bucks the trend to standardize assets for efficiency's sake

3

Fig. 4.1 – Diverse and nondiverse components through attribute

differences

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 4 –

D iv

e rs

ity

4

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 4 –

D iv

e rs

ity

Diversity and Worm Propagation

• Worm propagation is an example of an attack that relies on a nondiverse target environment

• Worm functionality in three steps: – Step #1: Find a target system on the network for

propagation of worm program

– Step #2: Copy program to that system

– Step #3: Remotely execute program

– Repeat

• Diversity may be expensive to introduce, but saves money on response costs in the long run

5

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 4 –

D iv

e rs

ity

Fig. 4.2 – Mitigating worm activity through diversity

6

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 4 –

D iv

e rs

ity

Desktop Computer System Diversity

• Most individual computers run the same operating system software on a standard processor platform and browse the Internet through one or two popular search engines with the one of only a couple browsers

• The typical configuration is a PC running Windows on an Intel platform, browsing the Internet with Internet Explorer, searching with Google

• This makes the average home PC user a highly predictable target

7

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 4 –

D iv

e rs

ity

Fig. 4.3 – Typical PC configuration showing diversity

8

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 4 –

D iv

e rs

ity

Desktop Computer System Diversity

• Three Considerations – Platform costs

– Application interoperability

– Support and training

9

• Ultimate solution for making desktops more secure involves their removal – Not a practical solution

• Cloud computing may offer home PC users a diverse, protected environment

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 4 –

D iv

e rs

ity

Diversity Paradox of Cloud Computing

10

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 4 –

D iv

e rs

ity

Fig. 4.4 – Spectrum of desktop diversity options

11

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 4 –

D iv

e rs

ity

Fig. 4.5 – Diversity and attack difficulty with option of removal

12

• Modern telecommunications consist of the following two types of technologies – Circuit-switched

– Packet-switched

• When compared to one another, these two technologies automatically provide diversity

• Diversity may not always be a feasible goal – Maximizing diversity may defend against large-scale

attacks, but one must also look closely at the entire architecture

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 4 –

D iv

e rs

ity

Network Technology Diversity

13

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 4 –

D iv

e rs

ity

Fig. 4.6 – Worm nonpropagation benefit from diverse telecommunications

14

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 4 –

D iv

e rs

ity

Fig. 4.7 – Potential for impact propagation over shared fiber

15

• Any essential computing or networking asset that serves a critical function must include physical distribution to increase survivability

• Physical diversity has been part of the national asset system for years – Backup center diversity

– Supplier/vendor diversity

– Network route diversity

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 4 –

D iv

e rs

ity

Physical Diversity

16

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 4 –

D iv

e rs

ity

Fig. 4.8 – Diverse hubs in satellite SCADA configurations

17

• A national diversity program would coordinate between companies and government agencies – Critical path analysis

– Cascade modeling

– Procurement discipline

Copyright © 2012, Elsevier Inc.

All rights Reserved

C h a p te

r 4 –

D iv

e rs

ity

National Diversity Program

Get help from top-rated tutors in any subject.

Efficiently complete your homework and academic assignments by getting help from the experts at homeworkarchive.com