Copyright © 2012, Elsevier Inc. All Rights Reserved
Chapter 3
Separation
Cyber Attacks
Protecting National Infrastructure, 1st ed.
The University of Adelaide, School of Computer Science
Chapter 2 — Instructions: Language of the Computer
Introduction
- Using a firewall to separate network assets from intruders is the most familiar approach in cyber security
- Networks and systems associated with national infrastructure assets tend to be too complex for firewalls to be effective
- Three new approaches to the use of firewalls are necessary to achieve optimal separation
  - Network-based separation
  - Internal separation
  - Tailored separation
Fig. 3.1 – Firewalls in simple and complex networks
What Is Separation?
- Separation is a technique that accomplishes one of the following
  - Adversary separation
  - Component distribution
- A working taxonomy of separation techniques: Three primary factors involved in the use of separation
  - The source of the threat
  - The target of the security control
  - The approach used in the security control
(See Figure 3.2)
Fig. 3.2 – Taxonomy of separation techniques
Functional Separation?
- Separation is commonly achieved using an access control mechanism with requisite authentication and identity management
- An access policy identifies desired allowances for users requesting to perform actions on system entities
- Two approaches
  - Distributed responsibility
  - Centralized control
- (Both will be required)
Fig. 3.3 – Distributed versus centralized mediation
National Infrastructure Firewalls
- Firewalls are placed between a system or enterprise and an untrusted network (say, the Internet)
- Two possibilities arise
  - Coverage: The firewall might not cover all paths
  - Accuracy: The firewall may be forced to allow access that inadvertently opens access to other protected assets
Fig. 3.4 – Wide area firewall aggregation and local area firewall segregation
- Increased wireless connectivity is a major challenge to national infrastructure security
- Network service providers offer advantages to centralized security
  - Vantage point: Network service providers can see a lot
  - Operations: Network providers have the operational capacity to keep security software current
  - Investment: Network service providers have the financial wherewithal and motivation to invest in security
Fig. 3.5 – Carrier-centric network-based firewall
DDOS Filtering
- The network-based firewall concept includes a device for throttling distributed denial of service (DDOS) attacks
  - Called a DDOS filter
- Modern DDOS attacks take into account a more advanced filtering system
Fig. 3.6 – DDOS filtering of inbound attacks on target assets
SCADA Separation Architecture
- SCADA – Supervisory control and data acquisition
- SCADA systems – A set of software, computers, and networks that provide remote coordination of control systems for tangible infrastructures
- Structure includes the following
  - Human-machine interface (HMI)
  - Master terminal unit (MTU)
  - Remote terminal unit (RTU)
  - Field control systems
Fig. 3.7 – Recommended SCADA system firewall architecture
Physical Separation
- Why not simply unplug a system’s external connections? (Called air gapping)
- As systems and networks grow more complex, it becomes more likely that unknown or unauthorized external connections will arise
- Basic principles for truly air-gapped networks:
  - Clear policy
  - Boundary scanning
  - Violation consequences
  - Reasonable alternatives
Fig. 3.8 – Bridging an isolated network via a dual-homing user
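The coverage problem noted under National Infrastructure Firewalls and the dual-homing bridge of Fig. 3.8 can both be checked as graph reachability: is any asset reachable from the untrusted network without crossing a firewall? The following is an added example, not taken from the book or the slides; the topology, node names and the function `unmediated_paths` are constructed for illustration.

```python
from collections import deque

# Constructed topology (assumption): undirected links between named nodes.
LINKS = [
    ("internet", "edge_fw"), ("edge_fw", "corp_lan"),
    ("corp_lan", "scada_fw"), ("scada_fw", "scada_lan"),
    ("scada_lan", "mtu"), ("scada_lan", "hmi"), ("mtu", "rtu"),
    # Dual-homed engineering laptop: on the SCADA LAN and on a cellular modem.
    ("scada_lan", "eng_laptop"), ("eng_laptop", "cell_modem"),
    ("cell_modem", "internet"),
]
FIREWALLS = {"edge_fw", "scada_fw"}   # mediation points
ASSETS = {"mtu", "hmi", "rtu"}        # assets that must sit behind a firewall

def build_graph(links):
    """Build an adjacency map from a list of undirected links."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def unmediated_paths(links, source, assets, firewalls):
    """Return {asset: path} for each asset reachable from source
    without passing through any firewall node (a coverage gap)."""
    graph = build_graph(links)
    parent = {source: None}
    queue = deque([source])
    while queue:                       # breadth-first search
        node = queue.popleft()
        for nxt in sorted(graph.get(node, ())):
            if nxt in parent or nxt in firewalls:
                continue               # never traverse a mediation point
            parent[nxt] = node
            queue.append(nxt)
    gaps = {}
    for asset in sorted(assets):
        if asset in parent:            # reached without mediation
            path, node = [], asset
            while node is not None:
                path.append(node)
                node = parent[node]
            gaps[asset] = path[::-1]
    return gaps

if __name__ == "__main__":
    gaps = unmediated_paths(LINKS, "internet", ASSETS, FIREWALLS)
    for asset, path in gaps.items():
        print(f"coverage gap: {asset} via {' -> '.join(path)}")
```

Removing the constructed `cell_modem` link leaves every path to the assets crossing a firewall, so the function returns an empty result.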
Insider Separation
- Hard to defend against a determined insider
- Threats may also come from trusted partners
- Background checks are a start
- Techniques for countering insider attack
  - Internal firewalls
  - Deceptive honey pots
  - Enforcement of data markings
  - Data leakage protection (DLP) systems
- Segregation of duties offers another layer of protection
Fig. 3.9 – Decomposing work functions for segregation of duty
Asset Separation
- Involves the distribution, replication, decomposition, or segregation of national assets
  - Distribution: creating functionality using multiple cooperating components that work together as a distributed system
  - Replication: copying assets across components so if one asset is broken, the copy will be available
  - Decomposition: breaking complex assets into individual components so an isolated compromise won’t bring down the asset
  - Segregation: separation of assets through special access controls, data markings, and policy enforcement
Fig. 3.10 – Reducing DDOS risk through CDN-hosted content
Multilevel Security (MLS)
- Typically, mandatory access controls and audit trail hooks were embedded into the underlying operating system kernel
- Popular in the 1980s and 1990s
Fig. 3.11 – Using MLS logical separation to protect assets
National Separation Program
- Internet separation: Certain assets simply shouldn’t be accessible from the Internet
- Network-based firewalls: These should be managed by a centralized group
- DDOS protection: All assets should have protection in place before an attack
- Internal separation: Critical national infrastructure settings need an incentive to implement internal separation policy
- Tailoring requirements: Vendors should be incentivized to build tailored systems such as firewalls for special SCADA environments
Rubic_Print_Format
Course Code | Class Code | Assignment Title | Total Points
ELM-580 | ELM-580-O501 | Literary Genres | 50.0
Criteria | Percentage | No Submission (0.00%) | Insufficient (69.00%) | Approaching (74.00%) | Acceptable (87.00%) | Target (100.00%) | Comments | Points Earned |
Content | 100.0% | |||||||
Fiction and Nonfiction Genres | 25.0% | Not addressed. | Matrix includes insufficient and incomplete examples and definitions of fiction and nonfiction genre along with poorly researched and weak examples of grade cluster appropriate texts for grades 1-3, 4-5, and 6-8. | Examples and definitions of fiction and nonfiction genre in the matrix are marginal and inconsistent along with irrelevant examples of grade cluster appropriate texts for grades 1-3, 4-5, and 6-8. | Matrix includes detailed and clear examples and definitions of fiction and nonfiction genre along with coherent examples of grade cluster appropriate texts for grades 1-3, 4-5, and 6-8. | Matrix includes well-researched and thoughtful examples and definitions of fiction and nonfiction genre along with proficient examples of grade cluster appropriate texts for grades 1-3, 4-5, and 6-8. | ||
Literary Genre Integration | 25.0% | Not addressed. | Examples included in matrix are missing components of strategies of how to integrate each selected text into reading, writing, and listening instruction along with a poor and undeveloped description of how to integrate each text with a technology application. | Matrix includes inconsistent and inadequate examples of strategies of how to integrate each selected text into reading, writing, and listening instruction along with beginning-level description of how to integrate each text with a technology application. | Matrix includes credible and direct examples of strategies of how to integrate each selected text into reading, writing, and listening instruction along with an adequate and detailed description of how to integrate each text with a technology application. | Matrix includes meaningful and insightful examples of strategies of how to integrate each selected text into reading, writing, and listening instruction along with a skillful and well-researched description of how to integrate each text with a technology application. | ||
Reflection | 20.0% | Not addressed. | Reflection poorly addresses how multiple forms of literary genre can be implemented in your future classroom and is missing components of an explanation of the strategies for student comprehension in reading and how selecting the appropriate text supports a positive attitude toward reading and comprehension skills. | Reflection includes a partially proficient summary on how multiple forms of literary genre can be implemented in your future classroom, a vague explanation of the strategies for student comprehension in reading, and a marginal description on how selecting the appropriate text supports a positive attitude toward reading and comprehension skills. | Reflection includes a logical and relevant summary on how multiple forms of literary genre can be implemented in your future classroom, a solid explanation of the strategies for student comprehension in reading, and a successful description on how selecting the appropriate text supports a positive attitude toward reading and comprehension skills. | Reflection includes an exceptional and thoughtful summary on how multiple forms of literary genre can be implemented in your future classroom, an insightful explanation of the strategies for student comprehension in reading, and a meaningful description on how selecting the appropriate text supports a positive attitude toward reading and comprehension skills. | ||
Mechanics of Writing (includes spelling, punctuation, grammar, language use) | 15.0% | Not addressed. | Surface errors are pervasive enough that they impede communication of meaning. Inappropriate word choice or sentence construction are used. | Frequent and repetitive mechanical errors distract the reader. Inconsistent language or word choice is present. Sentence structure is lacking. | Submission includes some mechanical errors, but they do not hinder comprehension. Varieties of effective sentence structures are used, as well as some practice and content-related language. | Submission is virtually free of mechanical errors. Word choice reflects well-developed use of practice and content-related language. Sentence structures are varied and engaging. | ||
Documentation of Sources (citations, footnotes, references, bibliography, etc., as appropriate to assignment and style) | 15.0% | Not addressed. | Documentation of sources is inconsistent or incorrect, as appropriate to assignment and style, with numerous formatting errors | Sources are documented, as appropriate to assignment and style, although several minor formatting errors are present. | Sources are documented, as appropriate to assignment and style, and format is mostly correct. | Sources are completely and correctly documented, as appropriate to assignment and style, and format is free of error. | ||
Total Weightage | 100% |
Part 1: Matrix
|
Fiction |
Non-fiction |
Definition: |
1.
2. |
1.
2. |
Examples: |
K-2 1. 2. 3-5 1. 2. 6-8 1. 2.
|
K-2 1. 2. 3-5 1. 2. 6-8 1. 2.
|
Text Integration Strategies: |
1.
2. |
1.
2. |
Technology Application Strategies: |
1.
2. |
1.
2.
|
Technology Tools: |
|
|
Part 2: Reflection
© 2018. Grand Canyon University. All Rights Reserved.
