Copyright © 2012, Elsevier Inc.
All Rights Reserved
Chapter 1
Introduction
Cyber Attacks Protecting National Infrastructure, 1st ed.
Introduction
• National infrastructure – Refers to the complex, underlying delivery and support systems for all large-scale services considered absolutely essential to a nation
• Conventional approach to cyber security not enough
• New approach needed – Combining best elements of existing security techniques with challenges that face complex, large-scale national services
Fig. 1.1 – National infrastructure cyber and physical attacks
Fig. 1.2 – Differences between small- and large-scale cyber security
National Cyber Threats, Vulnerabilities, and Attacks
• Three types of malicious adversaries:
– External adversary
– Internal adversary
– Supplier adversary
Fig. 1.3 – Adversaries and exploitation points in national infrastructure
National Cyber Threats, Vulnerabilities, and Attacks
• Three exploitation points:
– Remote access
– System administration and normal usage
– Supply chain
National Cyber Threats, Vulnerabilities, and Attacks
• Infrastructure threatened by most common security concerns:
– Confidentiality
– Integrity
– Availability
– Theft
Botnet Threat
• What is a botnet attack? – A remote collection of compromised end-user machines (usually broadband-connected PCs) is used to attack a target.
– Sources of attack are scattered and difficult to identify
• Five entities that comprise a botnet attack:
– Botnet operator
– Botnet controller
– Collection of bots
– Botnet software drop
– Botnet target
• Distributed denial of service (DDOS) attack: bots create a “cyber traffic jam”
Fig. 1.4 – Sample DDOS attack from a botnet
National Cyber Security Methodology Components
• Ten basic design and operation principles:
– Deception
– Separation
– Diversity
– Commonality
– Depth
– Discretion
– Collection
– Correlation
– Awareness
– Response
Deception
• Deliberately introducing misleading functionality or misinformation for the purpose of tricking an adversary – Computer scientists call this functionality a honey pot
• Deception enables forensic analysis of intruder activity
• The acknowledged use of deception may be a deterrent to intruders (every vulnerability may actually be a trap)
Fig. 1.5 – Components of an interface with deception
Separation
• Separation involves enforced access policy restrictions on users and resources in a computing environment
• Most companies use enterprise firewalls, which are complemented by the following:
– Authentication and identity management
– Logical access controls
– LAN controls
– Firewalls
Fig. 1.6 – Firewall enhancements for national infrastructure
Diversity
• Diversity is the principle of using technology and systems that are intentionally different in substantive ways.
• Diversity hard to implement:
– A single software vendor tends to dominate the PC operating system business landscape
– Diversity conflicts with organizational goals of simplifying supplier and vendor relationships
Fig. 1.7 – Introducing diversity to national infrastructure
Commonality
• Consistency involves uniform attention to security best practices across national infrastructure components
• Greatest challenge involves auditing
• A national standard is needed
Depth
• Depth involves using multiple security layers to protect national infrastructure assets
• Defense layers are maximized by using a combination of functional and procedural controls
Fig. 1.8 – National infrastructure security through defense in depth
Discretion
• Discretion involves individuals and groups making good decisions to obscure sensitive information about national infrastructure
• This is not the same as “security through obscurity”
Collection
• Collection involves automated gathering of system-related information about national infrastructure to enable security analysis
• Data is processed by a security information management system.
• Operational challenges:
– What type of information should be collected?
– How much information should be collected?
Fig. 1.9 – Collecting national infrastructure-related security information
Correlation
• Correlation involves a specific type of analysis that can be performed on factors related to national infrastructure protection – This type of comparison-oriented analysis is indispensable
• Past initiatives included real-time correlation of data at a fusion center – Difficult to implement
Fig. 1.10 – National infrastructure high-level correlation approach
Awareness
• Awareness involves an organization understanding the differences between observed and normal status in national infrastructure
• Most agree on the need for awareness, but how can awareness be achieved?
Fig. 1.11 – Real-time situation awareness process flow
Response
• Response involves the assurance that processes are in place to react to any security-related indicator – Indicators should flow from the awareness layer
• Current practice in smaller corporate environments of reducing “false positives” by waiting to confirm disaster is not acceptable for national infrastructure
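The following is an added illustration, not code from the book or its author, of how the collection, correlation, awareness and response principles chain together: constructed login-failure records from three hypothetical infrastructure sites are collected, correlated across sites (a source that fails at many sites is visible nationally even when each site alone sees little), compared against a constructed per-site baseline, and turned into response actions without waiting for confirmation. The site names, addresses and baseline numbers are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample records from three hypothetical infrastructure sites.
LOGS = """\
site=power-east src=198.51.100.7 event=login_fail
site=power-east src=198.51.100.7 event=login_fail
site=water-north src=198.51.100.7 event=login_fail
site=rail-central src=198.51.100.7 event=login_fail
site=water-north src=203.0.113.9 event=login_fail
site=rail-central src=203.0.113.9 event=login_ok
""".splitlines()

# Constructed baseline: login failures considered "normal status" per site.
BASELINE = {"power-east": 1, "water-north": 3, "rail-central": 2}

RECORD = re.compile(r"site=(\S+) src=(\S+) event=(\S+)")

def collect(lines):
    """Collection: turn raw records into structured events."""
    events = []
    for line in lines:
        m = RECORD.match(line)
        if m:
            events.append({"site": m[1], "src": m[2], "event": m[3]})
    return events

def correlate(events, min_sites=3):
    """Correlation: compare across sites; flag a source failing at many."""
    sites = defaultdict(set)
    for e in events:
        if e["event"] == "login_fail":
            sites[e["src"]].add(e["site"])
    return {src: sorted(s) for src, s in sites.items() if len(s) >= min_sites}

def awareness(events, baseline):
    """Awareness: observed failures per site versus the normal baseline."""
    seen = defaultdict(int)
    for e in events:
        if e["event"] == "login_fail":
            seen[e["site"]] += 1
    return {site: n for site, n in seen.items() if n > baseline.get(site, 0)}

def respond(events, baseline):
    """Response: act on every indicator rather than waiting to confirm."""
    actions = []
    for src, sites in correlate(events).items():
        actions.append(f"block {src} at {', '.join(sites)}")
    for site, n in awareness(events, baseline).items():
        actions.append(f"escalate {site}: {n} failures above baseline")
    return actions
```

Note that water-north and rail-central individually stay within baseline; only the cross-site correlation exposes the source hitting all three.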
Fig. 1.12 – National infrastructure security response approach
Implementing the Principles Nationally
• Commissions and groups
• Information sharing
• International cooperation
• Technical and operational costs