Cyber Attacks
Protecting National Infrastructure, 1st ed.
Chapter 6
Depth
Copyright © 2012, Elsevier Inc.
All Rights Reserved
Introduction
• Any layer of defense can fail at any time; hence the introduction of defense in depth
• A series of protective elements is placed between an asset and the adversary
• The intent is to enforce policy across all access points, so that no single path to the asset is mediated by only one control
Chapter 6 – Depth
Fig. 6.1 – General defense in depth schema
Effectiveness of Depth
• Quantifying the effectiveness of a layered defense is often difficult
• In practice, effectiveness is estimated by educated guesses rather than measured directly
• The following are relevant for estimating effectiveness
– Practical experience
– Engineering analysis
– Use-case studies
– Testing and simulation
Fig. 6.2 – Moderately effective single layer of protection
Effectiveness of Depth
• When a layer fails, we can conclude it was either flawed or unsuited to the target environment
• No layer is 100% effective; the more realistic goal is to make each layer "highly" effective and to stack several of them
Fig. 6.3 – Highly effective single layer of protection
Fig. 6.4 – Multiple moderately effective layers of protection
Layered Authentication
• A national authentication system for every citizen would remove the need for the many passwords, passphrases, tokens, certificates, and biometrics whose proliferation weakens security in practice
• Single sign-on (SSO) would accomplish this authentication simplification objective
• However, SSO concentrates risk in one credential, so SSO access must itself be one layer within a multilayered defense
Fig. 6.5 – Schema showing two layers of end-user authentication
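The two-layer arrangement of Fig. 6.5, as an added example that is not the book's own code: layer 1 is an SSO session token, signed here with HMAC-SHA256 as a stand-in for a SAML or OIDC assertion (an assumption), and layer 2 is an RFC 6238 TOTP code demanded only when a sensitive resource is requested. The secrets, the resource names in `SENSITIVE`, and the token lifetime are constructed; the TOTP seed is the RFC 6238 test-vector seed so the second layer can be checked against a published value. The security point is that a stolen or replayed SSO token passes layer 1 but cannot reach the sensitive resources without the fresh second factor.

```python
import hashlib
import hmac
import struct
import time

# Constructed secrets (assumption): a real deployment keeps the SSO signing key in
# an HSM or uses an asymmetric signature, and provisions a distinct TOTP seed per user.
SSO_SECRET = b"example-sso-signing-key"
TOTP_SECRET = b"12345678901234567890"   # RFC 6238 test-vector seed
TOKEN_TTL = 3600
SENSITIVE = {"payroll", "scada-console"}  # resources that demand the second layer


def issue_sso_token(user, now, secret=SSO_SECRET, ttl=TOKEN_TTL):
    """Layer 1 issuer: user|expiry|HMAC-SHA256(user|expiry)."""
    expiry = int(now) + ttl
    body = f"{user}|{expiry}".encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"{user}|{expiry}|{tag}"


def verify_sso_token(token, now, secret=SSO_SECRET):
    """Layer 1 check: the user name if the token is authentic and unexpired, else None."""
    try:
        user, expiry_str, tag = token.split("|")
        expiry = int(expiry_str)
    except ValueError:
        return None
    body = f"{user}|{expiry}".encode()
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return user if now < expiry else None


def totp(secret, now, step=30, digits=6):
    """Layer 2: RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def authorize(token, resource, now, totp_code=None, totp_secret=TOTP_SECRET):
    """Returns (allowed, reason). SSO alone suffices for ordinary resources;
    sensitive ones also require a fresh TOTP, so a stolen SSO token is not enough."""
    user = verify_sso_token(token, now)
    if user is None:
        return False, "sso token invalid or expired"
    if resource not in SENSITIVE:
        return True, f"{user}: sso sufficient for {resource}"
    if not totp_code:
        return False, f"{user}: second factor required for {resource}"
    for skew in (0, -30):   # accept the current and previous step to tolerate clock drift
        if hmac.compare_digest(totp(totp_secret, now + skew).encode(), totp_code.encode()):
            return True, f"{user}: sso + totp for {resource}"
    return False, f"{user}: bad second factor for {resource}"


if __name__ == "__main__":
    now = int(time.time())
    token = issue_sso_token("alice", now)
    print(authorize(token, "wiki", now))
    print(authorize(token, "payroll", now))                           # token alone fails here
    print(authorize(token, "payroll", now, totp(TOTP_SECRET, now)))   # token plus fresh code passes
```

The one-step skew window is the usual trade-off between usability and replay exposure; widening it beyond one previous step extends the life of an intercepted code for no real gain.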
Fig. 6.6 – Authentication options including direct mobile access
Layered E-Mail Virus and Spam Protection
• Commercial environments are turning to virtual, in-the-cloud solutions to filter e-mail viruses and spam
• To that security layer is added filtering software on individual computers
• Antivirus software is helpful, but it offers no protection against certain attacks (for example, botnets)
Fig. 6.7 – Typical architecture with layered e-mail filtering
Layered Access Controls
• Layering access controls increases security
• Add to this the limiting of physical access to assets
• For national infrastructure, assets should be covered by as many layers as possible
– Network-based firewalls
– Internal firewalls
– Physical security
Fig. 6.8 – Three layers of protection using firewall and access controls
Layered Encryption
• Five encryption methods for national infrastructure protection
– Mobile device storage
– Network transmission
– Secure commerce
– Application strengthening
– Server and mainframe data storage
Fig. 6.9 – Multiple layers of encryption
Layered Intrusion Detection
• The promise of layered intrusion detection has not been fully realized, though it is useful
• The inclusion of intrusion response makes the layered approach more complex
• There are three opportunities for different intrusion detection systems to provide layered protection
– In-band detection
– Out-of-band correlation
– Signature sharing
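The three opportunities on this slide, run over a handful of constructed events, as an added example that is not the book's code. Each `Sensor` is an in-band detector with its own signature set; `correlate` is the out-of-band layer that sees every sensor's events and flags a source that touches several hosts across sensors, something no single sensor observes; and `run_layered_ids` with `share=True` pushes any signature that fires on one sensor to the others, so a later copy of the same attack against a sensor that lacked the signature is caught. The sensor names, addresses, payloads and signatures are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (assumption): (sensor, time, src, dst, dport, payload).
SAMPLE_EVENTS = [
    ("sensor-A", 100, "203.0.113.5", "10.0.1.10", 80, "GET /cgi-bin/test.cgi?cmd=;cat%20/etc/passwd"),
    ("sensor-A", 101, "203.0.113.9", "10.0.1.10", 22, "SSH-2.0-scanner"),
    ("sensor-B", 102, "203.0.113.9", "10.0.2.20", 22, "SSH-2.0-scanner"),
    ("sensor-C", 103, "203.0.113.9", "10.0.3.30", 22, "SSH-2.0-scanner"),
    ("sensor-B", 104, "198.51.100.7", "10.0.2.20", 443, "POST /login"),
    ("sensor-C", 150, "203.0.113.5", "10.0.3.30", 80, "GET /cgi-bin/test.cgi?cmd=;cat%20/etc/passwd"),
]


class Sensor:
    """In-band detector: inspects each event it sees against its own signature set."""

    def __init__(self, name, signatures):
        self.name = name
        self.signatures = dict(signatures)   # signature name -> compiled regex

    def inspect(self, event):
        sensor, t, src, dst, dport, payload = event
        return [{"layer": "in-band", "sensor": self.name, "sig": name, "src": src, "dst": dst, "time": t}
                for name, rx in self.signatures.items() if rx.search(payload)]

    def learn(self, name, rx):
        self.signatures[name] = rx


def make_sensors():
    """Each sensor starts with different local knowledge (constructed)."""
    return {
        "sensor-A": Sensor("sensor-A", {"cgi-cmd-injection": re.compile(r"cmd=;|/etc/passwd")}),
        "sensor-B": Sensor("sensor-B", {"ssh-scanner-banner": re.compile(r"SSH-2\.0-scanner")}),
        "sensor-C": Sensor("sensor-C", {}),
    }


def correlate(events, min_hosts=3, window=60):
    """Out-of-band correlation: a source reaching >= min_hosts distinct hosts, seen by
    more than one sensor, within window seconds. Each sensor alone sees one connection."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[1])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e[1] - first[1] <= window]
            hosts = {e[3] for e in in_window}
            sensors = {e[0] for e in in_window}
            if len(hosts) >= min_hosts and len(sensors) > 1:
                alerts.append({"layer": "correlation", "src": src,
                               "hosts": sorted(hosts), "sensors": sorted(sensors)})
                break
    return alerts


def run_layered_ids(events, sensors, share=True):
    """Feed events to their sensors in time order; optionally share signatures that fire."""
    alerts = []
    for ev in sorted(events, key=lambda e: e[1]):
        sensor = sensors[ev[0]]
        hits = sensor.inspect(ev)
        alerts.extend(hits)
        if share:
            for h in hits:
                for other in sensors.values():
                    if h["sig"] not in other.signatures:
                        other.learn(h["sig"], sensor.signatures[h["sig"]])
    alerts.extend(correlate(events))
    return alerts


def count(alerts, **match):
    """Number of alerts whose fields equal every keyword given."""
    return sum(1 for a in alerts if all(a.get(k) == v for k, v in match.items()))


if __name__ == "__main__":
    for a in run_layered_ids(SAMPLE_EVENTS, make_sensors(), share=True):
        print(a)
```

Without sharing, the command-injection attempt at `sensor-C` (time 150) and the scanner banner at `sensor-C` (time 103) go unnoticed; with sharing both are caught, and the correlation layer is the only one that names 203.0.113.9 as a scanner, which is the complementary coverage the slide is after.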
Fig. 6.10 – Sharing intrusion detection information between systems
National Program of Depth
• Developing a multilayered defense for national infrastructure would require a careful architectural analysis of all assets and protection systems
– Identifying assets
– Subjective estimations of layer effectiveness
– Obtaining proprietary information from asset owners
– Identifying all possible access paths to each asset
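The last item above, identifying all access paths, is what turns the Layered Access Controls slide (Fig. 6.8) from a list of firewalls into a checkable property: every path from an untrusted zone to the asset should cross several distinct controls, and a flow must be allowed by every control on its path. The following Python is an added example that is not the book's code; the zone topology, rulesets, addresses and the deliberate perimeter misconfiguration (database port open at the edge) are all constructed. It enumerates the paths, counts the distinct layers on each, and evaluates a flow against the stacked rulesets with first-match and default deny.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action src dst dport")  # dport None matches any port

# Constructed topology (assumption): zones are nodes; each directed edge names the
# control that mediates traffic crossing it.
EDGES = {
    ("internet", "dmz"): "perimeter_fw",
    ("dmz", "corp"): "internal_fw",
    ("corp", "datacenter"): "dc_fw",
    ("internet", "vendor_vpn"): "vpn_gateway",     # remote-support entry point
    ("vendor_vpn", "datacenter"): "vpn_gateway",   # the same single control on both hops
}

# Constructed rulesets (assumption): first match wins, anything unmatched is denied.
RULESETS = {
    "perimeter_fw": [
        Rule("allow", "0.0.0.0/0", "10.1.0.0/16", 443),
        Rule("allow", "0.0.0.0/0", "10.0.0.0/8", 3306),   # misconfiguration: DB port open at the edge
    ],
    "internal_fw": [Rule("allow", "10.1.0.0/16", "10.2.0.0/16", 443)],
    "dc_fw": [Rule("allow", "10.2.0.0/16", "10.3.0.0/16", 3306)],
    "vpn_gateway": [Rule("allow", "198.51.100.0/24", "10.3.0.0/16", 3306)],
}


def enumerate_paths(edges, src, dst, _path=None):
    """All simple zone paths from src to dst (depth-first search)."""
    path = (_path or []) + [src]
    if src == dst:
        return [path]
    paths = []
    for a, b in edges:
        if a == src and b not in path:
            paths.extend(enumerate_paths(edges, b, dst, path))
    return paths


def layers_on_path(path):
    """Controls crossed along a path, in order; a control used on two hops appears twice."""
    return [EDGES[(a, b)] for a, b in zip(path, path[1:])]


def evaluate(control, flow):
    """First-match evaluation of one control's ruleset, default deny."""
    src, dst, dport = flow
    for r in RULESETS[control]:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
                and r.dport in (None, dport)):
            return r.action == "allow"
    return False


def first_block(path, flow):
    """Name of the first control on the path that denies the flow, or None if all allow it."""
    for control in layers_on_path(path):
        if not evaluate(control, flow):
            return control
    return None


def weak_paths(edges, asset_zone, min_layers, sources=("internet",)):
    """Paths from untrusted zones to the asset that cross fewer than min_layers distinct controls."""
    weak = []
    for src in sources:
        for path in enumerate_paths(edges, src, asset_zone):
            if len(set(layers_on_path(path))) < min_layers:
                weak.append(path)
    return weak


if __name__ == "__main__":
    for path in enumerate_paths(EDGES, "internet", "datacenter"):
        print(" -> ".join(path), "layers:", layers_on_path(path))
    print("internet host to DB via main path blocked at:",
          first_block(["internet", "dmz", "corp", "datacenter"], ("203.0.113.5", "10.3.0.5", 3306)))
    print("paths with fewer than 2 distinct layers:", weak_paths(EDGES, "datacenter", 2))
```

The perimeter mistake is absorbed by the internal firewall, which is depth working as intended; the vendor path is the finding, since a flow from the vendor range reaches the database after one control, and that control mediates both hops, so a single bug or stolen credential in it defeats the whole path.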