Discussion3: Emerging threats and counter sticks

 After reading chapter 3, analyze how separation within a network is a great technical control. The response must contain at least one external citation and reference in APA format. 

Save Time On Research and Writing
Hire a Pro to Write You a 100% Plagiarism-Free Paper.
Get My Paper

1

Copyright © 2012, Elsevier Inc.

Save Time On Research and Writing
Hire a Pro to Write You a 100% Plagiarism-Free Paper.
Get My Paper

All Rights Reserved

Chapter

3

Separation

Cyber Attacks
Protecting National Infrastructure, 1st ed.

2

• Using a firewall to separate network assets from
intruders is the most familiar approach in cyber
security

• Networks and systems associated with national
infrastructure assets tend to be too complex for
firewalls to be effective

Copyright © 2012, Elsevier Inc.

All rights Reserved

C
h
a
p
te

r 3

S
e
p
a
ra

tio
n

Introduction

3

• Three new approaches to the use of firewalls are
necessary to achieve optimal separation
– Network-based separation

– Internal separation

– Tailored separation

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra

tio
n

Introduction

4

Fig. 3.1 – Firewalls in simple and
complex networks

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

5

• Separation is a technique that accomplishes one of
the following
– Adversary separation

– Component distribution

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

What Is Separation?

6

• A working taxonomy of separation techniques: Three
primary factors involved in the use of separation
– The source of the threat

– The target of the security control

– The approach used in the security control

(See figure 3.2)

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n
What Is Separation?

7

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

Fig. 3.2 – Taxonomy of separation
techniques

8

• Separation is commonly achieved using an access
control mechanism with requisite authentication and
identity management

• An access policy identifies desired allowances for
users requesting to perform actions on system
entities

• Two approaches
– Distributed responsibility

– Centralized control

– (Both will be required)

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

Functional Separation?

9

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

Fig. 3.3 – Distributed versus centralized
mediation

10

• Firewalls are placed between a system or enterprise
and an un-trusted network (say, the Internet)

• Two possibilities arise
– Coverage: The firewall might not cover all paths

– Accuracy: The firewall may be forced to allow access that
inadvertently opens access to other protected assets

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

National Infrastructure Firewalls

11

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

Fig. 3.4 – Wide area firewall
aggregation and local area firewall

segregation

12

• Increased wireless connectivity is a major challenge
to national infrastructure security

• Network service providers offer advantages to
centralized security
– Vantage point: Network service providers can see a lot

– Operations: Network providers have operational capacity
to keep security software current

– Investment: Network service providers have the financial
wherewithal and motivation to invest in security

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n
National Infrastructure Firewalls

13

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

Fig. 3.5 – Carrier-centric network-based
firewall

14

• Network-based firewall concept includes device for
throttling distributed denial of service (DDOS) attacks

• Called a DDOS filter

• Modern DDOS attacks take into account a more
advanced filtering system

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

DDOS Filtering

15

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

Fig. 3.6 – DDOS filtering of inbound
attacks on target assets

16

• SCADA – Supervisory control and data acquisition

• SCADA systems – A set of software, computer, and
networks that provide remote coordination of
control system for tangible infrastructures

• Structure includes the following
– Human-machine interface (HMI)

– Master terminal unit (MTU)

– Remote terminal unit (RTU)

– Field control systems

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

SCADA Separation Architecture

17

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

Fig. 3.7 – Recommended SCADA system
firewall architecture

18

• Why not simply unplug a system’s external
connections? (Called air gapping)

• As systems and networks grow more complex, it
becomes more likely that unknown or unauthorized
external connections will arise

• Basic principles for truly air-gapped networks:
– Clear policy

– Boundary scanning

– Violation consequences

– Reasonable alternatives

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

Physical Separation

19

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

Fig. 3.8 – Bridging an isolated network
via a dual-homing user

20

• Hard to defend against a determined insider

• Threats may also come from trusted partners

• Background checks are a start

• Techniques for countering insider attack
– Internal firewalls

– Deceptive honey pots

– Enforcement of data markings

– Data leakage protection (DLP) systems

• Segregation of duties offers another layer of
protection

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

Insider Separation

21

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

Fig. 3.9 – Decomposing work functions
for segregation of duty

22

• Involves the distribution, replication, decomposition,
or segregation of national assets
– Distribution: creating functionality using multiple

cooperating components that work together as distributed
system

– Replication: copying assets across components so if one
asset is broken, the copy will be available

– Decomposition: breaking complex assets into individual
components so an isolated compromise won’t bring down
asset

– Segregation: separation of assets through special access
controls, data markings, and policy enforcement

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

Asset Separation

23

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

Fig. 3.10 – Reducing DDOS risk through
CDN-hosted content

24

• Typically, mandatory access controls and audit trail
hooks were embedded into the underlying operating
system kernel

• Popular in the 1980s and 1990s

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

Multilevel Security (MLS)

25

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

Fig. 3.11 – Using MLS logical separation
to protect assets

26

• Internet separation: Certain assets simply shouldn’t
be accessible from the Internet

• Network-based firewalls: These should be managed
by a centralized group

• DDOS protection: All assets should have protection in
place before an attack

• Internal separation: Critical national infrastructure
settings need an incentive to implement internal
separation policy

• Tailoring requirements: Vendors should be
incentivized to build tailored systems such as firewalls
for special SCADA environments

Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 3

S
e
p
a
ra
tio
n

National Separation Program

Calculate your order
Pages (275 words)
Standard price: $0.00
Client Reviews
4.9
Sitejabber
4.6
Trustpilot
4.8
Our Guarantees
100% Confidentiality
Information about customers is confidential and never disclosed to third parties.
Original Writing
We complete all papers from scratch. You can get a plagiarism report.
Timely Delivery
No missed deadlines – 97% of assignments are completed in time.
Money Back
If you're confident that a writer didn't follow your order details, ask for a refund.

Calculate the price of your order

You will get a personal manager and a discount.
We'll send you the first draft for approval by at
Total price:
$0.00
Power up Your Academic Success with the
Team of Professionals. We’ve Got Your Back.
Power up Your Study Success with Experts We’ve Got Your Back.

Order your essay today and save 30% with the discount code ESSAYHELP