Cyber Attacks
Protecting National Infrastructure, 1st ed.
Chapter 6
Depth
Copyright © 2012, Elsevier Inc.
All Rights Reserved
Introduction
• Any layer of defense can fail at any time, thus the introduction of defense in depth
• A series of protective elements is placed between an asset and the adversary
• The intent is to enforce policy across all access points
Fig. 6.1 – General defense in depth schema
Effectiveness of Depth
• Quantifying the effectiveness of a layered defense is often difficult
• Effectiveness is best determined by educated guesses
• The following are relevant for estimating effectiveness
– Practical experience
– Engineering analysis
– Use-case studies
– Testing and simulation
Fig. 6.2 – Moderately effective single layer of protection
Effectiveness of Depth
• When a layer fails, we can conclude it was either flawed or unsuited to the target environment
• No layer is 100% effective—the goal of making layers “highly” effective is more realistic
Fig. 6.3 – Highly effective single layer of protection
Fig. 6.4 – Multiple moderately effective layers of protection
Layered Authentication
• A national authentication system for every citizen would remove the need for multiple passwords, passphrases, tokens, certificates, and biometrics that weaken security
• Single sign-on (SSO) would accomplish this authentication simplification objective
• However, SSO access needs to be part of a multilayered defense
Fig. 6.5 – Schema showing two layers of end-user authentication
Fig. 6.6 – Authentication options including direct mobile access
Layered E-Mail Virus and Spam Protection
• Commercial environments are turning to virtual, in-the-cloud solutions to filter e-mail viruses and spam
• To that security layer is added filtering software on individual computers
• Antivirus software is helpful, but useless against certain attacks (such as botnets)
Fig. 6.7 – Typical architecture with layered e-mail filtering
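Added example (not from the book or its slides): a per-attack-class estimate for the layered e-mail filtering above, tying it to the single-layer versus multi-layer comparison in Figs. 6.3 and 6.4. The layer names, attack classes and every probability are constructed educated guesses, and layers are assumed to fail independently.

```python
from math import prod

CLASSES = ("virus", "spam", "botnet")

# Constructed estimates (educated guesses, not measurements): chance that each
# layer stops one attack of each class. 0.0 means the layer is unsuited to it.
EMAIL_STACK = {
    "cloud_filter":      {"virus": 0.70, "spam": 0.70, "botnet": 0.30},
    "desktop_filter":    {"virus": 0.70, "spam": 0.70, "botnet": 0.00},
    "desktop_antivirus": {"virus": 0.70, "spam": 0.00, "botnet": 0.00},
}
SINGLE_HIGH = 0.95  # constructed figure for one "highly effective" layer


def stop_probability(stack, attack_class):
    """Chance that at least one layer stops the attack.

    Assumes layers fail independently, so their miss rates multiply.
    """
    for name, layer in stack.items():
        p = layer[attack_class]
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name}/{attack_class}: {p} is not a probability")
    return 1.0 - prod(1.0 - layer[attack_class] for layer in stack.values())


def weakest_class(stack):
    """Attack class the whole stack handles worst, with its stop probability."""
    scores = {c: stop_probability(stack, c) for c in CLASSES}
    worst = min(scores, key=scores.get)
    return worst, scores[worst]


def classes_beating(stack, single_layer):
    """Classes where the stack outperforms one layer of the given strength."""
    return [c for c in CLASSES if stop_probability(stack, c) > single_layer]


if __name__ == "__main__":
    for c in CLASSES:
        print(f"{c:7s} stack={stop_probability(EMAIL_STACK, c):.3f} "
              f"single={SINGLE_HIGH:.2f}")
    print("weakest:", weakest_class(EMAIL_STACK))
    print("stack beats single layer on:", classes_beating(EMAIL_STACK, SINGLE_HIGH))
```

With these figures, three moderate layers outperform the single strong layer only where all three are suited to the attack; the class that most layers are unsuited to stays close to the effectiveness of the one layer that covers it.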
Layered Access Controls
• Layering access controls increases security
• Add to this the limiting of physical access to assets
• For national infrastructure, assets should be covered by as many l.