More Related Content Similar to 11Copyright © 2012, Elsevier Inc. All Rights Reserved (20) More from MargenePurnell14 (20) 11Copyright © 2012, Elsevier Inc. All Rights Reserved1. 11
Copyright © 2012, Elsevier Inc.
All Rights Reserved
Chapter 1
Introduction
Cyber Attacks
Protecting National Infrastructure, 1st ed.
2
• National infrastructure
– Refers to the complex, underlying delivery and support
systems for all large-scale services considered absolutely
essential to a nation
• Conventional approach to cyber security not enough
• New approach needed
– Combining best elements of existing security techniques
with challenges that face complex, large-scale national
services
Copyright © 2012, Elsevier Inc.
4. tro
d
u
c
tio
n
Fig. 1.2 – Differences between
small- and large-scale cyber security
5
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
5. n• Three types of malicious adversaries
– External adversary
– Internal adversary
– Supplier adversary
National Cyber Threats,
Vulnerabilities, and Attacks
6
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
6. n
Fig. 1.3 – Adversaries and
exploitation points in national
infrastructure
7
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n• Three exploitation points
– Remote access
– System administration and normal usage
7. – Supply chain
National Cyber Threats,
Vulnerabilities, and Attacks
8
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n• Infrastructure threatened by most common security
concerns:
– Confidentiality
8. – Integrity
– Availability
– Theft
National Cyber Threats,
Vulnerabilities, and Attacks
9
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n
9. Botnet Threat
• What is a botnet attack?
– The remote collection of compromised end-user machines
(usually broadband-connected PCs) is used to attack a
target.
– Sources of attack are scattered and difficult to identify
– Five entities that comprise botnet attack: botnet operator,
botnet controller, collection of bots, botnot software drop,
botnet target
10
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
10. c
tio
n
• Five entities that comprise botnet attack:
– Botnet operator
– Botnet controller
– Collection of bots
– Botnot software drop
– Botnet target
• Distributed denial of service (DDOS) attack: bots
create “cyber traffic jam”
Botnet Threat
11
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
11. r 1
–
In
tro
d
u
c
tio
n
Fig. 1.4 – Sample DDOS attack from a
botnet
12
National Cyber Security
Methodology Components
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
12. In
tro
d
u
c
tio
n• Ten basic design and operation principles:
– Deception – Discretion
– Separation – Collection
– Diversity – Correlation
– Commonality – Awareness
– Depth – Response
13
• Deliberately introducing misleading functionality or
misinformation for the purpose of tricking an
adversary
– Computer scientists call this functionality a honey pot
• Deception enables forensic analysis of intruder
activity
• The acknowledged use of deception may be a
deterrent to intruders (every vulnerability may
actually be a trap)
13. Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n
Deception
14
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
14. p
te
r 1
–
In
tro
d
u
c
tio
n
Fig. 1.5 – Components of an interface
with deception
15
• Separation involves enforced access policy
restrictions on users and resources in a computing
environment
• Most companies use enterprise firewalls, which are
complemented by the following:
– Authentication and identity management
– Logical access controls
– LAN controls
15. – Firewalls
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n
Separation
16
Fig. 1.6 – Firewall enhancements for
national infrastructure
Copyright © 2012, Elsevier Inc.
16. All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n
17
• Diversity is the principle of using technology and
systems that are intentionally different in substantive
ways.
• Diversity hard to implement
– A single software vendor tends to dominate the PC
operating system business landscape
– Diversity conflicts with organizational goals of simplifying
supplier and vendor relationships
17. Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n
Diversity
18
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
18. a
p
te
r 1
–
In
tro
d
u
c
tio
n
Fig. 1.7 – Introducing diversity to
national infrastructure
19
• Consistency involves uniform attention to security
best practices across national infrastructure
components
• Greatest challenge involves auditing
• A national standard is needed
Copyright © 2012, Elsevier Inc.
All rights Reserved
19. C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n
Commonality
20
• Depth involves using multiple security layers to
protect national infrastructure assets
• Defense layers are maximized by using a combination
of functional and procedural controls
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
21. In
tro
d
u
c
tio
n
Fig. 1.8 – National infrastructure
security through defense in depth
22
• Discretion involves individuals and groups making
good decisions to obscure sensitive information
about national infrastructure
• This is not the same as “security through obscurity”
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
22. In
tro
d
u
c
tio
n
Discretion
23
• Collection involves automated gathering of system-
related information about national infrastructure to
enable security analysis
• Data is processed by a security information
management system.
• Operational challenges
– What type of information should be collected?
– How much information should be collected?
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
24. tro
d
u
c
tio
n
Fig. 1.9 – Collecting national
infrastructure-related security
information
25
• Correlation involves a specific type of analysis that
can be performed on factors related to national
infrastructure protection
– This type of comparison-oriented analysis is indispensable
• Past initiatives included real-time correlation of data
at fusion center
– Difficult to implement
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
26. In
tro
d
u
c
tio
n
27
• Awareness involves an organization understanding
the differences between observed and normal status
in national infrastructure
• Most agree on the need for awareness, but how can
awareness be achieved?
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
28. Fig. 1.11 – Real-time situation
awareness process flow
29
• Response involves the assurance that processes are
in place to react to any security-related indicator
– Indicators should flow from the awareness layer
• Current practice in smaller corporate environments
of reducing “false positives” by waiting to confirm
disaster is not acceptable for national infrastructure
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
29. n
Response
30
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n
Fig. 1.12 – National infrastructure
security response approach
30. 31
• Commissions and groups
• Information sharing
• International cooperation
• Technical and operational costs
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n
Implementing the Principles
Nationally