NCSAM – Week 5 – Building Resilience in Critical Infrastructure
Week 5: October 31, 2016 – Topic: Building Resilience in Critical Infrastructure
The first step in designing an information security program often involves a survey of the data and technologies in use throughout an environment. It is crucial to build an understanding of the types of information stored and processed within an organization, because that understanding is what allows the types and placement of security controls to be prioritized. In the complex and dynamic infrastructures supporting the modern enterprise, it has become common to assign a level of “criticality” to information system components; this includes hardware, software, and the data itself. A criticality assignment reflects the potential business impact of losing that system or service, or the data that resides on it. Systems deemed highly critical are those which process business-sensitive or personal data, as well as those which support mission-critical applications. Other systems may merit a lower criticality rating.
Highly critical systems are those whose compromise would have a truly adverse effect on the health or growth of a business. These systems require the utmost care and attention to detail in the design of the controls implemented to support the confidentiality, integrity, and availability of the information system. It is easy to confuse “critical” systems with “vulnerable” systems: the results of a fresh vulnerability scan immediately draw attention toward the hosts with findings and away from systems which do not appear vulnerable. However, the criticality of an information system is, for the most part, independent of its vulnerability to compromise; a critical system with no open findings today still deserves continuous monitoring and multiple controls at each logical level in order to protect the business’s critical data. This concept of defense-in-depth is built upon the idea that overlapping controls protect the target more effectively in the event of an actual attack.
When used effectively, defense-in-depth lowers the likelihood that an attacker reaches a target by compromising any one security control. Applying defense-in-depth to critical infrastructure builds resilience without focusing on any single attack vector. This broad approach layers controls such that reaching a target requires successfully navigating a diverse collection of perimeter, network, host, and data-level controls. The design should ensure that compromise of any individual control does not grant an adversary the access they are seeking.
For example, consider a database supporting a payment processing application which is absolutely critical to the continued success of an organization. Defense-in-depth calls for layered controls at every definable level of the system. At the perimeter, enterprise-level firewalls may be blocking rogue attempts to reach internal network resources, and intrusion detection or prevention services may be analyzing traffic to identify or block malicious activity. On the internal network, network access control (NAC) may be in place to prevent rogue systems from establishing a network connection, and network segregation techniques such as subnets and virtual local area networks (VLANs) may be used to prevent communication between certain hosts; the critical database may live on a dedicated VLAN, making it unreachable from ordinary user workstations. At the host level, monitoring software may capture and analyze traffic sent to the database, and connections may be limited by an inline or host-based firewall so that only specific hosts may reach the database listener. Access controls requiring strong passwords or multi-factor authentication may govern the ability to authenticate to the database itself, and can further restrict which accounts may connect from which hosts. Finally, data-level controls such as encryption and data loss prevention limit an attacker's ability to read, modify, or exfiltrate the data itself, and a robust, regularly tested backup strategy also offers protection at the data level.
Defense-in-depth does not call for the adoption of every available security control. Rather, it is a framework for structuring the chosen controls so that the failure of any one control does not compromise the target. Layering controls also buys system administrators time to identify and mitigate an attack while it is still in progress, since each layer the attacker must work through is another opportunity for detection. No security control should be an island: an attacker who successfully compromises the first control should be met only with another.
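As an added illustration of the layered design sketched in the payment-database example and of the rule that no control should be an island, the following Python models each control (segmentation, NAC, host firewall, database authentication, transport encryption) as a separate check and then verifies the defense-in-depth property directly: a hostile attempt must stay denied no matter which single control is taken out of the picture. This is example code written for this page, not code from the original post; the VLANs, addresses, host names and accounts are constructed for the illustration, and only the standard library is used.

```python
"""Layered access policy for a payment database (constructed example).

Each control is a function that returns None when it permits an attempt and a
short denial reason otherwise.  An attempt is allowed only when every enabled
layer permits it.  survives_single_control_failure() expresses the
defense-in-depth property from the text: switching off (i.e. compromising)
any ONE control must not be enough to let a hostile attempt through.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Attempt:
    src_ip: str        # address the connection originates from
    src_host: str      # host identity as seen by NAC
    dst_port: int      # port requested on the database server
    account: str       # database account presented
    password_ok: bool  # password check passed
    mfa_ok: bool       # second factor passed
    tls: bool          # session is encrypted in transit


# --- constructed environment (assumptions for this example) ---
APP_VLAN = ip_network("10.20.40.0/24")                 # payment app servers / bastion
DB_PORT = 5432
ALLOWED_HOSTS = {                                       # NAC registry and host-fw allowlist
    "pay-app-01": "10.20.40.11",
    "pay-app-02": "10.20.40.12",
    "bastion-01": "10.20.40.50",
}
DB_ACCOUNTS = {                                         # account -> hosts it may connect from
    "svc_payments": {"pay-app-01", "pay-app-02"},
    "dba_alice": {"bastion-01"},
}

Layer = Callable[[Attempt], Optional[str]]


def network_segmentation(a: Attempt) -> Optional[str]:
    """VLAN/subnet control: only the application VLAN can route to the DB VLAN."""
    return None if ip_address(a.src_ip) in APP_VLAN else "network: source not on application VLAN"


def network_access_control(a: Attempt) -> Optional[str]:
    """NAC: the presenting host must be registered with exactly this address."""
    return None if ALLOWED_HOSTS.get(a.src_host) == a.src_ip else "nac: unregistered host or address mismatch"


def host_firewall(a: Attempt) -> Optional[str]:
    """Inline/host firewall: only the listener port, only from allowlisted addresses."""
    if a.dst_port != DB_PORT:
        return "host-fw: port not exposed"
    if a.src_ip not in ALLOWED_HOSTS.values():
        return "host-fw: source address not allowlisted"
    return None


def database_authentication(a: Attempt) -> Optional[str]:
    """DB access control: known account, bound to this host, password plus MFA."""
    if a.account not in DB_ACCOUNTS:
        return "db-auth: unknown account"
    if a.src_host not in DB_ACCOUNTS[a.account]:
        return "db-auth: account not permitted from this host"
    if not (a.password_ok and a.mfa_ok):
        return "db-auth: credential or MFA failure"
    return None


def transport_encryption(a: Attempt) -> Optional[str]:
    """Data-level control: cleartext sessions are refused."""
    return None if a.tls else "data: TLS required"


LAYERS: Dict[str, Layer] = {
    "segmentation": network_segmentation,
    "nac": network_access_control,
    "host_firewall": host_firewall,
    "db_auth": database_authentication,
    "tls": transport_encryption,
}


def evaluate(a: Attempt, disabled: FrozenSet[str] = frozenset()) -> Tuple[bool, List[str]]:
    """Run every enabled layer and return (allowed, denial reasons).

    Layers are deliberately not short-circuited: each one records its own
    decision, which is what gives responders several chances to notice an
    attack in progress rather than one."""
    reasons: List[str] = []
    for name, layer in LAYERS.items():
        if name in disabled:
            continue
        reason = layer(a)
        if reason is not None:
            reasons.append(reason)
    return (not reasons, reasons)


def survives_single_control_failure(a: Attempt) -> bool:
    """True if the attempt is still denied whichever single control is removed."""
    return all(not evaluate(a, frozenset({name}))[0] for name in LAYERS)


# Constructed scenarios.
LEGIT = Attempt("10.20.40.11", "pay-app-01", DB_PORT, "svc_payments", True, True, True)
# Stolen service-account credentials replayed from a workstation on a user VLAN.
STOLEN_CREDS = Attempt("10.20.50.23", "user-pc-117", DB_PORT, "svc_payments", True, True, True)
# Foothold on an allowed app server, trying the DBA account without a second factor.
FOOTHOLD_DBA = Attempt("10.20.40.11", "pay-app-01", DB_PORT, "dba_alice", True, False, True)

if __name__ == "__main__":
    for label, attempt in [("legit", LEGIT), ("stolen creds", STOLEN_CREDS), ("foothold", FOOTHOLD_DBA)]:
        allowed, reasons = evaluate(attempt)
        print(f"{label:13s} allowed={allowed} resilient={survives_single_control_failure(attempt)} {reasons}")
```

The stolen-credential attempt is refused by four independent layers, so removing any one of them changes nothing. The last scenario shows the check doing its real job: from a compromised application server, the DBA account is held back by database authentication alone, and survives_single_control_failure reports False. That is exactly the single-control dependency the text warns against, and it points at where another layer (for instance, binding privileged accounts to the bastion at the host firewall too) is needed.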