In-Depth
A 3-Step Defense-in-Depth Strategy for Combating Cyberterrorism
Learn how a "defense-in-depth" strategy can provide greater protection to your enterprise.
by John Sutton
The conversation around the security of essential intelligence and defense systems within the U.S. federal government has been intensifying for some time. In a recent article [see Note 1] discussing the Pentagon's cyberstrategy, Deputy Defense Secretary William J. Lynn III said malicious code placed on a flash drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military's Central Command when that flash drive was inserted into a U.S. military laptop on a post in the Middle East in 2008.
That code spread undetected on both classified and unclassified systems. Lynn noted that the Pentagon's 15,000 networks and 7,000,000 computing devices are being probed thousands of times daily, and that it is difficult to identify the instigator of an attack.
In another recent report [see Note 2], the FBI said it is spending nearly $100 million to outsource its cybersecurity. Federal agencies across the board recognize the need to strengthen their cybersecurity, but the federal government doesn't have enough manpower to do it themselves, and there is a growing trend to purchase managed security services to do the job.
In fact, the federal government has committed several billion dollars as part of its Comprehensive National Cyber Initiative, which is designed to secure both agency networks and Web sites to avoid what has been described as a potential "electronic Pearl Harbor." The thought of a foreign power being able to shut down a country's critical infrastructure or to gain critical intelligence is something no one wants to imagine.
Like it or not, cyber attacks exist, and we have to address them. The trend toward managed security services allows agencies to proactively monitor, control, and protect their network infrastructure. Unprecedented levels of network awareness and in-depth forensic capabilities are necessary to provide the most advanced, end-to-end managed security services available today. These services should include continuous monitoring, intrusion detection, anomaly detection, and data retention, and should be based on a "defense-in-depth" strategy.
A "defense-in-depth" strategy utilizes multiple, independent and interlinking layers of security to provide greater protection than each of the controls provides individually. It also leverages the many standards and best practices collaboratively created by thought leaders in the U.S. government and in industry alliances.
There are three steps to the strategy.
Step 1: Secure the Perimeter
Perimeter security is essential to protecting networks and systems from the "untrusted" outside world. Any system or network that is not managed and controlled by the government should be considered untrusted and a potential threat. The first line of defense is to deploy firewalls at all access points where government networks are connected to untrusted networks. The most common untrusted network is the Internet, but untrusted networks can also include other internal networks, connected partners and suppliers, and any wireless network to which your systems may be connected. A distributed, perimeter-firewall architecture should be deployed globally, applied uniformly to every access point, and managed centrally.
Installing a firewall is just the first step in securing the perimeter. The perimeter has many holes that need additional protection. Two of the most common holes are Internet access and e-mail access. It is critical to be aware of -- and manage -- the network traffic to and from the Internet through Web content management. This allows you to control access to the Internet and the sites available to your employees. In addition, a perimeter e-mail antivirus system is used to eradicate viruses and malware in e-mail messages at the perimeter before they reach e-mail servers.
These perimeter defenses have a proven track record of protecting the enterprise against known malicious activity. The next level of perimeter security consists of continuous monitoring through the deployment of network sensors that collect network traffic flow information and metadata, providing a baseline against which to evaluate traffic. These tools provide situational awareness about your network and the traffic to and from your network. The variances from the baseline are considered network anomalies that need to be investigated and analyzed. Continuous monitoring and analysis is critical for protecting your network from the unknown and untrusted networks.
Step 2: Secure Your Systems
Securing the network is critical to protecting systems and data, but the systems themselves are primary targets for exploitation. The perimeter has been extended (one could even say eroded) by mobile devices. It is critical to protect the mobile device with host-based firewalls, host-based intrusion detection, antivirus protection, and endpoint security deployed on the device to protect against untrusted networks and systems. In addition, critical mobile devices should also be required to have whole disk encryption to protect from a physical intrusion.
Additional steps for securing systems include vulnerability testing and management, system hardening, patch management, antivirus, managing system access, and log management. Whole disk encryption (WDE) should be implemented on mobile devices that store critical data on them, such as personnel records or confidential information. WDE protects the mobile system from inappropriate disclosure in the event of system loss or theft.
Step 3: Secure the Network
Today's sophisticated networks connect globally via wide area networks (WAN), local area networks (LAN), wireless LANs, and special segregated networks, such as data center networks and extranets. As networks have grown, the need to gain access has changed from a tightly controlled access method to an open architecture environment that supports flexibility. Technology such as 802.1x authentication and network access control (NAC) exist, but the technology is not widely used.
The greatest risk to most networks is from the trusted insider -- employees, vendors, partners, and suppliers that are allowed to connect to your networks. These trusted insiders may intentionally or unintentionally introduce malware into the environment. This is why it is essential to implement additional security controls to protect networks, systems and data:
- A distributed network intrusion detection system (NIDS) at each primary Internet access point, at each VPN gateway, and at the border between the agency network and data communication network (DCN) networks is essential. The NIDS implementation passively inspects network traffic for known patterns of unacceptable activity. These could include worms, hacking attempts, network enumeration, port scanning, or policy violations such as peer-to-peer file sharing or unauthorized remote access connections.
- Passive Operating System fingerprinting allows one to monitor the systems that are transiting the perimeter access points and to capture critical information that can be used to make sure that the systems are identified and protected. The data that is gathered through the passive OS fingerprinting can be compared to the known systems inventory. This technology can also be used to identify rough systems or new systems that have been added to the network out of process.
- A public key infrastructure (PKI) facilitates the use of corporate PKI-signed X.509 certificates for secured inter-server/inter-process communications, SSL/TLS protected Web services, and 802.1X host authentication and network admission control. PKI services also can be extended to the end user, with S/MIME e-mail encryption and digital signatures.
Securing government agencies and enterprises is complicated. It requires an overall security strategy including network security, physical security, personnel security, and information assurance. Although the implementation of the technology will vary, the underlying principles remain consistent.
NOTES:
1. "Defending a New Domain; the Pentagon's Cyberstrategy," William J. Lynn III, Foreign Affairs, September/October 2010
2. "FBI Outsources Cybersecurity to Mantech," Elizabeth Montalbano, Information Week, August 18, 2010
John Sutton is executive vice president and general manager, Federal Sector at Global Crossing Ltd.. You can contact the author at here.