Channel: Battle Magic Security » Threats

Information Security in 2020: Part II


In our last post we asked a simple question: Why do data breaches still occur?

To begin answering it, we need to look at the state of the contemporary security scene from three points of view: the information security product or service provider, the corporate consumer, and the networked user.

To begin, then: most security practitioners would agree, I believe, on the generic objectives that make up a complete networked security solution. These include the following:

  1. Privacy: keeping information confidential; preventing disclosure to unauthorized users. (Keep it secret)
  2. Authentication: providing proof of the credentials of either the originator of information or a participant in a session. (Who are you?)
  3. Authorization: permitting authenticated users to access only the specified information, systems, and services that they require. (What can you do?)
  4. Integrity: providing assurance that information has not been changed during handling.
  5. Non-repudiation: preventing a participant in a service or transaction from denying having taken some specific action.
  6. Availability: ensuring that required systems, services, and data are available in a timely manner. (Is it there when you need it?)

Most would also agree that, at its highest level, a security system that meets the objectives above is built from multiple overlapping approaches (multiple layers of defense, or defense-in-depth) that make it difficult for an attacker to penetrate the network strata.

External-facing (bastion) routers and firewalls make up the first zone, followed by internal zones, which are often logically separated by VLANs, ACLs, additional firewalls, and so on, each containing increasingly sensitive systems and data as one moves toward the core.

The generic approaches used to secure these networks fall into three broad categories: (1) Prevention approaches, which try to stop an attacker from penetrating the network and causing harm; (2) Detection approaches, which identify an attacker after the preventive barriers have already been breached; and (3) Response approaches, which act on an attacker once the detection layer has found that the preventive barriers were penetrated.

Prevention schemes are generally the best-funded of the three approaches and are historically the most common and obvious. The classes of devices and techniques used in this approach include firewalls (both UTM and next-generation), router-based point solutions, VPNs, NAT devices, Session Border Controllers (SBCs), proxies, traffic-shaping devices, and Intrusion Prevention Systems (IPSs). All of these systems are designed to stop or slow an outsider from attacking critical internal resources.

Detection schemes are more recent, and use devices such as Intrusion Detection Systems (both network- and host-based), honeypots and honeynets, and log analysis. Procedures associated with these detection systems focus on determining whether an attack or a break-in has occurred and what methods the attacker used to accomplish it.

Response approaches may ultimately end up in the police realm, but more often the organization's IT security group or an outsourced security group takes on the forensic role. A Computer Security Incident Response Team (CSIRT) is the focal point for responding to computer security incidents in most organizations. Response may be as simple as pulling the plug on an infected server, or as complicated as managing a complete forensic trail while orchestrating internal and external communications.
