Chapter 3: Setting up Defenses


To properly understand what is meant by the term Information Assurance (IA), there needs to be some context, some structure we can use as a reference point, that creates a common understanding. This reference point we need is called an information infrastructure. The Information Assurance Technical Framework (IATF) [1] defines an information infrastructure as follows: "An information infrastructure comprises communications networks, computers, databases, management, applications, and consumer electronics and can exist at the global, national, or local level."

3.1 Foundations of Information Assurance

The Internet is an example of a global information infrastructure. Most businesses now rely on this global information infrastructure while conducting operations using any combination of networking interconnects that are globally available today. Once a common context for an information infrastructure is understood, we can describe processes that categorize information into distinct groupings. For example, a company may have information it considers public knowledge, and it would place that knowledge in the "public" category in its company-specific process of categorization of its corporate information. However, the same company is also very cautious about protecting company secrets, and some documents that are considered sensitive or those documents whose release would harm the company are considered a part of its "private" category. Such public and private categories are sometimes referred to as domains. Only certain groups of people are allowed to see the "private" domain information. Within the scope of this "private" domain, information may be further subcategorized as accessible only by members of the finance department, the human relations department, the information technology department, and so on.

In our government, such categorization processes are referred to as classification levels. Our government recognizes four general classification levels: unclassified, confidential, secret, and top secret. Among these four levels, there also may be subcategories specific to individual communities grouped very similarly to the corporate departments mentioned previously. Such communities are often defined by the work tasks they perform and by their need to have access to such information. In many instances, it is not enough to simply be a member of a group in order to gain access to information. Certain categories of information require the individual to also have a "need to know" about that information. This "need to know" is often certified by some higher authority as necessary for the performance of work because that person could not vouch for him or herself. This additional process of information subcategorization into a "need to know" group further protects the information from unauthorized release. It assures the creator, protector, or owner of such information that a process is in place, in addition to physical access restrictions, to protect the information from unauthorized disclosure. This is the essence of what is meant by information assurance.

For any business or government organization to work effectively, it is required to implement methods that enforce maintaining the integrity of the aforementioned information domains. This is problematic because information within an organization often needs to be shared among different groups, and this sharing process creates boundary issues. People working in organizations and sharing information need to agree on the classification level of the information and the methods they will use to protect that information. Sometimes, one group will regard information as more or less sensitive than its organizational counterpart, and representatives from both groups then need to find a means of negotiating a mutually agreeable solution that allows information to flow across the boundary of one group and into the boundary of another group.

"What happens if one group has different security policies in place from the other group?"

"How can information be protected equally among organizations?"

These questions have been answered by the application of a common framework for protecting information assets. This framework, called the IATF, mentioned previously, has created the following four categories within all organizations whereby the application of a common set of principles and processes will help assure that information is safeguarded:

  1. Local computing environments

  2. Enclave boundaries (around local computing environments)

  3. Networks and infrastructures

  4. Supporting infrastructures

The local computing environment usually consists of clients, servers, and the applications installed on both of them. Applications can include, but are not limited to, those that provide services such as scheduling, time management, printing, word processing, or directory services. Other examples of local computing environment applications are e-mail messaging software, operating systems, Web browsers, electronic commerce applications, database access software, wireless access software, collaborative computing products, and so on.

A collection of local computing devices that are interconnected on a Local Area Network (LAN) and are governed by a single security policy, regardless of physical location, is considered an enclave boundary. An enclave can be distributed across one or more locations having connectivity from the LAN to a Wide Area Network (WAN) or the Internet. The enclave boundary is the physical location where information enters or leaves the enclave. Many organizations have extensive connections to networks that are outside their control, so a layer of protection is needed to ensure that the inbound information does not affect the organization's operation or resources, and that outbound information is authorized. Most businesses use multiple types of external network connections that pass through the enclave boundary.

These types of connections can include direct Internet connections, dial-up access via the public telephone network, connection to an Internet Service Provider (ISP), or by several other means available on the open market today. Such connections to other local networks often mean dealing with networks that are operating at different classification levels. Each connection requires different types of solutions to satisfy both operational and IA concerns. Internet connections invite access through the boundary, with security only as good as the entire network through which the data are being transported. This generally means that the security is only as good as the lowest level of classification through which it passes. In order to protect against unauthorized disclosure of information, safeguards must be enacted to assure us that the information does not flow from a higher classification source to or through a lower classification source.
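As an added illustration of the flow rule just stated, combined with the need-to-know subcategorization described earlier in this section, the following checker decides whether information may cross a chain of enclave boundaries. It is example code written for this edit, not from the IATF or the book; the domain names and compartment labels are constructed.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """The four general classification levels named in the chapter, lowest first."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Domain:
    """A domain: a classification level plus the need-to-know compartments
    (hypothetical labels such as 'FINANCE') that further subcategorize it."""
    name: str
    level: Level
    compartments: frozenset = field(default_factory=frozenset)


def check_flow(path):
    """Check a transfer along a chain of domains: source, any transit networks,
    destination. Each hop must be at least as highly classified as the one
    before it and hold every compartment it carries, so information never flows
    to or through a lower classification. Returns [] if allowed, else reasons."""
    problems = []
    for cur, nxt in zip(path, path[1:]):
        if nxt.level < cur.level:
            problems.append(f"{cur.name} -> {nxt.name}: {cur.level.name} data "
                            f"would pass through a {nxt.level.name} domain")
        missing = cur.compartments - nxt.compartments
        if missing:
            problems.append(f"{cur.name} -> {nxt.name}: no need-to-know "
                            f"for {sorted(missing)}")
    return problems


# Constructed sample domains, not taken from any real organization.
FINANCE = Domain("finance-enclave", Level.SECRET, frozenset({"FINANCE"}))
HR = Domain("hr-enclave", Level.SECRET, frozenset({"HR"}))
EXEC = Domain("exec-enclave", Level.TOP_SECRET, frozenset({"FINANCE", "HR"}))
ISP = Domain("isp-transit", Level.UNCLASSIFIED)

if __name__ == "__main__":
    print(check_flow([FINANCE, EXEC]))       # []: higher level and holds the compartment
    print(check_flow([FINANCE, HR]))         # same level, but HR lacks need-to-know
    print(check_flow([FINANCE, ISP, EXEC]))  # destination is fine, the ISP hop is not
```

The third case shows why the chapter stresses the path, not just the endpoints: the executive enclave dominates the finance enclave, yet routing the data through an unclassified transit network is still a violation.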

The network and infrastructure equipment that provides connectivity between enclaves can be logically grouped into three areas:

  1. Public/commercial networks and network technologies

  2. Dedicated network services

  3. Government-owned and operated

The public/commercial networks used by the private sector and government include the Internet, the Public Switched Telephone Network (PSTN), and wireless networks. Wireless networks include cellular, satellite, wireless LAN, and paging networks. Access to networks is typically gained through telecommunications service providers. These public networks are wholly owned and operated by private-sector providers.

For dedicated network services, organizations must engage in contracts that procure network services. Public network providers grant access to their networks through an arrangement with the buyer. Businesses obtain telecommunications services in a similar manner, leasing and purchasing dedicated commercial telecommunications services.

Finally, the government owns and operates some dedicated network services. Examples include the Department of Energy's Energy Science Network (ESNet), the Federal Aviation Administration's Agency Data Telecommunications Network (ADTN), and the Department of Defense's Secret Internet Protocol Router Network (SIPRNET). These networks may begin as private networks, go through leased or public networks, and terminate as private networks. They also include totally owned and operated networks such as MILSTAR.

Supporting infrastructures provide the foundation on which IA mechanisms are used in the network, enclave, and computing environments for securely managing the system and providing security-enabled services. Supporting infrastructures provide security services for networks, end-user workstations, servers for the Web, applications, and files, and single-use infrastructure machines (e.g., higher-level Domain Name Server [DNS] services, higher-level directory servers). Two areas specifically addressed in the IATF are Key Management Infrastructure (KMI), which includes Public Key Infrastructures (PKIs), and detect and respond infrastructures, which are discussed later in this chapter.

So far in this section, we have discussed the basic tenets of IA. This consists of having a common point of reference known as an information infrastructure, categorized by varying levels, or classifications, of the sensitivity of the information contained therein. This information, in practical use, needs to be shared across boundaries within and outside of an organization. Protection of information being passed across those boundaries needs to be effected using a common framework between organizations sharing the information. Such a framework, known as the IATF, is used in both government and industry to provide a solution to passing information across these information boundaries. Supporting infrastructures that provide mechanisms for passing information across these boundaries include PKIs and detect and respond infrastructures.

Organizational and governmental information systems and their corresponding networks offer attractive targets to hackers. They must be able to withstand the ever-growing quantity of threats from hackers of all types in order to limit damage and recover rapidly when such attacks do occur. The IATF considers five classes of attacks:

  1. Passive. Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting weakly encrypted traffic, and capturing authentication information (e.g., passwords). Passive intercept of network operations can give adversaries indications and warnings of impending actions. Passive attacks can result in the disclosure of information or data files to an attacker without the consent or knowledge of the user. Examples include the disclosure of personal information, such as credit card numbers and medical files.

  2. Active. Active attacks include attempts to circumvent or break protection features, introduce malicious code, or steal or modify information. These include attacks mounted against a network backbone, exploitation of information in transit, electronic penetrations into an enclave, or attacks on an authorized remote user when attempting to connect to an enclave. Active attacks can result in the disclosure or dissemination of data files, denial of service, or modification of data.

  3. Close-in. A close-in attack is one in which an unauthorized individual is in close physical proximity to networks, systems, or facilities in order to modify, gather, or deny access to information. Close proximity is achieved through surreptitious entry, open access, or both.

  4. Insider. Insider attacks can be malicious or nonmalicious. Malicious insiders have the intent to eavesdrop, steal or damage information, use information in a fraudulent manner, or deny access to other authorized users. Nonmalicious attacks typically result from carelessness, lack of knowledge, or intentionally circumventing security for nonmalicious reasons such as to "get the job done."

  5. Distribution. Distribution attacks focus on the malicious modification of hardware or software at the factory or during distribution. These attacks can introduce malicious code into a product, such as a back door to gain unauthorized access to information or a system function at a later date.

The IA strategy the IATF recommends for dealing with these types of attacks is known as Defense-in-Depth. The Department of Defense (DoD) has been in the vanguard of this effort, leading the way in defining this strategy in order to achieve a highly effective IA posture. The next section summarizes the essence of the Defense-in-Depth strategy for a better understanding.

Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153