Defense strategy (computing)

Last updated

In computing, defense strategy is a concept and practice used by computer designers, users, and IT personnel to reduce computer security risks. [1]

Contents

Common strategies

Boundary protection

Boundary protection employs security measures and devices to prevent unauthorized access to computer systems (referred to as controlling the system border). The approach is based on the assumption that the attacker did not penetrate the system. Examples of this strategy include using gateways, routers, firewalls, and password checks, deleting suspicious emails/messages, and limiting physical access.

Boundary protection is typically the main strategy for computing systems; if this type of defense is successful, no other strategies are required. This is a resource-consuming strategy with a known scope. External information system monitoring is part of boundary protection. [2]

Information System Monitoring

Information System Monitoring employs security measures to find intruders or the damage done by them. This strategy is used when the system has been penetrated, but the intruder did not gain full control. Examples of this strategy include antivirus software, applying a patch, and network behavior anomaly detection.

This strategy's success is based on competition of offence and defence. This is a time and resource-consuming strategy, affecting performance. The scope is variable in time. It cannot be fully successful if not supported by other strategies.

Unavoidable actions

Unavoidable actions employ security measures that cannot be prevented or neutralized. This strategy is based on the assumption that the system has been penetrated, but an intruder cannot prevent the defensive mechanism from being employed. Examples of this strategy include rebooting, using physical unclonable functions, and using a security switch.

Secure enclave

Secure enclave is a strategy that employs security measures that prevent access to some parts of the system. This strategy is used when the system has been penetrated, but an intruder cannot access its special parts. Examples of this strategy include using the Access level, using a Trusted Platform Module, using a microkernel, using Diode (unidirectional network device), and using air gaps.

This is a supporting strategy for boundary protection, information system monitoring and unavoidable action strategies. This is a time and resource-consuming strategy with a known scope. Even if this strategy is fully successful, it does not guarantee the overall success of the larger defense strategy.

False target

False target is a strategy that deploys non-real targets for an intruder. It is used when the system has been penetrated, but the intruder does not know the system architecture. Examples of this strategy include honeypots, virtual computers, virtual security switches, fake files, and address/password copies.

This is a supporting strategy for information system monitoring. It is a time-consuming strategy, and the scope is determined by the designer. It cannot be fully successful if not supported by other strategies.

Moving target

Moving target is a security strategy based on frequent changes of data and processes. This strategy is based on the assumption that the system has been penetrated, but the intruder does not know the architecture of the system and its processes. Examples of this strategy are regular changes of passwords or keys (cryptography), using a dynamic platform, etc.

This is a supporting strategy for information system monitoring. It is a time-consuming strategy, and the scope is determined by the designer. It cannot be fully successful if not supported by other strategies. Actions are activated on a scheduled basis or as a response to a detected threat.

Useless information

Useless information comprises security measures to turn important information into useless data for an intruder. The strategy is based on the assumption that the system has been penetrated, but the intruder is not able to decrypt information, or does not have enough time to decrypt it. For example, encrypting the file system or using encryption software can render the data useless even if an attacker gets access to the file system, or using data masking, where sensitive data is hidden in non-sensitive data with modified content.

This is a supporting strategy for information system monitoring. It is a time and resource-consuming strategy, affecting performance. The scope is known. It cannot be successful if not supported by other strategies. Claude Shannon's theorems show that if the encryption key is smaller than the secured information, the information-theoretic security can not be achieved. There is only one known unbreakable cryptographic system: the one-time pad. This strategy is not generally possible to use because of the difficulties involved in exchanging one-time pads without the risk of being compromised. Other cryptographic systems are only buying time or can be broken (see Cryptographic hash function#Degree_of_difficulty). This strategy needs to be supported by the moving target or deletes strategies.

Deletion

Deletion is a strategy using security measures to prevent an intruder from gaining sensitive information at all costs. The strategy is based on the assumption that the damage from information disclosure would be greater than the damage caused by deleting the information or disabling the system required to gain access to the information. The strategy is part of the data-centric security approach. Examples of this strategy include information deletion as a response to a security violation (such as unauthorized access attempts) and password resets.

This is a supporting strategy for information system monitoring. It is a resource-consuming strategy, and the scope is determined by the designer. It cannot be fully successful on its own since the detected intrusion is not quarantined.

Information redundancy

Information redundancy is a strategy performing security measures to keep redundancy for information and using it in case of damage. The strategy is based on the assumption that finding and repairing the damage is more complicated than the restoration of the system. Examples of this strategy include using system restoration, keeping backup files, and using a backup computer.

This is a supporting strategy for information system monitoring. This strategy consumes considerable resources, and the scope is known. It can be fully successful in its part.

Limiting of actions made by a robot

Limiting of actions made by a robot is a strategy performing security measures to limit a robot's (software bot) actions. The strategy is based on the assumption that a robot can take more actions, or create damage that a human cannot create. Examples of this strategy include using anti-spam techniques, using CAPTCHA and other human presence detection techniques, and using DOS-based defense (protection from Denial-of-service attack).

This is a supporting strategy for boundary protection and information system monitoring. It is a time and resource-consuming strategy, and the scope is determined by the designer. This strategy cannot be fully successful on its own.

Active defense

Active defense is a strategy performing security measures attacking the potential intruders. The strategy is based on the assumption that a potential intruder under attack has fewer abilities. Examples of this strategy include creating and using lists of trusted networks, devices, and applications, blocking untrusted addresses, and vendor management.

This is a supporting strategy for boundary protection and information system monitoring. It is a time and resource-consuming strategy, and the scope is determined by the designer. This strategy cannot be fully successful on its own.

Unavoidable actions

This strategy can support any other strategy. [3] [4] [5] [6] [ clarification needed ] This is a resource-consuming strategy, and the scope is determined by the designer. An implementation may have a wide impact on devices. [7] This strategy can be fully successful, but in most cases, there is a trade-off of full system functionality for security. This strategy can be used proactively or reactively. Actions done in response to an already detected problem may be too late. [8] Any implementation needs to be supported by the secure enclave strategy in order to prevent neutralizing action by unauthorized access to the protection mechanism.

Actions can be of the following types:

See also

Related Research Articles

<span class="mw-page-title-main">Security</span> Degree of resistance to, or protection from, harm

Security is protection from, or resilience against, potential harm caused by others, by restraining the freedom of others to act. Beneficiaries of security may be of persons and social groups, objects and institutions, ecosystems or any other entity or phenomenon vulnerable to unwanted change.

<span class="mw-page-title-main">Physical security</span> Measures designed to deny unauthorized access

Physical security describes security measures that are designed to deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm. Physical security involves the use of multiple layers of interdependent systems that can include CCTV surveillance, security guards, protective barriers, locks, access control, perimeter intrusion detection, deterrent systems, fire protection, and other systems designed to protect persons and property.

<span class="mw-page-title-main">Intrusion detection system</span> Network protection device or software

An intrusion detection system is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

<span class="mw-page-title-main">Power analysis</span> Form of side channel attack

Power analysis is a form of side channel attack in which the attacker studies the power consumption of a cryptographic hardware device. These attacks rely on basic physical properties of the device: semiconductor devices are governed by the laws of physics, which dictate that changes in voltages within the device require very small movements of electric charges (currents). By measuring those currents, it is possible to learn a small amount of information about the data being manipulated.

<span class="mw-page-title-main">Internet security</span> Branch of computer security

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

Data security means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach.

<span class="mw-page-title-main">Host-based intrusion detection system</span> Type of intrusion detection system

A host-based intrusion detection system (HIDS) is an intrusion detection system that is capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network interfaces, similar to the way a network-based intrusion detection system (NIDS) operates. This was the first type of intrusion detection software to have been designed, with the original target system being the mainframe computer where outside interaction was infrequent.

An information security audit is an audit on the level of information security in an organization. It is an independent review and examination of system records, activities and related documents. These audits are intended to improve the level of information security, avoid improper information security designs, and optimize the efficiency of the security safeguards and security processes. Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Most commonly the controls being audited can be categorized to technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases, and highlights key components to look for and different methods for auditing these areas.

<span class="mw-page-title-main">Federal Office for Information Security</span> German federal agency

The Federal Office for Information Security is the German upper-level federal agency in charge of managing computer and communication security for the German government. Its areas of expertise and responsibility include the security of computer applications, critical infrastructure protection, Internet security, cryptography, counter eavesdropping, certification of security products and the accreditation of security test laboratories. It is located in Bonn and as of 2020 has about 1,100 employees. Its current president, since 1 February 2016, is former business executive Arne Schönbohm, who took over the presidency from Michael Hange.

<span class="mw-page-title-main">Tamperproofing</span> Security methodology

Tamperproofing, conceptually, is a methodology used to hinder, deter or detect unauthorised access to a device or circumvention of a security system. Since any device or system can be foiled by a person with sufficient knowledge, equipment, and time, the term "tamperproof" is a misnomer unless some limitations on the tampering party's resources is explicit or assumed.

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

Data loss prevention (DLP) software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting and blocking sensitive data while in use, in motion, and at rest.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk related to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

<span class="mw-page-title-main">Cryptography</span> Practice and study of secure communication techniques

Cryptography, or cryptology, is the practice and study of techniques for secure communication in the presence of adversarial behavior. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages. Modern cryptography exists at the intersection of the disciplines of mathematics, computer science, information security, electrical engineering, digital signal processing, physics, and others. Core concepts related to information security are also central to cryptography. Practical applications of cryptography include electronic commerce, chip-based payment cards, digital currencies, computer passwords, and military communications.

Cloud computing security or, more simply, cloud security refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

<span class="mw-page-title-main">Security information and event management</span> Computer security

Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware. Vendors sell SIEM as software, as appliances, or as managed services; these products are also used to log security data and generate reports for compliance purposes. The term and the initialism SIEM was coined by Mark Nicolett and Amrit Williams of Gartner in 2005.

<span class="mw-page-title-main">IT risk management</span>

IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:

The following outline is provided as an overview of and topical guide to computer security:

NIST Cybersecurity Framework is a set of guidelines for mitigating organizational cybersecurity risks, published by the US National Institute of Standards and Technology (NIST) based on existing standards, guidelines, and practices. The framework "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes", in addition to guidance on the protection of privacy and civil liberties in a cybersecurity context. It has been translated to many languages, and is used by several governments and a wide range of businesses and organizations.

Network eavesdropping, also known as eavesdropping attack, sniffing attack, or snooping attack, is a method that retrieves user information through the internet. This attack happens on electronic devices like computers and smartphones. This network attack typically happens under the usage of unsecured networks, such as public wifi connections or shared electronic devices. Eavesdropping attacks through the network is considered one of the most urgent threats in industries that rely on collecting and storing data. Internet users use eavesdropping via the Internet to improve information security.

References

  1. Martiny, Karsten; Motzek, Alexander; Möller, Ralf (2015). Formalizing Agents' Beliefs for Cyber-Security Defense Strategy Planning (PDF). Advances in Intelligent Systems and Computing. Vol. 369. pp. 15–25. doi:10.1007/978-3-319-19713-5_2. ISBN   978-3-319-19712-8. S2CID   18198176.
  2. Computer Security Division, Information Technology Laboratory (November 30, 2016). "Release Search - NIST Risk Management Framework | CSRC | CSRC". CSRC | NIST.
  3. "What is two-factor authentication, and which 2FA solutions are best?". PCWorld. June 5, 2019.
  4. "PUF based encryption". www.researchgate.net.
  5. "Design and implementation of Hardware-assisted security architecture for software integrity monitoring". hal.archives-ouvertes.fr.
  6. "Real-time Captcha technique improves biometric authentication". ScienceDaily.
  7. "Adding kill switches to protect your privacy is not as simple as you might think". amosbbatto.wordpress.com. August 15, 2019.
  8. Gitlin, Jonathan M. (October 18, 2019). "Should all connected cars have a physical network kill switch?". Ars Technica.