Kinya Sharon - Ass1 - Infrastructure
UNIT: BISF-3202
Email: [email protected]
SEPT-DEC 2022
i. Map out a Defense in Depth Perimeter you would apply in strategizing the
security of a critical infrastructure component along with the Corresponding
Protective Measures (10 Marks)
Critical infrastructure comprises those physical facilities, supply chains, information technologies and
communication networks that, if destroyed, degraded or rendered unavailable for an extended
period, would significantly impact the social or economic wellbeing of the nation or affect the
nation's ability to conduct national defense and ensure national security.
Defense in Depth is a cybersecurity strategy in which many protective measures are layered to
safeguard sensitive data and information. When one defense system fails, another springs into
action right away to stop an assault. This multi-layered strategy with deliberate redundancy
boosts system security overall and counters numerous attack routes.
Defense in Depth uses a comprehensive strategy to safeguard all assets, by providing effective
levels of monitoring and protection using the resources that are available to the organization
while taking into account its interconnections and dependencies.
Prevention
Detection
Response
Defense-in-depth architecture: Layered security
Physical controls – These controls include security measures that prevent physical access to IT
systems, such as security guards or locked doors.
Technical controls – Technical controls include security measures that protect network systems
or resources using specialized hardware or software, such as a firewall appliance or antivirus
program.
1. Physical access
I will implement physical access control, which provides protection for the entire facility, from the
outside perimeter to the inside office space, including the data center or server room.
i. Biometrics
Biometrics are physical traits or biological measurements that can be used to identify a person.
Examples of biometric technology include:
facial recognition
fingerprint mapping
retina scans
voice recognition
Physical access control ensures that only those who are allowed to enter an area can do so, by
creating barriers that prevent unauthorized people from entering a physical space. Such barriers include:
A data diode is a unidirectional network communication device that enables the safe, one-way
transfer of data between segmented networks. Data diode design maintains physical and
electrical separation of source and destination networks, establishing a non-routable, completely
closed one-way data transfer between networks. Data diodes effectively eliminate external points
of entry to the sending system, preventing intruders and contagious elements from infiltrating the
network.
2. Network Access
I will implement network access control (NAC) solutions to manage access to network
resources by establishing which devices and users are authorized to connect to the wired and
wireless networks of the critical infrastructure. This makes all devices and users visible to
network managers and allows technicians to enforce security policies across every part of the
corporate network. NAC tools also determine which resources are available to a corporate
network user. Security policies can set out different access tiers depending on user roles, and
NAC software can make it impossible for users to move outside their allotted permissions.
VPNs protect user data by routing all communications through an encrypted tunnel to a private
server rather than sending them directly over the public internet, allowing users to connect
remotely to a network through a secure tunnel.
iv. Firewalls
Firewalls are software or hardware appliances that control network traffic through allow or deny
policies or rules. These rules may blacklist or whitelist IP addresses, MAC addresses and ports.
There are also application-specific firewalls, such as Web Application Firewalls (WAF) and
secure email gateways, that focus on detecting malicious activity directed at a particular
application.
An IDS detects unauthorized access attempts and flags them as potentially dangerous, but does
not itself block or remove them.
An access control list (ACL) is a list of rules that specifies which users or systems are granted or
denied access to a particular object or system resource.
3. User management
Core principles.
Details of the core principles underpinning user-access management and providing the basis
for subsequent controls.
Details of the key objectives and approaches to providing information security governance
oversight to user-access management.
Details of the key objectives and approaches to implementing user-access management controls
in the management of personnel within an organisation.
Details of the key objectives and approaches to implementing specific technical controls into a
comprehensive user-access management scheme.
Corresponding Protective Measures:
Active Directory is a database and set of services that runs on Microsoft Windows Server.
Active Directory will provide two main functions, where it allows:
LDAP (Lightweight Directory Access Protocol) is a software protocol that allows users to locate
an organization’s data. LDAP authentication techniques are an effective deterrent to security
risks. LDAP will assist with:
Preventing the disclosure of any passwords, by using an encrypted channel that the LDAP
server supports.
Monitoring and prevention – it will include logging, vulnerability scanning, and security
training for staff.
4. Data access
Data access control will be used to control how users interact with critical infrastructure’s data.
The goal is to ensure that data is accessed in a manner that meets the security, privacy, and
compliance needs, without undermining efficiency or accessibility.
Permission Control
Entity-centric methods
Data centric methods
Context centric methods
Access control, Authentication and Authorization
i. Entity-centric methods
Entity-centric data access control involves setting permissions based on different entities’
attributes.
ii. Data centric methods
Data-centric methods set up rules to control access at the level of the data itself, rather than
based on entities, to maximize security. For example, a particular dataset can be made accessible
only via a dedicated application, and access to that application is then strictly controlled through
authentication and identity management tools.
iii. Context centric methods
I will limit the capacity to export huge amounts of data to specific periods of the day based on
the context of how data is accessed, in order to avoid significant breaches. I could also limit the
activities that can be taken on particular database items based on where they are in a given
workflow.
Access control is a security technique that regulates who or what can view or use resources in a
computing environment. Access control involves two main processes:
Authentication is the process of ensuring users are who they say they are.
Authorization is the process of ensuring authenticated users have access to the necessary
data and resources.
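The three data access methods (entity-centric, data-centric and context-centric) and the authentication-then-authorization sequence described above can be combined in a single policy decision. The following is an added example, not code from the original assignment: a small Python policy engine in which the roles, datasets, applications, export window and row threshold are constructed values. Each check corresponds to one of the methods in the text, and the unauthenticated case is rejected before any authorization rule is consulted.

```python
from dataclasses import dataclass
from datetime import time

# Entity-centric: which roles may touch which datasets (constructed values).
ROLE_DATASETS = {
    "scada_operator": {"telemetry"},
    "analyst": {"telemetry", "maintenance_logs"},
    "dba": {"telemetry", "maintenance_logs", "hr_records"},
}

# Data-centric: the only application through which each dataset may be reached.
DATASET_APPS = {
    "telemetry": "hmi",
    "maintenance_logs": "cmms",
    "hr_records": "hr_portal",
}

# Context-centric: bulk exports are allowed only inside this local-time window.
EXPORT_WINDOW = (time(8, 0), time(17, 0))
BULK_EXPORT_ROWS = 10_000          # exports above this size count as bulk


@dataclass
class Request:
    user: str
    role: str
    dataset: str
    app: str             # application the request arrives through
    action: str          # "read" or "export"
    rows: int            # number of rows requested
    at: time             # local time of the request
    authenticated: bool  # outcome of the authentication step


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Authentication must succeed before any authorization rule runs."""
    if not req.authenticated:
        return False, "deny: unauthenticated"

    # Entity-centric check: role must be permitted on the dataset.
    if req.dataset not in ROLE_DATASETS.get(req.role, set()):
        return False, f"deny: role {req.role} not permitted on {req.dataset}"

    # Data-centric check: the dataset is reachable only via its dedicated application.
    required_app = DATASET_APPS.get(req.dataset)
    if required_app != req.app:
        return False, f"deny: {req.dataset} only accessible via {required_app}"

    # Context-centric check: large exports only inside the permitted window.
    if req.action == "export" and req.rows > BULK_EXPORT_ROWS:
        start, end = EXPORT_WINDOW
        if not (start <= req.at <= end):
            return False, "deny: bulk export outside permitted window"

    return True, "allow"


if __name__ == "__main__":
    sample = Request("alice", "dba", "hr_records", "hr_portal", "export",
                     50_000, time(23, 0), authenticated=True)
    print(decide(sample))
```

Every denial carries a reason string so that the decision can be logged and reviewed; a monitoring pipeline can then alert on repeated denials of the same kind, such as a role probing datasets it is not entitled to.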
File integrity monitoring refers to an IT security process and technology that tests and checks
operating system (OS), database, and application software files to determine whether or not they
have been tampered with or corrupted.
File integrity monitoring verifies and validates these files by comparing their latest versions
to a known, trusted baseline. If file integrity monitoring detects that files have been altered,
updated, or compromised, it generates alerts so that further investigation and, if necessary,
remediation take place. File integrity monitoring encompasses both reactive (forensic) auditing
and proactive, rules-based active monitoring.
5. Data
Data is the lifeblood of every organization. It informs decision-making, finds solutions to
problems, improves the efficiency and efficacy of operations, boosts customer service and
informs marketing efforts, reduces risks, increases productivity, enhances collaboration and, in
the end, is instrumental in increasing revenue and profit.
Data security is the practice of safeguarding digital information from unauthorized access,
accidental loss, disclosure and modification, manipulation or corruption throughout its entire
lifecycle, from creation to destruction.
6. Human element
The human element is the least secure and least controlled aspect of enterprise security because
of the inherent vulnerability of human trust; we are prone to the tactics of social engineering.
Humans motivate cyberattacks, and humans also, often unknowingly, facilitate cyberattacks.
Security starts with people, and technology should support them effectively. People controls
cover the main goals, methods, and controls that an organization may use to integrate defense in
depth ideas into the field of human security. Through an employee lifecycle strategy, I will
implement layered controls that address the following areas and reduce people-related risks in
the organization:
job and role definition
recruitment and selection
induction, training and development
ongoing operations
role change management
management of morale
termination of employment strategy avoiding any unnecessary level of employee distress