Fri Dec 5 09:28:48 PST 2014

Zones: Connection controls: How should connections between devices be controlled?


Options:

Definitions:
Define AREAS: {zones / subzones / microzones / components}
Define SEPARATION ENFORCEMENT MECHANISMS: {firewalls / routers / gateways / proxies / guards / protocol changes / digital diodes / FSMs / physical airgaps}
Define CONNECTION MECHANISMS: protocols / traffic types / addressing schemes / addresses / ports / gateway addresses / network masks / interface software / operating environments / storage media / authentication methods / identity management approaches / personnel / control mechanisms / cryptographic protocols and systems
Define IDENTIFIERS: serial numbers / device codes / cryptographic keys / addresses
Define OPERATING MECHANISMS: physical/logical device / interface / protocol / service / operation
Basis:
Option A: The design basis threat.
Option B: The operating environment.
Option C: Duties to protect.
Option D: Revisit design basis threat as it changes over time.
Option E: Follow applicable elements of applicable standards and requirements.
Option F: Due diligence requirements.
Deter:
Option Q: Use proper online banners to warn against inappropriate actions.
Option R: Provide periodic (at rate) training and suitable education relating to connection control requirements.
Option S: Provide obvious presence of (or don't seek to conceal) some security measures and response processes.
Prevent:
Option 1: Logically separate AREAS by placing SEPARATION ENFORCEMENT MECHANISMS between them.
Option 2: Use different CONNECTION MECHANISMS and OPERATING MECHANISMS within and between different AREAS.
Option 3: {Associate / label / mark / limit} unique IDENTIFIERS to each OPERATING MECHANISM and map them to their respective AREA(s).
Option 4: Map each connection {sequence} to all relevant OPERATING MECHANISMS, CONNECTION MECHANISMS, and SEPARATION ENFORCEMENT MECHANISMS and have all such mechanisms deny {operation / connection / flows} to unmapped connections {and sequences}.
Option 5: Secure OPERATING MECHANISMS, CONNECTION MECHANISMS, and SEPARATION ENFORCEMENT MECHANISMS using available protective mechanisms against unauthorized connections {and sequences}.
Option 6: Limit OPERATING MECHANISMS, CONNECTION MECHANISMS, and SEPARATION ENFORCEMENT MECHANISMS so that none are unused.
Option 7: Use only end-to-end connections for operations.
Detect, react, and adapt:
Option V: Place logical {alarms / detectors} on SEPARATION ENFORCEMENT MECHANISMS, CONNECTION MECHANISMS, and OPERATING MECHANISMS for unauthorized (unmapped) or inadequate connections and IDENTIFIERS.
Option W: Surveil and audit {operation / connection / flows / flow sequences} between and within SEPARATION ENFORCEMENT MECHANISMS, CONNECTION MECHANISMS, and OPERATING MECHANISMS.
Option X: Perform {regular / periodic / random / continuous} {audit reviews / tests} to detect deviation from and verify proper implementation and operation of SEPARATION ENFORCEMENT MECHANISMS, CONNECTION MECHANISMS, and OPERATING MECHANISMS with frequency based on the design basis threat.
Option Y: Implement response regimens and actions to event sequences per a systems analysis based on the design-basis threat.
Option Z: Follow incidents up with investigative and adaptation processes to identify and mitigate root causes of incidents and improve performance.
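The Prevent options above (1 through 4) and the detection option V amount to a default-deny connection policy over an inventory of AREAS, IDENTIFIERS and SEPARATION ENFORCEMENT MECHANISMS. The following is an added illustration, not part of this page: a small Python policy evaluator over a constructed inventory (device names, zone names and the mapped connections are all hypothetical) that denies any device, area pair or connection that is not mapped, and turns each denial into an alarm event.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: each OPERATING MECHANISM (device) carries a unique
# IDENTIFIER and is mapped to exactly one AREA (zone / subzone). Option 3.
DEVICE_AREA = {
    "plc-01": "control/subzone-a",
    "hmi-01": "control/subzone-a",
    "historian": "dmz",
    "laptop-77": "corporate",
}

# SEPARATION ENFORCEMENT MECHANISMS placed between AREAS (Option 1). A flow
# between two areas is only possible if an enforcement point is defined for
# that pair; control and corporate have none, so they cannot talk directly.
SEPARATION = {
    ("control/subzone-a", "dmz"): "fw-ot-dmz",
    ("dmz", "corporate"): "fw-dmz-corp",
}

# Mapped connections (src device, dst device, protocol, dst port) that are
# explicitly authorized. Anything not listed is denied (Option 4).
MAPPED = {
    ("plc-01", "historian", "tcp", 502),
    ("hmi-01", "plc-01", "tcp", 502),
    ("historian", "laptop-77", "tcp", 443),
}

@dataclass
class Decision:
    allow: bool
    reason: str
    enforcer: Optional[str] = None   # mechanism that enforces the decision

def evaluate(src, dst, proto, port):
    """Decide one requested connection; everything unmapped is denied."""
    if src not in DEVICE_AREA or dst not in DEVICE_AREA:
        return Decision(False, "unknown IDENTIFIER")
    a, b = DEVICE_AREA[src], DEVICE_AREA[dst]
    enforcer = None
    if a != b:
        enforcer = SEPARATION.get((a, b)) or SEPARATION.get((b, a))
        if enforcer is None:
            return Decision(False, f"no separation mechanism between {a} and {b}")
    if (src, dst, proto, port) not in MAPPED:
        return Decision(False, "unmapped connection", enforcer)
    return Decision(True, "mapped", enforcer)

def alarms(requests):
    """Option V: every denied request becomes an alarm (request, reason)."""
    return [(r, evaluate(*r).reason) for r in requests if not evaluate(*r).allow]
```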

Decision:

Typical controls for different risk levels are identified here:

High consequence connection controls are suggested as follows:

Definitions:
    Precisely define all AREAS, SEPARATION ENFORCEMENT MECHANISMS, CONNECTION MECHANISMS, IDENTIFIERS, and OPERATING MECHANISMS and put them in the inventory system.

Basis:

    Base all specifics on the design basis threat, duties to protect, risk management decisions, and the environment.
    Precisely define and specify these elements of the protective architecture.
    Revisit these elements of the protective architecture as they change over time.
    Follow applicable elements of applicable standards and requirements.
Deter:
    Use proper online banners to warn against inappropriate actions.
    Provide periodic (4 times per year) training and suitable education relating to connection control requirements.
    Provide obvious presence of (or don't seek to conceal) some security measures and response processes.
Prevent:
    Logically separate AREAS by placing SEPARATION ENFORCEMENT MECHANISMS between them.
    Use different CONNECTION MECHANISMS and OPERATING MECHANISMS within and between different AREAS.
    {Associate / label / mark / limit} unique IDENTIFIERS to each OPERATING MECHANISM and map them to their respective AREA(s).
    Map each connection and sequence to all relevant OPERATING MECHANISMS, CONNECTION MECHANISMS, and SEPARATION ENFORCEMENT MECHANISMS and have all such mechanisms deny operation, connection, and flows to unmapped connections and sequences.
    Secure OPERATING MECHANISMS, CONNECTION MECHANISMS, and SEPARATION ENFORCEMENT MECHANISMS using available protective mechanisms against unauthorized connections and sequences.
    Limit OPERATING MECHANISMS, CONNECTION MECHANISMS, and SEPARATION ENFORCEMENT MECHANISMS so that none are unused.
    Use only end-to-end connections for operations.
Detect, react, and adapt:
    Place logical alarms and detectors on SEPARATION ENFORCEMENT MECHANISMS, CONNECTION MECHANISMS, and OPERATING MECHANISMS for unauthorized (unmapped) or inadequate connections and IDENTIFIERS.
    Surveil and audit operation, connection, flows, and flow sequences between and within SEPARATION ENFORCEMENT MECHANISMS, CONNECTION MECHANISMS, and OPERATING MECHANISMS.
    Perform regular, periodic, random, and continuous audit reviews and tests to detect deviation from and verify proper implementation and operation of SEPARATION ENFORCEMENT MECHANISMS, CONNECTION MECHANISMS, and OPERATING MECHANISMS with frequency based on the BASIS.
    Implement response regimens and actions to event sequences per a systems analysis based on the BASIS.
    Follow incidents up with investigative and adaptation processes to identify and mitigate root causes of incidents and improve performance.
High consequence connection controls

Medium consequence connection controls are suggested as follows:

Definitions:
    Define all AREAS, SEPARATION ENFORCEMENT MECHANISMS, CONNECTION MECHANISMS, IDENTIFIERS, and OPERATING MECHANISMS at least at the zone, subzone, and microzone granularity level, and put them in the inventory system.

Basis:

    Base all specifics on the design basis threat, duties to protect, risk management, and the environment.
    Follow applicable elements of applicable standards and requirements.
Deter:
    Use proper online banners to warn against inappropriate actions.
    Provide periodic (at least annual) training and suitable education relating to connection control requirements.
    Provide obvious presence of (or don't seek to conceal) some security measures and response processes.
Prevent:
    Logically separate AREAS by placing SEPARATION ENFORCEMENT MECHANISMS between them.
    Associate unique IDENTIFIERS to each OPERATING MECHANISM and map them to their respective AREA(s).
    Map each connection to all relevant OPERATING MECHANISMS, CONNECTION MECHANISMS, and SEPARATION ENFORCEMENT MECHANISMS and have all such mechanisms deny connection and flows to unmapped connections.
    Secure OPERATING MECHANISMS, CONNECTION MECHANISMS, and SEPARATION ENFORCEMENT MECHANISMS using available protective mechanisms against unauthorized connections.
Detect, react, and adapt:
    Place logical alarms and detectors on SEPARATION ENFORCEMENT MECHANISMS for unauthorized (unmapped) or inadequate connections and IDENTIFIERS.
    Surveil and audit connections and flows between and within SEPARATION ENFORCEMENT MECHANISMS, CONNECTION MECHANISMS, and OPERATING MECHANISMS.
    Perform quarterly audit reviews and tests to detect deviation from and verify proper implementation and operation of SEPARATION ENFORCEMENT MECHANISMS.
    Follow incidents up with investigative and adaptation processes to identify and mitigate root causes of incidents and improve performance.
Medium consequence connection controls

Low consequence connection controls are suggested as follows:

Definitions:
    Define CONNECTION MECHANISMS.
Basis:
    Base all specifics on due diligence requirements and defined duties to protect.
Deter:
    Use proper online banners to warn against inappropriate actions.
    Provide initial training and suitable education relating to connection control requirements.
Prevent:
    Secure CONNECTION MECHANISMS using available protective mechanisms against unauthorized connections.
Detect, react, and adapt:
    Place logical alarms on CONNECTION MECHANISMS for unauthorized connections.
    Audit connections.
    Perform audit reviews of CONNECTION MECHANISMS if negative consequences are identified.
    Follow incidents up with investigative and adaptation processes to identify and mitigate root causes of incidents and improve performance.
Low consequence connection controls

Definitions:

For the purposes of this set of decisions, several terms are used that should be defined in detail by the operators of the system environment and cataloged as appropriate to the need. These terms are exemplified as follows:

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved