Page 124
Countermeasures
The primary countermeasure to mitigate the attacks described in the previous section is defense-in-depth: multiple overlapping controls spanning several domains (technical, administrative, and physical) that reinforce each other. Any one control may fail or be bypassed; defense-in-depth (also called layered defense) ensures that a single failure does not expose the asset.
Technical countermeasures are discussed in Chapter 5, Domain 4: Communication and Network Security. They include routers and switches, firewalls, system hardening including removing unnecessary services and patching, virtual private networks, and others.
Administrative countermeasures are discussed in Chapter 2, Domain 1: Security and Risk Management. They include policies, procedures, guidelines, standards, and related documents.
Physical countermeasures are discussed later in this chapter. They include building and office security, locks, security guards, mobile device encryption, and others.
Mobile Device Attacks
A recent information security challenge is mobile devices, ranging from USB flash drives to laptops, that are infected with malware outside of a security perimeter and then carried into an organization. Traditional network-based protection, such as firewalls and intrusion detection systems, is powerless to prevent the initial attack, because the infection never crosses the perimeter as network traffic.
Infected mobile computers such as laptops may begin attacking other systems once plugged into a network. USB flash drives can infect host systems via the Microsoft Windows AutoRun capability: when a device is inserted, Windows reads the "autorun.inf" file at its root and launches the program that file names. Some types of malware create or edit autorun.inf so that their payload is executed on insertion of the USB flash drive, spreading to each host it is plugged into. Note that Windows 7 and later do not honor autorun.inf on non-optical removable media by default, and Microsoft pushed the same change to earlier versions in 2011, so this vector now depends on legacy or misconfigured hosts; disabling AutoRun through policy closes it on the rest.
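As an added example (not part of the original text), the following Python scanner parses an autorun.inf body the way a host-side removable-media check might and reports the directives that would cause a program to run on insertion. The parser is hand-rolled so that the junk lines some USB malware inserts to confuse naive parsers are skipped rather than causing a failure. The sample files, the function names, and the heuristic are assumptions of this example, not Microsoft's AutoRun implementation.

```python
"""Heuristic scanner for autorun.inf execution directives (added example)."""
import re
from pathlib import Path

# Keys whose value Windows launches directly when AutoRun is honored.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command= keys define the command behind a context-menu verb.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> dict[str, dict[str, str]]:
    """Parse INF-style text into {section: {key: value}}.

    Hand-rolled rather than configparser so that junk lines (no '=') are
    skipped instead of raising. Section and key names are lowercased
    because Windows matches them case-insensitively.
    """
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # key outside any section, or a junk line
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def find_launch_targets(text: str) -> list[tuple[str, str]]:
    """Return (directive, target) pairs that would run a program on insertion."""
    found = []
    for name, keys in parse_autorun(text).items():
        # [autorun] plus architecture-specific variants such as [autorun.x86]
        if name != "autorun" and not name.startswith("autorun."):
            continue
        for key, value in keys.items():
            if key in EXEC_KEYS or SHELL_CMD_RE.match(key):
                found.append((key, value))
    return found


def assess(text: str) -> str:
    """'launches program' if any execution directive is present, else 'passive'."""
    return "launches program" if find_launch_targets(text) else "passive"


def scan_drive_root(root: Path) -> str:
    """Assess the autorun.inf at the root of a mounted drive, if one exists."""
    inf = root / "autorun.inf"
    if not inf.is_file():
        return "no autorun.inf"
    return assess(inf.read_text(errors="replace"))


# Constructed samples for demonstration; not taken from any real malware.
MALICIOUS_SAMPLE = """\
[AutoRun]
open=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
junk line inserted to confuse naive parsers
"""

BENIGN_SAMPLE = """\
[autorun]
icon=drive.ico
label=Backup
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, assess(sample), find_launch_targets(sample))
```

A benign autorun.inf that only sets an icon and a label produces no launch targets; one that carries open= or shell\open\command= entries is flagged along with the path it would run, which is what an endpoint agent would quarantine or an analyst would pull for inspection. The scan is a heuristic: it tells you the drive is configured to execute something, not whether that something is malicious.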
Mobile Device Defenses
Defenses include administrative controls such as restricting the use of mobile devices via policy. The US Department of Defense instituted such a policy after an alleged outbreak of the USB-borne SillyFDC worm. Wired.com reports: “The Defense Department’s geeks are spooked by a rapidly spreading worm crawling across their networks. So they have suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets, to try to keep the worm from multiplying any further” [31].
Technical controls to mitigate infected mobile computers include requiring authentication at OSI model layer 2 via 802.1X, which we will discuss in Chapter 5, Domain 4: Communication and Network Security. 802.1X by itself only authenticates the device or user before the switch port is opened; it may be bundled with additional security functionality, such as verification of current patches and antivirus signatures, so that an authenticated but unhealthy host is still quarantined. Two technologies that do this are Network Access Control (NAC) and Network Access Protection (NAP). NAC is a network device-based solution supported by vendors including Cisco Systems. NAP is a computer operating system-based solution by Microsoft (since deprecated, and removed as of Windows Server 2016).
Another mobile device security concern is the loss or theft of a mobile device, which threatens the confidentiality, integrity, and availability of the device and the data that resides on it. Backups preserve the availability of mobile data and allow a known-good copy to be restored, but they do nothing for confidentiality once the device is in someone else's hands.
Full disk encryption (also known as whole disk encryption) should be used to ensure the confidentiality of mobile device data. This may be done in hardware or software, and is superior to partially-encrypted solutions such as encrypted files, directories, or partitions, which leave temporary files, swap, and hibernation data in the clear. Full disk encryption protects data at rest only: once the device is booted and unlocked, the key is in memory and the protection rests on the strength of the pre-boot authentication and screen lock.
Remote wipe capability is another critical control, which describes the ability to erase (and sometimes disable) a mobile device that is lost or stolen. A wipe command only takes effect if the device comes online to receive it, so an attacker who keeps the device offline can defeat it; remote wipe therefore complements encryption and a local wipe after repeated failed unlock attempts rather than replacing them.