Tag Archives: Data Diode

Validating the Payload

10 Nov

In the blog Secure Delivery of a Payload we discussed how secure information exchange consists of two distinct elements: the information you need to convey – the payload, and the technical method used to carry the payload – the protocol. Attackers wishing to break into your network can exploit either of these: the protocol or the payload.

The previous blog looked at protecting against protocol-based attacks. In this blog we look at content-based attacks – attacks on the payload.


The Attack Vector

The principle behind a content-based attack is that when delivered, the payload contains malware that will cause the end system to do something unexpected, which the attacker can take advantage of – usually to gain access.

The most common and effective technical mitigations are:

  • Patching – to ensure your applications have known vulnerabilities removed
  • Anti-Virus – to detect known malware

(Aside: This is why these two mitigations are fundamental to the UK Government's baseline security standard, Cyber Essentials.)

However, both of these mitigations have one thing in common: they only work on known problems. The skilled attacker who really wants to get you will exploit an unknown problem – the so-called Zero-Day.

Threat Reduction

To reduce this threat we can use the following techniques, first described in the White Paper Protecting confidential information using Data Diodes, which explores these concepts in much more depth.

  1. Accept the risk. Patching / Anti-Virus may be sufficient for the threat you face.
  2. Do very strict pattern matching on the payload, only accepting payloads recognised to be conformant (i.e. whitelisting). For example, only accept “text” files containing 7-bit ASCII characters. More advanced scenarios will perform strict schema checking on the file to ensure it conforms to an expected set of rules.
  3. Convert the payload itself. Essentially, take all the information out of the source file and create a new file with the same contents. The White Paper Preventing Document-Based Malware from Devastating your Business talks about this defence technique in much more depth.
  4. Do a combination of the above. For example: only accept JPEG files, convert those to PNG, and drop all other payloads.
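As an added example (not code from the original post or from Nexor), a small Python validator in the spirit of techniques 2 and 4: a 7-bit ASCII rule for text, and a strict structural walk over JPEG marker segments that drops files with bad segment lengths or any bytes after the end-of-image marker. The declared file kinds, function names and sample bytes are constructed for illustration.

```python
# Added example: whitelisting payload checks (not the original post's code).
# Assumed: each file arrives with a declared kind; anything else is dropped.

def is_7bit_text(data: bytes) -> bool:
    """Accept only tab/LF/CR and printable 7-bit ASCII (0x20-0x7E)."""
    return all(b in (0x09, 0x0A, 0x0D) or 0x20 <= b <= 0x7E for b in data)

def is_strict_jpeg(data: bytes) -> bool:
    """Walk JPEG marker segments: each must start with 0xFF and declare a
    length that fits; the EOI marker must be the last two bytes, so any
    content appended after the image is rejected (baseline JPEG layout)."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":      # must start with SOI
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2 or pos + 2 + seg_len > len(data):  # bad/overlong length
            return False
        pos += 2 + seg_len
        if marker == 0xDA:                                # SOS: scan data follows
            end = data.find(b"\xff\xd9", pos)             # locate EOI
            return end != -1 and end + 2 == len(data)
    return False

ALLOWED = {"text": is_7bit_text, "jpeg": is_strict_jpeg}

def accept_payload(kind: str, data: bytes) -> bool:
    """Whitelist dispatch: unknown kinds and failed checks are both dropped."""
    check = ALLOWED.get(kind)
    return check is not None and check(data)

# Constructed sample inputs (not real files).
SAMPLE_TEXT = b"Invoice 42\r\nTotal: 17.50\n"
SAMPLE_JPEG = (b"\xff\xd8"                    # SOI
               + b"\xff\xe0\x00\x04\x4a\x46"   # APP0 segment, length 4
               + b"\xff\xda\x00\x02"           # SOS segment, length 2
               + b"\x12\x34\xff\x00"           # entropy-coded data (0xFF stuffed)
               + b"\xff\xd9")                  # EOI
TRAILING = SAMPLE_JPEG + b"appended-after-eoi"
BAD_LEN = b"\xff\xd8\xff\xe0\x00\x01"

if __name__ == "__main__":
    for kind, blob in [("text", SAMPLE_TEXT), ("jpeg", SAMPLE_JPEG),
                       ("jpeg", TRAILING), ("jpeg", BAD_LEN), ("png", SAMPLE_JPEG)]:
        print(kind, "accepted" if accept_payload(kind, blob) else "dropped")
```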

One of the most difficult aspects of the above is not technical. It’s deciding which level of control is necessary and relevant to your business or application scenario – this is where Threat Analysis, as discussed in A Brief Introduction to Threat Analysis, fits. This is not easy, which is why you should consider engaging experts who can help you understand your exact situation and advise on the right solution for it.

Do you have the right level of content protection in your business?

Secure Delivery of a Payload via a Protocol Break

21 Oct

A secure information exchange consists of two distinct elements: the information you need to convey – the payload, and the technical method used to carry the payload – the protocol. Attackers wishing to break into your network can exploit either of these: the protocol or the payload.

In this blog we briefly look at protecting against protocol-based attacks. In a future blog we will look at content-based (payload) attacks.


Diodes are Diodes, Guards are Guards

15 Sep

Over the last 3-5 years Data Diodes have grown in popularity as a solution for moving data between isolated networks. With this has come creative marketing to leverage the term ‘Diode’ for solutions that are anything but.

Let’s just take a few moments to revise some of the fundamental modes of secure information exchange.


Diode Applications: Secure Printing

12 Nov

In this blog series, I have been exploring applications for Data Diodes. This week, I look at the issue of printing between different networks.


Diode Applications: Secure Network Monitoring

10 Oct

For the third article in the Data Diode blog series, I explore Audit and Monitoring between Domains.


Diode Applications: Secure Windows Updates

27 Aug

In this blog series, I have been exploring applications for Data Diodes. This week, I look at the issue of getting Windows Updates into a segregated network — securely.

What is the difference between a Guard and a Gateway?

13 Aug

Guards and gateways are full application layer proxies that connect to two or more networks. They accept data passed on an inbound network interface, ‘process it’, and then pass data to the outbound network interface. The difference between the two is in the ‘process it’ step.

Nexor in Touch

27 Jun

An article about a Nexor solution deployment in the FCO Services has been published in the Microsoft Technology in the Public Sector Magazine – Touch.


Diode Applications: Secure Remote Camera Control

13 Jun

In this blog series, I will explore applications for Data Diodes. In the first of the series, we’ll look at providing secure access to remote CCTV cameras in unsecured locations.

Yet Another Stuxnet Article

21 May

A lot has been written about Stuxnet; one of the big revelations was that the malware had jumped an air-gap. The on-going debate is whether air-gaps work, or whether joining the networks in a controlled way would REDUCE the vulnerability.

