Proceedings magazine is a communication tool for the Coast Guard's Marine Safety & Security Council. Each quarterly magazine focuses on a specific theme of interest to the marine industry.
Issue link: https://uscgproceedings.epubxp.com/i/436751
31 Winter 2014 – 2015 Proceedings www.uscg.mil/proceedings hardware vendors for new security disclosures. Patch all vulnerable systems and confgure frewalls and IDPS sys- tems to flter out exploit traffc. Check downloaded fles against known viruses: Install up- to-date, anti-virus scanners on all computers and check all downloaded fles. Protect Ethernet ports and manage switches: Protect Eth- ernet ports and allow only authorized devices to be con- nected to ports. Use managed Ethernet switches to control network traffc. Use and properly conf igure firewalls: Use a properly designed, secured frewall to control incoming and outgo- ing network traffc. Use an intrusion detection and prevention system: Use an intrusion detection and prevention system (IDPS) to monitor network traffc and identify potential intrusions. Given the amount of network traffc, manual monitoring is impossible. However, the IDPS can be confgured manually to protect against newly disclosed zero-day exploits when patches are not available. Protect dial-in modems: Allow only authorized numbers for dial-in modems; remove them unless they are absolutely necessary. Secure the wireless network: Allow only authorized devices to connect to the wireless network and monitor wireless activities. At seaports, connections from untrusted vessels could pose additional security threats. Monitor public vulnerability disclosures: Monitor public vulnerability sites such as US-CERT (www.us-cert.gov/), ICS-CERT (https://ics-cert.us-cert.gov/), and software and Life cycle of zero-day exploits. Image courtesy of the authors. Attack Surfaces and Attack Vectors The attack surface of a system consists of its reachable and exploitable vulnerabilities. The smaller the attack surface, the smaller a port's risk exposure. A defense-in-depth system architecture takes into consideration these dimen- sions of the surface along with their sub-dimensions: ■ Network dimension: The deployed network protocols (TCP/IP, IPv6, P2P, VPN). ■ Software dimension: The software and interfaces, such as code, operating systems, confgurations, web pages. ■ Human dimension: The personnel and associated variables like social engineering, inside threats, errors, user naiveté. An attack vector is a "point" on the attack surface for which the dimensions are specifed. They are ways hackers can launch an attack, so they defne an exploit's scope. Reducing the number of attack vectors improves system resiliency. 0 1 1 0 1 0 0 1 0 1 1 0 1 0 0