Security controls

High Security controls moving from military to commercial business

EICAR

EICAR is a 68-byte .com file that antivirus products detect as “EICAR-Test-File”. It IS NOT a virus but a specially crafted file for testing whether antivirus systems are present and working in email, on the file system, or elsewhere. When executed, the test file simply displays a text message and returns control to the operating system.

Antivirus software vendors agreed to develop a uniform standard “virus simulator” that consists of plain text only. Detailed information about EICAR can be found at Kaspersky.

Titus header

Documents contain sensitive or confidential information that organisations must protect. Data leakage must be prevented, while data and information sharing must still be promoted. To give organisations control over the exchange of data, Titus headers are used. TITUS services allow organisations to classify their electronic documents so that appropriate security can be applied to them, and end users can be made aware of which documents contain sensitive information. See Titus headers for more information.

Purifile

PuriFile software is a file inspection application that performs deep analysis of various Microsoft Office file formats and .pdf files. The software detects and identifies hidden objects and metadata, which could accidentally or maliciously disclose sensitive information or confidential digital assets that would otherwise go unnoticed in typical review processes.

Datadiode

Confidentiality and productivity are each other's enemies. To deal with this dilemma a data diode is used. This is a one-way network connection (a black-box appliance with EAL4 certification) that offers the highest certified level of security and prevents unwanted access to business assets and critical systems, while still facilitating the free flow of information in one direction.

Cross domain gateways

Cross-domain gateways are a concept from multi-level government and military networks that is increasingly being deployed into traditionally flat commercial networks. It is about trust zones and choke points between trust zones. Each trust zone has a certain degree of threat exposure, and it is this exposure that creates the need for cross-domain gateways between the zones.

There is a wide variety of applications to which cross-domain gateways can be applied, and a wide variety of gateway patterns and designs. However, there is a common set of gateway functions that such patterns and designs can call upon.

Gateway functions

Address rewriting

Address rewriting is done for different reasons. Some are merely cosmetic, and some are necessary to deliver correctly formatted mail to the correct destination. Examples are:

  • Transform an incomplete address into a complete address. For example, transform “username” into “username@example.com”, or transform “username@hostname” into “username@hostname.example.com”.
  • Replace an address by an equivalent address. For example, replace “username@example.com” by “firstname.lastname@example.com” when sending mail, and do the reverse transformation when receiving mail.
  • Replace an internal address by an external address. For example, replace “username@localdomain.local” by “isp-account@isp.example” when sending mail from a home computer to the Internet.
  • Replace an address by multiple addresses. For example, replace the address of an alias by the addresses listed under that alias.
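The four rewriting rules above, implemented as a small mail-gateway address rewriter. This is an added example and not code from the article or from any gateway product; the domain names, the equivalence and masquerading tables, and the alias list are constructed for the example. It goes slightly beyond the text in two places: aliases may refer to other aliases (with a cycle guard), and a rewritten address that is still malformed is rejected rather than forwarded, which is the fail-closed behaviour a gateway should have.

```python
import re

# Constructed gateway configuration for this example (not from the article).
LOCAL_DOMAIN = "example.com"

# Rule 2: equivalent addresses. Applied as-is on outbound mail and in
# reverse on inbound mail, so both forms resolve to the same mailbox.
EQUIVALENT = {"username@example.com": "firstname.lastname@example.com"}

# Rule 3: internal address -> external (ISP) address for mail leaving the site.
MASQUERADE = {"username@localdomain.local": "isp-account@isp.example"}

# Rule 4: alias -> member addresses. Aliases may refer to other aliases.
ALIASES = {
    "team@example.com": ["alice@example.com", "bob@example.com", "leads@example.com"],
    "leads@example.com": ["bob@example.com", "carol@example.com"],
}

# Strict syntax check: the gateway rejects what it cannot rewrite cleanly
# instead of passing it through unchanged.
_ADDR_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+$")


def complete_address(addr: str) -> str:
    """Rule 1: turn an incomplete address into a complete one."""
    addr = addr.strip().lower()
    if "@" not in addr:              # "username" -> "username@example.com"
        return f"{addr}@{LOCAL_DOMAIN}"
    local, domain = addr.rsplit("@", 1)
    if "." not in domain:            # "username@hostname" -> "username@hostname.example.com"
        return f"{local}@{domain}.{LOCAL_DOMAIN}"
    return addr


def rewrite_outbound(addr: str) -> str:
    """Rewriting applied to mail leaving the trust zone (rules 1, 2 and 3)."""
    addr = complete_address(addr)
    if not _ADDR_RE.match(addr):
        raise ValueError(f"malformed address: {addr!r}")
    addr = EQUIVALENT.get(addr, addr)
    return MASQUERADE.get(addr, addr)


def rewrite_inbound(addr: str) -> str:
    """Reverse of rule 2 for mail entering the trust zone."""
    addr = complete_address(addr)
    reverse = {external: internal for internal, external in EQUIVALENT.items()}
    return reverse.get(addr, addr)


def expand_recipients(recipients: list[str]) -> list[str]:
    """Rule 4: replace alias addresses by their members, recursively,
    de-duplicating the result and refusing to loop on alias cycles."""
    result: list[str] = []
    seen: set[str] = set()

    def visit(addr: str, trail: frozenset[str]) -> None:
        addr = complete_address(addr)
        if addr in trail:
            raise ValueError(f"alias cycle detected at {addr}")
        if addr in ALIASES:
            for member in ALIASES[addr]:
                visit(member, trail | {addr})
        elif addr not in seen:
            seen.add(addr)
            result.append(addr)

    for recipient in recipients:
        visit(recipient, frozenset())
    return result


if __name__ == "__main__":
    print(rewrite_outbound("username"))                        # firstname.lastname@example.com
    print(rewrite_outbound("username@localdomain.local"))      # isp-account@isp.example
    print(rewrite_inbound("firstname.lastname@example.com"))   # username@example.com
    print(expand_recipients(["team@example.com", "carol"]))
```

The rules are applied in a fixed order (complete, then equivalence, then masquerade) because each later table is keyed on the fully qualified form; applying them in another order silently misses entries.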

Security labeling

A security label, sometimes referred to as a confidentiality label, is a structured representation of the sensitivity of a piece of information. A security label can be used in conjunction with a clearance, a structured representation of what sensitive information a person (or other entity) is authorised to access, and a security policy to control access to each piece of information.

For instance, an email message could have an “EXAMPLE CONFIDENTIAL” label that requires the sender and the receiver to have a clearance granting access to information labeled “EXAMPLE CONFIDENTIAL”.

The standardised formats for security labels, clearances, security policy, and associated authorisation models are generalised and can be used in non-government deployments where appropriate.

For more information on this topic see Labeling.
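A worked version of the label, clearance and policy model described above, using the “EXAMPLE CONFIDENTIAL” label from the text: a gateway releases a message only when both the sender's and the receiver's clearance dominates the message label. This is an added example, not code from the article or from any labelling standard; the ordered level names, the `LEVEL//CATEGORY/CATEGORY` header syntax and the clearance register are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed policy for this example (not from the article): classification
# levels ordered lowest to highest. "EXAMPLE CONFIDENTIAL" is the label used
# in the text above.
LEVELS = ["EXAMPLE UNCLASSIFIED", "EXAMPLE RESTRICTED", "EXAMPLE CONFIDENTIAL", "EXAMPLE SECRET"]
_RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """Structured representation of the sensitivity of a piece of information."""
    level: str
    categories: frozenset = frozenset()


@dataclass(frozen=True)
class Clearance:
    """Structured representation of what a person or system may access."""
    level: str
    categories: frozenset = frozenset()


def parse_label(header: str) -> Label:
    """Parse the assumed header syntax 'LEVEL//CAT1/CAT2'. Unknown levels are
    rejected, so a mis-typed or forged label fails closed."""
    level, _, cats = header.strip().upper().partition("//")
    if level not in _RANK:
        raise ValueError(f"unknown classification level: {level!r}")
    categories = frozenset(c for c in cats.split("/") if c)
    return Label(level, categories)


def dominates(clearance: Clearance, label: Label) -> bool:
    """A clearance grants access when its level is at least the label's level
    and it holds every category (compartment) the label names."""
    return (_RANK[clearance.level] >= _RANK[label.level]
            and label.categories <= clearance.categories)


def gateway_decision(header: str, sender: str, receiver: str,
                     clearances: dict) -> tuple[bool, str]:
    """Decide whether a labelled message may cross the gateway. Both the
    sender and the receiver must hold a clearance that dominates the label."""
    try:
        label = parse_label(header)
    except ValueError as exc:
        return False, str(exc)
    for party in (sender, receiver):
        clearance = clearances.get(party)
        if clearance is None:
            return False, f"{party}: no clearance on record"
        if not dominates(clearance, label):
            return False, f"{party}: clearance does not dominate label {header.strip().upper()}"
    return True, "release"


# Constructed clearance register for the example.
CLEARANCES = {
    "alice@example.com": Clearance("EXAMPLE SECRET", frozenset({"FINANCE"})),
    "bob@example.com": Clearance("EXAMPLE CONFIDENTIAL"),
}

if __name__ == "__main__":
    print(gateway_decision("EXAMPLE CONFIDENTIAL", "alice@example.com", "bob@example.com", CLEARANCES))
    print(gateway_decision("EXAMPLE CONFIDENTIAL//FINANCE", "alice@example.com", "bob@example.com", CLEARANCES))
    print(gateway_decision("EXAMPLE SECRET", "alice@example.com", "bob@example.com", CLEARANCES))
```

Checking the sender as well as the receiver is deliberate: a sender without the required clearance should never have held the information in the first place, so the gateway treats that as a policy violation to be logged rather than as mail to be delivered.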

Content analysis

Content Analysis is a layered solution that offers protection against known, unknown, and targeted attacks. Combined with Blue Coat ProxySG appliances, Content Analysis uses a layered approach to protecting against known and unknown threats, and includes

  • AV technology,
  • whitelisting,
  • static code analysis, and
  • dynamic analysis (sandboxing).

This fusion of content analysis and malware-analysis sandboxing functions provides protection against targeted attacks, so you can defend against viruses, Trojans, worms, spyware, and other forms of malicious content, even when users aren’t running anti-malware software at the desktop.

These controls are only a few of those you can use to elevate your security to a high level. It is important to understand that each trust zone requires a custom-made solution. Therefore each cross-domain gateway is a constellation of specific security devices and functions: firewalls such as Palo Alto, Juniper or Cisco ASA, with specialised (application) proxy servers (forward and reverse), in combination with load balancers, IDS/IPS (host- or network-based), data-splitting and capturing switches, as well as VPN servers, RADIUS/TACACS for remote access and Cisco ISE servers. Most important is to understand the services and flows that cross the different cross-domain gateways. By understanding the flows you can configure an appropriate set of security devices, rules and policies.

Why this article

The intention of this article is to make you aware that these security controls are most commonly used in the military and can also be applied in commercial areas. This is a new development: nowadays you see a shift towards the commercial industry. It is good to have an overview of the security controls you can implement to build an improved and more secure environment.


Herman Rensink,
Cloud – and Security Architect,
Greater BV, Moersbergselaan 17, 3941 BW Doorn