Suppose an organization is only able to filter and selectively block either: a) network traffic coming into its intranet from the internet (incoming) or b) network traffic going out to the internet (outbound). With respect to each of the 3 information system security objectives (i.e. confidentiality, integrity, and availability), if you could only filter and selectively block one network traffic direction which one you would you concentrate on and why?
Comments
Mohammed Syed says
It would depend on why or for what reason inbound or outbound traffic would need to be blocked. The inbound rules protect the network against incoming traffic from the internet or other network segments, namely malware and denial of service attacks. In organizations most incoming traffic is filtered. It helps organizations disable any software updates they do not want, or block any advertising from rushing into their system. The outbound traffic rules protect against outgoing traffic, such as requests to uncertain or dangerous websites, because the organization’s networks are made up of a group of devices such as firewalls, servers, load balancers, routers, switches, wireless access points and other network elements. Most often the reason why outbound traffic is blocked is to restrain malware, if it has entered the system, from spreading further, or to prevent loss of confidential data.
It is important to be careful in every segment of local area network architecture and maintenance because the local area network is the nervous system of an organization’s information system; excellent maintenance must be performed to secure it properly. An organization’s network should be maintained by securing equipment, because that is a very important part of any security strategy. As all users need to access the organization’s network locally and remotely, there should be a way to identify and ensure strictly who is allowed on the network and what access they have been permitted. All users want to connect to the internet for commercial or research activities. The most trusted users belong to the intranet and have to authenticate to a centralized administrator to access resources of the network. Less trusted users may originate from the intranet, as well as external users who are authenticated to access resources such as email and web services. The least trusted users are unauthenticated users; most of them are simply browsing resources on the internet with no malice intended. There are three objectives:
Confidentiality: Authorized users have access to the network.
Integrity: data cannot be modified by unauthorized users.
Availability: Security must be designed so that authorized users have uninterrupted access to data.
If unknown traffic comes to an organization’s network, it is important to establish a filtering process that identifies potential cyberattacks such as ransomware and vulnerability exploitation. Ensure that one’s default position is to deny traffic, not permit it.
Andrew Nguyen says
If I could only filter and selectively block one network traffic direction, I would concentrate on incoming network traffic.
• Confidentiality
○ Incoming network traffic can be filtered and monitored to determine if confidentiality is intact (for example, if a signed-in user is accessing resources that they are authorized to).
• Integrity
○ Incoming network traffic such as requests to an API can be logged and monitored to flag suspicious activity, such as SQL injection attempts through a query string in a URL. These requests can be selectively blocked.
• Availability
○ Incoming network traffic can be filtered and monitored, and this can help notify an organization if it is the victim of a denial of service attack, provided the incoming requests are filtered in a way such that the organization can view and organize data from the filtered network traffic.
Matthew Bryan says
Andrew,
I like how you formatted this and broke out implications across confidentiality, integrity, and availability. I thought your examples aligned well with the OWASP Top 10, which should be accounted for if the intranet is accessible via a web app.
Dan Xu says
Hi Andrew,
I agree with you about choosing to block incoming network traffic because the risks associated with that direction are much greater than the other side. For effective control and filtering, the filtering and monitoring you mention are an effective control method to ensure that confidentiality is intact. Also, I think the request from the API you mentioned is another good way to think about it in terms of integrity. Organizing effective filtering and blocking of incoming traffic can better mitigate the burden of maintenance and subsequent risk.
kofi bonsu says
I totally agree with you as regards your understanding of confidentiality, availability and integrity. However, availability models keep data and resources available for authorized use, especially during emergencies or disasters. Information security professionals usually address three common challenges to availability:
Denial of service (DoS) due to intentional attacks or because of undiscovered flaws in implementation (for example, a program written by a programmer who is unaware of a flaw that could crash the program if a certain unexpected input is encountered).
Loss of information system capabilities because of natural disasters (fires, floods, storms, or earthquakes) or human actions (bombs or strikes).
Ornella Rhyne says
Hi Andrew,
Great points on highlighting and giving examples for all three (CIA). I believe an organization must protect inbound as well as outbound network traffic, but they should prioritize inbound more than outbound. With proper training, I am pretty sure they will avoid a lot of outbound network traffic, but they must protect and secure their network from inbound traffic. Good job!
Kelly Sharadin says
To protect the integrity and availability of the organization’s intranet, I would focus on blocking the firewall’s outbound traffic. Blocking the intranet’s outbound traffic would prevent command and control beacons from talking to a malicious server and exfiltrating data. Intranets communicate within the organization, and authorized users can access its resources without the need for outbound connections.
However, for confidentiality, I would block inbound network traffic from external sources. Intranets are an insulated portion of the organization’s network reserved for authorized personnel. Therefore, it is doubtful there would be a need for external inbound traffic and, as such, it could pose a risk to the confidentiality of the intranet’s data.
Miray Bolukbasi says
Hi Kelly,
I liked your thoughts on which of the CIA concepts would be affected by the inbound vs. outbound blocking decision. Inbound traffic, that is, when an Internet-based user makes a network connection to a device existing in the business infrastructure, is definitely a threat to confidentiality. However, outbound traffic is a serious security risk when it comes to DDoS attacks. In addition to that, any uncontrolled email or file transfer might lead someone inside of the network without blocked outbound traffic.
Bernard Antwi says
Excellent points, Kelly. If malware infects a computer, it might send outbound traffic containing confidential data (such as content from a Microsoft SQL Server database, email messages from a Microsoft Exchange server, or a list of passwords).
Matthew Bryan says
It’s important to consider the threat landscape facing the organization in this scenario. Different companies may have different risk tolerances from external and internal traffic. In both situations there are risks that could affect the confidentiality, integrity, and availability of the intranet.
Filtering external traffic prioritizes integrity and availability, as this limits entry points that could be used to modify intranet data or affect its availability. Confidentiality is less protected in this situation, as data could flow unrestricted from the intranet out to the internet. Lure-based attacks, like phishing, could facilitate this via emails with no apparent malicious content, e.g. a link to credential harvesting sent via Google Docs. In this situation, I would advise filtering external traffic for organizations facing significant outside risks that threaten the availability and integrity of systems, e.g. utility companies.
Filtering internal traffic prioritizes confidentiality, as this restricts how the intranet communicates with outside resources. This would help prevent situations where data is exposed. It does not address vectors like ransomware that seek entry to the intranet to disrupt the integrity and availability of the information. Prioritizing internal filtering may be appropriate for organizations where external threats are less prevalent and there is more concern with insiders exposing information, e.g. early-stage companies/start-ups.
Bryan Garrahan says
Thanks for sharing; I really like some of the examples you used. I think it’s interesting that integrity and availability fundamentally exist, and need to, in order for a business to operate. However, we see organizations categorize their confidentiality at various different levels based on the nature of their business. However, no matter how “critical” or “minimal” confidentiality is categorized, it will always take a back seat to integrity and availability.
Olayinka Lucas says
Hello Matthew, well articulated.
I am, however, of the opinion that filtering both inbound and outbound traffic carries the same weight, and both touch on the elements of Confidentiality, Integrity, and Availability. Internal employee attacks and errors hold the same consequences as adversarial attacks. Data compromised from within or being leaked is equally as dangerous as incoming malicious packets. Data theft can similarly be as disruptive as a ransomware attack.
As much as I would concentrate on inbound traffic if left with just one choice, I believe both are equally dangerous to every network and adversely touch on confidentiality, integrity, and availability if not adequately filtered.
Bryan Garrahan says
Personally, I would prioritize securing inbound data from the internet into my network. As it relates to CIA, it’s important to filter inbound traffic to ensure it cannot perform unusual or malicious activities (i.e. integrity) or cause adverse impacts/outages (i.e. availability) to the network. Additionally, it’s important to filter inbound traffic to aid in deterring unauthorized network access (i.e. confidentiality).
It certainly is important to filter data going outbound from our network to the internet. However, from a CIA perspective, we’re really only concerned with the element of confidentiality. It’s important to have controls in place to ensure sensitive personal or organizational data isn’t leaked or exposed out to the internet without proper filtering in place. However, outbound traffic doesn’t pose much significant impact to the integrity or availability of data.
Matthew Bryan says
Bryan,
Great post. I agree with your thoughts and prioritization. I was thinking more about this and I wonder if there’s a scenario where there’s so much outbound traffic that it takes resources offline. In this case, availability would be affected by virtue of resources being drained to move data out. The chances of this happening are probably low, but I wonder if it’s possible.
Bryan Garrahan says
I was thinking about this and I don’t believe I’ve experienced a system failure due to an excessive amount of data outflow. However, that doesn’t mean it couldn’t happen so it’s certainly plausible to consider availability in this scenario. Thanks for the response!
Vraj Patel says
It is equally important for an organization to filter the traffic that is entering and leaving the network. An attacker from outside the organization could try to penetrate the network if the traffic is not being scanned and blocked from entering the network. The organization also has to ensure that a user from inside the organization doesn’t send out the company’s critical information to someone outside of the organization, either unintentionally or intentionally.
If required to select one of the objectives, I would focus more resources on the traffic coming into the network, as it has higher risk than the traffic going out. It has a higher risk because there are a lot of attackers outside of the network that would be willing to attack and disrupt the business process, compared to the traffic going outside of the network. The end users could be provided with training to not send out the company’s personal data outside of the network, but there is still a risk if the user sends out data accidentally, which would be a lower risk compared to the traffic coming into the network, as the attacker would be constantly attacking the network.
Jason Burwell says
Hi Vraj,
Great point about traffic coming into the network being higher risk than traffic going out of the network.
Corey Arana says
If filtering only one, it would be incoming. With regard to CIA, being able to block incoming traffic means only authorized personnel can access the network. The network can be blocked from incoming traffic so the organization’s data can’t be changed by any unauthorized user. The organization is able to block the incoming traffic and allow only a certain number of users at a time to control the availability of the network. An example would be a website that sells a product: when they block incoming traffic, they can control the traffic on their site. They would be able to monitor each user so no malicious activity can take place. They can make sure nothing gets changed and can make certain parts of the site available or none at all.
kofi bonsu says
Realistically speaking, I would settle on an organizational ability to secure inbound data from the internet into my network. As it has a bearing on CIA, it’s becoming absolutely imperative to filter inbound traffic to ensure it cannot undertake any malicious activities that are meant to derail integrity. Hence, integrity: making sure that the data in an organization’s possession is accurate, reliable and secured against unauthorized changes, tampering, destruction or loss. Filtering also prevents adverse impacts/outages (i.e. availability) to the network. In that regard, availability: private information is available for anyone who is authorized to access it, such as when a customer requests to view his or her profile.
More importantly, it’s absolutely essential to filter inbound traffic to assist in fencing off unauthorized network access (i.e. confidentiality). Confidentiality: ensuring privacy is a crucial data security objective. Confidentiality involves restricting data only to those who need access to it. Encryption and setting passwords are ways to ensure confidentiality security measures are met.
An organization should ensure that an organization achieves the fundamental objectives of information security, which also includes nonrepudiation. In enforcing nonrepudiation, a business will have the ability to prove that a transaction or communication occurred. Both parties sending and/or receiving information agree that an exchange took place. that an enterprise considers confidential and/or proprietary, it should also protect the personally identifiable information (PII) of its customers. An example of PII is a consumer’s social security number, driver’s license number, even his or her email address. Most organizations are hard pressed to implement cybersecurity measures that will ensure the information that they process is secure, and adheres to the standard known as the CIA triad:
Dhaval Patel says
Hi Kofi,
You make a lot of great points. I agree that it would be best to filter on inbound traffic for the reasons of accuracy, reliability, and security as you stated. Preventing unauthorized access is another key reason to focus on filtering inbound traffic, as it can become a much larger issue if unauthorized access is granted.
Ryan Trapp says
I think that, given the options, if a company had to choose in this context about what traffic to filter that they should filter the traffic coming inbound. When examining the three information system security objectives, it is better to filter the outbound. With respect to availability, we can filter and block traffic that would cause any network outages such as a DOS attack or other types of attacks. When considering confidentiality, we can ensure that only authenticated users are accessing the network from outside. It will also assist with the integrity by monitoring any suspicious activity from malware in the network. For example, if there was a remote access trojan (RAT) installed on one of the internal machines that was attempting to be accessed from outside the network.
Of course, it is best to selectively filter and block certain network activity in both directions. But given this scenario it would be most efficient to block and filter inbound traffic. Although, an argument can certainly be made for both.
Miray Bolukbasi says
Filtering and blocking network traffic relatively covers the concept of firewalls as protection against network intrusions. In an ideal scenario, both incoming and outgoing traffic should be protected and filtered with various protection methods. However, if we are to focus more on one of them, I believe for an organization it is more important to protect the internal network from external threats. I understand that not being able to protect the outgoing traffic might affect day-to-day business operations in some cases and their availability. However, if you can’t control the external traffic that might threaten the confidentiality and integrity of your information, then you might need to deal with bigger issues. Also, it should be considered that probably more attacks would come from outside through incoming traffic to the network. It seems more effective to focus on incoming traffic to prevent the incidents.
Vraj Patel says
Hey Miray,
That’s a great post. I completely agree with you that both are equally important. The threats that are coming into the network do have a higher possibility of being a threat to the company’s confidentiality, integrity, and availability. The company also needs to ensure that the users within their network are not bringing malicious USB or any other rogue devices and connecting them to their network.
Ornella Rhyne says
From a CIA perspective, I would say all three are important and need to be filtered and selectively blocked to protect the information system of an organization. If I could filter and selectively block one network traffic direction, I would concentrate on inbound network traffic. Outbound traffic must not be excluded and must be protected as well, but as the technology evolves, so does the knowledge of people to hack systems. From a security perspective, you really want to avoid a lot of outside malicious attacks and ransomware coming into your network more than going out.
Confidentiality will be my main focus. Unauthorized access can penetrate the network and modify information, exposing it to data breaches and information leaks, causing disruptive events in the network. Confidentiality concerns very sensitive data that can affect the business reputation and profitability if that information falls into somebody’s hands. For that, you would want to ensure that you have all means of protection, including policies and procedures implemented, MFA and adequate employee training that explains the do’s and don’ts related to an information security system.
Michael Galdo says
If I am left with the decision to put more emphasis on one or the other, I believe that selectively blocking network traffic coming into the intranet from the internet is more important. Being able to filter outbound traffic is important as well, but keeping your network safe from threats attempting to come in is essential to an adequate network. It’s important to keep your network safe from unauthorized users so that a user can’t enter and disrupt the running of the network. You are also able to address availability by being able to monitor how many people are actively on the network and controlling how many authorized users can be connected at once.
Michael Duffy says
This depends on the categorization of the system and the sensitivity of data within it. So we would first have to look at FIPS-199 & NIST 800-53 to decide what impact the sensitivity of data has on the system, and what happens if we compromise this data, by implementing controls related to System and Communications Protection (SC family) such as encrypting information in transit.
For systems that are more commercial use, such as office laptops and desktop computers for the everyday user, I would focus on protecting the confidentiality of the system by implementing local firewall host policies and HBSS. This may affect availability of the system, as software applications like McAfee Agent as HBSS typically consume much of a computer’s resources; however, it would protect the integrity & confidentiality of the information within the system, especially since work laptops can typically hold sensitive information such as PII. It would also be much easier to assume all data must be treated indiscriminately when downloading to each device, as I cannot trust each end user to not unwittingly invite or download malware onto the system.
For systems that require real-time operation, in the sense that information must be readily available, I would limit/block the use of outgoing connections by selectively deciding which ports are necessary for a system connecting to the internet. For example, if a system is sending health information for a control system to offload for auditors to view remotely, only that port should be open, with an encrypted tunnel between the systems.
However it really depends on the system.
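The thread keeps circling the same trade-off: a default-deny stance (Mohammed's post), blocking outbound beacons and exfiltration (Kelly's post), and opening a single audited egress port (the post just above). The toy evaluator below is an added example, not code from any participant; it filters only one direction at a time with default deny and runs a few constructed flows through both choices. The address range, ports and rule notes are assumptions for illustration.

```python
"""Toy single-direction firewall evaluator (added example, not from the thread).

Models the choice the question poses: filter ONLY inbound (choice a) or ONLY
outbound (choice b), each with a default-deny policy, and records which CIA
objective each rule mainly serves. Flows, addresses and ports are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTRANET = ip_network("10.0.0.0/8")  # assumed internal address range


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    label: str = ""  # free-text description for the reader


@dataclass(frozen=True)
class Rule:
    direction: str        # "inbound", "outbound" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"
    objective: str        # CIA objective the rule mainly serves
    note: str


def direction(flow: Flow) -> str:
    """Classify a flow relative to the intranet range."""
    src_in = ip_address(flow.src) in INTRANET
    dst_in = ip_address(flow.dst) in INTRANET
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "transit"


# Choice (a): filter only inbound. Expose one public service, deny everything else.
INBOUND_RULES = [
    Rule("inbound", 443, "allow", "availability",
         "public HTTPS front end stays reachable for authorized users"),
]

# Choice (b): filter only outbound. Permit one audited egress channel, deny the
# rest (the single-port idea from the post above; 8443 is an assumed port).
OUTBOUND_RULES = [
    Rule("outbound", 8443, "allow", "availability",
         "health/audit data offloaded over one encrypted channel"),
]

DEFAULT_DENY = Rule("any", None, "deny", "confidentiality, integrity, availability",
                    "default position is to deny, not permit")


def evaluate(flow: Flow, rules: list, filtered_direction: str) -> Rule:
    """Return the rule that decides this flow. Only `filtered_direction` is
    inspected; the other direction passes unfiltered, as the question stipulates."""
    d = direction(flow)
    if d != filtered_direction:
        return Rule(d, None, "allow", "none", f"{d} traffic is not filtered under this choice")
    for r in rules:
        if r.direction == d and (r.dport is None or r.dport == flow.dport):
            return r
    return DEFAULT_DENY


# Constructed sample flows (documentation address ranges, not real hosts).
WEB_REQUEST = Flow("203.0.113.5", "10.0.1.10", 443, label="customer browsing the web portal")
RDP_PROBE = Flow("203.0.113.5", "10.0.2.20", 3389, label="unsolicited RDP connection attempt")
BEACON = Flow("10.0.3.30", "198.51.100.7", 4444, label="workstation calling an unknown host")
AUDIT_OFFLOAD = Flow("10.0.3.31", "198.51.100.9", 8443, label="control system sending health data")
FLOWS = [WEB_REQUEST, RDP_PROBE, BEACON, AUDIT_OFFLOAD]


def compare(flows=FLOWS) -> dict:
    """Decision for every flow under each single-direction choice:
    {label: {"inbound-only": action, "outbound-only": action}}."""
    result = {}
    for f in flows:
        result[f.label] = {
            "inbound-only": evaluate(f, INBOUND_RULES, "inbound").action,
            "outbound-only": evaluate(f, OUTBOUND_RULES, "outbound").action,
        }
    return result


if __name__ == "__main__":
    for label, decisions in compare().items():
        print(f"{label:45} {decisions}")
```

Running it shows the gap each choice leaves open: inbound-only filtering lets the unknown outbound call through, while outbound-only filtering lets the unsolicited RDP attempt reach the intranet.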
Wilmer Monsalve says
Michael, you make a great point. By being able to utilize firewall policies, one can put more focus on what gets through the firewall and block/monitor outbound traffic. This would definitely help keep integrity and confidentiality for the data in the network.
Olayinka Lucas says
The essence of network security is to manage, monitor, and block traffic internally and externally. If left with the option to filter and block traffic from one direction, I suggest that incoming traffic be monitored and filtered more stringently through the firewall, IPS, or IDS configurations. The rationale for this is that other forms of security exist via endpoint, Internet, and application security to monitor internal activities. The focus should be on incoming, external data packets because they are outside the control of and alien to the system owner. Outbound traffic, although it has its own risks, i.e. data loss, theft, and misuse, is still within the power of the system owner to control, and the consequences could still be managed more easily than an attack from inbound traffic. If specific rules are in place, external traffic, most likely adversarial, should be of more significant concern.
From a CIA perspective, I would instead block and filter what could attack from outside while managing what exists within my network.
Lauren Deinhardt says
Hi Olayinka. I agree with you on this. Preservation of the CIA triad as a whole is in jeopardy when inbound blocking is not implemented; a user can lose access to their computer from becoming a botnet, password-logging malware can be deployed, etc. Great points!
Antonio Cozza says
I would more likely choose to block traffic coming into the intranet rather than outbound traffic for multiple reasons. Inbound traffic if not regulated could more easily harm the internal network in a number of ways. If packets are freely accepted from outside the network, a botnet could execute a DDoS as internal machines would also be responding to ICMP packets / ping sweeps to inform attackers that they are up and running. With the network’s bandwidth being consumed by the denial of service, its availability would be at risk initially, and if an attacker could gain access to private competitive or secret information while in the internal network, confidentiality is also at risk. If an attacker could escalate privileges in an internal operating system, integrity of the data is also at risk.
Kelly Sharadin says
Hi Antonio,
I also believe blocking inbound traffic should be prioritized when protecting an intranet. The most obvious defense mechanism is protecting data’s confidentiality. However, I really like your example of how attackers could use recon tools like ping sweeps to map the network. Blocking inbound traffic could prevent an adversary from doing so. Thanks for your thoughtful post!
Kelly
Madalyn Stiverson says
Option A caters to integrity and confidentiality. It prevents external bad actors from potentially having access to the data, meaning they could change it or steal it as desired.
Option B caters to confidentiality. It prevents rogue employees from sending sensitive information outside the network. It decreases availability, since it prevents employees from emailing sensitive information to their personal devices.
If I could only choose 1, I’d choose Option A (prevent incoming traffic). This is because each organization is indiscriminately targeted multiple times a day with malware, phishing emails, and other methods of attack. You can mitigate against Option B by training employees and doing background checks.
Michael Galdo says
Hello Madalyn,
I agree with you in that preventing incoming traffic would be more important than blocking outgoing traffic. Keeping your network safe from threats attempting to come into your network is essential to an adequate network. It’s important that you recognized that both options are important and that outgoing traffic can be prevented by employee training. You can address the availability issue by monitoring how many people are actively on the network and controlling how many authorized users are connected to the server at once.
Michael Duffy says
I agree with Option A in your case if you’re trying to prevent external threats. I think it depends ultimately on the system that you’re trying to protect and its operation. If these are office-style enterprise systems that handle day-to-day information, then it would definitely be Option A.
However I could see B being an option in the case if the company is using some sort of system that focuses on real-time capabilities from within their network. And that the only reason they’re sending any communication outside is for remote logging/auditing to keep separate. I could be wrong; just trying to create a scenario in my head.
Olayinka Lucas says
Hello Madalyn, very well articulated.
I, however, believe that both options touch on the CIA triad in totality. Both choices (inbound and outgoing traffic) could adversely impact confidentiality, integrity, and availability if not correctly managed. Employee errors from within are equally as dangerous as adversarial attacks and also touch all elements of security.
Christopher Clayton says
With incoming network traffic coming from the outside, I would personally focus on blocking traffic that is coming in rather than traffic going out. Malicious attackers disguise their network using different procedures to bypass IP address filtering in order to take control of end-user resources, steal credentials, and possibly damage network performance. That’s why firewall security device protection is very necessary to prevent outside threats from entering a network by filtering traffic and blocking intruders (i.e. malware, unauthorized access, intrusion detection).
Corey Arana says
Christopher, I do agree with you on blocking incoming traffic over outbound traffic. However, it appears everyone else thinks that too. Do you think there is any way outbound traffic could be the better option to block over inbound?
Christopher Clayton says
Hi Corey, as far as outbound traffic, data loss prevention (DLP) would probably be the better option, because you want to make sure you’re not sending critical information outside the network, for instance banking material, medical records, or any other type of sensitive information.
Antonio Cozza says
Hi Christopher,
I definitely agree that blocking incoming traffic is the better option. I liked the examples you provided as to why that could be the case. A well-configured firewall is a good way to mitigate much of the unwanted inbound network traffic, provided that the firewall is actually configured properly to a desired state such that it blocks most requests that could potentially touch internal services, processes, or network protocols.
Olayinka Lucas says
Hello Christopher,
I believe that both are equally dangerous to a network when not adequately managed, and I would instead protect my network from what I cannot control than focus on what I can easily handle. More importantly, outbound data packets emanate from my network and may be easily monitored, unlike inbound traffic that is alien to my network.
Lauren Deinhardt says
With respect to the security objectives of confidentiality, integrity and availability, if I needed to only filter one of the two above-listed traffic types, I would opt for incoming traffic. Firewalls blocking incoming traffic can prevent the extremely prevalent threat posed by spam, social engineering and phishing; these tactics can lead to denial of service (DOS) attacks, malware, and ransomware deployment. Although outbound traffic blocking will prevent employees/insiders leaking information; thus ensuring confidentiality, inbound network firewalls ensure that these threats affiliated with confidentiality, integrity, and availability are correctly prevented. Incoming traffic blockage can ensure confidentiality by preventing spyware from being deployed via spam phishing, and can ensure integrity/availability by preventing ransomware attacks via spam also. Incoming traffic firewalls tied with effective security awareness training is an excellent mitigation measure to preserve organizational security.
Corey Arana says
Lauren,
Great response, I agree with you on blocking incoming traffic. Being able to stop spam, social engineering and phishing is really the option to block over outbound. I think it is much more of a likelihood an attack will come from outside rather than an employee leaking information. Thanks for the description of your response.
Wilmer Monsalve says
I believe filtering/blocking incoming traffic would be the best option for the CIA triad in terms of security for the organization. If you can prevent an incoming potential threat, it would protect the organization, as opposed to only seeing what is already circulating through network traffic once you find something in your network. Most threats originate externally, from bad actors corrupting users with phishing scams and other tactics to obtain credentials for a system. If this can be prevented from happening, then most threats can be eliminated, and internal threats can now be narrowed down to an individual or group. This would help keep user information confidential and available as well. Since attacks still get through firewall and network defenses daily, constant supervision of incoming network traffic is vital.
Dhaval Patel says
If I had to filter incoming or outbound network traffic based on the CIA triad, I would probably choose to filter incoming traffic. With incoming traffic, if there are no filters it can be very difficult to control. Without monitoring you don’t know whether the traffic contains sensitive data or malicious data; the data coming in could also be in an altered state. With outbound, there is a general understanding of what can and cannot be sent out simply through company policies, and so it is much easier to manage.
Madalyn Stiverson says
Hi Dhaval,
Good point on outbound traffic being able to be managed in other ways. There is still some risk, such as from insider threats, but those threats can be mitigated by company policy, proper least privilege access, and swiftly terminating employee accounts after that employee leaves the company.
Dan Xu says
When considering the three security objectives of confidentiality, integrity and availability of an information system, I would choose to block incoming traffic when only one direction of network traffic can be filtered and selectively blocked. First, to ensure confidentiality, we need to control user access rights. For unknown incoming traffic, untrusted users cannot guarantee confidentiality, and it is the trigger of many privacy leaks and disasters. Second, to ensure integrity, unauthorized and untrusted users must not be able to tamper with or destroy data at will, and restricting incoming traffic can effectively ensure data integrity and reduce the risk of data destruction. For usability, incoming traffic prevents authorized and trusted users from having access to the information contained therein, because they need to use it securely. By effectively filtering and blocking incoming traffic, organizations can better mitigate the burden of maintenance and subsequent risk issues and protect organizational security.
Michael Jordan says
Dan,
I agree that I would also block incoming traffic if I were in charge of the network policy and only had the option to block one. I agree with your point that not all users who are allowed access to a system can be trusted to know which incoming traffic is malicious and which is not.
-Mike
zijian ou says
I believe in focusing on firewalls, which can be considered closed borders or gateways to manage the propagation of permitted and prohibited network activities on private networks.
zijian ou says
For confidentiality, integrity, and availability, I would focus on the firewall. Firewalls can be considered closed boundaries or gateways that govern the propagation of permitted and prohibited network activities on a private network. The term comes from the concept of a physical wall being a barrier that slows the spread of fire until emergency services can put it out. By analogy, network security firewalls are used for network traffic management, often designed to slow the spread of network threats. A firewall determines which network traffic is allowed through and which traffic is considered dangerous. It does this essentially by filtering out the good from the bad, or the trusted from the untrusted. Before going into detail, however, we must understand the structure of web-based networks before explaining how a firewall filters between them.
Jason Burwell says
Suppose an organization is only able to filter and selectively block either: a) network traffic coming into its intranet from the internet (incoming) or b) network traffic going out to the internet (outbound). With respect to each of the 3 information system security objectives (i.e. confidentiality, integrity, and availability), if you could only filter and selectively block one network traffic direction, which one would you concentrate on and why?
For me this is a tough question; I believe a case could be made to filter on either side if one could only choose one. But to answer the question in this scenario, I am going to filter the incoming traffic. When we think of CIA, in the end I believe it would be best to filter the inbound traffic: confidentiality will be more secure, and integrity also. Availability would be more of an issue, as we are filtering what is allowed in, but it would not be totally cut off, and if we find ourselves with only one way to filter traffic, I believe this would be the best bet.
Joshua Moses says
I think I would focus on network traffic coming into the intranet from the internet (incoming). Organizations’ networks need to be protected by filtering incoming and outgoing network traffic between the private network and the public internet. However, if I could only choose to protect one direction, this is what I would expect to achieve.
Blocking incoming network traffic will deter the following:
- incoming traffic
- unauthorized connections
- malware
- denial of service attacks
Alexander William Knoll says
With respect to the 3 information system security objectives, I personally would selectively block outbound network traffic for Confidentiality, and incoming traffic for Integrity and Availability. The reason for my decision is that when it comes to Confidentiality, the employee is sometimes the biggest risk. Blocking outbound network traffic would essentially eliminate any unauthorized disclosure of information, whether it be from whistleblowers or employees making honest mistakes. On the other hand, blocking incoming traffic assures that nobody with malicious intent can gain access to the organization’s sensitive data, assuring that it remains accurate in the sense of its integrity, and reliable to the authorized users (employees) in the sense of availability. If truly forced to only block one network traffic direction, the answer for me would be inbound, as it pays better respect to the CIA triad (Integrity, Availability).
Bernard Antwi says
Personally, I would build firewalls that block any inbound traffic that hasn’t been specifically allowed. By default, the public profile allows absolutely no incoming connections. This provides excellent security when connecting to public hotspots or other untrusted networks. The domain and private profiles allow some incoming connections, such as connections for file and printer sharing. Even if you install or enable a feature that requires incoming connections, it will automatically enable the required firewall rules.
Confidentiality: Data is kept protected against threats and unauthorized access.
Integrity: Data is kept accurate and trustworthy by preventing accidental or intentional alterations or deletion.
Availability: Data is kept accessible to those who are authorized to have access.
Michael Jordan says
If I could only block one network traffic direction, I would block traffic coming inbound to an intranet. I say this because one of the largest vectors of information security risk and loss is employee ignorance and negligence, and even though employees are able to send information to the internet that could produce a loss, it is more common for an employee to allow malicious traffic inbound to an intranet.
In regard to the CIA triangle:
Confidentiality: Although data could still be exported to the internet if only incoming traffic is blocked, the availability and integrity of the data are still secured as long as it is an employee exporting this information (and not a cybercriminal). Blocking inbound traffic decreases the chances of cybercriminals installing malware and breaching a system, (hopefully) preventing them from accessing the information they want to export in the first place. It also protects patents and intellectual property from being seen by criminal competitors or foreign governments.
Availability: By blocking inbound traffic, the availability of business information systems is preserved by preventing ransomware from being installed due to information security failure of employees. As ransomware is one of the most frequent methods used by cybercriminals to extort companies out of money, this would be a major benefit of blocking inbound traffic from the internet.
Integrity: By blocking inbound traffic, the integrity of internal information is preserved, because it could not be changed unless an employee or someone with physical access altered the information. With that being said, this would not be helped much by blocking inbound traffic from the internet, but I don’t see how blocking outbound traffic to the internet would prevent an employee from altering information either.
Richard Hertz says
Suppose an organization is only able to filter and selectively block either: a) network traffic coming into its intranet from the internet (incoming) or b) network traffic going out to the internet (outbound). With respect to each of the 3 information system security objectives (i.e. confidentiality, integrity, and availability), if you could only filter and selectively block one network traffic direction, which one would you concentrate on and why?
I would concentrate on blocking outbound traffic in order to protect the confidentiality of data. I would not allow employees or unauthorized people to send data outside of the confines of my network. I would employ various tools (e.g. – data loss prevention) to ensure data was not exfiltrated from my network.
Note – with respect to cyber concerns, this approach protects my data, but does not necessarily protect the organization from ransomware or similar threats. To address those threats I would focus more on inbound traffic to prevent bad actors from getting into my network.
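The trade-off the two comments above describe (Michael Jordan's objective-by-objective breakdown, and Richard Hertz's point that outbound control protects confidentiality but does nothing against an intrusion) can be made concrete with a small simulation. The following is an added example, not code from this thread or from any commenter: it models a stateful perimeter filter that can enforce a default-deny policy in only one direction, replays a constructed set of connection attempts, and reports which hostile flows still get through under each choice, grouped by the CIA objective they threaten. Every address, port, allow-list entry and flow label is an assumption made up for illustration.

```python
"""Direction-limited perimeter filtering: which threats survive each choice?

Added example (not from the discussion above). Models an organization that
can enforce policy in ONE direction only. Connection attempts are the first
packet of a flow; replies to an accepted flow are assumed to pass, as they
would through a stateful firewall. All data below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTRANET = ip_network("10.0.0.0/8")                    # assumed internal range

# Default-deny inbound: only published services are reachable from outside.
INBOUND_ALLOW = {("10.0.0.25", 443), ("10.0.0.25", 25)}  # web + mail (assumed)

# Default-deny outbound: egress only to vetted destinations on vetted ports.
OUTBOUND_DESTS = {"192.0.2.10", "192.0.2.53"}       # update mirror, resolver (assumed)
OUTBOUND_PORTS = {443, 53}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    label: str        # what the flow represents in the scenario (constructed)
    objective: str    # CIA objective primarily at stake (constructed)
    hostile: bool     # True if the flow is an attack or a leak


def direction(flow: Flow) -> str:
    """Classify a flow relative to the intranet boundary."""
    src_in = ip_address(flow.src) in INTRANET
    dst_in = ip_address(flow.dst) in INTRANET
    if dst_in and not src_in:
        return "inbound"
    if src_in and not dst_in:
        return "outbound"
    return "internal"


def inbound_allowed(flow: Flow) -> bool:
    return (flow.dst, flow.dport) in INBOUND_ALLOW


def outbound_allowed(flow: Flow) -> bool:
    return flow.dst in OUTBOUND_DESTS and flow.dport in OUTBOUND_PORTS


def filter_flows(flows, enforced: str) -> dict:
    """Return {label: 'allow'|'drop'} when only `enforced` ('inbound' or
    'outbound') is filtered. The other direction passes unfiltered."""
    verdicts = {}
    for f in flows:
        d = direction(f)
        if d != enforced:
            ok = True                      # nothing inspects this direction
        elif d == "inbound":
            ok = inbound_allowed(f)
        else:
            ok = outbound_allowed(f)
        verdicts[f.label] = "allow" if ok else "drop"
    return verdicts


def residual_exposure(flows, enforced: str) -> dict:
    """Hostile flows that still get through, grouped by CIA objective."""
    verdicts = filter_flows(flows, enforced)
    exposure = {"confidentiality": [], "integrity": [], "availability": []}
    for f in flows:
        if f.hostile and verdicts[f.label] == "allow":
            exposure[f.objective].append(f.label)
    return exposure


# Constructed scenario: a mix of legitimate traffic, external attacks against
# both published and unpublished services, and post-compromise egress.
SCENARIO = [
    Flow("198.51.100.7", "10.0.0.25", 443, "customer-https", "availability", False),
    Flow("203.0.113.9", "10.0.0.50", 3389, "rdp-bruteforce", "integrity", True),
    Flow("203.0.113.9", "10.0.0.60", 5432, "exposed-db-exploit", "confidentiality", True),
    Flow("203.0.113.9", "10.0.0.25", 443, "http-flood", "availability", True),
    Flow("203.0.113.77", "10.0.0.25", 25, "phishing-email", "availability", True),
    Flow("10.0.0.50", "192.0.2.10", 443, "patch-download", "integrity", False),
    Flow("10.0.0.50", "203.0.113.200", 443, "c2-beacon", "integrity", True),
    Flow("10.0.0.50", "203.0.113.53", 53, "dns-exfil", "confidentiality", True),
    Flow("10.0.0.50", "203.0.113.201", 443, "insider-upload", "confidentiality", True),
]

if __name__ == "__main__":
    for choice in ("inbound", "outbound"):
        print(f"filtering {choice} only -> residual exposure:")
        for objective, leaks in residual_exposure(SCENARIO, choice).items():
            print(f"  {objective:16s} {', '.join(leaks) or '(none)'}")
```

Run as a script, the summary shows the asymmetry the thread is arguing over: inbound-only filtering stops the RDP brute force and the attack on the unpublished database, but leaves the C2 beacon, the DNS exfiltration and the insider upload untouched; outbound-only filtering cuts all three egress channels but lets the intrusion itself succeed. Both choices pass the HTTP flood and the phishing email, because they arrive on published services and a port-level filter cannot distinguish them from legitimate use of the same ports; that is the gap that content inspection and awareness training, mentioned earlier in the thread, are meant to close.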
Victoria Zak says
Suppose an organization is only able to filter and selectively block either a) network traffic coming into the intranet from the internet (incoming) or b) network traffic going out to the internet (outbound), with respect to each of the 3 information system objectives (CIA). If you could only filter and selectively block one network traffic direction, which one would you concentrate on and why?
If an organization were able to filter and selectively block only inbound or only outbound traffic, I would recommend that the organization choose to filter network traffic coming into the intranet from the internet. Regarding the CIA triad, it is extremely important for organizations to have MFA in place to ensure that only authorized users are on the company’s network.
However, monitoring both outbound and inbound traffic is extremely important, and both should be filtered to the appropriate setting.