Suppose an organization is only able to filter and selectively block either: a) network traffic coming into its intranet from the internet (incoming) or b) network traffic going out to the internet (outbound). With respect to each of the 3 information system security objectives (i.e. confidentiality, integrity, and availability), if you could only filter and selectively block one network traffic direction, which one would you concentrate on and why?
Comments
Samuel Omotosho says
I would concentrate on network availability. The security objective helps in determining how well a computer network can respond to connectivity and performance demands that are placed on it (Hashemi & Zarei, 2020). Therefore, blocking some information, incoming and outbound, will help in determining the capacity of the information system.
Reference
Hashemi, S., & Zarei, M. (2020). Internet of Things backdoors: Resource management issues, security challenges, and detection methods. Transactions on Emerging Telecommunications Technologies. https://doi.org/10.1002/ett.4142
Jill Brummer says
If an organization was only able to selectively block incoming or outgoing network traffic, in my opinion selectively blocking outgoing network traffic is what I would concentrate on, because the outgoing traffic is coming from within the organization. Confidentiality – employees within the organization have access to confidential information and could leak it from the company, which would hopefully be caught in the outgoing traffic. Integrity – employees have access (some privileged) where they could make inaccurate and/or inappropriate changes to data and then leak it outside of the company, also hopefully getting caught in the outgoing traffic. Lastly, availability – the protected data is available to certain employees within the company, again posing a risk that they could leak the data outside the company in outgoing traffic.
Even though the incoming traffic is a risk, they still have to find data once inside the network. Even if they find the data, they might not be able to access the data, change the data, or read the data without access to privileged credentials. If they did gain access to privileged credentials, they would still have to successfully move the data outside the organization in the outgoing traffic.
David Vanaman says
I like your rationale, but I think in general the industry disagrees with you. If you look at default configurations for firewalls (the basic Windows firewall is a simple example), the default is to whitelist incoming and allow by default for outgoing. It is easier to build in administrative and compensating controls to reduce outgoing traffic.
Nicholas Foster says
The premise of this question in choosing only one type of traffic (ingress or egress) to monitor/filter/block/etc. is largely based on the type of organization and what data lives on that network. The type of organization you work for and the sensitivity around the data would heavily sway you to one side or the other. For example, if the organization was a hospital, I would be much more concerned with the traffic egressing due to the sensitivity of the data that lives on hospitals’ networks. There’s not only malicious risk but accidental risk involved. For example, in a previous organization I worked for, emails were scanned for potential plaintext PII/PHI. Anything resembling an SSN, i.e. 123-45-6789, would automatically be blocked from egressing and sent to IT security for further review. If deemed PHI/PII, it would go to that user’s manager for remediation/disciplinary actions. Consider, on the other hand, Google, a search engine that crawls the web for results and displays them. Since it makes a good amount of its revenue based on sponsored links, if the site were to be rendered unavailable due to DDoS attacks, it heavily impacts not only its primary feature (the ability to search the web) but also the customers who paid to have their link frontloaded on the website.
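The egress scan Nicholas describes (pattern-match outbound mail for SSN-like strings, block the message, hand a copy to security for review) can be sketched as a small DLP check. This is an added illustration, not code from the post or from any product; the SSN structural rules and the redaction format are assumptions chosen to cut false positives on other nine-digit numbers.

```python
import re
from dataclasses import dataclass, field

# Hypothetical outbound DLP check, added to illustrate the email scanning
# described above. Matches 9 digits with optional "-" or " " separators,
# bounded so that a longer digit run (a phone number) does not match.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for valid SSNs (assumed here as a false-positive
    filter): area is never 000, 666 or 900-999; group and serial never 0."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass
class EgressDecision:
    action: str                      # "allow" or "block"
    redacted: str                    # body safe to show to reviewers
    findings: list = field(default_factory=list)


def scan_outbound(sender: str, body: str) -> EgressDecision:
    """Scan one outbound message body; block if a plausible SSN is present.
    The redacted body keeps only the last four digits for the review queue."""
    findings = []

    def _redact(m: re.Match) -> str:
        area, group, serial = m.groups()
        if not looks_like_ssn(area, group, serial):
            return m.group(0)        # e.g. an order number, leave it alone
        findings.append({"sender": sender, "offset": m.start(),
                         "masked": "***-**-" + serial})
        return "***-**-" + serial

    redacted = SSN_RE.sub(_redact, body)
    return EgressDecision("block" if findings else "allow", redacted, findings)


if __name__ == "__main__":
    # Constructed sample message, not real data.
    d = scan_outbound("alice@example.test", "Patient SSN is 123-45-6789.")
    print(d.action, d.redacted, d.findings)
```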
Kenneth Saltisky says
Hi Nicholas,
Your example of a hospital is a good example where outbound traffic is important in monitoring accidental or intentional data leakage. Information such as SSN or other PHI/PII should be closely monitored since it is sensitive data that can result in potential fines or reputational loss should it be leaked.
Jill Brummer says
I like your point of view regarding it depends on the business and what type of data. I wasn’t thinking about it that way. I agree with your thoughts on the hospital example.
David Vanaman says
Looking at filtering from the perspective of Confidentiality, Integrity, and Availability and choosing to only filter incoming or outgoing, my recommendation would be to filter incoming. Incoming traffic is more of a threat to integrity and availability. Outgoing traffic is more of a threat to confidentiality. While being unable to filter outgoing traffic would create the risk of data confidentiality being broken by exposure, it is far easier to apply compensating and administrative controls for confidentiality than to prevent availability threats such as denial of service or integrity threats from file compromise.
Abayomi Aiyedebinu says
Hi David,
I like the point you raised about incoming traffic as more of a threat to integrity and availability. Incoming traffic poses a great threat in terms of vulnerabilities, and system administrators have a great role to play in making sure firewalls and anti-malware are up to date.
Christa Giordano says
The decision to filter incoming traffic or outgoing traffic is a difficult one, as the answer could vary based on a number of factors, since threat actors could be insiders as well as external to the organization. I do think in general there is a higher likelihood of an attack or threat coming from the outside, and it is easier to add controls and mitigants to incoming traffic and employ the defense in depth model. In addition, since we are considering the confidentiality, integrity and availability of information, the greatest risk to these attributes comes from outside sources. Vacca identifies that the most frequent threats (top four) to the network come from viruses, spam, spyware, adware and hijacking, which are all primarily outside resources. These are threat actors that, if given the opportunity, will compromise the confidentiality and integrity of information, and/or they can launch a DoS or DDoS and impact the availability of data.
Kenneth Saltisky says
Hi Christa,
I agree that filtering incoming traffic would help in mitigating the top four threats you mentioned, especially since most of these threats originate from external traffic. It is still possible that internal traffic can perpetuate these threats should an insider threat perpetuate these threats against the organization; however, it is more likely that there will be more consistent attacks from outside the network.
Shepherd Shenjere says
Hello Christa,
I totally agree with you; many times, threat actors come from outside the organization, and I think that should be a priority when filtering network traffic.
Abayomi Aiyedebinu says
Inbound and outbound refer to the direction traffic moves between networks. Inbound network traffic originates from outside the network, while outbound traffic originates inside the network. If an organization is only able to filter and selectively block network traffic coming into its intranet or traffic going out of it, I would suggest that it is best to concentrate on inbound traffic, since most organizations would put more effort into protecting the enterprise infrastructure from outside attack. In addition to that, inbound traffic poses a huge threat to enterprise infrastructure, such as a data breach, although outbound traffic could also be compromised with regards to confidentiality, exposing PII, or accessing vulnerabilities from unknown packets that have been embedded with malware and trojans. Therefore, an organization should have a holistic view when it comes to protecting inbound and outbound traffic.
Kenneth Saltisky says
Hi Abayomi,
I agree that having a holistic view beyond selecting to concentrate on inbound or outbound traffic is important for an organization. Although there is more potential for external threats to attack the network, there is still room for internal threats to potentially harm an organization’s network infrastructure or to leak confidential information.
Kenneth Saltisky says
In terms of the three security objectives, it would be more effective to block and filter incoming network traffic. In terms of confidentiality, it would be able to verify that a user has access to resources they are authorized to access. For integrity, attempts to manipulate data through something like an SQL injection attack would be filtered. For availability, potential denial of service attacks can be mitigated and requests to access data can be filtered such that only those that are supposed to have access can.
However, it would be more effective to consider an organization’s needs prior to considering only allowing inbound or outbound traffic.
Shepherd Shenjere says
I honestly would focus more on blocking incoming traffic if I had to choose between blocking incoming traffic and outgoing traffic. Incoming traffic is usually the one that brings malicious links or code inside the organization’s network. So, it is the best idea to protect the organization, particularly in terms of data integrity and availability. Even though confidentiality may be affected by the outgoing traffic, the organization may harden or implement necessary measures and decide how much access can be granted to the data that’s going out. However, it comes down to the organization’s decision on how they want to handle and protect their data.
Maxwell ODonnell says
Hi Shepherd,
I agree with the point that it’s best to block incoming traffic, based on the fact that it will best help the availability and integrity of the data. Even though it doesn’t directly help with confidentiality the same way blocking outgoing traffic does, preserving the other two security objectives also helps preserve confidentiality.
Parmita Patel says
I would concentrate on blocking the incoming traffic because what is coming into the organization is more important than what is going out. Filtering the incoming traffic can protect against intruders and attackers trying to phish out the critical data we could expose. Outbound traffic is also important, but managing that while keeping the incoming traffic blocked would help us better grasp the situation. Incoming traffic would still be able to deliver emails on which someone at the company could click and give away sensitive data about the company. This would help better manage and keep those risks out.
Matthew Stasiak says
Assuming my team is competent enough to have understood the security training and briefings, then the risk of internal threats can be deemed as minimal. Because of that, I would personally choose scenario A where I selectively filter and block incoming traffic to remove any risk of outside threats. I feel like most of the internal threats are from people with low-level clearance that the company has assessed the risk for and can manage some loss in that department, but any risk to the upper-level clearance must be protected at all costs and that’s why I would personally choose A.
Maxwell ODonnell says
Within the context of data confidentiality, integrity, and availability, I think it would be better to focus on filtering/blocking incoming traffic. Most threats are seen from the outside, and filtering that traffic would help mitigate some of that risk. Although threats can still originate internally, the majority are prevented by monitoring inbound traffic. Data integrity would be preserved by blocking attempts to manipulate data, and availability would be preserved by preventing denial of service attacks. Confidentiality would be best preserved by monitoring outgoing traffic; however, I still recommend monitoring inbound traffic as the best course of action.