Protection of Information Assets

Temple University


MIS 5206.701 ■ Fall 2023 ■ David Lanter

Question 2

October 26, 2023 by David Lanter 29 Comments

Suppose an organization is only able to filter and selectively block either: a) network traffic coming into its intranet from the internet (incoming) or b) network traffic going out to the internet (outbound). With respect to each of the 3 information system security objectives (i.e. confidentiality, integrity, and availability), if you could only filter and selectively block one network traffic direction, which one would you concentrate on and why?

Filed Under: Unit 10: Network Security

Comments

  1. Andrew Young says

    October 26, 2023 at 11:54 am

    If we were hypothetically only able to filter incoming or outgoing traffic, my inclination would be to focus primarily on incoming traffic. Vacca’s chapters illustrate how often threats emerge from incoming network traffic and activity, and many of the systems in place to ensure network activity seem to focus on prevention and filtration of incoming traffic. Additionally, outbound data controls are typically more common and versatile for an organization internally than inbound.

    In the context of the 3 security objectives, confidentiality can be impacted through malware downloads or network monitoring, meaning that a user’s network traffic and even offline internal processes can be compromised by an incoming signal or malware download. Integrity may be impacted via the same functions, as malware or another hostile attack originating from inbound network traffic can alter, modify, or otherwise corrupt data on a user’s device. As for availability, one example of interruptions in network availability and access can be seen in a DDoS attack, where inbound network traffic can disrupt an entire network and fully deny access to all users, an attack that cannot occur from outbound traffic on an organization’s end.

    • Marc Greenberg says

      October 31, 2023 at 4:54 am

      You covered most of it with your assessment. Within the context of data confidentiality, integrity, and availability it would be better to focus on filtering/blocking incoming traffic. Data integrity would be preserved by blocking attempts to manipulate data and availability would be preserved by preventing denial of service attacks. Confidentiality would be best preserved by monitoring outgoing traffic. Although outside is usually the more common threat, it would be more effective to consider an organization’s needs prior to considering only allowing inbound or outbound traffic.

  2. Ikenna Alajemba says

    October 26, 2023 at 9:58 pm

    I will concentrate on the incoming.

    The main reason for this is that it is typically much easier for an attacker to exploit vulnerabilities in systems that are exposed to the internet than it is to attack systems that are behind a firewall. By filtering and selectively blocking incoming traffic, organizations can reduce their exposure to attacks and prevent attackers from accessing sensitive data.
    Organizations typically have a much easier time filtering and selectively blocking incoming traffic than outgoing traffic. By doing so, they can reduce their exposure to attacks and prevent attackers from accessing sensitive data.

    The main benefit of concentrating on incoming traffic is that it can help organizations reduce their exposure to attacks. By filtering and selectively blocking incoming traffic, organizations can prevent attackers from accessing sensitive data. Additionally, this can help to preserve the confidentiality and integrity of data, as well as the availability of systems.

    The main risk of concentrating on incoming traffic is that it may not be possible to completely prevent all attacks. Additionally, if an organization is not careful in its filtering and selective blocking, it may end up blocking legitimate traffic as well.

  3. Michael Obiukwu says

    October 28, 2023 at 1:34 pm

    In the realm of information system security, organizations routinely grapple with choices that balance risk and resources. For organizations limited to filtering and selectively blocking either incoming internet-derived network traffic to their intranet (incoming) or outbound network traffic venturing into the cyberspace (outbound), making the optimal decision might essentially depend on their core security objectives: confidentiality, integrity, and availability.

    From a confidentiality standpoint, most organizations would arguably benefit more from focusing their resources on controlling incoming traffic, given the prevalent threat of unauthorized access or data theft from external attackers. Filtering and selectively blocking incoming network traffic allows an organization to prevent potentially malicious entities from infiltrating their system, thus upholding the confidentiality of their sensitive information.

    However, when factoring in integrity – the aspect of information security that guarantees that data and systems are changed only in a specified and authorized manner – the focus could be argued in favor of regulating outgoing traffic. Particularly, this would mitigate the risk of insider threats or data exfiltration. When an organization can filter and selectively manage outbound network traffic, it ensures unauthorized or unintended information modifications are prevented, fostering data and system integrity.

    Availability, the third cornerstone of information security objectives, entails that systems and data are accessible and usable upon demand by an authorized entity. In this vein, focusing on filtering and blocking incoming network traffic might offer more substantial advantages. For instance, it may help prevent distributed denial-of-service (DDoS) attacks that are primarily designed to overwhelm network resources and disrupt availability.

    Organizational context, specific threats, and security strategies would ultimately influence the choice between filtering/blocking incoming versus outbound network traffic. Balancing all three security objectives is an essential step in ensuring an effective and holistic organizational approach to information security.

    Michael, OBIUKWU

    • Ashley A. Jones says

      October 30, 2023 at 9:02 pm

      Hi Michael, I like how you framed the question around the information security objectives {CIA}. It actually makes more sense to frame the question this way since, as I am learning, there are many native security features that ISPs are embedding into their services and products. “Only being able to filter and selectively block network traffic coming in… or network traffic going out” seems obsolete. More so, where are inbound and outbound traffic rules most effective?

  4. Alex Ruiz says

    October 29, 2023 at 6:27 am

    I would almost always focus on filtering outbound (b) if I was only able to choose one. Knowing that incoming traffic threats are way more common, hear me out: if the outbound traffic was so heavily filtered, it’d be harder for an attacker to exfiltrate any information or receive any information to further their attack. This will help both confidentiality and integrity by hindering the malware’s ability to spread. As for availability, incoming attacks are going to be almost impossible to stop, but stopping your own system from being used maliciously and therefore lowering its availability can be done by blocking its outbound traffic.

    • Andrew Young says

      October 31, 2023 at 11:12 am

      I like how you framed the idea of outbound traffic being a limiter to furthering an attack. I would say, however, that if the malware is already inside of an internal system, it may not necessarily need full outbound traffic access to spread throughout an organization internally. If a device that is infected were connected to a server through a local network connection or was able to infect an admin directly, the integrity of the data could be highly impacted even after a short time and possibly before full detection and response are even deployed by the organization’s IT department.

    • Unnati Singla says

      October 31, 2023 at 10:33 pm

      Hi Alex, I like your point of view, and thank you for providing this. I was only thinking and focusing on inbound but you definitely bring out good points about being able to secure a network by focusing on outbound traffic. It’s unique how you thought about the exfiltration of information which can be prevented by focusing on outbound traffic.

  5. Marc Greenberg says

    October 29, 2023 at 9:21 am

    Within the context of data confidentiality, integrity, and availability it would be better to focus on filtering/blocking incoming traffic. Most threats are seen from the outside and filtering that traffic would help mitigate some of that risk. Threats to the network come from viruses, spam, spyware, adware and hijacking, which are all primarily outside resources. Data integrity would be preserved by blocking attempts to manipulate data and availability would be preserved by preventing denial of service attacks. Confidentiality would be best preserved by monitoring outgoing traffic. Although outside is usually the more common threat, it would be more effective to consider an organization’s needs prior to considering only allowing inbound or outbound traffic, along with outside vs inside.

    • Ikenna Alajemba says

      October 29, 2023 at 9:56 am

      In the realm of data confidentiality, integrity, and availability, a prudent focus would be on filtering/blocking inbound traffic. This proactive approach mitigates external threats such as viruses, spam, spyware, adware, and hijacking, thereby preserving data integrity and availability. However, one should tailor measures to the organization’s specific needs, factoring in both internal and external traffic considerations.

  6. Akintunde Akinmusire says

    October 29, 2023 at 11:52 am

    An organization’s goals and objectives should be considered when choosing to control incoming or outgoing traffic. Both incoming and outgoing network traffic should be scrutinized but if I must choose, I will go with incoming network traffic. Attackers can take advantage of incoming traffic more than they can manipulate outgoing traffic. Filtering incoming traffic also aligns with the three objectives of information system security (confidentiality, integrity, and availability) by reducing the risks of security breaches.

    • Chidi Okafor says

      October 29, 2023 at 8:00 pm

      Akin, I agree with you that both options touch on the CIA triad. Truth is if the incoming and outgoing traffic is not adequately managed, the effect on the CIA Triad could potentially be disastrous.

  7. Jeffrey Sullivan says

    October 29, 2023 at 12:12 pm

    I would block outgoing traffic even though this week’s readings in Vacca concentrate more on incoming traffic. When I think about it, how can an organization even operate with no incoming traffic? Sure, it’s a two-way transmission, but not all outbound is going to be compromised; a good amount of it could be but not all, which would still give the business a means of operation.
    As I kept reading, though, I want to lean more towards inbound. For example, taking a small sample of this week’s reading, which was a lot, a bot and its code, according to Vacca, “is code designed to hijack small parts of a machine’s resources in order to open communication channels to the attacker’s machine, spread to different hosts, and accomplish other clandestine tasks. Collectively, all computers or devices that have been infected by a bot, along with a machine or machines run by an attacker that act as a central command center, or command and control server that issues commands to the bots, are known as a botnet. To set up a botnet, an attacker must install or trick a user into installing malicious bot-code to run their computing device.” This is done by a link sent by an attacker via a website link and can ultimately be used in a DDoS attack. Still makes me think, what would happen if outbound was blocked? Sure, there is tons of information in this week’s text about filtering, educating staff, etc., but if you are compromised there are other means of communication a business can do to get information out vs in. I would also concentrate more on the integrity side, and you can train staff as much as you want, but if the integrity is not there then it doesn’t matter; incoming or outgoing, you will eventually be compromised from either side.

    • Chidi Okafor says

      October 29, 2023 at 7:52 pm

      I must say your deduction is spot on, but I dare to say that filtering both inbound and outbound traffic carries significant weight and touches on the same elements of CIA. Data stolen by exfiltration can be used by threat actors as well as disruptions caused by maybe a ransomware attack.

  8. Kelly Conger says

    October 29, 2023 at 7:03 pm

    Organizations should prioritize filtering and selectively blocking incoming network traffic if they can only choose one direction. This is because incoming traffic is more likely to contain malicious content or attacks that can compromise the confidentiality, integrity, and availability of data. Organizations can implement compensating controls to mitigate the risks associated with the direction of network traffic they cannot filter and selectively block. For example, organizations can implement data encryption and access control measures to protect data from unauthorized access, even if it is leaked through outbound traffic. When making decisions about which direction of network traffic to filter and selectively block, organizations should consider their own risk profile and the types of data they store. For example, organizations that store sensitive data, such as financial or healthcare data, may be more concerned about filtering and selectively blocking incoming traffic. Overall, filtering and selectively blocking incoming traffic is the more critical direction to concentrate on, as it can help to protect organizations from a broader range of security threats and reduce the risk of data breaches, integrity attacks, and availability attacks.

  9. Chidi Okafor says

    October 29, 2023 at 7:44 pm

    It’s crucial to consider the threat landscape facing the organization in this scenario. Different companies may have different risk appetites from external and internal traffic. In both situations there are risks that could affect the confidentiality, integrity, and availability of the intranet. To protect the integrity and availability of the organization’s intranet, I would block the outbound traffic because this will limit the entry points that can be used to perform command and control activities by hacker groups.

    On the other hand, if the goal is to protect confidentiality, I would block inbound network traffic from external sources. Intranets are an insulated portion of the organization’s network reserved for authorized personnel. Hence, there would be no need for external inbound traffic. This also prevents cases where data is exfiltrated.

    • Alex Ruiz says

      October 31, 2023 at 4:42 pm

      Chidi, it’s indeed a nuanced and complex choice that is dependent on an organization’s specific context and priorities. To move forward it would be interesting to discuss real-world examples where this decision-making process has been implemented successfully, shedding light on the outcomes and lessons learned. We could also explore specific scenarios or case studies where organizations have successfully implemented inbound or outbound network traffic filtering strategies and examine the results.

  10. Erskine Payton says

    October 29, 2023 at 8:07 pm

    If my organization went with this model, I would select to filter and block incoming network traffic. The reason being is that, one, we don’t know who or where it could be coming from, and two, organizations know what they have going out, so it is easier to control it to a degree. With respect to the CIA triad, I would focus on integrity of the information I let into my organization. Compromised data could potentially compromise your organization. Confidentiality and availability are not as prominent in this case as the incoming data is obviously available to us and confidentiality is not an issue as the sender trusted us to send the information our way and they are confident that we will not alter the data. This is why integrity is the most important in my opinion.

    • Kelly Conger says

      December 6, 2023 at 10:40 am

      I agree with your assessment. Filtering and blocking incoming network traffic is a sound security practice, especially considering the unknown origins and potential vulnerabilities. Focusing on the integrity of information works perfectly with the CIA triad (as Dr. Lanter has made abundantly clear), as compromised data can have severe consequences for any organization. Confidentiality and availability, while important, seem less critical in this scenario where the data source and transmission are assumed to be secure.

  11. Alyanna Inocentes says

    October 29, 2023 at 10:03 pm

    By taking the security approach of confidentiality, integrity, and availability, I believe that filtering and selectively blocking incoming network traffic would be the best choice to focus on. If we were to take this approach, we would be prioritizing defense against external threats, safeguarding the organizations’ sensitive data, maintaining the integrity of systems, and ensuring network availability. Incoming traffic filtering acts as a first line of defense as it effectively shields against malware, phishing attempts, and other malicious activities that originate from external sources.

    • Akiyah says

      October 31, 2023 at 5:34 pm

      I agree that if a company must prioritize blocking either inbound or outbound traffic when trying to safeguard the network, it should focus on inbound traffic. However, in today’s complex cybersecurity landscape, the situation is not so straightforward. Threat actors are increasingly gaining access to networks through phishing attacks. Once they breach the network, they often exfiltrate data outbound.

      Considering that phishing scams account for, I believe, at least 22% of cybercrimes, companies need a comprehensive solution that safeguards both inbound and outbound traffic.

  12. Unnati Singla says

    October 29, 2023 at 10:12 pm

    Focusing on incoming traffic is like putting a strong lock on the front door of a house. It’s harder for bad actors to break in from the outside than from inside a protected area. By filtering and stopping certain incoming information, organizations can shield themselves from cyberattacks and keep sensitive information safe. This approach is simpler for organizations compared to managing outgoing traffic. It’s like being more selective about who can come in rather than who can go out.

    This also ensures that data remains confidential, integrity is maintained, and accessible when needed. However, it’s important to know that while this helps a lot, it doesn’t make an organization completely invincible. There’s still a small chance that an attack could get through. If not done carefully, filtering might accidentally block important information. So, while focusing on incoming traffic is a strong defense, it’s not a guarantee against all cyber threats. It’s like having a strong lock on your door – it greatly reduces the chances of a break-in, but it’s not foolproof.

    • Alyanna Inocentes says

      October 29, 2023 at 10:28 pm

      I love your statement about the possible reduction of a break-in. It’s always good to keep in mind that, even though we are including a possible solution, it does not mean it is completely foolproof. The majority of the information security solutions that are implemented in an organization usually implement the solution to reduce the chances of a security incident occurring. I always believe that hackers always find a way to exploit a vulnerability when they can. If every update was the ultimate fix for every issue, we would no longer have to continue downloading updates and patches, but that is not the case.

      • Unnati Singla says

        October 31, 2023 at 10:38 pm

        Thank you Alyanna! I am glad this resonated with you.

    • Erskine Payton says

      October 31, 2023 at 8:09 pm

      I really like the strong lock analogy as it perfectly fits with the topic. It also brings understanding to your audience who may not understand why a change like this should be made. I too agree that the focus should be on incoming traffic. My rationale was that companies have an idea of what they have in house, so there is not a major concern there, but filtering incoming traffic is like having a toll road: if you don’t pay, you don’t get to cross. Great summary!

      • Unnati Singla says

        October 31, 2023 at 10:40 pm

        Thank you, Erskine! Toll road is also definitely a cool analogy.

  13. Ashley A. Jones says

    October 29, 2023 at 10:43 pm

    With respect to the 3 information system security objectives {CIA}, if I could only filter and selectively block one network traffic direction considering this scenario, I would not choose one but focus on both directions of traffic primarily through the firewall. I would also focus on access control to directories in the firewall barrier between the intranet and the public internet to ensure confidentiality and integrity of data. My reason for this stems largely from Vacca’s chapter 15, Intranet security. If I don’t focus on B) then an employee could fall victim to a phishing attack while browsing the web. However, web-filtering is not an airtight mechanism for defense, especially with technology evolving so rapidly. If I do not focus on A), with the unwilful (or willful) assistance of an employee, an attacker could get direct access to the intranet where important company data could be linked. According to Bill Mansoor in Vacca’s chap 15, “The problems with threat mitigation remain largely a matter of meeting gaps in procedural controls rather than technical measures. Trained and security-aware employees are the biggest deterrent to data thefts and security breaches.” I largely agree here, so while the inbound and outbound traffic will be my focus (assuming both directions of traffic can be considered), if I must choose between directions, I will stand behind the defense in depth strategy, my goal being to hinder any possible attacker as much as possible with multiple layers of defense with the Dolev-Yao model at the forefront of my efforts. The assumption is that the attacker made it into the system; now how will I ensure that data remains confidential and unchanged? This includes firewalls, IDSs, routers with access control lists (ACLs), antivirus software, access control, and spam filters. To ensure availability of data, redundancy is key, and backup systems / separate servers will be crucial in the event of an attack. I will consult the BCP.

  14. Akiyah says

    October 29, 2023 at 11:26 pm

    If you have to choose between blocking either incoming or outbound traffic, it’s advisable to focus on blocking incoming traffic. Incoming traffic often presents a more significant threat to confidentiality, integrity, and availability because it encompasses external threats attempting to breach your network and compromise your data. While internal employees pose certain risks, the most probable threats to confidentiality, such as data leakage to the public on a large scale, and those affecting system availability, like malware targeting data integrity and ransomware which can affect a system’s availability, are more likely to originate from external sources.

    However, it’s crucial to recognize that both incoming and outbound traffic serve crucial roles in ensuring security. A comprehensive security strategy should address both directions to provide all-encompassing protection for your network and systems.

    • Akintunde Akinmusire says

      October 31, 2023 at 7:21 pm

      Hi Akiyah,
      I agree with you. When making critical decisions, one should evaluate the pros and cons before making any decisions. Admins should consider if CIA (Confidentiality, Integrity, and Accessibility) would be affected, and decide on what to accept before deciding on filtering incoming traffic or outgoing traffic.

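The trade-off debated in the comments above, modeled as an added example that is not part of the original post or of any commenter's reply: a stateful filter that can inspect only one direction is run against four constructed connections to show which ones still complete. All addresses, ports, allowlists and names (`OneWayFilter`, `completes`, `compare`) are assumptions made for the illustration.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # constructed intranet range (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only on the packet that opens a connection

    def reply(self):
        """The answering packet, travelling in the opposite direction."""
        return Packet(self.dst, self.dport, self.src, self.sport)


def direction(pkt):
    return "out" if pkt.src.startswith(INTERNAL_PREFIX) else "in"


class OneWayFilter:
    """Stateful filter that inspects one direction and passes the other."""

    def __init__(self, filtered, allowed_new):
        self.filtered = filtered        # "in" or "out"
        self.allowed_new = allowed_new  # (dst, dport) pairs that may be opened
        self.flows = set()              # connections seen so far

    def permit(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if direction(pkt) != self.filtered:
            ok = True                   # unfiltered direction: always passes
        elif key in self.flows or rev in self.flows:
            ok = True                   # part of a connection already open
        else:
            ok = pkt.syn and (pkt.dst, pkt.dport) in self.allowed_new
        if ok and pkt.syn:
            self.flows.add(key)
        return ok


def completes(fw, opener):
    """A connection works only if the opener and its reply both pass."""
    return fw.permit(opener) and fw.permit(opener.reply())


# Constructed sample traffic (documentation address ranges, not real hosts).
SCENARIOS = {
    "internet client -> public web server":
        Packet("198.51.100.7", 40000, "10.0.0.80", 443, syn=True),
    "internet host -> internal database":
        Packet("203.0.113.9", 40001, "10.0.0.20", 5432, syn=True),
    "workstation -> approved update server":
        Packet("10.0.0.50", 50000, "198.51.100.10", 443, syn=True),
    "workstation -> unapproved external host":
        Packet("10.0.0.50", 50001, "203.0.113.66", 443, syn=True),
}
INBOUND_ALLOWED = {("10.0.0.80", 443)}       # only the public web server
OUTBOUND_ALLOWED = {("198.51.100.10", 443)}  # only the update server


def compare():
    """Map scenario -> (completes with inbound-only, with outbound-only)."""
    results = {}
    for name, opener in SCENARIOS.items():
        inbound_only = OneWayFilter("in", INBOUND_ALLOWED)
        outbound_only = OneWayFilter("out", OUTBOUND_ALLOWED)
        results[name] = (completes(inbound_only, opener),
                         completes(outbound_only, opener))
    return results


if __name__ == "__main__":
    for name, (inb, outb) in compare().items():
        print(f"{name:42} inbound-only={inb!s:5} outbound-only={outb}")
```

In this model the inbound-only filter stops the unsolicited connection to the database but lets the workstation reach the unapproved host, because the reply belongs to a connection opened from inside; the outbound-only filter does the reverse.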
