Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
4. Learn from past mistakes. Poor development practices typically result <strong>in</strong> security<br />
vulnerabilities. By exam<strong>in</strong><strong>in</strong>g these past development practices and identify<strong>in</strong>g those that<br />
improve or h<strong>in</strong>der system security, valuable lessons can be obta<strong>in</strong>ed and future<br />
implementations improved.<br />
5. Document the operational environment. This is typically done <strong>in</strong> a document called the<br />
Concept of Operations (CONOPS). It describes the environment <strong>in</strong> which the system<br />
will operate, the roles and responsibilities of the major players, how the system is<br />
designed to normally operate, and potential cont<strong>in</strong>gency modes of operation. The<br />
security environment can be <strong>in</strong>cluded <strong>in</strong> the CONOPS as a separate section or <strong>in</strong>cluded <strong>in</strong><br />
its own document (a Security CONOPS.) Elements of this security CONOPS should<br />
<strong>in</strong>clude a reiteration of the security requirements, the process used to select all<br />
countermeasures, how defense-<strong>in</strong>-depth is implemented, how the security mechanisms<br />
will operate, <strong>in</strong>clud<strong>in</strong>g user impacts, the effectiveness of the implemented<br />
countermeasures, how misuse is prevented or detected, the response mechanisms to a<br />
misuse <strong>in</strong>cident, and the recovery process, if needed.<br />
6. Perform a risk analysis. The risk analysis exam<strong>in</strong>es the operational environment to<br />
determ<strong>in</strong>e high-value assets, the threats to these assets, their vulnerabilities,<br />
countermeasures needed to reduce the risk for each threat/vulnerability pair<strong>in</strong>g, and<br />
validation of the cost effectiveness of each countermeasure. For airborne environments,<br />
this approach differs from the traditional security eng<strong>in</strong>eer<strong>in</strong>g process by <strong>in</strong>clud<strong>in</strong>g safety<br />
as a key factor. It also differs from traditional safety analysis by consider<strong>in</strong>g the possible<br />
effects of malicious actions. In more detail, the first step is to determ<strong>in</strong>e the high-value<br />
assets to assist <strong>in</strong> focus<strong>in</strong>g where the limited security dollars should be spent. In plac<strong>in</strong>g<br />
a value on each asset, the cost effectiveness of the selected countermeasures can later be<br />
determ<strong>in</strong>ed. Once the assets are determ<strong>in</strong>ed, each threat, which is asset- and<br />
environment-dependent, must be ascerta<strong>in</strong>ed. In conjunction with this, the vulnerabilities<br />
of these assets must also be determ<strong>in</strong>ed. Once the threats and vulnerabilities are<br />
determ<strong>in</strong>ed, each threat is matched with the appropriate vulnerability. Any vulnerability<br />
without a threat or vice versa can be ignored. Otherwise, countermeasures are selected to<br />
reduce the threat and the cost of the countermeasures determ<strong>in</strong>ed. A tradeoff is then<br />
performed between threat and vulnerability matches, countermeasure costs, and protected<br />
asset value.<br />
7. Design the security architecture us<strong>in</strong>g the above <strong>in</strong>formation. The above risk analysis<br />
will identify the areas requir<strong>in</strong>g protection and the cost-effective countermeasures<br />
requir<strong>in</strong>g implementation. The security design should be consistent with accepted best<br />
practices. One such best practice is the concept of defense-<strong>in</strong>-depth (discussed <strong>in</strong> section<br />
3.5). This concept uses the medieval castle as its model. Multiple layers of defense are<br />
implemented so that when one layer is successfully penetrated, other layers of protection<br />
still exist. While it is widely accepted that no security mechanism is foolproof, an<br />
architecture implement<strong>in</strong>g the defense-<strong>in</strong>-depth concept should sufficiently delay the<br />
attacker to allow for the detection of the attack and to implement an appropriate response.<br />
This assumes that full control life cycles have been implemented to enable attack<br />
detection and response. Other best practices <strong>in</strong>clude least privilege, object reuse,<br />
101