Insider/Burglary

Description

As mentioned, an air gap attack might seem far-fetched, since few network architectures are actually air gapped and the situations in which they really are are quite rare. However, understanding the discussion around the air gap often helps when discussing other situations in which malicious software arrives inside a network zone by means of physical transport: re-using USB media, repeatedly connecting laptops or cell phones to different network zones, and also traditional burglary.

Model

The model from the air gap scenario is the most relevant one, since it represents the short-circuiting of network-based protection mechanisms, regardless of whether external communication routes exist or not. If we only look at the situation in which an infected computer is connected to an internal/protected network zone, without taking the probability of this happening into account, we get the following simplified model:

Modeling an Insider/Infected Host

Attack Vector Attenuation

To also take into account an estimated probability of this type of attack happening, you need to use the same model as in the air gap example.
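The following is an added example, not part of the original page or any project's code, illustrating both the simplified model above (the infected host is already on the internal zone) and the air-gap style estimate (the same path weighted by the probability that the host gets connected at all). It assumes attenuation is modeled multiplicatively, with each protection mechanism letting an attack through with an independent, estimated probability; all mechanism names and figures are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Mechanism:
    """A network-based protection mechanism sitting between two zones."""
    name: str
    pass_prob: float  # estimated probability that an attack gets through it


@dataclass
class AttackPath:
    """An attack entering at some zone and traversing mechanisms towards the target."""
    name: str
    mechanisms: List[Mechanism] = field(default_factory=list)
    p_start: float = 1.0  # estimated probability that the attack starts here at all


def attenuation(path: AttackPath) -> float:
    """Fraction of attacks surviving every mechanism on the path (assumed independent)."""
    p = 1.0
    for m in path.mechanisms:
        p *= m.pass_prob
    return p


def success_probability(path: AttackPath) -> float:
    """Attenuation weighted by the probability that the path is used in the first place."""
    return path.p_start * attenuation(path)


# Constructed, hypothetical figures for a perimeter -> DMZ -> internal zone layout.
PERIMETER = [
    Mechanism("perimeter firewall", 0.20),
    Mechanism("DMZ proxy with content inspection", 0.30),
    Mechanism("internal firewall", 0.50),
]

# Attack from the Internet must pass all three mechanisms.
EXTERNAL = AttackPath("from the Internet", PERIMETER)
# Simplified model: the infected host is already on the internal zone, nothing attenuates it.
INSIDER_GIVEN = AttackPath("infected host already connected")
# Air-gap style estimate: same empty path, weighted by an assumed 10% chance that it happens.
INSIDER_EST = AttackPath("infected host gets connected", p_start=0.10)


def compare() -> Dict[str, float]:
    """Success probability per path; the insider path skips every perimeter mechanism."""
    return {p.name: round(success_probability(p), 4)
            for p in (EXTERNAL, INSIDER_GIVEN, INSIDER_EST)}
```

Even with a modest 10% estimate of the host being connected, the insider path ends up more than three times as likely to succeed as the fully attenuated external path, which is the effect the model is meant to expose.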

Conclusions

Modeling a foreign/infected host as above will, as mentioned, show the impact such a situation has on our architecture, given that the first step (getting the infected host connected to the internal network zone) has already happened or succeeded. If we also want to consider an estimated probability that this will happen, we need to use the same set-up as in the air gap example. Since this attack bypasses all protection mechanisms between the external networks and the internal network it starts from, it has a large impact on the security of our modeled architecture.