cyber security scenario based discussion
Chapter 1 provided a high-level overview of the need for a national framework for protecting critical infrastructure. For some additional reading, take a look at the latest Presidential Order that relates to strengthening cybersecurity that relates to critical infrastructure:
https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/
After reading chapter 1 and looking at the link above, write a discussion post.
Consider the following real-world scenario and how the Department of Homeland Security (DHS) plays into it. In the scenario, the United States is hit by a large-scale, coordinated cyber attack organized by China. These attacks debilitate the functioning of government agencies, parts of the critical infrastructure, and commercial ventures. The IT infrastructure of several agencies is paralyzed, the electric grid in most of the country is shut down, telephone traffic is seriously limited, and satellite communications are down (limiting the Department of Defense's [DOD's] ability to communicate with commands overseas). International commerce and financial institutions are also severely hit. Please explain how DHS should handle this situation.
Copyright © 2012, Elsevier Inc. All Rights Reserved
Chapter 1 – Introduction
Cyber Attacks
Protecting National Infrastructure, 1st ed.
• National infrastructure
– Refers to the complex, underlying delivery and support
systems for all large-scale services considered absolutely
essential to a nation
• Conventional approach to cyber security not enough
• New approach needed
– Combining best elements of existing security techniques
with challenges that face complex, large-scale national
services
Introduction
Fig. 1.1 – National infrastructure
cyber and physical attacks
Fig. 1.2 – Differences between
small- and large-scale cyber security
• Three types of malicious adversaries
– External adversary
– Internal adversary
– Supplier adversary
National Cyber Threats,
Vulnerabilities, and Attacks
Fig. 1.3 – Adversaries and
exploitation points in national
infrastructure
• Three exploitation points
– Remote access
– System administration and normal usage
– Supply chain
National Cyber Threats,
Vulnerabilities, and Attacks
• Infrastructure threatened by most common security
concerns:
– Confidentiality
– Integrity
– Availability
– Theft
National Cyber Threats,
Vulnerabilities, and Attacks
Botnet Threat
• What is a botnet attack?
– A remote collection of compromised end-user machines (usually broadband-connected PCs) is used to attack a target.
– Sources of attack are scattered and difficult to identify
– Five entities comprise a botnet attack: botnet operator, botnet controller, collection of bots, botnet software drop, botnet target
• Five entities comprise a botnet attack:
– Botnet operator
– Botnet controller
– Collection of bots
– Botnet software drop
– Botnet target
• Distributed denial of service (DDOS) attack: bots create a “cyber traffic jam”
Botnet Threat
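The “scattered sources” property above is what makes a botnet flood hard to stop by blocking individual hosts. The following added example (not from the book or the slides) summarises constructed flow records per target and separates a dispersed botnet flood from a single noisy host; the thresholds are illustrative assumptions.

```python
"""Distinguishing a botnet DDOS from a single-source flood in flow records.

Added example, not from the book or slides. A botnet flood is many scattered
sources aimed at one target, none of them dominant, so per-source blocking
does not help. All flows below are constructed sample data.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# (src_ip, dst_ip, requests) seen in one observation window; constructed data.
SAMPLE_FLOWS: List[Tuple[str, str, int]] = (
    # normal traffic: a few sources, modest request counts
    [("10.1.0.5", "192.0.2.10", 40), ("10.1.0.6", "192.0.2.10", 35),
     ("10.1.0.7", "192.0.2.10", 50)]
    # a single noisy host, not a botnet: one source, large volume
    + [("10.9.9.9", "192.0.2.20", 9000)]
    # botnet flood: 200 scattered bots, each sending a small number of requests
    + [(f"203.0.113.{i}", "192.0.2.30", 30) for i in range(200)]
)

def summarize_targets(flows) -> Dict[str, Dict[str, float]]:
    """Per destination: total requests, distinct sources, share of top source."""
    per_dst: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for src, dst, n in flows:
        per_dst[dst][src] += n
    summary = {}
    for dst, sources in per_dst.items():
        total = sum(sources.values())
        summary[dst] = {
            "requests": total,
            "sources": len(sources),
            "top_source_share": max(sources.values()) / total,
        }
    return summary

def classify(stats, rate_threshold=1000, source_threshold=50, top_share_max=0.2):
    """Return 'botnet_ddos', 'single_source_flood' or 'normal' (assumed thresholds).
    A botnet flood exceeds the request threshold while being spread across
    many sources with no dominant one, so blocking any single source does little."""
    if stats["requests"] < rate_threshold:
        return "normal"
    if stats["sources"] >= source_threshold and stats["top_source_share"] <= top_share_max:
        return "botnet_ddos"
    return "single_source_flood"

def classify_targets(flows) -> Dict[str, str]:
    """Label every destination seen in the flow records."""
    return {dst: classify(s) for dst, s in summarize_targets(flows).items()}
```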
Fig. 1.4 – Sample DDOS attack from a
botnet
National Cyber Security
Methodology Components
• Ten basic design and operation principles:
– Deception
– Discretion
– Separation
– Collection
– Diversity
– Correlation
– Commonality
– Awareness
– Depth
– Response
• Deliberately introducing misleading functionality or misinformation for the purpose of tricking an adversary
– Computer scientists call this functionality a honey pot
• Deception enables forensic analysis of intruder
activity
• The acknowledged use of deception may be a
deterrent to intruders (every vulnerability may
actually be a trap)
Deception
Fig. 1.5 – Components of an interface
with deception
• Separation involves enforced access policy
restrictions on users and resources in a computing
environment
• Most companies use enterprise firewalls, which are
complemented by the following:
– Authentication and identity management
– Logical access controls
– LAN controls
– Firewalls
Separation
Fig. 1.6 – Firewall enhancements for
national infrastructure
• Diversity is the principle of using technology and
systems that are intentionally different in substantive
ways.
• Diversity is hard to implement
– A single software vendor tends to dominate the PC
operating system business landscape
– Diversity conflicts with organizational goals of simplifying
supplier and vendor relationships
Diversity
Fig. 1.7 – Introducing diversity to
national infrastructure
• Consistency involves uniform attention to security
best practices across national infrastructure
components
• Greatest challenge involves auditing
• A national standard is needed
Commonality
• Depth involves using multiple security layers to
protect national infrastructure assets
• Defense layers are maximized by using a combination
of functional and procedural controls
Depth
Fig. 1.8 – National infrastructure
security through defense in depth
• Discretion involves individuals and groups making
good decisions to obscure sensitive information
about national infrastructure
• This is not the same as “security through obscurity”
Discretion
• Collection involves automated gathering of system-related information about national infrastructure to enable security analysis
• Data is processed by a security information
management system.
• Operational challenges
– What type of information should be collected?
– How much information should be collected?
Collection
Fig. 1.9 – Collecting national
infrastructure-related security
information
• Correlation involves a specific type of analysis that
can be performed on factors related to national
infrastructure protection
– This type of comparison-oriented analysis is indispensable
• Past initiatives included real-time correlation of data
at fusion center
– Difficult to implement
Correlation
Fig. 1.10 – National infrastructure high-level correlation approach
• Awareness involves an organization understanding
the differences between observed and normal status
in national infrastructure
• Most agree on the need for awareness, but how can
awareness be achieved?
Awareness
Fig. 1.11 – Real-time situation
awareness process flow
• Response involves the assurance that processes are
in place to react to any security-related indicator
– Indicators should flow from the awareness layer
• Current practice in smaller corporate environments
of reducing “false positives” by waiting to confirm
disaster is not acceptable for national infrastructure
Response
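The awareness principle (observed versus normal status) and the response principle (act on each indicator rather than waiting to confirm disaster) fit together as one pipeline. The following added example (not from the book or the slides) learns a baseline from a constructed telemetry series, emits indicators where observed status departs from it, and measures how many minutes a "wait for N confirmations" policy costs compared with immediate response; the z-score limit and the series are assumptions.

```python
"""Awareness and response over a constructed telemetry series.

Added example, not from the book or slides. Awareness compares observed values
with a learned baseline of normal status; response is a policy that acts on the
indicators the awareness layer emits. All numbers are constructed sample data.
"""
from statistics import mean, pstdev
from typing import List, Optional, Tuple

# Failed logins per minute at an infrastructure gateway (constructed).
# Minutes 0-29 are normal status; the attack begins at minute 30.
BASELINE: List[int] = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 3, 4, 2, 3,
                       4, 3, 5, 2, 3, 4, 3, 2, 4, 3, 5, 3, 4, 2, 3]
OBSERVED: List[int] = BASELINE + [40, 55, 61, 70, 66, 80]

def learn_normal(window: List[int]) -> Tuple[float, float]:
    """Awareness: summarise normal status as mean and standard deviation."""
    return mean(window), pstdev(window)

def indicators(series: List[int], learned_on: int, zscore_limit: float = 4.0):
    """Awareness: list (minute, value, z) for each minute that departs from normal."""
    mu, sigma = learn_normal(series[:learned_on])
    sigma = sigma or 1.0  # guard against a perfectly flat baseline
    out = []
    for minute, value in enumerate(series[learned_on:], start=learned_on):
        z = (value - mu) / sigma
        if abs(z) > zscore_limit:
            out.append((minute, value, round(z, 1)))
    return out

def respond(indicator_list, confirmations_required: int = 1) -> Optional[int]:
    """Response: minute at which action is taken, or None if never.
    confirmations_required=1 acts on the first indicator; larger values model
    waiting for consecutive indicators to "confirm" before acting."""
    streak, prev = 0, None
    for minute, _, _ in indicator_list:
        streak = streak + 1 if prev is not None and minute == prev + 1 else 1
        prev = minute
        if streak >= confirmations_required:
            return minute
    return None

def response_delay(series, learned_on, attack_start, confirmations_required):
    """Minutes of attack time that elapse before the policy acts (None if never)."""
    acted = respond(indicators(series, learned_on), confirmations_required)
    return None if acted is None else acted - attack_start
```

On the constructed series, immediate response acts in the first attack minute while requiring three confirmations concedes two more minutes of attack time; on national infrastructure those minutes are the cost the slide warns about.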
Fig. 1.12 – National infrastructure
security response approach
• Commissions and groups
• Information sharing
• International cooperation
• Technical and operational costs
Implementing the Principles
Nationally