Cyber Security Unit 1 and 2
INTRODUCTION
What is Cyber Security?
• Cyber security generally refers to the ability to control access to networked systems and the
information they contain.
• Where cyber security controls are effective, cyberspace is considered a reliable, resilient, and
trustworthy digital infrastructure.
• Where cyber security controls are absent, incomplete, or poorly designed, cyberspace is considered
the wild west of the digital age.
• Whether a system is a physical facility or a collection of cyberspace components, the role of a security
professional assigned to that system is to plan for potential attacks and prepare for their consequences.
• The goals of cyber security: prevent, detect, respond.
• The means to achieve cyber security: people, process, technology.
• The mechanisms by which cyber security goals are achieved: confidentiality, integrity, and
availability.
• Prevent, detect, respond addresses goals common to both physical and cyber security.
• People, process, technology addresses methods common to both technology management in general
and to cyber security management as a specialized field.
• Confidentiality, integrity, and availability addresses the security objectives that are specific to
information.
a. Confidentiality means that data, objects, and resources are protected from unauthorized viewing and other
access.
b. Integrity means that data is protected from unauthorized changes, ensuring that it is reliable and correct.
c. Availability means that authorized users have access to the systems and the resources they need.
What Is Cyber Security Policy?
• The tension between demand for cyber functionality and requirements for security is addressed
through cyber security policy.
• The word "policy" has been used to refer to laws and regulations concerning information
distribution, private enterprise objectives for information protection, computer operations methods
for controlling technology, and configuration variables in electronic devices (Gallaher, Link et al.
2008).
Cyber Security Policy
Cyber Security Policy perspectives
• In Figure 1.2, the links to and from the "governance bodies" node illustrate that cyber security
policy is adopted by governing bodies as a method of achieving security goals. The figure is
purposely generic as governing bodies often exist outside of the organizations that they govern.
Domains of Cyber Security Policy
Where security is a priority for an organization, it is common to see cyber security policies
issued by multiple internal departments with overlapping constituencies, who then sometimes
detect policy incompatibility issues when trying to follow them all simultaneously.
1. Laws and Regulations
Nation-state cyber security policy is currently considered to be a subset of national security
policy. Even if nation-state cyber security policy were considered to be on the same plane as
foreign policy or economic policy, these policies do not have the same force as law.
• Policies are established and articulated through reports and speeches, through talking points
and negotiations.
• Policy is used to guide judgement on what laws and regulations to consider.
• It does not refer to the laws and regulations themselves.
2. Enterprise Policy
Private sector organizations are generally not as constrained as governments in turning senior
management policies into actionable rules. In a corporate environment, it is typical that
policies are expected to be followed upon threat of sanction, up to and including employment
termination.
3. Technology Operations
In an effort to assist clients in complying with legal and regulatory information security
requirements, the legal, accounting, and consulting professions have adopted standards for due
diligence with respect to information security, and recommended that clients model processes
around them. These were sometimes proprietary to the consulting firm, but were often based
on published standards such as the National Institute of Standards and Technology (NIST)
Recommended Security Controls for Federal Information Systems and their private sector
counterparts.
4. Technology Configuration
Because many technology operations standards are implemented using specialized security
software and devices, technology operators often colloquially refer to the standard-specified
technical configuration of these devices as "security policy". These specifications have over the
years been implemented by vendors and service providers, who devised technical
configurations of computing devices that would allow system administrators to claim
compliance with various standards.
Strategy versus Policy
Cyber security policy articulates the strategy for cyber security goal achievement and provides its
constituents with direction for the appropriate use of cyber security measures.
Without a clear conceptual view of cyber security influences, it would be difficult to devise a cyber security
strategy and corresponding policy.
1960
• Concepts of cryptography were introduced.
• Data units were encrypted using private keys and decrypted back to the original message at the destination.
• In recognition of growing confidentiality requirements, but without any good way to meet them, the US National Bureau of
Standards (now the National Institute of Standards and Technology [NIST]) launched an effort to achieve consensus on a
national encryption standard.
• In 1974, the U.S. Computer Security Act (Privacy Act) was the first stake in the ground designed to establish control over
information propagation.
• Later, word processing software was implemented for work automation.
• Timesharing systems were introduced, where clients were charged for system use.
• Companies began to specialize by industry, developing complicated software such as payroll tax calculation and commercial lease
calculation.
• Users were identified through a user name and password.
• From 1970 to 1980, minicomputers became attractive for personal use.
• In the late 1970s, Apple introduced home computers.
• In 1981, IBM introduced the Personal Computer (PC).
• The local area network (LAN) cables were protected much like the computer terminals' connection to
the mainframe.
• A new type of network equipment called a hub allowed the communication, and hubs had to be kept in a
secure area.
• Mandatory access controls (MAC) allowed management to label computer objects (programs and files)
and specify the subjects (users) who could access them.
• Discretionary access control (DAC) schemes allowed each user to specify who could access their files.
• Timesharing-type password technology was employed on LANs. LAN user names were primarily
supported to facilitate directory services rather than to prevent a determined attack.
• Cyberspace presented a new avenue of inquiry for law enforcement investigating traditional crimes.
• Criminals were caught boasting of their crimes on the social networking sites of the day, which were electronic bulletin board
services reached by modems over phone lines.
• Law enforcement partnered with technology vendors to produce software that would recover files that criminals had attempted
to delete from computers.
• Directory services were available that allowed businesses to connect, and be connected to, the research- and military-restricted
Advanced Research Projects Agency (ARPA) network, or ARPANET, whose use case and name were relaxed
as it evolved into the public Internet.
• Technology-savvy companies quickly registered their domain names so that they could own their own corner of
cyberspace.
• Researchers were concerned with the potential for system abuse due to the exponential expansion of the number of
connected computers.
Robert Morris at AT&T Bell Laboratories, early computer pioneer:
• In 1988, Robert Tappan Morris devised the first Internet worm.
• The "Morris Worm" accessed computers used as email servers, exploited vulnerabilities to identify all the computers that were
known to each email server, and then contacted all of those computers and attempted the same exploits.
• Internet communication virtually stopped within a few hours; computing resources were so overwhelmed by the worm's activities
that they had no processing cycles or network bandwidth left for transaction processing, leaving business processes disrupted.
• ARPANET was saved because a FIREWALL (a method of inspecting each individual information packet within a
stream of network traffic) had been installed.
• The firewall was designed to allow network access to only those packets whose source and destination matched those on a
previously authorized list.
• The match was made on the network addresses and port numbers used for the communication.
• The Bell Labs firewall was hastily employed to safeguard AT&T's email servers, and the impact to AT&T from the Morris
worm was minimal.
• The primary cyber security implementation strategy of choice since then has been to deploy firewalls.
• The Computer Emergency Response Team (CERT) was established to provide technical assistance to those who suffered from cyber security
problems.
• The same type of vulnerabilities the Morris worm exploited in Internet-facing email servers existed in systems that presented a modem interface
to the public.
• Most hackers were interested in stealing some system time to play games, without the knowledge of the vulnerable system's users.
• Hackers who steal time to play are called joyriders.
• By 1992, few hackers had profit motives.
• In 1986, Cliff Stoll noticed a billing error in the range of 75 cents of computer time that was not associated with any of his users.
• Stoll ended up tracking the missing cents of computing time to an Eastern European espionage ring.
• He published a detective-style account called The Cuckoo's Egg. (The intruders reached the system via modems.)
• There was no firewall-like technology for phones.
• The available controls were caller ID and dial-back.
• Caller ID checks the authorization of the caller against a database.
• Dial-back calls the caller back after checking the validity of the calling number.
• With dial-back modems considered safe, it became easy to connect in from home networks and other regions.
Cyberspace in the early 1990s.
• The devices represent the logical location of the firewalls and telecommunication line connections to other firms.
• The telecommunication lines (private lines) are portrayed as logically segmented spaces where lines to business partners terminate on the
internal network.
• All these network periphery controls did not prevent hackers and joyriders from disrupting computer operations with
viruses.
• Viruses were distributed on floppy disks and also planted on websites advertised to corporate and government Internet
users.
Actions on Viruses:
• A digital signature was created for each virus by identifying each file it altered and the types of logs it left behind.
• Anti-virus software was created, and the digital signatures of each virus were recorded.
• Software security flaws and bugs were detected by cyber forensics.
• As the signature that identified one virus was not tied to the software flaw but to the files deposited by the virus itself, a virus
writer could slightly modify his or her code to take advantage of the same software vulnerability and evade detection by
antivirus software.
• Anti-virus software therefore had to be updated continually.
• The software bugs were repaired locally with fixes known as PATCHES.
• The term's origin in the context of computers referred to a cable plugged into a wall of vacuum tubes that altered the course of electronic
processing in an analog computer by physically changing the path of code execution.
• Patches are small files that must frequently be installed on complex software in order to prevent an adversary from exploiting
vulnerable code and thereby causing damage to systems or information.
• Vulnerabilities in software became the source of what was then called "the port 80 problem".
• Port 80 is the port on a firewall that has to be open in order for external users to access web services.
• Listening on port 80 on a server facing the Internet, a web server program was designed to accept user commands instructing it to
display content, but it would also allow commands instructing it to accept and execute programs provided by a user.
• The immediate result of the port 80 problem analysis was that firewalls were installed not just at the network periphery but in a
virtual circle around any machine that faced the Internet.
• A Demilitarized Zone (DMZ) network architecture became the new security standard (Bell Labs).
• A DMZ was an area of the network that allowed Internet access to a well-defined set of specific services.
• In a DMZ, all computer operating software accessible from the Internet was "hardened" to ensure that no services other than those
explicitly allowed could be accessed, or the machines were considered "sacrificial" systems that were purposely not well secured, but
closely monitored to see if attackers were targeting the enterprise (Ramachandran 2002).
• A cyber DMZ is surrounded by checkpoints on all sides.
• The design of a DMZ requires that Internet traffic be filtered so packets can only access the servers that have been purposely
deployed for public use, and are fortified against expected attacks.
• It became standard procedure that the path to the internal network was opened only with the express approval of a security
architect, who was responsible for testing the security controls on all DMZ and internally accessible software.
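As an added illustration of the allowlist filtering described for the Bell Labs firewall and for the DMZ design above (example code written for these notes, not from the source), the following Python packet filter applies a default-deny rule set keyed on source address, destination address and destination port; the addresses and the DMZ layout in the rules are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example for these notes, not code from the source. Addresses are constructed
# (documentation ranges) and the rule set is a hypothetical DMZ layout.

@dataclass(frozen=True)
class Rule:
    src: str    # source network (CIDR)
    dst: str    # destination network (CIDR)
    port: int   # destination port
    name: str   # label reported when the rule matches

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int

# Hypothetical DMZ: the Internet may reach only the public web server on port 80,
# only the DMZ proxy may reach the internal mail server on port 25, and only the
# internal LAN may reach the proxy on port 8080. Everything else is dropped.
DMZ_RULES = (
    Rule("0.0.0.0/0",       "203.0.113.10/32", 80,   "internet -> dmz web server"),
    Rule("203.0.113.20/32", "10.0.0.5/32",     25,   "dmz proxy -> internal mail server"),
    Rule("10.0.0.0/8",      "203.0.113.20/32", 8080, "internal lan -> dmz proxy"),
)

def match_rule(pkt: Packet, rules=DMZ_RULES):
    """Return the name of the first rule the packet matches, or None (default deny)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in rules:
        if src in ip_network(rule.src) and dst in ip_network(rule.dst) and pkt.port == rule.port:
            return rule.name
    return None

def filter_stream(packets, rules=DMZ_RULES):
    """Split a packet stream into (allowed, dropped) lists, as a periphery firewall would."""
    allowed, dropped = [], []
    for pkt in packets:
        (allowed if match_rule(pkt, rules) else dropped).append(pkt)
    return allowed, dropped

if __name__ == "__main__":
    sample = [
        Packet("198.51.100.7", "203.0.113.10", 80),   # public web request: allowed
        Packet("198.51.100.7", "203.0.113.10", 22),   # ssh to the web server: dropped
        Packet("198.51.100.7", "10.0.0.5", 25),       # Internet straight to internal mail: dropped
        Packet("203.0.113.20", "10.0.0.5", 25),       # proxy relaying mail inward: allowed
    ]
    ok, bad = filter_stream(sample)
    print(f"allowed={len(ok)} dropped={len(bad)}")
```

Note that the Internet-to-internal-mail packet is dropped even though port 25 is permitted elsewhere: only the DMZ proxy's source address matches that rule, which is the checkpoint-on-all-sides property the text describes.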
• The huge growth of e-commerce was envied by competing sites. Some sites attempted to stop the flow of e-commerce to
competitors by intentionally consuming all the available bandwidth allowed through the competitor's firewall to the
competitor's websites.
• Because these attacks prevented other Internet users from using the web services of the stricken competitor, they were
designated "denial of service" attacks.
• The distributed form of the attack is called a "distributed denial of service" or "DDoS" attack.
Security researchers
• Passwords
• Handheld devices
• Bio-metric identification
• Credit card-sized handheld devices capable of generating tokens
• The term "blacklist" came to be known in computer security literature as the list of websites that were known to
propagate malicious software ("malware").
• The first use of the technology was a list of the uniform resource locators (URLs) corresponding to Internet sites, called a
"blacklist".
• A web proxy server blocks a user from accessing sites on the blacklist.
• The proxy is enforced because browser traffic is not allowed outbound through the network periphery by the firewalls
unless it comes from the proxy server, so users have to traverse the proxy service in order to browse.
• With the immense growth in the release of various forms of malicious attack, it became hectic to keep updating the existing
mechanisms (enterprise security management).
• Firewalls were placed on the internal side of the telecommunications lines that privately connected firms to their
third party service providers.
• Only expected services were allowed through, and only to the internal users or servers that required the connectivity to
operate.
Cyberspace in the mid-1990s.
[Figure: network diagram showing, inside the physical perimeter, the mainframe, mini-computer, personal computers, LANs, critical server network, ACLs and token-based admin; remote users and remote dial-in through a multiplexor, modem and access authentication server; online services and outsourcing arrangements; firewalls, proxy server, router and communications servers at the periphery; the Demilitarized Zone with external server farm, email server and web servers; and the Internet and external networks as external threats.]
• The Vs with lines through them indicate that antivirus software was installed on the types of machines identified
underneath them.
• The Ps stand for patches that were, and still are, frequently required on the associated computers.
• The shade of gray used to identify security technology is the same throughout the diagram. The dashed line encircles
the equipment that is typically found in a DMZ.
E-commerce
• E-commerce established a connection between the market and the customer through their devices.
• The first such sites were fraught with risk of fraud and threats to confidentiality because of the number of
telecommunications devices that suddenly gained unfettered access to customer information, including credit card numbers.
• In 1995, a new encrypted communications protocol called Secure Socket Layer (SSL) was introduced.
• In 1999, the protocol was enhanced by committee and codified under the name Transport Layer Security (TLS).
• The TLS protocol requires web servers to have long identification strings, called certificates.
• Software allowed companies to create a root certificate for their company, and the root certificate was used to generate server
certificates for each company web server.
• For critical applications that facilitated high asset value transactions, certificates could also be generated for each customer,
which the SSL protocol referred to as a client.
• The SSL protocol thus made use of certificates to identify client to server and server to client.
• Once mutually identified, both sides would use data from the certificates to generate a single new key they both would use for
encrypted communication.
• This allows each web session to look different from the point of view of an observer on the network, even if the same information,
such as the same credentials, is transmitted.
• Identity management systems were developed to ease administration and integrate customer login information and online
activity with existing customer relationship management processes.
• Security strategies were devised to control and monitor code development, testing, and production environments.
• Source code control and change detection systems became standard cybersecurity equipment.
• Remote access still required two-factor authentication, and this was judged an adequate way to maintain access control,
particularly when combined with other safeguards, such as a control that prevents a user from being able to have two
simultaneous sessions.
• To maintain confidentiality of customer information, the entire remote access session would have to be encrypted, using virtual private
network (VPN) technology.
• Innovative security companies sought to relieve workstations from their virus-checking duties by providing network-level
intrusion detection systems (IDSs).
• The idea behind IDS was the same as that behind signature-based antivirus technology.
• Technical configurations such as firewall rule sets, security patch specifications, wireless encryption settings, and password
complexity rules were colloquially referred to as "security policy."
• Security policy servers were established to keep track of which configuration variables were supposed to be on which device.
• If a device failed or was misconfigured, it would take too much work to recreate the policies by hand.
• Security policy servers economically and effectively allowed the technology configurations to be centrally monitored and
managed.
• In spite of many security policies and strategies, cybercrimes were still reported.
• Security information management (SIM) servers were designed to store and query massive numbers of activity logs.
• A SIM server validates the activity logs and checks compliance with policy.
Cyberspace in the early 2000s.
• E-commerce security motivated raising security to the next level.
• The patch management processes had been enhanced to add tripwires to detect and report software changes.
• A tripwire, as in physical security, is a triggering mechanism that detects a change in the environment.
• These internal software change detection mechanisms were also called host intrusion detection systems (HIDSs).
• The main aim of HIDS is to recognize and segregate against insider and external threats.
• The network area was divided into networked zones.
• Each zone holds its critical processes in isolation.
Countermeasures
• Technology could not reduce the success rate of cyber attacks.
• New attacks came into force, such as:
Malware: malicious software and sites.
Phishing and pharming: redirecting users to malicious addresses such as look-alike sites.
Spyware: sends user names and passwords to criminal data collection websites.
And many more.
➢ The concern of cyber security experts was to focus on prevention of all such cybercrimes.
➢ Countermeasures were dictated for the prevention of cyber attacks.
• Data theft occurred through laptops and stolen devices.
• Remote users backed up their data on USB devices.
• Some steps were taken to destroy all data on the devices through software and programming technologies in case of device theft.
• Vendors hastily provided methods to encrypt laptop disks and USB devices.
• Companies adopted standards and procedures for the authorized use of digital media, and restricted access to the devices.
• As many devices were being encrypted, it became difficult for administrators to keep up with procedures to safeguard encryption
keys.
• Simple key management systems such as password-protected key databases were used in the 1990s, but later ran into trouble with the huge
number of keys generated.
• Security vendors stepped in with automated key storage and retrieval systems.
• Keys are stored on special hardware chips physically protected in isolated locations and accessible only by the equipment used to
control access to the devices.
• This created trouble in decryption when it was required at different locations.
• No such security had been designed for email servers since the Morris worm attack.
• No proper agreements were in use for encryption on both ends.
• Attempts were made to identify authorized email servers via certificate-like keys.
• Email security vendors created software to assist in the analysis of email content, and many companies who suspected that
confidential data such as PII was being sent via email for work-at-home purposes thereby found that many of their business
processes routinely emailed such data to customers or service providers.
• Internal users ignored security policy.
• Content filtering was adopted.
• Patterns were created for identifying sensitive information:
generalized social security numbers and tax identification numbers from other countries;
snippets of internally developed company software.
• All information sent by users to the Internet, or other publicly accessible networks, is routed through a device that either
blocks the information from leaving or silently alerts security staff, who investigate the internal user.
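The outbound content filter just described, as an added example written for these notes (not code from the source): it runs two of the pattern kinds the text names, a US social security number pattern and a marker for snippets of internally developed software, over constructed sample messages and returns block, alert or allow. The module name acme_internal and the block/alert policy are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Added example for these notes, not code from the source. The patterns, the policy and
# the sample messages are constructed; "acme_internal" is a hypothetical package name.

# US social security number AAA-GG-SSSS, excluding values that are never issued
# (000, 666 and 9xx areas; 00 group; 0000 serial) to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Marker for internally developed software: an import of the company-private package.
INTERNAL_CODE_RE = re.compile(r"^\s*(?:from|import)\s+acme_internal\b", re.MULTILINE)

@dataclass
class Verdict:
    action: str                                   # "allow", "alert" or "block"
    findings: dict = field(default_factory=dict)  # pattern name -> number of hits

def inspect_outbound(body: str) -> Verdict:
    """Classify one outbound message the way the egress filter above would."""
    findings = {}
    ssn_hits = SSN_RE.findall(body)
    if ssn_hits:
        findings["us_ssn"] = len(ssn_hits)
    code_hits = INTERNAL_CODE_RE.findall(body)
    if code_hits:
        findings["internal_source"] = len(code_hits)
    # Constructed policy: personal identifiers are blocked outright; internal source
    # code is let through but silently flagged so security staff can follow up.
    if "us_ssn" in findings:
        return Verdict("block", findings)
    if findings:
        return Verdict("alert", findings)
    return Verdict("allow", findings)

def redact(body: str) -> str:
    """Mask SSNs before the message text is written to the alert log."""
    return SSN_RE.sub("***-**-****", body)

# Constructed sample messages.
MSG_PAYROLL = "Hi, here is the list for the home office:\nJ. Doe 123-45-6789\nR. Roe 234-56-7890\n"
MSG_CODE = "Can you look at this helper?\nfrom acme_internal import billing\nprint(billing.total())\n"
MSG_LUNCH = "Lunch at noon? Ticket 000-12-3456 is closed, call ext. 5550.\n"

if __name__ == "__main__":
    for msg in (MSG_PAYROLL, MSG_CODE, MSG_LUNCH):
        v = inspect_outbound(msg)
        print(v.action, v.findings, repr(redact(msg)[:40]))
```

The ticket number in the third message has the SSN shape but an invalid area, so the filter lets it through; the lookaheads are what keep a pattern filter from alerting on every nine-digit string.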
• Hackers still found their way to infect the network.
• The network control of the DMZ does not prevent a web software developer from deploying code that can be used to imitate
any network activity that is allowed by the web server itself.
• Developers innovate by sharing software source code via both public ("open source") and proprietary development
projects.
• Code is reused to gain more functionality.
• Developers use free software ("freeware") for which no source code is available.
• Like the lists of viruses and software vulnerabilities, software security mistakes have been cataloged as part of the
National Vulnerability Database project (MITRE 2009; MITRE ongoing).
• Cyber security vendors have created security source code analysis software to be incorporated into source code
control systems so these bugs can be found before software is deployed.
• Static software analysis reads code as written.
• Dynamic software analysis reads code as it is being executed.
• Web application firewalls (WAFs) are programmed to detect insecure software as it is used, and block attempts to exploit
it in real time.
• Content filters prevent users from sending sensitive information to the Internet.
• Intrusion prevention devices have replaced intrusion detection devices.
Cyberspace and cyber security countermeasures.
Cyber crime attack paths.
CHALLENGES
• Cyber security policy is concerned with stakeholders in cyberspace.
• The number and type of cyberspace stakeholders far exceed the scope envisioned with the first Computer
Security Act.
• Threats are detected, but there are no optimum countermeasures.
[Figure: bar chart, scale 0 to 100, of security measures by department (Finance, Marketing, Sales, Operations) across the categories Security Logs, Encryption, Identity Management, Web Security, Operating System Security, Remote and Wireless, and Network Security.]
• In a computer system, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to perform
unauthorized actions within the system.
• To exploit a vulnerability, attackers must have at least one tool or technique that can connect to a system weakness. In this
frame, vulnerability is also known as attack surface.
• Vulnerability management is the cyclic practice of identifying, classifying, remediating, and mitigating vulnerabilities. This
practice generally refers to software vulnerabilities of computing systems.
• A security risk is often incorrectly classified as a vulnerability.
• The window of vulnerability is the time from when the security hole was introduced in deployed software to when access
was removed, a security fix was available/deployed, or the attacker was disabled; an attack within this window is a zero-day attack.
• A notable exception to the technology management approach to security metrics, though still one that does not directly measure
security, is the vulnerability and threat focus.
• This is the enumeration of system vulnerabilities and misuse techniques.
• NIST and MITRE encouraged a consortium of security product vendors and practitioners to contribute to an endlessly
growing repository of structured data describing known software vulnerabilities in a project known as the National
Vulnerability Database (NVD).
• The first Common Vulnerability Enumeration (CVE) was published in 1997 (MITRE ongoing).
• This provided some standard by which security protection efforts would be judged to be effective, by providing a "to-fix" list.
• Just listing the vulnerabilities that allowed malware to work did not address the concern that malware had to be identified in order
for it to be eradicated.
• In 2004, the CVE was followed with a Common Malware Enumeration (CME) that catalogs malware that exploits vulnerabilities.
• This facilitates the development of automated methods to detect and eradicate malware.
• The MITRE NVD data was extended in 2006 to include the Common Weakness Enumeration (CWE), which is a list of software
development mistakes that are made frequently and commonly result in vulnerabilities.
• An example of a specific issue would be the identification of a software security flaw that appears on the "Never-Events" list.
• The list is a metaphorical reference to the National Quality Forum's (NQF) medical Never-Events list.
• That list includes medical mistakes that are serious, largely preventable, and of concern to both the public and health-care providers
for the purpose of public accountability, such as leaving a surgical instrument in a patient.
• The software integrity version of the Never-Events list is the list of the top 25 mistakes software developers make that introduce
security flaws.
• SQL injection in the metric example for this category refers to one of those never-events.
• An SQL-injection mistake allows database commands to be entered by web page users in such a way that the users have the ability to
execute arbitrary database queries that provide them with information that the application is not designed to allow them to access.
• SQL injection is a code injection technique that might destroy a database.
• SQL injection is the most common web hacking technique.
• SQL injection is the placement of malicious code in an SQL statement via web page input.
• The metric is the number of applications that allow SQL injection to occur.
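To make the never-event concrete, here is an added example (written for these notes, not code from the source) showing the SQL-injection mistake beside its parameterized fix, plus the kind of check that would count an application toward the metric above. The schema, rows and the in-memory SQLite database are constructed.

```python
import sqlite3

# Added example for these notes, not code from the source. Schema and rows are constructed.

def make_db() -> sqlite3.Connection:
    """In-memory table standing in for a web application's user records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str):
    """The never-event: web page input is pasted into the SQL text, so a quote character
    in the input ends the string literal and the rest is parsed as SQL."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, name: str):
    """The fix: a placeholder binds the input as a value, never as SQL syntax."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

def allows_injection(conn: sqlite3.Connection, lookup) -> bool:
    """Check behind the metric: a lookup for a name that does not exist must return nothing.
    If a quote-bearing input widens the result set, the input was interpreted as SQL and the
    application counts as one that allows SQL injection."""
    probe = "nobody' OR '1'='1"
    return len(lookup(conn, probe)) > 0

if __name__ == "__main__":
    conn = make_db()
    print("normal lookup:", lookup_vulnerable(conn, "alice"))
    print("vulnerable app allows injection:", allows_injection(conn, lookup_vulnerable))
    print("parameterized app allows injection:", allows_injection(conn, lookup_parameterized))
```

The parameterized lookup returns an empty list for the probe because the driver treats the whole string, quotes included, as the literal name to match.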
• To cover the possibility that some system access feature may have been intended, but nevertheless introduces a security
vulnerability, in 2009 NIST introduced a Common Misuse Scoring System, which provides a method to measure the severity of software
"trust" flaws by correlating them with estimates of negative impact.
• All types of vulnerabilities in the NVD are used to create security metrics by using them as a checklist and checking a
technology environment to see if they exist.
• This database is also used by security software vendors to create a set of test cases for vulnerabilities against which
security software should be effective.
• These are not only anti-malware vendors, but vendors of software vulnerability testing software.
• Penetration tests of the type used by malicious hackers (also known as "black hats" in reference to old Western movies where
the heroes always wore white hats) are designed by cyber security analysts ("white hats") to exploit any and all of the
vulnerabilities in the NVD.
• They are automated so they can be run from a console. The security metric is usually the inverse of the percentage of machines
in inventory that test positive for any of the vulnerabilities in the database.
• If a stated security goal is to have no known vulnerabilities, this type of test may seem to provide a good cyber
security metric.
• These metrics will necessarily miss the zero-day attack, and so, if a complete technology inventory test for all the
known NVD vulnerabilities was passed with flying colors, this would not mean that the system was secure.
• It could simply mean that if the system had security bugs and flaws, those bugs and flaws were not yet identified.
• As one software security expert puts it, they are a badness-ometer (McGraw 2006). As illustrated in Figure 3.7, these
types of measures can provide evidence that security is bad, but there is no number on the scale that would show
security is good.
Security badness-ometer. Source: McGraw (2006).
• ICSs operate industrial infrastructures worldwide, including electric power, water, oil/gas, pipelines, chemicals, mining,
pharmaceuticals, transportation, and manufacturing.
• ICSs measure, control, and provide a view of the physical process: ICSs monitor sensors and automatically move physical
machinery such as levers, valves, and conveyor belts. When most people think of cyberspace, they think of Internet-enabled
applications and corresponding information technology (IT).
• ICSs also utilize advanced communication capabilities and are networked to improve process efficiency, productivity,
regulatory compliance, and safety.
• When an ICS does not operate properly, it can result in impacts ranging from minor to catastrophic. Consequently, there is a
critical need to ensure that electronic impacts do not cause, or enable, improper operation of ICSs.
• A typical ICS is composed of a control center that will house the human–machine interface (HMI), that is, the operator
displays.
• These are generally Windows-based workstations. Other typical components of an ICS control center include Supervisory
Control and Data Acquisition (SCADA) and Distributed Control Systems (DCSs).
• The control center communicates to the remote field devices over communication networks using proprietary
communication protocols.
Industrial control system framework
• The control center generally communicates to a remote control device such as a remote terminal unit (RTU) or directly to a
controller such as a programmable logic controller (PLC) or an intelligent electronic device (IED).
• The PLC or IED communicates via serial, Ethernet, microwave, spread spectrum radio, and a variety of other
communication protocols.
• The communication is received by sensors, gathering measurements of pressure, temperature, flow, current, voltage, motor
speed, chemical composition, or other physical phenomena, to determine when and if final elements such as valves, motors,
and switches need to be actuated if the system requirements change or if the system is out of specification.
• Generally, these changes are made automatically, with the changes sent back to the operator of the control center.
Personal Mobile Devices
• Mobile devices are designed to allow the mobile carrier service providers to control the device.
• Mobile operating systems are in some sense tethered to the mobile carrier and unable to fulfill their purpose without it.
• This is why the mobile carrier has more interest in ensuring that the configuration of the device can be accessed remotely
than in providing the user control over its content.
• For example, some device operating systems may have configurable security settings that allow an administrator to disallow
installation of applications, but allow installation of applications from the corporate server.
• Figure 3.12 illustrates mobile phone connectivity.
• Phones signal cell towers, which relay the signals to equipment that identifies the transmitting device and allocates land-based
telecommunications bandwidth to the mobile device based on the tower operator's agreements with the mobile carrier
who administers the phone.
Mobile device system framework
Where device configuration is administered via the cell service, administration occurs from computers in the mobile carrier's
data centers.
They identify the device that is connected and send it data and commands that update the software on the device.
Note that this administration process uses part of the same bandwidth that is reserved for cell service itself, and mobile carriers
do not charge the customer for the service time spent updating software.
This keeps mobile carrier updates to a minimum and thus may actually delay the implementation of security patches if they become
available during times of peak mobile service requirements. Security features that facilitate these goals include, though are not
limited to:
• Possession—the phone number associated with the device is not transferable without permission of the owner.
• Reliability—transmissions sent by one user are received by the specified recipients.
• Connectivity—the system is available to transmit and receive.
• Confidentiality—mobile users expect that data transmissions will not be intercepted by parties other than those with
whom they specifically choose to communicate.
Guidance for Decision Makers
• Where cyber security is managed as a program, the program structure provides organization, strategy,
and operational process to maintain activities in support of cyber security.
• Where security is viewed as part of, or integrated with, other business or mission goals, it
becomes evident that the strategy to achieve security objectives cannot be a stand-alone
project, but must be part of a larger program.
• Within an enterprise management structure, the cyber security program will be a set of inter-related
discrete projects combined with processes managed in a coordinated way to obtain benefits
and control not available from managing them individually.
• Policy is an extremely important component of strategy execution because it is used to
communicate desired outcomes.
• Even if an executive issues only one policy statement, that statement will be interpreted in the
context of other plans, objectives, and operational environments that complete an organization’s
cyber security posture.
Gantt chart
Resources:
• Policy awareness is a necessary step to complete after policy development and before
implementation.
• Security standards, operating procedures, and guidelines are also often issued in conjunction with
policy to demonstrate how compliance with a given policy may be achieved.
• Procedures are documented step-by-step implementation instructions that a technician may
follow in order to be successful in implementing policy and standards.
• Procedures are also used to train new technicians on the mechanics of configuring the technology.
• Procedures therefore must be written at a much lower level of detail than policies or standards,
and they must fully explain how to operate technology.
• Guidelines are the most general type of security document.
• CISOs document cyber security policy.
• Cyber security specialists often act as trusted advisors to executive decision makers, but are not as
well-versed in the overall organizational mission as the executives who would be expected to create
cyber security strategy.
• Cyber security specialists usually advise on matters of cyber security technology and
implementation while leaving the organizational goals that form the basis of the policy to
executive decision makers.
Using the Catalog
• In a physical security environment, each significant social, economic, institutional, and political
segment of the community has a number of potential resources that can be brought to bear (NCPI
2001).
• Cyber security policies are not implemented in a complete sense.
• In order to coordinate response, one first needs an ability to detect cyber attacks, access to
intelligence with which to analyze them, and a method and means of response.
• An individual organization may lay plans to coordinate its own response, but for response to cross
all communities of interest, more coordinated policies are required on common fronts.
• Policy should not only address goals, but also identify key barriers to goal achievement and
anticipate resistance to change.
• The resistance may come from sources both internal and external to the organization.
• Those with experience in accountability for security measures understand well that security
policy is often used as a shield against change.
• A true enterprise strategist will see security policy as a flexible tool with which to achieve
objectives, not as a barrier or disincentive to innovation.
The Catalog Approach
• The full spectrum of issues that may one day be laid before cyber security policy decision makers would be similarly long.
• A listing of all cyber security policy issues is not feasible to attempt, because it is the type of list that would be out of date as
soon as it was done.
• A catalog approach provides structure for classification and examples of cyber security policy issues.
The primary reason for listing and explaining a set of issues:
• To introduce and explain the foundations of concepts that frequently recur in cyber security policy debates.
• A secondary reason for presenting a catalog is to impress the reader with the variety and breadth of the field of cyber
security policy.
• A third reason is to include enough detail in the explanation of cyber security policy issues for decision makers to recognize
how the consequence of a given policy may affect their enterprise, whether or not it is a policy they themselves adopt, or a
policy that has been adopted by others.
• The process of listing the issues and the corresponding discussion among authors while contributing to the list altered the
taxonomy several times.
• Root cause analysis of cyber security incidents, as in any root cause analysis exercise, will produce two types of causes:
events and conditions.
• Events are the proximate causes, and conditions are the situations that allowed the event to occur.
▪ Events are by nature unpredictable and difficult to control. But conditions that allow events in cyberspace to become
security issues may be controlled with policy.
• Concentration on conditions rather than events led to the current taxonomy for the catalog of cyber security policy issues.
• Cyber policy issues faced by individual agencies and organizations seem hopelessly complicated in isolation, but in the
context of the issues faced globally, sense can be made of the individual organization’s choices in the context of the cyber-
enabled community.
• A solid understanding of cyber security policy issues not only suggests potential solutions for the organization, but provides
a solid foundation for the organization to lobby for choices made by others that affect them.
• For example, nearly everyone who uses cyberspace is affected by mechanisms that govern the allocation of Internet
domain names and numbers.
• But only those who have been affected to the extent that policy choices in this domain have facilitated incidents that cause
negative impact to their enterprise have likely investigated these issues.
• Even then, the investigation is typically into how Internet governance works, rather than how it could work if policy were
different.
• From the Catalog’s clear presentation of the issues related to Internet Governance, it is apparent that no matter how many
lawyers one has, all domains will continue to be subject to threats of impersonation unless several policies are changed
globally.
• There are five aspects of cyber security policy goals:
1. Cyber Governance Issues
2. Cyber User Issues
3. Cyber Conflict Issues
4. Cyber Management Issues
5. Cyber Infrastructure Issues
Cyber security policy taxonomy
• Cyber Governance is concerned with issues relating to Internet operation and its continued utility and feasibility.
• The resolution of issues in the governance arena undoubtedly will heavily influence the e-commerce environment, which is
how most users are exposed to cyber security policy issues.
• Cyber Users are concerned with the stability of cyberspace as a platform upon which to conduct business, as well as their
own personal expectations for Internet communication. Cyber security policy issues decided in that arena may have
downstream consequences, both intended and unintended, on Cyber Conflict between political factions and nation-states.
• Cyber Management policies in some sense form a baseline of due care with respect to security, although each industry will
face issues of unique concern. Hence, we provide examples of Cyber Infrastructure issues.
• The aim is to foster an understanding of the various types of policy issues in order to prompt recognition that they are separate and
distinct.
• For example, most cyber governance issues may be resolved independent of user issues, though some may constrain the
policy choices made on behalf of users.
• Also, the resolution of user privacy issues may limit choices or introduce constraints in alternatives for cyber policy
concerning cyber conflict issues.
Catalog Format
• Each section of the Catalog follows a uniform format.
• Each section begins with an overview of the issues of interest for that section.
• The overview is meant to shed light on cyber security policy concerns and introduce a taxonomy for the issues within the
general section heading.
• Each item in the taxonomy will have its own subsection introductory description.
• These descriptions are followed by a categorization of cyber security policy issues that illustrate the concerns of the
subsection and may include examples of events that illustrate major cyberspace developments and corresponding security
impact.
• The opening discussion in each subsection is followed by a table that lists specific examples of cyber security policy
issues.
• Each policy statement in a tabular list is enhanced with both explanation and opinions that indicate why cyber security
policy constituents may be concerned about the issuance of executive mandates with respect to the issue.
• Readers should also keep in mind that cyber security policy that makes sense for one organization does not necessarily
make sense for any other, and two organizations with inconsistent internal cyber security policies may nevertheless coexist
in harmony.
• The reasons why a statement may stir controversy are presented in the form of virtual constituent opinions.
• There are at least two reasons for controversy cited for each policy statement.
• The reasons for controversy reveal that there are often more than two sides to a cyber security policy debate.
• All issues and corresponding literature have surfaced in published information security standards, government directives, or
academic literature.
• Executives today are faced with responsibility for creating their own organizational cyber strategy and cyber security policy
statements.
• These reasons for controversy are highlighted solely to enhance awareness of debates in progress while encouraging
development of new opinions on the issue.
• In line with the objective of providing a comprehensive guide to cyber security policy issues for executive decision makers,
an attempt has been made to phrase the cyber security policy issues in such a manner that an executive in the domain sees
the consequences of mandating these statements as policy within their own sphere of organizational control.
• The members of the list have been grouped by subject of concern to the corresponding domain in order for an executive to
quickly get a sense of how cyber security policy issues within a given domain may be related to each other.
• The adoption of one may entail the adoption of another, or it may conflict with the opportunity to adopt another.
• The catalog approach is intended to ensure that policy issues are captured systematically and without prejudice toward one
overarching global strategy to accomplish any given organization’s objective for the utilization of cyberspace.
• A key goal of the Catalog is to provide well-articulated constituent opinions with respect to each policy statement.
• These opinions are clearly demarcated from the explanation of the policy issue itself, as the explanation is intended to be
fact-based. Inclusion of a policy statement in this document in no way implies endorsement.
• A reason for controversy with respect to a policy statement is not highlighted as either a pro or a con.
• Though they may be grouped by category or similarity of opinion, reasons for controversy are not listed in any purposeful
order.
• All policies are subject to unanticipated, as opposed to unintended, consequences.
• Unanticipated consequences are inherently unknown and so will not be listed.
• By contrast, unintended consequences may be anticipated, though they are not certain to occur.
• An unintended consequence carries a likelihood value that is subject to opinion.
• If unintended consequences are included in the catalog in the context of a policy statement, they will be listed as opinions,
that is, as reasons for controversy.
Cyber Security Policy Taxonomy
• The original domain subsections for the Catalog were loosely modeled on the U.S. Department of
Homeland Security Critical Infrastructure domains.