Chapter07_Cyber_Attacks.pdf


Copyright © 2012, Elsevier Inc.

All Rights Reserved

Chapter 7

Discretion

Cyber Attacks Protecting National Infrastructure, 1st ed.

Introduction

• Proprietary information will be exposed if discovered by hackers

• National infrastructure protection initiatives must prevent leaks

– Best approach: Avoid vulnerabilities in the first place

– More practically: Include a customized program focused mainly on the most critical information

Trusted Computing Base

• A trusted computing base (TCB) is the totality of hardware, software, processes, and individuals considered essential to system security

• A national infrastructure security protection program will include

– Mandatory controls

– Discretionary policy

• A smaller, less complex TCB is easier to protect

Fig. 7.1 – Size comparison issues in a trusted computing base


Trusted Computing Base

• Managing discretion is critical; questions about the following should be asked when information is being considered for disclosure

– Assistance

– Fixes

– Limits

– Legality

– Damage

– Need

Security Through Obscurity

• Security through obscurity is often maligned and misunderstood by security experts

– Long-term hiding of vulnerabilities

– Long-term suppression of information

• Security through obscurity is not recommended for long-term protection, but it is an excellent complementary control

– E.g., there’s no need to publish a system’s architecture

– E.g., revealing a flaw before it’s fixed can lead to rushed work and an unnecessary complication of the situation


Fig. 7.2 – Knowledge lifecycle for security through obscurity


Fig. 7.3 – Vulnerability disclosure lifecycle

Information Sharing

• Information sharing may be inadvertent, secretive, or willful

• Government is most aggressive in promoting information sharing

• Government requests information from industry for the following reasons

– Government assistance to industry

– Government situational awareness

– Politics

• Government and industry have conflicting motivations


Fig. 7.4 – Inverse value of information sharing for government and industry

Information Reconnaissance

• Adversaries regularly scout ahead and plan before an attack

• Reconnaissance planning levels

– Level #1: Broad, wide-reaching collection from a variety of sources

– Level #2: Targeted collection, often involving automation

– Level #3: Directly accessing the target


Fig. 7.5 – Three stages of reconnaissance for cyber security

Information Reconnaissance

• At each stage of reconnaissance, security engineers can introduce information obscurity

• The specific types of information that should be obscured are

– Attributes

– Protections

– Vulnerabilities

Obscurity Layers

• Layering methods of obscurity and discretion adds depth to a defensive security program

• Even with layered obscurity, asset information can find a way out

– Public speaking

– Approved external site

– Search for leakage


Fig. 7.6 – Obscurity layers to protect asset information

Organizational Compartments

• Governments have been successful at protecting information by compartmentalizing information and individuals

– Information is classified

– Groups of individuals are granted clearance

• Compartmentalization defines boundaries, which helps guide decisions

• Private companies can benefit from this model


Fig. 7.7 – Using clearances and classifications to control information disclosure


Fig. 7.8 – Example commercial mapping of clearances and classifications

National Discretion Program

• Implementing a national discretion program will require

– TCB definition

– Reduced emphasis on information sharing

– Coexistence with hacking community

– Obscurity layered model

– Commercial information protection models