
Chapter 5 – Commonality

Cyber Attacks: Protecting National Infrastructure, 1st ed.

Copyright © 2012, Elsevier Inc. All Rights Reserved

Introduction

• Certain security attributes must be present in all aspects and areas of national infrastructure to ensure maximum resilience against attack

• Best practices, standards, and audits establish a low-water mark for all relevant organizations

• Audits must be both meaningful and measurable
  – Often the most measurable things aren't all that meaningful

Introduction

• Common security-related best practice standards
  – Federal Information Security Management Act (FISMA)
  – Health Insurance Portability and Accountability Act (HIPAA)
  – Payment Card Industry Data Security Standard (PCI DSS)
  – ISO/IEC 27000 Standard (ISO27K)

Fig. 5.1 – Illustrative security audits for two organizations

Fig. 5.2 – Relationship between meaningful and measurable requirements

Meaningful Best Practices for Infrastructure Protection

• The primary motivation for proper infrastructure protection should be success-based and economic
  – Not the audit score

• Security of critical components relies on
  – Step #1: Standard audit
  – Step #2: World-class focus

• Sometimes security audit standards and best practices proven through experience are in conflict

Fig. 5.3 – Methodology to achieve world-class infrastructure protection practices

Locally Relevant and Appropriate Security Policy

• Four basic security policy considerations are recommended
  – Enforceable: Policies without enforcement are not valuable
  – Small: Keep it simple and current
  – Online: Policy information needs to be online and searchable
  – Inclusive: Good policy requires analysis in order to include computing and networking elements in the local national infrastructure environment

Fig. 5.4 – Decision process for security policy analysis

Culture of Security Protection

• Create an organizational culture of security protection

• A culture of security is one where standard operating procedures provide a secure environment

• The ideal environment marries creativity and interest in new technologies with caution and a healthy aversion to risk

Fig. 5.5 – Spectrum of organizational culture of security options

Infrastructure Simplification

• Organizations should be explicitly committed to infrastructure simplification

• Common problems found in the design and operation of national infrastructure
  – Lack of generalization
  – Clouding the obvious
  – Stream-of-consciousness design
  – Nonuniformity

Fig. 5.6 – Sample cluttered engineering chart

Fig. 5.7 – Simplified engineering chart

Infrastructure Simplification

• How to simplify a national infrastructure environment
  – Reduce its size
  – Generalize concepts
  – Clean interfaces
  – Highlight patterns
  – Reduce clutter

Certification and Education

• Key decision-makers need certification and education programs

• One hundred percent end-user awareness is impractical; instead focus on improving the security competence of decision-makers
  – Senior managers
  – Designers and developers
  – Administrators
  – Security team members

• Create low-cost, high-return activities to certify and educate end users

Fig. 5.8 – Return on investment (ROI) trends for security education

Career Path and Reward Structure

• Create and establish career paths and reward structures for security professionals

• These elements should be present in national infrastructure environments
  – Attractive salaries
  – Career paths
  – Senior managers

Responsible Past Security Practice

• Companies and agencies being considered for national infrastructure work should be required to demonstrate past practice in live security incidents

• Companies and agencies must do a better job of managing their inventory of live incidents

Responsible Past Security Practice

• Companies and agencies being considered for national infrastructure work should provide evidence of the following past practices
  – Past damage
  – Past prevention
  – Past response

National Commonality Program

• A national commonality plan involves balancing the following concerns
  – Plethora of existing standards
  – Low-water mark versus world class
  – Existing commissions and boards