Cyber_Attacks_Chapter05_PowerPoint_Lecture_Slides.pptx

Copyright © 2012, Elsevier Inc. All Rights Reserved

Chapter 5

Commonality

Cyber Attacks

Protecting National Infrastructure, 1st ed.


The University of Adelaide, School of Computer Science

2 June 2019

Chapter 2 — Instructions: Language of the Computer


Introduction

Certain security attributes must be present in all aspects and areas of national infrastructure to ensure maximum resilience against attack

Best practices, standards, and audits establish a low-water mark for all relevant organizations

Audits must be both meaningful and measurable

Often the most measurable things aren’t all that meaningful


Introduction

Common security-related best practice standards:

Federal Information Security Management Act (FISMA)

Health Insurance Portability and Accountability Act (HIPAA)

Payment Card Industry Data Security Standard (PCI DSS)

ISO/IEC 27000 Standard (ISO27K)


Fig. 5.1 – Illustrative security audits for two organizations



Fig. 5.2 – Relationship between meaningful and measurable requirements


Meaningful Best Practices for Infrastructure Protection

The primary motivation for proper infrastructure protection should be success-based and economic, not the audit score

Security of critical components relies on two steps:

Step #1: Standard audit

Step #2: World-class focus

Sometimes security audit standards and best practices proven through experience are in conflict



Fig. 5.3 – Methodology to achieve world-class infrastructure protection practices


Locally Relevant and Appropriate Security Policy

Four basic security policy considerations are recommended:

Enforceable: Policies without enforcement are not valuable

Small: Keep it simple and current

Online: Policy information needs to be online and searchable

Inclusive: Good policy requires analysis in order to include the computing and networking elements present in the local national infrastructure environment



Fig. 5.4 – Decision process for security policy analysis


Culture of Security Protection

Create an organizational culture of security protection

A culture of security is one where standard operating procedures provide a secure environment

The ideal environment marries creativity and interest in new technologies with caution and a healthy aversion to risk



Fig. 5.5 – Spectrum of organizational culture of security options


Infrastructure Simplification

Organizations should be explicitly committed to infrastructure simplification

Common problems found in the design and operation of national infrastructure:

Lack of generalization

Clouding the obvious

Stream-of-consciousness design

Nonuniformity



Fig. 5.6 – Sample cluttered engineering chart


Fig. 5.7 – Simplified engineering chart


Infrastructure Simplification

How to simplify a national infrastructure environment:

Reduce its size

Generalize concepts

Clean interfaces

Highlight patterns

Reduce clutter


Certification and Education

Key decision-makers need certification and education programs

One hundred percent end-user awareness is impractical; instead focus on improving the security competence of decision-makers:

Senior managers

Designers and developers

Administrators

Security team members

Create low-cost, high-return activities to certify and educate end users



Fig. 5.8 – Return on investment (ROI) trends for security education


Career Path and Reward Structure

Create and establish career paths and reward structures for security professionals

These elements should be present in national infrastructure environments:

Attractive salaries

Career paths

Senior managers


Responsible Past Security Practice

Companies and agencies being considered for national infrastructure work should be required to demonstrate past practice in live security incidents

Companies and agencies must do a better job of managing their inventory of live incidents


Responsible Past Security Practice

Companies and agencies being considered for national infrastructure work should provide evidence of the following past practices:

Past damage

Past prevention

Past response


National Commonality Program

A national commonality plan involves balancing the following concerns:

Plethora of existing standards

Low-water mark versus world class

Existing commissions and boards
