discussion 7

Cyber_Attacks_Chapter07_PowerPoint_Lecture_Slides.ppt

Copyright © 2012, Elsevier Inc. All Rights Reserved

Chapter 7

Discretion

Cyber Attacks

Protecting National Infrastructure, 1st ed.

The University of Adelaide, School of Computer Science

Introduction

  • Proprietary information will be exposed if discovered by hackers
  • National infrastructure protection initiatives must prevent leaks
  • Best approach: Avoid vulnerabilities in the first place
  • More practically: Include a customized program focused mainly on the most critical information

Trusted Computing Base

  • A trusted computing base (TCB) is the totality of hardware, software, processes, and individuals considered essential to system security
  • A national infrastructure security protection program will include
      • Mandatory controls
      • Discretionary policy
  • A smaller, less complex TCB is easier to protect

Fig. 7.1 – Size comparison issues in a trusted computing base

Trusted Computing Base

  • Managing discretion is critical; questions about the following should be asked when information is being considered for disclosure
      • Assistance
      • Fixes
      • Limits
      • Legality
      • Damage
      • Need

Security Through Obscurity

  • Security through obscurity is often maligned and misunderstood by security experts
      • Long-term hiding of vulnerabilities
      • Long-term suppression of information
  • Security through obscurity is not recommended for long-term protection, but it is an excellent complementary control
      • E.g., there’s no need to publish a system’s architecture
      • E.g., revealing a flaw before it’s fixed can lead to rushed work and an unnecessary complication of the situation

Fig. 7.2 – Knowledge lifecycle for security through obscurity

Fig. 7.3 – Vulnerability disclosure lifecycle

Information Sharing

  • Information sharing may be inadvertent, secretive, or willful
  • Government is the most aggressive in promoting information sharing
  • Government requests information from industry for the following reasons
      • Government assistance to industry
      • Government situational awareness
      • Politics
  • Government and industry have conflicting motivations

Fig. 7.4 – Inverse value of information sharing for government and industry

Information Reconnaissance

  • Adversaries regularly scout ahead and plan before an attack
  • Reconnaissance planning levels
      • Level #1: Broad, wide-reaching collection from a variety of sources
      • Level #2: Targeted collection, often involving automation
      • Level #3: Directly accessing the target

Fig. 7.5 – Three stages of reconnaissance for cyber security

Information Reconnaissance

  • At each stage of reconnaissance, security engineers can introduce information obscurity
  • The specific types of information that should be obscured are
      • Attributes
      • Protections
      • Vulnerabilities

Obscurity Layers

  • Layering methods of obscurity and discretion adds depth to a defensive security program
  • Even with layered obscurity, asset information can find a way out
  • Public speaking
  • Approved external site
  • Search for leakage

Fig. 7.6 – Obscurity layers to protect asset information

Organizational Compartments

  • Governments have been successful at protecting information by compartmentalizing information and individuals
      • Information is classified
      • Groups of individuals are granted clearance
  • Compartmentalization defines boundaries, which helps guide decisions
  • Private companies can benefit from this model

Fig. 7.7 – Using clearances and classifications to control information disclosure

Fig. 7.8 – Example commercial mapping of clearances and classifications
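
The compartment model on the Organizational Compartments slide can be expressed as a disclosure check. This is an added example, not material from the slides or the book; the level names, compartment names, people and documents are hypothetical and do not reproduce the contents of Fig. 7.7 or Fig. 7.8.

```python
from dataclasses import dataclass

# Hypothetical commercial levels, lowest to highest (assumed, not from Fig. 7.8).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Label:
    """A clearance (for a person) or a classification (for a document)."""
    level: str
    compartments: frozenset = frozenset()


def may_disclose(clearance: Label, classification: Label) -> bool:
    """Allow disclosure only if the clearance dominates the classification:
    the level is at least as high AND every compartment on the document
    is also held by the person."""
    return (LEVELS[clearance.level] >= LEVELS[classification.level]
            and classification.compartments <= clearance.compartments)


def review(people: dict, documents: dict) -> dict:
    """Return {document: sorted list of people who may receive it}."""
    return {doc: sorted(p for p, c in people.items() if may_disclose(c, lab))
            for doc, lab in documents.items()}


# Constructed sample data.
PEOPLE = {
    "noc_engineer": Label("confidential", frozenset({"network"})),
    "vendor_contact": Label("internal"),
    "security_lead": Label("restricted", frozenset({"network", "incident"})),
    "executive": Label("restricted"),  # high level, but no compartments
}
DOCUMENTS = {
    "press_release": Label("public"),
    "network_diagram": Label("confidential", frozenset({"network"})),
    "unpatched_flaw_report": Label("restricted", frozenset({"incident"})),
}

if __name__ == "__main__":
    for doc, who in review(PEOPLE, DOCUMENTS).items():
        print(f"{doc}: {who}")
```

The executive holds the highest level yet is refused the network diagram, because the compartment boundary decides the outcome and seniority does not.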

National Discretion Program

  • Implementing a national discretion program will require
      • TCB definition
      • Reduced emphasis on information sharing
      • Coexistence with hacking community
      • Obscurity layered model
      • Commercial information protection models