week5 discussion

profilesrk
Week5emerging.pptx

Week 5

Read Chapter 7 – Discretion

Listen to Week 5 Lecture

Participate in Week 5 discussion

Complete quiz 3 based on Chapter 4 and Chapter 5

Copyright © 2012, Elsevier Inc. All rights Reserved


Chapter 7

Discretion

Cyber Attacks

Protecting National Infrastructure, 1st ed.


The University of Adelaide, School of Computer Science

30 July 2019

Chapter 2 — Instructions: Language of the Computer


Proprietary information will be exposed if discovered by hackers

National infrastructure protection initiatives must prevent leaks

Best approach: Avoid vulnerabilities in the first place

More practically: Include a customized program focused mainly on the most critical information


Chapter 7 – Discretion

Introduction


A trusted computing base (TCB) is the totality of hardware, software, processes, and individuals considered essential to system security

A national infrastructure security protection program will include

Mandatory controls

Discretionary policy

A smaller, less complex TCB is easier to protect


Trusted Computing Base


Managing discretion is critical; questions about the following should be asked when information is being considered for disclosure

Assistance

Fixes

Limits

Legality

Damage

Need


Trusted Computing Base


Security through obscurity is often maligned and misunderstood by security experts

Long-term hiding of vulnerabilities

Long-term suppression of information

Security through obscurity is not recommended for long-term protection, but it is an excellent complementary control

E.g., there’s no need to publish a system’s architecture

E.g., revealing a flaw before it’s fixed can lead to rushed work and an unnecessary complication of the situation


Security Through Obscurity


Fig. 7.2 – Knowledge lifecycle for security through obscurity


Fig. 7.3 – Vulnerability disclosure lifecycle


Information sharing may be inadvertent, secretive, or willful

Government is the most aggressive in promoting information sharing

Government requests information from industry for the following reasons

Government assistance to industry

Government situational awareness

Politics

Government and industry have conflicting motivations


Information Sharing


Fig. 7.4 – Inverse value of information sharing for government and industry


Adversaries regularly scout ahead and plan before an attack

Reconnaissance planning levels

Level #1: Broad, wide-reaching collection from a variety of sources

Level #2: Targeted collection, often involving automation

Level #3: Directly accessing the target


Information Reconnaissance


Fig. 7.5 – Three stages of reconnaissance for cyber security


At each stage of reconnaissance, security engineers can introduce information obscurity

The specific types of information that should be obscured are

Attributes

Protections

Vulnerabilities


Information Reconnaissance


Layering methods of obscurity and discretion adds depth to a defensive security program

Even with layered obscurity, asset information can find a way out

Public speaking

Approved external site

Search for leakage


Obscurity Layers


Fig. 7.6 – Obscurity layers to protect asset information


Governments have been successful at protecting information by compartmentalizing information and individuals

Information is classified

Groups of individuals are granted clearance

Compartmentalization defines boundaries, which helps guide decisions

Private companies can benefit from this model


Organizational Compartments


Fig. 7.7 – Using clearances and classifications to control information disclosure


Fig. 7.8 – Example commercial mapping of clearances and classifications


Implementing a national discretion program will require

TCB definition

Reduced emphasis on information sharing

Coexistence with hacking community

Obscurity layered model

Commercial information protection models


National Discretion Program
