csec670_01.pdf

UMUC Cybersecurity Capstone CSEC670

© UMUC 2012 Page 1 of 35

Contents

Topic 1: Scenario (page 2)
    Scenario: Digital Pearl Harbor (page 2)
Topic 2: Module Introduction (page 4)
Topic 3: What is Revolutionary Change? (page 5)
    Attributes of Revolutionary Change (page 5)
    Instances of Revolutionary Change (page 7)
Topic 4: Understanding Paradigm Shifts (page 10)
    Kuhn's View (page 10)
    From Rejection to a New Hypothesis (page 12)
    A New Disciplinary Construct for Cybersecurity (page 13)
Topic 5: The Analogous Asymmetric Threat of Terrorism (page 15)
    The Impact of 9/11 (page 15)
    Findings of the 9/11 Commission (page 17)
    The Westphalian Model (page 18)
Topic 6: Defense-in-Depth Strategy (page 21)
    Defense in Depth in Cybersecurity (page 21)
    A New Disciplinary Construct (page 23)
Topic 7: Moving from a Static to a Dynamic Paradigm (page 31)
    Legacy Frameworks (page 31)
    A Dynamic Strategy for an Asymmetric Threat (page 32)
Topic 8: Summary (page 34)
Glossary (page 35)

Topic 1: Scenario

Scenario: Digital Pearl Harbor

Responding to an Asymmetric Threat CSEC670—Module 1

Digital Pearl Harbor

Jonathan Brassard is lying in his hammock, enjoying a peaceful day near his lakeside vacation cabin. Recently retired, Jonathan has had an eventful career in the IT industry. With a master's degree in cybersecurity, Jonathan held notable cybersecurity policy positions in both the private and public sector. He pioneered a cybersecurity consulting business in which he advised CEOs of top companies. He also consulted with the White House several times as a cybersecurity expert. Although he is retired, Jonathan still maintains an office at his company and keeps abreast of events in the cyberworld. On this morning, November 9, he is in for a surprise as he clicks on his tablet to check the stock market.

Disclaimer: The storyline and characters in this part of the module are fictitious and were developed for the purposes of this course. No association with any real person, places, or events is intended or should be inferred from the use of the fictitious names.

Scenario

Jonathan is taken by surprise as he scans the headlines on his tablet. He follows the link to read the full story.

Digital Pearl Harbor; Stock Markets Crash!

Otto Processing Systems, the provider of back office transaction processing to almost 92 percent of U.S. financial institutions during the past 10 years, is under a cyberattack. Otto, a third-party service provider, is the leader in technologies used in banking and financial institutions. Otto has been processing all its transactions over the Internet using Secure Sockets Layer (SSL), and it is this security technology that has been compromised in the cyberattack. The Anarchists, a self-described social action group, have claimed responsibility for the attack. For some time now, the Anarchists have been protesting the high salaries paid to Wall Street executives and traders. As part of their protest, they have now cracked the encryption in Otto’s SSL. Experts say that this attack constitutes a major cybersecurity issue with the potential to shut down a significant portion of America's financial services sector, one of the nation's critical infrastructures. While the full impact of the cyberattack has not yet been determined, the president of the United States has declared the incident to be a threat to national security. In a television broadcast, he stated that the security breach could lead to the financial services sector lacking confidence in the authenticity of its trading data.

As Jonathan digests this disturbing news, his cell phone rings. It is Jonathan's colleague and friend, Tom Baines, who works for the federal government in a national security role.

Here is a transcript of the conversation between Jonathan and Tom.

Tom: Hi, Jonathan. I guess you’ve heard about the attack on Otto.

Jonathan: Yes, I was just reading about it.

Tom: Well, I need some help that would require you to put your retirement on hold.

Jonathan: Tell me what you have in mind.

Tom: The president is forming a group that will be called "The November 9 Commission".

Tom: The commission will investigate the incident and prepare a report on how it happened and what needs to be done to prevent further attacks.

Jonathan: That sounds like a good start to me. How can I help you?

Tom: The president would like you to serve on the commission. Will you do it?

Jonathan: I’m honored to be asked. What role would he like me to have?

Tom: Your primary role would be to look at the big picture and make specific recommendations related to the financial services industry.

Jonathan: Okay. I’ll be back in Washington in three days, and we can discuss this in detail.

Tom: Thanks, Jonathan!

Three Days Later

Three days later, Jonathan is in Washington, D.C., in a boardroom at his company filled with staffers who are busy reading reports and answering phones. He walks into his office, looks out the window, and ponders the project ahead.

Topic 2: Module Introduction

History is witness to the revolutions that have transformed society. The Industrial Revolution was driven by technological advances, while the American Revolution was driven by ideological and societal values. Religion, commerce, culture, and politics have also played prominent roles in influencing history during periods of revolutionary change.

Similarly, the Internet age has been changing society for almost two decades now. The ever-multiplying technologies, increased bandwidth and speed, and advanced networking are features of the Internet revolution. From communications to advertising, from content delivery to gadgets, and now in the Smart Grid, changes in Internet-based technologies keep altering how we view our lives.

Recently, however, cybersecurity concerns have emerged as a prominent aspect of the Internet age. With increasing Internet access, cyberthreats have become national security dangers that can jeopardize economic prosperity. Understanding our evolving Internet-based society helps us address cybersecurity concerns. Cybersecurity has several components, such as national security, law enforcement, intelligence, intellectual property, privacy, and public-private partnerships. Understanding cyberspace in the context of these related concerns raises the question of whether legacy frameworks of these related spheres are appropriate and effective for cyberspace. The challenge of keeping the Internet trustworthy requires a full study of the prevailing governance frameworks. Fortunately, the Internet revolution follows earlier periods of revolutionary change. This module will cover some effective strategies for understanding the impact of the Internet revolution and addressing modern cybersecurity challenges.

Topic 3: What is Revolutionary Change?

Attributes of Revolutionary Change

Theorists, scientists, and academicians have explored revolution and evolution for centuries. They have often had to tackle the severe social repercussions of upsetting the status quo. Studies of organizational change have shown that change can occur swiftly or slowly. Movements aimed at social change have often failed, at least in the political sense. External factors radically upset the status quo—sometimes in relatively minor ways, such as within an industry—and other times permanently, changing the international order. Revolutionary change often brings about fundamental changes in elements of society such as underlying business processes, supporting frameworks, and interrelationships. Fundamental elements must often be refashioned to address the needs that emerge during periods of revolutionary change.

Darwin's Theory of Evolution

Charles Darwin is known for his theories of evolution and common ancestry. He proposed the theory of natural selection, which rejected earlier concepts of transmutation of species. His studies were met with a great deal of resistance and his works were violently attacked. However, in the face of all opposition, he was able to bring about a scientific revolution.

Copernicus' Theory of Heliocentricity

When Nicolaus Copernicus proposed his theory of heliocentricity, countering the Roman Catholic Church's view that the Earth was at the center of the universe, he created a furor. Copernicus held instead that the Earth revolves around the Sun. Copernicus created a revolution in astronomy. After many years of scientific research and experiments, it was proven that Copernicus was indeed correct.

Air Power

In order to realize the potential of air power—the use of aircraft in war—new munitions and ballistic research were needed. Warships and ground systems had to be modified to defend against new airborne weapons. Brig. Gen. Billy Mitchell of the U.S. Army famously championed the emergence of air power with a demonstration in 1921 in which the former German battleship Ostfriesland was sunk near the Chesapeake Bay. This exercise advanced the debate as to the future role of air power in warfare, ultimately leading to an expanded role for military and naval air forces.

Industrial Revolution

After the Industrial Revolution, a completely new theory of law emerged: negligence theory. Previously, in common law, a direct relationship was required between litigants, and only actions under a contract theory were permitted. Negligence theory was proposed to restore balance to the rights and obligations of different members of society. It emerged to enable enforcement of a "duty" on the part of a distant party who had no contractual relationship with a victim of harm. If harm was committed, it could be redressed, regardless of the nonexistence of a contract. The extended economic relationships brought about by the Industrial Revolution, along with vastly expanded production and distribution of goods, triggered this change in law to protect consumers and other downstream product users from harm.

Internet Age

Changes to business enterprises in response to the commercialization and growth of the Internet demonstrate that the Internet age is a period of revolutionary change. One indication of the change is linguistic. Terms such as Internet, cyber, e-, and brick and mortar are descriptors that seek to capture new ideas. For example, brick and mortar emerged to describe a legacy business model, in contrast to e-commerce. In distinguishing brick and mortar from e-commerce, what emerges is not just a new lexicon, but also a fundamentally different mode of business. This new business mode is what created the need for the new lexicon. The Internet age has brought about a revolution in the ways we communicate with each other, do our shopping, pursue our daily activities, and conduct business. The methods we use to buy airline tickets, make hotel reservations, register for college courses, and order pizza have all changed in a fundamental way.

Topic 3: What is Revolutionary Change?

Instances of Revolutionary Change

Industrial Revolution

Step 1: The Industrial Revolution brought changes in manufacturing and distribution processes. It established expanded markets, scaled production and distribution, and introduced new methods and technologies, thus causing society to change.
Step 2: Working conditions changed and shift work became common. The relationship between supplier and consumer changed. Instead of businesses based on relationships, such as those of a village blacksmith or baker who knew their customers, producers and suppliers became disconnected from their customers.
Step 3: For example, in pre-Industrial Revolution England, the legal mechanism to remedy harm required a direct contractual relationship. The concept of negligence did not yet exist in tort law. Therefore, when consumers were harmed by the negligence of a distant producer, they could not sue that producer.
Step 4: After the Industrial Revolution, the English courts fashioned a new legal remedy based on negligence theory.
Step 5: This redress mechanism for victims of harm demonstrates how a period of revolutionary change—the Industrial Revolution—caused structures within society to change.

Question for Industrial Revolution

What were the effects of the Industrial Revolution on society and business processes?

a. Altered manufacturing processes
b. Improved distribution methods
c. Reduced profits for companies
d. Reduced profit incentives for businesses

Correct Answer: Options a and b

Feedback: The Industrial Revolution enhanced manufacturing processes and distribution methods. Neither profits nor incentives were reduced as a result of the Industrial Revolution.

The Westphalian Nation-State Model

After the Thirty Years' War (1618-1648) in Europe, the Westphalian nation-state model was developed. After decades of fighting, a system of sovereignty and nation-state boundaries emerged that was known as the Peace of Westphalia. Fiefdoms died out, and modern countries began to emerge. An international framework aimed at security through the sovereignty principle was established in hopes that each nation would respect this vision.

The legacy of the Westphalian system is seen in modern international frameworks such as the Hague Conventions, the Geneva Conventions, and the United Nations Charter. An underlying feature of each of these agreements is their support of the nation-state construct. These agreements sought to expand protections with respect to human rights and to regulate warfare through compliance by nation-state signatories.

Question for the Westphalian Nation-State Model

Which of the following correctly describes the Westphalian nation-state model?

a. A platform for the theories of communism
b. An international model to promote respect for sovereignty
c. A model that provides the framework for the European Union
d. A model that allowed dictators to expand their empires

Correct Answer: Option b

Feedback: The Westphalian nation-state model emerged internationally to promote respect for sovereignty.

Internet Age

Major technological and social changes over the years include air travel, nuclear power, freedom movements, the aerospace industry, and now, the Internet. The changes that have been brought about by the Internet are actually more fundamental and universal than any that have come before. The Internet has influenced business models, increased efficiencies, and transformed industries. Examples of this include the Smart Grid in the energy sector and digital trading in the financial services industry.

Music: Delivery of media content, such as music and videos, has moved from in-store sales to online sales and on-demand video delivery. The Internet has revolutionized the way we perceive media.

Mobile: Mobile communication has taken the world by storm. An amazing range of cell phones are being offered at ever-lower costs while simultaneously incorporating more and more features.

Newspaper: Print media, such as newspapers and magazines, have seen their circulation and profitability decrease. Many people no longer receive home newspaper delivery, preferring instead to get their news online.

Radio: We have witnessed the near-dissolution of the record store industry, including the bankruptcy of chains like Tower Records. Today, there are free subscription-based radio stations and music offerings on the Web, such as those provided by the British Broadcasting Corporation. The original brick and mortar CD and tape stores have now adopted different business strategies.

Question for Internet Age

Tower Records was a chain of brick-and-mortar record stores. How did the Internet change music delivery methods, and why did Tower Records and other record stores go out of business?

a. People were no longer interested in the genre of music that Tower Records sold.
b. Tower Records’ business model became uncompetitive in the Internet Age.
c. The audience for 1970's music dwindled.
d. Internet-based music delivery became very popular.

Correct Answer: Options b and d

Feedback: Tower Records' business model became uncompetitive in comparison with Internet-based music delivery platforms like iTunes. While older genres of music are still popular today, online delivery mechanisms are putting brick-and-mortar record stores out of business. The original brick and mortar CD and tape stores have now adopted different business strategies.

Topic 4: Understanding Paradigm Shifts

Kuhn's View

Changes in Society

Changes in human society are an ongoing and accepted process. However, revolutionary change goes beyond the standard adaptability processes through which social changes occur. While society is adept at handling change that manifests at a certain level of complexity, society's adaptability mechanisms are ill-suited for recognizing when the status quo is being tilted. Societal frameworks facilitate order and tranquility, and therefore, they may actually be part of the problem in that they can delay recognition that revolutionary change is occurring. The frameworks and processes under a status quo need refining or even transformation after a revolutionary change.

Kuhn's View

In 1962, Thomas Kuhn wrote a book titled The Structure of Scientific Revolutions. Its subject is the dynamics of new field emergence. His influential work about the progress of science introduced a new model for understanding the dynamics of fundamental change. Kuhn's view is that only after a new domain has fully emerged do paradigm changes make themselves apparent to society. Once the emergence of the new domain is understood, science can assess issues within new frameworks, using new formulas, theorems, and problem-solving constructs that may not have previously existed. Kuhn's work suggests that a domain must be accepted before beneficial scientific work can begin. Acceptance is required to appreciate the existence of a new discipline, thus allowing the development of a new status quo and rule-body.

Reference: Kuhn, Thomas S. The Structure of Scientific Revolutions. 3rd ed. Chicago, IL: University of Chicago Press, 1996.

The Kuhn Cycle

Phases of Kuhn's Cycle

Normal Science

In phase one, normal science, scientists can be found working on normal, small, incremental improvements in their fields. For instance, the mobile phone industry began by manufacturing short-range car phones. Years down the line, we now have 3G cell phones and 4G smartphones. In cybersecurity, initial hacking tactics involved Web site defacements. Improved security practices and technologies emerged to address this challenge. Web site defacements, however, are a comparatively low-level threat compared to modern advanced persistent threats.

Model Drift

In phase two, a model drift occurs when the original model can no longer support changes. For example, in the field of cybersecurity, Ethernet replaced ARCNET, an older LAN protocol, because of modernization of computer network devices.

Model Crisis

In phase three, model crisis occurs when an old model is not able to sustain itself. For instance, in cybersecurity, some people have come to believe that the conventional use of a user ID and password is an outdated and ineffective means of reliably authenticating a user's identity.

Model Revolution

In phase four, model revolution changes the game. At this point, the old model is no longer able to support reliable decision making, so the need for a new model becomes imperative. One example from the field of cybersecurity is the transition from computer workstations to small-scale digital devices. Phase four, model revolution, may result from a changed scope or dimension of the environment. One example is the recent extensive proliferation of networked devices and our rapidly growing reliance on them. At the same time, bandwidth and speed have become attack enablers. The proliferation of Internet devices, along with increases in speed and connectivity, have changed the paradigm for security on the Internet.

Paradigm Change

In phase five, a paradigm change occurs when a new scientific model is discovered and utilized. One example of this occurred in cybersecurity when it was recognized that stopping attacks and securing the Internet absolutely is perhaps not a feasible goal. Instead, risk management has become the prevailing strategy, leading to the emergence of new security techniques.

Topic 4: Understanding Paradigm Shifts

From Rejection to a New Hypothesis

Kuhn's view provides a useful lens for assessing current approaches to cybersecurity. According to his view, it would be beneficial to redraw the cybersecurity landscape to critically assess how cybersecurity should be defined. An adequate definition enables effective problem solving.

Through Kuhn's Lens

Cybersecurity remains largely undefined. Is it a function or task? Is it a strategy? Is it about crime? Is it about national security? Is it purely a technical problem for network technicians? Cybersecurity can be considered a discipline, a field that incorporates strategy, function, and a variety of other features and components. Viewed through Kuhn's perspective, cybersecurity represents a revolutionary change, and new disciplinary constructs must emerge so the cybersecurity challenge can be met effectively.

A New Approach

While multidisciplinary approaches are emerging, the typical cybersecurity incident is thought of as "a problem for the IT guy." Cybersecurity is not merely a technological problem; it is a multidisciplinary problem, requiring more than one area of expertise in order to find solutions. The White House's 60-day Cyberspace Policy Review is an example of a multidisciplinary approach. Similarly, U.S. Cyber Command (CYBERCOM) has been established as an operational command in charge of military cybersecurity efforts. Additionally, the National Institute of Standards and Technology (NIST) is pursuing a risk management approach that is quite different from the notion of securing cyberspace. These efforts demonstrate the beginning of a wider understanding that cybersecurity presents a problem beyond the capability and authority of an organization's IT department. However, these efforts are mechanisms that have emerged in response to a difficult challenge, and it is not yet clear that the problem has been defined adequately.

Topic 4: Understanding Paradigm Shifts

A New Disciplinary Construct for Cybersecurity

Disciplines such as law and the social and physical sciences typically include distinct building blocks, methodologies, and processes. In every instance, an emerging field caused processes and functional components to be developed as deemed necessary by professionals in that field. Therefore, cybersecurity must develop its own disciplinary construct, with supporting processes and functional components. Rather than pigeonhole cyberevents as cybercrimes or privacy matters, as national security incidents, or as intellectual property matters, cybersecurity should incorporate each of these areas of concern as functional components of the discipline. Moreover, modern cybersecurity challenges present an operational dynamic. Therefore, planning for cybersecurity defenses is akin to planning military operations. An adversary is likely to probe for weak points; therefore, a defender must use risk management planning techniques and be agile in order to respond to attacks. A disciplinary construct for cybersecurity that incorporates its many components can act as a method for comprehensively addressing the revolutionary changes that are occurring in cyberspace.

Question

A federal agency is planning to create a specialized department to monitor e-mail messages. The department will identify potentially malicious communication in the information exchanged between its employees and external entities. The agency is wary of terrorist attacks during communication exchanges with external private agencies. Preventing terrorist attacks and organized-crime money laundering tops the agency's list. The department is required to store massive amounts of data in a highly secure manner. Additionally, an entire legal framework has to be created to ensure that the collection of this data is done in a legally sound manner. The agency has given you the following draft list of aspects on which the cybersecurity plan could focus. Your boss asks you to narrow the list to those aspects that would be most appropriate for the plan to focus upon.

Options

a. Integrity, because unauthorized individuals or systems should be unable to modify the information being exchanged
b. Personal privacy, because it is an important aspect of cybersecurity and related to e-mail communication
c. Information sharing, because information exchanged between agencies would be strategic in nature
d. Confidentiality, because only authorized individuals or systems should access certain types of information
e. National security, because information being exchanged is related to the government and will be of a classified nature
f. Risk mitigation, because it is an important aspect of cybersecurity since national security cannot be compromised
g. Cybercrime, because money laundering carried out while information is being exchanged electronically is an example of a cybersecurity breach

Correct Answer: Options b, e, f, and g

Feedback: Aspects such as confidentiality and integrity from the Confidentiality, Integrity, and Availability (CIA) triad are most commonly associated with the narrow scope of traditional information security rather than cybersecurity. Cybersecurity incorporates a wide number of disciplines and has grown beyond the older, narrowly focused field of information security. It should be looked at as a new discipline in itself and include a variety of aspects such as national security, personal privacy, cybercrime, information sharing, and risk mitigation as functional components.

Topic 5: The Analogous Asymmetric Threat of Terrorism

The Impact of 9/11

The Internet's Maginot Line

Then

Step 1: France thought it had learned its lessons from World War I, when it was invaded by Germany. As part of France's national defense strategy, it constructed the Maginot Line around part of its border.
Step 2: The French built a series of fortifications in a static defensive line that was thought to be impenetrable.
Step 3: During World War II, mobile German forces bypassed the Maginot Line by attacking through Belgium.

Now

Step 1: The Internet has its own Maginot Line that confers advantages to attackers instead of defenders.
Step 2: Static defenses in a network await attacks from anonymous, unseen vectors, cloaked by proxy servers and compromised bot networks. In this way, the Internet can enable an asymmetric attack that is similar to the blitzkrieg attack past the Maginot Line.
Step 3: Cybersecurity strategies must address these unseen vectors. Dynamic approaches and broad situational awareness are the hallmarks of a new strategy for defending against asymmetric threats.

Presidential Decision Directive

The threat to interconnected networks was recognized during the Clinton administration. In 1998, Presidential Decision Directive 63 (PDD-63) was signed. Well before the evolution of cyberthreats as we now know them, PDD-63 stated:

As a result of advances in information technology and the necessity of improved efficiency, however, [nation critical] infrastructures have become increasingly automated and interlinked. These same advances have created new vulnerabilities to equipment failure, human error, weather and other natural causes, and physical and cyberattacks. Addressing these vulnerabilities will necessarily require flexible, evolutionary approaches that span both the public and private sectors, and protect both domestic and international security (The White House, 1998, p.1).

Reference: The White House. (1998, May 22). The Clinton Administration's policy on critical infrastructure protection: Presidential Decision Directive 63. Retrieved from the National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center Web site: http://csrc.nist.gov/drivers/documents/paper598.pdf

PDD-63 envisioned public-private partnerships and the creation of Information Sharing and Analysis Centers (ISAC) among different sectors of the economy.

Post-9/11 Development

After the terrorist attacks on September 11, 2001, the federal government rapidly pursued critical infrastructure protection. Homeland Security Presidential Directive 7 (HSPD-7) replaced PDD-63. HSPD-7 described U.S. policy as follows:

It is the policy of the United States to enhance the protection of our Nation's critical infrastructure and key resources against terrorist acts (The White House, 2003).

Reference: The White House. (2003, December 17). Homeland Security Presidential Directive 7. Retrieved from the U.S. Department of Homeland Security Web site: http://www.dhs.gov/xabout/laws/gc_1214597989952.shtm

The secretary of homeland security was charged with coordinating the nation's efforts to protect critical infrastructure. HSPD-7 established a sector approach to accomplish its mission. Government agencies in particular sectors were responsible for coordinating and implementing the National Infrastructure Protection Plan (NIPP) within those sectors. The sector approach enabled a degree of integration between the public and private sectors with respect to cybersecurity. However, the challenge of this strategy lies in adequately addressing asymmetric threats that can exploit unguarded weak spots across sectors. That is, while the government was organizing vertically, threats could appear horizontally across the verticals. Indeed, that is the very nature of an asymmetric threat.

Topic 5: The Analogous Asymmetric Threat of Terrorism

Findings of the 9/11 Commission

Asymmetric attack is not a new phenomenon. The 9/11 Commission, which issued its report following the terrorist attacks of 2001, recognized that stovepipes, centralized bureaucracies, and the government itself were impediments to the dynamic sharing of information that is needed to counter a sophisticated, dynamic, and asymmetric threat. An asymmetric threat is compounded by cyberspace because of its automation. The challenge is more complex than just uncovering cells of terrorists. In cyberspace, targets range from bots to hidden exploits to unforeseen vulnerability vectors.

Findings of the 9/11 Commission

Finding 1

As presently configured, the national security institutions of the U.S. government are still the institutions constructed to win the Cold War. The United States confronts a very different world today. Instead of facing a few very dangerous adversaries, the United States confronts a number of less visible challenges that surpass the boundaries of traditional nation-states and call for quick, imaginative, and agile responses (9/11 Commission, 2004, p. 399).

Finding 2

We recommend significant changes in the organization of the government. We know that the quality of the people is more important than the quality of the wiring diagrams (9/11 Commission, 2004, p. 399).

Finding 3

The importance of integrated, all-source analysis cannot be overstated. Without it, it is not possible to "connect the dots." No one component holds all the relevant information (9/11 Commission, 2004, p. 408).

Finding 4

We propose that information be shared horizontally, across new networks that transcend individual agencies (9/11 Commission, 2004, p. 418).

Reference: National Commission on Terrorist Attacks upon the United States (9/11 Commission). (2004, July 22). The 9/11 Commission report. Retrieved from http://www.9-11commission.gov/report/index.htm

Topic 5: The Analogous Asymmetric Threat of Terrorism

The Westphalian Model

Attacker

Asymmetric threats should generally be met with a domestic strategy, but attacks also can originate from outside the United States. Attackers from outside the country can enjoy both anonymity and sovereign protection. In other words, the nation-state or Westphalian model upholds the sovereignty principle behind which attackers can hide.

National Borders

A nation's borders are more than physical lines on a map. Borders are deemed legitimate and inviolable by international legal constructs. A nation enjoys sovereign rights with respect to its borders. A cyberattack can damage a country's assets just as a physical invasion can, but when the cyberattack is launched from abroad, the attackers can enjoy the protection offered by the sovereignty of the countries from which they operate.

Shield from Outside Interference

The Westphalian international system effectively insulates the world from effective cybersecurity. The horizontal mechanisms needed to combat asymmetric threats are difficult to establish under this structure. A universal right to violate the sovereignty principle in the interest of upholding a higher principle—protecting the Internet—would have to emerge in order to enable the 9/11 Commission's findings to be effective in the Westphalian model.

Try This!

The quotations presented here come from the 9/11 Commission Report. Select the best-known outcome of each quoted recommendation.

Recommendation 1

As presently configured, the national security institutions of the U.S. government are still the institutions constructed to win the Cold War. The United States confronts a very different world today. Instead of facing a few very dangerous adversaries, the United States confronts a number of less visible challenges that surpass the boundaries of traditional nation-states and call for quick, imaginative, and agile responses (9/11 Commission, 2004, p. 399).

Reference: National Commission on Terrorist Attacks upon the United States (9/11 Commission). (2004, July 22). The 9/11 Commission report. Retrieved from http://www.9-11commission.gov/report/index.htm

Options
a. Increasing the national debt ceiling
b. Adding foreign counterterrorism to the FBI’s mission statement
c. Recruiting more personnel into the armed forces
d. Training more cyberforensic examiners

Correct Answer: Option b

Feedback: The 9/11 Commission's recommendation led to the FBI's focusing additional efforts on counterterrorism.

Recommendation 2

We recommend significant changes in the organization of the government. We know that the quality of the people is more important than the quality of the wiring diagrams (9/11 Commission, 2004, p. 399).

Reference: National Commission on Terrorist Attacks upon the United States (9/11 Commission). (2004, July 22). The 9/11 Commission report. Retrieved from http://www.9-11commission.gov/report/index.htm

Options
a. Increasing the use of contractors at the National Security Agency
b. Sharing intelligence with our allies
c. Increasing research and development funding for cybersecurity
d. Establishing the Department of Homeland Security

Correct Answer: Option d

Feedback: Establishing the Department of Homeland Security (DHS) was a recommendation of the 9/11 Commission.

Recommendation 3

The importance of integrated, all-source analysis cannot be overstated. Without it, it is not possible to 'connect the dots.' No one component holds all the relevant information (9/11 Commission, 2004, p. 408).

Reference: National Commission on Terrorist Attacks upon the United States (9/11 Commission). (2004, July 22). The 9/11 Commission report. Retrieved from http://www.9-11commission.gov/report/index.htm

Options
a. Hiring more intelligence analysts
b. Establishing the Office of the Director of National Intelligence
c. Providing merit pay increases for employees at the CIA
d. Reducing the number of intelligence agents deciphering messages in uncommon and complex languages

Correct Answer: Option b

Feedback: The establishment of the Office of the Director of National Intelligence (ODNI) resulted from the recommendations of the 9/11 Commission.

Recommendation 4

We propose that information be shared horizontally, across new networks that transcend individual agencies (9/11 Commission, 2004, p. 418).

Reference: National Commission on Terrorist Attacks upon the United States (9/11 Commission). (2004, July 22). The 9/11 Commission report. Retrieved from http://www.9-11commission.gov/report/index.htm

Options
a. Reducing the amount of classified information across the government
b. Sharing more intelligence with the public at large
c. Adopting the latest NIST recommendations on public key infrastructure
d. Increasing information sharing among federal agencies and departments

Correct Answer: Option d

Feedback: Information sharing among federal agencies and departments has increased since 9/11.

Recommendation 5

The U.S. government cannot meet its own obligations to the American people to prevent the entry of terrorists without a major effort to collaborate with other governments (9/11 Commission, 2004, p. 390).

Reference: National Commission on Terrorist Attacks upon the United States (9/11 Commission). (2004, July 22). The 9/11 Commission report. Retrieved from http://www.9-11commission.gov/report/index.htm

Options
a. Sharing only classified information with the private sector and with other levels of government
b. Sharing more information with the United Kingdom and Canada
c. Increasing the use of e-mail across the government
d. Developing new diplomatic relationships with adversaries of the United States

Correct Answer: Option b

Feedback: The U.S. government has increased intelligence sharing with the United Kingdom and Canada, which are among the five English-speaking countries that have a special relationship with DHS.

Topic 6: Defense-in-Depth Strategy

Defense in Depth in Cybersecurity

Changes in Network Security

Initially, network security requirements did not bring about revolutionary change. However, as networking sophistication grew, speeds improved, and information within networks increased in value, the threats that emerged necessitated a more robust security architecture. Consequently, defense in depth emerged as a preferred method for designing secure networks. In early 2011, the National Science Foundation (NSF) and the Networking and Information Technology Research and Development (NITRD) program, a federation of the research and development departments of federal agencies, met to assess the continued viability of defense in depth. They determined that defense in depth had come to be understood in static terms, and that network security features and applications were being designed to ensure compliance rather than to improve security. Their finding was that defense in depth was no longer viable; instead, dynamic approaches were preferred. Information security standards such as ISO 27001/27002 have created frameworks to enable design and security auditing, but there is a lack of real-time situational awareness among network defenders. Like the Maginot Line in France, many networks have static security features, whereas the asymmetric threat from cyberspace has become dynamic, persistent, and sophisticated.

Secure Network

Disclaimer: The storyline and characters in this part of the module are fictitious and were developed for the purposes of this course. No association with any real person, places, or events is intended or should be inferred from the use of the fictitious names.

Step 1: King William’s sources have warned him of an impending attack on his castle by the forces of his archenemy, King Edgar. King William has ordered the deployment of various defenses to protect his castle.

Step 2: His men fill the moat surrounding the castle, just outside the castle walls, with water to drown enemies that might come charging on foot.

Step 3: Guard towers along the walls house guards who keep an eye out for any suspicious movement outside the walls.

Step 4: Teams of sentries are stationed at every entry point to keep out anyone who is not authorized to enter the castle.

Step 5: A battalion of archers is positioned day and night along the walls of the castle, ready at any moment to defend it.

Step 6: King William’s various defenders are on duty day and night. Little do they know, though, that King Edgar’s men have been digging a tunnel under the castle.

Step 7: The tunnel dug by King Edgar’s men opens straight into King William’s castle. As soon as King Edgar’s men enter the castle, they attack King William's men.

Step 8: King William’s men are unprepared for this method of attack, and after a short battle, they surrender to King Edgar’s forces.

King William and his men had prepared themselves for the kind of attack they were used to. The defense-in-depth mechanism in place was static in nature. However, they were defeated by an unprecedented attack, one that was asymmetric in nature.

Topic 6: Defense-in-Depth Strategy

A New Disciplinary Construct

Defense in Depth in Cybersecurity

Defense in depth is not an obsolete methodology. The NITRD workshop pointed out a disconnect between the defense-in-depth concept "as applied" versus the concept "as intended." The strategy of defense in depth is intended to design controls and defenses at various belts or vulnerability points. This approach is similar to the risk management processes that have emerged from NIST and the Department of Defense. For example, host-based intrusion detection emerged under the defense-in-depth strategy. Host-based controls focus on a different vector and a different type of threat than gateway-associated controls and technologies.

Defense in depth is a useful concept for defending against an asymmetric threat. Determining the necessary depth and type of control requires a risk-based analysis. Dynamic planning in response to emerging conditions is the sort of methodology that works well when viewing cybersecurity as a discipline. For example, a defense-in-depth approach may require attention to a training control rather than a technological control. User training to defeat a certain tactic used by an adversary might prove more useful than a certain technology control. Approaching cybersecurity from a multidisciplinary mindset, one that considers policy, training, and strategy as complementary to security technology, is one way in which cybersecurity can be viewed as a new discipline.

Activity

Jonathan Brassard has investigated the case at Otto Processing Systems and its implications for national information security. He has recommended a defense-in-depth security strategy for the company. Identify the elements that Jonathan should include in his design of a defense-in-depth strategy for Otto Processing Systems.

Part 1

Which of the following controls should be considered when designing the defense-in-depth strategy for an organization like Otto Processing Systems? Arrange the controls in order of hierarchy to design a defense-in-depth strategy for Otto. (1 = Highest Priority; 6 = Lowest Priority)

Controls Order of Hierarchy

Internal Network Security

Vehicle Security

Perimeter Security

Policies, Procedures, and Awareness

Host Security

Power System Security

Personnel Security

Physical Security

Data Security

Correct Answer:

Controls Order of Hierarchy

Internal Network Security 4

Vehicle Security

Perimeter Security 3

Policies, Procedures, and Awareness 1

Host Security 5

Power System Security

Personnel Security

Physical Security 2

Data Security 6

Feedback for Correct Answer: In today's cybersecurity environment, organizations face a multitude of threats, most of which are not fully understood by all personnel in the organization. It is the chief information security officer's responsibility to educate management about the threats and to design an effective defense-in-depth strategy. In order for this strategy to be truly effective, it is often layered. Some of the related controls are human factor-oriented, such as policies, procedures, and security awareness, while others are more technically oriented. This human-factor orientation is the reason why a hierarchical structure is important to the defense-in-depth strategy. Different controls are needed to counter different threats, providing a further reason to have a layered approach that places multiple effective countermeasures against their corresponding threats.

Feedback for Incorrect Answer: While security does need to be in place for this type of system, the system itself is not part of the cybersecurity domain. Therefore, this system does not fit into the hierarchy of cybersecurity layers within the defense-in-depth strategy. In today's cybersecurity environment, organizations face a multitude of threats, most of which are not fully understood by all personnel in the organization. It is the chief information security officer's responsibility to educate management about the threats and to design an effective defense-in-depth strategy. In order for this strategy to be truly effective, it is often layered. Some of the related controls are human factor-oriented, such as policies, procedures, and security awareness, while others are more technically oriented. This human-factor orientation is the reason why a hierarchical structure is important to the defense-in-depth strategy. Different controls are needed to counter different threats, providing a further reason to have a layered approach that places multiple effective countermeasures against their corresponding threats.

Part 2: Defense in Depth

Here are the defense-in-depth controls in their order of hierarchy and the components they use.

Policies, Procedures, and Awareness

Policies, procedures, and awareness include various enterprise-wide controls that help employees understand the organization's overall security posture and the rationale for the controls. Examples of such controls are the corporate code of conduct and laptop encryption procedures.

Physical Security

Physical security includes controls like facility security and the use of biometric systems for access control. These controls are important because they can defeat such threats as an unwanted visitor entering the organization's premises and gaining access to high-security locations.

Perimeter Security

Perimeter security includes controls such as fencing systems and protective landscape devices. These controls are important because they help prevent criminals and undesirable visitors from entering the organization’s facilities.

Internal Network Security

Internal network security is a key technical component of most organizations’ cybersecurity plans. This category of controls includes countermeasures like network management systems that look for anomalies in user behavior, such as multiple unsuccessful logons and suspicious activity during non-business hours. This category of controls tries to prevent threats like network intrusions and hacker activities.

Host Security

Host security is a technical aspect of defense in depth. It provides a number of important countermeasures. For example, it can help prevent threats arising from weak authentication mechanisms and zero-day attacks against the company's IT infrastructure.

Data Security

Data security is another critical element of a successful defense-in-depth strategy. The countermeasures in this category are designed to prevent data theft and leakage. Common controls in this domain include endpoint security mechanisms and secure protocols such as SSH.
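The internal-network anomaly checks named above (multiple unsuccessful logons, activity during non-business hours) can be illustrated with a small detector. This is an added example written for this page, not material from the UMUC module or from Otto Processing Systems; the log format, the five-failures-in-ten-minutes threshold, and the 08:00 to 18:00 weekday business window are assumptions chosen for illustration.

```python
"""Added example: flag repeated failed logons and off-hours logons in a
constructed authentication log. Log format, thresholds and business hours
are assumptions made for this illustration, not values from the module."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Assumed line format:
# "<ISO-8601 timestamp> <user> <LOGIN_OK|LOGIN_FAIL> <source IP>"
# 2012-03-05 is a Monday; 2012-03-10 is a Saturday.
SAMPLE_LOG = """\
2012-03-05T09:02:11 alice LOGIN_OK 10.0.1.15
2012-03-05T09:05:40 bob LOGIN_FAIL 10.0.1.22
2012-03-05T09:05:52 bob LOGIN_FAIL 10.0.1.22
2012-03-05T09:06:03 bob LOGIN_FAIL 10.0.1.22
2012-03-05T09:06:15 bob LOGIN_FAIL 10.0.1.22
2012-03-05T09:06:30 bob LOGIN_FAIL 10.0.1.22
2012-03-05T09:07:01 bob LOGIN_OK 10.0.1.22
2012-03-05T13:40:00 carol LOGIN_FAIL 10.0.2.7
2012-03-05T16:40:00 carol LOGIN_FAIL 10.0.2.7
2012-03-06T02:17:45 dave LOGIN_OK 10.0.3.9
2012-03-10T11:00:00 erin LOGIN_OK 10.0.1.40
"""

FAIL_THRESHOLD = 5                   # failures inside the window that raise an alert
FAIL_WINDOW = timedelta(minutes=10)  # sliding window for counting failures
BUSINESS_START, BUSINESS_END = 8, 18 # 08:00-18:00 local time, Monday to Friday


def parse_line(line):
    """Split one log line into (timestamp, user, event, source_ip)."""
    ts, user, event, src = line.split()
    return datetime.fromisoformat(ts), user, event, src


def outside_business_hours(ts):
    """True on weekends or outside the assumed 08:00-18:00 window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def detect_anomalies(log_text):
    """Return a list of (rule, user, timestamp) alerts in log order.

    repeated_failed_logon: FAIL_THRESHOLD or more failures for one user within
        FAIL_WINDOW (reported once per user, at the failure that crosses it).
    off_hours_logon: a successful logon outside business hours.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failures
    already_flagged = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, _src = parse_line(line)
        if event == "LOGIN_FAIL":
            window = recent_failures[user]
            window.append(ts)
            # Drop failures older than the window so isolated failures spread
            # over hours (carol) do not accumulate into an alert.
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and user not in already_flagged:
                alerts.append(("repeated_failed_logon", user, ts))
                already_flagged.add(user)
        elif event == "LOGIN_OK" and outside_business_hours(ts):
            alerts.append(("off_hours_logon", user, ts))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect_anomalies(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule} user={user}")
```

On the constructed log this reports bob (five failures in under a minute), dave (02:17 on a weekday) and erin (a Saturday logon); carol's two failures three hours apart stay below the threshold.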

Part 3: Controls in Place

For each category and layer presented, select the controls that Jonathan needs to recommend so that Otto Processing Systems is protected from the kind of attacks it has faced.

Category 1: Physical Security

Layer 1: Physical Security

Options
a. Locked doors
b. Metal detectors
c. Security guards
d. Physical inspection of briefcases and handbags

Correct Answer: Options a and c

Feedback: Locked doors and security guards are both common physical security controls found in nearly all organizations. Metal detectors, along with physical inspection of briefcases, handbags, and similar items, are normally only implemented in high-security facilities such as government departments and defense contractors. Therefore, these controls would not normally be in place in a company such as Otto.

Layer 2: Perimeter Security

Options
a. CCTV
b. Firewalls
c. Virtual private networks
d. Roving security patrols

Correct Answer: Options b and c

Feedback: Within a network, firewalls and virtual private networks are two of the most popular types of perimeter security controls. In Otto’s business environment, CCTV and roving security patrols are not a common security practice based on the threats that they face; these types of controls would be considered excessive by most security professionals.

Layer 3: Internal Network Security

Options
a. Computer guards
b. Internal network security mechanisms
c. Network segments
d. Intrusion detection system

Correct Answer: Options c and d

Feedback: Presently, two of the most popular and cost-effective internal network security control components are to create network segments and to implement intrusion detection systems. For Otto, implementing additional and costly controls, such as computer guards (for example, internal firewalls between departments) and other internal network security mechanisms, is considered excessive for this organization.

Category 2: Host Security

Layer 4: Host Security

Options
a. Port controls
b. Firewall rule set configuration
c. Disabling TCP/IP
d. Not using SSH

Correct Answer: Options a and b

Feedback: Both port controls and firewall rule sets are common controls used by organizations in implementing their defense-in-depth strategy. Based on the information provided about Otto’s business operations and overall security posture, it does not appear necessary to disable TCP/IP or decline the use of SSH. If operating conditions change, these additional controls should be considered for implementation across the enterprise.

Layer 5: Server Hardening

Options
a. Hardening the operating system
b. Leaving the server in plain view
c. Not locking the closets where servers reside
d. Generating audit logs

Correct Answer: Options a and d

Feedback: As part of an enterprise's defense-in-depth strategy, hardening the operating system and generating audit logs are important controls to consider when hardening a server. Leaving the server in plain view or not locking the closets are security vulnerabilities and are therefore not part of an enterprise's defense-in-depth strategy.

Layer 6: Host-Based Firewall

Options
a. Enabling RAID 4 backup system
b. Inbound TCP/IP controls
c. Procuring three backup firewall devices
d. Installing a redundant firewall

Correct Answer: Option b

Feedback: Inbound TCP/IP controls can be very effective components in securing a host-based firewall. Enabling the RAID 4 backup system, procuring three backup firewall devices, and installing a redundant firewall would be considered excessive by cybersecurity professionals.

Layer 7: Virus Protection

Options
a. Implementing multiple virus products on workstations
b. Switching to a free antivirus tool
c. Installing virus updates
d. Asking employees to disable their personal firewalls

Correct Answer: Option c

Feedback: Receiving and implementing timely virus updates is an essential aspect of an effective virus protection plan for all IT-dependent organizations. Installing multiple virus products on workstations and asking employees to disable their firewalls are not practical solutions for a company like Otto. These added countermeasures are both complicated to implement and difficult to monitor and enforce.

Layer 8: Intrusion Prevention and Detection Systems

Options
a. Implementing a research honey pot
b. Zero-day attack prevention
c. Having employees monitor every user sign-on
d. Installing an Internet appliance device

Correct Answer: Options b and d

Feedback: Zero-day attack prevention and using an Internet appliance for detecting and preventing threats are common aspects of intrusion prevention and detection systems.

Implementing a research honeypot can provide valuable research information, but it is not an effective intrusion prevention or detection system. Additionally, having employees monitor every user sign-on is not a practical intrusion prevention or detection procedure.

Layer 9: Patch Management

Options
a. Applying patches without performing testing beforehand
b. Critical upgrades
c. Security updates
d. Waiting until an attack occurs, and then installing vendor-supplied patches

Correct Answer: Options b and c

Feedback: Critical upgrades and security updates are both very powerful and commonly used controls in patch management. Patches are software that needs to be tested just like a large software package to ensure reliability, stability, security, and interoperability with other software applications. Therefore, applying patches without testing them beforehand is a risky IT practice. Waiting for an attack to occur is an unwise cybersecurity practice, as it puts the enterprise in a very dangerous position where systems will be damaged and even destroyed.

Category 3: Data Security

Layer 10: Data Security

Options
a. Using SSL
b. Using S-FTP
c. Using Telnet
d. Implementing IPSec

Correct Answer: Options a, b, and d

Feedback: SSL, S-FTP, and IPSec are strong controls that enterprises use for defense in depth. Otto should not implement an insecure communications protocol such as Telnet because this is not in fact a control; instead, it would add a vulnerability.

Layer 11: Applications and Data

Options
a. Assigning a full-time ISO to monitor data security
b. Providing all users with the same level of access
c. Access control lists
d. Strong password controls

Correct Answer: Options c and d

Feedback: Access control lists and strong password controls, both of which are part of applications and data security, are important controls to use when implementing defense in depth. Assigning a full-time ISO to monitor data security would be excessive, and granting all users the same level of access would be an ill-advised approach to data security.

Topic 7: Moving from a Static to a Dynamic Paradigm

Legacy Frameworks

Static Standards

David Lacey was the primary author of the precursor to ISO 27002. He produced the main body of work for British Standard (BS) 7799, which became ISO 27002. ISO 27002 is a broad standard which describes security techniques, controls, threats, risks, and methods of organizing and coordinating information security in an enterprise. In January 2011, Lacey wrote that the product he produced, which became widely used within the industry, had become obsolete in the new Internet age.

Reference: Lacey, D. (2011, January 12). Security: Best practice or ancient ritual? Time to scrap ISO 27002 security standard says its author. Computerworld UK. Retrieved from http://www.computerworlduk.com/in-depth/security/3256436/security-best-practice-or-ancient-ritual/

Among information security practitioners, ISO 27001/27002 has been among the more robust standards. Many information security consultants and auditors use ISO 27001/27002 as their standard for compliance purposes. Lacey pointed out, though, that the standard is static. In essence, Lacey declared that his standard is not responsive to the dynamic, asymmetric nature of modern threats.

FISMA Standards

The federal government practices information security in accordance with the Federal Information Security Management Act (FISMA). Within FISMA, NIST is in charge of creating information security standards. The FISMA definition adopts the information security triad of Confidentiality, Integrity, and Availability (CIA). Thus, the federal government's approach to cybersecurity, at least in its statutory mandate, is to utilize the CIA triad. The definition of information security that informs FISMA does not address dynamic threats, criminal or national security aspects, asymmetric attackers, or other dimensions of the modern Internet dynamic. FISMA became law in 2002. Ten years later, the cybersecurity environment differs from FISMA's original information security definition.

Topic 7: Moving from a Static to a Dynamic Paradigm

A Dynamic Strategy for an Asymmetric Threat

National Strategy Reviews

Most national strategy reviews related to cybersecurity are focused on cyberspace or the components of cybersecurity. The federal government has produced The National Strategy to Secure Cyberspace, which represents the national strategy. Subsequently, another strategy document emerged from the White House in 2009, The Comprehensive National Cybersecurity Initiative (CNCI). The Obama administration presented the White House 60-day Cyberspace Policy Review that same year. The 9/11 Commission was not drawn from the national security community, representatives of which authored the strategy documents listed above. In addition, the 9/11 Commission was formed to study a specific problem, how the 9/11 attacks occurred. Its charge was not to accept that the status quo functioned properly. Indeed, the purpose of the commission was to ascertain why national security systems failed.

9/11 Commission

Ponder This

The 9/11 attacks were asymmetric in nature, and asymmetric threats continue to exist today. The 9/11 Commission was set up after the attacks to uncover how they occurred and to recommend changes to address their root causes. What lessons can we learn from the 9/11 attacks that will help us combat asymmetric threats in the cyberworld?

Jonathan uses the findings of the 9/11 Commission when he talks to his team about the approach they need to adopt for their own commission. Here is a transcript of the discussion Jonathan has with his team.

Jonathan: Hi, team. I think we should take a cue from the 9/11 Commission and their findings for how we conduct our research.

Jonathan: As you know, the 9/11 Commission focused on terrorism and explored how government operated, its effectiveness and its gaps.

Team Member 1: Yes, Jonathan. The public environment during the commission’s proceedings was one of intense commitment to uncovering facts and ensuring another 9/11 doesn’t happen.

Jonathan: That's right. The approach of the commission was to be extremely open to receiving information and engaging in critical analysis of how government should operate in a new era of terrorism.

Team Member 2: Are you saying that we should also adopt a policy of reviewing all information available to us?

Jonathan: Yes, I am.

Team Member 2: The commission found that when they were piecing together bits of information, government agencies had emphasized classification over information sharing.

Team Member 2: This particular finding has tremendous application when it comes to dealing with an asymmetric threat from cyberspace.

Team Member 3: Countering terrorism requires extensive and effective information sharing.

Jonathan: Yes, so what I see is that we need to refashion cybersecurity approaches and start from scratch in much the same way the 9/11 Commission did.

Team Member 3: That means we need new fact-finding procedures to guarantee that all the dimensions of cybersecurity are fully understood.

Team Member 2: Yes, that step is imperative because the asymmetric nature of the threat mandates that we consider dynamic solutions.

Jonathan: OK, team, now let's look at another recommendation from the 9/11 Commission. This recommendation looks like it applies to improving situational awareness in order to meet the asymmetric threat.

Recommendation

"We propose that information be shared horizontally, across new networks that transcend individual agencies." (9/11 Commission, 2004, p. 418)

Reference: National Commission on Terrorist Attacks upon the United States (9/11 Commission). (2004, July 22). The 9/11 Commission report. Retrieved from http://www.9-11commission.gov/report/index.htm

Reflect

What does Jonathan's proposed recommendation mean to you? How would it apply in a new cybersecurity discipline? How could a cybersecurity strategy be designed to incorporate this recommendation?

Topic 8: Summary

We have come to the end of Module 1. The key concepts covered in this module are listed below.

Revolutions, such as the Industrial Revolution, the American Revolution, and the formation of nation-states, brought with them shifts in how society functioned. Similarly, the Internet age has brought a revolution in the ways we communicate with each other, do our shopping, pursue our daily activities, and conduct business.

With every major change, a paradigm shift occurs. Understanding this paradigm shift is made easier by Thomas Kuhn's work on the dynamics of new-field emergence. Kuhn's work suggests that a new scientific domain must gain acceptance before beneficial work in that domain can begin.

The Kuhn cycle can be used to explain the scientific analysis of a revolutionary change. The cycle has five phases: normal science, model drift, model crisis, model revolution, and paradigm shift.

As cybersecurity is largely undefined, new disciplinary constructs must emerge in order to meet the cybersecurity challenge effectively.

To address the cybersecurity challenge, horizontal information sharing is required among nations throughout the world.

The Westphalian nation-state model allows cyberattackers to enjoy both anonymity and sovereignty protection. Hackers can take refuge within their nations' borders. Thus, the Westphalian model prevents the effective implementation of cybersecurity.

The preferred method for designing secure networks is based on defense in depth. This method uses dynamic planning and risk-based analysis to counter asymmetric threats.

Defense in depth uses a layered approach that places multiple effective countermeasures against corresponding threats. It has a hierarchical structure with different controls to counter different threats.

Many information security consultants and auditors use ISO 27001/27002 as their standard for compliance purposes. However, this standard is static and is therefore unresponsive to dynamic threats.


Glossary

Asymmetric Attack: An asymmetric attack is a strategy between adversaries possessing different capabilities, strengths, and weaknesses whereby the attacking party chooses tactics and vectors that target the defender's weaknesses and avoids strength-on-strength confrontations. In cyberspace, this strategy refers to features of the Internet such as connectivity to critical infrastructure, anonymity, and remote access.

Backdoor: A backdoor is a remote access point for software that allows remote connectivity. Though originally intended for debugging purposes, backdoors are currently used for remote command and control actions.

Cybercrime: Cybercrimes are criminal acts that are committed using a computer as a tool or target, such as hacking, Internet fraud, and identity theft.

Defense in Depth: Defense in depth is a comprehensive system of network security that involves adding many layers of security between the threat and the targeted asset to impede any intruder's progress toward the asset.

E-Commerce System: An e-commerce system is a system of commerce used for buying and selling products or providing services over the Internet.

Federal Information Security Management Act (FISMA): The Federal Information Security Management Act (FISMA) mandates that government agencies maintain information security risks at a minimum level by developing annual security reports, risk assessments, configuration guidelines, continuity plans, security policies, and inventories of systems.

Firewall: A firewall is the hardware or software that prevents unauthorized users from accessing a computer or a network.

Homeland Security Presidential Directives (HSPDs): HSPDs are directives issued by the president of the United States regarding homeland security.

National Institute of Standards and Technology (NIST): NIST exists within the Department of Commerce and works to promote innovation and competitiveness by developing standards and technology.

Public Key Infrastructure (PKI): Public Key Infrastructure (PKI) is a system that consists of hardware, software, policies, processes, and people and is used to manage and control the creation, use, and storage of public-private key pairs.

Secure Sockets Layer (SSL): SSL is a standard security protocol that creates an encrypted link between a Web server and a Web browser to secure all data that passes between a Web site and a customer.