UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 1 of 39
Contents
Topic 1: Scenario, p. 2
    Scenario: It's a Steal!, p. 2
Topic 2: Module Introduction, p. 5
Topic 3: Advanced Persistent Threats, p. 6
    What Are APTs?, p. 6
    Policies and Procedures for Mitigation, p. 9
    Sarbanes-Oxley and APTs, p. 10
Topic 4: Emerging Vulnerabilities in Cybersecurity, p. 12
    Social Networks, p. 12
    Mobile Devices, p. 14
    Remote Hostile Takeovers, p. 17
    Cybersecurity Vulnerabilities in the Smart Grid, p. 18
Topic 5: Global Information Infrastructure Vulnerabilities, p. 20
    Stuxnet, p. 20
    A Shrinking World, p. 21
Topic 6: Elements of a Vulnerability Assessment, p. 22
    Vulnerability Assessment: Characteristics, p. 22
    Steps in Vulnerability Assessment, p. 23
Topic 7: New Approaches to Vulnerability Assessment, p. 26
    Approaches and Frameworks, p. 26
Topic 8: Activity, p. 28
    Activity: Vulnerability Assessment, p. 28
Topic 9: Summary, p. 36
Glossary, p. 37
Topic 1: Scenario
Scenario: It's a Steal!
Vulnerability Assessment CSEC670—Module 2
It's a Steal!

BuyBig is a successful retailer that sells televisions, computers, and other electronics. One of the first retailers to launch an online shopping portal, BuyBig offers its customers easy, round-the-clock access to 10,000 products. So far, BuyBig's foray into cyberspace has led to a sharp increase in sales and heightened customer satisfaction. Recently, a major hacking incident has been discovered in which sensitive customer information was stolen from a major competitor, Electronics Buzz. BuyBig's management is concerned about their security, and they are rethinking the company's security strategy.

Scenario

BuyBig is a multinational electronics retailer with operations in the United States, Canada, China, Singapore, Latin America, and Europe. The company generates more than $10 billion in annual revenue and employs more than 70,000 people worldwide. It serves its customers through retail outlets and its Web site.

BuyBig's management is very concerned about a security breach at Electronics Buzz, its biggest competitor. The breach has compromised personal information belonging to 2.6 million customers. Electronics Buzz received a lot of negative media coverage, and as a result, its stock price has dropped 15 percent. BuyBig has had routine security patch issues in the past, but there have not yet been any security incidents that hurt its reputation or financial position. The company's management wants to ensure that nothing bad happens now.

Chelsea Smith, CISO

Chelsea Smith has been the Chief Information Security Officer (CISO) at BuyBig for the past five years. Before that, she was a senior cybersecurity advisor at the Pentagon. Chelsea has installed a very robust IT security system at BuyBig. However, because of financial pressures in the retail electronics industry, her budget has been decreasing every year. Chelsea has advised Ryan Smith, the current Chief Information Officer (CIO), that the company needs additional tools and resources to ensure that its security is not compromised.

Ryan Ford, CIO

Ryan Ford has been with BuyBig for the past nine years. He is extremely worried about the incident at Electronics Buzz. Having moved most of its business online, BuyBig cannot afford a security breach like the one at Electronics Buzz.

Jim Strader, CEO

Jim Strader has been with BuyBig for the past 11 years. He led the company to its position as market leader, and during his tenure, customer satisfaction has reached record levels. Jim has been responsible for expanding the company's online presence, as well as its focus on superior product selection, service, and customer experience. He believes that the customer's trust is of supreme importance.

Ryan stops by Chelsea's office with a copy of USA Now. A front-page article describes a security breach at Electronics Buzz. Ryan has just had a conversation with Jim about the news. Jim wants to avoid a similar situation at any cost. Here is a transcript of the conversation between Chelsea and Ryan.

Ryan: Hi, Chelsea. Did you see the front page of today's USA Now?
Chelsea: Yes, hackers broke in and stole 2.6 million customer records!
Chelsea: It seems the hackers may have been operating from outside the United States.
Ryan: I remember our discussion regarding the cost of system security when we put together this year's budget.
Ryan: Jim's very concerned, too. Do you think we could be vulnerable to such an attack?
Chelsea: We have some great monitoring tools in place, so I don't think we're as vulnerable as Electronics Buzz.
Chelsea: However, I still believe that we need to increase capital spending in this area.
Chelsea: Security threats and vulnerabilities are increasing dramatically.
Ryan: You do have a point. However, we just had our last quarterly budget meeting for the fiscal year.
Ryan: Right now, the company's earnings are below projections. We need to further cut expenses.
Chelsea: Ryan, I understand that we have budget constraints, but look at the reputational damage as well as the financial impact of the breach at Electronics Buzz.
Chelsea: Their stock price is down 15 percent, and they will have to pay for the reissue of credit cards and other penalties.
Chelsea: When the dust settles, this incident may cost them millions.
Ryan: OK, what do you think we should do?
Chelsea: We need to perform a vulnerability assessment.
Chelsea: If you recall, we started one a few years ago, but then we realized we did not have anyone who could work on it.
Chelsea: The threat and vulnerability landscape has changed since then, so we can use the format, but we'll have to start over.
Ryan: That will be quite expensive.
Chelsea: Yes, but not as expensive as it would be after a security breach!

What Are Their Concerns?

Chelsea (thinking): This is my job. I am a cybersecurity expert. There are many cybersecurity threats to BuyBig. A cyberbreach could ruin BuyBig's reputation and cost more money in the long run.

Ryan (thinking): I want to protect my job and the entire enterprise. I know security is important, but our expenses are too high and our stockholders expect dividends. How do I juggle BuyBig's competing priorities?

Jim (thinking): I want to protect the company in an atmosphere of shrinking margins in the retail electronics industry. I don't want to see the incident that happened at Electronics Buzz repeat itself at BuyBig.
Topic 2: Module Introduction
An information security vulnerability assessment can be described as a process that is used to identify and understand vulnerabilities in the confidentiality, integrity, and availability of data contained in a system.
This module examines the composition of an effective vulnerability assessment, how a vulnerability assessment is developed, factors to consider while developing it, and finally, the process of rolling it out to an organization. A number of organizational factors need to be considered while developing and rolling out security policies. This module also covers present and future threats, including vulnerabilities at the enterprise, national, and international levels. It also delves into effective management policies for countering the risks associated with cyberattacks, emerging vulnerabilities, and global vulnerabilities.
Topic 3: Advanced Persistent Threats
What Are APTs?
Advanced Persistent Threats (APTs) are a new class of threats that have been observed and categorized over the past few years. APTs are considered "advanced" both in the methods they employ and in the nature of the threats themselves, which are commonly deployed by state actors (Tankard, 2011, p. 16). Methods of initial entry can include fairly standard forms of malware or social engineering. However, the attack methods that follow a breach are highly sophisticated, and frequently involve improvised recompilation of malware code and the use of encryption to evade detection (Tankard, 2011, p. 16). The term "advanced persistent threat" was coined after the Operation Aurora attacks in 2009 against companies such as Google, Adobe Systems, Juniper Networks, Rackspace, Yahoo!, Symantec, Northrop Grumman, and Dow Chemical.

The Methodology of a Typical APT

Step 1
Attackers can use a variety of methods to gain a foothold in a target's network. Social engineering techniques and malware insertions into servers are two very popular methods.

Step 2
The attacker opens a shell prompt to see whether the victim's system is mapped to a network drive.

Step 3
If the victim's system is mapped to a network drive, the attacker initiates a port scan of the system.

Step 4
The port scan informs the attacker about available ports, services running on other systems, and network segment identification.

Step 5
The attacker can now maneuver to execute command and control functions such as data exfiltration from victims (Tankard, 2011, p. 17).
Reference: Tankard, C. (2011, August). Advanced persistent threats and how to monitor and deter them. Network Security, 2011(8), 16-19. doi:10.1016/S1353-4858(11)70086-1
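Steps 3 and 4 above are the point at which an intruder who already holds a foothold starts mapping the network, and that port-scanning phase leaves a distinctive trace in connection logs. The following detector is an added illustration (not from the module or from Tankard, 2011): it flags a source that touches many distinct ports on one host within a sliding time window. The log format, hosts, ports and thresholds are constructed assumptions.

```python
"""Added illustration: sliding-window port-scan detection over a constructed
firewall connection log. Nothing here comes from the module or Tankard (2011);
the log format, addresses, port list and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <src> <dst> <dport> <ALLOW|DENY>"
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389]


def build_sample_log():
    """Constructed sample: one fast scan, one slow scan and benign traffic."""
    base = datetime(2012, 3, 1, 9, 0, 0)
    lines = []
    # Fast scan: a compromised workstation probes 12 ports on a server in 12 s.
    for i, port in enumerate(SCAN_PORTS):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.1.5.23 10.1.5.40 {port} DENY")
    # Slow scan: the same 12 ports against another host, one probe every 5 min.
    for i, port in enumerate(SCAN_PORTS):
        ts = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} 10.1.5.77 10.1.5.41 {port} DENY")
    # Benign: a workstation alternating between SMB (445) and HTTP (80).
    for i in range(20):
        ts = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{ts} 10.1.5.50 10.1.5.40 {445 if i % 2 else 80} ALLOW")
    return "\n".join(lines)


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_port_scans(log_text, threshold=10, window_seconds=60):
    """Return one alert per (src, dst) pair in which the source touches at
    least `threshold` distinct destination ports inside any window of
    `window_seconds`. The alert is raised at the first moment the threshold
    is met and records how many of the windowed connections were denied."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port, action)]
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, action = parse_line(line)
        events[(src, dst)].append((ts, dport, action))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()
        port_counts = defaultdict(int)  # distinct ports currently in window
        denies = 0
        left = 0
        for ts, port, action in evs:
            port_counts[port] += 1
            denies += action == "DENY"
            # Slide the window: drop events older than window_seconds before ts.
            while evs[left][0] < ts - window:
                _, old_port, old_action = evs[left]
                port_counts[old_port] -= 1
                if port_counts[old_port] == 0:
                    del port_counts[old_port]
                denies -= old_action == "DENY"
                left += 1
            if len(port_counts) >= threshold:
                alerts.append({
                    "src": src,
                    "dst": dst,
                    "distinct_ports": len(port_counts),
                    "denied": denies,
                    "window_start": evs[left][0],
                    "window_end": ts,
                })
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(build_sample_log()):
        print(alert)
```

With the default 60-second window only the fast scan is flagged; the slow scan stays below the threshold until the window is widened (for example to 3600 seconds), which is the usual trade-off between catching low-and-slow reconnaissance and raising false positives on busy hosts.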
Topic 3: Advanced Persistent Threats
Policies and Procedures for Mitigation
An organization will remain highly vulnerable if it does not maintain an awareness of APTs, together with the appropriate hardware, software, and IT policies to detect, respond to, and mitigate such threats. The most effective way to establish policies and procedures that mitigate APTs depends on executive-level support for security initiatives, in the form of both approval and funding.
Here are some measures that can mitigate or prevent APTs.
Risk Assessments
Risk assessments are a fundamental part of strategic decision making. The use of threat information collected by federal government agencies—such as the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and others—is necessary to put effective security decisions in place (Grayson, Peters, & Conrades, 2007, p. 21).

Reference: Grayson, M. E., Peters, G., & Conrades, G. (2007, January 16). The NIAC convergence of physical and cyber technologies and related security management challenges working group. Retrieved from U.S. Department of Homeland Security Web site: http://www.dhs.gov/xlibrary/assets/niac/niac_physicalcyberreport-011607.pdf
Guidelines for Sharing Information
Attackers that launch APTs carry out reconnaissance, gathering significant amounts of information from social networking sites and other Web sites. Therefore, a crucial element of security policy involves indicating the types of company information employees can and cannot share publicly.
Separation of Duties
Separation of duties is another mandatory attribute of effective internal security protection for an organization. It is risky to give any single person full system access and control, whether under a role-based, mandatory, or other model, without the proper access control model in place. For example, an employee could harbor nefarious motives and decide to act on them in a technically sophisticated way.
Topic 3: Advanced Persistent Threats
Sarbanes-Oxley and APTs
It has been argued that the requirements of the Sarbanes-Oxley Act of 2002 (SOX) make it "appropriate" for organizations subject to the law to include cybercrime-related risks in their risk assessment programs (Moore, 2010, p. 29). Section 302 of SOX "requires public companies' management to attest to the adequacy of internal controls over financial reporting," while Section 404 "requires the companies' auditors to attest to and report on management's assessment of internal controls" (Moore, 2010, p. 30). Reporting risks from APTs and other forms of cybercrime as part of SOX compliance correlates directly with the objectives of the vulnerability assessment, because the assessment defines risk areas and weaknesses across an enterprise. In addition, new SEC guidelines provide that a cyberintrusion should be considered a "material event." Once the vulnerabilities are identified, the enterprise can deploy resources to mitigate them.

Reference: Moore, J. W. (2010). From phishing to advanced persistent threats: The application of cybercrime risk to the enterprise risk management model. Review of Business Information Systems, 14(4), 27-36. Retrieved from http://journals.cluteonline.com/index.php/RBIS/article/view/358/347
SOX Section 302

The Sarbanes-Oxley Act of 2002, Section 302,

    requires public companies' management to attest to the adequacy of internal controls over financial reporting. … Under Section 302, management is responsible for establishing, maintaining, and regularly evaluating the effectiveness of its internal controls over financial reporting. If deficiencies are found, they must be evaluated in two dimensions, significance and likelihood, to identify their relative significance … The evaluation of internal control deficiencies must consider whether the internal control system is incapable of stopping material errors from entering the financial statements. This requires considering the likelihood of that happening (from remote to probable) and the significance of a potential misstatement (from immaterial to material) (Moore, 2010, p. 30).

In addition,

    those deficiencies that have a more than remote likelihood of occurring will have to be disclosed in the opinion, if they are judged to be material. Those significant deficiencies that do not rise to the level of a material weakness will not be reported out but need to be discussed with the audit committee (Moore, 2010, p. 30).
SOX Section 404
Section 404 of SOX requires a public company's "auditors to attest to and report on management's assessment of internal controls" (Moore, 2010, p. 30).
Complying with SOX alone will not ensure that an enterprise is protected. However, the vulnerability assessment can be leveraged to mitigate risks responsibly and protect the enterprise.
Topic 4: Emerging Vulnerabilities in Cybersecurity
Social Networks
Case Study

Over the past few years, social media has increased exponentially in popularity, with Facebook and Twitter leading the way. Social networking sites add a whole new dimension of personal information vulnerabilities for federal agencies, businesses, and individuals. Sensitive information may be inadvertently communicated to potential hackers via social media. The matter is further complicated for users by frequent changes in the privacy settings and terms of use for these sites. For example, in 2010-11 alone, Facebook's layout and privacy settings changed several times.

On July 4, 2011, hackers compromised Fox News's Twitter feed and falsely reported that President Obama had been killed while campaigning at a restaurant in Iowa. In this case, hackers were behind the controversial post; from it, one can imagine the potential effect of an individual making a single ill-advised post on a social network.

Reference: Robbins, L., & Stelter, B. (2011, July 4). Hackers commandeer a Fox News Twitter account. The New York Times. Retrieved from http://www.nytimes.com/2011/07/05/business/media/05fox.html
Example Scenarios

Here are some vulnerabilities inherent in the use of social networking sites.

Disclaimer: The storyline and characters in this part of the module are fictitious and were developed for the purposes of this course. No association with any real person, places, or events is intended or should be inferred from the use of the fictitious names.

Jenny White, Secretary to the FAA Chief of Staff
Jenny posts a simple message on a social networking site about the weather in Orlando, Florida. Jenny's message on the social networking site: "Fantastic weather here in Orlando!" As secretary to the chief of staff of the Federal Aviation Administration, Jenny may have accidentally leaked information about where agency leaders are meeting.

Jim Coleman, Intern at the Pentagon
Jim is an intern at the Pentagon. He creates and uploads a message to a social networking site about how he's having a late night at work. Jim's update on the social networking site: "Yet another long night with pizza for dinner!!" Jim may have let the world know that something major is going on at the Pentagon, requiring staff to work late shifts.
Felicia Overland, Analyst, U.S. Department of the Treasury
Felicia works at the Treasury Department. She checks her social networking account during lunch and clicks a link posted by a friend. By clicking the link, Felicia may have launched malware that could compromise her work computer. The malware may or may not be detected by her antivirus software.
Topic 4: Emerging Vulnerabilities in Cybersecurity
Mobile Devices
Data Security Concerns

Scenario 1
Linda is taking a coffee break with her friend, Jesse. Linda checks her office e-mail and quickly updates her Facebook status via her Bluetooth device, while she and her friend wait for their coffee.

Question: What is the risk level for the data on Linda's phone?
a. High
b. Medium
c. Low
Correct Answer: Options a and b

Feedback for High and Medium: Linda could be an unsuspecting victim of a hacker using Bluetooth to access the data on her mobile device. The hacker could be picking up a signal from her phone to gain access to and compromise her e-mail and other data. The attacker could use her phone to make long-distance calls, change phone numbers in her address book, or eavesdrop on her conversations. Therefore, the risk level for the data on Linda's phone could be High or Medium.

Feedback for Low: Today's smartphones are in the category of small-scale digital devices. They have numerous features and can store proprietary, open source, trusted, and malicious software applications. Therefore, the risk level for the data on Linda's phone could be High or Medium.

Scenario 2
James has set his smartphone to use the grocery store's free, unsecured wireless network while he is shopping. His wife sends him an e-mail to buy extra items. James accesses the e-mail using the store's wireless network. However, James is unaware that an employee in the store has installed a sniffer to capture customers' e-mails.

Question: What is the risk level for the data on James's smartphone?
a. High
b. Medium
c. Low
Correct Answer: Options a and b

Feedback for High and Medium: While James is viewing the shopping list on his mobile phone, the sniffer would have captured his e-mails. This would allow the hacker to access all of James's data and thus compromise his privacy. Therefore, the risk level for the data on James's smartphone could be High or Medium.

Feedback for Low: Public wireless networks are very convenient, but often insecure for users. From a cybersecurity perspective, James would have been better off using the data plan through his wireless carrier. Therefore, the risk level for the data on James's smartphone could be High or Medium.

Scenario 3
Suzanne has had a busy day at work, and she needs a break. She walks away from her workstation to find a quiet corner where she can play her favorite online game on her mobile phone. Ten minutes later, Suzanne is engrossed in the game and making micropayments to purchase virtual goods for the game.

Question: What level of data security risk has Suzanne assumed by taking her break to play some online games?
a. High
b. Medium
c. Low
Correct Answer: Options a and b

Feedback for High and Medium: Suzanne is vulnerable; her micropayments show up as charges on her mobile phone bill. A malicious virus-maker could take advantage of the micropayments by issuing "reverse SMS" orders. Therefore, Suzanne should understand that from a cybersecurity perspective her risk level could be High or Medium.

Feedback for Low: Games and other freeware software are often embedded with malicious software such as viruses and worms. Therefore, Suzanne should understand that from a cybersecurity perspective her risk level could be High or Medium.

Protecting Mobile Devices

Protecting mobile devices is extremely important because their use for personal and business purposes is so widespread. As more people worldwide use mobile devices such as smartphones and tablet computers, vulnerability assessment for these areas must be expanded. In addition, vulnerability assessment needs to include not only specific users, but also others with access to their devices, such as family members. Mobile devices have unique vulnerabilities, such as differences in operating systems, service providers, speeds, architectures, and security protocols across networks. These differences will continue to increase the complexity of managing the security of mobile devices even as their role in global communications grows.

What the Numbers Say

A study of IT professionals found that "41 percent of IT professionals are carrying sensitive information on mobile devices unprotected" (Eddy, 2011). This study highlights the need to provide more security controls and raise awareness of the need for robust security for mobile devices. The same study found that "19 percent [of IT professionals] revealed that their organization had suffered a data breach following the loss of a portable device…with 54 percent confessing the device had not been encrypted" (Eddy, 2011).

Reference: Eddy, N. (2011, May 11). IT specialists at risk transmitting unsecure mobile data: Report. Channel Insider. Retrieved from http://www.channelinsider.com/c/a/Security/IT-Specialists-at-Risk-Transmitting-Unsecure-Mobile-Data-Report-725300/

How Safe Is Your Mobile Device?

Moving forward, it is critical to protect mobile devices, provide user training, and conduct vulnerability testing to protect the data that these devices contain. Some of the security vulnerabilities associated with mobile devices include:
- Monitoring of data transmissions and conversations while the device is in use
- The ability of the device to be compromised and used as a collector to monitor data or conversations in the device's vicinity even when it is inactive
- The ability of the device to be cloned and used by others to transmit data or make telephone calls
Topic 4: Emerging Vulnerabilities in Cybersecurity
Remote Hostile Takeovers
In the past few years, there have been a number of highly publicized remote hostile takeover attempts. Attack victims have ranged from factory machinery to unmanned aerial vehicles.

The Aurora Test

    Idaho National Laboratory created a 21-line piece of software code for an "Aurora test" that introduced destructive instructions into a closed computer network that "caused the generator to blow up," said Rep. Jim Langevin (D-R.I.) during a House Armed Services subcommittee hearing Sept. 23 [2010]. The 2007 test indicates that this kind of cyberweapon "is not just sitting around on a shelf somewhere." The Aurora test's target was a $1 million, diesel-powered, industrial electrical generator. The software caused the machine's circuit breakers to cycle on and off rapidly, causing vibrations so pronounced that the machine spewed black smoke and ground to a halt (Fulghum, 2010).

A comprehensive vulnerability assessment examines all the threats inherent to the specific technological system or apparatus.

Reference: Fulghum, D. A. (2010, September 28). Cyber-attack turns physical. Aviation Week. Retrieved from http://www.aviationweek.com/aw/generic/story_channel.jsp?channel=defense&id=news/asd/2010/09/27/05.xml
Topic 4: Emerging Vulnerabilities in Cybersecurity
Cybersecurity Vulnerabilities in the Smart Grid
The Smart Grid

The U.S. Department of Energy defines the Smart Grid as leveraging computer automation and remote control technologies to efficiently interconnect electric delivery and utility power origination systems. The Smart Grid uses computer technology and bilateral remote communications mechanisms that have been commonly used in other industries for many years. These systems comprise a connected electrical network that originates at wind farms and power plants, where electricity is generated, runs across high-voltage lines, and ends at businesses and homes. Smart Grid electrical systems provide energy efficiencies for utilities and consumers, along with other significant benefits, through the effective use of technology.

Reference: U.S. Department of Energy. (n.d.). How the Smart Grid promotes a greener future. Retrieved from http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/Environmentalgroups.pdf

Vulnerabilities

It is extremely difficult to design proper security controls in emerging industries such as the Smart Grid. The Smart Grid Interoperability Panel, a public-private partnership with more than 200 members, works collaboratively with the National Institute of Standards and Technology (NIST) on specific Smart Grid security issues. The panel has created a working subgroup, the Cyber Security Working Group (CSWG), to address security priorities. Based on this work, NIST has issued Guidelines for Smart Grid Cyber Security (Document NISTIR 7628), which details testing plans as well as security requirements and compliance. This is just one example of public-private collaboration in the area of defining vulnerabilities. Given the ever-changing technology and threat matrices, here are some potential vulnerabilities in the Smart Grid.
Hacking
Experts have stated that once hackers get inside the Smart Grid, they may have the ability to access an unlimited number of control devices, actuators, and meters across the power delivery system, allowing them to systematically take control of the system. Once they gain control, the hackers could shut off individual devices, or they could overload systems and devices, causing blackouts by unbalancing loads at the local level. This could cause a domino effect across the power grid, leading to blackouts in one area after another.

Insiders
In today's smart grid environment it is extremely difficult to design and implement proper security controls. If a troubled or disgruntled employee were to make improper or unethical decisions, the impact could be catastrophic.

External Threats
Although they are protected, most utility providers do not have the same level of security as other protected facilities. A well-organized, well-armed team of attackers could overwhelm a facility's physical security and cause damage.

Other Threats
The Smart Grid is vulnerable to many other threats, ranging from tornadoes in Kansas to hurricanes in Florida to earthquakes in California. To create an accurate vulnerability matrix, consideration must be given to all external and internal threats. Also, the vulnerability matrix must take into account critical but relatively unprotected elements such as dams, transformers, and transmission lines.

Consider This
Non-technical vulnerabilities may also affect an enterprise like the Smart Grid. These vulnerabilities may include tornadoes, hurricanes, earthquakes, floods, and other acts of nature. Other vulnerabilities may include work stoppages, physical security, or chemical, nuclear, or radiation attacks. All vulnerabilities should be considered.
Topic 5: Global Information Infrastructure Vulnerabilities
Stuxnet
In June [2010], a malicious code named "Stuxnet" — designed to attack precise elements of very specific pieces of equipment, perhaps even operating in closed networks — was identified by German researchers. … The code has infected thousands of machines in Pakistan, Iran, Indonesia and India, but has not been associated with any actual damage. The cyber-worm has not been identified in any U.S. systems, a DHS official says (Fulghum, 2010).
Stuxnet was created specifically as a cyberweapon. It was designed to target and compromise Supervisory Control and Data Acquisition (SCADA) networks. SCADA networks are primarily used in nuclear power plants, oil and gas refineries, and utilities. Considering that SCADA networks may or may not be connected to other networks, some attack techniques attributed to Stuxnet may not be feasible. However, the emergence of Stuxnet demonstrates the importance of having effective vulnerability assessment, as the threat landscape is continually evolving.
The U.S., China, Russia and Israel are not the only countries that write sophisticated algorithms and design them into computer worms and viruses, noted U.S. Army Gen. Keith Alexander, who testified to the full House Armed Services committee on Sept. 23 [2010]. (Fulghum, 2010).
Reference:
Fulghum, D. A. (2010, September 28). Cyber-attack turns physical. Aviation Week. Retrieved from http://www.aviationweek.com/aw/generic/story_channel.jsp?channel=defense&id=news/asd/2010/09/27/05.xml
Media Reports
Security expert Bruce Schneier has claimed that the depiction of Stuxnet in the media includes certain speculative details. He has also stated that doubts surround the postulated possible target: Iranian power plants and defense industries (Schneier, 2010). Some suggest that the worm came from Israel's Cyber Warfare Administration, which is a closely guarded secret operation (Woodward, 2010).

References:
Schneier, B. (2010, October 7). The story behind the Stuxnet virus. Forbes. Retrieved from http://www.forbes.com/2010/10/06/iran-nuclear-computer-technology-security-stuxnet-worm.html
Woodward, P. (2010). Israel: smart enough to create Stuxnet and stupid enough to use it. War in Context. Retrieved from http://warincontext.org/2010/10/01/israel-smart-enough-to-create-stuxnet-and-stupid-enough-to-use-it/
A Shrinking World
The nature of the Internet and worldwide connectivity has changed the traditional paradigm regarding proximity. In today's world, a bank that has an Internet presence looks the same to someone in St. Petersburg, Florida, as it does to someone in St. Petersburg, Russia. In theory, attacks originating from either place will look the same. As criminals get more sophisticated and the Internet provides more capabilities for speed and concealment, it is critical to ensure that vulnerability assessment includes proactive security measures ranging from network monitoring to internal sensing capabilities. Examining this from a pure vulnerability assessment perspective, all stakeholders must critically evaluate vulnerabilities not in terms of what has been done in the past, but in terms of what will be feasible in the future.
Topic 6: Elements of a Vulnerability Assessment
Vulnerability Assessment: Characteristics
The objective of a vulnerability assessment is to identify and value assets and analyze those assets in terms of potential threats and vulnerabilities, resulting in a ranking and prioritization of risks. The resulting information can be used to develop strategies to mitigate those risks. The challenge is directly proportional to the ever-changing threat landscape as well as an organization's ability to detect, avoid, and mitigate the vulnerabilities.
The threat landscape will continue to evolve as more sophisticated technologies become available.
Identifies Known and Potential Threats
A successful vulnerability assessment includes the vulnerabilities an organization is already aware of. More importantly, however, an organization needs the foresight to proactively identify vulnerabilities. This requires a dynamic vulnerability assessment process that is constantly monitored and updated based on situational awareness.

Defines Risk Mitigation Strategy
A thorough vulnerability assessment identifies the sensitivity of system components and information and the potential cost resulting from their exposure; it also correlates that information with the risks associated with the vulnerability and threat exposure. The vulnerability assessment is one of the initial steps in the creation of the overall risk mitigation strategy. An organization follows this process through the basic development, implementation, testing, and maintenance steps to create an effective enterprise-wide systems security plan. The first time an organization creates a vulnerability assessment, it will take a substantial amount of time and effort. Once the initial assessment exists, maintaining it takes less effort and should be integrated into the organization's ongoing information security program.

Offers Wide Scope
Vulnerability assessment includes all forms of risk, including human factors. Additionally, it should include nontechnical threats, such as natural disasters, accidents, and physical threats. Regardless of the kind of threat, organizations should limit, manage, and mitigate risks to the extent possible.

Customized to Industry Needs
In some industries, vulnerability assessments may focus primarily on the risks related to the specific industry and the tasks performed within it. For example, telephone providers share network and connectivity vulnerabilities. They, like many other industries and companies, must also include the vulnerabilities affecting customer information.
Steps in Vulnerability Assessment
Process
A vulnerability assessment starts at the enterprise level and drills down to the granular level to safeguard the assets of the organization. The vulnerability assessment process continues as a life cycle; as it goes through the four steps, every revolution of the process improves the organization's handling of vulnerabilities.

Information Gathering
This step includes capturing information on every area of an enterprise's vulnerabilities, including people, process, and technology.
People: The assessment gathers information on user access and user abilities, such as the ability to copy data, access USB drives, and access the Internet.
Process: The assessment captures activities such as the removal of terminated employees and responses to the loss of a notebook computer.
Technology: The assessment gathers information on technology components, equipment, and infrastructure, such as router settings, security equipment, patch management, and virus protection technologies.

Analyzing Data
This phase includes analyzing all of the information gathered. This step determines the potential impact of the loss, the probability of the loss, the direct and indirect risks, and the threats to the organization.
Prioritizing Responses
This step includes prioritizing the responses to the vulnerabilities, based on their business relevance and the impact on stakeholders.

Implementation
The final step includes implementation of solutions and action plans to responsibly mitigate the risks and vulnerabilities, based on priority to the organization.

Sample Vulnerability Assessment
Marjorie Jones is a vulnerability assessment expert with several years of experience in working with industrial and government clients. She has been hired to assess the physical risks and vulnerabilities faced by Skyline Heights, a prominent commercial complex in downtown Chicago.

Marjorie's Assessments

Introduction
Marjorie: Skyline Heights is a well-known landmark in Chicago, and it houses the headquarters of several prominent banks and other companies. The building could be vulnerable to a wide range of threats and risks, including terrorism and natural calamities. It's my job to find out what these are and to recommend solutions.

Information Gathering
Marjorie: The first step is to assess the threats that the building faces. In this step, it is necessary to gather the maximum amount of information about all the possibilities, regardless of their relevance and priority. I will look at all the possible types of threats, such as natural disasters, criminal activities, and accidents, and I will examine the likelihood of each threat. For example, since the building has a bank on the ground floor, it may be targeted by criminal gangs.

Analyzing Data
Marjorie: In the analysis stage, I will consider the likelihood and impact of each threat. The business impact takes into account each business function that could be impaired by an attack or accident, and the potential effect of such impairment. Each threat and loss is assigned a rating based on the nature of the business. The threat ratings used are Devastating, Severe, Moderate, and Minor. I will also assign a vulnerability rating based on the likelihood of the threats. The vulnerability ratings are Very High, High, Moderate, and Low.
Prioritizing Responses
Marjorie: After analyzing the threats and assigning ratings, a vulnerability matrix is created to help evaluate and prioritize responses. Here is the vulnerability matrix for the Skyline Heights complex.

Vulnerability matrix for Skyline Heights (rows: Impact of Loss; columns: Vulnerability Rating)
Impact of Loss | Very High | High | Moderate | Low
Devastating    |           |      |          |
Severe         |           |      |          |
Moderate       |           |      |          |
Minor          |           |      |          |

Interpretation of the risk ratings
High: These risks are high. Countermeasures recommended to mitigate these risks should be implemented as soon as possible.
Moderate: These risks are moderate. Countermeasure implementation should be planned in the near future.
Low: These risks are low. Countermeasures will enhance security, but implementation is of lower urgency than in the case of moderate or high risks.
Implementation
Marjorie: Based on the risk matrix, I will advise Skyline Heights on the measures and countermeasures to use to mitigate vulnerability. I will also include the potential cost of implementing the measures. As vulnerability assessment is a continuous process, the complex will need to be reevaluated frequently to determine the efficacy of the measures and identify any additional measures that are required.
Topic 7: New Approaches to Vulnerability Assessment
Approaches and Frameworks
Differences in Matrices
Organizations use many different vulnerability assessment approaches and control frameworks. Every government agency or business faces different threats and vulnerabilities. Here is a comparison of the differences in the vulnerability matrices for a national bank and an automobile manufacturer, based on their specific business needs.

Vulnerability Matrix for a Bank
Internet banking
ATM activity
Loan activity
Cash management
Teller activity

Vulnerability Matrix for an Automobile Manufacturer
Quality of assembly line performance
Parts and materials delivery
Shift worker/union activity data
Vehicle inventory
Intellectual property

Frameworks
For any framework to be effective, it must employ continuous monitoring and updating that is based on situational awareness and the threat landscape, in contrast to purely static control processes and frameworks. In the future, different frameworks and systems could be interlinked and coupled with artificial intelligence to raise the standards of vulnerability assessments and frameworks. Based on the different requirements, there are different approaches and frameworks.

Vulnerability Assessment Frameworks
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) by the Computer Emergency Response Team (CERT)
Committee of Sponsoring Organizations (COSO) Enterprise Risk Vulnerability Management
National Institute of Standards and Technology (NIST) Risk Management Framework

Vulnerability Metabases
Vulnerability and incident metabases that are used in the industry include:
Common Vulnerabilities and Exposures (CVE)
NIST's Internet-Categorization of Attacks Toolkit (ICAT) vulnerability indexing
The Open Source Vulnerability Database (OSVDB)
Vulnerability Notification Systems
CERT
Cassandra vulnerability updates by the Center for Education and Research in Information Assurance and Security (CERIAS)
Topic 8: Activity
Activity: Vulnerability Assessment
Introduction
PS Bank is a large commercial bank headquartered in the financial district of Manhattan. Over the past 16 years, this Wall Street organization has built a strong reputation as a successful and reliable institution, based largely on its custom-built trading software. The bank has a large network of 400 devices and runs an Active Directory infrastructure to help administer user rights. Since the economic downturn, the company has introduced cuts to the IT capital budget. The CIO and the staff have to work with older information systems and infrastructure components. The CIO welcomes the idea of a vulnerability assessment, since she believes that this process will highlight potential areas where the company can improve its cybersecurity. PS Bank has hired Usseus, a risk assessment company, to identify issues and potential threats to its network. Usseus has scanned the bank's network and identified a number of issues to address.

Vulnerability Assessment
Question 1: The Usseus scan report has identified issues in the network. The next step in the vulnerability assessment is to consider the potential impact of a successful attack as well as the vulnerability of assets. Then, PS Bank needs to define the risk ratings for the potential impacts. Assess the impact of loss or vulnerability to PS Bank by assigning a criticality rating to each issue identified in the network scan. How critical to PS Bank's business are the issues identified in the Usseus scan report?

Criticality Ratings
Devastating: These risks are extremely high. Countermeasures recommended to mitigate these risks should be implemented immediately. Action should be initiated within minutes or hours, depending upon the specifics, in order to mitigate loss.
Severe: These risks are high. Countermeasures recommended to mitigate these risks should be implemented as soon as possible. Action should be initiated within hours or days, depending upon the specifics, in order to mitigate loss.
Moderate: These risks are moderate. Countermeasures will enhance security, but implementation is of lower urgency than in the case of devastating or severe risk. Action could be initiated within days or weeks with moderate exposure, depending upon the specifics, in order to mitigate loss.
Minor: These risks are low. Countermeasures will enhance security, but implementation is of lower urgency than in the case of devastating, severe, or moderate risk. Action could be initiated within weeks or months with minimal exposure, depending upon the specifics, in order to mitigate loss.
Select the criticality rating for each issue.
Usseus Scan Report
Informational: Devices running operating system Windows 7 = 382, Windows XP = 18.
The following issues have been found. For each issue, select one criticality rating.

ID   | Name                                                                         | No. of Issues | Criticality Rating
1021 | Devices infected with rootkits                                               | 11            | Devastating / Severe / Moderate / Minor
1022 | Number of administrator accounts                                             | 12            | Devastating / Severe / Moderate / Minor
1023 | Number of active user accounts                                               | 415           | Devastating / Severe / Moderate / Minor
1024 | Number of user accounts not used in past 90 days                             | 3             | Devastating / Severe / Moderate / Minor
1025 | Types of services running on network: TCP/IP, FTP, Telnet, SSH, and Ethernet | 5             | Devastating / Severe / Moderate / Minor
1026 | Number of devices with social network software installed                     | 122           | Devastating / Severe / Moderate / Minor
1027 | Number of unpatched servers                                                  | 6             | Devastating / Severe / Moderate / Minor
1028 | One user account stored in two groups in Active Directory                    | 1             | Devastating / Severe / Moderate / Minor
Correct Answer:

ID   | Name                                                                         | No. of Issues | Criticality Rating
1021 | Devices infected with rootkits                                               | 11            | Devastating / Severe
1022 | Number of administrator accounts                                             | 12            | Devastating / Severe
1023 | Number of active user accounts                                               | 415           | Moderate / Minor
1024 | Number of user accounts not used in past 90 days                             | 3             | Moderate / Minor
1025 | Types of services running on network: TCP/IP, FTP, Telnet, SSH, and Ethernet | 5             | Devastating / Severe
1026 | Number of devices with social network software installed                     | 122           | Moderate / Minor
1027 | Number of unpatched servers                                                  | 6             | Devastating / Severe
1028 | One user account stored in two groups in Active Directory                    | 1             | Minor / Moderate
Question 2: PS Bank had earlier conducted a vulnerability assessment that assigned vulnerability ratings to potential threats that the bank faces. The bank will now use a combination of the criticality rating and the vulnerability rating to evaluate the potential risks to its business from the issues in the network scan. Evaluate the potential risk for each issue by assigning a risk level to it. Risk Levels
Extremely High: Countermeasures recommended to mitigate these risks should be implemented immediately.
High: Countermeasures recommended to mitigate these risks should be implemented as soon as possible.
Medium: Countermeasures will enhance security, but implementation is of lower urgency than in the case of high or extremely high risk.
Low: These risks are low. Countermeasures will enhance security, but implementation is of the lowest urgency.
Select the risk factor for each issue.

Usseus Scan Report
Informational: Devices running operating system Windows 7 = 382, Windows XP = 18.
The following issues have been found. For each issue, select one risk level.

Issue                                                                        | No. of Issues | Criticality | Vulnerability  | Risk Level
Devices infected with rootkits                                               | 11            | Devastating | Extremely High | Extremely High / High / Medium / Low
Number of administrator accounts                                             | 12            | Devastating | Extremely High | Extremely High / High / Medium / Low
Number of active user accounts                                               | 415           | Moderate    | Moderate       | Extremely High / High / Medium / Low
Number of user accounts not used in past 90 days                             | 3             | Moderate    | High           | Extremely High / High / Medium / Low
Types of services running on network: TCP/IP, FTP, Telnet, SSH, and Ethernet | 5             | Devastating | Extremely High | Extremely High / High / Medium / Low
Number of devices with social network software installed                     | 122           | Moderate    | High           | Extremely High / High / Medium / Low
Number of unpatched servers                                                  | 6             | Devastating | Extremely High | Extremely High / High / Medium / Low
One user account stored in two groups in Active Directory                    | 1             | Minor       | Low            | Extremely High / High / Medium / Low
Correct Answer:

Issue                                                                        | No. of Issues | Criticality | Vulnerability  | Risk Level
Devices infected with rootkits                                               | 11            | Devastating | Extremely High | Extremely High / High
Number of administrator accounts                                             | 12            | Devastating | Extremely High | Extremely High / High
Number of active user accounts                                               | 415           | Moderate    | Moderate       | Medium / Low
Number of user accounts not used in past 90 days                             | 3             | Moderate    | High           | Medium / Low
Types of services running on network: TCP/IP, FTP, Telnet, SSH, and Ethernet | 5             | Devastating | Extremely High | Extremely High / High
Number of devices with social network software installed                     | 122           | Moderate    | High           | High / Medium
Number of unpatched servers                                                  | 6             | Devastating | Extremely High | High / Medium
One user account stored in two groups in Active Directory                    | 1             | Minor       | Low            | Low / Medium
Feedback: Let's spend more time discussing risk ratings. The risk matrix for every organization will differ, based on the risk attributes and specifics within the company and on the vulnerability and criticality ratings evaluated across the enterprise. Perspectives also differ from one organization to another: an attribute rated devastating in one organization (e.g., the number of administrators) may be categorized as severe or moderate in another. Here is the risk matrix for PS Bank. The intersection of the criticality and vulnerability ratings provides a perspective on the level of risk. In this example, in this industry, a devastating criticality rating coupled with an extremely high vulnerability rating would be categorized as High Risk.
The risk level for each issue could fall within a range of two choices. For every issue, different individuals could select a different risk level based on their experience or subjective reasoning, as reflected in the correct answer.

Risk Matrix for PS Bank (rows: Criticality Rating; columns: Vulnerability Rating)
Criticality Rating | Extremely High | High          | Medium        | Low
Devastating        | High Risk      | High Risk     | High Risk     | Moderate Risk
Severe             | High Risk      | High Risk     | Moderate Risk | Low Risk
Moderate           | High Risk      | Moderate Risk | Moderate Risk | Low Risk
Minor              | Moderate Risk  | Moderate Risk | Low Risk      | Low Risk
As every organization is different, its risk matrix differs accordingly. Let's look at a small bicycle shop. Its Web site is purely informational, it has a limited number of employees, one location, and few technological dependencies. Its risk matrix may look like this:

Risk Matrix for Bicycle Shop (rows: Criticality Rating; columns: Vulnerability Rating)
Criticality Rating | Extremely High | High          | Medium        | Low
Devastating        | High Risk      | High Risk     | Moderate Risk | Moderate Risk
Severe             | High Risk      | High Risk     | Moderate Risk | Low Risk
Moderate           | Moderate Risk  | Moderate Risk | Low Risk      | Low Risk
Minor              | Moderate Risk  | Low Risk      | Low Risk      | Low Risk
Action Plan

Question 1: The network scan has identified 11 devices with rootkits installed. What action do you recommend that PS Bank take with regard to these devices?
a. Change user profiles.
b. Update the virus definitions on the bank's antivirus software.
c. Remove the rootkits from these machines.
d. Take no action.
Correct Answer: Options b and c
Feedback: The company should make sure that its antivirus software is updated with the latest virus definitions, and it should also remove the rootkits from the infected machines.

Question 2: The scan report indicated that the services active on the network include FTP, Telnet, and SSH. What would be the best recommendation for managing the risk from these services?
a. Make no changes at this time.
b. Remove the Telnet service.
c. Replace the FTP service.
d. Remove the SSH service.
Correct Answer: Options b and c
Feedback for Correct Answer: Removing Telnet and replacing FTP are advised because these are insecure services.
Feedback for Incorrect Answer: Changes regarding insecure services should be made to better protect the organization's network. SSH is a secure service and should remain on the network. Removing Telnet and replacing FTP are advised because these are insecure services.

Question 3: The scan revealed six unpatched servers. What would be the most feasible course of corrective action for the unpatched servers?
a. Replace the current servers with new, expensive servers.
b. Obtain the latest patch from the hardware vendor and begin the installation phase.
c. Wait until the server is probed or attacked by hackers, and then patch the server.
d. Ask the IT department to pay special attention to activity on these servers.
Correct Answer: Option b
Feedback: The company needs to obtain the latest patch from the hardware vendor and begin installation. This is the best and most feasible course of corrective action, given the company's current financial position.
Question 4: The scan also revealed that the enterprise has 15 unassigned accounts. What would be the best course of action with regard to these accounts?
a. Run another scan.
b. Ask IT personnel about the accounts.
c. Activate the organization's incident response team.
d. Contact the CISO.
Correct Answer: Option b
Feedback: The first step should be to ask IT personnel about the accounts, as the organization might need guest accounts and other types of unassigned accounts.

Question 5: A subsequent scan identified 12 employees with administrator privileges. What action(s) do you recommend that the company take with regard to the number of administrator accounts?
a. Research the rationale for having so many administrators.
b. Reduce the number of administrators.
c. Increase the number of administrators to 15.
d. Take no further action.
Correct Answer: Options a and b
Feedback: The company should first see if there is a reasonable rationale for the large number of administrator accounts, and if not, this number should be reduced.

Question 6: The network scan identifies three employees who have not used their accounts in the past 90 days. What action should the company take with regard to the unused accounts?
a. Permit the accounts to remain active.
b. Delete the accounts.
c. Disable the accounts.
d. Purge the accounts.
Correct Answer: Option c
Feedback: Disabling accounts is the correct course of action, since this will retain system activities performed by these employees and will not erase data that might be needed at a later date. Permitting the accounts to remain active poses a potential risk, as attackers could use unused accounts to enter the network. Deleting or purging accounts would erase all details of past account activity, depriving network administrators of a useful source of information.
Topic 9: Summary
We have come to the end of Module 2. The key concepts covered in this module are listed below.
Advanced Persistent Threats (APTs) use sophisticated code, recompilation, and encryption to evade detection and compromise systems.
Sections 302 and 404 of the Sarbanes-Oxley Act (SOX) are directly relevant to the management and auditing of electronic financial records in organizations, and they promote vigilance and risk assessment.
The growing use of new technologies like social media and smartphones is an added source of vulnerabilities for individuals, businesses, and government organizations.
The Aurora test and the Stuxnet worm are real-life examples of how cyberweapons could be used to disable and disrupt a country's critical infrastructure, such as its power grid.
An effective vulnerability assessment identifies known and potential threats, defines a risk mitigation strategy, offers a wide scope, and is customized to a business's particular needs.
Vulnerability assessments consist of four steps—gathering information, analyzing data, prioritizing responses, and implementing measures.
A vulnerability matrix can be based on a framework provided by organizations such as the National Institute of Standards and Technology (NIST), and will vary according to the needs of a business.
Glossary
Active Directory (AD): Active Directory (AD) is a technology developed by Microsoft that allows system administrators to use a centralized authority to control and manage a network. AD consists of applications that allow allocation of authority, information security, unified sign-on to different systems, central storage, and synchronized directory updates.
Access Control: Access control is the process of regulating which individuals or users have access to particular assets.
Advanced Persistent Threats (APTs): Advanced Persistent Threats (APTs) are threats that use advanced and sophisticated methods to compromise or disrupt individual, company, or government networks and devices.
Computer Emergency Response Team (CERT): The Computer Emergency Response Team (CERT) is an institution established by Carnegie Mellon University to deal with security incidents, and to develop an extensive database and training material on threats and vulnerabilities.
Critical Infrastructure: Critical infrastructure consists of physical and virtual assets, systems, and networks, the incapacitation or destruction of which could have a significant negative impact on a national level. Any threat or damage to critical infrastructure could affect national security, the economy, and public health and safety.
Criticality: Criticality is the quality, state, or degree of being of the highest importance. In cybersecurity and risk management, this includes the most important elements when evaluating vulnerabilities.
Encryption: Encryption is the process of using algorithms to change readable text into a format that is unreadable by unauthorized persons.
Ethernet: Ethernet is used to create a local area network by connecting several computer systems governed by protocols for the transmission of data.
File Transfer Protocol (FTP): File Transfer Protocol (FTP) is an application protocol that uses TCP/IP (or the Internet) to transfer files between computers.
Insider Threats: Insider threats are potential crimes, including theft, fraud, and workplace violence, that can be committed by employees or contractors of an organization.
Malware: Malware is a category of malicious software that is intended to harm a computer or a network.
National Institute of Standards and Technology (NIST): The National Institute of Standards and Technology (NIST) is an agency within the U.S. Department of Commerce that works to promote innovation and competitiveness by developing standards and technology.
Network Segment: A network can be split into one or more groups of computers, known as network segments. This helps improve the security of each segment, eases the flow of traffic, and limits the impact of any issues.
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE): Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a set of comprehensive tools, frameworks, and techniques that can be used to determine and assess the risks and vulnerabilities an organization faces.
Operation Aurora: Operation Aurora was an Advanced Persistent Threat (APT) attack that targeted several companies, including Google, Adobe Systems, Juniper Networks, Rackspace, Yahoo!, Symantec, Northrop Grumman, and Dow Chemical, during a six-month period in 2009.
Port Scanning: Port scanning is used by intruders to identify open ports, which are vulnerable access points in targeted network systems.
Rootkit: A rootkit is software or a set of tools that allows an intruder to gain administrative-level access to a target system and, at the same time, hides its own presence.
Sarbanes-Oxley Act (SOX): The Sarbanes-Oxley Act of 2002 (SOX) governs information security programs in companies that are traded on major stock exchanges in the United States.
Supervisory Control and Data Acquisition (SCADA): Supervisory Control and Data Acquisition (SCADA) is a computer-based system that gathers, processes, and analyzes real-time system data. SCADA systems are used to monitor and control plants or equipment in industries such as telecommunications, water and waste control, energy, oil and gas refining, and transportation.
Secure Shell (SSH): Secure Shell (SSH) is a secure version of Telnet. It is resistant to attacks by eavesdroppers.
Smart Grid: The Smart Grid is an electricity procurement and delivery system that uses sophisticated technology to make the electricity delivery grid more efficient.
Social Engineering: Social engineering is a method of gathering information, seeking computer access, or committing fraud by using manipulation and deceit to get an individual to reveal confidential information about an organization.
Stuxnet: Stuxnet is a malicious worm that was designed to use sophisticated code to disrupt and disable specific components of a SCADA network.
TCP/IP: Transmission Control Protocol/Internet Protocol (TCP/IP) is the communication protocol suite for the Internet.
Telnet: Telnet enables the remote use and supervision of systems. Network administrators use Telnet to monitor and control systems remotely.
Vulnerability: A vulnerability is a weakness or group of weaknesses that can be exploited, resulting in a security breach and/or damage to an organization.