MAster's Level Response Please
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 1 of 38
Contents Topic 1: Scenario ............................................................................................................................. 2
Scenario: The Christmas Fiasco .................................................................................................. 2 Topic 2: Module Introduction ........................................................................................................... 4 Topic 3: Decision Making in Response to Cyberattacks ................................................................. 5
The Decision-Making Process ..................................................................................................... 5 Determining the Appropriate Response ....................................................................................... 6 Crisis Management ...................................................................................................................... 7 The Elements of a Business Continuity Plan ............................................................................. 10 The Business Continuity Planning Process ............................................................................... 12 The Business Impact Analysis ................................................................................................... 16 Activity: You Decide! .................................................................................................................. 20
Topic 4: Offensive Cyberattack Technologies ............................................................................... 23 Offensive Cyberattack Technologies ......................................................................................... 23
Topic 5: Organizations: Roles and Responsibilities ...................................................................... 26 Federal Government Roles and Responsibilities ....................................................................... 26 Use of Military Organizations and Assets .................................................................................. 28 Role of the Private Sector .......................................................................................................... 30 Role of International Organizations............................................................................................ 32
Topic 6: Summary.......................................................................................................................... 36 Glossary ......................................................................................................................................... 38
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 2 of 38
Topic 1: Scenario
Scenario: The Christmas Fiasco
Executing the Response to a Cyberattack CSEC670—Module 4
The Christmas Fiasco Crazy Steve's is an online electronics store based in New York City. The business has an excellent reputation based on the variety of products it offers and its commitment to excellent customer service. The Christmas season is the busiest time of year for the company. However, this year the company faced some problems with its order fulfillment system. The system incorrectly bypassed the normal order fulfillment programs and shipped 200 orders without receiving any payment for them. Is this just a system glitch, or were cybercriminals at work? Disclaimer: The storyline and characters in this part of the module are fictitious and were developed for the purposes of this course. No association with any real person, places, or events is intended or should be inferred.
Scenario Scene 1 Stephan Jones has been the Chief Information Security Officer (CISO) at Crazy Steve's for more than two years. The financial impact of the security incident involving the fake orders has put a lot of pressure on Stephan to ensure that such an incident is not repeated. Scene 2 Stephan discusses the incident with his colleagues: Jamie, from the IT Department; Rory, from the Finance Department; Darren, from Customer Service; and others. Here is a transcript of the conversation. Jamie: Did you know that our competitors have nicknamed the recent security incident "the Christmas Fiasco?" Stephan: This is the first time in two years that I've had to deal with an incident worse than a virus outbreak. Stephan: So far, we've only had to deal with minor issues like employees surfing the Internet at work. Rory: None of those incidents caused any major damage to the company's reputation. The financial damage was also insignificant. This is different. Darren: This incident has raised some serious concerns among our customers. We've seen a significant decline in the number of visitors to the Web site and we are receiving fewer orders. Jamie: We really need to find out why the system processed and shipped those orders.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 3 of 38
Stephan: That's not all. We also need to ensure that such an incident never occurs again. If it does, we need to be better-prepared. Scene 3 Stephan's investigation shows that cybercriminals infiltrated the company's servers, entered fake orders directly into the shipping system. Using this technique they were able to completely bypass the order entry and payment modules of the company's ERP system. After the Christmas security incident, Stephan realizes that Crazy Steve's entire system will need to be updated to prevent similar incidents from happening in the future. Scene 4 One of the main challenges that Stephan now faces is to persuade top management to execute vital changes. He has to convince Chief Information Officer (CIO) Jonathan Kessler that he needs a larger budget to keep up with the organization's adoption of new technologies as well as the changing threat environment. Scene 5 In the past, Stephan has not had much luck convincing Jonathan to increase funding for his department. Stephan believes that company executives do not focus on cybersecurity because their profits are generated by other sectors of the business. Nevertheless, Stephan keeps pushing for a larger budget. He feels the company is quite unprepared for a sophisticated attack on its IT systems and infrastructure. Scene 6 After a lot of hard work, Stephan manages to get his point across to Jonathan. Together, they decide to form an internal incident response team to prepare for potential future security incidents at Crazy Steve's and ensure business continuity.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 4 of 38
Topic 2: Module Introduction
Whether they are customers buying goods online, tellers in a bank, or cashiers at a gas station, individuals are critically dependent on the systems and infrastructures with which they work. The impact and dependencies of a health care provider or a military service member deployed overseas are even more critical. Executing the response to a cyberattack is an important responsibility of every person within an organization, as a potential attack can come from any place, anywhere, and at any time. The process of dealing with cyberattacks includes prevention, defense, detection, recovery, and finally, the response to an attack. Every government agency and private business has a different matrix of cyberthreats and vulnerabilities. For example, the vulnerability matrix for the U.S. Department of Defense will not be the same as that of a bicycle manufacturer. The final element of response may be different, depending on the organization attacked and the type of attack. This module will examine how the response to a cyberattack is executed. It will also examine factors to consider when developing a response plan, the process involved in implementing a response plan, disaster recovery, and business continuity planning.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 5 of 38
Topic 3: Decision Making in Response to Cyberattacks
The Decision-Making Process
The decisions made by Crazy Steve's management and the incident response team are critical, and they will play an important role in getting business back to normal after the attack. The stakeholders at Crazy Steve's, which include the technical staff and the business leadership, need to work together to address the security incident. In this case, the company stakeholders decide to have the delivery company return the shipment of 200 orders. Response to a Cyberattack
Cyberattacks may vary from a denial of service to outright theft. Regardless of the type of attack, organizations should compartmentalize, manage, and mitigate risks after the attack to the fullest extent possible to avoid additional damage. The process for most organizations includes prevention, defense, detection, recovery, and finally, the response to a cyberattack. In order to achieve success, members of the organization must work together to make the right decisions for the enterprise. As in the case of Crazy Steve's, most companies' responses will include remediating and mitigating the risk exposed by the attack.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 6 of 38
Topic 3: Decision Making in Response to Cyberattacks
Determining the Appropriate Response
Response to a Cyberattack A business continuity and disaster recovery plan helps companies to deal effectively with threats and disasters, including cyberthreats and security incidents. A well-developed plan will identify the potential threats to the company, and provide adequate support for prevention and recovery in the event of an incident. A critical element in the process of business continuity planning is determining the appropriate response to a cyberattack. Cyberattacks may include the destruction or modification of system configurations or data, unauthorized system access, or attempts to penetrate technologies and systems. If incidents of this type occur, critical data can be compromised, causing enterprise-wide system failures that may impact the business. Role of Leadership The main responsibility of a company's leadership when a cyberattack occurs is to protect confidential information and information systems, while at the same time restoring business continuity. At Crazy Steve's, the leadership's ultimate objective is to mitigate the damage to customers, their data, and the enterprise through isolation of the incident while restoring critical business systems, and maintain the integrity of the organization.
Advance Planning Advance planning is a key element of any response to a cyberattack. Stephan, Jonathan, and selected members of their team have determined roles and responsibilities for evaluation, response, and management of future attack-related events. They have also developed steps and guidelines that employees will adhere to for reporting and escalation of duties if another attack occurs. Designating Members Team members of the leadership team have been identified and assigned duties. The process has been mapped out with a clear designation of who will declare the occurrence of an event and who will begin the overall business continuity and resumption plan. Once the declaration is made, selected members of the organization will begin their tasks and address the damage while restoring critical system components. Proper Training of Team Members Extensive training sessions and workshops have been implemented to ensure that staff members with critical responsibilities and expertise across the enterprise are properly trained to respond immediately and fulfill their duties. Regular Testing with Simulations Training simulations and drills will be conducted to continually evaluate the incident response team's reactions to emergency situations. Only by testing practices before an emergency occurs will management be able to evaluate whether the practices align with the organization's overall business resumption strategies.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 7 of 38
Topic 3: Decision Making in Response to Cyberattacks
Crisis Management
For effective crisis management in the event of a cyberattack, organizations should determine in advance the staffing of the crisis management team and determine the steps and processes for a responsible crisis management approach. The crisis management team normally leads activities that are part of the business continuity plan. Crisis Management Team The crisis management team will lead all activities as well as coordinate with dependent departments such as utilities, infrastructure, and emergency communications management. The crisis management team normally includes members from various key departments throughout the enterprise. The members of Crazy Steve's crisis management team are listed here.
Name Designation Department
Role
1 Shara Vandivort
President Executive/Senior Management
The executive/senior management members are responsible for top- level critical and strategic decision making for the enterprise.
2 Jonathan Kessler
Chief Information Officer
IT Management The IT management members are responsible for tactical and strategic implementation and protection of critical systems, system security, remediation, and system or infrastructure continuity operations.
3 Lesley Ruthers
Vice President of Facilities Management
Facilities Management
The facilities management members are responsible for physical infrastructure, physical security, and logistics.
4 Garrett Westerling
Vice President of Human Resources
Human Resources The Human Resources Department is responsible for personnel, staffing issues, and travel.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 8 of 38
Name Designation Department
Role
5 Sara Chang Vice President of Communications
Communications and Public Relations
The Public Relations Department is responsible for internal and external communications, including media contact.
6 Norman Calwell
Chief Financial Officer
Finance and Accounting
The Finance and Accounting Department is responsible for critical financial decisions as well as funds disbursement.
7 Andre Parker
Vice President of Risk Management
Risk Management The risk management members are responsible for internal and external evaluation of potential risks and exposure areas.
8 Perry Prichett
General Counsel
Legal The Legal Department is responsible for counsel and guidance regarding legal issues.
9 Sharon Murphy
Vice President of Compliance
Compliance The Compliance Department is responsible for internal and external assurance that the organization is conforming to laws and regulations affecting the industry.
10 Jerry Kripke Chief Operating Officer
Operations The operations area covers other parts of the organization that may not be included above, but are critical to the functioning of the organization.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 9 of 38
Responsibilities A strong crisis management team, with team members who have the skills to perform their duties, makes plans well in advance of an event. In addition, an effective team has the authority to make rapid decisions based on available information. Every recovery scenario will require a different plan for internal and external communication and notification. A strong business continuity plan allows the organization to focus on business recovery while the crisis management team focuses on mitigating the crisis. The crisis management team should perform tests and drills that allow participants to exercise and practice delegating authority. This ensures that the end-to-end process meets the business's needs.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 10 of 38
Topic 3: Decision Making in Response to Cyberattacks
The Elements of a Business Continuity Plan
Business Continuity Plan The main responsibility of the senior management and leadership of a company is to make sure the organization follows the appropriate plans and processes. The steps of a solid Business Continuity Plan (BCP) include identification, assessment, prioritization, management, and mitigation of risk. This is not an easy process, and it requires that individuals work collaboratively across the enterprise to identify both the vulnerabilities and potential threats. An effective BCP contains internal and external elements mirroring business priorities across the enterprise. It includes collaboration across the components, identifying system dependencies and potential processes while responsibly addressing the risks associated with any identified interdependencies. This is a cyclic process, and every cycle brings improvements in its ability to address known and potential threats and vulnerabilities. Elements of a Business Continuity Plan Policies and Processes One of the key elements of a good BCP is establishing policies and processes to determine the steps the organization will take to identify, manage, and mitigate risks that are identified. Competent Staff Deploying staff with sufficient knowledge, appropriate levels of authority, and budget authority to deploy the BCP responsibly is a crucial factor in ensuring the success of a BCP. Regular Review It is important to test the BCP on an annual basis and have it reviewed independently to ensure an unbiased perspective. Awareness and Training Requiring everyone in the organization to be aware of threats, and to have the proper training and skills to succeed, is another critical element of a strong BCP. Organization-Wide Testing Testing the BCP across the organization on a regular basis helps ensure that a BCP is capable of meeting the needs of the organization. Critical Evaluation A BCP's testing process needs to be critically evaluated, and the results have to be reviewed with the staff, to ensure complete understanding of weaknesses and areas for improvement.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 11 of 38
Regular Updates An effective BCP is modified and updated on a regular basis so it is a living and evolving plan that meets the needs of the organization, and adapts to changes in the operating environment and threat landscape.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 12 of 38
Topic 3: Decision Making in Response to Cyberattacks
The Business Continuity Planning Process
Crazy Steve's Problem Stephan and Jonathan manage to fix the main issue that allowed the multiple fake orders to be placed via Crazy Steve's Web site. Stephan realizes that this was a close call. While working to mitigate the issue, he discovers that the company's business continuity plan does not include strategies for handling cybersecurity incidents. As the success of the entire business continuity effort hinges on advance planning, Stephan believes that a plan should be put in place to address cyberattacks. He decides to discuss this with Jonathan. Here is a transcript of the conversation between Stephan and Jonathan. Stephan: Hi, Jonathan. Are you free? I need to discuss something with you. Jonathan: Yes. Go on. Stephan: Now that the Christmas incident has been handled, there is one thing that I would like to bring to your attention. Stephan: While handling the security incident, I realized that our company's business continuity plan does not consider cybersecurity. Jonathan: Yes, I realized that as well. The BCP focuses primarily on natural threats such as fire and flooding. It also addresses major power outages and system breakdowns. Jonathan: It does not deal specifically with cybersecurity incidents. Stephan: I think it would be prudent to call a meeting of the BCP steering committee, discuss this issue in depth, and decide on a proper plan of action for fixing this gap in the BCP. Jonathan: I agree. I will send an e-mail immediately and get this process started. The Meeting The BCP steering committee at Crazy Steve's convenes to discuss the proposed changes. Among the members are Jerry Kripke, the chief operating officer, and Patricia Gunter, the head of IT. Here is a transcript of the conversation. Jonathan: As you all know, this meeting has been called to reassess the company's business continuity plan. Jonathan: The recent security incident regarding the fake Christmas orders has made us aware that the BCP does not include strategies for handling cybersecurity incidents.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 13 of 38
Jonathan: Stephan and I propose that the BCP should include plans and processes for rapid and effective response, management, and recovery from any cyberattacks that could have a significant impact on performance, customer expectations, our brand, or our finances. Stephan: Advance planning will enable us to have discussions regarding emergency decisions before an actual cyberemergency, when many other issues will require our immediate attention. Patricia: I agree. This will allow us to discuss known risk areas and research other potential risks as well. Patricia: I feel strongly that we should include cybersecurity incidents in the BCP. Jerry: I think that cybersecurity incidents should be managed by the CISO and his team. I believe that he has a plan in place. Stephan: This is a very serious matter that needs to be analyzed and discussed thoroughly before we come to a decision. Stephan: I suggest we see what the other members of the steering committee have to say and consider all aspects before making a decision. Conclusion A thorough discussion follows. Some members agree with Jonathan's proposal to include cybersecurity incidents in the BCP, and some do not. Ultimately, the committee decides to include cybersecurity incidents in the BCP. The BCP Process At Crazy Steve's, the process of developing the BCP is collaborative; stakeholders from all areas of the business provide input. It requires business units across the enterprise to assess their critical processes, dependencies, operations, and facilities, and then develop an appropriate business continuity strategy. Organizations that have solid business continuity plans, in addition to reviewing, modifying, and testing them on a regular basis, do much better during cyberattacks and other emergencies than organizations that do not take these precautions. Critical Functions The BCP steps should focus on critical business functions, including resumption, recovery, and maintenance, rather than focusing solely on technology (FFIEC, 2008, p. 4). Priorities The BCP process includes evaluation and development of a cross-enterprise prioritization plan that aligns with critical business functions and operational expectations (FFIEC, 2008, p. 4). Interdependencies The BCP process includes interdependencies and integrates expected interactions with other critical partners, such as utilities and service providers (FFIEC, 2008, p. A-4).
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 14 of 38
Regular Updates The overall BCP process should include regular plan updates based on changes in people, processes, and technologies, as well as independent audit findings and lessons learned from internal reviews and regular tests of the process (FFIEC, 2008, p. 18). Lifecycle Approach The BCP process requires a lifecycle approach that incorporates the risks identified through the Business Impact Analysis (BIA), the vulnerability assessment, and the ongoing risk management and assessment process, in order to continually improve the BCP, from planning to final testing and monitoring (FFIEC, 2008, pp. 4, 13). Reference: Federal Financial Institutions Examination Council (FFIEC). (2008, March). Business continuity planning: IT examination handbook. Retrieved from http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_BusinessContinuityPlanning.pdf Analyze This Question 1: Which of the following scenarios should be included in the BCP for cybersecurity incidents involving Crazy Steve's Web site and online ordering infrastructure? a. A Distributed Denial Of Service (DDoS) attack on the servers b. A Structured Query Language (SQL) injection attack on the Web site, aiming to
extract financial and customer information c. A virus infection on the servers d. A developer accidentally uploading a Web page with incorrect information Correct Answer: Options a, b, and c Feedback: DDoS attacks on the servers, SQL injection attacks on the Web site, and virus infections on the servers should all be included in the BCP for cybersecurity incidents. DDoS, SQL injections and viruses are all serious attack methodology that can be used by adversaries. These scenarios therefore require careful and detailed analysis in order to assess how they are addressed in the company’s BCP. Uploading incorrect data onto the company’s web page is normally just a simple error that can be easily corrected and does not affect Business Continuity Planning. Question 2: Which of the following key personnel should provide input for the steps to be taken when a cybersecurity incident occurs on Crazy Steve's retail Web site? Choose all options that apply. a. The Chief Financial Officer (CFO) b. The Chief Information Officer (CIO) c. The Chief Information Security Officer (CISO) d. The public relations and media advisor Correct Answer: Options a, b, c, and d Feedback: The BCP process is a collaborative undertaking in which stakeholders from all areas of the business should give their input.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 15 of 38
Question 3: Which of the following inputs are relevant to the BCP process for Crazy Steve's Web site? Choose all that apply. a. Vulnerability assessment and penetration testing reports b. Previous audit reports c. A Service Level Agreement (SLA) with the hosting provider d. Legal or regulatory requirements for data protection Correct Answer: Options a, b, c, and d Feedback: Vulnerability assessment and penetration testing reports, previous audit reports, an SLA with the hosting provider, and legal or regulatory requirements for data protection are all relevant to the BCP process. All of the possible answers are important inputs to the company’s Business Continuity Plan. For example, prior audit reports can highlight weaknesses in technical controls that the organization should implement corrective action, or be prepared to accept the risk related to the vulnerability. An additional example is that vulnerability assessments and penetration testing provide an organization with a thorough analysis of the WAN and/or Enterprise Infrastructure. This is very relevant information for the BCP.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 16 of 38
Topic 3: Decision Making in Response to Cyberattacks
The Business Impact Analysis
Scenario The first task that Crazy Steve's BCP steering committee faced was carrying out a Business Impact Analysis (BIA). BIA is a three-step process that organizations use to calculate the potential qualitative and quantitative impact of a crisis. With information from a BIA, an organization can refine its growth strategies, risk management practices, and cybersecurity infrastructure. The time and resources required for a BIA will vary, based on the complexity and size of the organization. The BIA process is dynamic, and it includes internal and external interdependencies among departments, staff, and integral business operations. During the BIA process at Crazy Steve's, stakeholders identified interdependencies and prioritized them according to their business objectives. This prioritization process plays an important role in driving the required business recovery timelines and expectations. Analyze This The BCP steering committee discussed the BIA process and made several important findings. Answer the following questions to learn more. Question 1: Which of the following are critical functions or processes at Crazy Steve's? a. Supply chain management b. Customer relationship management c. Order processing d. Online order management Correct Answer: Options a, b, c, and d Feedback: Supply chain management, customer relationship management, order processing, and online order management are all critical functions or processes at Crazy Steve's. In an online e-tailer environment like Crazy Steve’s all of the systems listed should be considered mission critical. The failure of any one system would have a significant impact on the organization’s overall business operations. Therefore, unexpected downtime in any one or more of these information systems would damage the company (i.e. their reputation, ability to service customers and/or earn profits). Question 2: Since the bulk of Crazy Steve's business is conducted online, which of the following scenarios would have the greatest impact on business? a. The payroll processing department sends the wrong information to the bank b. Corporate headquarters catches fire c. The hosting company where all of Crazy Steve's servers are located shuts down due
to a power outage d. The CEO gets stuck at his vacation destination due to heavy snowfall Correct Answer: Option c
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 17 of 38
Feedback: A shutdown at the hosting company where all of Crazy Steve's servers are located would have the greatest impact on Crazy Steve's business. Due to the fact that Crazy Steve’s business is entirely online their IT systems are the most essential aspect to the business. This would include the availability of their Web site. Therefore, a power outage at the company’s external hosting company would have the greatest impact on their overall business. Question 3: Customers have come to value Crazy Steve's because of its unparalleled online transaction speed, the lack of any significant downtime on the company's Web site, and the company's quick delivery of products. What is most likely the industry standard for acceptable downtime for Crazy Steve's retail Web site? a. Less than a minute, with almost no data loss b. Less than an hour, with a few hundred recent transactions being unavailable c. Less than a day, with the current day's transactions being unavailable d. More than two days Correct Answer: Option a Feedback: Considering the company's previous performance and reputation, less than a minute with almost no data loss is the likely acceptable downtime. Question 4: When focusing on the retail Web site, the BCP steering committee will detail the dependencies for Web site operations. Which of the following dependencies should the committee include? a. The server hosting the Web site b. The Internet link to the Web site c. The DNS servers hosting the domain name d. The power supply to the hosting company's data center Correct Answer: Options a, b, c, and d Feedback: The server hosting the Web site, the Internet link to the Web site, the DNS servers hosting the domain name, and the power supply to the hosting company's data center are all dependencies that the BCP steering committee should consider. In data center operations, all the options are essential components of maintaining continuity of service to external customers and internal stakeholders. Therefore, these dependencies and for that matter inter-dependencies should be evaluated by the BCP Steering Committee. BIA During his background research, Stephan creates a presentation about BIA. Slide 1: The BIA should critically evaluate and prioritize functions and processes by business line. In addition, it should identify interdependencies.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 18 of 38
Slide 2: The BIA should highlight the possible business impact for nonspecific, uncontrolled events that may disrupt functions and processes across the enterprise. Slide 3: The BIA should highlight the regulatory and legal responsibilities and requirements that are integral to the company's business and processes. Slide 4: The BIA should estimate, by business function, the parameters of acceptable and unacceptable downtime and loss from a business perspective. Slide 5: The BIA should determine objectives for an acceptable critical recovery path that includes acceptable recovery times and recovery point objectives.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 19 of 38
Checklist To define the critical objectives and functions across the enterprise, each business entity involved in the BIA process should ask relevant questions and gather data. Stephan shares a checklist with relevant details that need to be collected before a BIA.
Identify the vital interdependencies among applications, systems, departments, and critical business processes. Determine the criticality and function of specific equipment across departments.
Ascertain the impact to the department if a critical computing environment and support hardware (for example, a network or the Internet) is unavailable, and identify a fallback position.
Determine and identify single threads and points of failure, as well as the impact of the risks identified.
Determine whether there are any critical dependencies involving outsourcing arrangements.
Determine how the enterprise and third-party providers will meet their service level obligations during an emergency. Define how this will impact the department.
Determine how effective security processes and operational controls will be maintained during the recovery process.
From a staffing and space perspective, determine the minimum that will be required to meet business requirements. Identify any alternatives. List any special business supplies, forms, or collateral required at the recovery site.
Determine whether communications provisions are available at the backup site to facilitate communications with customers, vendors, and employees. Identify the alternatives and backup.
If the recovery site is a common site used by other companies, determine whether the critical business resumption operations are prioritized at the site and whether this prioritization aligns with the company's business requirements and expectations.
Understand how employees are trained to perform multiple duties in the event of an emergency and whether additional cross-training is necessary. Create a succession plan in case key leaders are unavailable.
Determine how the personal and family needs of employees will be addressed. Identify and detail the proper plans adequately to meet these needs.
From a financial perspective, determine which issues must be addressed in an emergency situation.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 20 of 38
Topic 3: Decision Making in Response to Cyberattacks
Activity: You Decide!
Dealing with a cybersecurity incident can be a major crisis for an organization to cope with effectively. Take on the role of a decision maker and help handle the crisis in this scenario. For the following questions, assume the role of the CISO of a publishing house. You have just been informed that parts of the latest unpublished book by your best-selling author have been found online. You suspect that the company database has been compromised and information has been stolen. Question 1: The Decision-Making Process Which of the following steps should be initially included in the decision-making process that you would carry out in response to this cyberattack? a. Inform and bring together all decision makers b. Focus on factors that will get the business back to normal c. Gather all the facts to make an informed decision d. Understand the main points related to the security incident e. Review the results of the forensic examination of previous cyberattacks f. Obtain advice from legal counsel
Correct Answer: Options a, b, c, and d Feedback: The decision-making process includes gathering all decision makers, focusing on factors that will get the business back to normal, gathering all the facts to make an informed decision, and understanding the main points related to the security incident. Conducting a forensic examination and involving legal counsel would come after the attack has been contained and broadly understood. Obtaining advice from legal counsel is an important task. However, it is not part of the preliminary steps in counteracting a cyberattack on your organization. This would normally be done after the attack is contained, a damage assessment can be ascertained and results of a digital forensic investigation are shared. Question 2: Determining the Appropriate Process Which of the following steps would you initially take while determining the appropriate process you would initiate in response to a cyberattack? a. Identify the organization's critical business functions b. Discuss how to prevent further harm to the business and supporting systems c. Analyze the qualifications of staff members d. Assign roles and responsibilities to staff members Correct Answer: Options a, b, and d
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 21 of 38
Feedback: Determining the appropriate process includes identifying the organization's business priorities, discussing how to prevent further damage, and assigning roles and responsibilities to staff members. Question 3: Crisis Management Which of the following steps should be part of the crisis management process? a. Predetermining the members of the crisis management team b. Involving the Marketing Department in media relations c. Coordinating with external agencies and organizations d. Involving senior management, IT management, and other critical teams e. Following the practices and procedures outlined in the BCP Correct Answer: Options a, c, d, and e Feedback: The crisis management process includes the following steps:
Predetermining the members of the crisis management team
Coordinating with external agencies and organizations
Involving senior management, IT management, and other critical teams
Following the practices and procedures outlined in the BCP Communications with the media would typically be handled by the Public Relations or Corporate Communications division, and not by Marketing. Question 4: Critical Elements of a BCP Which of the following are critical elements of a BCP? a. Testing the BCP once every five years b. Identifying risks c. Prioritizing risks d. Assigning mitigation strategies e. Updating the BCP regularly Correct Answer: Options b, c, d, and e Feedback: Identifying and prioritizing risks, assigning mitigation strategies, and regular updating are all elements of a BCP. Question 5: Additional Elements of a BCP Which of the following elements should be included in a BCP? a. Understanding key business processes b. Developing plans in advance c. Prioritizing cross-organizational requirements d. Focusing only on IT aspects e. Testing the organization's BCP regularly Correct Answer: Options a, b, c, and e
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 22 of 38
Feedback: Developing plans in advance, prioritizing cross-organizational requirements, understanding key business processes, and regular testing are all elements of a BCP. Question 6: Elements of the BIA Process Which of the following options are parts of the BIA process? a. Understanding that the BIA process is dynamic b. Documenting key business processes and procedures c. Adjusting the BIA to reflect changes in technology d. Explaining and discussing risks and threats e. Ad hoc review of the BIA whenever there is time available to do it
Correct Answer: Options a, b, c, and d Feedback: Understanding the process, documenting key business processes and procedures, adjusting the BIA to reflect changes in technology, and explaining and discussing risks and threats are all parts of the BIA process.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 23 of 38
Topic 4: Offensive Cyberattack Technologies
Offensive Cyberattack Technologies
Case Study Step 1 In 2011, growing concern over Iran's alleged nuclear weapons program led the United States to increase surveillance of possible Iranian nuclear sites. Step 2 The intelligence-gathering process included the use of drones, or Unmanned Aerial Vehicles (UAVs), which can be operated from thousands of miles away. In late 2011, a drone operated by U.S. forces in Afghanistan was forced to land on Iranian soil (Gladstone, 2011). Reference: Gladstone, R. (2011, December 15). Stop U.S. drone flights, Iran warns Afghanistan. The New York Times. Retrieved from http://www.nytimes.com/2011/12/16/world/middleeast/iran-warns-afghanistan-to- stop-us-drone-flights.html
Step 3 While some drones can be armed with missiles, the U.S. military reacted to Iranian reports of the drone's capture by saying Tehran might have been referring to a missing "unarmed reconnaissance aircraft" (Jaffe & Erdbrink, 2011). Reference: Jaffe, G., & Erdbrink, T. (2011, December 4). Iran says it downed U.S. stealth drone; Pentagon acknowledges aircraft downing. The Washington Post. Retrieved from http://www.washingtonpost.com/world/national-security/iran-says-it-downed-us-stealth-drone-pentagon- acknowledges-aircraft-downing/2011/12/04/gIQAyxa8TO_story.html?wprss=rss_national-security Step 4 Drones run the risk of being shot down or crashing as a result of malfunction or operator error, and then being captured by foreign adversaries. U.S. Defense authorities later admitted that this drone was in fact spying on Iran. This corroborates statements by Iranian military authorities that they were able to do so using an electronic attack (Popular Mechanics 2011). In this case, the Iranians stated at one point that they had shot down the drone (The Daily Mail, 2011). References: Popular Mechanics. (2011, December 5). 3 Questions After Iran's Claimed Shoot-Down of U.S. Drone. Retrieved from http://www.popularmechanics.com/technology/military/planes-uavs/3-questions-after-irans- claimed-shoot-down-of-us-drone-6610661 The Daily Mail. (2011, December 5). Iran threatens retaliation after 'shooting down' U.S. spy drone in its air space. Retrieved from http://www.dailymail.co.uk/news/article-2069818/Iran-shoots-U-S-spy-plane.html Step 5 However, Iran has made a separate claim that it captured the drone after hacking its navigation system (Gladstone, 2011). Reference: Gladstone, R. (2011, December 15). Stop U.S. drone flights, Iran warns Afghanistan. The New York Times. Retrieved from http://www.nytimes.com/2011/12/16/world/middleeast/iran-warns-afghanistan-to- stop-us-drone-flights.html
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 24 of 38
Cyberattack Technologies Many organizations and governments around the world are examining, testing, and deploying offensive cyberattack strategies and technologies. In the United States, strong laws forbid aggressive actions if they entail unauthorized access to a device connected to the Internet. Such laws do not exist in other parts of the world, nor does the law in some countries protect U.S. companies from attacks by foreign hackers. In light of this global predicament, enterprises need to be aware of aggressive plans that are being considered and implemented globally. As a cyberattack can originate anywhere, governments and other organizations may need to take proactive steps to protect their assets. In traditional warfare, attacking communications and command and control functions are crucial to victory; attacking the systems that host and facilitate these critical functions is also crucial to victory. Identify Cyberattack Methods Identify the cyberattack technologies that have offensive capabilities. a. Denial of Service (DoS) attacks b. Remote keyloggers c. Electromagnetic Pulse (EMP) weapons d. Bolt phase attacks e. Attacks on control systems that cause assets to self-destruct f. Trojan implantations that allow control of systems activity g. Root core scans h. Flooding attacks Correct Answer: Options a, b, c, e, f, and h Feedback: The following cyberattack technologies have offensive capabilities:
Distributed Denial of Service (DDoS) attacks have definite offensive capabilities. By using a large group of zombie computers an attacker can generate a very damaging attack.
Remote keyloggers are also useful offensive cyberwarfare tools because they relay back each and every keystroke made on an enemy’s computer.
Electromagnetic Pulse (EMP) weapons imitate the gamma-ray pulse caused by a nuclear explosion, disabling all electronics over wide areas (Gertz, 2011). These weapons are currently designed to knock out electronic equipment and possibly even affect humans.
Attacking a control system normally has the objective of causing a failure of the operating system. This is potentially a very dangerous offensive action that an adversary might wish to use.
A Trojan program allows an outsider to gain control of a program or system. Often, a Trojan gains entry to a system to allow access at a later time.
A flooding attack can easily be a very damaging offensive attack by a government organization, or cybercriminals. In this type of attack, a large number of remote servers are used to generate massive volumes of data packets. In turn, this creates so much data that the receiving organization’s systems are overrun and cannot function normally.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 25 of 38
Reference: Gertz, B. (2011, July 21). Report: China building electromagnetic pulse weapons for use against U.S. carriers. The Washington Times. Retrieved from http://www.washingtontimes.com/news/2011/jul/21/beijing-develops-radiation-weapons/?page=all
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 26 of 38
Topic 5: Organizations: Roles and Responsibilities
Federal Government Roles and Responsibilities
Within the U.S. government, no single department or agency has the ultimate responsibility for securing against or responding to cyberattacks. The government is in charge of leadership and sector-specific duties, and it requires the coordination and collaboration of many different organizations. The organizations that play a role in handling cybersecurity include the Department of Homeland Security (DHS), the Department of Defense (DoD), the Department of Justice (DOJ), and other federal agencies both inside and outside the Intelligence Community. Together, they execute a comprehensive strategy across the federal government. This table shows the organizations with authorities for handling cyberattacks within the United States.
Executive Branch
Within the Intelligence Community
Within Federal Jurisdiction
Executive authority, issued in the form of Presidential findings, executive orders, and Presidential Directives, issue responsibility to government departments and agencies to take actions within the scope of authority granted.
Intelligence Community Directives (ICDs) are responsible for containing the intelligence governance authorities.
Federal law enforcement responsibilities are largely defined within federal laws. Based on the type of crime, the FBI, the Secret Service, or other law enforcement agencies may have jurisdiction.
The National Cyber Response Coordination Group The National Cyber Response Coordination Group (NCRCG), composed of 13 federal agencies, collaborates with the Intelligence Community, law enforcement, and the U.S. Computer Emergency Readiness Team (US-CERT) before, during, and after a cyberincident. It serves as the leading disseminator of information and coordinates responses among government agencies following a cyberincident. National Cybersecurity and Communications Integration Center DHS's National Cybersecurity and Communications Integration Center (NCCIC) is a "watch and warning" center with 24/7 capabilities for emergency communications related to cybersecurity. The NCCIC works across all levels of the private sector and government. It provides a unified and integrated response to incidents that may impact homeland security. The NCCIC is collocated with the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the National Coordinating Center for Telecommunications (NCC), and US-CERT. Other federal partners, including the Department of Defense, members of the Intelligence Community, and law enforcement, also collaborate with the NCCIC. Information Sharing and Analysis Center (ISAC) activities for a few sectors also originate with the NCCIC (DHS, 2011).
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 27 of 38
Reference: U.S. Department of Homeland Security. (2011, August 9). About the National Cybersecurity and Communications Integration Center (NCCIC). Retrieved from http://www.dhs.gov/xabout/structure/gc_1306334251555.shtm
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 28 of 38
Topic 5: Organizations: Roles and Responsibilities
Use of Military Organizations and Assets
In July 2010, The Economist described cyberwarfare as "the fifth domain of warfare, after land, sea, air, and space" (The Economist, 2010). A cyberattack that could cripple critical systems like the power grid, security systems, and financial or governmental systems could have devastating effects on a nation. Some believe that the United States should move to a more aggressive posture for offensive and defensive cybermeasures. Many countries have developed cyberattack capabilities. For example, "Iran claims to have the world's second-largest cyber-army," while China, Russia, Israel, and North Korea have capabilities of their own (The Economist, 2010). As of now, it is difficult to gauge the true capabilities of potential enemies. Thus, countries need to prepare for worst-case scenarios. The concurrent challenge is the anonymity of a cyberattack. For example, one country could launch a cyberattack on another through a third and innocent nation. An attack of this type could create mistaken identity, misattribution, and lack of confidence, which could easily escalate to military action. Reference: The Economist. (2010, July 1). Cyberwar: It is time for countries to start talking about arms control on the internet. Retrieved from http://www.economist.com/node/16481504?story_id=16481504&source=features_box1 Georgia Cyberattacks Russia's military advance on Georgia during the South Ossetia war of 2008 was accompanied by cyberattacks, which included both DOS attacks on numerous Georgian Web sites and hacking of some government sites (Moses, 2008). While Georgia has accused Russia of orchestrating the cyberattacks, it is difficult to prove that actions like these are the result of action by an enemy state, as opposed to independent hackers working on their own (McCullagh, 2010). Attribution is complicated by the fact that cyberattacks can be geographically decentralized. For example, when Estonia was subjected to cyberattack in 2007, it blamed Russia. However, the attack was carried out using a network of thousands of infected computers, 17 percent of which were said to have been located in the United States (Baldor, 2011). References: Baldor, L. C. (2011, June 22). New orders detail Pentagon cyberwar guidelines. The Associated Press. Retrieved from Air Force Times Web site: http://www.airforcetimes.com/mobile/index.php?storyUrl=http%3A%2F%2Fwww.airforcetimes.com%2Fnews %2F2011%2F06%2Fap-pentagon-gets-cyberwar-guidelines-062211%2F McCullagh, D. (2010, July 29). U.S. military cyberwar: What's off-limits? CNET News. Retrieved from http://news.cnet.com/8301-31921_3-20012121-281.html
Moses, A. (2008, August 12). Georgian websites forced offline in "cyber war." The Sydney Morning Herald.
Retrieved from http://www.smh.com.au/news/technology/georgian-websites-forced-offline-in-cyber- war/2008/08/12/1218306848654.html
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 29 of 38
GhostNet Espionage An investigation has found circumstantial evidence that China has used the GhostNet cyberespionage network to compromise Tibetan computer systems. The investigation revealed that GhostNet consisted of more than 1,295 infected hosts in 103 countries. Thirty percent of the hosts were high-value targets that included computers housed at "ministries of foreign affairs, embassies, international organizations, news media," and nongovernmental organizations (Information Warfare Monitor, 2009). Reference: Information Warfare Monitor. (2009, March 29). Tracking GhostNet: Investigating a cyber espionage network. Retrieved from http://www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating- a-cyber-espionage-network/
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 30 of 38
Topic 5: Organizations: Roles and Responsibilities
Role of the Private Sector
Militias Militias of the Past and Cybermilitias of Today Around the world, there are many private companies engaged in developing cyberwarfare technologies. As technology evolves to meet the needs of competing militaries, leading-edge innovations will continue to originate in the private sector. Public- private partnerships have been successful over the years, as they perform specialized functions that harness the capabilities of each sector. Then In the 1850s, Allan Pinkerton created the Pinkerton National Detective Agency. The Pinkertons, as the agency's detectives were popularly known, foiled an alleged early plot to assassinate Abraham Lincoln and were a prominent private security force in the United States during the late 1800s. As experts in their field, Pinkertons were hired to perform security services and military contract work. At their height, the agency had more documented members than the U.S. military and formed the largest private detective organization. Reference: Morn, F. (1982). The eye that never sleeps: A history of the Pinkerton National Detective Agency. Bloomington: Indiana University Press. Now Blackwater Security Consulting (BSC), formed in 1997 and renamed in 2011 as Academi is a private firm that performed some security functions under federal contract during the Iraq War. Blackwater provided support for coalition forces and installations, and trained Iraqi military and police forces. Just as the Pinkertons did, in the 1850s, Blackwater has used its expertise to aid the U.S. government in various ways.
Public-Private Partnerships Public-private partnerships have been used in research and development efforts in many areas. This is also true in cybersecurity. The private sector's contribution to advances in cybertechnology is bound to have a tremendous impact on the future of cyberwarfare. The market for such technology is not limited by borders or nationalities. For example, a company could develop a specific technology and sell it across borders with ease, via the Internet. Global innovation in technology, for both good and evil purposes, can now originate virtually anywhere. This changing characteristic could be a critical aspect of cyberwar in the 21st century, and could dramatically change the landscape and nature of future military conflicts. Defense Contractors Private-sector firms currently assist traditional war operations in areas ranging from training to logistics. A private company's flexibility with resources can help it meet critical demands with dedicated expertise during a cyberemergency.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 31 of 38
For example, a company that routinely develops antivirus code can quickly and efficiently dedicate the resources necessary to address a new virus when it appears. The private sector is often more efficient, faster, and able to function at a lower cost than the government. Different vendors can work independently to resolve a single problem, in a competitive process that can result in the best solutions for government and other customers. As the development of military technology increasingly becomes the province of private contractors instead of governments, these technologies will very likely flow to other countries that are willing to pay for them. Countries that do not embrace the outsourcing trend will not be able to keep up with other countries that possess the latest technologies available in the marketplace. Their capacity to retain military prowess, especially in cyberwar, will be challenged (Carafano, 2005). Reference: Carafano, J. J. (2005, September 6). Sustaining military capabilities in the 21st century: Rethinking the utility of the principles of war. Retrieved from Heritage Foundation Web site: http://www.heritage.org/Research/Lecture/Sustaining-Military-Capabilities-in-the-21st-Century-Rethinking- the-Utility-of-the-Principles-of-War
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 32 of 38
Topic 5: Organizations: Roles and Responsibilities
Role of International Organizations
Over the past few centuries, new technology has changed the face of warfare. With the advent of the Internet, cyberwarfare has become the latest threat to security. International organizations like the United Nations (UN) and North Atlantic Treaty Organization (NATO) are debating the effect of cyberwar and the appropriate responses to cyberattacks. As cyberattacks are not covered under the Geneva Conventions and there is no formal agreement among nations, limitations on cyberwar and international protocols of engagement are not defined.
Activity Read and analyze each fictitious scenario, and answer the related questions. Question 1: A country has been under cyberattack by a known and highly capable adversary. The government has talked for a long time about treating cyberwarfare the same as it would treat kinetic warfare. What kind of effective counterattack can it mount? a. Kinetic warfare b. Offensive cyberwarfare c. A blended attack using both kinetic warfare and cyberwarfare d. Disconnect the country's Internet connection
Correct Answer: Options a, b, and c Feedback for Correct Answer: The response would differ depending on the severity of the cyberattack. For example, if the cyberattack is against a water system, and it results in the loss of 50,000 lives, a decision might be made to not only initiate a cyberattack but also to include a kinetic strike against the facility that initiated the action. Conversely, if an attack results exclusively in damage to data, the response might be entirely cyber. Feedback for Incorrect Answer: Disconnecting the country's Internet connection would not be an effective measure to use in the case of launching a cyberattack. As a cyberattack would require utilizing the Internet, and if you disconnect from the Internet this would be view solely as a defensive maneuver. The response would differ depending on the severity of the cyberattack. For example, if the cyberattack is against a water system, and it results in the loss of 50,000 lives, a decision might be made to not only initiate a cyberattack but also to include a kinetic strike against the facility that initiated the action. Conversely, if an attack results exclusively in damage to data, the response might be entirely cyber.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 33 of 38
Question 2: You are a member of the team evaluating the decision-making process related to disaster recovery. Which of the following information and/or technologies would you need most? a. Blueprints of the facility that was attacked b. Advanced disaster management plans c. A smartphone d. A backup copy of your computer's data
Correct Answer: Option b Feedback: Having advance plans in place that are based on different scenarios will help your team make the right decision more quickly. Question 3: Hurricane Helen is just beginning to make landfall. For the past five days, the weather service has been saying that this storm is going to hit land with Category 5 force. Which function of the weather service is best equipped to deal with the media? a. Legal counsel b. Information Systems Department c. Public relations d. Executive management e. Office of the Chief Meteorologist Correct Answer: Option c Feedback: The weather service's public relations function is best-suited to deal with the media. The office of the chief meteorologist, the executive management, or the information systems department shouldn't deal with media because this is not their area of expertise. The best organizational unit to deal with the media is the public relations group since this is a professionally trained group that knows what to say, as well as what not to say during a cybersecurity incident. Question 4: You work for Herbert & Sons, a local consulting firm, and you have been hired to develop a BCP for a large community hospital. What information should not be included in the BCP? a. Test plans b. System interdependencies c. Staff assignments and responsibilities d. Capital cost of capital expenditures by fiscal year Correct Answer: Option d Feedback: Cost calculations about capital expenditures should not be included in the BCP. These cost calculations would instead be included in the planning and budgeting processes. Capital cost expenditures are one-time costs that are normally depreciated over the individual asset’s useful life. For accounting purposes, this is normally done over a 2-10 year period of time.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 34 of 38
Question 5: Which of the following items is not true of a successful BCP process? a. The BCP is updated regularly as part of a living process. b. The BCP focuses on critical business processes. c. The BCP excludes relationships with external service providers. d. The BCP is tested regularly. Correct Answer: Option c Feedback: A well-written and comprehensive BCP should be updated as part of an ongoing process, and it should include adequate information about the organization's relationships with key external service providers. The BCP should also be tested regularly. Question 6: Which of the following items should be part of a BIA? a. Acceptable recovery times for each system b. Interdependencies between individual systems c. CISO responsibilities for incident response d. Manual processes that can be initiated if systems are down for a long time Correct Answer: Options a, b, and d Feedback: Along with acceptable recovery times and interdependencies for each system, manual processes that can be initiated for each system if it is down should be a part of the BIA. The CISO's responsibilities for incident response are not part of a business impact analysis. These responsibilities would typically be outlined in the CISO's job description as well as the organization's business continuity and disaster recovery plans. Question 7: Which of the following options is not considered an offensive cybertechnology? a. DDoS b. Viruses c. Worms d. Dedicated firewalls Correct Answer: Option d Feedback: DDoS, viruses, and worms have offensive capabilities. A dedicated firewall has defensive capability. Question 8: Which of the following options is not a role of the federal government as it relates to cybersecurity? a. Maintaining civil order b. Reviewing the BCPs of Fortune 500 companies c. Maintaining resilient public critical infrastructures d. Debating and enacting laws about cybersecurity Correct Answer: Option b
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 35 of 38
Feedback: Reviewing the BCPs of Fortune 500 companies is not the government's responsibility. All of the other options are key federal government functions.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 36 of 38
Topic 6: Summary
We have come to the end of Module 4. The key concepts covered in this module are listed below.
After a cyberattack, organizational decision making and response to the attack is critical in getting an organization through the incident and back to normal. For most companies, the response will include mitigating and remediating the loss caused by the attack.
The process of handling a cyberattack generally includes prevention, defense, detection, recovery, and response. All facets of an organization, including technical members and leaders, should work together to make the right decisions.
Business continuity and disaster recovery plans help companies to deal effectively with cyberthreats and security incidents. A well-developed plan will identify the potential threats to the company, and provide adequate support for prevention and recovery in the event of an incident.
The main responsibility of a company's leadership in the event of a cyberattack is to protect confidential information and information systems while ensuring business continuity.
A strong crisis management team will plan far in advance of an event, with team members who have the skills to perform their duties. The crisis management team normally includes members from various key departments.
The steps of a solid Business Continuity Plan (BCP), along with the planning process, include identification, assessment, prioritization, management, and mitigation of risk.
The first step in the BCP process is the Business Impact Analysis (BIA). Companies perform BIAs in order to determine the priority of business functions that need to be restored in the event of a crisis.
Many countries have developed cyberattack capabilities. As it is difficult to gauge the true capabilities of potential enemies, countries need to prepare for worst- case scenarios.
Private-sector firms currently assist traditional war operations in areas ranging from training to logistics. Private companies' flexibility with resources can help them meet critical demands with dedicated expertise during a cyberemergency.
Private companies around the world are now engaged in developing cyberwarfare technologies. Public-private partnerships have been successful over the years, as they perform specialized functions that harness the capabilities of each sector.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 37 of 38
The private sector's contribution to advances in cybertechnology is bound to have a tremendous impact on the future of cyberwarfare. The market for such technology is not limited by borders or nationalities.
UMUC Cybersecurity Capstone CSEC670
© UMUC 2012 Page 38 of 38
Glossary
Term Definition
Business Continuity Business continuity is ensured by running a parallel line of business operations from an alternative geographic location. This parallel operation may also house a backup of the company's valuable data. Business continuity allows uninterrupted workflow and customer service in the event of a crisis or attack.
Business Continuity Plan (BCP)
A Business Continuity Plan (BCP) guarantees that the company can function normally in times of crisis, such as following natural disasters, IT crashes, deliberate destruction, and power failures.
Business Impact Analysis (BIA)
A Business Impact Analysis (BIA) is a three-step process that organizations use to calculate the qualitative and quantitative impact crises can have on them. The crises can have human or natural origins. With information from a BIA, an organization can refine its growth strategies, risk management, and cybersecurity infrastructure.
Denial of Service (DoS) Attack
Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks use "zombie" servers to flood a target site with large volumes of traffic. This flood of traffic consumes the target site's network or system resources and denies access to legitimate users.
Disaster Recovery Plan A disaster recovery plan is a comprehensive plan for enabling a company to resume work quickly in the wake of a disaster or damage to IT infrastructure.
Electromagnetic Pulse (EMP) Weapons
Electromagnetic Pulse (EMP) weapons disable electronics over wide areas by imitating the gamma-ray pulse caused by a nuclear explosion. These weapons are currently designed to knock out electronic equipment and possibly even affect humans.
Service Level Agreement (SLA)
A Service Level Agreement (SLA) is a contract between a customer and an IT service provider. It lists all the work tasks outsourced to the provider and the output the provider is expected to deliver.
National Cybersecurity and Communications Integration Center (NCCIC)
The Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC) is a "watch and warning" center with 24/7 capabilities for emergency communications related to cybersecurity.
National Cyber Response Coordination Group (NCRCG)
The National Cyber Response Coordination Group (NCRCG), composed of 13 federal agencies, serves as the leading disseminator of information and responses among government agencies following a cyberincident.