Cyber Attacks: Protecting National Infrastructure, 1st ed.
Chapter 5 – Commonality
Copyright © 2012, Elsevier Inc. All Rights Reserved
Introduction
• Certain security attributes must be present in all aspects and areas of national infrastructure to ensure maximum resilience against attack
• Best practices, standards, and audits establish a low-water mark for all relevant organizations
• Audits must be both meaningful and measurable
– Often the most measurable things aren’t all that meaningful
Introduction
• Common security-related best practice standards
– Federal Information Security Management Act (FISMA)
– Health Insurance Portability and Accountability Act (HIPAA)
– Payment Card Industry Data Security Standard (PCI DSS)
– ISO/IEC 27000 Standard (ISO27K)
Fig. 5.1 – Illustrative security audits for two organizations
Fig. 5.2 – Relationship between meaningful and measurable requirements
Meaningful Best Practices for Infrastructure Protection
• The primary motivation for proper infrastructure protection should be success-based and economic
– Not the audit score
• Security of critical components relies on
– Step #1: Standard audit
– Step #2: World-class focus
• Sometimes security audit standards and best practices proven through experience are in conflict
Fig. 5.3 – Methodology to achieve world-class infrastructure protection practices
Locally Relevant and Appropriate Security Policy
• Four basic security policy considerations are recommended
– Enforceable: Policies without enforcement are not valuable
– Small: Keep it simple and current
– Online: Policy information needs to be online and searchable
– Inclusive: Good policy requires analysis in order to include computing and networking elements in the local national infrastructure environment
Fig. 5.4 – Decision process for security policy analysis
Culture of Security Protection
• Create an organizational culture of security protection
• A culture of security is one where standard operating procedures provide a secure environment
• The ideal environment marries creativity and interest in new technologies with caution and a healthy aversion to risk