11 Copyright © 2012, Elsevier Inc. All Rights Reserved Chapter 1 Introduction Cyber Attacks Protecting National Infrastructure, 1st ed. 2 • National infrastructure – Refers to the complex, underlying delivery and support systems for all large-scale services considered absolutely essential to a nation • Conventional approach to cyber security not enough • New approach needed – Combining best elements of existing security techniques with challenges that face complex, large-scale national services Copyright © 2012, Elsevier Inc. All rights Reserved C h a p te r 1 – In tro d u c tio n Introduction 3 Copyright © 2012, Elsevier Inc. All rights Reserved C h a p te r 1 – In tro d u c tio n Fig. 1.1 – National infrastructure cyber and physical attacks 4 Copyright © 2012, Elsevier Inc. All rights Reserved C h a p te r 1 – In tro d u c tio n Fig. 1.2 – Differences between small- and large-scale cyber security 5 Copyright © 2012, Elsevier Inc. All rights Reserved C h a p te r 1 – In tro d u c tio n• Three types of malicious adversaries – External adversary – Internal adversary – Supplier adversary National Cyber Threats, Vulnerabilities, and Attacks 6 Copyright © 2012, Elsevier Inc. All rights Reserved C h a p te r 1 – In tro d u c tio n Fig. 1.3 – Adversaries and exploitation points in national infrastructure 7 Copyright © 2012, Elsevier Inc. All rights Reserved C h a p te r 1 – In tro d u c tio n• Three exploitation points – Remote access – System administration and normal usage – Supply chain National Cyber Threats, Vulnerabilities, and Attacks 8 Copyright © 2012, Elsevier Inc. All rights Reserved C h a p te r 1 – In tro d u c tio n• Infrastructure threatened by most common security concerns: – Confidentiality – Integrity – Availability – Theft National Cyber Threats, Vulnerabilities, and Attacks 9 Copyright © 2012, Elsevier Inc. All rights Reserved C h a p te r 1 – In tro d u c tio n Botnet Threat • What is a botnet attack? – The remote collection of compromised end-user machines (usually broadband-connected PCs) is used to attack a target. – Sources of attack are scattered and difficult to identify – Five entities that comprise botnet attack: botnet operator, botnet controller, collection of bots, botnot software drop, botnet target 10 Copyright © 2012, Elsevier Inc. All rights Reserved C h a p te r 1 – In tro d u c tio n • Five entities that comprise botnet attack: – Botnet operator – Botnet controller – Collection of bots – Botnot software drop – Botnet target • Distributed denial of service (DDOS) attack: bots create “cyber traffic jam” Botnet Threat 11 Copyright © 2012, Elsevier Inc. All rights Reserved C h a p te r 1 – In tro d u c tio n Fig. 1.4 – Sample DDOS attack from a botnet 12 National Cyber Security Methodology Components Copyright © 2012, Elsevier In ...

1. 11
Copyright © 2012, Elsevier Inc.
All Rights Reserved
Chapter 1
Introduction
Cyber Attacks
Protecting National Infrastructure, 1st ed.
2
• National infrastructure
– Refers to the complex, underlying delivery and support
systems for all large-scale services considered absolutely
essential to a nation
• Conventional approach to cyber security not enough
• New approach needed
– Combining best elements of existing security techniques
with challenges that face complex, large-scale national
services
Copyright © 2012, Elsevier Inc.

2. All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n
Introduction
3
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p

3. te
r 1
–
In
tro
d
u
c
tio
n
Fig. 1.1 – National infrastructure
cyber and physical attacks
4
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In

4. tro
d
u
c
tio
n
Fig. 1.2 – Differences between
small- and large-scale cyber security
5
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio

5. n• Three types of malicious adversaries
– External adversary
– Internal adversary
– Supplier adversary
National Cyber Threats,
Vulnerabilities, and Attacks
6
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio

6. n
Fig. 1.3 – Adversaries and
exploitation points in national
infrastructure
7
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n• Three exploitation points
– Remote access
– System administration and normal usage

7. – Supply chain
National Cyber Threats,
Vulnerabilities, and Attacks
8
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n• Infrastructure threatened by most common security
concerns:
– Confidentiality

8. – Integrity
– Availability
– Theft
National Cyber Threats,
Vulnerabilities, and Attacks
9
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n

9. Botnet Threat
• What is a botnet attack?
– The remote collection of compromised end-user machines
(usually broadband-connected PCs) is used to attack a
target.
– Sources of attack are scattered and difficult to identify
– Five entities that comprise botnet attack: botnet operator,
botnet controller, collection of bots, botnot software drop,
botnet target
10
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u

10. c
tio
n
• Five entities that comprise botnet attack:
– Botnet operator
– Botnet controller
– Collection of bots
– Botnot software drop
– Botnet target
• Distributed denial of service (DDOS) attack: bots
create “cyber traffic jam”
Botnet Threat
11
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te

11. r 1
–
In
tro
d
u
c
tio
n
Fig. 1.4 – Sample DDOS attack from a
botnet
12
National Cyber Security
Methodology Components
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–

12. In
tro
d
u
c
tio
n• Ten basic design and operation principles:
– Deception – Discretion
– Separation – Collection
– Diversity – Correlation
– Commonality – Awareness
– Depth – Response
13
• Deliberately introducing misleading functionality or
misinformation for the purpose of tricking an
adversary
– Computer scientists call this functionality a honey pot
• Deception enables forensic analysis of intruder
activity
• The acknowledged use of deception may be a
deterrent to intruders (every vulnerability may
actually be a trap)

13. Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n
Deception
14
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a

14. p
te
r 1
–
In
tro
d
u
c
tio
n
Fig. 1.5 – Components of an interface
with deception
15
• Separation involves enforced access policy
restrictions on users and resources in a computing
environment
• Most companies use enterprise firewalls, which are
complemented by the following:
– Authentication and identity management
– Logical access controls
– LAN controls

15. – Firewalls
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n
Separation
16
Fig. 1.6 – Firewall enhancements for
national infrastructure
Copyright © 2012, Elsevier Inc.

16. All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n
17
• Diversity is the principle of using technology and
systems that are intentionally different in substantive
ways.
• Diversity hard to implement
– A single software vendor tends to dominate the PC
operating system business landscape
– Diversity conflicts with organizational goals of simplifying
supplier and vendor relationships

17. Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n
Diversity
18
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h

18. a
p
te
r 1
–
In
tro
d
u
c
tio
n
Fig. 1.7 – Introducing diversity to
national infrastructure
19
• Consistency involves uniform attention to security
best practices across national infrastructure
components
• Greatest challenge involves auditing
• A national standard is needed
Copyright © 2012, Elsevier Inc.
All rights Reserved

19. C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n
Commonality
20
• Depth involves using multiple security layers to
protect national infrastructure assets
• Defense layers are maximized by using a combination
of functional and procedural controls
Copyright © 2012, Elsevier Inc.
All rights Reserved
C

20. h
a
p
te
r 1
–
In
tro
d
u
c
tio
n
Depth
21
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–

21. In
tro
d
u
c
tio
n
Fig. 1.8 – National infrastructure
security through defense in depth
22
• Discretion involves individuals and groups making
good decisions to obscure sensitive information
about national infrastructure
• This is not the same as “security through obscurity”
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–

22. In
tro
d
u
c
tio
n
Discretion
23
• Collection involves automated gathering of system-
related information about national infrastructure to
enable security analysis
• Data is processed by a security information
management system.
• Operational challenges
– What type of information should be collected?
– How much information should be collected?
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a

23. p
te
r 1
–
In
tro
d
u
c
tio
n
Collection
24
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In

24. tro
d
u
c
tio
n
Fig. 1.9 – Collecting national
infrastructure-related security
information
25
• Correlation involves a specific type of analysis that
can be performed on factors related to national
infrastructure protection
– This type of comparison-oriented analysis is indispensable
• Past initiatives included real-time correlation of data
at fusion center
– Difficult to implement
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te

25. r 1
–
In
tro
d
u
c
tio
n
Correlation
26
Fig. 1.10 – National infrastructure high-
level correlation approach
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–

26. In
tro
d
u
c
tio
n
27
• Awareness involves an organization understanding
the differences between observed and normal status
in national infrastructure
• Most agree on the need for awareness, but how can
awareness be achieved?
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro

27. d
u
c
tio
n
Awareness
28
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n

28. Fig. 1.11 – Real-time situation
awareness process flow
29
• Response involves the assurance that processes are
in place to react to any security-related indicator
– Indicators should flow from the awareness layer
• Current practice in smaller corporate environments
of reducing “false positives” by waiting to confirm
disaster is not acceptable for national infrastructure
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio

29. n
Response
30
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n
Fig. 1.12 – National infrastructure
security response approach

30. 31
• Commissions and groups
• Information sharing
• International cooperation
• Technical and operational costs
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
–
In
tro
d
u
c
tio
n
Implementing the Principles
Nationally