From Rejection to a New Hypothesis .......... 12
A New Disciplinary Construct for Cybersecurity .......... 13
Topic 5: The Analogous Asymmetric Threat of Terrorism .......... 15
The Impact of 9/11 .......... 15
Findings of the 9/11 Commission .......... 17
The Westphalian Model .......... 18
Topic 6: Defense-in-Depth Strategy .......... 21
Defense in Depth in Cybersecurity .......... 21
A New Disciplinary Construct .......... 23
Topic 7: Moving from a Static to a Dynamic Paradigm .......... 31
Legacy Frameworks .......... 31
A Dynamic Strategy for an Asymmetric Threat
positions in both the private and public sector. He pioneered a cybersecurity consulting business in which he advised CEOs of top companies. He also consulted with the White House several times as a cybersecurity expert. Although he is retired, Jonathan still maintains an office at his company and keeps abreast of events in the cyberworld. On this morning, November 9, he is in for a surprise as he clicks on his tablet to check the stock market.

Disclaimer: The storyline and characters in this part of the module are fictitious and were developed for the purposes of this course. No association with any real person, places, or events is intended or should be inferred from the use of the fictitious names.

Scenario
Jonathan is taken by surprise as he scans the headlines on his tablet. He follows the link to read the full story.

Digital Pearl Harbor; Stock Markets Crash!

Otto Processing Systems, the provider of back office transaction processing to almost 92 percent of U.S. financial institutions during the past 10 years, is under a cyberattack. Otto, a third-party service provider, is the leader in technologies used in banking and financial institutions. Otto has been processing all its transactions over the Internet using Secure Sockets Layer (SSL), and it is this security technology that has been compromised in the cyberattack. The Anarchists, a self-described social action group, have claimed responsibility for the attack. For some time now, the Anarchists have been protesting the high salaries paid to Wall Street executives and traders.

As part of their protest, they have now cracked the encryption in Otto’s SSL. Experts say that this attack constitutes a major cybersecurity issue with the potential to shut down a significant portion of America's financial services sector, one of the nation's critical infrastructures. While the full impact of the cyberattack has not yet been determined, the president of the United States has declared the incident to be a threat to national security. In a television broadcast, he stated that the security breach could lead to the financial services sector lacking confidence in the authenticity of its trading data.

As Jonathan digests this disturbing news, his cell phone rings. It is Jonathan's colleague and friend, Tom Baines, who works for the federal government in a national security role.
UMUC
Cybersecurity Capstone
CSEC670
culture, and politics have also played prominent roles in influencing history during periods of revolutionary change.

Similarly, the Internet age has been changing society for almost two decades now. The ever-multiplying technologies, increased bandwidth and speed, and advanced networking are features of the Internet revolution. From communications to advertising, from content delivery to gadgets, and now in the Smart Grid, changes in Internet-based technologies keep altering how we view our lives.

Recently, however, cybersecurity concerns have emerged as a prominent aspect of the Internet age. With increasing Internet access, cyberthreats have become national security dangers that can jeopardize economic prosperity. Understanding our evolving Internet-based society helps us address cybersecurity concerns. Cybersecurity has several components, such as national security, law enforcement, intelligence, intellectual property, privacy, and public-private partnerships. Understanding cyberspace in the context of these related concerns raises the question of whether legacy frameworks of these related spheres are appropriate and effective for cyberspace.

The challenge of keeping the Internet trustworthy requires a full study of the prevailing governance frameworks. Fortunately, the Internet revolution follows earlier periods of revolutionary change. This module will cover some effective
and interrelationships. Fundamental elements must often be refashioned to address the needs that emerge during periods of revolutionary change.

Darwin's Theory of Evolution
Charles Darwin is known for his theories of evolution and common ancestry. He proposed the theory of natural selection, which rejected earlier concepts of transmutation of species. His studies were met with a great deal of resistance and his works were violently attacked. However, in the face of all opposition, he was able to bring about a scientific revolution.

Copernicus' Theory of Heliocentricity
When Nicolaus Copernicus proposed his theory of heliocentricity, countering the Roman Catholic Church's view that the Earth was at the center of the universe, he created a furor. Copernicus held instead that the Earth revolves around the Sun. Copernicus created a revolution in astronomy. After many years of scientific research and experiments, it was proven that Copernicus was indeed correct.

Air Power
In order to realize the potential of air power—the use of aircraft in war—new munitions and ballistic research were needed. Warships and ground systems had to be modified to defend against new airborne weapons. Brig. Gen. Billy Mitchell of the U.S. Army famously championed the emergence of air power with a demonstration in 1921 in which
and other downstream product users from harm.

Internet Age
Changes to business enterprises in response to the commercialization and growth of the Internet demonstrate that the Internet age is a period of revolutionary change. One indication of the change is linguistic. Terms such as Internet, cyber, e-, and brick and mortar are descriptors that seek to capture new ideas. For example, brick and mortar emerged to describe a legacy business model, in contrast to e-commerce.

In distinguishing brick and mortar from e-commerce, what emerges is not just a new lexicon, but also a fundamentally different mode of business. This new business mode is what created the need for the new lexicon.

The Internet age has brought about a revolution in the ways we communicate with each other, do our shopping, pursue our daily activities, and conduct business. The methods we use to buy airline tickets, make hotel reservations, register for college courses, and order pizza have all changed in a fundamental way.
on negligence theory.

Step 5
This redress mechanism for victims of harm demonstrates how a period of revolutionary change—the Industrial Revolution—caused structures within society to change.

Question for Industrial Revolution
What were the effects of the Industrial Revolution on society and business processes?
a. Altered manufacturing processes
b. Improved distribution methods
c. Reduced profits for companies
d. Reduced profit incentives for businesses
Correct Answer: Options a and b
Feedback:
The Industrial Revolution enhanced manufacturing processes and distribution methods. Neither profits nor incentives were reduced as a result of the Industrial Revolution.

The Westphalian Nation-State Model
After the Thirty Years' War (1618-1648) in Europe, the Westphalian nation-state model was developed. After decades of fighting, a system of sovereignty and nation-state boundaries emerged that was known as the Peace of Westphalia. Fiefdoms died out, and modern countries began to emerge. An international framework aimed at security through the sovereignty principle was established in hopes that each nation would respect this vision.
sovereignty.

Internet Age
Major technological and social changes over the years include air travel, nuclear power, freedom movements, the aerospace industry, and now, the Internet.

The changes that have been brought about by the Internet are actually more fundamental and universal than any that have come before. The Internet has influenced business models, increased efficiencies, and transformed industries. Examples of this include the Smart Grid in the energy sector and digital trading in the financial services industry.

Music
Delivery of media content, such as music and videos, has moved from in-store sales to online sales and on-demand video delivery. The Internet has revolutionized the way we perceive media.

Mobile
Mobile communication has taken the world by storm. An amazing range of cell phones is being offered at ever-lower costs while simultaneously incorporating more and more features.

Newspaper
Print media, such as newspapers and magazines, have seen their circulation and profitability decrease. Many people no longer receive home
that manifests at a certain level of complexity, society's adaptability mechanisms are ill-suited for recognizing when the status quo is being tilted. Societal frameworks facilitate order and tranquility, and therefore, they may actually be part of the problem in that they can delay recognition that revolutionary change is occurring. The frameworks and processes under a status quo need refining or even transformation after a revolutionary change.

Kuhn's View
In 1962, Thomas Kuhn wrote a book titled The Structure of Scientific Revolutions. Its subject is the dynamics of new field emergence. His influential work about the progress of science introduced a new model for understanding the dynamics of fundamental change.

Kuhn's view is that only after a new domain has fully emerged do paradigm changes make themselves apparent to society. Once the emergence of the new domain is understood, science can assess issues within new frameworks, using new formulas, theorems, and problem-solving constructs that may not have previously existed. Kuhn's work suggests that a domain must be accepted before beneficial scientific work can begin. Acceptance is required to appreciate the existence of a new discipline, thus allowing the development of a new status quo and rule-body.

Reference: Kuhn, Thomas S. The Structure of Scientific Revolutions. 3rd ed. Chicago, IL: University of Chicago Press, 1996.
The Kuhn Cycle
Phases of Kuhn's Cycle

Normal Science
In phase one, normal science, scientists can be found working on normal, small, incremental improvements in their fields. For instance, the mobile phone industry began by manufacturing short-range car phones. Years down the line, we now have 3G cell phones and 4G smartphones. In cybersecurity, initial hacking tactics involved Web site defacements. Improved security practices and technologies emerged to address this challenge. Web site defacements, however, are a comparatively low-level threat compared to modern advanced persistent threats.

Model Drift
In phase two, model drift occurs when the original model can no longer support changes. For example, in the field of cybersecurity, Ethernet replaced ARCNET, an older LAN protocol, because of modernization of computer network devices.

Model Crisis
In phase three, model crisis occurs when an old model is not able to sustain itself. For instance, in cybersecurity, some people have come to believe that the conventional use
about crime? Is it about national security? Is it purely a technical problem for network technicians? Cybersecurity can be considered a discipline, a field that incorporates strategy, function, and a variety of other features and components.

Viewed through Kuhn's perspective, cybersecurity represents a revolutionary change, and new disciplinary constructs must emerge so the cybersecurity challenge can be met effectively.

A New Approach
While multidisciplinary approaches are emerging, the typical cybersecurity incident is thought of as "a problem for the IT guy." Cybersecurity is not merely a technological problem; it is a multidisciplinary problem, requiring more than one area of expertise in order to find solutions. The White House's 60-day Cyberspace Policy Review is an example of a multidisciplinary approach. Similarly, U.S. Cyber Command (CYBERCOM) has been established as an operational command in charge of military cybersecurity efforts. Additionally, the National Institute of Standards and Technology (NIST) is pursuing a risk management approach that is quite different from the notion of securing cyberspace.

These efforts demonstrate the beginning of a wider understanding that cybersecurity presents a problem beyond the capability and authority of an organization's IT
each of these areas of concern as functional components of the discipline. Moreover, modern cybersecurity challenges present an operational dynamic. Therefore, planning for cybersecurity defenses is akin to planning military operations. An adversary is likely to probe for weak points; therefore, a defender must use risk management planning techniques and be agile in order to respond to attacks.

A disciplinary construct for cybersecurity that incorporates its many components can act as a method for comprehensively addressing the revolutionary changes that are occurring in cyberspace.

Question
A federal agency is planning to create a specialized department to monitor e-mail messages. The department will determine potential malicious communication and the information exchange among its employees and external entities. The agency is wary of terror attacks during communication exchange with external private agencies. Prevention of terrorist attacks and organized crime in money laundering tops the agency's list. The department is required to store massive amounts of data in a highly secure manner. Additionally, an entire legal framework has to be created to ensure that the collection of this data is done in a legally sound manner.

The agency has given you the following draft list of aspects on which the cybersecurity plan could focus. Your boss asks you to narrow the list to those aspects that would be most appropriate for the plan to focus upon.

Options
a. Integrity because unauthorized individuals or systems should be unable to modify the information being exchanged
b. Personal privacy because it is an important aspect of cybersecurity and related to e-mail communication
c. Information sharing because information exchanged between agencies would be strategic in nature
d. Confidentiality because only authorized individuals or systems should access certain types of information
e. National security because information being exchanged is related to the government and will be of a classified nature
f. Risk mitigation because it is an important aspect of cybersecurity since national security cannot be compromised
Static defenses in a network await attacks from anonymous, unseen vectors, cloaked by proxy servers and compromised bot networks. In this way, the Internet can enable an asymmetric attack that is similar to the blitzkrieg attack past the Maginot Line.

Step 3
Cybersecurity strategies must address these unseen vectors. Dynamic approaches and broad situational awareness are the hallmarks of a new strategy for defending against asymmetric threats.

Presidential Decision Directive
The threat to interconnected networks was recognized during the Clinton administration. In 1998, Presidential Decision Directive 63 (PDD-63) was signed. Well before the evolution of cyberthreats as we now know them, PDD-63 stated:

As a result of advances in information technology and the necessity of improved efficiency, however, [nation critical] infrastructures have become increasingly automated and interlinked. These same advances have created new vulnerabilities to equipment failure, human error, weather and other natural causes, and physical and cyberattacks. Addressing these vulnerabilities will necessarily require flexible, evolutionary approaches that span both the public and private sectors, and protect both domestic and international security (The White House, 1998, p. 1).
our Nation's critical infrastructure and key resources against terrorist acts (The White House, 2003).

Reference: The White House. (2003, December 17). Homeland Security Presidential Directive 7. Retrieved from the U.S. Department of Homeland Security Web site: http://www.dhs.gov/xabout/laws/gc_1214597989952.shtm

The secretary of homeland security was charged with coordinating the nation's efforts to protect critical infrastructure. HSPD-7 established a sector approach to accomplish its mission. Government agencies in particular sectors were responsible for coordinating and implementing the National Infrastructure Protection Plan (NIPP) within those sectors.

The sector approach enabled a degree of integration between the public and private sectors with respect to cybersecurity. However, the challenge of this strategy lies in adequately addressing asymmetric threats that can exploit unguarded weak spots across sectors. That is, while the government was organizing vertically, threats could appear horizontally across the verticals. Indeed, that is the very nature of an asymmetric threat.
today. Instead of facing a few very dangerous adversaries, the United States confronts a number of less visible challenges that surpass the boundaries of traditional nation-states and call for quick, imaginative, and agile responses (9/11 Commission, 2004, p. 399).

Finding 2
We recommend significant changes in the organization of the government. We know that the quality of the people is more important than the quality of the wiring diagrams (9/11 Commission, 2004, p. 399).

Finding 3
The importance of integrated, all-source analysis cannot be overstated. Without it, it is not possible to "connect the dots." No one component holds all the relevant information (9/11 Commission, 2004, p. 408).

Finding 4
We propose that information be shared horizontally, across new networks that transcend individual agencies (9/11 Commission, 2004, p. 418).

Reference: National Commission on Terrorist Attacks upon the United States (9/11 Commission). (2004, July 22). The 9/11 Commission report. Retrieved from http://www.9-11commission.gov/report/index.htm
countries from which they operate.

Shield from Outside Interference
The Westphalian international system effectively insulates the world from effective cybersecurity. The horizontal mechanisms needed to combat asymmetric threats are difficult to establish under this structure. A universal right to violate the sovereignty principle in the interest of upholding a higher principle—protecting the Internet—would have to emerge in order to enable the 9/11 Commission's findings to be effective in the Westphalian model.

Try This!
The quotations presented here come from the 9/11 Commission Report. Select the best-known outcome of each quoted recommendation.

Recommendation 1
As presently configured, the national security institutions of the U.S. government are still the institutions constructed to win the Cold War. The United States confronts a very different world today. Instead of facing a few very dangerous adversaries, the United States confronts a number of less visible challenges that surpass the boundaries of traditional nation-states and call for quick, imaginative, and agile responses (9/11 Commission, 2004, p. 399).

Reference: National Commission on Terrorist Attacks upon the United States (9/11 Commission).
2004, p. 399).

Reference: National Commission on Terrorist Attacks upon the United States (9/11 Commission). (2004, July 22). The 9/11 Commission report. Retrieved from http://www.9-11commission.gov/report/index.htm

Options
a. Increasing the use of contractors at the National Security Agency
b. Sharing intelligence with our allies
c. Increasing research and development funding for cybersecurity
d. Establishing the Department of Homeland Security
Correct Answer: Option d
Feedback:
Establishing the Department of Homeland Security (DHS) was a recommendation of the 9/11 Commission.

Recommendation 3
The importance of integrated, all-source analysis cannot be overstated. Without it, it is not possible to 'connect the dots.' No one component holds all the relevant information (9/11 Commission, 2004, p. 408).

Reference: National Commission on Terrorist Attacks upon the United States (9/11 Commission). (2004, July 22). The 9/11 Commission report. Retrieved from http://www.9-11commission.gov/report/index.htm

Options
a. Hiring more intelligence analysts
b. Establishing the Office of the Director of National Intelligence
c. Providing merit pay increases for employees at the CIA
d. Reducing the number of intelligence agents deciphering messages in uncommon and complex languages
Correct Answer: Option b
Feedback:
The establishment of the Office of the Director of National Intelligence (ODNI) resulted from the recommendations of the 9/11 Commission.
The U.S. government cannot meet its own obligations to the American people to prevent the entry of terrorists without a major effort to collaborate with other governments (9/11 Commission, 2004, p. 390).

Reference: National Commission on Terrorist Attacks upon the United States (9/11 Commission). (2004, July 22). The 9/11 Commission report. Retrieved from http://www.9-11commission.gov/report/index.htm

Options
a. Sharing only classified information with the private sector and with other levels of government
b. Sharing more information with the United Kingdom and Canada
c. Increasing the use of e-mail across the government
d. Developing new diplomatic relationships with adversaries of the United States
Correct Answer: Option b
Feedback:
The U.S. government has increased intelligence sharing with the United Kingdom and Canada, which are among the five English-
assess the continued viability of defense in depth. They determined that defense in depth had come to be understood in static terms, and network security features and applications were designed to ensure compliance rather than improve security. Their finding was that defense in depth was no longer viable. Instead, dynamic approaches were preferred.

Information security standards such as ISO 27001/27002 have created frameworks to enable design and security auditing, but there is a lack of real-time situational awareness among network defenders. Like the Maginot Line in France, many networks have static security features, whereas the asymmetric threat from cyberspace has become dynamic, persistent, and sophisticated.

Secure Network
Disclaimer: The storyline and characters in this part of the module are fictitious and were developed for the purposes of this course. No association with any real person, places, or events is intended or should be inferred from the use of the fictitious names.

Step 1
King William’s sources have warned him of an impending attack on his castle by the forces of his archenemy, King Edgar. King William has ordered the deployment of various defenses to protect his castle.
Defense in Depth in Cybersecurity
Defense in depth is not an obsolete methodology. The NITRD workshop pointed out a disconnect between the defense-in-depth concept "as applied" versus the concept "as intended." The strategy of defense in depth is intended to design controls and defenses at various belts or vulnerability points. This approach is similar to the risk management processes that have emerged from NIST and the Department of Defense. For example, host-based intrusion detection emerged under the defense-in-depth strategy. Host-based controls focus on a different vector and a different type of threat than gateway-associated controls and technologies.

Defense in depth is a useful concept for defending against an asymmetric threat. Determining the necessary depth and type of control requires a risk-based analysis. Dynamic planning in response to emerging conditions is the sort of methodology that works well when viewing cybersecurity as a discipline. For example, a defense-in-depth approach may require attention to a training control rather than a technological control. User training to defeat a certain tactic used by an adversary might prove more useful than a certain technology control. Approaching cybersecurity from a multidisciplinary mindset, one that considers policy, training, and strategy as complementary to security technology, is one way in which cybersecurity can be viewed as a new discipline.
Activity
Jonathan Brassard has investigated the case at Otto Processing Systems and its implications for national information security. He has recommended a defense-in-depth security strategy for the company. Identify the elements that Jonathan should include in his design of a defense-in-depth strategy for Otto Processing Systems.

Part 1
Which of the following controls should be considered when designing the defense-in-depth strategy for an organization like Otto Processing Systems? Arrange the controls in order of hierarchy to design a defense-in-depth strategy for Otto. (1 = Highest Priority; 6 = Lowest Priority)

Controls                               Order of Hierarchy
Internal Network Security
Vehicle Security
Perimeter Security
Policies, Procedures, and Awareness
Host Security
Power System Security
Personnel Security
Physical Security                      2
Data Security                          6

Feedback for Correct Answer:
In today's cybersecurity environment, organizations face a multitude of threats, most of which are not fully understood by all personnel in the organization. It is the chief information security officer's responsibility to educate management about the threats and to design an effective defense-in-depth strategy.

In order for this strategy to be truly effective, it is often layered. Some of the related controls are human factor-oriented, such as policies, procedures, and security awareness, while others are more technically oriented. This human-factor orientation is the reason why a hierarchical structure is important to the defense-in-depth strategy. Different controls are needed to counter different threats, providing a further reason to have a layered approach that places multiple effective countermeasures against their corresponding threats.

Feedback for Incorrect Answer:
While security does need to be in place for this type of system, the system itself is not part of the cybersecurity domain. Therefore, this system does not fit into the hierarchy of
Part 2
Defense in Depth
Here are the defense-in-depth controls in their order of hierarchy and the components they use.

Policies, Procedures, and Awareness
Policies, procedures, and awareness include various enterprise-wide controls that help employees understand the organization's overall security posture and the rationale for the controls. Examples of such controls are the corporate code of conduct and laptop encryption procedures.

Physical Security
Physical security includes controls like facility security and the use of biometric systems for access control. These controls are important because they can defeat such threats as an unwanted visitor entering the organization's premises and gaining access to high-security locations.

Perimeter Security
Perimeter security includes controls such as fencing systems and protective landscape devices. These controls are important because they help prevent criminals and undesirable visitors from entering the organization’s facilities.

Internal Network Security
Internal network security is a key technical component of most organizations’ cybersecurity plans. This category of controls includes countermeasures like network management systems that look for anomalies in user behavior, such as multiple unsuccessful logons and suspicious activity during non-business hours. This category of controls tries to prevent threats like network intrusions and hacker activities.
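As an added illustration that is not part of the original module, the following Python script implements the two behavioral anomalies named above, repeated unsuccessful logons and logons outside business hours, over constructed authentication log lines. The log format, the 08:00-17:59 weekday business-hours policy, and the five-failures-in-five-minutes threshold are assumptions made for this example.

```python
"""Detection logic for two anomalies named in the Internal Network Security
description: bursts of unsuccessful logons and activity during non-business
hours. The log format below is constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). One event per line:
# "<local ISO-8601 timestamp> <user> <source-ip> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2024-03-11T09:02:11 alice 10.0.1.25 LOGIN_OK
2024-03-11T09:05:40 bob 10.0.1.30 LOGIN_FAIL
2024-03-11T09:05:52 bob 10.0.1.30 LOGIN_FAIL
2024-03-11T09:06:03 bob 10.0.1.30 LOGIN_FAIL
2024-03-11T09:06:15 bob 10.0.1.30 LOGIN_FAIL
2024-03-11T09:06:27 bob 10.0.1.30 LOGIN_FAIL
2024-03-11T09:07:01 bob 10.0.1.30 LOGIN_OK
2024-03-11T14:21:09 carol 10.0.2.7 LOGIN_OK
2024-03-12T02:47:33 carol 10.0.2.7 LOGIN_OK
2024-03-16T11:15:00 dave 10.0.3.9 LOGIN_OK
"""

# Assumed policy values; a real deployment would take these from configuration.
BUSINESS_HOURS = range(8, 18)        # 08:00-17:59, Monday to Friday
FAIL_THRESHOLD = 5                   # failures that make a burst
FAIL_WINDOW = timedelta(minutes=5)   # sliding window for counting failures


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "outcome": outcome})
    return events


def detect_failed_logon_bursts(events):
    """Alert when a user accrues FAIL_THRESHOLD failures inside FAIL_WINDOW.

    A successful logon shortly after a burst is flagged on the alert, since
    that is the pattern a password-guessing attempt that worked leaves behind."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> failure timestamps in window
    last_alert = {}                       # user -> most recent burst alert
    for e in sorted(events, key=lambda e: e["ts"]):
        user = e["user"]
        if e["outcome"] == "LOGIN_OK":
            prior = last_alert.get(user)
            if prior and e["ts"] - prior["last_seen"] <= FAIL_WINDOW:
                prior["success_after_burst"] = True
            continue
        window = recent_failures[user]
        window.append(e["ts"])
        # slide the window: discard failures older than FAIL_WINDOW
        while window and e["ts"] - window[0] > FAIL_WINDOW:
            window.pop(0)
        if len(window) >= FAIL_THRESHOLD:
            alert = {"rule": "failed_logon_burst", "user": user, "ip": e["ip"],
                     "count": len(window), "last_seen": e["ts"],
                     "success_after_burst": False}
            alerts.append(alert)
            last_alert[user] = alert
            window.clear()   # one alert per burst, not one per extra failure
    return alerts


def detect_off_hours_activity(events):
    """Alert on successful logons on weekends or outside BUSINESS_HOURS."""
    alerts = []
    for e in events:
        ts = e["ts"]
        off_hours = ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS
        if e["outcome"] == "LOGIN_OK" and off_hours:
            alerts.append({"rule": "off_hours_logon", "user": e["user"],
                           "ip": e["ip"], "when": ts})
    return alerts


def run_detections(text):
    """Run both detections over a log and return the combined alert list."""
    events = parse_log(text)
    return detect_failed_logon_bursts(events) + detect_off_hours_activity(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

On the sample log this raises one burst alert for bob (five failures in under a minute, followed by a success) and two off-hours alerts (carol at 02:47 on a weekday, dave on a Saturday).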
Host Security
Host security is a technical aspect of defense in depth. It provides a number of important countermeasures. For example, it can help prevent threats arising from weak authentication mechanisms and zero-day attacks against the company's IT infrastructure.

Data Security
Data security is another critical element of a successful defense-in-depth strategy. The countermeasures in this category are designed to prevent data theft and leakage. Common controls in this domain include endpoint security mechanisms and secure protocols such as SSH.
Layer 2: Perimeter Security
Options
a. CCTV
b. Firewalls
c. Virtual private networks
d. Roving security patrols
Correct Answer: Options b and c
Feedback:
Within a network, firewalls and virtual private networks are two of the most popular types of perimeter security controls. In Otto’s business environment, CCTV and roving security patrols are not a common security practice based on the threats that they face; these types of controls would be considered excessive by most security professionals.

Layer 3: Internal Network Security
Options
a. Computer guards
b. Internal network security mechanisms
c. Network segments
d. Intrusion detection system
decline the use of SSH. If operating conditions change, these additional controls should be considered for implementation across the enterprise.

Layer 5: Server Hardening
Options
a. Hardening the operating system
b. Leaving the server in plain view
c. Not locking the closets where servers reside
d. Generating audit logs
Correct Answer: Options a and d
Feedback:
As part of an enterprise's defense-in-depth strategy, hardening the operating system and generating audit logs are important controls to consider when hardening a server. Leaving the server in plain view or not locking the closets are security vulnerabilities and are therefore not part of an enterprise's defense-in-depth strategy.
58. Implementing a research honeypot can provide valuable
research information, but it is
not an effective intrusion prevention or detection system.
Additionally, having employees
monitor every user sign-on is not a practical intrusion
prevention or detection procedure.
Layer 9: Patch Management
Options
a. Applying patches without performing testing beforehand
b. Critical upgrades
c. Security updates
d. Waiting until an attack occurs, and then installing vendor-
supplied patches
Correct Answer: Options b and c
Feedback:
Critical upgrades and security updates are both very powerful and commonly used controls in patch management.
Patches are software that needs to be tested just like a large software package to ensure its reliability, stability, security, and interoperability with other software applications. Therefore, applying patches without testing them beforehand is a risky IT practice. Waiting for an attack to occur is an unwise cybersecurity practice, as it puts the enterprise in a very dangerous position where systems will be damaged and even destroyed.
Category 3: Data Security
Layer 10: Data Security
Options
a. Using SSL
b. Using S-FTP
c. Using Telnet
d. Implementing IPSec
Correct Answer: Options a, b, and d
Feedback:
SSL, S-FTP, and IPSec are strong controls that enterprises use for defense in depth. Otto should not implement an insecure communications protocol such as Telnet, because this is not in fact a control; instead, it would add a vulnerability.
Layer 11: Applications and Data
Options
a. Assigning a full-time ISO to monitor data security
b. Providing all users with the same level of access
c. Access control lists
d. Strong password controls
Correct Answer: Options c and d
broad standard which describes security techniques, controls, threats, risks, and methods of organizing and coordinating information security in an enterprise. In January 2011, Lacey wrote that the product he produced, which became widely used within the industry, had become obsolete in the new Internet age.
Reference: Lacey, D. (2011, January 12). Security: Best practice or ancient ritual? Time to scrap ISO 27002 security standard says its author. Computerworld UK. Retrieved from http://www.computerworlduk.com/in-depth/security/3256436/security-best-practice-or-ancient-ritual/
Among information security practitioners, ISO 27001/27002 has been among the more robust standards. Many information security consultants and auditors use ISO 27001/27002 as their standard for compliance purposes. Lacey pointed out, though, that the standard is static. In essence, Lacey declared that his standard is not responsive to the dynamic, asymmetric nature of modern threats.
FISMA Standards
The federal government practices information security in accordance with the Federal Information Security Management Act (FISMA). Within FISMA, NIST is in charge of creating information security standards. The FISMA definition adopts the information security triad of Confidentiality, Integrity, and Availability (CIA). Thus, the federal government's approach to cybersecurity, at least in its statutory mandate, is to utilize the CIA triad.
House 60-day Cyberspace Policy Review that same year.
The 9/11 Commission was not drawn from the national security community, representatives of which authored the strategy documents listed above. In addition, the 9/11 Commission was formed to study a specific problem: how the 9/11 attacks occurred. Its charge was not to accept that the status quo functioned properly. Indeed, the purpose of the commission was to ascertain why national security systems failed.
9/11 Commission
Ponder This
The 9/11 attacks were asymmetric in nature, and asymmetric threats continue to exist today. The 9/11 Commission was set up after the attacks to uncover how they occurred and to recommend changes to address their root causes. What lessons can we learn from the 9/11 attacks that will help us combat asymmetric threats in the cyberworld?
Jonathan uses the findings of the 9/11 Commission when he talks to his team about the approach they need to adopt for their own commission.
Here is a transcript of the discussion Jonathan has with his team.
Jonathan: Hi, team. I think we should take a cue from the 9/11 Commission and their findings for how we conduct our research.
Jonathan: As you know, the 9/11 Commission focused on
over information sharing.
Team Member 2: This particular finding has tremendous application when it comes to dealing with an asymmetric threat from cyberspace.
Team Member 3: Countering terrorism requires extensive and effective information sharing.
Jonathan: Yes, so what I see is that we need to refashion cybersecurity approaches and start from scratch in much the same way the 9/11 Commission did.
Team Member 3: That means we need new fact-finding procedures to guarantee that all the dimensions of cybersecurity are fully understood.
Team Member 2: Yes, that step is imperative because the asymmetric nature of the threat mandates that we consider dynamic solutions.
Jonathan: OK, team, now let's look at another recommendation from the 9/11 Commission. This recommendation looks like it applies to improving situational awareness in order to meet the asymmetric threat.
Recommendation
"We propose that information be shared horizontally, across new networks that transcend individual agencies." (9/11 Commission, 2004, p. 418)
formation of nation-states, brought with them shifts in how society functioned. Similarly, the Internet age has brought a revolution in the ways we communicate with each other, do our shopping, pursue our daily activities, and conduct business.
With every major change, a paradigm shift occurs. Understanding this paradigm shift is made easier by Thomas Kuhn's work on the dynamics of new-field emergence. Kuhn's work suggests that a new scientific domain must gain acceptance before beneficial work in that domain can begin.
The Kuhn cycle can be used to explain the scientific analysis of a revolutionary change. The cycle has five phases: normal science, model drift, model crisis, model revolution, and paradigm shift.
As cybersecurity is largely undefined, new disciplinary constructs must emerge in order to meet the cybersecurity challenge effectively.
To address the cybersecurity challenge, horizontal information sharing is required among nations throughout the world.
The Westphalian nation-state model allows cyberattackers to enjoy both anonymity and sovereignty protection. Hackers can take refuge within their nations' borders. Thus, the Westphalian model prevents the effective implementation of cybersecurity.
The preferred method for designing secure networks is based on defense in depth. This method uses dynamic planning and risk-based analysis to counter asymmetric threats.
Defense in depth uses a layered approach that places multiple effective countermeasures against corresponding threats. It has a hierarchical structure with different controls to counter different threats.
Many information security consultants and auditors use ISO 27001/27002 as their standard for compliance purposes. However, this standard is static and is therefore unresponsive to dynamic threats.
e-Commerce System: An e-Commerce system is a system of commerce used for buying and selling products or providing services over the Internet.
Federal Information Security Management Act (FISMA): The Federal Information Security Management Act (FISMA) mandates that government agencies maintain information security risks at a minimum level by developing annual security reports, risk assessments, configuration guidelines, continuity plans, security policies, and inventories of systems.
Firewall: A firewall is the hardware or software that prevents unauthorized users from accessing a computer or a network.
Homeland Security Presidential Directives (HSPDs): HSPDs are directives issued by the president of the United States regarding homeland security.
National Institute of Standards and Technology (NIST): NIST exists within the Department of Commerce and works to promote innovation and competitiveness by developing standards and technology.
Public Key Infrastructure (PKI): Public Key Infrastructure (PKI) is a system that consists of hardware, software, policies, processes, and people that is used to manage and control the creation, use, and storage of public-private key pairs.
Secure Socket Layer (SSL): SSL is a standard security protocol that creates an encrypted link between a Web server and a Web browser to secure all data that passes between a Web site and a customer.
Short Paper/Case Study Analysis Rubric
Requirements of submission: Short paper assignments must follow these formatting guidelines: double spacing, 12-point Times New Roman font, one-inch margins, and discipline-appropriate citations. Page length requirements: 1-2 pages for undergraduate courses; 2-4 pages for graduate courses. Failure to adhere to these requirements of submission will result in the paper not being graded.
Refer to this link for viewing and printing Turnitin paper feedback.
Instructor Feedback: Students can find their feedback in the grade book as an attachment.
Critical Elements: each element is scored as Distinguished, Proficient, Emerging, or Not Evident, with the point range in parentheses and the element's total value listed.

Main Elements (25 points)
Distinguished (23-25): Includes all of the main elements and requirements and cites multiple examples to illustrate each element
Proficient (20-22): Includes most of the main elements and requirements and cites many examples to illustrate each element
Emerging (18-19): Includes some of the main elements and requirements
Not Evident (0-17): Does not include any of the main elements and requirements

Inquiry and Analysis (20 points)
Distinguished (18-20): Provides in-depth analysis that demonstrates complete understanding of multiple concepts
Proficient (16-17): Provides in-depth analysis that demonstrates complete understanding of some concepts
Emerging (14-15): Provides in-depth analysis that demonstrates complete understanding of minimal concepts
Not Evident (0-13): Does not provide in-depth analysis

Integration and Application (10 points)
Distinguished (9-10): All of the course concepts are correctly applied
Proficient (8): Most of the course concepts are correctly applied
Emerging (7): Some of the course concepts are correctly applied
Not Evident (0-6): Does not correctly apply any of the course concepts

Critical Thinking (20 points)
Distinguished (18-20): Draws insightful conclusions that are thoroughly defended with evidence and examples
Proficient (16-17): Draws informed conclusions that are justified with evidence
Emerging (14-15): Draws logical conclusions, but does not defend with evidence
Not Evident (0-13): Does not draw logical conclusions

Research (15 points)
Distinguished (14-15): Incorporates many scholarly resources effectively that reflect depth and breadth of research
Proficient (12-13): Incorporates some scholarly resources effectively that reflect depth and breadth of research
Emerging (11): Incorporates very few scholarly resources that reflect depth and breadth of research
Not Evident (0-10): Does not incorporate scholarly resources that reflect depth and breadth of research

Writing (Mechanics/Citations) (10 points)
Distinguished (9-10): No errors related to organization, grammar and style, and citations
Proficient (8): Minor errors related to organization, grammar and style, and citations
Emerging (7): Some errors related to organization, grammar and style, and citations
Not Evident (0-6): Major errors related to organization, grammar and style, and citations

Earned Total: 100%
Comments:
5-3 Short Paper: International Labor Standards
Visit the ILO (International Labor Organization) website. The ILO is a UN agency that promotes social justice and internationally recognized human and labor rights. Established in 1919, it is the only surviving major creation of the Treaty of Versailles. The ILO Declaration on Fundamental Principles and Rights at Work covers four areas:
Freedom of association and the right to collective bargaining
The elimination of forced and compulsory labor
The abolition of child labor
The elimination of discrimination in the workplace
Research the history of international labor standards. Are labor standards feasible? What are the advantages and disadvantages of standards? Write a short paper describing the ILO history and answering the questions about their standards.
Reference:
UMUC. (2014). Responding to an Asymmetric Threat. Retrieved from http://tychousa9.umuc.edu/CSEC670/1206/csec670_01/assets/csec670_01.pdf
1. Not only must asymmetric advantages be countered domestically; attackers often originate from outside the United States. Given that situation, describe how the Westphalian model would aid cybersecurity at the global level.
Answer:
2. This week we are reviewing responses to an asymmetric threat.
A. What is an asymmetric threat?
B. Describe some dynamic approaches for defending against an asymmetric threat.
Answer:
3. Revolutionary change often creates a paradigm shift. Given a new paradigm, it would be beneficial to redraw the cybersecurity landscape, critically assessing how the problem of cybersecurity should be defined.
What exactly is cybersecurity? Is it a function or task? Is it a strategy? Is it about crime? Is it about national security?
Answer:
4. Changes to business enterprises in response to the commercialization and growth of the Internet are often seen as by-products of revolutionary change.
A. Why is the Internet viewed as a revolutionary change?
B. Describe some of the attributes of revolutionary change brought about by the Internet and the impact on security.
You are encouraged to include real examples from your past studies that you can share with your fellow students.