UMUC
Cybersecurity Capstone
CSEC670
© UMUC 2012 Page 1 of 35
Contents
Topic 1: Scenario ........ 2
  Scenario: Digital Pearl Harbor ........ 2
Topic 2: Module Introduction ........ 4
Topic 3: What is Revolutionary Change? ........ 5
  Attributes of Revolutionary Change ........ 5
  Instances of Revolutionary Change ........ 7
Topic 4: Understanding Paradigm Shifts ........ 10
  Kuhn's View ........ 10
  From Rejection to a New Hypothesis ........ 12
  A New Disciplinary Construct for Cybersecurity ........ 13
Topic 5: The Analogous Asymmetric Threat of Terrorism ........ 15
  The Impact of 9/11 ........ 15
  Findings of the 9/11 Commission ........ 17
  The Westphalian Model ........ 18
Topic 6: Defense-in-Depth Strategy ........ 21
  Defense in Depth in Cybersecurity ........ 21
  A New Disciplinary Construct ........ 23
Topic 7: Moving from a Static to a Dynamic Paradigm ........ 31
  Legacy Frameworks ........ 31
  A Dynamic Strategy for an Asymmetric Threat ........ 32
Topic 8: Summary ........ 34
Glossary ........ 35
Topic 1: Scenario
Scenario: Digital Pearl Harbor
Responding to an Asymmetric Threat (CSEC670, Module 1)
Jonathan Brassard is lying in his hammock, enjoying a peaceful
day near his lakeside
vacation cabin. Recently retired, Jonathan has had an eventful
career in the IT industry.
With a master's degree in cybersecurity, Jonathan held notable
cybersecurity policy
positions in both the private and public sector. He pioneered a
cybersecurity consulting
business in which he advised CEOs of top companies. He also
consulted with the White
House several times as a cybersecurity expert. Although he is
retired, Jonathan still
maintains an office at his company and keeps abreast of events
in the cyberworld. On
this morning, November 9, he is in for a surprise as he clicks on
his tablet to check the
stock market.
Disclaimer: The storyline and characters in this part of the
module are fictitious and were developed for the
purposes of this course. No association with any real person,
places, or events is intended or should be
inferred from the use of the fictitious names.
Scenario
Jonathan is taken by surprise as he scans the headlines on his
tablet. He follows the link
to read the full story.
Digital Pearl Harbor; Stock Markets Crash!
Otto Processing Systems, the provider of back office transaction
processing to almost 92
percent of U.S. financial institutions during the past 10 years, is
under a cyberattack.
Otto, a third-party service provider, is the leader in
technologies used in banking and
financial institutions. Otto has been processing all its
transactions over the Internet using
Secure Sockets Layer (SSL), and it is this security technology
that has been
compromised in the cyberattack. The Anarchists, a self-
described social action group,
have claimed responsibility for the attack. For some time now,
the Anarchists have been
protesting the high salaries paid to Wall Street executives and
traders.
As part of their protest, they have now cracked the encryption
in Otto’s SSL. Experts say
that this attack constitutes a major cybersecurity issue with the
potential to shut down a
significant portion of America's financial services sector, one of
the nation's critical
infrastructures. While the full impact of the cyberattack has not
yet been determined, the
president of the United States has declared the incident to be a
threat to national
security. In a television broadcast, he stated that the security
breach could lead to the
financial services sector lacking confidence in the authenticity
of its trading data.
As Jonathan digests this disturbing news, his cell phone rings. It
is Jonathan's colleague
and friend, Tom Baines, who works for the federal government
in a national security role.
Here is a transcript of the conversation between Jonathan and
Tom.
Tom: Hi, Jonathan. I guess you’ve heard about the attack on
Otto.
Jonathan: Yes, I was just reading about it.
Tom: Well, I need some help that would require you to put your
retirement on hold.
Jonathan: Tell me what you have in mind.
Tom: The president is forming a group that will be called "The November 9 Commission."
Tom: The commission will investigate the incident and prepare
a report on how it
happened and what needs to be done to prevent further attacks.
Jonathan: That sounds like a good start to me. How can I help
you?
Tom: The president would like you to serve on the commission.
Will you do it?
Jonathan: I’m honored to be asked. What role would he like me
to have?
Tom: Your primary role would be to look at the big picture and
make specific
recommendations related to the financial services industry.
Jonathan: Okay. I’ll be back in Washington in three days, and
we can discuss this in
detail.
Tom: Thanks, Jonathan!
Three Days Later
Three days later, Jonathan is in Washington, D.C., in a
boardroom at his company filled
with staffers who are busy reading reports and answering
phones. He walks into his
office, looks out the window, and ponders the project ahead.
Topic 2: Module Introduction
History is witness to the revolutions that have transformed
society. The Industrial
Revolution was driven by technological advances, while the
American Revolution was
driven by ideological and societal values. Religion, commerce,
culture, and politics have
also played prominent roles in influencing history during
periods of revolutionary change.
Similarly, the Internet age has been changing society for almost
two decades now. The
ever-multiplying technologies, increased bandwidth and speed,
and advanced
networking are features of the Internet revolution. From
communications to advertising,
from content delivery to gadgets, and now in the Smart Grid,
changes in Internet-based
technologies keep altering how we view our lives.
Recently, however, cybersecurity concerns have emerged as a
prominent aspect of the
Internet age. With increasing Internet access, cyberthreats have
become national
security dangers that can jeopardize economic prosperity.
Understanding our evolving
Internet-based society helps us address cybersecurity concerns.
Cybersecurity has
several components, such as national security, law enforcement,
intelligence, intellectual
property, privacy, and public-private partnerships.
Understanding cyberspace in the
context of these related concerns raises the question of whether
legacy frameworks of
these related spheres are appropriate and effective for
cyberspace.
The challenge of keeping the Internet trustworthy requires a full
study of the prevailing
governance frameworks. Fortunately, the Internet revolution
follows earlier periods of
revolutionary change. This module will cover some effective
strategies for understanding
the impact of the Internet revolution and addressing modern
cybersecurity challenges.
Topic 3: What is Revolutionary Change?
Attributes of Revolutionary Change
Theorists, scientists, and academicians have explored revolution
and evolution for
centuries. They have often had to tackle the severe social
repercussions of upsetting the
status quo. Studies of organizational change have shown that
change can occur swiftly
or slowly. Movements aimed at social change have often failed,
at least in the political
sense. External factors radically upset the status quo—
sometimes in relatively minor
ways, such as within an industry—and other times permanently,
changing the
international order.
Revolutionary change often brings about fundamental changes
in elements of society
such as underlying business processes, supporting frameworks,
and interrelationships.
Fundamental elements must often be refashioned to address the
needs that emerge
during periods of revolutionary change.
Darwin's Theory of Evolution
Charles Darwin is known for his theories of evolution and common ancestry. He proposed natural selection as the mechanism by which species change, giving the older idea of the transmutation of species an explanation it had previously lacked. His work met with a great deal of resistance and was fiercely attacked. In the face of that opposition, however, he brought about a scientific revolution.
Copernicus' Theory of Heliocentricity
When Nicolaus Copernicus proposed his heliocentric theory, he countered the prevailing Ptolemaic view, later defended by the Roman Catholic Church, that the Earth was at the center of the universe. Copernicus held instead that the Earth revolves around the Sun, and in doing so started a revolution in astronomy. Many years of observation and scientific research eventually confirmed that Copernicus was correct.
Air Power
In order to realize the potential of air power—the use of aircraft
in war—new munitions
and ballistic research were needed. Warships and ground
systems had to be modified to
defend against new airborne weapons. Brig. Gen. Billy Mitchell
of the U.S. Army
famously championed the emergence of air power with a
demonstration in 1921 in which
the former German battleship Ostfriesland was sunk near the
Chesapeake Bay. This
exercise advanced the debate as to the future role of air power
in warfare, ultimately
leading to an expanded role for military and naval air forces.
Industrial Revolution
After the Industrial Revolution, a new theory of law emerged: negligence theory. Previously, under the common-law doctrine of privity, a direct contractual relationship was required between litigants, and a person harmed by a defective product could generally sue only the party with whom he had contracted. Negligence theory was developed to restore balance to the rights and obligations of different members of society. It enabled enforcement of a "duty of care" on the part of a distant party who had no contractual relationship with the victim of harm: if harm was caused, it could be redressed regardless of the absence of a contract. The extended economic relationships brought about by the Industrial Revolution, along with vastly expanded production and distribution of goods, triggered this change in law to protect consumers and other downstream product users from harm.
Internet Age
Changes to business enterprises in response to the
commercialization and growth of the
Internet demonstrate that the Internet age is a period of
revolutionary change. One
indication of the change is linguistic. Terms such as Internet,
cyber, e-, and brick and
mortar are descriptors that seek to capture new ideas. For
example, brick and mortar
emerged to describe a legacy business model, in contrast to e-
commerce.
In distinguishing brick and mortar from e-commerce, what
emerges is not just a new
lexicon, but also a fundamentally different mode of business.
This new business mode is
what created the need for the new lexicon.
The Internet age has brought about a revolution in the ways we
communicate with each
other, do our shopping, pursue our daily activities, and conduct
business. The methods
we use to buy airline tickets, make hotel reservations, register
for college courses, and
order pizza have all changed in a fundamental way.
Topic 3: What is Revolutionary Change?
Instances of Revolutionary Change
Industrial Revolution
Step 1
The Industrial Revolution brought changes in manufacturing
and distribution processes.
It established expanded markets, scaled production and
distribution, and introduced new
methods and technologies, thus causing society to change.
Step 2
Working conditions changed and shift work became common.
The relationship between
supplier and consumer changed. Instead of businesses based on
relationships, such as
those of a village blacksmith or baker who knew their
customers, producers and
suppliers became disconnected from their customers.
Step 3
For example, in pre-Industrial Revolution England, the legal
mechanism to remedy harm
required a direct contractual relationship. The concept of
negligence did not yet exist in
tort law. Therefore, when consumers were harmed by the
negligence of a distant
producer, they could not sue that producer.
Step 4
After the Industrial Revolution, the English courts fashioned a
new legal remedy based
on negligence theory.
Step 5
This redress mechanism for victims of harm demonstrates how a
period of revolutionary
change—the Industrial Revolution—caused structures within
society to change.
Question for Industrial Revolution
What were the effects of the Industrial Revolution on society
and business processes?
a. Altered manufacturing processes
b. Improved distribution methods
c. Reduced profits for companies
d. Reduced profit incentives for businesses
Correct Answer: Options a and b
Feedback:
The Industrial Revolution enhanced manufacturing processes
and distribution methods.
Neither profits nor incentives were reduced as a result of the
Industrial Revolution.
The Westphalian Nation-State Model
The Westphalian nation-state model grew out of the Peace of Westphalia, the treaties that ended the Thirty Years' War (1618-1648) in Europe. After decades of fighting, a system of sovereign states with recognized boundaries emerged. Feudal patchworks gave way to modern countries. An international framework aimed at security through the sovereignty principle was established in the hope that each nation would respect it.
The legacy of the Westphalian system is seen in modern
international frameworks such
as the Hague Conventions, the Geneva Conventions, and the
United Nations Charter.
An underlying feature of each of these agreements is their
support of the nation-state
construct. These agreements sought to expand protections with
respect to human rights
and to regulate warfare through compliance by nation-state
signatories.
Question for The Westphalian Nation-State Model
Which of the following correctly describes the Westphalian
nation-state model?
a. A platform for the theories of communism
b. An international model to promote respect for sovereignty
c. A model that provides the framework for the European Union
d. A model that allowed dictators to expand their empires
Correct Answer: Option b
Feedback:
The Westphalian nation-state model emerged internationally to
promote respect for
sovereignty.
Internet Age
Major technological and social changes over the years include
air travel, nuclear power,
freedom movements, the aerospace industry, and now, the
Internet.
The changes that have been brought about by the Internet are
actually more
fundamental and universal than any that have come before. The
Internet has influenced
business models, increased efficiencies, and transformed
industries. Examples of this
include the Smart Grid in the energy sector and digital trading
in the financial services
industry.
Music
Delivery of media content, such as music and videos, has moved
from in-store sales to
online sales and on-demand video delivery. The Internet has
revolutionized the way we
perceive media.
Mobile
Mobile communication has taken the world by storm. An
amazing range of cell phones
are being offered at ever-lower costs while simultaneously
incorporating more and more
features.
Newspaper
Print media, such as newspapers and magazines, have seen their
circulation and
profitability decrease. Many people no longer receive home
newspaper delivery,
preferring instead to get their news online.
Radio
We have witnessed the near-dissolution of the record store industry, including the bankruptcy of chains such as Tower Records. Today, free and subscription-based Internet radio stations and music offerings are available on the Web, such as those provided by the British Broadcasting Corporation. The original brick and mortar CD and tape stores have adopted different business strategies.
Question for Internet Age
Tower Records was a chain of brick-and-mortar record stores.
How did the Internet
change music delivery methods, and why did Tower Records
and other record stores go
out of business?
a. People were no longer interested in the genre of music that
Tower Records sold.
b. Tower Records’ business model became uncompetitive in the
Internet Age.
c. The audience for 1970's music dwindled.
d. Internet-based music delivery became very popular.
Correct Answer: Options b and d
Feedback:
Tower Records' business model became uncompetitive in
comparison with Internet-
based music delivery platforms like iTunes. While older genres
of music are still popular
today, online delivery mechanisms are putting brick-and-mortar
record stores out of
business. The original brick and mortar CD and tape stores have now adopted different business strategies.
Topic 4: Understanding Paradigm Shifts
Kuhn's View
Changes in Society
Changes in human society are an ongoing and accepted process.
However,
revolutionary change goes beyond the standard adaptability
processes through which
social changes occur. While society is adept at handling change
that manifests at a
certain level of complexity, society's adaptability mechanisms
are ill-suited for
recognizing when the status quo is being tilted. Societal
frameworks facilitate order and
tranquility, and therefore, they may actually be part of the
problem in that they can delay
recognition that revolutionary change is occurring. The
frameworks and processes under
a status quo need refining or even transformation after a
revolutionary change.
Kuhn's View
In 1962, Thomas Kuhn published The Structure of Scientific Revolutions. Its subject is how scientific fields change: long stretches of incremental "normal science" punctuated by paradigm shifts in which a field's basic assumptions are replaced. This influential work introduced a new model for understanding the dynamics of fundamental change.
Kuhn's view, as applied here, is that paradigm changes become apparent to society only after a new domain has fully emerged. Once the emergence of the new domain is understood, science can assess issues within new frameworks, using formulas, theorems, and problem-solving constructs that may not have existed before. Kuhn's work suggests that a domain must be accepted before productive scientific work can begin: acceptance is required to recognize the existence of a new discipline, allowing a new status quo and body of rules to develop.
Reference: Kuhn, Thomas S. The Structure of Scientific
Revolutions. 3rd ed. Chicago, IL: University of
Chicago Press, 1996.
The Kuhn Cycle
Phases of Kuhn's Cycle
Normal Science
In phase one, normal science, scientists can be found working
on normal, small,
incremental improvements in their fields. For instance, the
mobile phone industry began
by manufacturing short-range car phones. Years down the line,
we now have 3G cell
phones and 4G smartphones. In cybersecurity, initial hacking
tactics involved Web site
defacements. Improved security practices and technologies
emerged to address this
challenge. Web site defacements, however, are a comparatively
low-level threat
compared to modern advanced persistent threats.
Model Drift
In phase two, model drift occurs when the original model can no longer accommodate changes. For example, in computer networking, Ethernet replaced ARCNET, an older LAN technology, as network devices were modernized.
Model Crisis
In phase three, model crisis occurs when an old model can no longer sustain itself. For instance, in cybersecurity, some practitioners have come to believe that the conventional user ID and password, used on its own, is an outdated and unreliable means of authenticating a user's identity.
Model Revolution
In phase four, model revolution changes the game. At this point, the old model can no longer support reliable decision making, so a new model becomes imperative. One example from cybersecurity is the shift from desktop workstations to small, networked mobile and embedded devices, which a workstation-centric security model was never designed to protect.
Phase four may result from a changed scope or dimension of the environment. One example is the recent extensive proliferation of networked devices and our rapidly growing reliance on them. At the same time, bandwidth and speed have become attack enablers. The proliferation of Internet devices, along with increases in speed and connectivity, has changed the paradigm for security on the Internet.
Paradigm Change
In phase five, a paradigm change occurs when a new scientific
model is discovered and
utilized. One example of this occurred in cybersecurity when it
was recognized that
stopping attacks and securing the Internet absolutely is perhaps
not a feasible goal.
Instead, risk management has become the prevailing strategy,
leading to the emergence
of new security techniques.
Topic 4: Understanding Paradigm Shifts
From Rejection to a New Hypothesis
Kuhn's view provides a useful lens for assessing current
approaches to cybersecurity.
According to his view, it would be beneficial to redraw the
cybersecurity landscape to
critically assess how cybersecurity should be defined. An
adequate definition enables
effective problem solving.
Through Kuhn's Lens
Cybersecurity remains largely undefined. Is it a function or
task? Is it a strategy? Is it
about crime? Is it about national security? Is it purely a
technical problem for network
technicians? Cybersecurity can be considered a discipline, a
field that incorporates
strategy, function, and a variety of other features and
components.
Viewed through Kuhn's perspective, cybersecurity represents a
revolutionary change;
and new disciplinary constructs must emerge so the
cybersecurity challenge can be met
effectively.
A New Approach
While multidisciplinary approaches are emerging, the typical
cybersecurity incident is
thought of as "a problem for the IT guy." Cybersecurity is not
merely a technological
problem; it is a multidisciplinary problem, requiring more than
one area of expertise in
order to find solutions. The White House's 60-day Cyberspace
Policy Review is an
example of a multidisciplinary approach. Similarly, U.S. Cyber
Command (CYBERCOM)
has been established as an operational command in charge of
military cybersecurity
efforts. Additionally, the National Institute of Standards and
Technology (NIST) is
pursuing a risk management approach that is quite different
from the notion of securing
cyberspace.
These efforts demonstrate the beginning of a wider
understanding that cybersecurity
presents a problem beyond the capability and authority of an
organization's IT
department. However, these efforts are mechanisms that have
emerged in response to a
difficult challenge, and it is not yet clear that the problem has
been defined adequately.
Topic 4: Understanding Paradigm Shifts
A New Disciplinary Construct for Cybersecurity
Disciplines such as law and the social and physical sciences
typically include distinct
building blocks, methodologies, and processes. In every
instance, an emerging field
caused processes and functional components to be developed as
deemed necessary by
professionals in that field. Therefore, cybersecurity must
develop its own disciplinary
construct, with supporting processes and functional components.
Rather than pigeonhole cyberevents as cybercrimes or privacy
matters, as national
security incidents, or as intellectual property matters,
cybersecurity should incorporate
each of these areas of concern as functional components of the
discipline. Moreover,
modern cybersecurity challenges present an operational
dynamic. Therefore, planning
for cybersecurity defenses is akin to planning military
operations. An adversary is likely
to probe for weak points; therefore, a defender must use risk
management planning
techniques and be agile in order to respond to attacks.
A disciplinary construct for cybersecurity that incorporates its
many components can act
as a method for comprehensively addressing the revolutionary
changes that are
occurring in cyberspace.
Question
A federal agency is planning to create a specialized department to monitor e-mail messages. The department will identify potentially malicious communication in the information exchanged between its employees and external entities. The agency is wary of terror-related activity in its communication with external private agencies; prevention of terrorist attacks and of organized-crime money laundering tops the agency's list. The department will be required to store massive amounts of data in a highly secure manner. Additionally, an entire legal framework has to be created to ensure that the data collection is legally sound.
The agency has given you the following draft list of aspects on which the cybersecurity plan could focus. Your boss asks you to narrow the list to those aspects that would be most appropriate for the plan to focus upon.
Options
a. Integrity, because unauthorized individuals or systems should be unable to modify the information being exchanged
b. Personal privacy, because it is an important aspect of cybersecurity and is related to e-mail communication
c. Information sharing, because information exchanged between agencies would be strategic in nature
d. Confidentiality, because only authorized individuals or systems should access certain types of information
e. National security, because the information being exchanged is related to the government and will be classified in nature
f. Risk mitigation, because it is an important aspect of cybersecurity and national security cannot be compromised
g. Cybercrime, because money laundering carried out through electronic information exchange is an example of a cybersecurity breach
Correct Answer: Options b, e, f, and g
Feedback:
Confidentiality and integrity, two elements of the Confidentiality, Integrity, and Availability (CIA) triad, are most commonly associated with the narrow scope of traditional information security rather than with cybersecurity. Cybersecurity incorporates a wide number of disciplines and has grown beyond the older, narrowly focused field of information security. It should be viewed as a new discipline in itself, with aspects such as national security, personal privacy, cybercrime, information sharing, and risk mitigation as functional components.
Topic 5: The Analogous Asymmetric Threat of Terrorism
The Impact of 9/11
The Internet's Maginot Line
Then
Step 1
France thought it had learned its lessons from World War I,
when it was invaded by
Germany. As part of France's national defense strategy, it
constructed the Maginot Line
around part of its border.
Step 2
The French built a series of fortifications in a static defensive
line that was thought to be
impenetrable.
Step 3
During World War II, mobile German forces bypassed the
Maginot Line by attacking
through Belgium.
Now
Step 1
The Internet has its own Maginot Line that confers advantages
to attackers instead of
defenders.
Step 2
Static defenses in a network await attacks from anonymous,
unseen vectors, cloaked by
proxy servers and compromised bot networks. In this way, the
Internet can enable an
asymmetric attack that is similar to the blitzkrieg attack past the
Maginot Line.
Step 3
Cybersecurity strategies must address these unseen vectors.
Dynamic approaches and
broad situational awareness are the hallmarks of a new strategy
for defending against
asymmetric threats.
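The contrast above between a static line and unseen, distributed attack vectors can be made concrete in code. The following Python example is added here and is not part of the original module; every log line, address (RFC 5737 documentation ranges), threshold and client string in it is constructed for illustration. It runs two rules over the same constructed traffic: a per-source-IP block rule (the static line) and a cross-source correlation rule (the dynamic approach). A credential-stuffing campaign spread thinly across twelve proxy or bot addresses never reaches the per-IP threshold, but becomes visible once failed logins are correlated by target and client behaviour across all sources.

```python
"""Static per-source blocking versus cross-source correlation.

Added example for this module, not part of the original UMUC text.
Every log line is constructed; addresses are from the RFC 5737
documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-style access log: ip - - [ts] "METHOD path proto" status "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def _line(ts, ip, path, status, ua):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "POST {path} HTTP/1.1" {status} "{ua}"'


def build_constructed_log():
    """Constructed traffic (not real data): two ordinary users plus a
    credential-stuffing campaign spread over 12 proxy/bot addresses, each
    sending only three failed logins so that no single address looks noisy."""
    t0 = datetime.strptime("09/Nov/2012:09:00:00 +0000", TS_FMT)
    lines = [
        # ordinary user: one typo, then success
        _line(t0, "192.0.2.10", "/login", 401, "Mozilla/5.0 (Windows NT 6.1)"),
        _line(t0 + timedelta(seconds=5), "192.0.2.10", "/login", 200, "Mozilla/5.0 (Windows NT 6.1)"),
        # clumsy user: two failures from one address, not a campaign
        _line(t0 + timedelta(seconds=20), "192.0.2.44", "/login", 401, "Mozilla/5.0 (Macintosh)"),
        _line(t0 + timedelta(seconds=31), "192.0.2.44", "/login", 401, "Mozilla/5.0 (Macintosh)"),
    ]
    bot_ua = "python-requests/2.7.0"  # identical automation string on every proxy
    for i in range(12):
        for k in range(3):
            lines.append(_line(t0 + timedelta(seconds=10 + 4 * i + k),
                               f"198.51.100.{i + 1}", "/login", 401, bot_ua))
    return lines


def static_per_ip_detector(events, threshold=10):
    """The Maginot Line rule: flag a source only once it alone has produced
    `threshold` failed logins. A distributed attacker never trips it."""
    fails = defaultdict(int)
    for ev in events:
        if ev["path"] == "/login" and ev["status"] == 401:
            fails[ev["ip"]] += 1
    return {ip for ip, n in fails.items() if n >= threshold}


def campaign_detector(events, threshold=10, min_sources=3, window=timedelta(seconds=60)):
    """Correlate failed logins across sources that share a behavioural key
    (target path + client string). A sliding window holding at least
    `threshold` failures from at least `min_sources` distinct addresses is
    treated as one campaign, whatever each address contributed.
    Returns {key: set of source addresses involved}."""
    buckets = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["path"] == "/login" and ev["status"] == 401:
            buckets[(ev["path"], ev["ua"])].append(ev)
    campaigns = {}
    for key, evs in buckets.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            sources = {e["ip"] for e in in_window}
            if len(in_window) >= threshold and len(sources) >= min_sources:
                campaigns.setdefault(key, set()).update(sources)
    return campaigns


def run_demo():
    """Return (addresses flagged by the static rule, campaigns found by correlation)."""
    events = [ev for ev in map(parse_line, build_constructed_log()) if ev]
    return static_per_ip_detector(events), campaign_detector(events)


if __name__ == "__main__":
    static_hits, campaigns = run_demo()
    print("static per-IP rule flagged:", sorted(static_hits) or "nothing")
    for (path, ua), ips in campaigns.items():
        print(f"correlated campaign against {path} using '{ua}': {len(ips)} sources")
```

The behavioural key used here (target path plus client string) is deliberately simple. In practice a correlation rule would also draw on the targeted account names, request timing and TLS or HTTP fingerprints, since an adversary who controls many proxies can vary the User-Agent as easily as the source address; the point of the example is that the static per-address rule sees nothing at all, whatever its threshold.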
Presidential Decision Directive
The threat to interconnected networks was recognized during
the Clinton administration.
In 1998, Presidential Decision Directive 63 (PDD-63) was
signed. Well before the
evolution of cyberthreats as we now know them, PDD-63 stated:
As a result of advances in information technology and the necessity of improved efficiency, however, [nation critical] infrastructures have become increasingly automated and interlinked. These same advances have created new vulnerabilities to equipment failure, human error, weather and other natural causes, and physical and cyberattacks. Addressing these vulnerabilities will necessarily require flexible, evolutionary approaches that span both the public and private sectors, and protect both domestic and international security (The White House, 1998, p.1).
Reference: The White House. (1998, May 22). The Clinton
Administration's policy on critical
infrastructure protection: Presidential Decision Directive 63.
Retrieved from the National Institute
of Standards and Technology, Computer Security Division,
Computer Security Resource Center
Web site: http://csrc.nist.gov/drivers/documents/paper598.pdf
PDD-63 envisioned public-private partnerships and the creation of Information Sharing and Analysis Centers (ISACs) for different sectors of the economy.
Post-9/11 Development
After the terrorist attacks on September 11, 2001, the federal government rapidly pursued critical infrastructure protection. Homeland Security Presidential Directive 7 (HSPD-7) replaced PDD-63. HSPD-7 described U.S. policy as follows:
It is the policy of the United States to enhance the protection of our Nation's critical infrastructure and key resources against terrorist acts (The White House, 2003).
Reference: The White House. (2003, December 17). Homeland Security Presidential Directive 7. Retrieved from the U.S. Department of Homeland Security Web site: http://www.dhs.gov/xabout/laws/gc_1214597989952.shtm
The secretary of homeland security was charged with coordinating the nation's efforts to protect critical infrastructure. HSPD-7 established a sector approach to accomplish its mission. Government agencies in particular sectors were responsible for coordinating and implementing the National Infrastructure Protection Plan (NIPP) within those sectors.
The sector approach enabled a degree of integration between the public and private sectors with respect to cybersecurity. However, the challenge of this strategy lies in adequately addressing asymmetric threats that can exploit unguarded weak spots across sectors. That is, while the government was organizing vertically, threats could appear horizontally across the verticals. Indeed, that is the very nature of an asymmetric threat.
Topic 5: The Analogous Asymmetric Threat of Terrorism
Findings of the 9/11 Commission
Asymmetric attack is not a new phenomenon. The 9/11 Commission, which issued its report following the terrorist attacks of 2001, recognized that stovepipes, centralized bureaucracies, and the government itself were impediments to the dynamic sharing of information that is needed to counter a sophisticated, dynamic, and asymmetric threat.
An asymmetric threat is compounded by cyberspace because of its automation. The challenge is more complex than just uncovering cells of terrorists. In cyberspace, targets range from bots to hidden exploits to unforeseen vulnerability vectors.
Findings of the 9/11 Commission
Finding 1
As presently configured, the national security institutions of the U.S. government are still the institutions constructed to win the Cold War. The United States confronts a very different world today. Instead of facing a few very dangerous adversaries, the United States confronts a number of less visible challenges that surpass the boundaries of traditional nation-states and call for quick, imaginative, and agile responses (9/11 Commission, 2004, p. 399).
Finding 2
We recommend significant changes in the organization of the government. We know that the quality of the people is more important than the quality of the wiring diagrams (9/11 Commission, 2004, p. 399).
Finding 3
The importance of integrated, all-source analysis cannot be overstated. Without it, it is not possible to "connect the dots." No one component holds all the relevant information (9/11 Commission, 2004, p. 408).
Finding 4
We propose that information be shared horizontally, across new networks that transcend individual agencies (9/11 Commission, 2004, p. 418).
Reference: National Commission on Terrorist Attacks upon the United States (9/11 Commission). (2004, July 22). The 9/11 Commission report. Retrieved from http://www.9-11commission.gov/report/index.htm
Topic 5: The Analogous Asymmetric Threat of Terrorism
The Westphalian Model
Attacker
Asymmetric threats should generally be met with a domestic strategy, but attacks also can originate from outside the United States. Attackers from outside the country can enjoy both anonymity and sovereign protection. In other words, the nation-state or Westphalian model upholds the sovereignty principle behind which attackers can hide.
National Borders
A nation's borders are more than physical lines on a map. Borders are deemed legitimate and inviolable by international legal constructs. A nation enjoys sovereign rights with respect to its borders. A cyberattack can damage a country's assets just as a physical invasion can, but when the cyberattack is launched from abroad, the attackers can enjoy the protection offered by the sovereignty of the countries from which they operate.
Shield from Outside Interference
The Westphalian international system effectively insulates the world from effective cybersecurity. The horizontal mechanisms needed to combat asymmetric threats are difficult to establish under this structure. A universal right to violate the sovereignty principle in the interest of upholding a higher principle—protecting the Internet—would have to emerge in order to enable the 9/11 Commission's findings to be effective in the Westphalian model.
Try This!
The quotations presented here come from the 9/11 Commission Report. Select the best-known outcome of each quoted recommendation.
Recommendation 1
As presently configured, the national security institutions of the U.S. government are still the institutions constructed to win the Cold War. The United States confronts a very different world today. Instead of facing a few very dangerous adversaries, the United States confronts a number of less visible challenges that surpass the boundaries of traditional nation-states and call for quick, imaginative, and agile responses (9/11 Commission, 2004, p. 399).
Options
a. Increasing the national debt ceiling
b. Adding foreign counterterrorism to the FBI’s mission statement
c. Recruiting more personnel into the armed forces
d. Training more cyberforensic examiners
Correct Answer: Option b
Feedback:
The 9/11 Commission's recommendation led to the FBI's focusing additional efforts on counterterrorism.
Recommendation 2
We recommend significant changes in the organization of the government. We know that the quality of the people is more important than the quality of the wiring diagrams (9/11 Commission, 2004, p. 399).
Options
a. Increasing the use of contractors at the National Security Agency
b. Sharing intelligence with our allies
c. Increasing research and development funding for cybersecurity
d. Establishing the Department of Homeland Security
Correct Answer: Option d
Feedback:
Establishing the Department of Homeland Security (DHS) was a recommendation of the 9/11 Commission.
Recommendation 3
The importance of integrated, all-source analysis cannot be overstated. Without it, it is not possible to "connect the dots." No one component holds all the relevant information (9/11 Commission, 2004, p. 408).
Options
a. Hiring more intelligence analysts
b. Establishing the Office of the Director of National Intelligence
c. Providing merit pay increases for employees at the CIA
d. Reducing the number of intelligence agents deciphering messages in uncommon and complex languages
Correct Answer: Option b
Feedback:
The establishment of the Office of the Director of National Intelligence (ODNI) resulted from the recommendations of the 9/11 Commission.
Recommendation 4
We propose that information be shared horizontally, across new networks that transcend individual agencies (9/11 Commission, 2004, p. 418).
Options
a. Reducing the amount of classified information across the government
b. Sharing more intelligence with the public at large
c. Adopting the latest NIST recommendations on public key infrastructure
d. Increasing information sharing among federal agencies and departments
Correct Answer: Option d
Feedback:
Information sharing among federal agencies and departments has increased since 9/11.
Recommendation 5
The U.S. government cannot meet its own obligations to the American people to prevent the entry of terrorists without a major effort to collaborate with other governments (9/11 Commission, 2004, p. 390).
Options
a. Sharing only classified information with the private sector and with other levels of government
b. Sharing more information with the United Kingdom and Canada
c. Increasing the use of e-mail across the government
d. Developing new diplomatic relationships with adversaries of the United States
Correct Answer: Option b
Feedback:
The U.S. government has increased intelligence sharing with the United Kingdom and Canada, which are among the five English-speaking countries that have a special relationship with DHS.
Topic 6: Defense-in-Depth Strategy
Defense in Depth in Cybersecurity
Changes in Network Security
Initially, network security requirements did not bring about revolutionary change. However, as networking sophistication grew, speeds improved, and information within networks increased in value, the threats that emerged necessitated a more robust security architecture. Consequently, defense in depth emerged as a preferred method for designing secure networks.
In early 2011, the National Science Foundation (NSF) and the Networking and Information Technology Research and Development (NITRD) program, a federation of the research and development departments of federal agencies, got together to assess the continued viability of defense in depth. They determined that defense in depth had come to be understood in static terms, and that network security features and applications were being designed to ensure compliance rather than to improve security. Their finding was that defense in depth was no longer viable. Instead, dynamic approaches were preferred.
Information security standards such as ISO 27001/27002 have created frameworks to enable design and security auditing, but there is a lack of real-time situational awareness among network defenders. Like the Maginot Line in France, many networks have static security features, whereas the asymmetric threat from cyberspace has become dynamic, persistent, and sophisticated.
Secure Network
Disclaimer: The storyline and characters in this part of the module are fictitious and were developed for the purposes of this course. No association with any real person, places, or events is intended or should be inferred from the use of the fictitious names.
Step 1
King William’s sources have warned him of an impending attack on his castle by the forces of his archenemy, King Edgar. King William has ordered the deployment of various defenses to protect his castle.
Step 2
His men fill the moat surrounding the castle, just outside the castle walls, with water to drown enemies that might come charging on foot.
Step 3
Guard towers along the walls house guards who keep an eye out for any suspicious movement outside the walls.
Step 4
Teams of sentries are stationed at every entry point to keep out anyone who is not authorized to enter the castle.
Step 5
A battalion of archers is positioned all day and night along the walls of the castle, ready at any moment to defend the castle.
Step 6
King William’s various defenders are on duty day and night. Little do they know, though, that King Edgar’s men have been digging a tunnel under the castle.
Step 7
The tunnel dug by King Edgar’s men opens straight into King William’s castle. As soon as King Edgar’s men enter the castle, they attack King William's men.
Step 8
King William’s men are unprepared for this method of attack, and after a short battle, they surrender to King Edgar’s forces.
King William and his men had prepared themselves for the kind of attack they were used to. The defense-in-depth mechanism in place was static in nature. However, they were defeated by an unprecedented attack, one that was asymmetric in nature.
Topic 6: Defense-in-Depth Strategy
A New Disciplinary Construct
Defense in Depth in Cybersecurity
Defense in depth is not an obsolete methodology. The NITRD workshop pointed out a disconnect between the defense-in-depth concept "as applied" versus the concept "as intended." The strategy of defense in depth is intended to design controls and defenses at various belts or vulnerability points. This approach is similar to the risk management processes that have emerged from NIST and the Department of Defense. For example, host-based intrusion detection emerged under the defense-in-depth strategy. Host-based controls focus on a different vector and a different type of threat than gateway-associated controls and technologies.
Defense in depth is a useful concept for defending against an asymmetric threat. Determining the necessary depth and type of control requires a risk-based analysis. Dynamic planning in response to emerging conditions is the sort of methodology that works well when viewing cybersecurity as a discipline. For example, a defense-in-depth approach may require attention to a training control rather than a technological control. User training to defeat a certain tactic used by an adversary might prove more useful than a certain technology control. Approaching cybersecurity from a multidisciplinary mindset, one that considers policy, training, and strategy as complementary to security technology, is one way in which cybersecurity can be viewed as a new discipline.
Activity
Jonathan Brassard has investigated the case at Otto Processing Systems and its implications for national information security. He has recommended a defense-in-depth security strategy for the company.
Identify the elements that Jonathan should include in his design of a defense-in-depth strategy for Otto Processing Systems.
Part 1
Which of the following controls should be considered when designing the defense-in-depth strategy for an organization like Otto Processing Systems?
Arrange the controls in order of hierarchy to design a defense-in-depth strategy for Otto. (1 = Highest Priority; 6 = Lowest Priority)
Controls Order of Hierarchy
Internal Network Security
Vehicle Security
Perimeter Security
Policies, Procedures, and Awareness
Host Security
Power System Security
Personnel Security
Physical Security
Data Security
Correct Answer:
Controls Order of Hierarchy
Internal Network Security 4
Vehicle Security
Perimeter Security 3
Policies, Procedures, and Awareness 1
Host Security 5
Power System Security
Personnel Security
Physical Security 2
Data Security 6
Feedback for Correct Answer:
In today's cybersecurity environment, organizations face a multitude of threats, most of which are not fully understood by all personnel in the organization. It is the chief information security officer's responsibility to educate management about the threats and to design an effective defense-in-depth strategy.
In order for this strategy to be truly effective, it is often layered. Some of the related controls are human factor-oriented, such as policies, procedures, and security awareness, while others are more technically oriented. This human-factor orientation is the reason why a hierarchical structure is important to the defense-in-depth strategy. Different controls are needed to counter different threats, providing a further reason to have a layered approach that places multiple effective countermeasures against their corresponding threats.
Feedback for Incorrect Answer:
While security does need to be in place for this type of system, the system itself is not part of the cybersecurity domain. Therefore, this system does not fit into the hierarchy of cybersecurity layers within the defense-in-depth strategy.
In today's cybersecurity environment, organizations face a multitude of threats, most of which are not fully understood by all personnel in the organization. It is the chief information security officer's responsibility to educate management about the threats and to design an effective defense-in-depth strategy.
In order for this strategy to be truly effective, it is often layered. Some of the related controls are human factor-oriented, such as policies, procedures, and security awareness, while others are more technically oriented. This human-factor orientation is the reason why a hierarchical structure is important to the defense-in-depth strategy. Different controls are needed to counter different threats, providing a further reason to have a layered approach that places multiple effective countermeasures against their corresponding threats.
Part 2
Defense in Depth
Here are the defense-in-depth controls in their order of hierarchy and the components they use.
Policies, Procedures, and Awareness
Policies, procedures, and awareness include various enterprise-wide controls that help employees understand the organization's overall security posture and the rationale for the controls. Examples of such controls are the corporate code of conduct and laptop encryption procedures.
Physical Security
Physical security includes controls like facility security and the use of biometric systems for access control. These controls are important because they can defeat such threats as an unwanted visitor entering the organization's premises and gaining access to high-security locations.
Perimeter Security
Perimeter security includes controls such as fencing systems and protective landscape devices. These controls are important because they help prevent criminals and undesirable visitors from entering the organization’s facilities.
Internal Network Security
Internal network security is a key technical component of most organizations’ cybersecurity plans. This category of controls includes countermeasures like network management systems that look for anomalies in user behavior, such as multiple unsuccessful logons and suspicious activity during non-business hours. This category of controls tries to prevent threats like network intrusions and hacker activities.
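The two user-behavior anomalies named above, repeated unsuccessful logons and activity outside business hours, as an added example (not code from the UMUC module): it scans constructed logon records for bursts of failed logons inside a sliding window and for successful logons outside the working day or on a weekend. The record format, the 08:00 to 18:00 weekday window, and the threshold of three failures within five minutes are assumptions.

```python
"""Anomaly checks over logon records: failed-logon bursts and activity outside
business hours. Added example, not part of the UMUC module; the record format,
the business-hours window and the thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records in an assumed "timestamp user host result" format.
SAMPLE_LOG = """\
2012-03-05T09:02:11 alice ws-101 SUCCESS
2012-03-05T09:05:40 bob ws-102 FAILURE
2012-03-05T09:05:52 bob ws-102 FAILURE
2012-03-05T09:06:03 bob ws-102 FAILURE
2012-03-05T09:06:15 bob ws-102 FAILURE
2012-03-05T09:06:30 bob ws-102 SUCCESS
2012-03-05T14:30:00 carol ws-103 SUCCESS
2012-03-05T23:47:19 carol ws-103 SUCCESS
2012-03-06T02:15:44 dave fileserver SUCCESS
2012-03-06T08:59:59 erin ws-104 SUCCESS
2012-03-10T10:30:00 erin ws-104 SUCCESS
"""

BUSINESS_HOURS = range(8, 18)   # assumption: 08:00 up to 18:00, Monday to Friday
FAILURE_THRESHOLD = 3           # assumption: this many failures inside one window
WINDOW_SECONDS = 300            # assumption: five-minute sliding window


def parse_line(line):
    """Split one record into (timestamp, user, host, result)."""
    ts, user, host, result = line.split()
    return datetime.fromisoformat(ts), user, host, result


def failed_logon_bursts(lines, threshold=FAILURE_THRESHOLD, window=WINDOW_SECONDS):
    """Map each user to the largest number of FAILURE records that fall inside a
    single window of `window` seconds, keeping only users at or above threshold."""
    failures = defaultdict(list)
    for line in lines:
        ts, user, _host, result = parse_line(line)
        if result == "FAILURE":
            failures[user].append(ts)
    flagged = {}
    for user, stamps in failures.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            # Advance the window start until the span fits inside `window` seconds.
            while (ts - stamps[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def off_hours_activity(lines, hours=BUSINESS_HOURS):
    """Successful logons outside business hours or on a weekend, as
    (user, host, iso_timestamp) tuples in log order."""
    events = []
    for line in lines:
        ts, user, host, result = parse_line(line)
        weekend = ts.weekday() >= 5      # Saturday = 5, Sunday = 6
        if result == "SUCCESS" and (weekend or ts.hour not in hours):
            events.append((user, host, ts.isoformat()))
    return events


def analyse(log_text=SAMPLE_LOG):
    """Run both checks over the records and return the findings together."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    return {"failed_bursts": failed_logon_bursts(lines),
            "off_hours": off_hours_activity(lines)}


if __name__ == "__main__":
    for finding, value in analyse().items():
        print(finding, value)
```

The sliding window matters: counting failures per day would miss a short burst on a busy account and over-count a user who mistypes a password once a day, so the check counts failures that land close together. The weekday test catches the edge case of an in-hours logon on a Saturday, which an hour-only check would pass.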
Host Security
Host security is a technical aspect of defense in depth. It provides a number of important countermeasures. For example, it can help prevent threats arising from weak authentication mechanisms and zero-day attacks against the company's IT infrastructure.
Data Security
Data security is another critical element of a successful defense-in-depth strategy. The countermeasures in this category are designed to prevent data theft and leakage. Common controls in this domain include endpoint security mechanisms and secure protocols such as SSH.
Part 3
Controls in Place
For each category and layer presented, select the controls that Jonathan needs to recommend so that Otto Processing Systems is protected from the kind of attacks it has faced.
Category 1: Physical Security
Layer 1: Physical Security
Options
a. Locked doors
b. Metal detectors
c. Security guards
d. Physical inspection of briefcases and handbags
Correct Answer: Options a and c
Feedback:
Locked doors and security guards are both common physical security controls found in nearly all organizations.
Metal detectors, along with physical inspection of briefcases, handbags, and similar items, are normally implemented only in high-security facilities such as government departments and defense contractors. Therefore, these controls would not normally be in place in a company such as Otto.
Layer 2: Perimeter Security
Options
a. CCTV
b. Firewalls
c. Virtual private networks
d. Roving security patrols
Correct Answer: Options b and c
Feedback:
Within a network, firewalls and virtual private networks are two of the most popular types of perimeter security controls.
In Otto’s business environment, CCTV and roving security patrols are not a common security practice based on the threats that it faces; these types of controls would be considered excessive by most security professionals.
Layer 3: Internal Network Security
Options
a. Computer guards
b. Internal network security mechanisms
c. Network segments
d. Intrusion detection system
Correct Answer: Options c and d
Feedback:
Presently, two of the most popular and cost-effective internal network security control components are to create network segments and implement intrusion detection systems.
For Otto, implementing additional and costly controls, such as computer guards (internal firewalls between departments) and other internal network security mechanisms, is considered excessive for this organization.
Category 2: Host Security
Layer 4: Host Security
Options
a. Port controls
b. Firewall rule set configuration
c. Disabling TCP/IP
d. Not using SSH
Correct Answer: Options a and b
Feedback:
Both port controls and firewall rule sets are common controls used by organizations in implementing their defense-in-depth strategy.
Based on the information provided about Otto’s business operations and overall security posture, it does not appear necessary to disable TCP/IP or decline the use of SSH. If operating conditions change, these additional controls should be considered for implementation across the enterprise.
Layer 5: Server Hardening
Options
a. Hardening the operating system
b. Leaving the server in plain view
c. Not locking the closets where servers reside
d. Generating audit logs
Correct Answer: Options a and d
Feedback:
As part of an enterprise's defense-in-depth strategy, hardening the operating system and generating audit logs are important controls to consider when hardening a server.
Leaving the server in plain view or not locking the closets are security vulnerabilities and are therefore not part of an enterprise's defense-in-depth strategy.
Layer 6: Host-Based Firewall
Options
a. Enabling RAID 4 backup system
b. Inbound TCP/IP controls
c. Procuring three backup firewall devices
d. Installing a redundant firewall
Correct Answer: Option b
Feedback:
Inbound TCP/IP controls can be very effective components in securing a host-based firewall.
Enabling the RAID 4 backup system, procuring three backup firewall devices, and installing a redundant firewall would be considered excessive by cybersecurity professionals.
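One way to reason about the port controls and firewall rule set configuration of Layer 4 together with the inbound TCP/IP controls of Layer 6, as an added example that is not the module's own material: a small evaluator for a first-match, default-deny inbound rule set, run against constructed connection attempts, plus a check for rules that are shadowed by an earlier, broader rule and so can never take effect. The rule syntax, the addresses and the sample traffic are assumptions.

```python
"""First-match, default-deny evaluation of an inbound host-firewall rule set,
plus a shadowed-rule check. Added example, not the module's own material;
the rule syntax, addresses and sample traffic are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # destination port; None means any port
    src: str               # permitted source range in CIDR notation

    def matches(self, proto, port, src_ip):
        """True if an inbound attempt with these attributes falls under the rule."""
        return ((self.proto == "any" or self.proto == proto)
                and (self.port is None or self.port == port)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src))

    def covers(self, other):
        """True if every attempt `other` would match is also matched by this rule."""
        return (self.proto in ("any", other.proto)
                and self.port in (None, other.port)
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src)))


# Assumed inbound rule set, evaluated top to bottom; the first match decides.
INBOUND_RULES = [
    Rule("allow", "tcp", 22, "10.0.0.0/8"),     # SSH only from the internal range
    Rule("allow", "tcp", 443, "0.0.0.0/0"),     # HTTPS from anywhere
    Rule("deny", "tcp", 23, "0.0.0.0/0"),       # Telnet is never accepted
    Rule("allow", "tcp", 22, "10.1.2.0/24"),    # shadowed: rule 0 already covers it
]


def decide(rules, proto, port, src_ip):
    """Return the action of the first matching rule, or "deny" when nothing matches."""
    for rule in rules:
        if rule.matches(proto, port, src_ip):
            return rule.action
    return "deny"   # default deny: anything not explicitly allowed is dropped


def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]


# Constructed sample inbound attempts: (protocol, destination port, source IP).
SAMPLE_TRAFFIC = [
    ("tcp", 22, "10.1.2.3"),       # internal SSH        -> allow (rule 0)
    ("tcp", 22, "203.0.113.9"),    # external SSH        -> deny (no match)
    ("tcp", 443, "203.0.113.9"),   # external HTTPS      -> allow (rule 1)
    ("tcp", 23, "10.1.2.3"),       # Telnet              -> deny (rule 2)
    ("udp", 161, "10.1.2.3"),      # SNMP, no rule       -> deny (default)
]


def evaluate(rules=INBOUND_RULES, traffic=SAMPLE_TRAFFIC):
    """Decisions for each sample attempt, in order."""
    return [decide(rules, proto, port, src) for proto, port, src in traffic]


if __name__ == "__main__":
    for attempt, verdict in zip(SAMPLE_TRAFFIC, evaluate()):
        print(attempt, "->", verdict)
    print("shadowed rule indexes:", shadowed_rules(INBOUND_RULES))
```

The default-deny fall-through is what turns a list of open ports into a port control: the SNMP attempt is refused not because a rule names it but because no rule admits it. The shadowed-rule check is the kind of review a rule set configuration should get before deployment, since a rule that an earlier one already covers is dead text that hides the real policy from whoever reads it next.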
Layer 7: Virus Protection
Options
a. Implementing multiple virus products on workstations
b. Switching to a free antivirus tool
c. Installing virus updates
d. Asking employees to disable their personal firewalls
Correct Answer: Option c
Feedback:
Receiving and implementing timely virus updates is an essential aspect of an effective virus protection plan for all IT-dependent organizations.
Installing multiple virus products on workstations and asking employees to disable their firewalls are not practical solutions for a company like Otto. These added countermeasures are both complicated to implement and difficult to monitor and enforce.
Layer 8: Intrusion Prevention and Detection Systems
Options
a. Implementing a research honeypot
b. Zero-day attack prevention
c. Having employees monitor every user sign-on
d. Installing an Internet appliance device
Correct Answer: Options b and d
Feedback:
Zero-day attack prevention and using an Internet appliance for detecting and preventing threats are common aspects of intrusion prevention and detection systems.
Implementing a research honeypot can provide valuable research information, but it is not an effective intrusion prevention or detection system. Additionally, having employees monitor every user sign-on is not a practical intrusion prevention or detection procedure.
Layer 9: Patch Management
Options
a. Applying patches without performing testing beforehand
b. Critical upgrades
c. Security updates
d. Waiting until an attack occurs, and then installing vendor-supplied patches
Correct Answer: Options b and c
Feedback:
Critical upgrades and security updates are both very powerful and commonly used controls in patch management.
Patches are software that needs to be tested just like a large software package to ensure its reliability, stability, security, and interoperability with other software applications. Therefore, applying patches without testing them beforehand is a risky IT practice. Waiting for an attack to occur is an unwise cybersecurity practice, as it puts the enterprise in a very dangerous position where systems will be damaged and even destroyed.
Category 3: Data Security
Layer 10: Data Security
Options
a. Using SSL
b. Using S-FTP
c. Using Telnet
d. Implementing IPSec
Correct Answer: Options a, b, and d
Feedback:
SSL, S-FTP, and IPSec are strong controls that enterprises use for defense in depth.
Otto should not implement an insecure communications protocol such as Telnet because this is not in fact a control; instead, it would add a vulnerability.
Layer 11: Applications and Data
Options
a. Assigning a full-time ISO to monitor data security
b. Providing all users with the same level of access
c. Access control lists
d. Strong password controls
Correct Answer: Options c and d
Feedback:
Access control lists and strong password controls, both of which are part of applications and data security, are important controls to use when implementing defense in depth.
Assigning a full-time ISO to monitor data security would be excessive, and granting all users the same level of access would be an ill-advised approach to data security.
Topic 7: Moving from a Static to a Dynamic Paradigm
Legacy Frameworks
Static Standards
David Lacey was the primary author of the precursor to ISO 27002. He produced the main body of work for British Standard (BS) 7799, which became ISO 27002. ISO 27002 is a broad standard that describes security techniques, controls, threats, risks, and methods of organizing and coordinating information security in an enterprise. In January 2011, Lacey wrote that the product he produced, which became widely used within the industry, had become obsolete in the new Internet age.
Reference: Lacey, D. (2011, January 12). Security: Best practice or ancient ritual? Time to scrap ISO 27002 security standard says its author. Computerworld UK. Retrieved from http://www.computerworlduk.com/in-depth/security/3256436/security-best-practice-or-ancient-ritual/
Among information security practitioners, ISO 27001/27002 has been among the more robust standards. Many information security consultants and auditors use ISO 27001/27002 as their standard for compliance purposes. Lacey pointed out, though, that the standard is static. In essence, Lacey declared that his standard is not responsive to the dynamic, asymmetric nature of modern threats.
FISMA Standards
The federal government practices information security in accordance with the Federal Information Security Management Act (FISMA). Within FISMA, NIST is in charge of creating information security standards. The FISMA definition adopts the information security triad of Confidentiality, Integrity, and Availability (CIA). Thus, the federal government's approach to cybersecurity, at least in its statutory mandate, is to utilize the CIA triad.
The definition of information security that informs FISMA does not address dynamic threats, criminal or national security aspects, asymmetric attackers, or other dimensions of the modern Internet dynamic. FISMA became law in 2002. Ten years later, the cybersecurity environment differs from FISMA's original information security definition.
Topic 7: Moving from a Static to a Dynamic Paradigm
A Dynamic Strategy for an Asymmetric Threat
National Strategy Reviews
Most national strategy reviews related to cybersecurity are focused on cyberspace or the components of cybersecurity. The federal government has produced The National Strategy to Secure Cyberspace, which represents the national strategy. Subsequently, another strategy document emerged from the White House in 2009, The Comprehensive National Cybersecurity Initiative (CNCI). The Obama administration presented the White House 60-day Cyberspace Policy Review that same year.
The 9/11 Commission was not drawn from the national security community, representatives of which authored the strategy documents listed above. In addition, the 9/11 Commission was formed to study a specific problem: how the 9/11 attacks occurred. Its charge was not to accept that the status quo functioned properly. Indeed, the purpose of the commission was to ascertain why national security systems failed.
9/11 Commission
Ponder This
The 9/11 attacks were asymmetric in nature, and asymmetric threats continue to exist today. The 9/11 Commission was set up after the attacks to uncover how they occurred and to recommend changes to address their root causes. What lessons can we learn from the 9/11 attacks that will help us combat asymmetric threats in the cyberworld?
Jonathan uses the findings of the 9/11 Commission when he talks to his team about the approach they need to adopt for their own commission.
Here is a transcript of the discussion Jonathan has with his team.
Jonathan: Hi, team. I think we should take a cue from the 9/11 Commission and their findings for how we conduct our research.
Jonathan: As you know, the 9/11 Commission focused on terrorism and explored how government operated, its effectiveness, and its gaps.
Team Member 1: Yes, Jonathan. The public environment during the commission’s proceedings was one of intense commitment to uncovering facts and ensuring another 9/11 doesn’t happen.
Jonathan: That's right. The approach of the commission was to be extremely open to receiving information and engaging in critical analysis of how government should operate in a new era of terrorism.
Team Member 2: Are you saying that we should also adopt a policy of reviewing all information available to us?
Jonathan: Yes, I am.
Team Member 2: The commission found that when they were piecing together bits of information, government agencies had emphasized classification over information sharing.
Team Member 2: This particular finding has tremendous application when it comes to dealing with an asymmetric threat from cyberspace.
Team Member 3: Countering terrorism requires extensive and effective information sharing.
Jonathan: Yes, so what I see is that we need to refashion cybersecurity approaches and start from scratch in much the same way the 9/11 Commission did.
Team Member 3: That means we need new fact-finding procedures to guarantee that all the dimensions of cybersecurity are fully understood.
Team Member 2: Yes, that step is imperative because the asymmetric nature of the threat mandates that we consider dynamic solutions.
Jonathan: OK, team, now let's look at another recommendation from the 9/11 Commission. This recommendation looks like it applies to improving situational awareness in order to meet the asymmetric threat.
Recommendation
"We propose that information be shared horizontally, across new networks that transcend individual agencies." (9/11 Commission, 2004, p. 418)
Reflect
What does Jonathan's proposed recommendation mean to you? How would it apply in a new cybersecurity discipline? How could a cybersecurity strategy be designed to incorporate this recommendation?
Topic 8: Summary
We have come to the end of Module 1. The key concepts covered in this module are listed below.
Revolutions, such as the Industrial Revolution, the American Revolution, and the formation of nation-states, brought with them shifts in how society functioned. Similarly, the Internet age has brought a revolution in the ways we communicate with each other, do our shopping, pursue our daily activities, and conduct business.
With every major change, a paradigm shift occurs. Understanding this paradigm shift is made easier by Thomas Kuhn's work on the dynamics of new-field emergence. Kuhn's work suggests that a new scientific domain must gain acceptance before beneficial work in that domain can begin.
The Kuhn cycle can be used to explain the scientific analysis of a revolutionary change. The cycle has five phases: normal science, model drift, model crisis, model revolution, and paradigm shift.
As cybersecurity is largely undefined, new disciplinary constructs must emerge in order to meet the cybersecurity challenge effectively.
To address the cybersecurity challenge, horizontal information sharing is required among nations throughout the world.
The Westphalian nation-state model allows cyberattackers to enjoy both anonymity and sovereignty protection. Hackers can take refuge within their nations' borders. Thus, the Westphalian model prevents the effective implementation of cybersecurity.
The preferred method for designing secure networks is based on defense in depth. This method uses dynamic planning and risk-based analysis to counter asymmetric threats.
Defense in depth uses a layered approach that places multiple effective countermeasures against corresponding threats. It has a hierarchical structure with different controls to counter different threats.
Many information security consultants and auditors use ISO 27001/27002 as their standard for compliance purposes. However, this standard is static and is therefore unresponsive to dynamic threats.
Glossary

Asymmetric Attack: An asymmetric attack is a strategy between adversaries possessing different capabilities, strengths, and weaknesses, whereby the attacking party chooses tactics and vectors that target the defender's weaknesses and avoids strength-on-strength confrontations. In cyberspace, the attacker exploits features of the Internet such as connectivity to critical infrastructure, anonymity, and remote access.

Backdoor: A backdoor is a hidden means of access to a system or application that bypasses its normal authentication and access controls. Some backdoors began as developer debugging or maintenance hooks left in shipped software; attackers now plant them deliberately to retain remote command and control of a compromised host.

Cybercrime: Cybercrimes are criminal acts committed using a computer as a tool or as a target, such as hacking, Internet fraud, and identity theft.

Defense in Depth: Defense in depth is a comprehensive approach to network security that places many layers of security between the threat and the targeted asset, so that an intruder who defeats one layer still faces the next and no single control failure exposes the asset.

E-Commerce System: An e-commerce system is a system of commerce used for buying and selling products or providing services over the Internet.

Federal Information Security Management Act (FISMA): FISMA requires federal agencies to maintain an information security program that keeps risk at an acceptable level, commensurate with the harm a compromise could cause, through annual security reviews and reports, risk assessments, configuration guidelines, continuity plans, security policies, and inventories of systems.

Firewall: A firewall is hardware or software that filters traffic between networks or hosts of differing trust according to a rule set, blocking the connections its policy does not permit and thereby preventing unauthorized users from accessing a computer or a network.

Homeland Security Presidential Directives (HSPDs): HSPDs are directives issued by the president of the United States regarding homeland security.

National Institute of Standards and Technology (NIST): NIST is an agency of the Department of Commerce that works to promote innovation and competitiveness by developing standards and technology, including the federal information security standards and guidelines that agencies use to meet FISMA.

Public Key Infrastructure (PKI): PKI is a system of hardware, software, policies, processes, and people used to create, distribute, validate, store, and revoke public-private key pairs and the digital certificates that bind public keys to identities.

Secure Sockets Layer (SSL): SSL is a security protocol that creates an encrypted and authenticated link between a Web server and a Web browser so that data passing between a Web site and a customer cannot be read or altered in transit. SSL has since been superseded by Transport Layer Security (TLS), although the name SSL is still used informally for the protocol family.
Short Paper/Case Study Analysis Rubric

Requirements of submission: Short paper assignments must follow these formatting guidelines: double spacing, 12-point Times New Roman font, one-inch margins, and discipline-appropriate citations. Page length requirements: 1-2 pages for undergraduate courses; 2-4 pages for graduate courses. Failure to adhere to these requirements of submission will result in the paper not being graded.

Refer to this link for viewing and printing Turnitin paper feedback.

Instructor Feedback: Students can find their feedback in the grade book as an attachment.

Critical Elements (rated Distinguished, Proficient, Emerging, or Not Evident; point ranges and value in parentheses)

Main Elements (value: 25)
  Distinguished (23-25): Includes all of the main elements and requirements and cites multiple examples to illustrate each element
  Proficient (20-22): Includes most of the main elements and requirements and cites many examples to illustrate each element
  Emerging (18-19): Includes some of the main elements and requirements
  Not Evident (0-17): Does not include any of the main elements and requirements

Inquiry and Analysis (value: 20)
  Distinguished (18-20): Provides in-depth analysis that demonstrates complete understanding of multiple concepts
  Proficient (16-17): Provides in-depth analysis that demonstrates complete understanding of some concepts
  Emerging (14-15): Provides in-depth analysis that demonstrates complete understanding of minimal concepts
  Not Evident (0-13): Does not provide in-depth analysis

Integration and Application (value: 10)
  Distinguished (9-10): All of the course concepts are correctly applied
  Proficient (8): Most of the course concepts are correctly applied
  Emerging (7): Some of the course concepts are correctly applied
  Not Evident (0-6): Does not correctly apply any of the course concepts

Critical Thinking (value: 20)
  Distinguished (18-20): Draws insightful conclusions that are thoroughly defended with evidence and examples
  Proficient (16-17): Draws informed conclusions that are justified with evidence
  Emerging (14-15): Draws logical conclusions, but does not defend them with evidence
  Not Evident (0-13): Does not draw logical conclusions

Research (value: 15)
  Distinguished (14-15): Incorporates many scholarly resources effectively that reflect depth and breadth of research
  Proficient (12-13): Incorporates some scholarly resources effectively that reflect depth and breadth of research
  Emerging (11): Incorporates very few scholarly resources that reflect depth and breadth of research
  Not Evident (0-10): Does not incorporate scholarly resources that reflect depth and breadth of research

Writing (Mechanics/Citations) (value: 10)
  Distinguished (9-10): No errors related to organization, grammar and style, and citations
  Proficient (8): Minor errors related to organization, grammar and style, and citations
  Emerging (7): Some errors related to organization, grammar and style, and citations
  Not Evident (0-6): Major errors related to organization, grammar and style, and citations

Earned Total: (out of 100%)
Comments:
5-3 Short Paper: International Labor Standards

Visit the ILO (International Labor Organization) website. The ILO is a UN agency that promotes social justice and internationally recognized human and labor rights. Established in 1919, it is the only surviving major creation of the Treaty of Versailles. The ILO Declaration on Fundamental Principles and Rights at Work covers four areas:
  - Freedom of association and the right to collective bargaining
  - The elimination of forced and compulsory labor
  - The abolition of child labor
  - The elimination of discrimination in the workplace

Research the history of international labor standards. Are labor standards feasible? What are the advantages and disadvantages of standards? Write a short paper describing the ILO's history and answering the questions above about its standards.
Reference:
UMUC. (2014). Responding to an asymmetric threat. Retrieved from http://tychousa9.umuc.edu/CSEC670/1206/csec670_01/assets/csec670_01.pdf
1. Not only must asymmetric advantages be countered domestically; attackers also often originate from outside the United States. Given that situation, describe how the Westphalian model would aid cybersecurity at the global level.
Answer:

2. This week we are reviewing responses to an asymmetric threat.
A. What is an asymmetric threat?
B. Describe some dynamic approaches for defending against an asymmetric threat.
Answer:

3. Revolutionary change often creates a paradigm shift. Given a new paradigm, it would be beneficial to redraw the cybersecurity landscape, critically assessing how the problem of cybersecurity should be defined. What exactly is cybersecurity? Is it a function or task? Is it a strategy? Is it about crime? Is it about national security?
Answer:

4. Changes to business enterprises in response to the commercialization and growth of the Internet are often seen as by-products of revolutionary change.
A. Why is the Internet viewed as a revolutionary change?
B. Describe some of the attributes of revolutionary change brought about by the Internet and their impact on security.
You are encouraged to include real examples from your past studies that you can share with your fellow students.

More Related Content

Similar to UMUC .docx

Blockchain insider | Chapter 3 : Smart Money
Blockchain insider | Chapter 3 : Smart MoneyBlockchain insider | Chapter 3 : Smart Money
Blockchain insider | Chapter 3 : Smart MoneyKoh How Tze
 
2600 v16 n1 (spring 1999)
2600 v16 n1 (spring 1999)2600 v16 n1 (spring 1999)
2600 v16 n1 (spring 1999)Felipe Prado
 
December ISSA Meeting Executive Security Presentation
December ISSA Meeting   Executive Security PresentationDecember ISSA Meeting   Executive Security Presentation
December ISSA Meeting Executive Security Presentationwhmillerjr
 
A Cyber Security Review
A Cyber Security ReviewA Cyber Security Review
A Cyber Security ReviewSimon Moffatt
 
Cyberterrorism
CyberterrorismCyberterrorism
CyberterrorismNagu Nayak
 
Research_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_IntindoloResearch_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_IntindoloJohn Intindolo
 
1. What are two items to consider when creating a malware analysis.docx
1. What are two items to consider when creating a malware analysis.docx1. What are two items to consider when creating a malware analysis.docx
1. What are two items to consider when creating a malware analysis.docxjackiewalcutt
 
Metanomics: Federal Interest in Virtual Worlds and Cybersecurity
Metanomics: Federal Interest in Virtual Worlds and CybersecurityMetanomics: Federal Interest in Virtual Worlds and Cybersecurity
Metanomics: Federal Interest in Virtual Worlds and CybersecurityDoug Thompson
 
Cybersecurity commission-report-final-post
Cybersecurity commission-report-final-postCybersecurity commission-report-final-post
Cybersecurity commission-report-final-postRob Wilson
 
Cybersecurity and Policy Kafayat Omotayo WRTG 112
Cybersecurity and Policy Kafayat Omotayo WRTG 112 Cybersecurity and Policy Kafayat Omotayo WRTG 112
Cybersecurity and Policy Kafayat Omotayo WRTG 112 OllieShoresna
 
Pavlos_Isaris_final_report
Pavlos_Isaris_final_reportPavlos_Isaris_final_report
Pavlos_Isaris_final_reportPavlos Isaris
 

Similar to UMUC .docx (18)

Blockchain insider | Chapter 3 : Smart Money
Blockchain insider | Chapter 3 : Smart MoneyBlockchain insider | Chapter 3 : Smart Money
Blockchain insider | Chapter 3 : Smart Money
 
Cyberterrorism
CyberterrorismCyberterrorism
Cyberterrorism
 
DSC assignment 3.docx
DSC assignment 3.docxDSC assignment 3.docx
DSC assignment 3.docx
 
Cyber-Terrorism Essay
Cyber-Terrorism EssayCyber-Terrorism Essay
Cyber-Terrorism Essay
 
2600 v16 n1 (spring 1999)
2600 v16 n1 (spring 1999)2600 v16 n1 (spring 1999)
2600 v16 n1 (spring 1999)
 
December ISSA Meeting Executive Security Presentation
December ISSA Meeting   Executive Security PresentationDecember ISSA Meeting   Executive Security Presentation
December ISSA Meeting Executive Security Presentation
 
Cyber Terrorism Essay
Cyber Terrorism EssayCyber Terrorism Essay
Cyber Terrorism Essay
 
A Cyber Security Review
A Cyber Security ReviewA Cyber Security Review
A Cyber Security Review
 
Cyberterrorism
CyberterrorismCyberterrorism
Cyberterrorism
 
Take Down
Take DownTake Down
Take Down
 
Research_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_IntindoloResearch_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_Intindolo
 
1. What are two items to consider when creating a malware analysis.docx
1. What are two items to consider when creating a malware analysis.docx1. What are two items to consider when creating a malware analysis.docx
1. What are two items to consider when creating a malware analysis.docx
 
Metanomics: Federal Interest in Virtual Worlds and Cybersecurity
Metanomics: Federal Interest in Virtual Worlds and CybersecurityMetanomics: Federal Interest in Virtual Worlds and Cybersecurity
Metanomics: Federal Interest in Virtual Worlds and Cybersecurity
 
Cyberterrorism Essays
Cyberterrorism EssaysCyberterrorism Essays
Cyberterrorism Essays
 
Cybersecurity commission-report-final-post
Cybersecurity commission-report-final-postCybersecurity commission-report-final-post
Cybersecurity commission-report-final-post
 
Cybersecurity and Policy Kafayat Omotayo WRTG 112
Cybersecurity and Policy Kafayat Omotayo WRTG 112 Cybersecurity and Policy Kafayat Omotayo WRTG 112
Cybersecurity and Policy Kafayat Omotayo WRTG 112
 
Pavlos_Isaris_final_report
Pavlos_Isaris_final_reportPavlos_Isaris_final_report
Pavlos_Isaris_final_report
 
Computer Crime Essay
Computer Crime EssayComputer Crime Essay
Computer Crime Essay
 

More from willcoxjanay

Critical Response Rubric Category 0 1 1.5 2 Timelin.docx
Critical Response Rubric Category 0 1 1.5 2 Timelin.docxCritical Response Rubric Category 0 1 1.5 2 Timelin.docx
Critical Response Rubric Category 0 1 1.5 2 Timelin.docxwillcoxjanay
 
Critical Response Rubric- Please view the videos provided on Asha De.docx
Critical Response Rubric- Please view the videos provided on Asha De.docxCritical Response Rubric- Please view the videos provided on Asha De.docx
Critical Response Rubric- Please view the videos provided on Asha De.docxwillcoxjanay
 
Critical Reflective AnalysisIn developing your genogram and learni.docx
Critical Reflective AnalysisIn developing your genogram and learni.docxCritical Reflective AnalysisIn developing your genogram and learni.docx
Critical Reflective AnalysisIn developing your genogram and learni.docxwillcoxjanay
 
Critical Reflection Projectzzz.docx
Critical Reflection Projectzzz.docxCritical Reflection Projectzzz.docx
Critical Reflection Projectzzz.docxwillcoxjanay
 
Critical reflection on the reading from Who Speaks for Justice, .docx
Critical reflection on the reading from Who Speaks for Justice, .docxCritical reflection on the reading from Who Speaks for Justice, .docx
Critical reflection on the reading from Who Speaks for Justice, .docxwillcoxjanay
 
Critical Reflection ExerciseStudents are expected to have co.docx
Critical Reflection ExerciseStudents are expected to have co.docxCritical Reflection ExerciseStudents are expected to have co.docx
Critical Reflection ExerciseStudents are expected to have co.docxwillcoxjanay
 
Critical Reading StrategiesThe University of Minnesota published.docx
Critical Reading StrategiesThe University of Minnesota published.docxCritical Reading StrategiesThe University of Minnesota published.docx
Critical Reading StrategiesThe University of Minnesota published.docxwillcoxjanay
 
Critical Qualitative Research Designpages 70–76Related to un.docx
Critical Qualitative Research Designpages 70–76Related to un.docxCritical Qualitative Research Designpages 70–76Related to un.docx
Critical Qualitative Research Designpages 70–76Related to un.docxwillcoxjanay
 
Critical InfrastructuresThe U.S. Department of Homeland Security h.docx
Critical InfrastructuresThe U.S. Department of Homeland Security h.docxCritical InfrastructuresThe U.S. Department of Homeland Security h.docx
Critical InfrastructuresThe U.S. Department of Homeland Security h.docxwillcoxjanay
 
Critical Infrastructure Protection Discussion Questions How.docx
Critical Infrastructure Protection Discussion Questions How.docxCritical Infrastructure Protection Discussion Questions How.docx
Critical Infrastructure Protection Discussion Questions How.docxwillcoxjanay
 
Critical InfrastructuresIn terms of critical infrastructure and ke.docx
Critical InfrastructuresIn terms of critical infrastructure and ke.docxCritical InfrastructuresIn terms of critical infrastructure and ke.docx
Critical InfrastructuresIn terms of critical infrastructure and ke.docxwillcoxjanay
 
Critical Infrastructure Case StudyPower plants are an important .docx
Critical Infrastructure Case StudyPower plants are an important .docxCritical Infrastructure Case StudyPower plants are an important .docx
Critical Infrastructure Case StudyPower plants are an important .docxwillcoxjanay
 
Critical Infrastructure and a CyberattackPresidential Decisi.docx
Critical Infrastructure and a CyberattackPresidential Decisi.docxCritical Infrastructure and a CyberattackPresidential Decisi.docx
Critical Infrastructure and a CyberattackPresidential Decisi.docxwillcoxjanay
 
Critical Incident Protection (CIP)Plans need to have your name o.docx
Critical Incident Protection (CIP)Plans need to have your name o.docxCritical Incident Protection (CIP)Plans need to have your name o.docx
Critical Incident Protection (CIP)Plans need to have your name o.docxwillcoxjanay
 
Critical Evaluation of Qualitative or Quantitative Research Stud.docx
Critical Evaluation of Qualitative or Quantitative Research Stud.docxCritical Evaluation of Qualitative or Quantitative Research Stud.docx
Critical Evaluation of Qualitative or Quantitative Research Stud.docxwillcoxjanay
 
Critical Analysis of Phillips argument in her essay Zombie Studies.docx
Critical Analysis of Phillips argument in her essay Zombie Studies.docxCritical Analysis of Phillips argument in her essay Zombie Studies.docx
Critical Analysis of Phillips argument in her essay Zombie Studies.docxwillcoxjanay
 
Critical Appraisal Process for Quantitative ResearchAs you cri.docx
Critical Appraisal Process for Quantitative ResearchAs you cri.docxCritical Appraisal Process for Quantitative ResearchAs you cri.docx
Critical Appraisal Process for Quantitative ResearchAs you cri.docxwillcoxjanay
 
CriteriaExcellentSuperiorGoodWork neededFailingIntrodu.docx
CriteriaExcellentSuperiorGoodWork neededFailingIntrodu.docxCriteriaExcellentSuperiorGoodWork neededFailingIntrodu.docx
CriteriaExcellentSuperiorGoodWork neededFailingIntrodu.docxwillcoxjanay
 
Critical analysis of primary literature - PracticePurposeThis.docx
Critical analysis of primary literature - PracticePurposeThis.docxCritical analysis of primary literature - PracticePurposeThis.docx
Critical analysis of primary literature - PracticePurposeThis.docxwillcoxjanay
 
Critical analysis of one relevant curriculum approach or model..docx
Critical analysis of one relevant curriculum approach or model..docxCritical analysis of one relevant curriculum approach or model..docx
Critical analysis of one relevant curriculum approach or model..docxwillcoxjanay
 

More from willcoxjanay (20)

Critical Response Rubric Category 0 1 1.5 2 Timelin.docx
Critical Response Rubric Category 0 1 1.5 2 Timelin.docxCritical Response Rubric Category 0 1 1.5 2 Timelin.docx
Critical Response Rubric Category 0 1 1.5 2 Timelin.docx
 
Critical Response Rubric- Please view the videos provided on Asha De.docx
Critical Response Rubric- Please view the videos provided on Asha De.docxCritical Response Rubric- Please view the videos provided on Asha De.docx
Critical Response Rubric- Please view the videos provided on Asha De.docx
 
Critical Reflective AnalysisIn developing your genogram and learni.docx
Critical Reflective AnalysisIn developing your genogram and learni.docxCritical Reflective AnalysisIn developing your genogram and learni.docx
Critical Reflective AnalysisIn developing your genogram and learni.docx
 
Critical Reflection Projectzzz.docx
Critical Reflection Projectzzz.docxCritical Reflection Projectzzz.docx
Critical Reflection Projectzzz.docx
 
Critical reflection on the reading from Who Speaks for Justice, .docx
Critical reflection on the reading from Who Speaks for Justice, .docxCritical reflection on the reading from Who Speaks for Justice, .docx
Critical reflection on the reading from Who Speaks for Justice, .docx
 
Critical Reflection ExerciseStudents are expected to have co.docx
Critical Reflection ExerciseStudents are expected to have co.docxCritical Reflection ExerciseStudents are expected to have co.docx
Critical Reflection ExerciseStudents are expected to have co.docx
 
Critical Reading StrategiesThe University of Minnesota published.docx
Critical Reading StrategiesThe University of Minnesota published.docxCritical Reading StrategiesThe University of Minnesota published.docx
Critical Reading StrategiesThe University of Minnesota published.docx
 
Critical Qualitative Research Designpages 70–76Related to un.docx
Critical Qualitative Research Designpages 70–76Related to un.docxCritical Qualitative Research Designpages 70–76Related to un.docx
Critical Qualitative Research Designpages 70–76Related to un.docx
 
Critical InfrastructuresThe U.S. Department of Homeland Security h.docx
Critical InfrastructuresThe U.S. Department of Homeland Security h.docxCritical InfrastructuresThe U.S. Department of Homeland Security h.docx
Critical InfrastructuresThe U.S. Department of Homeland Security h.docx
 
Critical Infrastructure Protection Discussion Questions How.docx
Critical Infrastructure Protection Discussion Questions How.docxCritical Infrastructure Protection Discussion Questions How.docx
Critical Infrastructure Protection Discussion Questions How.docx
 
Critical InfrastructuresIn terms of critical infrastructure and ke.docx
Critical InfrastructuresIn terms of critical infrastructure and ke.docxCritical InfrastructuresIn terms of critical infrastructure and ke.docx
Critical InfrastructuresIn terms of critical infrastructure and ke.docx
 
Critical Infrastructure Case StudyPower plants are an important .docx
Critical Infrastructure Case StudyPower plants are an important .docxCritical Infrastructure Case StudyPower plants are an important .docx
Critical Infrastructure Case StudyPower plants are an important .docx
 
Critical Infrastructure and a CyberattackPresidential Decisi.docx
Critical Infrastructure and a CyberattackPresidential Decisi.docxCritical Infrastructure and a CyberattackPresidential Decisi.docx
Critical Infrastructure and a CyberattackPresidential Decisi.docx
 
Critical Incident Protection (CIP)Plans need to have your name o.docx
Critical Incident Protection (CIP)Plans need to have your name o.docxCritical Incident Protection (CIP)Plans need to have your name o.docx
Critical Incident Protection (CIP)Plans need to have your name o.docx
 
Critical Evaluation of Qualitative or Quantitative Research Stud.docx
Critical Evaluation of Qualitative or Quantitative Research Stud.docxCritical Evaluation of Qualitative or Quantitative Research Stud.docx
Critical Evaluation of Qualitative or Quantitative Research Stud.docx
 
Critical Analysis of Phillips argument in her essay Zombie Studies.docx
Critical Analysis of Phillips argument in her essay Zombie Studies.docxCritical Analysis of Phillips argument in her essay Zombie Studies.docx
Critical Analysis of Phillips argument in her essay Zombie Studies.docx
 
Critical Appraisal Process for Quantitative ResearchAs you cri.docx
Critical Appraisal Process for Quantitative ResearchAs you cri.docxCritical Appraisal Process for Quantitative ResearchAs you cri.docx
Critical Appraisal Process for Quantitative ResearchAs you cri.docx
 
CriteriaExcellentSuperiorGoodWork neededFailingIntrodu.docx
CriteriaExcellentSuperiorGoodWork neededFailingIntrodu.docxCriteriaExcellentSuperiorGoodWork neededFailingIntrodu.docx
CriteriaExcellentSuperiorGoodWork neededFailingIntrodu.docx
 
Critical analysis of primary literature - PracticePurposeThis.docx
Critical analysis of primary literature - PracticePurposeThis.docxCritical analysis of primary literature - PracticePurposeThis.docx
Critical analysis of primary literature - PracticePurposeThis.docx
 
Critical analysis of one relevant curriculum approach or model..docx
Critical analysis of one relevant curriculum approach or model..docxCritical analysis of one relevant curriculum approach or model..docx
Critical analysis of one relevant curriculum approach or model..docx
 

Recently uploaded

Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docxPoojaSen20
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991RKavithamani
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 

Recently uploaded (20)

Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docx
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Sanyam Choudhary Chemistry practical.pdf

UMUC .docx

Topic 1: Scenario

Scenario: Digital Pearl Harbor

Responding to an Asymmetric Threat
CSEC670—Module 1

Digital Pearl Harbor

Jonathan Brassard is lying in his hammock, enjoying a peaceful day near his lakeside vacation cabin. Recently retired, Jonathan has had an eventful career in the IT industry. With a master's degree in cybersecurity, Jonathan held notable cybersecurity policy positions in both the private and public sector. He pioneered a cybersecurity consulting business in which he advised CEOs of top companies. He also consulted with the White House several times as a cybersecurity expert. Although he is retired, Jonathan still maintains an office at his company and keeps abreast of events in the cyberworld. On this morning, November 9, he is in for a surprise as he clicks on his tablet to check the stock market.

Disclaimer: The storyline and characters in this part of the module are fictitious and were developed for the purposes of this course. No association with any real person, places, or events is intended or should be inferred from the use of the fictitious names.

Scenario

Jonathan is taken by surprise as he scans the headlines on his tablet. He follows the link to read the full story.

Digital Pearl Harbor; Stock Markets Crash!

Otto Processing Systems, the provider of back office transaction processing to almost 92 percent of U.S. financial institutions during the past 10 years, is under a cyberattack. Otto, a third-party service provider, is the leader in technologies used in banking and financial institutions. Otto has been processing all its transactions over the Internet using Secure Sockets Layer (SSL), and it is this security technology that has been compromised in the cyberattack. The Anarchists, a self-described social action group, have claimed responsibility for the attack. For some time now, the Anarchists have been protesting the high salaries paid to Wall Street executives and traders. As part of their protest, they have now cracked the encryption in Otto's SSL.

Experts say that this attack constitutes a major cybersecurity issue with the potential to shut down a significant portion of America's financial services sector, one of the nation's critical infrastructures. While the full impact of the cyberattack has not yet been determined, the president of the United States has declared the incident to be a threat to national security. In a television broadcast, he stated that the security breach could lead to the financial services sector lacking confidence in the authenticity of its trading data.

As Jonathan digests this disturbing news, his cell phone rings. It is Jonathan's colleague and friend, Tom Baines, who works for the federal government in a national security role.

Here is a transcript of the conversation between Jonathan and Tom.

Tom: Hi, Jonathan. I guess you've heard about the attack on Otto.
Jonathan: Yes, I was just reading about it.
Tom: Well, I need some help that would require you to put your retirement on hold.
Jonathan: Tell me what you have in mind.
Tom: The president is forming a group that will be called "The November 9 Commission".
Tom: The commission will investigate the incident and prepare a report on how it happened and what needs to be done to prevent further attacks.
Jonathan: That sounds like a good start to me. How can I help you?
Tom: The president would like you to serve on the commission. Will you do it?
Jonathan: I'm honored to be asked. What role would he like me to have?
Tom: Your primary role would be to look at the big picture and make specific recommendations related to the financial services industry.
Jonathan: Okay. I'll be back in Washington in three days, and we can discuss this in detail.
Tom: Thanks, Jonathan!

Three Days Later

Three days later, Jonathan is in Washington, D.C., in a boardroom at his company filled with staffers who are busy reading reports and answering phones. He walks into his office, looks out the window, and ponders the project ahead.

Topic 2: Module Introduction

History is witness to the revolutions that have transformed society. The Industrial Revolution was driven by technological advances, while the American Revolution was driven by ideological and societal values. Religion, commerce,
culture, and politics have also played prominent roles in influencing history during periods of revolutionary change. Similarly, the Internet age has been changing society for almost two decades now. The ever-multiplying technologies, increased bandwidth and speed, and advanced networking are features of the Internet revolution. From communications to advertising, from content delivery to gadgets, and now in the Smart Grid, changes in Internet-based technologies keep altering how we view our lives.

Recently, however, cybersecurity concerns have emerged as a prominent aspect of the Internet age. With increasing Internet access, cyberthreats have become national security dangers that can jeopardize economic prosperity. Understanding our evolving Internet-based society helps us address cybersecurity concerns. Cybersecurity has several components, such as national security, law enforcement, intelligence, intellectual property, privacy, and public-private partnerships. Understanding cyberspace in the context of these related concerns raises the question of whether legacy frameworks of these related spheres are appropriate and effective for cyberspace. The challenge of keeping the Internet trustworthy requires a full study of the prevailing governance frameworks. Fortunately, the Internet revolution follows earlier periods of revolutionary change. This module will cover some effective strategies for understanding the impact of the Internet revolution and addressing modern cybersecurity challenges.

Topic 3: What is Revolutionary Change?

Attributes of Revolutionary Change

Theorists, scientists, and academicians have explored revolution and evolution for centuries. They have often had to tackle the severe social repercussions of upsetting the status quo. Studies of organizational change have shown that change can occur swiftly or slowly. Movements aimed at social change have often failed, at least in the political sense. External factors radically upset the status quo—sometimes in relatively minor ways, such as within an industry—and other times permanently, changing the international order. Revolutionary change often brings about fundamental changes in elements of society such as underlying business processes, supporting frameworks, and interrelationships. Fundamental elements must often be refashioned to address the needs that emerge during periods of revolutionary change.

Darwin's Theory of Evolution

Charles Darwin is known for his theories of evolution and common ancestry. He proposed the theory of natural selection, which rejected earlier concepts of transmutation of species. His studies were met with a great deal of resistance and his works were violently attacked. However, in the face of all opposition, he was able to bring about a scientific revolution.

Copernicus' Theory of Heliocentricity

When Nicolaus Copernicus proposed his theory of heliocentricity, countering the Roman Catholic Church's view that the Earth was at the center of the universe, he created a furor. Copernicus held instead that the Earth revolves around the Sun. Copernicus created a revolution in astronomy. After many years of scientific research and experiments, it was proven that Copernicus was indeed correct.

Air Power

In order to realize the potential of air power—the use of aircraft in war—new munitions and ballistic research were needed. Warships and ground systems had to be modified to defend against new airborne weapons. Brig. Gen. Billy Mitchell of the U.S. Army famously championed the emergence of air power with a demonstration in 1921 in which the former German battleship Ostfriesland was sunk near the Chesapeake Bay. This exercise advanced the debate as to the future role of air power in warfare, ultimately leading to an expanded role for military and naval air forces.

Industrial Revolution

After the Industrial Revolution, a completely new theory of law emerged: negligence theory. Previously, in common law, a direct relationship was required between litigants, and only actions under a contract theory were permitted. Negligence theory was proposed to restore balance to the rights and obligations of different members of society. It emerged to enable enforcement of a "duty" on the part of a distant party who had no contractual relationship with a victim of harm. If harm was committed, it could be redressed, regardless of the nonexistence of a contract. The extended economic relationships brought about by the Industrial Revolution, along with vastly expanded production and distribution of goods, triggered this change in law to protect consumers and other downstream product users from harm.

Internet Age

Changes to business enterprises in response to the commercialization and growth of the Internet demonstrate that the Internet age is a period of revolutionary change. One indication of the change is linguistic. Terms such as Internet, cyber, e-, and brick and mortar are descriptors that seek to capture new ideas. For example, brick and mortar emerged to describe a legacy business model, in contrast to e-commerce. In distinguishing brick and mortar from e-commerce, what emerges is not just a new lexicon, but also a fundamentally different mode of business. This new business mode is what created the need for the new lexicon. The Internet age has brought about a revolution in the ways we communicate with each other, do our shopping, pursue our daily activities, and conduct business. The methods we use to buy airline tickets, make hotel reservations, register for college courses, and order pizza have all changed in a fundamental way.
Topic 3: What is Revolutionary Change?

Instances of Revolutionary Change

Industrial Revolution

Step 1
The Industrial Revolution brought changes in manufacturing and distribution processes. It established expanded markets, scaled production and distribution, and introduced new methods and technologies, thus causing society to change.

Step 2
Working conditions changed and shift work became common. The relationship between supplier and consumer changed. Instead of businesses based on relationships, such as those of a village blacksmith or baker who knew their customers, producers and suppliers became disconnected from their customers.

Step 3
For example, in pre-Industrial Revolution England, the legal mechanism to remedy harm required a direct contractual relationship. The concept of negligence did not yet exist in tort law. Therefore, when consumers were harmed by the negligence of a distant producer, they could not sue that producer.

Step 4
After the Industrial Revolution, the English courts fashioned a new legal remedy based on negligence theory.

Step 5
This redress mechanism for victims of harm demonstrates how a period of revolutionary change—the Industrial Revolution—caused structures within society to change.

Question for Industrial Revolution
What were the effects of the Industrial Revolution on society and business processes?
a. Altered manufacturing processes
b. Improved distribution methods
c. Reduced profits for companies
d. Reduced profit incentives for businesses
Correct Answer: Options a and b
Feedback: The Industrial Revolution enhanced manufacturing processes and distribution methods. Neither profits nor incentives were reduced as a result of the Industrial Revolution.

The Westphalian Nation-State Model

After the Thirty Years' War (1618-1648) in Europe, the Westphalian nation-state model was developed. After decades of fighting, a system of sovereignty and nation-state boundaries emerged that was known as the Peace of Westphalia. Fiefdoms died out, and modern countries began to emerge. An international framework aimed at security through the sovereignty principle was established in hopes that each nation would respect this vision.

The legacy of the Westphalian system is seen in modern international frameworks such as the Hague Conventions, the Geneva Conventions, and the United Nations Charter. An underlying feature of each of these agreements is their support of the nation-state construct. These agreements sought to expand protections with respect to human rights and to regulate warfare through compliance by nation-state signatories.

Question for The Westphalian Nation-State Model
Which of the following correctly describes the Westphalian nation-state model?
a. A platform for the theories of communism
b. An international model to promote respect for sovereignty
c. A model that provides the framework for the European Union
d. A model that allowed dictators to expand their empires
Correct Answer: Option b
Feedback: The Westphalian nation-state model emerged internationally to promote respect for sovereignty.

Internet Age

Major technological and social changes over the years include air travel, nuclear power, freedom movements, the aerospace industry, and now, the Internet. The changes that have been brought about by the Internet are actually more fundamental and universal than any that have come before. The Internet has influenced business models, increased efficiencies, and transformed industries. Examples of this include the Smart Grid in the energy sector and digital trading in the financial services industry.

Music
Delivery of media content, such as music and videos, has moved from in-store sales to online sales and on-demand video delivery. The Internet has revolutionized the way we perceive media.

Mobile
Mobile communication has taken the world by storm. An amazing range of cell phones are being offered at ever-lower costs while simultaneously incorporating more and more features.

Newspaper
Print media, such as newspapers and magazines, have seen their circulation and profitability decrease. Many people no longer receive home newspaper delivery, preferring instead to get their news online.

Radio
We have witnessed the near-dissolution of the record store industry, including the bankruptcy of chains like Tower Records. Today, there are free subscription-based radio stations and music offerings on the Web, such as those provided by the British Broadcasting Corporation. The original brick and mortar CD and tape stores have now adopted different business strategies.

Question for Internet Age
Tower Records was a chain of brick-and-mortar record stores. How did the Internet change music delivery methods, and why did Tower Records and other record stores go out of business?
a. People were no longer interested in the genre of music that Tower Records sold.
b. Tower Records' business model became uncompetitive in the Internet Age.
c. The audience for 1970's music dwindled.
d. Internet-based music delivery became very popular.
Correct Answer: Options b and d
Feedback: Tower Records' business model became uncompetitive in comparison with Internet-based music delivery platforms like iTunes. While older genres of music are still popular today, online delivery mechanisms are putting brick-and-mortar record stores out of business. The original brick and mortar CD and tape stores have now adopted different business strategies.

Topic 4: Understanding Paradigm Shifts

Kuhn's View

Changes in Society

Changes in human society are an ongoing and accepted process. However, revolutionary change goes beyond the standard adaptability processes through which social changes occur. While society is adept at handling change
that manifests at a certain level of complexity, society's adaptability mechanisms are ill-suited for recognizing when the status quo is being tilted. Societal frameworks facilitate order and tranquility, and therefore, they may actually be part of the problem in that they can delay recognition that revolutionary change is occurring. The frameworks and processes under a status quo need refining or even transformation after a revolutionary change.

Kuhn's View

In 1962, Thomas Kuhn wrote a book titled The Structure of Scientific Revolutions. Its subject is the dynamics of new field emergence. His influential work about the progress of science introduced a new model for understanding the dynamics of fundamental change. Kuhn's view is that only after a new domain has fully emerged do paradigm changes make themselves apparent to society. Once the emergence of the new domain is understood, science can assess issues within new frameworks, using new formulas, theorems, and problem-solving constructs that may not have previously existed. Kuhn's work suggests that a domain must be accepted before beneficial scientific work can begin. Acceptance is required to appreciate the existence of a new discipline, thus allowing the development of a new status quo and rule-body.

Reference: Kuhn, Thomas S. The Structure of Scientific Revolutions. 3rd ed. Chicago, IL: University of Chicago Press, 1996.

The Kuhn Cycle

Phases of Kuhn's Cycle

Normal Science
In phase one, normal science, scientists can be found working on normal, small, incremental improvements in their fields. For instance, the mobile phone industry began by manufacturing short-range car phones. Years down the line, we now have 3G cell phones and 4G smartphones. In cybersecurity, initial hacking tactics involved Web site defacements. Improved security practices and technologies emerged to address this challenge. Web site defacements, however, are a comparatively low-level threat compared to modern advanced persistent threats.

Model Drift
In phase two, a model drift occurs when the original model can no longer support changes. For example, in the field of cybersecurity, Ethernet replaced ARCNET, an older LAN protocol, because of modernization of computer network devices.

Model Crisis
In phase three, model crisis occurs when an old model is not able to sustain itself. For instance, in cybersecurity, some people have come to believe that the conventional use of a user ID and password is an outdated and ineffective means of reliably authenticating a user's identity.

Model Revolution
In phase four, model revolution changes the game. At this point, the old model is no longer able to support reliable decision making, so the need for a new model becomes imperative. One example from the field of cybersecurity is the transition from computer workstations to small-scale digital devices. Phase four, model revolution, may result from a changed scope or dimension of the environment. One example is the recent extensive proliferation of networked devices and our rapidly growing reliance on them. At the same time, bandwidth and speed have become attack enablers. The proliferation of Internet devices, along with increases in speed and connectivity, have changed the paradigm for security on the Internet.

Paradigm Change
In phase five, a paradigm change occurs when a new scientific model is discovered and utilized. One example of this occurred in cybersecurity when it was recognized that stopping attacks and securing the Internet absolutely is perhaps not a feasible goal. Instead, risk management has become the prevailing strategy, leading to the emergence of new security techniques.

Topic 4: Understanding Paradigm Shifts

From Rejection to a New Hypothesis

Kuhn's view provides a useful lens for assessing current approaches to cybersecurity. According to his view, it would be beneficial to redraw the cybersecurity landscape to critically assess how cybersecurity should be defined. An adequate definition enables effective problem solving.

Through Kuhn's Lens

Cybersecurity remains largely undefined. Is it a function or task? Is it a strategy? Is it
about crime? Is it about national security? Is it purely a technical problem for network technicians? Cybersecurity can be considered a discipline, a field that incorporates strategy, function, and a variety of other features and components. Viewed through Kuhn's perspective, cybersecurity represents a revolutionary change, and new disciplinary constructs must emerge so the cybersecurity challenge can be met effectively.

A New Approach

While multidisciplinary approaches are emerging, the typical cybersecurity incident is thought of as "a problem for the IT guy." Cybersecurity is not merely a technological problem; it is a multidisciplinary problem, requiring more than one area of expertise in order to find solutions. The White House's 60-day Cyberspace Policy Review is an example of a multidisciplinary approach. Similarly, U.S. Cyber Command (CYBERCOM) has been established as an operational command in charge of military cybersecurity efforts. Additionally, the National Institute of Standards and Technology (NIST) is pursuing a risk management approach that is quite different from the notion of securing cyberspace. These efforts demonstrate the beginning of a wider understanding that cybersecurity presents a problem beyond the capability and authority of an organization's IT department. However, these efforts are mechanisms that have emerged in response to a difficult challenge, and it is not yet clear that the problem has been defined adequately.

Topic 4: Understanding Paradigm Shifts

A New Disciplinary Construct for Cybersecurity

Disciplines such as law and the social and physical sciences typically include distinct building blocks, methodologies, and processes. In every instance, an emerging field caused processes and functional components to be developed as deemed necessary by professionals in that field. Therefore, cybersecurity must develop its own disciplinary construct, with supporting processes and functional components. Rather than pigeonhole cyberevents as cybercrimes or privacy matters, as national security incidents, or as intellectual property matters, cybersecurity should incorporate each of these areas of concern as functional components of the discipline.

Moreover, modern cybersecurity challenges present an operational dynamic. Therefore, planning for cybersecurity defenses is akin to planning military operations. An adversary is likely to probe for weak points; therefore, a defender must use risk management planning techniques and be agile in order to respond to attacks. A disciplinary construct for cybersecurity that incorporates its many components can act as a method for comprehensively addressing the revolutionary changes that are occurring in cyberspace.

Question
A federal agency is planning to create a specialized department to monitor e-mail messages. The department will determine potential malicious communication and the information exchange among its employees and external entities. The agency is wary of terror attacks during communication exchange with external private agencies. Prevention of terrorist attacks and organized crime in money laundering tops the agency's list. The department is required to store massive amounts of data in a highly secure manner. Additionally, an entire legal framework has to be created to ensure that the collection of this data is done in a legally sound manner. The agency has given you the following draft list of aspects on which the cybersecurity plan could focus. Your boss asks you to narrow the list to those aspects that would be most appropriate for the plan to focus upon.

Options
a. Integrity because unauthorized individuals or systems should be unable to modify the information being exchanged
b. Personal privacy because it is an important aspect of cybersecurity and related to e-mail communication
c. Information sharing because information exchanged between agencies would be strategic in nature
d. Confidentiality because only authorized individuals or systems should access certain types of information
e. National security because information being exchanged is related to the government and will be of the classified nature
f. Risk mitigation because it is an important aspect of cybersecurity since national security cannot be compromised
g. Cybercrime because money laundering cases when information is being exchanged electronically is an example of a cybersecurity breach
Correct Answer: Options b, e, f, and g
Feedback: Aspects such as confidentiality and integrity from the Confidentiality, Integrity, and Availability (CIA) triad are most commonly associated within the narrow scope of traditional information security rather than cybersecurity. Cybersecurity incorporates a wide number of disciplines and has grown beyond the older, narrowly focused field of information security. It should be looked at as a new discipline in itself and include a variety of aspects such as national security, personal privacy, cybercrime, information sharing, and risk mitigation as functional components.
Topic 5: The Analogous Asymmetric Threat of Terrorism

The Impact of 9/11

The Internet's Maginot Line

Then

Step 1
France thought it had learned its lessons from World War I, when it was invaded by Germany. As part of France's national defense strategy, it constructed the Maginot Line around part of its border.

Step 2
The French built a series of fortifications in a static defensive line that was thought to be impenetrable.

Step 3
During World War II, mobile German forces bypassed the Maginot Line by attacking through Belgium.

Now

Step 1
The Internet has its own Maginot Line that confers advantages to attackers instead of defenders.

Step 2
Static defenses in a network await attacks from anonymous, unseen vectors, cloaked by proxy servers and compromised bot networks. In this way, the Internet can enable an asymmetric attack that is similar to the blitzkrieg attack past the Maginot Line.

Step 3
Cybersecurity strategies must address these unseen vectors. Dynamic approaches and broad situational awareness are the hallmarks of a new strategy for defending against asymmetric threats.

Presidential Decision Directive

The threat to interconnected networks was recognized during the Clinton administration. In 1998, Presidential Decision Directive 63 (PDD-63) was signed. Well before the evolution of cyberthreats as we now know them, PDD-63 stated:

As a result of advances in information technology and the necessity of improved efficiency, however, [nation critical] infrastructures have become increasingly automated and interlinked. These same advances have created new vulnerabilities to equipment failure, human error, weather and other natural causes, and physical and cyberattacks. Addressing these vulnerabilities will necessarily require flexible, evolutionary approaches that span both the public and private sectors, and protect both domestic and international security (The White House, 1998, p.1).
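The contrast the Maginot Line analogy draws between a static perimeter and broad situational awareness, shown as an added Python example that is not part of the original module. The log format, the single known-bad address 203.0.113.7, the 198.51.100.x and 192.0.2.x sources, and the alert thresholds are all constructed for this illustration. The static block-list plays the Maginot Line: it stops the one source it already knows about, and every remaining source fails to log in only once, so no per-source rule ever fires. The dynamic check instead watches failed logins across all sources in a sliding time window and recognizes the distributed bot-network pattern that the static line lets straight through.

```python
"""Static block-list versus windowed situational awareness over web access logs.

Added illustration for the Maginot Line analogy; every address, log line and
threshold below is constructed for the example and is not from the module.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <source IP> <path> <HTTP status>".
# 203.0.113.7 is the one address the perimeter already knows; each 198.51.100.x
# host fails to log in exactly once, the way a distributed bot network would.
SAMPLE_LOG = """\
2012-11-09T09:00:01 203.0.113.7 /login 401
2012-11-09T09:00:03 198.51.100.11 /login 401
2012-11-09T09:00:05 192.0.2.50 /index.html 200
2012-11-09T09:00:06 198.51.100.12 /login 401
2012-11-09T09:00:09 198.51.100.13 /login 401
2012-11-09T09:00:12 203.0.113.7 /login 401
2012-11-09T09:00:14 198.51.100.14 /login 401
2012-11-09T09:00:17 198.51.100.15 /login 401
2012-11-09T09:00:19 192.0.2.51 /account 200
2012-11-09T09:00:21 198.51.100.16 /login 401
2012-11-09T09:00:24 198.51.100.17 /login 401
2012-11-09T09:00:27 198.51.100.18 /login 401
2012-11-09T09:01:40 192.0.2.50 /login 200
"""

STATIC_BLOCKLIST = {"203.0.113.7"}  # assumed: the only source the perimeter knows


def parse_log(text):
    """Turn the constructed log into (timestamp, ip, path, status) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, path, status = line.split()
        events.append((datetime.fromisoformat(ts), ip, path, int(status)))
    return events


def static_filter(events, blocklist):
    """The Maginot Line: drop traffic from known-bad sources, pass everything else."""
    return [e for e in events if e[1] not in blocklist]


def per_source_failures(events):
    """Failed logins counted per source; a per-IP rule sees only these numbers."""
    return Counter(ip for _, ip, path, status in events
                   if path == "/login" and status == 401)


def dynamic_alert(events, window_seconds=60, min_failures=8, min_sources=5):
    """Situational awareness across all sources: flag the first sliding window in
    which many failed logins arrive from many distinct, individually quiet
    addresses. Returns a summary dict for that window, or None."""
    failures = sorted((ts, ip) for ts, ip, path, status in events
                      if path == "/login" and status == 401)
    start = 0
    for end in range(len(failures)):
        # Advance the window start until the window fits in window_seconds.
        while (failures[end][0] - failures[start][0]).total_seconds() > window_seconds:
            start += 1
        window = failures[start:end + 1]
        sources = {ip for _, ip in window}
        if len(window) >= min_failures and len(sources) >= min_sources:
            return {"start": failures[start][0], "end": failures[end][0],
                    "failures": len(window), "sources": len(sources)}
    return None


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    passed = static_filter(events, STATIC_BLOCKLIST)
    print("events passed by the static line:", len(passed), "of", len(events))
    print("max failures from any single remaining source:",
          max(per_source_failures(passed).values()))
    print("dynamic alert on the traffic that passed:", dynamic_alert(passed))
```

The thresholds are deliberately expressed in terms of the whole population of sources rather than any one of them: that is what makes the check dynamic in the module's sense, and it is also why the alert still fires on the traffic the static filter passed, where no individual address exceeds a single failure.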
Reference: The White House. (1998, May 22). The Clinton Administration's policy on critical infrastructure protection: Presidential Decision Directive 63. Retrieved from the National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center Web site: http://csrc.nist.gov/drivers/documents/paper598.pdf

PDD-63 envisioned public-private partnerships and the creation of Information Sharing and Analysis Centers (ISACs) for the different sectors of the economy.

Post-9/11 Development
After the terrorist attacks of September 11, 2001, the federal government rapidly pursued critical infrastructure protection. Homeland Security Presidential Directive 7 (HSPD-7) superseded PDD-63. HSPD-7 described U.S. policy as follows:

It is the policy of the United States to enhance the protection of our Nation's critical infrastructure and key resources against terrorist acts (The White House, 2003).

Reference: The White House. (2003, December 17). Homeland Security Presidential Directive 7. Retrieved from the U.S. Department of Homeland Security Web site: http://www.dhs.gov/xabout/laws/gc_1214597989952.shtm

The secretary of homeland security was charged with coordinating the nation's efforts to protect critical infrastructure. HSPD-7 established a sector approach to accomplish its mission: the government agency designated for each sector was responsible for coordinating and implementing the National Infrastructure Protection Plan (NIPP) within that sector. The sector approach enabled a degree of integration between the public and private sectors with respect to cybersecurity. The challenge of this strategy, however, lies in adequately addressing asymmetric threats that exploit unguarded weak spots across sectors. While the government organized vertically, by sector, threats could appear horizontally, cutting across the verticals. That is the very nature of an asymmetric threat.
Topic 5: The Analogous Asymmetric Threat of Terrorism
Findings of the 9/11 Commission

Asymmetric attack is not a new phenomenon. The 9/11 Commission, which issued its report following the terrorist attacks of 2001, recognized that stovepipes, centralized bureaucracies, and the structure of government itself were impediments to the dynamic sharing of information needed to counter a sophisticated, dynamic, and asymmetric threat. In cyberspace the asymmetric threat is compounded by automation: the challenge is more complex than uncovering cells of terrorists, because the targets range from bots to hidden exploits to unforeseen vulnerability vectors.

Finding 1
As presently configured, the national security institutions of the U.S. government are still the institutions constructed to win the Cold War. The United States confronts a very different world today. Instead of facing a few very dangerous adversaries, the United States confronts a number of less visible challenges that surpass the boundaries of traditional nation-states and call for quick, imaginative, and agile responses (9/11 Commission, 2004, p. 399).

Finding 2
We recommend significant changes in the organization of the government. We know that the quality of the people is more important than the quality of the wiring diagrams (9/11 Commission, 2004, p. 399).

Finding 3
The importance of integrated, all-source analysis cannot be overstated. Without it, it is not possible to "connect the dots." No one component holds all the relevant information (9/11 Commission, 2004, p. 408).

Finding 4
We propose that information be shared horizontally, across new networks that transcend individual agencies (9/11 Commission, 2004, p. 418).

Reference: National Commission on Terrorist Attacks upon the United States (9/11 Commission). (2004, July 22). The 9/11 Commission report. Retrieved from http://www.9-11commission.gov/report/index.htm
Topic 5: The Analogous Asymmetric Threat of Terrorism
The Westphalian Model

Attacker
Asymmetric threats should generally be met with a domestic strategy, but attacks also can originate from outside the United States. Attackers operating from abroad enjoy both anonymity and sovereign protection. In other words, the nation-state, or Westphalian, model upholds a sovereignty principle behind which attackers can hide.

National Borders
A nation's borders are more than physical lines on a map. Borders are deemed legitimate and inviolable by international legal constructs, and a nation enjoys sovereign rights with respect to them. A cyberattack can damage a country's assets just as a physical invasion can, but when the cyberattack is launched from abroad, the attackers enjoy the protection offered by the sovereignty of the countries from which they operate.

Shield from Outside Interference
The Westphalian international system works against effective cybersecurity. The horizontal mechanisms needed to combat asymmetric threats are difficult to establish under this structure. For the 9/11 Commission's findings to be effective within the Westphalian model, a universal right to override the sovereignty principle in the interest of a higher principle, protecting the Internet, would have to emerge.

Try This!
The quotations presented here come from the 9/11 Commission Report. Select the best-known outcome of each quoted recommendation.

Recommendation 1
As presently configured, the national security institutions of the U.S. government are still the institutions constructed to win the Cold War. The United States confronts a very different world today. Instead of facing a few very dangerous adversaries, the United States confronts a number of less visible challenges that surpass the boundaries of traditional nation-states and call for quick, imaginative, and agile responses (9/11 Commission, 2004, p. 399).

Options
a. Increasing the national debt ceiling
b. Adding foreign counterterrorism to the FBI's mission statement
c. Recruiting more personnel into the armed forces
d. Training more cyberforensic examiners

Correct Answer: Option b
Feedback: The 9/11 Commission's recommendation led the FBI to focus additional effort on counterterrorism.

Recommendation 2
We recommend significant changes in the organization of the government. We know that the quality of the people is more important than the quality of the wiring diagrams (9/11 Commission, 2004, p. 399).

Options
a. Increasing the use of contractors at the National Security Agency
b. Sharing intelligence with our allies
c. Increasing research and development funding for cybersecurity
d. Establishing the Department of Homeland Security

Correct Answer: Option d
Feedback: The Department of Homeland Security (DHS) is the government reorganization most closely associated with the post-9/11 reforms. Note that DHS itself was created by the Homeland Security Act of 2002, before the commission reported in 2004; the commission's recommendations addressed how the reorganized government, DHS included, should operate.

Recommendation 3
The importance of integrated, all-source analysis cannot be overstated. Without it, it is not possible to "connect the dots." No one component holds all the relevant information (9/11 Commission, 2004, p. 408).

Options
a. Hiring more intelligence analysts
b. Establishing the Office of the Director of National Intelligence
c. Providing merit pay increases for employees at the CIA
d. Reducing the number of intelligence agents deciphering messages in uncommon and complex languages

Correct Answer: Option b
Feedback: The Office of the Director of National Intelligence (ODNI) was established by the Intelligence Reform and Terrorism Prevention Act of 2004, enacted in response to the 9/11 Commission's recommendations.

Recommendation 4
We propose that information be shared horizontally, across new networks that transcend individual agencies (9/11 Commission, 2004, p. 418).

Options
a. Reducing the amount of classified information across the government
b. Sharing more intelligence with the public at large
c. Adopting the latest NIST recommendations on public key infrastructure
d. Increasing information sharing among federal agencies and departments

Correct Answer: Option d
Feedback: Information sharing among federal agencies and departments has increased since 9/11.

Recommendation 5
The U.S. government cannot meet its own obligations to the American people to prevent the entry of terrorists without a major effort to collaborate with other governments (9/11 Commission, 2004, p. 390).

Options
a. Sharing only classified information with the private sector and with other levels of government
b. Sharing more information with the United Kingdom and Canada
c. Increasing the use of e-mail across the government
d. Developing new diplomatic relationships with adversaries of the United States

Correct Answer: Option b
Feedback: The U.S. government has increased intelligence sharing with the United Kingdom and Canada, which are among the five English-speaking countries that have a special relationship with DHS.

Topic 6: Defense-in-Depth Strategy
Defense in Depth in Cybersecurity

Changes in Network Security
Initially, network security requirements did not bring about revolutionary change. As networking grew more sophisticated, speeds improved, and the information carried on networks increased in value, the threats that emerged demanded a more robust security architecture. Consequently, defense in depth emerged as the preferred method for designing secure networks.

In early 2011, the National Science Foundation (NSF) and the Networking and Information Technology Research and Development (NITRD) program, a federation of the research and development arms of federal agencies, convened to assess the continued viability of defense in depth. They determined that defense in depth had come to be understood in static terms, and that network security features and applications were being designed to ensure compliance rather than to improve security. Their finding was that defense in depth, as commonly practiced, was no longer viable on its own; dynamic approaches were preferred. Information security standards such as ISO 27001/27002 provide frameworks for design and security auditing, but network defenders lack real-time situational awareness. Like the Maginot Line in France, many networks have static security features, whereas the asymmetric threat from cyberspace has become dynamic, persistent, and sophisticated.

Secure Network
Disclaimer: The storyline and characters in this part of the module are fictitious and were developed for the purposes of this course. No association with any real person, places, or events is intended or should be inferred from the use of the fictitious names.

Step 1
King William's sources have warned him of an impending attack on his castle by the forces of his archenemy, King Edgar. King William has ordered the deployment of various defenses to protect his castle.
Step 2
His men fill the moat surrounding the castle, just outside the castle walls, with water to drown enemies who might come charging on foot.

Step 3
Guard towers along the walls house guards who keep an eye out for any suspicious movement outside the walls.

Step 4
Teams of sentries are stationed at every entry point to keep out anyone who is not authorized to enter the castle.

Step 5
A battalion of archers is positioned day and night along the walls of the castle, ready at any moment to defend it.

Step 6
King William's various defenders are on duty day and night. Little do they know, though, that King Edgar's men have been digging a tunnel under the castle.

Step 7
The tunnel dug by King Edgar's men opens straight into King William's castle. As soon as King Edgar's men enter the castle, they attack King William's men.

Step 8
King William's men are unprepared for this method of attack, and after a short battle, they surrender to King Edgar's forces.

King William and his men had prepared for the kind of attack they were used to. The defense-in-depth mechanism in place was static in nature, and they were defeated by an unprecedented attack, one that was asymmetric in nature: it arrived on a vector that none of the layers had been designed to cover.

Topic 6: Defense-in-Depth Strategy
A New Disciplinary Construct

Defense in Depth in Cybersecurity
Defense in depth is not an obsolete methodology. The NITRD workshop pointed out a disconnect between the defense-in-depth concept "as applied" and the concept "as intended." The strategy of defense in depth is intended to place controls and defenses at various belts, or vulnerability points. This approach is similar to the risk management processes that have emerged from NIST and the Department of Defense. For example, host-based intrusion detection emerged under the defense-in-depth strategy. Host-based controls focus on a different vector and a different type of threat than gateway-associated controls and technologies.

Defense in depth is a useful concept for defending against an asymmetric threat. Determining the necessary depth and type of control requires a risk-based analysis. Dynamic planning in response to emerging conditions is the sort of methodology that works well when viewing cybersecurity as a discipline. For example, a defense-in-depth approach may call for a training control rather than a technological control: user training to defeat a particular tactic used by an adversary might prove more useful than a given technology control. Approaching cybersecurity from a multidisciplinary mindset, one that considers policy, training, and strategy as complementary to security technology, is one way in which cybersecurity can be viewed as a new discipline.

Activity
Jonathan Brassard has investigated the case at Otto Processing Systems and its implications for national information security. He has recommended a defense-in-depth security strategy for the company. Identify the elements that Jonathan should include in his design of a defense-in-depth strategy for Otto Processing Systems.

Part 1
Which of the following controls should be considered when designing the defense-in-depth strategy for an organization like Otto Processing Systems? Arrange the controls in order of hierarchy to design a defense-in-depth strategy for Otto (1 = highest priority; 6 = lowest priority).

Controls: Internal Network Security; Vehicle Security; Perimeter Security; Policies, Procedures, and Awareness; Host Security; Power System Security; Personnel Security; Physical Security; Data Security

Correct Answer:
1. Policies, Procedures, and Awareness
2. Physical Security
3. Perimeter Security
4. Internal Network Security
5. Host Security
6. Data Security
Not ranked: Vehicle Security, Power System Security, Personnel Security

Feedback for Correct Answer: In today's cybersecurity environment, organizations face a multitude of threats, most of which are not fully understood by all personnel in the organization. It is the chief information security officer's responsibility to educate management about the threats and to design an effective defense-in-depth strategy. For this strategy to be truly effective, it is layered. Some of the related controls are human-factor oriented, such as policies, procedures, and security awareness, while others are more technically oriented. This human-factor orientation is the reason a hierarchical structure matters to the defense-in-depth strategy. Different controls are needed to counter different threats, which is a further reason for a layered approach that places multiple effective countermeasures against their corresponding threats.

Feedback for Incorrect Answer: While security does need to be in place for this type of system, the system itself is not part of the cybersecurity domain. Therefore, this system does not fit into the hierarchy of cybersecurity layers within the defense-in-depth strategy. Otherwise, the feedback is the same as for the correct answer.
Part 2
Defense in Depth
Here are the defense-in-depth controls in their order of hierarchy and the components they use.

Policies, Procedures, and Awareness
Policies, procedures, and awareness include various enterprise-wide controls that help employees understand the organization's overall security posture and the rationale for the controls. Examples of such controls are the corporate code of conduct and laptop encryption procedures.

Physical Security
Physical security includes controls like facility security and the use of biometric systems for access control. These controls are important because they can defeat such threats as an unwanted visitor entering the organization's premises and gaining access to high-security locations.

Perimeter Security
Perimeter security includes controls such as fencing systems and protective landscape devices. These controls are important because they help prevent criminals and undesirable visitors from entering the organization's facilities.

Internal Network Security
Internal network security is a key technical component of most organizations' cybersecurity plans. This category of controls includes countermeasures like network management systems that look for anomalies in user behavior, such as multiple unsuccessful logons and suspicious activity during non-business hours. This category of controls tries to prevent threats like network intrusions and hacker activities.

Host Security
Host security is a technical aspect of defense in depth. It provides a number of important countermeasures. For example, it can help prevent threats arising from weak authentication mechanisms and zero-day attacks against the company's IT infrastructure.

Data Security
Data security is another critical element of a successful defense-in-depth strategy. The countermeasures in this category are designed to prevent data theft and leakage. Common controls in this domain include endpoint security mechanisms and secure protocols such as SSH.
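The internal network security layer above is described in terms of two behavioural anomalies, multiple unsuccessful logons and activity during non-business hours. The following Python script is an added example, not part of the course module, that implements both detections over a handful of constructed logon records. The log format, hostnames, user names, addresses, business hours, and the five-failures-in-sixty-seconds threshold are all assumptions chosen for illustration.

```python
"""Two user-behaviour anomaly checks over constructed logon records.

Added example, not part of the course module. The log format, hosts,
users, addresses, business hours and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: one logon attempt per line (not real data).
SAMPLE_LOG = """\
2012-03-05 09:12:01 host=fs01 user=alice result=SUCCESS src=10.1.4.22
2012-03-05 09:14:33 host=fs01 user=bob result=FAILURE src=10.1.4.40
2012-03-05 09:14:35 host=fs01 user=bob result=FAILURE src=10.1.4.40
2012-03-05 09:14:38 host=fs01 user=bob result=FAILURE src=10.1.4.40
2012-03-05 09:14:40 host=fs01 user=bob result=FAILURE src=10.1.4.40
2012-03-05 09:14:42 host=fs01 user=bob result=FAILURE src=10.1.4.40
2012-03-05 09:14:45 host=fs01 user=bob result=SUCCESS src=10.1.4.40
2012-03-05 23:41:09 host=db01 user=carol result=SUCCESS src=203.0.113.7
2012-03-06 02:05:17 host=db01 user=carol result=SUCCESS src=203.0.113.7
2012-03-06 10:30:00 host=fs01 user=dave result=FAILURE src=10.1.4.51
2012-03-06 10:45:00 host=fs01 user=dave result=SUCCESS src=10.1.4.51
"""

# Assumed business hours: 08:00 to 18:00, Monday to Friday.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)


def parse_log(text):
    """Parse 'YYYY-MM-DD HH:MM:SS key=value ...' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # The first 19 characters are the timestamp; the rest are key=value pairs.
        fields = dict(kv.split("=", 1) for kv in line[20:].split())
        fields["ts"] = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def failed_logon_bursts(events, threshold=5, window_seconds=60):
    """Flag (user, src) pairs with >= threshold failures inside a sliding window.

    A success from the same pair shortly after the burst is the signature of a
    guessing attack that worked, so it is reported alongside the burst.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        key = (ev["user"], ev["src"])
        (failures if ev["result"] == "FAILURE" else successes)[key].append(ev["ts"])

    alerts = []
    for key, times in failures.items():
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = times[end]
                followed = any(
                    0 < (ts - last_fail).total_seconds() <= window_seconds
                    for ts in successes.get(key, [])
                )
                alerts.append({
                    "user": key[0], "src": key[1],
                    "count": end - start + 1,
                    "first": times[start], "last": last_fail,
                    "followed_by_success": followed,
                })
                break  # one alert per (user, src) pair is enough for triage
    return alerts


def off_hours_logons(events):
    """Return successful logons that fall outside business hours or on a weekend."""
    flagged = []
    for ev in events:
        if ev["result"] != "SUCCESS":
            continue
        ts = ev["ts"]
        weekend = ts.weekday() >= 5
        outside = not (BUSINESS_START <= ts.time() < BUSINESS_END)
        if weekend or outside:
            flagged.append(ev)
    return flagged


def run_checks(text=SAMPLE_LOG):
    """Run both checks over a log body and return the alert lists."""
    events = parse_log(text)
    return {"bursts": failed_logon_bursts(events), "off_hours": off_hours_logons(events)}


if __name__ == "__main__":
    report = run_checks()
    for b in report["bursts"]:
        print(f"BURST user={b['user']} src={b['src']} failures={b['count']} "
              f"{b['first']:%H:%M:%S}-{b['last']:%H:%M:%S} "
              f"success_after={b['followed_by_success']}")
    for ev in report["off_hours"]:
        print(f"OFF-HOURS user={ev['user']} host={ev['host']} at {ev['ts']:%Y-%m-%d %H:%M}")
```

On the constructed sample, the script reports one burst (bob, five failures in nine seconds followed by a success from the same address) and two off-hours logons by carol; dave's single failure stays below the threshold. Keying on the (user, source) pair rather than on the user alone keeps a legitimate user's typo from being merged with an attacker's guesses from elsewhere; a real deployment would also watch for one source cycling through many users.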
Part 3
Controls in Place
For each category and layer presented, select the controls that Jonathan needs to recommend so that Otto Processing Systems is protected from the kind of attacks it has faced.

Category 1: Physical Security

Layer 1: Physical Security
Options
a. Locked doors
b. Metal detectors
c. Security guards
d. Physical inspection of briefcases and handbags

Correct Answer: Options a and c
Feedback: Locked doors and security guards are common physical security controls found in nearly all organizations. Metal detectors and physical inspection of briefcases, handbags, and similar items are normally implemented only in high-security facilities such as government departments and defense contractors, so they would not normally be in place at a company such as Otto.
Layer 2: Perimeter Security
Options
a. CCTV
b. Firewalls
c. Virtual private networks
d. Roving security patrols

Correct Answer: Options b and c
Feedback: Within a network, firewalls and virtual private networks are two of the most common perimeter security controls. In Otto's business environment, CCTV and roving security patrols are not common practice given the threats Otto faces; most security professionals would consider them excessive.

Layer 3: Internal Network Security
Options
a. Computer guards
b. Internal network security mechanisms
c. Network segments
d. Intrusion detection system

Correct Answer: Options c and d
Feedback: Two of the most popular and cost-effective internal network security controls are network segmentation and intrusion detection systems. For Otto, additional and costly controls such as computer guards (for example, internal firewalls between departments) and other internal network security mechanisms are considered excessive.

Category 2: Host Security

Layer 4: Host Security
Options
a. Port controls
b. Firewall rule set configuration
c. Disabling TCP/IP
d. Not using SSH

Correct Answer: Options a and b
Feedback: Port controls and firewall rule sets are common controls that organizations use in implementing a defense-in-depth strategy. Disabling TCP/IP and declining to use SSH are not controls: the first would remove the connectivity Otto's business operations depend on, and the second would discard a secure protocol that the data security layer relies on. Neither belongs in Otto's strategy.

Layer 5: Server Hardening
Options
a. Hardening the operating system
b. Leaving the server in plain view
c. Not locking the closets where servers reside
d. Generating audit logs

Correct Answer: Options a and d
Feedback: As part of an enterprise's defense-in-depth strategy, hardening the operating system and generating audit logs are important controls to consider when hardening a server. Leaving the server in plain view or not locking the closets where servers reside are security vulnerabilities, not part of a defense-in-depth strategy.

Layer 6: Host-Based Firewall
Options
a. Enabling RAID 4 backup system
b. Inbound TCP/IP controls
c. Procuring three backup firewall devices
d. Installing a redundant firewall

Correct Answer: Option b
Feedback: Inbound TCP/IP controls, that is, default-deny rules that admit only the ports and sources a host must accept, are the effective component of a host-based firewall. RAID is a storage-availability mechanism rather than a backup or a firewall control, and spare or redundant firewall devices address the availability of a network firewall rather than filtering on the host; cybersecurity professionals would consider these excessive for this layer.

Layer 7: Virus Protection
Options
a. Implementing multiple virus products on workstations
b. Switching to a free antivirus tool
c. Installing virus updates
d. Asking employees to disable their personal firewalls

Correct Answer: Option c
Feedback: Receiving and installing timely virus signature updates is an essential part of an effective virus protection plan for any IT-dependent organization. Running multiple antivirus products on the same workstation is impractical for a company like Otto: the products interfere with one another and the result is difficult to monitor and enforce. Asking employees to disable their personal firewalls removes a control rather than adding one.

Layer 8: Intrusion Prevention and Detection Systems
Options
a. Implementing a research honeypot
b. Zero-day attack prevention
c. Having employees monitor every user sign-on
d. Installing an Internet appliance device

Correct Answer: Options b and d
Feedback: Zero-day attack prevention and the use of an Internet appliance for detecting and preventing threats are common aspects of intrusion prevention and detection systems. A research honeypot can yield valuable information about attacker behaviour, but it is not itself an effective intrusion prevention or detection system. Having employees monitor every user sign-on is not a practical intrusion prevention or detection procedure.

Layer 9: Patch Management
Options
a. Applying patches without performing testing beforehand
b. Critical upgrades
c. Security updates
d. Waiting until an attack occurs, and then installing vendor-supplied patches

Correct Answer: Options b and c
Feedback: Critical upgrades and security updates are the commonly used controls in patch management. A patch is software and needs to be tested like any other software package to confirm its reliability, stability, security, and interoperability with other applications, so applying patches without testing them beforehand is a risky IT practice. Waiting for an attack to occur is unwise, as it leaves the enterprise exposed until systems have already been damaged or destroyed.

Category 3: Data Security

Layer 10: Data Security
Options
a. Using SSL
b. Using S-FTP
c. Using Telnet
d. Implementing IPSec

Correct Answer: Options a, b, and d
Feedback: SSL, S-FTP, and IPsec are encrypted-transport controls that enterprises use for defense in depth. Otto should not implement an insecure protocol such as Telnet, which carries credentials and session data in cleartext; Telnet is not a control but an added vulnerability.

Layer 11: Applications and Data
Options
a. Assigning a full-time ISO to monitor data security
b. Providing all users with the same level of access
c. Access control lists
d. Strong password controls

Correct Answer: Options c and d
Feedback: Access control lists and strong password controls, both of which are part of applications and data security, are important controls to use when implementing defense in depth. Assigning a full-time ISO to monitor data security would be excessive, and granting all users the same level of access would be an ill-advised approach to data security.

Topic 7: Moving from a Static to a Dynamic Paradigm
Legacy Frameworks

Static Standards
David Lacey was the primary author of the precursor to ISO 27002. He produced the main body of work for British Standard (BS) 7799, which became ISO 27002. ISO 27002 is a broad standard that describes security techniques, controls, threats, risks, and methods of organizing and coordinating information security in an enterprise. In January 2011, Lacey wrote that the standard he produced, which had become widely used within the industry, had become obsolete in the new Internet age.

Reference: Lacey, D. (2011, January 12). Security: Best practice or ancient ritual? Time to scrap ISO 27002 security standard says its author. Computerworld UK. Retrieved from http://www.computerworlduk.com/in-depth/security/3256436/security-best-practice-or-ancient-ritual/

Among information security practitioners, ISO 27001/27002 has been among the more robust standards, and many information security consultants and auditors use it as their standard for compliance purposes. Lacey pointed out, though, that the standard is static. In essence, Lacey declared that his standard is not responsive to the dynamic, asymmetric nature of modern threats.

FISMA Standards
The federal government practices information security in accordance with the Federal Information Security Management Act (FISMA). Under FISMA, NIST is responsible for creating information security standards. The FISMA definition adopts the information security triad of confidentiality, integrity, and availability (CIA). Thus the federal government's approach to cybersecurity, at least in its statutory mandate, is built on the CIA triad.

The definition of information security that informs FISMA does not address dynamic threats, criminal or national security aspects, asymmetric attackers, or other dimensions of the modern Internet. FISMA became law in 2002. Ten years later, the cybersecurity environment differs markedly from the one FISMA's original definition of information security described.

Topic 7: Moving from a Static to a Dynamic Paradigm
A Dynamic Strategy for an Asymmetric Threat

National Strategy Reviews
Most national strategy reviews related to cybersecurity focus on cyberspace or on the components of cybersecurity. The federal government produced The National Strategy to Secure Cyberspace, which represents the national strategy. Another strategy document, The Comprehensive National Cybersecurity Initiative (CNCI), was established in January 2008 and described publicly by the White House in 2010. The Obama administration presented the White House 60-day Cyberspace Policy Review in 2009.

The 9/11 Commission was not drawn from the national security community, whose representatives authored the strategy documents listed above. In addition, the 9/11 Commission was formed to study a specific problem, how the 9/11 attacks occurred. Its charge was not to accept that the status quo functioned properly; indeed, the purpose of the commission was to ascertain why national security systems failed.

9/11 Commission
Ponder This
The 9/11 attacks were asymmetric in nature, and asymmetric threats continue to exist today. The 9/11 Commission was set up after the attacks to uncover how they occurred and to recommend changes to address their root causes. What lessons can we learn from the 9/11 attacks that will help us combat asymmetric threats in the cyberworld?

Jonathan uses the findings of the 9/11 Commission when he talks to his team about the approach they need to adopt for their own commission. Here is a transcript of the discussion Jonathan has with his team.

Jonathan: Hi, team. I think we should take a cue from the 9/11 Commission and their findings for how we conduct our research.
Jonathan: As you know, the 9/11 Commission focused on terrorism and explored how government operated, its effectiveness and its gaps.
Team Member 1: Yes, Jonathan. The public environment during the commission's proceedings was one of intense commitment to uncovering facts and ensuring another 9/11 doesn't happen.
Jonathan: That's right. The approach of the commission was to be extremely open to receiving information and engaging in critical analysis of how government should operate in a new era of terrorism.
Team Member 2: Are you saying that we should also adopt a policy of reviewing all information available to us?
Jonathan: Yes, I am.
Team Member 2: The commission found that when they were piecing together bits of information, government agencies had emphasized classification over information sharing.
Team Member 2: This particular finding has tremendous application when it comes to dealing with an asymmetric threat from cyberspace.
Team Member 3: Countering terrorism requires extensive and effective information sharing.
Jonathan: Yes, so what I see is that we need to refashion cybersecurity approaches and start from scratch in much the same way the 9/11 Commission did.
Team Member 3: That means we need new fact-finding procedures to guarantee that all the dimensions of cybersecurity are fully understood.
Team Member 2: Yes, that step is imperative because the asymmetric nature of the threat mandates that we consider dynamic solutions.
Jonathan: OK, team, now let's look at another recommendation from the 9/11 Commission. This recommendation looks like it applies to improving situational awareness in order to meet the asymmetric threat.

Recommendation
"We propose that information be shared horizontally, across new networks that transcend individual agencies." (9/11 Commission, 2004, p. 418)
• 66. Reference: National Commission on Terrorist Attacks upon the United States (9/11 Commission). (2004, July 22). The 9/11 Commission report. Retrieved from http://www.9-11commission.gov/report/index.htm

Reflect
What does Jonathan's proposed recommendation mean to you? How would it apply in a new cybersecurity discipline? How could a cybersecurity strategy be designed to incorporate this recommendation?

Topic 8: Summary
We have come to the end of Module 1. The key concepts covered in this module are listed below.

Revolutions, such as the Industrial Revolution, the American Revolution, and the formation of nation-states, brought with them shifts in how society functioned. Similarly, the Internet age has brought a revolution in the ways we communicate with each other, do our shopping, pursue our daily activities, and conduct business.

With every major change, a paradigm shift occurs. Understanding this paradigm shift is made easier by Thomas Kuhn's work on the dynamics of new-field emergence. Kuhn's work suggests that a new scientific domain must gain acceptance before beneficial work in that domain can begin.

The Kuhn cycle can be used to explain the scientific analysis of a revolutionary change. The cycle has five phases: normal science, model drift, model crisis, model revolution, and paradigm shift.

As cybersecurity is largely undefined, new disciplinary constructs must emerge in order to meet the cybersecurity challenge effectively.

To address the cybersecurity challenge, horizontal information sharing is required among nations throughout the world.

The Westphalian nation-state model allows cyberattackers to enjoy both anonymity and sovereignty protection. Hackers can take refuge within their nations' borders. Thus, the Westphalian model prevents the effective implementation of cybersecurity.

The preferred method for designing secure networks is based on defense in depth. This method uses dynamic planning and risk-based analysis to counter asymmetric threats. Defense in depth uses a layered approach that places multiple effective countermeasures against corresponding threats. It has a hierarchical structure with different controls to counter different threats.

Many information security consultants and auditors use ISO 27001/27002 as their standard for compliance purposes. However, this standard is static and is therefore unresponsive to dynamic threats.
• 69. Glossary

Asymmetric Attack: An asymmetric attack is a strategy between adversaries possessing different capabilities, strengths, and weaknesses, whereby the attacking party chooses tactics and vectors that target the defender's weaknesses and avoids strength-on-strength confrontations. In cyberspace, this strategy relies on features of the Internet such as connectivity to critical infrastructure, anonymity, and remote access.

Backdoor: A backdoor is an access point built into software that allows remote connectivity. Though originally intended for debugging purposes, backdoors are currently used for remote command and control actions.

Cybercrime: Cybercrimes are criminal acts that are committed using a computer as a tool or target, such as hacking, Internet fraud, and identity theft.

Defense in Depth: Defense in depth is a comprehensive system of network security that involves adding many layers of security between the threat and the targeted asset to impede any intruder's progress toward the asset.

E-Commerce System: An e-commerce system is a system of commerce used for buying and selling products or providing services over the Internet.

Federal Information Security Management Act (FISMA): The Federal Information Security Management Act (FISMA) mandates that government agencies keep information security risk at a minimum level by developing annual security reports, risk assessments, configuration guidelines, continuity plans, security policies, and inventories of systems.

Firewall: A firewall is the hardware or software that prevents unauthorized users from accessing a computer or a network.

Homeland Security Presidential Directives (HSPDs): HSPDs are directives issued by the president of the United States regarding homeland security.

National Institute of Standards and Technology (NIST): NIST exists within the Department of Commerce and works to promote innovation and competitiveness by developing standards and technology.

Public Key Infrastructure (PKI): Public Key Infrastructure (PKI) is a system consisting of hardware, software, policies, processes, and people that is used to manage and control the creation, use, and storage of public-private key pairs.

Secure Sockets Layer (SSL): SSL is a standard security protocol that creates an encrypted link between a Web server and a Web browser to secure all data that passes between a Web site and a customer.

Short Paper/Case Study Analysis Rubric

Requirements of submission: Short paper assignments must follow these formatting guidelines: double spacing, 12-point Times New Roman font, one-inch margins, and discipline-appropriate citations. Page length requirements: 1-2 pages for undergraduate courses; 2-4 pages for graduate courses. Failure to adhere to these requirements of submission will result in the paper not being graded. Refer to this link for viewing and printing Turnitin paper feedback.

Instructor Feedback: Students can find their feedback in the grade book as an attachment.

Critical Elements are scored at four levels (Distinguished, Proficient, Emerging, Not Evident); the point range for each level is given in parentheses and the Value is the maximum for that element.

Main Elements (Value: 25)
Distinguished (23-25): Includes all of the main elements and requirements and cites multiple examples to illustrate each element
Proficient (20-22): Includes most of the main elements and requirements and cites many examples to illustrate each element
Emerging (18-19): Includes some of the main elements and requirements
Not Evident (0-17): Does not include any of the main elements and requirements

Inquiry and Analysis (Value: 20)
Distinguished (18-20): Provides in-depth analysis that demonstrates complete understanding of multiple concepts
Proficient (16-17): Provides in-depth analysis that demonstrates complete understanding of some concepts
Emerging (14-15): Provides in-depth analysis that demonstrates complete understanding of minimal concepts
Not Evident (0-13): Does not provide in-depth analysis

Integration and Application (Value: 10)
Distinguished (9-10): All of the course concepts are correctly applied
Proficient (8): Most of the course concepts are correctly applied
Emerging (7): Some of the course concepts are correctly applied
Not Evident (0-6): Does not correctly apply any of the course concepts

Critical Thinking (Value: 20)
Distinguished (18-20): Draws insightful conclusions that are thoroughly defended with evidence and examples
Proficient (16-17): Draws informed conclusions that are justified with evidence
Emerging (14-15): Draws logical conclusions, but does not defend them with evidence
Not Evident (0-13): Does not draw logical conclusions

Research (Value: 15)
Distinguished (14-15): Incorporates many scholarly resources effectively that reflect depth and breadth of research
Proficient (12-13): Incorporates some scholarly resources effectively that reflect depth and breadth of research
Emerging (11): Incorporates very few scholarly resources that reflect depth and breadth of research
Not Evident (0-10): Does not incorporate scholarly resources that reflect depth and breadth of research

Writing (Mechanics/Citations) (Value: 10)
Distinguished (9-10): No errors related to organization, grammar and style, and citations
Proficient (8): Minor errors related to organization, grammar and style, and citations
Emerging (7): Some errors related to organization, grammar and style, and citations
Not Evident (0-6): Major errors related to organization, grammar and style, and citations

Earned Total (maximum 100%):
Comments:

5-3 Short Paper: International Labor Standards

Visit the ILO (International Labor Organization) website. The ILO is a UN agency that promotes social justice and internationally recognized human and labor rights. Established in 1919, it is the only surviving major creation of the Treaty of Versailles. The ILO Declaration on Fundamental Principles and Rights at Work covers four areas:
Freedom of association and the right to collective bargaining
The elimination of forced and compulsory labor
The abolition of child labor
The elimination of discrimination in the workplace
• 75. Research the history of international labor standards. Are labor standards feasible? What are the advantages and disadvantages of standards? Write a short paper describing the ILO history and answering the questions about their standards.

Reference: UMUC. (2014). Responding to an Asymmetric Threat. Retrieved from http://tychousa9.umuc.edu/CSEC670/1206/csec670_01/assets/csec670_01.pdf

1. Not only must asymmetric advantages be countered domestically, but attackers often originate from outside the United States. Given that situation, describe how the Westphalian model would aid cybersecurity at the global level.
Answer:

2. This week we are reviewing responses to an asymmetric threat.
A. What is an asymmetric threat?
B. Describe some dynamic approaches for defending against an asymmetric threat.
Answer:

3. Revolutionary change often creates a paradigm shift. Given a new paradigm, it would be beneficial to redraw the cybersecurity landscape, critically assessing how the problem of cybersecurity should be defined. What exactly is cybersecurity? Is it a function or task? Is it a strategy? Is it about crime? Is it about national security?
Answer:

4. Changes to business enterprises in response to the commercialization and growth of the Internet are often seen as by-products of revolutionary change.
A. Why is the Internet viewed as a revolutionary change?
  • 76. B. Describe some of the attributes of revolutionary change brought about by the Internet and the impact on security. You are encouraged to include real examples from your past studies that you can share with your fellow students.