A CONTINUOUS MONITORING FRAMEWORK TO MANAGE CYBERSECURITY AGAINST INSIDER THREATS

by Behnam Shariati

M.S. in Engineering Management, May 1998, The George Washington University

A Dissertation submitted to

The Faculty of The School of Engineering and Applied Science of The George Washington University in partial fulfillment of the requirements for the degree of Doctor Philosophy

August 31, 2016

Dissertation directed by

E. L. Murphree Jr. Professor Emeritus of Engineering Management and Systems Engineering

The School of Engineering and Applied Science of The George Washington University certifies that Behnam Shariati has passed the Final Examination for the degree of Doctor of Philosophy as of August 15, 2016. This is the final and approved form of the dissertation.

A CONTINUOUS MONITORING FRAMEWORK TO MANAGE CYBERSECURITY AGAINST INSIDER THREATS

Behnam Shariati

Dissertation Research Committee: E. L. Murphree, Professor Emeritus of Engineering Management and Systems Engineering, Dissertation Director

Thomas Andrew Mazzuchi, Professor of Engineering Management and Systems Engineering and of Decision Sciences, Committee Member

Shahram Sarkani, Professor of Engineering Management and Systems Engineering, Committee Member

Bhagirath Narahari, Professor of Computer, Committee Member

Michael J. Stone, Senior Security Engineer, NIST/ National Cybersecurity Center of Excellence, Committee Member

Acknowledgment

First and foremost, I would like to express the deepest appreciation to everyone on my committee. I would like to gratefully and sincerely thank Dr. Murphree for his guidance, understanding and patience. His mentorship was paramount in completing this dissertation. I also would like to express my deepest gratitude to Dr. Mazzuchi for his support and encouragement throughout my studies. Without his incredible leadership and timely wisdom this dissertation would not have been possible. In addition, my appreciation to Dr. Sarkani, Dr. Narahari and Mr. Stone for having served on my committee; their thoughtful questions and suggestions were gratefully valued.

This dissertation is dedicated to the memory of my parents, you are in my heart and...

Tamom Shod. Also special thanks to Kayko, yes it did happen. To the most important individuals in my life, A1 & A2, sometime in the future you may read this work, so you should know this: I never give up, and I hope you both do the same and never give up in life and follow your dreams (Eshghe mani). I would also like to express my deepest and sincere appreciation to RRR, who was instrumental in getting me started and without whose help I wouldn’t have been successful; I am sincerely grateful, Robert. I dreamt of this day when I was sixteen years old; it has been a long journey, but it has finally concluded successfully. Thank you all.

Abstract of Dissertation

A CONTINUOUS MONITORING FRAMEWORK TO MANAGE CYBERSECURITY AGAINST INSIDER THREATS

In today’s “Cyber-Society,” an enterprise faces numerous Cybersecurity challenges as Cybercriminals, hackers, and insider threats constantly threaten to compromise the Confidentiality, Integrity, and Availability (CIA) of the enterprise’s assets and data.

This research presents a Dynamic Framework system that has a proactive security concept as opposed to the traditional reactive approach. This Dynamic Framework system minimizes the risks that Cybercriminals, hackers, and insider threats pose to an enterprise’s CIA.

The Dynamic Framework system is mapped to the National Institute of Standards and Technology’s (NIST) Risk Framework (RF), is designed based on three functional Controls (Preventive, Detective and Corrective), enables an enterprise to develop a healthier Cyber Hygiene (CH) through continuous monitoring of its assets, and is capable of ensuring a proper alignment between the business functionality and Cybersecurity missions of an enterprise. Furthermore, although the Dynamic Framework system was developed based on the Financial Services Sector’s vulnerabilities, its functionality applies to all enterprises.

This research recognizes that the current Cybersecurity practices are insufficient to prevent a Cyber-Attack, respond to a Cyber-Attack, and, most importantly, remain resilient during a Cyber-Attack. The purpose of the Dynamic Framework system is to recommend a new and near-future Cyber-Ecosystem (CE), which an enterprise in the Financial Services Sector, or other sectors, can use to improve its security posture.

Table of Contents

Acknowledgment ...... iii
Abstract of Dissertation ...... iii
Table of Contents ...... v
List of Figures ...... vii
List of Tables ...... ix
List of Abbreviations ...... x
List of Terms/Glossary ...... xv
Chapter 1. Introduction ...... 1
1.1 Overview ...... 1
1.2 Research Contributions ...... 5
1.3 Significance ...... 6
1.4 Limitations ...... 11
1.5 Organization of the Document ...... 12
Chapter 2. Literature Review ...... 14
2.1 Overview ...... 14
2.2 Executive Order 13636 – Improving Critical Infrastructure Cybersecurity ...... 14
2.3 Current Cybersecurity Practices in Industry ...... 16
2.4 The NICE - Financial Services Sector-Specific Plan ...... 19
2.4.1 Sector-Specific Agency ...... 20
2.4.2 Sector Goals and Objectives ...... 21
2.4.3 Asset, System, and Network Identification ...... 22
2.4.4 The Financial Services Sector Vulnerabilities ...... 24
2.5 NIST Special Publication 800-53 Revision 4 ...... 25
2.5.1 Applicability ...... 27
2.6 Framework for Improving Critical Infrastructure Cybersecurity ...... 28
2.6.1 Framework Core ...... 29
2.6.2 Framework Implementation Tiers ...... 31
2.6.3 Framework Profile ...... 31
2.6.4 Applicability ...... 32
2.7 Review of Current Situational Awareness ...... 32
2.8 Importance of Situational Awareness in Cybersecurity ...... 34
Chapter 3. Framework ...... 37
3.1 Overview ...... 37
3.2 Framework Architecture ...... 37
3.3 Dynamic Framework Pre-Conditions ...... 40
3.4 Dynamic Framework System Modules ...... 43
3.5 Identity Management (IM) Module ...... 45
3.6 Access Management (AM) Module ...... 47
3.7 Privilege Management (PM) Module ...... 47
3.8 Detecting Management (DM) Module ...... 48
3.8.1 Registration Process ...... 49
3.9 Framework Outcome ...... 52
3.10 Supporting the Dynamic Framework ...... 52
Chapter 4. Methodology ...... 53
4.1 Overview and Research Approach ...... 53
4.2 Background of Subject Matter Experts ...... 53
4.3 Data Quantification ...... 55
4.4 Interview Process ...... 57
4.5 Creation and Selection of Questions ...... 62
4.6 Ethical Considerations ...... 63
4.7 Subject Matter Experts’ Confidence in the Dynamic Framework System ...... 63
Chapter 5: Current State of Cybersecurity and Data Analysis ...... 64
5.1 Overview ...... 64
5.2 Data Collection and Analysis ...... 64
5.3 Financial Services Sector Cyber Taxonomy ...... 67
5.4 Current Cyber Strategies ...... 68
5.5 Current Security Architecture and Capabilities ...... 69
5.6 Attack Vector ...... 71
5.7 Security Domain Categories ...... 72
5.8 Security Analysis ...... 73
5.9 Outcome Overview ...... 73
Chapter 6. Conclusions and Future Research ...... 74
6.1 Research Conclusions ...... 74
6.2 Future Research ...... 75
Appendix 1: Threat Agents and Some of Their Capabilities ...... 76
Appendix 2: Dynamic Framework System Administrative Dashboard ...... 79
Appendix 3: Certificate ...... 80
Appendix 4: Dynamic Framework System Configuration in an Enterprise ...... 84
Appendix 5: Three Categories of Controls ...... 85
Appendix 6: Interview Participant Consent and Confidentiality Form ...... 86
Appendix 7: Pool of Questions ...... 87
Appendix 8: Sample Interview Dialogue ...... 104
Appendix 9: Results ...... 106
Appendix 10: Demographics of SMEs ...... 116
References ...... 119

List of Figures

Figure 1: CIA Triad.

Figure 2: Al-Qassam Attacks Landscape. [Recorded Future, 2013].

Figure 3: GameOver Zeus and Botnet Architecture. [FBI GOZ, 2014].

Figure 4: Industries Targeted by APT1. [Mandiant, 2013].

Figure 5: Geographic Location of APT1’s Victims. [Mandiant, 2013].

Figure 6: The Attack Progression by SANS. [Cloppert, 2009].

Figure 7: FY 2015 Incidents by Attempted Infection Vector, 295 Total. [ICS-CERT Monitor].

Figure 8: Sphere of Security. [Whitman et al., 2012].

Figure 9: Classification of Threat Detection Techniques. [Vasumathi and Krishna, 2012].

Figure 10: Top Challenges. [Shenk, 2012].

Figure 11: Difficulties in Using Log Data. [Shenk, 2012].

Figure 12: Cyber Banking Fraud. [FBI, 2010].

Figure 13: FBIIC Members. [DHS, 2010].

Figure 14: Vulnerability Assessment Methodology. [DHS, 2010].

Figure 15: Banking and Finance Dependency Relationships. [DHS, 2010].

Figure 16: NIST 800-53 Security Controls and Families. [NIST SP 800-53, 2013].

Figure 17: Three-Tiered Risk Management Approach. [NIST SP 800-53, 2013].

Figure 18: Functions of the Framework Core. [NIST, 2014].

Figure 19: Dynamic Framework System Controls.

Figure 20: Dynamic Framework System Modules.

Figure 21: Seven Domains of IT with an Additional New Domain. [Gibson, 2015].

Figure 22: Layered Security with the Dynamic Framework System.

Figure 23: Dynamic Framework System Architecture mapped to NIST’s RF.

Figure 24: Dynamic Framework System Identities.

Figure 25: Dynamic Framework System User Groups.

Figure 26: Dynamic Framework System Device Identities.

Figure 27: Dynamic Framework Registration Process.

Figure 28: SME Demographics.

Figure 29: Pool of Question Process.

Figure 30: Previous Total Risk vs. Future Total Risk Levels After Implementation of the Dynamic Framework System.

Figure 31: Previous Total Risk vs. Future Total Risk in Three Categories of Functional Controls.

Figure 32: Financial Services Sector’s Cyber Taxonomy.

Figure 33: Rear-View-Mirror Picture of an Enterprise’s Network Security.

Figure 34: Cyber-Attack Process. [Coleman, 2012].

List of Tables

Table 1: Critical Infrastructure Sectors by Sector-Specific Agencies

Table 2: Threat Scale – Number of Users

Table 3: Vulnerability Scale – Number of IRD and ERD

Table 4: Impact Matrix

Table 5: Risk Matrix

Table 6: Frequency Table

Table 7: Frequency Analysis

List of Abbreviations

AAA – Authentication, Authorization, and Auditing

AADC – Administration Access Dashboard Control

AES WPA2 – Advanced Encryption Standard Wi-Fi Protected Access II

Al-Qassam – Izz ad-Din al-Qassam Cyber Fighters

AM – Access Management

AMS – Asset Management Security

AP – Access Point

APT – Advanced Persistent Threat

ARPANET – Advanced Research Projects Agency Network

AV – Attack Vectors

BRP – Business Resumption Plan

BYOD – Bring Your Own Device

C2 – Command and Control

CA – Certificate Authority

CE – Cyber-Ecosystem

Certificate(s) – Digital Certificates

CIA – Confidentiality, Integrity, and Availability

CI – Critical Infrastructure

CIKR – Critical Infrastructure and Key Resources

CIP – Critical Infrastructure Protection

CH – Cyber Hygiene

Core – Framework Core

CP – Certificate Parser

CSO – Chief Security Officer

DARPA – Defense Advanced Research Projects Agency

DoS – Denial of Service

DDoS – Distributed Denial of Service

DHS – Department of Homeland Security

DI – Digital Infrastructure

DMZ – Demilitarized Zone

DNI – Director of National Intelligence

DoD – Department of Defense

Dynamic Framework – Dynamic Detecting Cybersecurity Management Framework

EGU – External Guest User

EO – Executive Order

EPU – External Privileged User

ER – Enterprise Resumption

ERD – External Registered Device

FBIIC – Financial and Banking Information Infrastructure Committee

FISMA – Federal Information Security Management Act

FS-ISAC – Financial Services Information Sharing and Analysis Center

FSSCC – Financial Services Sector Coordinating Council

ICS-CERT – Industrial Control Systems Cyber Emergency Response Team

IDS – Intrusion Detection System

IM – Identity Management

IMEI – International Mobile Station Equipment Identity

IGU – Internal Guest User

IPU – Internal Privileged User

IRD – Internal Registered Device

IPS – Intrusion Prevention System

IDPS – Intrusion Detection and Prevention System

ISAC – Information Sharing Analysis Centers

IT – Information Technology

LZ – Location Zone

MAC – Media Access Control Address

MDM – Mobile Device Management

NCCoE – National Cybersecurity Center of Excellence

NICCS – National Initiative For Cybersecurity Careers and Studies

NICE – National Initiative for Cybersecurity Education

NIPC – National Infrastructure Protection Center

NIPP – National Infrastructure Protection Plan

NIST – National Institute of Standards and Technology

NS – Network Security

NSC – National Security Council

OS – Operating System

PCCIP – President’s Commission on Critical Infrastructure Protection

PDD-63 – Presidential Decision Directive 63

PII – Personally Identifiable Information

PKI – Public Key Infrastructure

PLA – People’s Liberation Army

PM – Privilege Management

PPD-21 – Presidential Policy Directive 21

Profile – Framework Profile

QR Code – Quick Response

RBAC – Role-Based Access Control

RB-RBAC – Rule-Based Access Control

RF – Risk Framework

RFID – Radio-Frequency Identification

RM – Risk Management

RMD – Registered Mobile Device

SA – Security Audit

SAT – Security Awareness Training

SIEM – Security Incident and Event Management

SM – Sensing Management Module

SP – Special Publication

SSAs – Sector-Specific Agencies

SSP – Sector-Specific Plan

SME – Subject Matter Expert

SQL Injection – Structured Query Language Injection

US-CERT – United States Computer Emergency Readiness Team

WEP – Wired Equivalent Privacy

WPA – Wi-Fi Protected Access

WPA2-ENT – Wi-Fi Protected Access II Enterprise

WPA2-PSK – Wi-Fi Protected Access II Pre-Shared Key

List of Terms/Glossary*

AES WPA2: Commonly used on Wi-Fi using Advanced Encryption Standard encryption.

Attack Vectors: tactics, tools, and technologies used to launch a Cyber-Attack.

Availability: the property of being accessible and usable upon demand.

Asset(s): A person, structure, facility, information and records, information technology systems and resources, material, process, relationships, or reputation that has value. Anything useful that contributes to the success of something, such as an organizational mission; assets are things of value or properties to which value can be assigned.

Botnet(s): A collection of computers compromised by malicious code and controlled across a network.

Certificate Authority: An entity – software or hardware – responsible for issuing and revoking digital certificates.

Certificate Parser: A program that is generally a part of a compiler that receives input from sequential sources.

CIA: See Confidentiality, Integrity, and Availability.

Command and Control: A server that communicates with, and instructs, elements of the Attack Vector in the various phases of a Cyber-Attack.

Computer Hacker: An individual or a group that exploits a Vulnerability of computer systems or networks to gain unauthorized access.

Confidentiality: A property that information is not disclosed to users, processes, or devices unless they have been authorized to access the information.

Control(s): Actions, processes, technology, devices, or systems that serve to prevent or mitigate the effect of a Cyber-Attack or an insider threat.

Cyber Analytics: The process of deriving meaningful information and discovering patterns through auditing.

Cyber-Attack: An attempt by a Computer Hacker to exploit a Vulnerability within computer systems and networks.

* The majority of definitions used for this section are borrowed directly from the National Initiative For Cybersecurity Careers and Studies (NICCS) Cyber Glossary website, the Department of Defense, PC Magazine, and the NATO Cooperative Cyber Defence Center of Excellence (CCDCOE).

Cyber-Crime: Crimes committed using the Internet.

Cyber-Ecosystem: A set of complex networks and/or interconnected systems utilizing the appropriate processes and technologies.

Cyber-Environment: Includes users, networks, devices, software, processes, information in storage or transit, applications, services, and systems that can be connected, directly or indirectly, to networks.

Cyber-Espionage: The theft of the Digital Currency of an enterprise from a computer or network.

Cyber-Event: Changes that may have an impact on enterprise operations, mission, capabilities, or reputation.

Cyber-Resilience: Ability to withstand and recover from deliberate attacks or naturally occurring threats, disruptions, or incidents.

Cyber-Society: A new paradigm of society that uses the Internet and Web 2.0 for communications and the exchange of ideas.

Cyber-Space: The environment formed by physical and non-physical components, characterized by the use of computers and electro-magnetic spectrum, to store, modify and exchange data using computer networks.

Cyber-Practitioner(s): An individual, group, organization, or government that protects a device, network, or other infrastructure from Threat Agents.

Database Server: A computer program that provides database services to other computer programs or computers.

Defense in Depth: Coordinating multiple Controls to protect an enterprise’s assets and CIA.

Demilitarized Zone or DMZ: A middle ground between an enterprise’s trusted internal network and an untrusted, external network such as the Internet.

Denial of Service: A condition in which a system can no longer respond to normal requests.

Digital Certificate: A cryptographically signed object that contains an identity and a public key associated with this identity. Typically referred to as a “Certificate.”

Digital Currency: Assets of an enterprise in the format of zeros and ones.

Distributed Denial of Service: An attack that can employ hundreds or even thousands of computers that have been previously infected. The computers act as “zombies” and work together to send out bogus messages, thereby creating huge volumes of phony traffic.

Digital Infrastructure: Digital systems and/or assets, both physical and virtual.

E-mail Server: A computer that works as your virtual post office.

Exploit: A tool designed to take advantage of a flaw in a computer system or software.

File Server: A computer responsible for the central storage and management of data files so that other computers on the same network can access the files.

Firewall: Computer hardware or software with the capability to limit network traffic between networks and/or information systems.

Framework: Framework for Improving Critical Infrastructure Cybersecurity published by NIST.

Hacktivist: a Computer Hacker whose activity is aimed at promoting a social or political cause.

High Impact: The exploit of a Vulnerability that would be unacceptable for an enterprise. The impact would significantly compromise the assets, CIA and the operations of the enterprise.

Human Assets: The intangible assets of an enterprise.

Identity Theft: A form of stealing someone’s personal identifiable information, such as Social Security Number, bank account information, or credit card information, in which the thief assumes the victim’s identity.

Impact: Consequences of a Cyber-Attack on an information system or network. Generally classified into three categories: Low, Medium, and High. See Low Impact, Medium Impact, and High Impact.

Insider: An individual in an organization with approved access, privilege, or knowledge of information systems and networks. An insider may be malicious if s/he is motivated to adversely impact the CIA of the organization’s data and assets.

Integrity: The property whereby information, an information system, or a component of a system has not been modified or destroyed in an unauthorized manner.

Layered Security: Different Controls with various tools utilized within the enterprise on multiple levels to protect the enterprise’s assets.

Low Impact: The exploit of a Vulnerability that would be generally acceptable for an enterprise. The impact would have minimum effects on the enterprise assets, CIA, and operations.

Malicious Software or Malware: Software that compromises the operation of a system by performing an unauthorized function or process.


Medium Impact: The exploit of a Vulnerability that would be marginally acceptable for an enterprise. The impact would have a noticeable effect on an enterprise’s assets, CIA, and operations.

Mobile Device Management: Provides for the centralized system securing, monitoring, integrating, and controlling of smartphones, tablets and other mobile devices, which enables applications and configuration settings to be deployed to multiple devices in the enterprise.

Network Printer: A printer connected to a wired or wireless network.

Non-State Sponsored Players: A Threat Agent who engages in detrimental activities in Cyber-Space but who is not sponsored by a state.

Packet Filter Firewall: A firewall technique to control network access by monitoring outgoing and incoming packets and allowing them to pass or stop based on the source and destination Internet Protocol (IP) addresses, protocols and ports.

Pharming: The fraudulent practice of directing Internet users to a fake website that mimics the appearance of a legitimate one, in order to obtain personal information such as passwords, account numbers, etc.

Phishing: A digital form of Social Engineering to deceive individuals into providing sensitive information.

Proxy Server: A dedicated computer or a software system running on a computer which helps prevent an attacker from invading a private network.

Quick Response Code: A type of two-dimensional barcode that can be read by smartphones, and can be linked directly to emails, phone numbers, and other information.

Risk: The likelihood of loss when a threat exposes a Vulnerability.

Role-Based Access Control: Access control based on an individual’s job title within an enterprise. All employees within an enterprise are generally granted a default level of access based on previously established role classifications in the system.

Rule-Based Access Control: Narrowly tailored access authorized by the system administrator or data custodian based on specific job requirements of employees.

Security Incident and Event Management: A technical Control that provides the capabilities to support Cyber-Practitioners in managing Cyber-Events.

Social Engineering: Using deception to obtain confidential information from someone by phone, email, or in person.

Spear-Phishing: A more targeted form of Phishing.


State Sponsored State Players: A nationalist Threat Agent who is sponsored by a state in order to engage in detrimental activities in Cyber-Space.

State Sponsored Non-State Players: A Threat Agent who is sponsored by a state in order to engage in detrimental activities in Cyber-Space.

SQL Injection: An Exploit that takes advantage of database query software that does not thoroughly test a query statement for correctness.

Threat: An activity or action that represents a potential danger to an information system or network.

Threat Agent: An individual, group, organization, or government that conducts or has the capability to conduct detrimental activities in Cyber-Space or physically on computer systems.

Threat Signature: Identifiable characteristics of a Threat.

Token: A hardware or software that authorizes user access to network devices or resources.

User ID: User identification.

Vulnerability: A weakness.

Vulnerability Assessments: Cybersecurity techniques in which a person conducts assessments of threats and Vulnerabilities, determines deviations from acceptable configurations, enterprise or local policy, and assesses the level of risk.

Web 2.0: A new web of global communications, e-commerce, social media, and the exchange of ideas through computers and other mobile devices.

Web Server: A computer that delivers content or services to end-users over the Internet. A web server consists of hardware and software that facilitate communications.

WEP: A security standard that provides a Wi-Fi standard.

WPA: A security standard for users of computers equipped with Wi-Fi connections. This standard is replacing the original WEP.

WPA2-ENT: WPA2 Enterprise uses IEEE 802.1X, which offers enterprise-grade authentication.

WPA2-PSK: WPA2 with the use of the optional Pre-Shared Key authentication.

Zombie: A computer connected to the Internet that has been surreptitiously and/or secretly compromised with malicious logic to perform activities under the remote command and control of a remote administrator.

Chapter 1. Introduction

1.1 Overview

The Advanced Research Projects Agency Network (ARPANET) was created by the Defense Advanced Research Projects Agency (DARPA) during the late 1960s, grew quickly, and became well-established throughout the globe. The result is an interconnected world dependent on interconnected computers, which are used for all forms of business and personal activities. Over time, the flexibility of technology combined with consumer demand for convenience has led to a culture of “Plug and Play,” that stresses functional expediency over user interaction and involvement in the configuration of a system.

Essentially, individual users no longer require a technical background to install hardware and software prior to using their devices.

The unique capability to “Plug and Play” has resulted in a global communication revolution for the entire human race, and has created an opportunity for exceptional new threats to our “global society.” To be able to combat these new threats, the concept of security has been expanded to virtual space, resulting in the creation of new terms such as “Cyber-Space” and “Cybersecurity.”

The Department of Defense (DoD) considers Cyber-Space as “a defining feature of modern life. Individuals and communities worldwide connect, socialize, and organize themselves in and through cyberspace.” [DoD, 2011]. According to the Tallinn Manual, Cyber-Space can be further defined as: “the environment formed by physical and non-physical components, characterized by the use of computers and electro-magnetic spectrum, to store, modify and exchange data using computer networks.” [Schmitt, 2013].

What is Cybersecurity?

Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of organization and user’s assets against relevant security risks in the cyber environment. The general security objectives comprise the following: availability; integrity, which may include authenticity and non-repudiation; and confidentiality. [International Telecommunication Union, 2015].

In today’s “Cyber-Society,” with globally connected cultures, zeros and ones are the new currency, or “virtual currency.” Cyber-Space has become a powerful component of our society, resulting in the creation of “Web 2.0,” a new web of global communication, e-commerce, social media, and the exchange of ideas. Cyber-Space has also created a new set of challenges, which threaten our privacy, way of life, and global security. One way to meet such challenges is to protect the Confidentiality, Integrity, and Availability (CIA) of resources. Figure 1 shows the CIA triad of the new “virtual currency,” which must be protected.


Figure 1. CIA Triad.

It is crucial that all industries, government entities, and people employ the appropriate best security practices to protect themselves from malicious attacks. Protecting America’s Critical Infrastructure (CI) is one of the greatest security challenges facing the country today. According to retired Director of the National Security Agency, General Keith Alexander, “on a scale of one to 10, with 10 being strongly defended, our critical infrastructure’s preparedness to withstand a destructive cyber attack is about a three based on my experience.” [Reuters, 2013].

Literature indicates that emerging Cyber threats will use attack vectors such as botnets, insider threats, Spear-Phishing campaigns, and Advanced Persistent Threats (APTs) to target CI such as the Financial Services, Water, Nuclear, Energy, Government, and Chemical sectors in the United States. According to former Secretary of Defense Leon Panetta, “Our mission is to defend the nation. We defend. We deter, and if called upon, we take decisive action to protect our citizens. In the past, we have done so through operations on land and at sea, in the skies and in space. In this century, the United States military must help defend the nation in cyberspace as well.” [Panetta, 2012].

While security technologies are widely used in today’s enterprises, the fact that “security technology alone is not enough to produce effective and efficient security for an entire organization” must be emphasized. [Sherwood et al., 2005]. For an enterprise to improve its security posture it must change its security approach from reactive to proactive, and combine technical and administrative controls of security.

One of the Department of Homeland Security’s (DHS) responsibilities is to secure Cyber-Space. “With respect to the private sector, currently the job of DHS … is to provide information and otherwise help companies – critical-infrastructure firms, in particular – protect themselves.” [Wall Street Journal, 2011]. To achieve its responsibilities, the DHS relies on the United States Computer Emergency Readiness Team (US-CERT). To give Cyber-Space a better security posture, US-CERT engages in information sharing with CI sectors via Information Sharing Analysis Centers (ISACs). By collecting, analyzing, and distributing information about threats facing their members, ISACs assist the CI enterprises in protecting themselves from Cyber threats and mitigating risks.

In 2013, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) received 181 vulnerability reports from researchers and ICS vendors. According to ICS-CERT, about 87% of these vulnerabilities were exploitable remotely and the other 13% required local access to exploit the vulnerabilities. [DHS, 2014]. In one report, FireEye, a private Cybersecurity company, found that both the frequency and sophistication of attacks increased by 42% from 2010 to 2013, and the activity spread from 130 countries to 184 countries. [FireEye, 2013]. The company reports that most Cyber-Espionage events and Cyber-Attacks come from Eastern Europe and Asia and that 89% of APT malware tools originate from China. [FireEye, 2013].

A list of additional CI sectors by Sector-Specific Agencies (SSAs) is presented in Table 1.

Table 1: Critical Infrastructure Sectors by Sector-Specific Agencies


1.2 Research Contributions

This dissertation describes a research study that will contribute to the understanding of how Cybersecurity is practiced within an enterprise. The Financial Services Sector serves as the principal sector for this research. This research analyzes and identifies the vulnerabilities facing an enterprise in the Financial Services Sector, attempts to quantify them, and develops an effective framework to provide more significant security postures for the Financial Services Sector’s operations in the United States. Further, it studies and identifies existing standards, frameworks, and best practices of Cybersecurity that are applicable to improving the security of the Financial Services Sector against emerging Cyber threats.

Additionally, it focuses on describing the Financial Services Sector Cybersecurity practices. The scope of this research includes:

1. Describing the Financial Services Sector’s current Cybersecurity posture.

2. Discussing the existing best practices among enterprises.

3. Describing the types of Cyber-Attacks.

4. Determining how an enterprise can achieve better security.

5. Introducing a new Cybersecurity framework.

This research will begin by describing the current Cybersecurity posture and best practices of enterprises within the Financial Services Sector. Thereafter, it will describe Cyber-attacks facing such industries. These attacks will include relatively simple social engineering attacks to more sophisticated Advanced Persistent Threats (APTs), and will include both insider threats and threats originating from outside the enterprise. Then, after having discussed the existing vulnerabilities, this research will argue that the best method for an enterprise to achieve better security will be to adopt a proactive security concept as opposed to the traditional reactive approach.

Finally, this research will contribute to the field by introducing a new Cybersecurity Framework (the Dynamic Framework system), which is mapped to the National Institute of Standards and Technology’s (NIST) Risk Framework (RF), is designed based on three functional Controls (Preventive, Detective and Corrective), enables an enterprise to develop a healthier Cyber Hygiene (CH) through continuous monitoring of its assets, and is capable of ensuring a proper alignment between the business functionality and Cybersecurity missions of an enterprise.

1.3 Significance

A very significant global and national question is: how can nation states effectively safeguard their CI sectors and provide a comfort factor to their citizens that the CI sectors are secure in an era of insecurity, multiple Cyber-Attacks, and global challenges?

Cyber threats are pervasive, growing, and real, whether an individual is dealing with them professionally as a Cyber-Practitioner or has been touched by Cyber-Crime in his/her personal life. The “‘cyber threat is one of the most serious economic and national security challenges we face as a nation.’ [Obama, 2009]. Cyber-Attacks such as Advanced Persistent Threats (APTs), phishing, etc., are on the rise and they are genuine, and we as an individual or company face the challenges of combating these attacks.” [Shariati, 2014].

The Researcher has classified Threat Agents into three categories: state sponsored state players, state sponsored non-state players, and non-state sponsored players.

A Threat Agent is one who has the capabilities to launch a Cyber or physical attack on computer systems. For a current, but perhaps not complete, list of Threat Agents and some of their capabilities see Appendix 1.

The significance of this research lies in identifying and managing particularly malicious and well-coordinated attacks against the Financial Services Sector. Insider threats or external Threat Agents can be the source of these attacks. A September 2013 report by the “Recorded Future” website shows attacks against the Bank of America website from a group called Izz ad-Din al-Qassam Cyber Fighters (al-Qassam). In the same month the group attacked J.P. Morgan Chase Bank and the website of Wells Fargo, and engaged in numerous other attacks. Figure 2 shows the al-Qassam attacks landscape.


Figure 2: Al-Qassam Attacks Landscape. [Recorded Future, 2013].

The rise in the frequency and extent of Cyber-Attacks can be credited to a number of factors, such as unfriendly nation-states, hacktivists, and organized Cyber-Crime. A black market for breached data also serves to incentivize Cyber-Crime syndicates to engage in further attacks.

According to a report released by the New York State Department of Financial Services in May of 2014, a total of 154 financial institutions were asked to complete a security questionnaire, and most institutions, regardless of their size, have experienced intrusions or attempted intrusions into their IT systems over the preceding three years. The attempted methods included “malicious software (malware) (22%), phishing (21%), pharming (7%), and botnets or zombies (7%).” [The New York State Department of Financial Services, 2014]. Furthermore, according to the same report the most frequent types of Cyber-Attack were “account takeovers (46%), identity theft (18%), telecommunication network disruptions (15%), and data integrity breaches (9.3%). Third-party payment processor breaches were also reported by 18% and 15% of small and large institutions, respectively.” [The New York State Department of Financial Services, 2014].

On June 2, 2014, the FBI announced a multinational effort to disrupt the GameOver Zeus botnet. “GameOver Zeus is an extremely sophisticated type of malware designed specifically to steal banking and other credentials from the computers it infects. It’s predominately spread through spam e-mail or phishing messages.” [FBI, 2014]. Figure 3 illustrates the GameOver Zeus Malware and Botnet Architecture.

Figure 3: GameOver Zeus Malware and Botnet Architecture. [FBI GOZ, 2014].

Threat Agents continually develop aggressive and sophisticated techniques, whose characteristics include excellent coordination, centralization, funding, and evasiveness.

One group in particular, known as “APT1” or “the Comment Crew,” has captured the attention of several U.S. Cybersecurity companies. APT1 has been targeting specific industries, the majority of which have been designated as strategic emerging industries in China’s 12th Five Year Plan. For details see Figure 4.

Figure 4: Industries Targeted by APT1. [Mandiant, 2013].

Military Unit 61398 of China’s People’s Liberation Army (PLA) has also been linked to Cyber-Attacks targeting enterprises and CI in English-speaking countries including, but not limited to, the United States. Figure 5 identifies some of APT1’s confirmed targets.

Figure 5: Geographic Location of APT1’s Victims. [Mandiant, 2013].

Organized crime, Threat Agents, and others are using APT methods to acquire information to help them gain a competitive advantage, and they are succeeding.

According to SANS:

We have found that the phases of an attack can be described by 6 sequential stages. [see Figure 6]. Once again loosely borrowing vernacular, the phases of an operation can be described as a “cyber kill chain.” The importance here is not that this is a linear flow - some phases may occur in parallel, and the order of earlier phases can be interchanged - but rather how far along an adversary has progressed in his or her attack, the corresponding damage, and investigation that must be performed. [Cloppert, 2009].

Figure 6: The Attack Progression by SANS. [Cloppert, 2009].

While APTs, organized crime, and various attack methods can singlehandedly compromise an enterprise’s assets, any of these attacks would be significantly amplified with the help of an insider threat, causing considerably more damage. Further, the involvement of an insider threat damages the reputation of an enterprise, thereby causing unforeseen damages. As evidenced by recent insider threats, such as Edward Snowden or Bradley Manning, an insider threat has the potential to lead to rising international tensions and national security threats. Finally, while the cases of Snowden or Manning did not involve the Financial Services Sector, there is no reason to believe that this Sector is exempt from insider threats.

1.4 Limitations

The limitations for this research are as follows:

1. Lack of quantifiable Data: given the security-sensitive and confidential nature of cybersecurity, it is difficult to capture quantifiable research data from the Financial Services Sector or enterprises within this sector.

2. Use of Surveys: the use of surveys for this research is inappropriate. Entities in the Financial Services Sector will not respond to a survey due to the confidential and security-sensitive nature of their operations.

3. Use of the Researcher’s Framework in other Sectors: this research focuses primarily on the Financial Services Sector. The Researcher believes that the proposed Framework can be successfully implemented in any other Sector or industry. Nonetheless, another potential limitation of the research is that the Researcher is not able to tailor the proposed Framework to the needs of each unique Sector, and ensure that it is as effective in the other sectors as the data suggests it will be in the Financial Services Sector.

Based on historical fact, the above discussion, the knowledge of Subject Matter Experts (SMEs), and the Researcher’s expertise, this research rests on historical trends showing that the Financial Services Sector has Vulnerabilities, many of which are exploited by Threat Agents using various Threat Vectors. For more information, see Figure 7.

Figure 7: FY 2015 Incidents by Attempted Infection Vector, 295 Total. [ICS-CERT Monitor].

1.5 Organization of the Document

This research document has six chapters. The first chapter, Introduction, provides the background and motivation for conducting this research. Chapter two covers the literature review of current existing standards, frameworks, and best practices of Cybersecurity. The third chapter discusses the proposed Dynamic Framework system. Chapter four, Research Methodology, addresses selected CI sectors, Subject Matter Expert (SME) selection and interviews, and the process of collecting information. Chapter five discusses the current state of Cybersecurity, and, finally, Chapter six will conclude with recommendations and explore relevant topics for future research.

Chapter 2. Literature Review

2.1 Overview

The literature review was performed in the following areas:

1. Executive Order (EO) 13636 – Improving Critical Infrastructure Cybersecurity;

2. Cybersecurity Best Practices in Industry;

3. The National Infrastructure Protection Plan (NIPP) (Financial Services Sector-Specific Plan);

4. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4;

5. Framework for Improving Critical Infrastructure Cybersecurity (Framework); and

6. Relevant literature from the private sector.

2.2 Executive Order 13636 – Improving Critical Infrastructure Cybersecurity

The Obama Administration released its methodology for securing Critical Infrastructure (CI) in two parts. The first part is: the Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience (PPD-21), which requests an update to the NIPP. “This update is informed by significant evolution in the critical infrastructure risk, policy, and operating environments, as well as experience gained and lessons learned since the NIPP was last issued in 2009.” [DHS, 2013]. The updated NIPP also stresses a better security posture for CI sectors, and “to achieve these goals, cyber and physical security and the resilience of critical infrastructure assets, systems, and networks are integrated into an enterprise approach to risk management.” [DHS, 2013].

The second part of the Obama Administration’s plan to secure the CI sectors in the United States is: EO 13636 – Improving Critical Infrastructure Cybersecurity. In EO 13636 President Obama preserved the definition of CI as defined in the USA PATRIOT Act. In addition, his administration considered securing the CI sectors a higher priority than all previous administrations. In EO 13636, President Obama stated that:

it is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. [EO 13636, 2013].

Further, through a Cybersecurity information sharing process EO 13636 articulates the need for the U.S. government to “increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.” [EO 13636, 2013].

The EO also mandates that the Attorney General, the Secretary of Homeland Security (the Secretary), and the Director of National Intelligence (DNI) establish processes for sharing Cyber threat reports with potentially targeted CI sectors.

In order to maximize the utility of cyber threat information sharing with the private sector, the Secretary shall expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks. [EO 13636, 2013].

2.3 Current Cybersecurity Practices in Industry

Current security postures focus on utilizing multiple technologies to protect against Cyber-Attacks. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Firewalls are used to prevent outsiders from accessing the network. [McCumber, 2004]. Additionally, to provide a Defense in Depth approach to security, supplementary technologies are incorporated, such as host based security solutions, auditing systems and various network sensors. See Figure 8.

Figure 8: Sphere of Security. [Whitman et al., 2012].

Cyber threat detection techniques include signature-based, anomaly-based, and specification-based, as shown in Figure 9. To provide a central method of managing all this information, Security Incident and Event Management (SIEM) systems have been used. The SIEM system is loaded with up-to-date threat signature files, programmed to identify patterns of attacks, and has the ability to alert the appropriate Cyber-Practitioners. Despite being automated, this process typically alerts the Cyber-Practitioner after an attack has been initiated and the systems compromised.

The problem is further compounded since the Cyber-Practitioners are limited by the amount of information they are capable of analyzing, and the fact that SIEM systems must be configured and deployed properly to function effectively. Moreover, because a SIEM system may raise false positive and/or false negative alerts, a SIEM system may flag Cyber-Events that fall into the routine operations of the enterprise. Nonetheless, current Cybersecurity policies and solutions have a dependence on signature-based tools.

Figure 9: Classification of Threat Detection Techniques (Signature-based, Anomaly-based, Specification-based). [Vasumathi and Krishna, 2012].

The SANS Institute conducted a survey in 2012, concluding that respondents are looking at more data than ever before, the industry continues to mature, and organizations expect to get more meaningful and actionable results from log data. Virtually every product that manages data logs is now developed with one or more built-in processes for extracting, analyzing, and alerting on data. [Shenk, 2012]. In the survey, 58 percent of respondents reported that they use a log manager to collect and analyze logs; 37 percent said they are using a SIEM system in some capacity, although 22 percent are collecting the logs and processing them entirely with their SIEM systems. [Shenk, 2012]. Security Incident and Event Management data include the collection of log data as well as correlation of different logs of Cyber-Events from various sources, together with suspicious Cyber-Event information. According to the survey, “this data is correlated and presented through other features such as dashboards, real-time alerting and reports and charts, depending on a particular vendor’s implementation.” [Shenk, 2012].

The issue that ranked most challenging and also had the highest total number of votes by the respondents was “Identification of key events from normal background activity,” as shown in Figure 10. [Shenk, 2012].

Figure 10: Top Challenges. [Shenk, 2012].

The 2012 survey responses indicate that enterprises are attempting to squeeze as much actionable data as they can out of their log management systems (e.g., firewalls, IDS, and IPS) so the convergence with SIEM systems is understandable. However, enterprises continue to struggle with Cyber-Attacks and screening out background noise (e.g., false positive and/or false negative Cyber-Events) from actionable data on their networks.
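The three detection techniques of Figure 9 and the background-noise problem the survey respondents describe, as an added example that is not part of the dissertation and not any vendor's SIEM code: a small Python script runs one signature rule, one anomaly rule and one specification (policy) rule over constructed log lines, then suppresses at triage an alert that is really a routine operation. The log lines, host names, users, addresses, the failed-login baseline, the finance-access policy and the scanner allow-list are all constructed assumptions.

```python
"""Signature-, anomaly- and specification-based detection over constructed log lines.

Added example; rules, baseline and log lines are hypothetical and are not
the dissertation's or any SIEM vendor's code.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines: hypothetical hosts, users and addresses.
SAMPLE_LOGS = [
    "2016-03-01T09:01:10 host=ws-17 user=alice action=login result=success src=10.0.4.21",
    "2016-03-01T09:03:42 host=ws-17 user=alice action=file_read path=/finance/q1.xlsx",
    "2016-03-01T09:05:00 host=web-02 user=- action=http src=203.0.113.9 path=/login?id=1'%20OR%20'1'='1",
    "2016-03-01T02:12:05 host=db-01 user=bob action=login result=success src=10.0.4.88",
    "2016-03-01T02:12:30 host=db-01 user=bob action=file_read path=/finance/ledger.db",
    "2016-03-01T10:00:01 host=web-02 user=- action=http src=10.0.9.5 ua=Nessus path=/",
    "2016-03-01T11:20:00 host=ws-31 user=carol action=login result=failure src=10.0.4.40",
    "2016-03-01T11:20:09 host=ws-31 user=carol action=login result=failure src=10.0.4.40",
    "2016-03-01T11:20:15 host=ws-31 user=carol action=login result=failure src=10.0.4.40",
    "2016-03-01T11:20:22 host=ws-31 user=carol action=login result=failure src=10.0.4.40",
    "2016-03-01T11:20:31 host=ws-31 user=carol action=login result=failure src=10.0.4.40",
]


@dataclass
class Alert:
    technique: str   # "signature", "anomaly" or "specification"
    subject: str     # user or source address the alert is about
    detail: str


KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts)}
    event.update(KV.findall(rest))
    return event


# Signature-based: known-bad patterns matched against a named field.
SIGNATURES = [
    ("sqli-tautology", "path", re.compile(r"'(?:%20|\s)*OR(?:%20|\s)*'1'='1", re.I)),
    ("vuln-scanner-ua", "ua", re.compile(r"Nessus|Nikto", re.I)),
]


def signature_detect(events):
    return [Alert("signature", e.get("src", "?"), name)
            for e in events for name, field, rx in SIGNATURES
            if field in e and rx.search(e[field])]


# Anomaly-based: compare per-user failed-login counts with a learned baseline.
BASELINE_FAILS = {"mean": 1.0, "std": 0.8}   # constructed historical daily rate


def anomaly_detect(events, baseline=BASELINE_FAILS, z=3.0):
    threshold = baseline["mean"] + z * baseline["std"]
    fails = Counter(e["user"] for e in events
                    if e.get("action") == "login" and e.get("result") == "failure")
    return [Alert("anomaly", user, f"{n} failed logins > threshold {threshold:.1f}")
            for user, n in fails.items() if n > threshold]


# Specification-based: flag behaviour that violates an explicit, written policy.
FINANCE_POLICY = {"prefix": "/finance/", "users": {"alice"}, "hours": range(8, 18)}


def specification_detect(events, policy=FINANCE_POLICY):
    alerts = []
    for e in events:
        if e.get("action") != "file_read" or not e.get("path", "").startswith(policy["prefix"]):
            continue
        reasons = []
        if e["user"] not in policy["users"]:
            reasons.append("user not authorised for finance data")
        if e["ts"].hour not in policy["hours"]:
            reasons.append(f"access at {e['ts']:%H:%M} outside business hours")
        if reasons:
            alerts.append(Alert("specification", e["user"], "; ".join(reasons)))
    return alerts


# Triage: suppress alerts that are routine operations (an authorised scanner),
# i.e. the background noise the survey respondents struggle to screen out.
KNOWN_SCANNERS = {"10.0.9.5"}   # constructed allow-list of authorised scan sources


def triage(alerts, allowlist=KNOWN_SCANNERS):
    kept = [a for a in alerts if not (a.technique == "signature" and a.subject in allowlist)]
    suppressed = [a for a in alerts if a not in kept]
    return kept, suppressed


def run(lines=SAMPLE_LOGS):
    events = [parse_line(line) for line in lines]
    raw = signature_detect(events) + anomaly_detect(events) + specification_detect(events)
    kept, suppressed = triage(raw)
    return {"raw": raw, "kept": kept, "suppressed": suppressed}


if __name__ == "__main__":
    result = run()
    for a in result["kept"]:
        print(f"[{a.technique}] {a.subject}: {a.detail}")
    print(f"suppressed as routine: {len(result['suppressed'])}")
```

The allow-list is applied at triage rather than by weakening the scanner signature, so the routine event still produces a record that can be reviewed if the scanner host is ever abused; the anomaly rule only works as well as its baseline, and the specification rule only catches what the written policy names, which is why the three are normally layered rather than chosen between.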

According to the respondents of the survey, from a technical perspective, today’s Information Technology (IT) environments provide another security challenge in combatting Cyber-Attacks, as well as detecting new Attack Vectors (AV) and preventing incidents. See Figure 11. [Shenk, 2012].

Figure 11: Difficulties in Using Log Data. [Shenk, 2012].

2.4 The NIPP - Financial Services Sector-Specific Plan

The Financial Services Sector is paramount for the economic stability of any nation. In today’s “Cyber-Ecosystem” and threat landscape, the Financial Services Sector has been a victim of numerous sophisticated Cyber-Attacks by Cyber criminals and organized crime (see Figure 12). Furthermore, Cyber criminals and Cyber-Crime syndicates have frequently targeted the Financial Services Sector using different capabilities such as APTs, spear-phishing attacks, Distributed Denial of Service (DDoS) attacks, and Structured Query Language (SQL) Injections. See Appendix 1 for a current and non-comprehensive list of Threat Agents and some of their capabilities.

Figure 12: Cyber Banking Fraud. [FBI, 2010].

2.4.1 Sector-Specific Agency

The U.S. Department of the Treasury, which is the Sector-Specific Agency (SSA) for the Financial Services Sector, plays a vital role for both the financial regulators and the private sector and “these regulators and the private sector are committed to the Banking and Finance Sector’s critical infrastructure and key resources (CIKR) partnership.” [DHS, 2010]. The private sector element of this partnership is structured through numerous organizations, “such as the Financial Services Coordinating Council for Infrastructure Protection and Homeland Security (FSSCC), the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the regional coalitions.” [DHS, 2010]. This partnership was established to identify the necessary security posture and best practices to address the growing number of Cyber threats, and FS-ISAC shares specific information related to potential risks in the Financial Services Sector.

In 2010, the SSA approved the Financial Services Sector-Specific Plan (SSP). “The Banking and Finance Sector is large in both the number of assets and the number of individual businesses.” [DHS, 2010]. As a result, the SSP was developed in partnership with two groups: 1) FSSCC, and 2) Members of the Financial and Banking Information Infrastructure Committee (FBIIC), which are represented by the Federal financial regulators, and associations of State financial regulators. For details see Figure 13.

Figure 13: FBIIC Members. [DHS, 2010].

2.4.2 Sector Goals and Objectives

The U.S. Department of the Treasury, in partnership with the private sector, oversees and encourages security for the Financial Services Sector. Through this partnership the Financial Services Sector has implemented a method “to respond quickly and appropriately to detect, deter, prevent, and mitigate intrusions and attacks.” [DHS, 2010]. This capability supports and safeguards business continuity, as well as the operation of the Financial Services Sector.

Cybersecurity is at the forefront of our nation’s CI sectors. To combat Cyber-Attacks, the Financial Services Sector’s vision statement is as follows:

To continue to improve the resilience and availability of financial services, the Banking and Finance Sector will work through its public-private partnership to address the evolving nature of threats and the risks posed by the sector’s dependency upon other critical sectors. [DHS, 2010].

In order to achieve its vision this sector has three primary goals:

1. To achieve the best possible position in the face of a myriad of intentional, unintentional, manmade, and natural threats against the sector’s physical and cyber infrastructure;

2. To address and manage the risks posed by the dependence of the sector on the Communications, IT, Energy, and Transportation Systems Sectors; and

3. To work with the law enforcement community, financial regulatory authorities, the private sector, and our international counterparts to address threats facing the financial services sector. [DHS, 2010].

2.4.3 Asset, System, and Network Identification

The Financial Services Sector is represented by the following products and services: “1) deposit, consumer credit, and payment systems; 2) credit and liquidity products; 3) investment products; and 4) risk transfer products (including insurance).” [DHS, 2010]. The products of the Financial Services Sector are not physical in nature; therefore to conduct a risk assessment, the SSP process must focus on identifying critical processes based on the sector’s member organizations rather than focusing on physical assets. See Figure 14 for details.

Figure 14: Vulnerability Assessment Methodology. [DHS, 2010].

To mitigate the risk of internal and external Vulnerabilities, as well as external dependencies, each organization conducts a risk assessment of its critical business functions such as information security. The U.S. Department of the Treasury collects sector-specific information via collaboration with the members of the FBIIC and the private sector.

All of the assets, such as systems, databases, and networks, are part of the physical assets of the organization; the following are also considered assets:

• Asset name, mailing address, physical location, owner/operator name;

• Function or type of transaction—deposit and payments systems or credit and liquidity products, including investment and risk transfer;

• Geographic region, financial center;

• Number of people employed;

• Economic contribution—total market value of financial transactions conducted by or through the asset on a daily, weekly, monthly, and yearly basis;

• International considerations, if any;

• Existing and planned protective measures;

• Dependencies on other sectors such as Communications, Energy, IT, and Transportation Systems;

• Interaction with other assets—those other critical national assets directly and indirectly affected by the operation of each asset;

• Backup capability—the location and function of backup facilities (e.g., data center and business resumption); and

• Substitutability—whether other industry systems or infrastructures would be able to serve the same function. [DHS, 2010].

Moreover, many of these member organizations have a significant role in the Financial Services Sector, and that is to develop the appropriate business resumption plan and provide better compliance. To accomplish this, however, the first step is to identify which organizations will have the vital operational responsibilities.

2.4.4 The Financial Services Sector Vulnerabilities

Managing risk is part of the Financial Services Sector’s business practices. This sector has a long history of conducting regular vulnerability assessments. After September 11, 2001, the FBIIC began an organized process to improve the Financial Services Sector’s security posture and its resiliency to man-made and natural disasters. This vulnerability assessment process has continued to evolve over the years and now includes physical and Cyber components along with dependencies to other CI sectors (see Figure 15). [DHS, 2010].

This new vulnerability assessment also includes the testing of the “potential risks resulting from cross-sector dependence, sector-specific vulnerabilities, and dependencies on key assets, systems, technologies, and processes.” [DHS, 2010]. The assessment takes into consideration the following vulnerabilities: Cyber, Physical, and Human. This assessment has two dependencies: 1) sector-specific assets, systems and processes, and 2) cross-sector reliance. As a result, the vulnerability assessment is completed in a qualitative risk assessment process.

Figure 15: Financial Services Sector Dependency Relationships [DHS, 2010].

2.5 NIST Special Publication 800-53 Revision 4

The National Institute of Standards and Technology (NIST) has responsibilities under the Federal Information Security Management Act (FISMA) to develop the best practices and guidelines for industry. In accordance with this responsibility, NIST developed the Special Publication (SP) 800-53 Revision 4, which:

provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors. [NIST SP 800-53, 2013].

Originally, there were 17 “families” of Controls that were aligned with the requirements of the Federal Information Processing Standards (FIPS) 200 – Minimum Security Requirements for Federal Information and Information Systems. This was later updated to add an additional family, which was “Program Management.” This Control provides security at the organizational level as opposed to the system level. Figure 16 shows the 18 families of Controls.

Figure 16: NIST 800-53 Security Controls and Families. [NIST SP 800-53, 2013].

These security Controls address a diverse set of security requirements across the CI sectors, resulting from EOs, policies, legislation, standards, and best practices. Security Controls are countermeasures to Cyber-Attacks against information systems or organizations, and these Controls are designed to: “(i) protect the confidentiality, integrity, and availability of information that is processed, stored, and transmitted by those systems/organizations; and (ii) satisfy a set of defined security requirements.” [NIST SP 800-53, 2013].

2.5.1 Applicability

National Institute of Standards and Technology SP 800-53 Revision 4 offers both guidelines for high-impact systems as well as security Controls for enhanced security. Computer network systems in the Financial Services Sector are undoubtedly high-impact “based on [their] security requirements, security policies, and needed security capabilities…[and have] an expectation of (i) a limited strength of security functionality; and (ii) a limited degree of confidence…that the security functionality is complete, consistent, and correct.” [NIST SP 800-53, 2013].

The SP 800-53 provides guidelines for selecting and specifying security Controls for the Financial Services Sector, and these guidelines apply to all components of an information system such as workstations, servers, databases, electronic mail, authentication, websites, file security, and domain names. These guidelines also affect input and output devices and network components such as firewalls, routers, and gateways.

The SP 800-53 also

(i) provides a set of information security program management … controls that are typically implemented at the organization level and not directed at individual organizational information systems; (ii) provides a set of privacy controls based on international standards and best practices that help organizations enforce privacy requirements derived from federal legislation, directives, policies, regulations, and standards; and (iii) establishes a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements which may overlap in concept and in implementation within federal information systems, programs, and organizations. [NIST SP 800-53, 2013].

Further, SP 800-53 guidelines start an organization-wide Cybersecurity initiative by implementing a program for the management of risk, which determines “the risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation of information systems.” [NIST SP 800-53, 2013]. Figure 17 illustrates the three-tiered approach to risk management.

Figure 17: Three-Tiered Risk Management Approach. [NIST SP 800-53, 2013].

2.6 Framework for Improving Critical Infrastructure Cybersecurity

The National Institute of Standards and Technology released the NIST Cybersecurity Framework for improving Critical Infrastructure as a key component in the Nation’s battle to protect CI sectors. According to NIST, the Framework is effective in helping to reduce Cybersecurity risks and assisting organizations in addressing a variety of Cybersecurity challenges. [NIST, 2014].

The Framework complements an organization’s risk management process and it provides a common mechanism for organizations to:

1. Describe their current cybersecurity posture;

2. Describe their target state for cybersecurity;

3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;

4. Assess progress toward the target state;

5. Communicate among internal and external stakeholders about cybersecurity risk. [NIST, 2014].

This Framework is composed of three primary elements: “the Framework Core, Framework Profile, and Framework Implementation Tiers.” [NIST, 2014].

2.6.1 Framework Core

The Framework Core (Core) describes Cybersecurity activities, desired outcomes, and applicable references that are common across the CI sectors. The Core consists of four elements (functions, categories, subcategories, and informative references), the most relevant of which for this research is the first. The “functions” of the Core organize

Cybersecurity activities. Essentially, these functions assist an enterprise in managing the risk of Cybersecurity by organizing risk management decisions and mitigating threats. The functions are as follows: identify, protect, detect, respond, and recover. See Figure 18 for more information about the five elements. [NIST, 2014].


Figure 18: Functions of the Framework Core. [NIST, 2014].

The first function, “Identify,” requires developing an enterprise’s plan to manage its Cybersecurity risk concerning its assets, data, systems, and operations. “Protect” identifies, develops, and implements appropriate countermeasures or Controls to ensure the enterprise’s ongoing critical operations. “Detect” requires the development and implementation of the correct tools to identify and detect ongoing Cyber threats, and prevent Cyber-Events. “Respond” necessitates the development of response teams that can implement appropriate and timely actions to mitigate Cyber-Events. Finally, “Recover” requires developing a plan to address restoring the capabilities of enterprise operations in a timely manner. [NIST, 2014].

2.6.2 Framework Implementation Tiers

The Framework Implementation Tiers (Tiers) describe the levels of security that an enterprise can provide to lower the risk of its security operations. The Tiers range from Tier 1 to Tier 4. Tier 1 is known as “Partial Tier.” In Tier 1, risk informed management is the focal point. In this Partial Tier, Cybersecurity risk management practices are not formalized and Cyber risks are managed in an “ad hoc” and reactive manner. [NIST, 2014].

Tier 2 is known as “Risk Informed.” In this Tier, management within the organization approves risk mitigation decisions.

The third Tier is known as “Repeatable” and in this Tier, formal policies for risk-management processes and programs are placed among enterprise-wide organizations with partial external collaboration. In Tier 4, “Adaptive,” risk management processes are based on lessons learned, self-evaluation, and predictive threat indicators. In addition, enterprises and organizations in industry contribute in proactive collaboration with their partners and oversee previous Cybersecurity activities. [NIST, 2014].

2.6.3 Framework Profile

According to NIST, the Framework Profile (Profile), which is the alignment of functions, categories, and subcategories with business requirements, risk tolerance, and resources of an enterprise, is considered “much needed” in helping to identify opportunities for improving an organization’s Cybersecurity goals. The National Institute of Standards and Technology considers the Profile as a roadmap for reducing Cybersecurity risk, and believes that it is well aligned with an enterprise’s security operations procedures and sector goals. [NIST, 2014]. Profiles can be used to identify opportunities for improving Cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state). Both Current and Target profiles include processes, procedures, and technologies such as asset management, alignment with business strategies, risk assessment, access control, data security, and incident response plans.

2.6.4 Applicability

Currently, the Cybersecurity discussion centers on compliance. The Framework helps to move the discussion concerning Cybersecurity beyond a compliance mindset. One of the advantages of using the Framework is the resources and recognition designated for implementing better Cybersecurity practices. Working from the Framework provides the insight that Cybersecurity is a continuous improvement process, and not an exercise in compliance. According to the former Director of NIST, Patrick Gallagher, this “Could be extremely helpful to the federal government, because they move the debate past the application of controls and the notion that the only thing you can assess and measure is how many controls you put in place.” [Gallagher, 2014].

The Financial Services Sector’s security should be audited and analyzed for Vulnerabilities and compliance with the Cybersecurity Framework. The Framework’s methodology provides a path to ensure a strong security posture, can be applied across various forms of technology, and relies on existing standards, guidelines and practices that will enable CI sectors to achieve a stronger resistance to Cyber-Attacks.

2.7 Review of Current Situational Awareness

Intrusion Detection Systems were created to protect critical information infrastructures against DoS attacks (availability), attacks involving the unauthorized disclosure of information (confidentiality), and/or attacks relating to the modification or destruction of data (integrity). Intrusion Detection Systems must have information in order to be effective, and the best way to provide the necessary information to these systems is to utilize various sensors in an organization.

The need to fuse data from various sensors in an organization was highlighted by Tim Bass as early as the year 2000. In “Intrusion Detection Systems and Multisensor Data Fusion,” he argued that in order to create cyberspace situation awareness, intrusion detection systems must effectively fuse data from a myriad of heterogeneous distributed network sensors. [Bass, 2000]. The terms “data fusion” and “distributed sensing” involve combining “data from multiple and diverse sensors and sources in order to make inferences about events, activities, and situations.” [Bass, 2000].

One way to improve an enterprise’s ability to identify malicious actors and detect malicious activity on its network is to obtain better information using data mining. Data mining in cyberspace is an offline knowledge creation process where large sets of previously collected data are filtered, transformed, and organized into information sets.

This information set is then used to discover hidden, previously undetected situational patterns. [Bass, 2000]. Data mining is slightly different from data fusion in that the latter uses known ID templates and pattern recognition, while the former searches for hidden patterns. [Bass, 2000]. Moreover, “data fusion focuses on the current state of the network based on past data; data mining focuses on new or hidden patterns in old data to create previously unknown knowledge.” [Bass, 2000].

2.8 Importance of Situational Awareness in Cybersecurity

MITRE Corporation, the Northeast Regional Research Center (NRRC), and the Advanced Research and Development Activity in Information Technology (ARDA) collaborated and published an article characterizing and creating analysis methods to counter sophisticated malicious insiders in the intelligence community of the United States. [Maybury, et al., 2005]. The report presents a generic model of the behavior of malicious insiders, distinguishes their motives, their actions, and associated observables, and outlines several techniques developed to provide early warning of insider activity. [Maybury, et al., 2005].

According to Analysis and Detection of Malicious Insiders, while some malicious insiders can be detected using a single cyber observable, more sophisticated malicious insiders can only be detected if multiple observables are used. Further, fusing information from various sources, such as logs, authentication, and/or card readers, and various levels of the IP stack allows more accurate and timely indications and warning of malicious insiders. Additionally, observables combined with domain knowledge such as user roles can help detect inappropriate behavior. [Maybury, et al., 2005].

In order to test their hypothesis, MITRE simulated three malicious insiders: (1) an historical insider modeled as a prototype of past need-to-know violators called Pal; (2) a projected insider who would aim to disrupt, damage, or destroy the network or elements thereof called Jack; and (3) an application administrator called News Admin or Jill. [Maybury, et al., 2005]. The research team disclosed only the behavior of the first category of insider to the sensor builders prior to the experiment.

To detect these insiders, the researchers designed a high-level architecture for a proof-of-concept system, and implemented and tested the system to detect the malicious insiders. [Maybury, et al., 2005]. In this process, they utilized the following:

• A Common Data Repository (CDR) that captured and anonymized heterogeneous sensor input.

• Multilevel monitoring that occurred at the packet level, system level, and application level.

• StealthWatch sensors that detected abnormal insider behavior on the network such as scanning, file transfer, or internal network connections.

• Distributed honeynets that acquired attacker properties, pre-attack intentions, and potential attack strategies.

• A real-time, top-down structural analysis that drew upon functional models of malicious insiders and mapped pre-attack indicators to models of potential malicious insiders.

• Traditional and non-traditional indicators (e.g., logs of network activity, physical access, PBX, help desks), including non-digital sources, that were fused bottom-up. [Maybury, et al., 2005].

Sensor inputs were then exploited by a decision analysis component in order to detect potential malicious insiders. The researchers found that using these techniques, they were able to identify the malicious insiders. For instance, using StealthWatch allowed them to identify Jack within a day of his malicious activity. [Maybury, et al., 2005]. The Structured Analysis approach was also successful as it detected all three malicious insiders. Pal was identified within two days of initiating his malicious behavior, and an alert was issued six days later. Jill was put on the watch list even before her suspicious activity started, and an alert was issued for Jill four days later. Finally, an alert was issued for Jack six days after he initiated malicious behavior. [Maybury, et al., 2005].

In summary, utilizing their approach and combining the use of sensors, the researchers were able to identify all malicious insiders. Two were detected within one week of their initiation of suspicious activity and the third was detected within two weeks. [Maybury, et al., 2005].

Chapter 3. Framework

3.1 Overview

Present-day hackers and organized crime groups exploit networks and systems of financial organizations faster than Cyber-Practitioners can defend these networks, and this is the case in both the public and private sectors. The current Financial Services Sector’s Cybersecurity strategy is dependent upon signature-based tools, the vulnerabilities of which are frequently exploited by the attackers. Therefore, an “attacker needs to change one line of malicious code and the most current signature-based intrusion detection and prevention systems will miss the new attack. As a result, we are reacting to a constantly changing threat vector.” [Shariati, 2014].

The Financial Services Sector has multiple Human Assets that can serve as a potential source of Vulnerability. These Human Assets include employees, contractors, visitors, and third-party vendors. Additionally, it should be noted that there is no single security solution for the Financial Services Sector. There are, however, common elements of a security architecture, which the Financial Services Sector should consider when developing its security plan. This research offers a new Cybersecurity architecture that will assist the Financial Services Sector in reducing Cyber-Attacks by narrowing the window of opportunity for attackers to compromise an enterprise’s assets.

3.2 Framework Architecture

As mentioned previously, current security practices are reactive. The purpose of this proposed security architecture is to change the Financial Services Sector’s security posture from the current state into a near-future state by continuously monitoring the organization’s assets such as employees and equipment.

The Dynamic Detecting Cybersecurity Management Framework (Dynamic Framework) is a system with the capabilities that ensure alignment between the business functionality and the Cybersecurity mission (reducing risk by protecting the CIA) of an enterprise in the Financial Services Sector. The Dynamic Framework system was designed based on three functional Controls as shown in Figure 19. These Controls will help reduce the impact (Low, Medium and High) of the risk on the CIA. The three functional Controls are:

1. Preventive Controls – are types of Controls that will prevent the occurrence of unwanted Cyber-Events. Controls such as Firewall, Security Awareness Training (SAT), and security guards will be considered Preventive Controls.

2. Detective Controls – are types of Controls that will monitor and identify unwanted Cyber-Events after they have occurred. System monitoring, Intrusion Detection Systems (IDS), Anti-Virus (AV), and motion detectors are examples of Detective Controls.

3. Corrective Controls – are types of Controls that will remedy an incident and restore the system or process back to the normal operating state prior to a Cyber-Event. Operating System (OS) upgrades, restoring data from backups, vulnerability scanning, and vulnerability mitigation are Corrective Controls.


Figure 19: Dynamic Framework System Controls.

The Dynamic Framework system has two components:

1. A back-end server with the Administrative Access Dashboard Control (AADC), which requires proper administrative authentication for access (Appendix 2).

2. A front-end client agent, which is a software application that must be run on a client mobile device, desktop, or other compatible device.

The Dynamic Framework system was designed based on three access controls: Authentication, Authorization, and Auditing (AAA). Authentication is the process of verifying the identity of each user claiming to have permission to use an enterprise’s resource(s). Authorization consists of the specific permissions that a particular authenticated user has, given her/his authenticated identity. Auditing entails collecting information about the activities of a user while using organizational resources that s/he is authorized to use.

Furthermore, the Dynamic Framework system has four modules as shown in Figure 20.

Figure 20: Dynamic Framework System Modules.

3.3 Dynamic Framework Pre-Conditions

While the Dynamic Framework system seeks to protect an enterprise’s assets, it is important to note that there are certain pre-conditions and requirements that need to be implemented in advance to ensure the Dynamic Framework system is working effectively.

Generally, seven domains of a typical IT infrastructure are recognized. [Gibson, 2015]. Figure 21 shows the seven domains. Additionally, the Researcher posits that the mobile domain and the Bring Your Own Device (BYOD) concept have combined to become the de-facto eighth domain of IT. Since the mobile domain and the BYOD concept have been added to an organization’s environment, a proper Mobile Device Management (MDM) technology solution and policy should be utilized by the enterprise before the Dynamic Framework system is implemented.

Figure 21: Seven Domains of IT with an Additional New Domain. [Gibson, 2015].

The Dynamic Framework system will function most effectively only when other security technology domains such as access control, network security, software development security, Public Key Infrastructure (PKI), cryptography, security architecture, operational security, disaster recovery planning, Firewall, and physical security are all in place, and are properly protecting the eight domains. Administrative Controls such as security policies, security training, and education should also be in effect. The Dynamic Framework system is an additional Control in the Layered Security approach to protect an enterprise’s assets, and could be considered a new domain of security. See Figure 22 for details.

Figure 22: Layered Security with the Dynamic Framework System.

Furthermore, the Dynamic Framework System architecture is mapped to the five function areas of NIST’s RF: Identify, Protect, Detect, Respond, and Recover, as shown in Figure 23.

Figure 23: Dynamic Framework System Architecture mapped to NIST’s RF.

3.4 Dynamic Framework System Modules

1. Identity Management Module (IM) – the IM module provides credentials and access to users based on their job title, requirements, and location. It delivers access according to Role-Based Access Control (RBAC) and Rule-Based Access Control (RB-RBAC). Essentially, all users have a default level of access to the enterprise assets based on RBAC. If users need further access to additional resources or zones not granted by RBAC, RB-RBAC will permit the system administrator or data custodian to provide the necessary authorization and access.

2. Access Management Module (AM) – this module will authenticate user credentials, such as user ID and password, and will authorize access to appropriate resources. It will also ensure that users with the appropriate credentials have access to the permitted physical sites and zones.

3. Privilege Management Module (PM) – this module enforces policies, procedures, standards, and technologies that were configured into the back-end server based on the enterprise’s internal policies and procedures. Furthermore, it manages credential revocation and session monitoring. Sessions and activities of users using enterprise resources will be monitored based on RBAC and RB-RBAC configurations.

4. Detecting Management Module (DM) – this automated next-generation active sensor module is the heart of the Dynamic Framework system. The AADC establishes authorized zones according to RBAC configurations for users based on their job title. This is achieved through synchronizing the wireless Access Points (AP) to the back-end server. The DM then effectively monitors an enterprise’s assets by providing a user with authorized access to the enterprise’s wireless AP utilizing the front-end client agent located on the user’s mobile device(s) and the Radio-Frequency Identification (RFID) sensor of the user’s badge. By providing the enterprise with real-time information about threat profiles, which are the users (regardless of their internal or external status), the enterprise will have the necessary capability to use Cyber Analytics for predictive security intelligence by monitoring users’ typical use of the enterprise’s assets. Further, it provides situational awareness of the enterprise’s “Cyber Hygiene” in real-time based on continuous monitoring of the users and their movement in the facilities and zones, and has the potential to establish Cyber-Resiliency. Reporting is another feature of automated sensing, which would work with the BYOD. This methodology is consistent with the risk-based Framework for Improving Critical Infrastructure Cybersecurity.

Figure 23 illustrates how the Dynamic Framework system’s sensing mechanism can secure the Financial Services Sector.

3.5 Identity Management (IM) Module

The Dynamic Framework system’s process, which is on-premises, begins with streamlining the management of identities, and it has two types of identities as illustrated in Figure 24:

1. User Identities

2. Device Identities

Figure 24: Dynamic Framework System Identities.

1. User Identities are in four groups shown in Figure 25:

Figure 25: Dynamic Framework System User Groups.

a. Internal Privileged Users (IPU) – Users who went through the routine hiring procedures, are part of the enterprise, and require access to internal resources such as desktop computers, printers, laptops, or VoIP phones. These IPUs should be categorized and given the appropriate access levels based on RBAC and RB-RBAC to use only known and predetermined enterprise resources as business needs dictate.

b. External Privileged Users (EPU) – Users of the enterprise that are given privilege to access the system(s) of the enterprise remotely or externally for the purposes of working on business functions. These are predetermined users who will have access to the system, a specific enterprise resource, and at specific times as determined by RBAC and RB-RBAC.

c. Internal Guest Users (IGU) – Users such as contractors, customers, and guests who are given privilege to access the system(s) of the enterprise while visiting the enterprise, for as long as the duration of their task mandates.

d. External Guest Users (EGU) – Users such as contractors, customers, and guests who are given privilege to access the system(s) of the enterprise remotely for specific times.

2. Device Identities are in two groups, seen in Figure 26:


Figure 26: Dynamic Framework System Device Identities.

a. Internal Registered Devices (IRD) – IRDs are assets that belong to, or are owned by, the enterprise. These assets can include, but are not limited to, desktop computers, printers, laptops, or VoIP phones. Internal Registered Devices should be assigned to an IPU for the purposes of work as business needs dictate. Each IRD will be furnished with an asset ID tag belonging to the enterprise in order to enable inventory and auditing.

b. External Registered Devices (ERD) – Assets that belong to, or are owned by, the enterprise that are being assigned to EPUs for a specific time only, as determined by RB-RBAC. Each user can only fit in one category concurrently (i.e., either an IPU or an EPU).

3.6 Access Management (AM) Module

The Dynamic Framework system’s administrator will enter IRD and ERD into the Dynamic Framework system’s AADC. As a result, this will “white list” the IRDs and the ERDs and will allow the users to authenticate their credentials in accordance with a predefined and authorized list of approved devices and configuration settings within the Dynamic Framework system’s AADC.

3.7 Privilege Management (PM) Module

The PM Module functions similarly to a Certificate Authority (CA), which is responsible for issuing and revoking Digital Certificates (Certificates). After IM and AM have been completed, using the information provided, the Dynamic Framework system will generate a Certificate (Appendix 3) granting the users the appropriate privileges. The structure of this Certificate is based on X.509 version 3, and it has a token component, which stores the relevant identifying information for authentication. All of the IRDs and ERDs will contain certain information, such as the Media Access Control (MAC) address, location, and enterprise asset tag number, that will be a part of the certificate generated by the Dynamic Framework system.

Thereafter, a multifactor process establishes the authentication procedure. To be properly authenticated, the IPU needs to satisfy all of the conditions below by providing:

1. User ID and password (something they know);

2. User Registered Mobile Device (RMD) (something they have);

3. User smart access card (something they have); and

4. Default Location Zone (LZ) (somewhere they are).

The RMD includes information that has been added to the Dynamic Framework system. This information, which has previously been “white listed” by the system administrator on the AADC, consists of:

1. Mobile number;

2. International Mobile Station Equipment Identity (IMEI) number, which is a unique 15 decimal digit number assigned to all mobile devices; and

3. RMD’s Media Access Control (MAC) address.

After successful authentication, the Dynamic Framework system’s asset management authorization list will determine which resources (assets) the users will be allowed to access, and what privileges they will have on the asset.
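The four-factor check of this section and the RMD white list, as an added example that is not code from the dissertation or its prototype. It assumes PBKDF2 for password storage, the Luhn check digit on the IMEI (a standard IMEI property the text does not mention), and the constructed class names, record and sample values shown.

```python
"""Added example (not the dissertation's code): a model of the PM module's
four-factor authentication of an Internal Privileged User (IPU), checked
against the Registered Mobile Device (RMD) attributes white listed on the
AADC. All class names, field names and sample values are constructed."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RegisteredMobileDevice:
    """RMD attributes white listed on the AADC (section 3.7)."""
    mobile_number: str
    imei: str
    mac: str


@dataclass(frozen=True)
class IPURecord:
    """What the Dynamic Framework holds for one IPU after IM and AM."""
    user_id: str
    salt: bytes
    password_hash: bytes
    rmd: RegisteredMobileDevice
    smart_card_id: str
    default_zone: str


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 (assumption): the server never stores the cleartext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def imei_is_valid(imei: str) -> bool:
    """15 decimal digits, as the text states. The Luhn check-digit test is a
    standard IMEI property added here; the dissertation does not mention it."""
    if not re.fullmatch(r"[0-9]{15}", imei):
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_mac(mac: str) -> str:
    # Accept 00:11:22:aa:bb:cc, 00-11-22-AA-BB-CC or 001122aabbcc.
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def authenticate_ipu(record: IPURecord, user_id: str, password: str,
                     presented: RegisteredMobileDevice, smart_card_id: str,
                     observed_zone: str) -> Tuple[bool, List[str]]:
    """Return (authenticated, audit_reasons). All four factors must hold.
    The reasons go to the audit log only; the client just sees pass/fail."""
    reasons: List[str] = []
    # 1. Something they know: user ID and password (constant-time compare).
    expected = record.password_hash if user_id == record.user_id else b""
    if not hmac.compare_digest(hash_password(password, record.salt), expected):
        reasons.append("knowledge factor: user ID/password rejected")
    # 2. Something they have: the white listed RMD (number, IMEI, MAC).
    if not (imei_is_valid(presented.imei)
            and presented.imei == record.rmd.imei
            and presented.mobile_number == record.rmd.mobile_number
            and normalize_mac(presented.mac) == normalize_mac(record.rmd.mac)):
        reasons.append("possession factor: device is not the white listed RMD")
    # 3. Something they have: the smart access card.
    if not hmac.compare_digest(smart_card_id.encode(), record.smart_card_id.encode()):
        reasons.append("possession factor: smart access card rejected")
    # 4. Somewhere they are: the default Location Zone reported by the wireless AP.
    if observed_zone != record.default_zone:
        reasons.append("location factor: not in default Location Zone")
    return (not reasons, reasons)


# Constructed sample record, as an administrator would white list it on the AADC.
SAMPLE_SALT = b"constructed-salt"
SAMPLE_RMD = RegisteredMobileDevice(mobile_number="+15555550123",
                                    imei="490154203237518",
                                    mac="00:1A:2B:3C:4D:5E")
SAMPLE_IPU = IPURecord(user_id="jdoe", salt=SAMPLE_SALT,
                       password_hash=hash_password("correct horse battery", SAMPLE_SALT),
                       rmd=SAMPLE_RMD, smart_card_id="CARD-0042", default_zone="Z1")

if __name__ == "__main__":
    ok, why = authenticate_ipu(SAMPLE_IPU, "jdoe", "correct horse battery",
                               SAMPLE_RMD, "CARD-0042", "Z1")
    print("authenticated" if ok else "rejected", why)
```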

3.8 Detecting Management (DM) Module

The Dynamic Framework system’s process begins when the enterprise hires new employees and assigns the new employees credentials, which include a smart badge equipped with an RFID, along with other security credentials the organization typically uses (e.g., tokens, ID, password). The Dynamic Framework system will also require the enterprise to assign an RMD to each user. Alternatively, the Dynamic Framework system’s process will potentially allow the users to use their own device, or the enterprise-issued device, based on the enterprise’s MDM policy. This requires the user to load the front-end client agent on his/her device(s). Additionally, the Dynamic Framework system utilizes Quick Response (QR) Code to help an enterprise become more efficient in implementing the process. See Appendix 2.

3.8.1 Registration Process

The Dynamic Framework system assigns the employees IPU status with RBAC and RB-RBAC based on their job titles and requirements respectively. Figure 27 illustrates the process of provisioning new users with the appropriate privileges and zones in the enterprise environment. Role-Based Access Control assigns permission based on competency, authority, responsibility, and zone access. Rule-Based Access Control uses specifically configured rules to access a resource such as a network drive, website, file, folder, or printer, among other things.

The rules also specify the privileges the employees will have, such as “read,” “write,” “execute,” “allow,” and “deny,” and enable users to access additional zones in accordance with their job requirements. With RB-RBAC, users will meet a predefined set of rules, established through the certificate process explained above, combined with a User ID and password. This will essentially add the new employee, or the IPU, to the Dynamic Framework system’s IM database. This status will differ depending on an employee’s roles and duties within the enterprise.

Figure 27: Dynamic Framework Registration Process.

Traditional Cybersecurity was about perimeter control, and it was assumed that the internal network was trusted while networks outside the organization were untrustworthy.

As enterprises have grown and their networks have become more complex, it has become necessary to segment different portions of the internal network based on sensitivity to the risk that is imposed by or upon other parts of the network. The Dynamic Framework system’s DM module will assign a zone to each IPU, based on the IPU’s assigned location within the authorized zones inside the enterprise facility, and the IPUs will be authenticated using wireless APs, and allowed to move from one zone to another. See Appendix 4 for visualization. All the zones for each IPU are predetermined in the Dynamic Framework system’s AADC. This will not allow any IPU to access any IRD in the zones in which the IPU is not authorized. Should they attempt to access IRDs in prohibited zones, the system will raise a flag.

At this point, employees can access authorized zones and move around freely within the facility. Additionally, through the IM, AM, and PM modules, the DM module will enable the IPU to connect to only his/her predetermined assets, such as desktop, printer, VoIP phone, or laptop, using the assets’ MAC address, IP address, and other unique identifying information.

Since the IPU and IRD credentials are mapped in the Dynamic Framework system to each unique user, and since the Dynamic Framework system will communicate with the enterprise’s MDM technology system, when the IPU physically enters the premises or facilities of the enterprise using his/her badge, the MDM will recognize and add the user’s mobile device to the MDM server and wireless APs. Once inside the facilities, the RMD uses Bluetooth technology to connect to the RFID on the badge. This will result in multi-factor authentication, and will require the IPU’s Bluetooth and badge to remain within the range of one another to ensure functionality. At this stage the Dynamic Framework system has started to monitor the user and his/her device(s) within the enterprise, hence reducing or limiting the risks to the enterprise.

Each IPU will constantly authenticate himself/herself to the system. Additionally, since the enterprise can create multiple zones within a facility, and can leverage APs for the creation of these zones, movements of the IPU within the enterprise’s facilities will be continuously monitored using the wireless APs. Further, one’s responsibilities, duties, and department will limit access to each zone. As such, if an IPU is in a zone in which s/he is not authorized to be, the combination of the RMD, badge, and AP will recognize the IPU as not within his/her appropriate zone, and will suspend his/her privileges until the IPU returns to his/her proper zone or until s/he requests access to additional zones. This will also reduce the risks posed to the enterprise by ensuring that users or IPUs cannot access unauthorized devices within an enterprise using their credentials.
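The zone rules of this section (suspend privileges outside an authorized zone, restore them on return, flag attempts to reach an IRD in a prohibited zone, require RMD and badge to stay paired), as an added example that is not code from the dissertation or its prototype. The AP-to-zone mapping, the authorized-zone table, the observation format and the sample stream are constructed assumptions.

```python
"""Added example (not the dissertation's code): a model of the DM module's
continuous zone check. On the AADC each wireless AP is tied to one zone and
each IPU to a set of authorized zones; an observation records which AP now
sees the user's RMD, whether the badge RFID is still paired over Bluetooth,
and any IRD the user is trying to reach. All names and data are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Status(Enum):
    ACTIVE = "active"          # privileges in force
    SUSPENDED = "suspended"    # privileges suspended until back in a proper zone


@dataclass(frozen=True)
class Observation:
    user_id: str
    ap_id: str                            # wireless AP that currently sees the RMD
    badge_in_range: bool                  # RMD Bluetooth link to the badge RFID is up
    requested_ird: Optional[str] = None   # asset the user is trying to reach, if any


@dataclass
class Decision:
    status: Status
    zone: Optional[str]
    flags: List[str] = field(default_factory=list)


# Constructed AADC configuration: AP -> zone, IPU -> authorized zones, IRD -> zone.
AP_ZONE: Dict[str, str] = {"ap-01": "Z1", "ap-02": "Z2", "ap-03": "Z3"}
AUTHORIZED_ZONES: Dict[str, Set[str]] = {"ipu-1001": {"Z1", "Z2"}}
IRD_ZONE: Dict[str, str] = {"printer-7": "Z1", "ws-1001": "Z2", "trading-srv": "Z3"}


def evaluate(obs: Observation) -> Decision:
    """Apply the section 3.8.1 rules to one observation (stateless, so a user
    who returns to an authorized zone is ACTIVE again on the next observation)."""
    zone = AP_ZONE.get(obs.ap_id)
    authorized = AUTHORIZED_ZONES.get(obs.user_id, set())
    if zone is None:
        # An AP the AADC does not know cannot place the user in any zone.
        return Decision(Status.SUSPENDED, None, ["RMD seen by unregistered AP " + obs.ap_id])
    if not obs.badge_in_range:
        # RMD and badge must stay within range of each other for the pairing to hold.
        return Decision(Status.SUSPENDED, zone, ["RMD separated from badge RFID"])
    d = Decision(Status.ACTIVE, zone)
    if zone not in authorized:
        d.status = Status.SUSPENDED
        d.flags.append("user present in unauthorized zone " + zone)
    if obs.requested_ird is not None:
        ird_zone = IRD_ZONE.get(obs.requested_ird)
        if ird_zone is None or ird_zone not in authorized:
            # Access is denied and flagged even when the user's own zone is fine.
            d.flags.append("attempt to access IRD %s in prohibited zone %s"
                           % (obs.requested_ird, ird_zone or "unknown"))
    return d


def monitor(observations: List[Observation]) -> List[str]:
    """Run the check over a time-ordered stream and return audit log lines."""
    log = []
    for i, obs in enumerate(observations):
        d = evaluate(obs)
        extra = " flags=" + "; ".join(d.flags) if d.flags else ""
        log.append("t=%d %s zone=%s status=%s%s"
                   % (i, obs.user_id, d.zone, d.status.value, extra))
    return log


# Constructed stream: authorized zone, drift into Z3, return to Z2, badge lost.
SAMPLE_STREAM = [
    Observation("ipu-1001", "ap-01", True),
    Observation("ipu-1001", "ap-01", True, requested_ird="printer-7"),
    Observation("ipu-1001", "ap-03", True),
    Observation("ipu-1001", "ap-03", True, requested_ird="trading-srv"),
    Observation("ipu-1001", "ap-02", True),
    Observation("ipu-1001", "ap-02", False),
]

if __name__ == "__main__":
    for line in monitor(SAMPLE_STREAM):
        print(line)
```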

3.9 Framework Outcome

In today’s security environment, very little attention is paid to accountability. Having said that, through the Dynamic Framework system, a continuous monitoring capability has been added to the Defense in Depth approach of the enterprise’s security posture. This will improve asset visibility in real-time, provide the Chief Security Officer (CSO) with more information in real-time, and will enable him/her to determine how the enterprise’s resources are being used, thereby allowing the enterprise to hold individuals accountable for any malicious activity involving organizational assets.

3.10 Supporting the Dynamic Framework

The Dynamic Framework system was discussed and fine-tuned by Subject Matter Experts (SMEs). Based on the SMEs’ feedback, this proactive security approach, which is lacking in today’s Cybersecurity industry, will complement the current Cybersecurity practices, and will add an additional layer of security to an enterprise’s security posture. For more details on the SME process see Chapter 4.

Chapter 4. Methodology

4.1 Overview and Research Approach

For this research it is essential to understand the Cybersecurity postures, needs, and Vulnerabilities of various enterprises and organizations in industry and government. Yet, given the sensitive and often confidential nature of Cybersecurity postures, it is next to impossible to find the necessary information about these organizations’ Cybersecurity postures through traditional research. In order to collect adequate and accurate information, the Researcher conducted personal interviews with Subject Matter Experts (SMEs) and provided them with a questionnaire.

4.2 Background of Subject Matter Experts

The SMEs selected for the interviews for this research were specifically chosen for their expertise in the fields fundamental to the proposed model of this research, such as mobile security, end point security, forensics, enterprise network architecture, and Cybersecurity auditing and compliance. Of all of the SMEs, 70% were males and 30% females. In addition, their academic degrees are as follows: 20% hold Bachelor of Science degrees, 60% possess Master of Science degrees, and 20% hold Doctor of Philosophy degrees.

Furthermore, the SMEs’ job sectors are as follows: 20% work in the public sector (e.g., NIST, NCCoE) and 80% are employed in the private sector (e.g., financial, defense industry, and Information Technology). All of the SMEs had over ten years of experience, with 40% having less than 25 years, and 60% over 25 years. For a detailed breakdown of the SMEs’ demographics, see Figure 28. Lastly, many of the SMEs hold security clearances, and all of them have significant professional experience.

[Figure 28 is a bar chart with four panels: Sex, Education, Job Sector, and Level of Experience; the percentages shown are those given in the text above.]

Figure 28: SME Demographics.

Many of the selected SMEs were selected due to their close ties and consulting experience with the private sector, in particular the Financial Services Sector, and various government agencies. While the SMEs did not reveal any confidential information regarding their work, their experience with hundreds of banks and other organizations in the Financial Services Sector has provided them with a wealth of non-confidential information that they relayed to the Researcher, which has proven to be fundamental for this research.

Additionally, under EO 13636 it is mandatory for NIST to take a lead in formulating the best Cybersecurity practices and working with various sectors to improve the national Cybersecurity posture. Accordingly, this research relies on the professional knowledge of SMEs from NIST’s National Cybersecurity Center of Excellence (NCCoE).

It is important to note that some of the SMEs interviewed for this research have a general knowledge of Cybersecurity while others have an expertise in a specific field or sector such as the Financial Services Sector. Therefore, the questions posed to each SME varied based on his/her subject-specific expertise.

4.3 Data Quantification

Based on the current state of the Cybersecurity industry, it is generally accepted that users are the weakest link in security. Accordingly, the SMEs and the Researcher agreed that users are a threat to an enterprise. Hence, in order to accurately gauge the degree of risk facing the various industries of the SMEs, the Researcher established two categories of constants: (1) Threat(s), and (2) Vulnerabilities. The first category, Threat(s), consists of the number of employees in the SME’s environment. The second category, Vulnerabilities, consists of the number of devices used by the employees. For more information concerning the Threat Scale and the Vulnerability Scale, see Table 2 and Table 3, respectively.

Table 2: Threat Scale – Number of Users

Threat Scale    Number of Users
1               1-100
2               101-500
3               501-1000
4               1001+

Table 3: Vulnerability Scale – Number of IRD and ERD

Vulnerability Scale    Number of IRD and ERD
5                      1-100: low vulnerability
10                     101-1000: medium vulnerability
20                     1001-10,000: high vulnerability
30                     10,001+: very high vulnerability

Prior to the interview, the Researcher presented the SMEs with two items. First, he presented two matrices based on NIST SP 800-30: see Table 4 for the Risk Matrix and Table 5 for the Impact Matrix. Second, he shared the Dynamic Framework system, how it was built, and how it functioned. This enabled the SMEs to study the components of the Dynamic Framework system, understand how the Researcher categorized risk and impact, and consider if and how the implementation of the Dynamic Framework system could reduce the risks facing their industry.

Table 4: Risk Matrix

Risk Value | Definition
0: very low | Threat event could have a negligible effect on the enterprise's operations, assets, and individuals.
1: low | Threat source could have a limited effect on the enterprise's operations, assets, and individuals.
2: moderate | Threat source could have a serious effect on the enterprise's operations, assets, and individuals.
3: high | Threat source could have a severe effect on the enterprise's operations, assets, and individuals.

Table 5: Impact Matrix

Impact Value | Definition
0: very low | The exploit of a Vulnerability would be negligible for an enterprise. The impact is not of concern to enterprise operations, productivity and CIA losses; the appropriate countermeasure plan or controls are fully implemented in different areas of the enterprise and are effective to a moderate extent.
1: low | The exploit of a Vulnerability would be limited and generally acceptable for an enterprise. The impact on enterprise operations, productivity and CIA losses is minimal; the appropriate countermeasure plan or controls are fully implemented in different areas of the enterprise and are effective to a moderate extent.
2: moderate | The exploit of a Vulnerability would be marginally acceptable for an enterprise. There are definite enterprise operations, productivity and CIA losses, and the enterprise's operations would be noticeably compromised. The appropriate countermeasure plan or controls are partially implemented in different areas of the enterprise and are effective to a moderate extent.
3: high | The exploit of a Vulnerability would be unacceptable for an enterprise. There are significant enterprise operations, productivity and CIA losses, and the ability to continue the enterprise's operations would be significantly compromised. The appropriate countermeasure plan or controls are not implemented in different areas of the enterprise.

4.4 Interview Process

As indicated in the previous section (4.2 Background of Subject Matter Experts), the Researcher selected specific individuals from various private sector and public sector backgrounds to interview for this research. Thereafter, the Researcher proceeded with the interview in two steps: the first step was to schedule the interview and complete the confidentiality form (Appendix 6); the second step was the actual interview, which was conducted using a pool of questions. This pool contains questions that cover all the domains within a security environment. Figure 29 illustrates the detailed process for using the pool of questions. For the pool of questions itself, see Appendix 7.


Figure 29: Pool of Question Process.

From this pool (about 631 questions), the Researcher developed nine categories of Controls: asset management, physical security, communications security, operations security, access control, incident response, business continuity, compliance, and wireless security. The Researcher chose these nine categories because together they cover the Dynamic Framework system's design.

From those nine categories, and based on the SMEs' backgrounds, the Researcher asked industry-specific questions chosen carefully from the pool. The Researcher selected and presented the questions to the SMEs according to the three categories of functional Controls on which the Dynamic Framework system was designed: preventive, detective, and corrective. From each of the three categories of functional Controls, five randomly selected questions were presented to each SME. Since there were ten SMEs and each was asked five questions from each of the three categories, a total of 150 questions were asked.

The questions covered the three functional Controls; however, since each SME worked in an environment unique to him or her, the Researcher, based on his own expertise, tailored the questions for each SME. For additional details regarding the areas of questions within each category, see Appendix 5.

Based on the SMEs' review of the Dynamic Framework system prior to the interview, the Researcher then asked whether the implementation of the Dynamic Framework system would reduce the impact and risk in the SMEs' industries, to which the SMEs provided a simple "yes" or "no" response. Furthermore, the Researcher performed descriptive statistics (e.g., frequency distribution) on all ten SMEs' answers using SPSS 23. For a detailed breakdown of the SMEs' answers, see Table 6. Additionally, for demographic information on the SMEs, see Appendix 10.

Table 6: Frequency Table (n = 10 SMEs)

Variable | Level | Frequency | Percent
Gender | Male | 7 | 70.0
Gender | Female | 3 | 30.0
Education | Bachelor of Science degree | 2 | 20.0
Education | Master of Science degree | 6 | 60.0
Education | Doctor of Philosophy degree | 2 | 20.0
Job Sector | Public Sector | 2 | 20.0
Job Sector | Private Sector | 8 | 80.0
Yes or No | No | 2 | 20.0
Yes or No | Yes | 8 | 80.0
Experience | Over 10 years / less than 25 years | 4 | 40.0
Experience | Over 25 years | 6 | 60.0
Sector | Financial | 5 | 50.0
Sector | Information Technology | 3 | 30.0
Sector | Defense | 2 | 20.0

The Researcher also performed a cross-tabulated frequency analysis in SPSS 23 to examine the relationship between the SMEs' answers and the SMEs' demographics. Table 7 illustrates the results. With only ten respondents, a cross-tabulated frequency analysis is the appropriate descriptive method for examining the relationship between these variables. Six male SMEs and two female SMEs said "yes." Seven SMEs in the private sector said "yes," and one SME in the public sector said "yes." Further, five SMEs with over 25 years of experience said "yes," and three SMEs with over 10 but less than 25 years of experience also said "yes."

Table 7: Frequency Analysis (cross-tabulation of the SMEs' yes/no answer against demographics; each cell gives the count, then the percentage within the demographic level, then the percentage within the answer column)

Gender | No | Yes
Male | 1 (14.3%, 50.0%) | 6 (85.7%, 75.0%)
Female | 1 (33.3%, 50.0%) | 2 (66.7%, 25.0%)
Total | 2 (20.0%, 100.0%) | 8 (80.0%, 100.0%)

Job Sector | No | Yes
Public Sector | 1 (50.0%, 50.0%) | 1 (50.0%, 12.5%)
Private Sector | 1 (12.5%, 50.0%) | 7 (87.5%, 87.5%)
Total | 2 (20.0%, 100.0%) | 8 (80.0%, 100.0%)

Experience | No | Yes
Over 10 years / less than 25 years | 1 (25.0%, 50.0%) | 3 (75.0%, 37.5%)
Over 25 years | 1 (16.7%, 50.0%) | 5 (83.3%, 62.5%)
Total | 2 (20.0%, 100.0%) | 8 (80.0%, 100.0%)

Sector | No | Yes
Financial | 0 (0.0%, 0.0%) | 5 (100.0%, 62.5%)
Information Technology | 1 (33.3%, 50.0%) | 2 (66.7%, 25.0%)
Defense | 1 (50.0%, 50.0%) | 1 (50.0%, 12.5%)
Total | 2 (20.0%, 100.0%) | 8 (80.0%, 100.0%)

During the interview process, additional areas and questions related to this research were explored. Some of the SMEs also suggested modifications to the design of the Dynamic Framework system in order to make the system more effective and end-user friendly. The Researcher has incorporated the SMEs' suggested modifications, such as the Access Point (AP) connection, into the final design of the Dynamic Framework system.

The interviews were conducted in person. Most of the interviews occurred in the offices of the SMEs. Given the sensitive nature of some of the SMEs' professions, however, some interviews took place in a formal setting at other locations.

4.5 Creation and Selection of Questions

This dissertation relies primarily on qualitative responses and research. The questions presented to the SMEs were based on the Researcher's expertise in Cybersecurity, his recognition and knowledge of known Vulnerabilities and other areas of weakness in various enterprises, and finally, the literature reviews conducted for this research. The Researcher has extensive professional and academic experience in the Cybersecurity industry. Further, the Researcher worked with the NCCoE and helped with the creation of NIST SP 1800-5B, "NIST Cybersecurity Practice Guide Financial Services: IT Asset Management," released in 2015. The SMEs were willing to share, explore and discuss the Vulnerabilities in the Cybersecurity field with the Researcher.

4.6 Ethical Considerations

Prior to the interview, the Researcher provided the SMEs with an "Interview Participant Consent and Confidentiality Form" (Appendix 6), which the SMEs signed. This form establishes mutual confidentiality between the Researcher and the SMEs regarding all matters discussed.

As stated in the form, the names, job titles, and signatures of the SMEs are not part of this research document, for reasons of confidentiality and ethics. The Researcher will keep this confidential information on file for three years. Furthermore, during the interview, no specific questions were asked or answered about the SMEs' own organizations, in order to avoid a conflict of interest and the sharing of confidential information.

4.7 Subject Matter Experts’ Confidence in the Dynamic Framework System

This chapter has presented the SMEs' feedback and their confidence in implementing the Dynamic Framework system and in its capability to reduce the risk to Confidentiality, Integrity and Availability (CIA). Furthermore, the Researcher has reviewed the current state of security within the Financial Services Sector, which serves as the core of this research, as well as within a "generic enterprise." The following chapter describes the current state of Cybersecurity in the Financial Services Sector.

Chapter 5: Current State of Cybersecurity and Data Analysis

5.1 Overview

This research recognizes that current Cybersecurity practices are insufficient to prevent a Cyber-Attack, to respond to a Cyber-Attack, and, most importantly, to remain resilient during a Cyber-Attack. The literature review, the questionnaire provided to the Subject Matter Experts (SMEs), the data and information collected through the interviews with the SMEs, and the Researcher's own Cybersecurity knowledge all point to the same conclusion: in today's global Cyber-Society the weakest link in security is humans.

The purpose of the Dynamic Framework system is to recommend a new and near-future Cyber-Ecosystem (CE) that an enterprise can use to improve its security posture. Using the Dynamic Framework system will also enable the enterprise to develop healthier Cyber Hygiene (CH) by implementing a technology that, through continuous monitoring of the enterprise's assets, turns the weakest link in security into the strongest.

5.2 Data Collection and Analysis

As discussed in Chapter 4, the Researcher collected qualitative survey data through the interview process. The Researcher provided the Dynamic Framework system to the SMEs prior to their interviews. Before each interview, the Researcher and the SME had a brief discussion to clarify any questions the SME may have had about the Dynamic Framework system. The Researcher then presented the qualitative survey to the SME, and the qualitative responses were converted to quantitative data with the help of the SME, using the risk and impact matrices. Drawing on their experience and expertise, the SMEs assisted the Researcher in quantifying the actual risk (using the risk and impact matrices discussed in Chapter 4) both before and after the implementation of the Dynamic Framework system. In other words, during the interview the Researcher, with the SME's collaboration and input, quantified the risk level before and after the implementation of the Dynamic Framework system.

The risk calculation process for the three categories of functional Controls (preventive, detective, and corrective) was as follows:

1. The highest value that any SME can assign in the risk matrix is three (3), high.
2. The highest value that any SME can assign in the impact matrix is three (3), high.
3. The Researcher multiplied the two to obtain the maximum per-question score of 9 (the highest risk value times the highest impact value).
4. That value was multiplied by five (5), because each category (preventive, detective, and corrective) has exactly five questions, giving a maximum category score of 45.
5. The total risk score for each category, based on the SME's answers, was divided by this baseline (the highest potential value of 45) to arrive at the percentage of total risk for that category before the implementation of the Dynamic Framework system.
6. Steps 1-5 were then repeated using the new values given by the SME for the situation after the implementation of the Dynamic Framework system.

The quantitative data, which is presented and analyzed below, shows the percentage of total risk before and after the implementation of the Dynamic Framework system in each of the SMEs' unique environments. The overall figure for an SME is the score achieved across all three categories as a percentage of the maximum score of 135 (three categories times 45).
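The scoring procedure of Sections 4.3 and 5.2 carried through in code. This is an added example, not tooling from the dissertation: the scale boundaries come from Tables 2 and 3, the value ranges from Tables 4 and 5, and the 45- and 135-point baselines from the six steps above; the SME answers at the bottom are constructed for illustration and are not the study's data.

```python
"""Risk quantification from Sections 4.3 and 5.2 (Tables 2-5 and the six-step
process), written out as an added example; this is not the dissertation's own
tooling, and the SME answers at the bottom are constructed for illustration."""
from dataclasses import dataclass

RISK_MAX = 3                  # Table 4: 0 (very low) .. 3 (high)
IMPACT_MAX = 3                # Table 5: 0 (very low) .. 3 (high)
QUESTIONS_PER_CATEGORY = 5    # five questions per functional-control category
CATEGORIES = ("preventive", "detective", "corrective")
CATEGORY_MAX = RISK_MAX * IMPACT_MAX * QUESTIONS_PER_CATEGORY   # step 4: 45
TOTAL_MAX = CATEGORY_MAX * len(CATEGORIES)                      # 135


def threat_scale(num_users):
    """Table 2: Threat Scale from the number of users (employees)."""
    if num_users < 1:
        raise ValueError("an enterprise needs at least one user")
    if num_users <= 100:
        return 1
    if num_users <= 500:
        return 2
    if num_users <= 1000:
        return 3
    return 4


def vulnerability_scale(num_devices):
    """Table 3: Vulnerability Scale from the number of IRD and ERD (devices)."""
    if num_devices < 1:
        raise ValueError("at least one device is required")
    if num_devices <= 100:
        return 5
    if num_devices <= 1000:
        return 10
    if num_devices <= 10_000:
        return 20
    return 30


@dataclass(frozen=True)
class Answer:
    """One SME answer to one question: a Table 4 risk value and a Table 5 impact value."""
    risk: int
    impact: int

    def score(self):
        if not (0 <= self.risk <= RISK_MAX and 0 <= self.impact <= IMPACT_MAX):
            raise ValueError(f"risk and impact must be 0..{RISK_MAX}: {self}")
        return self.risk * self.impact      # step 3: at most 3 x 3 = 9


def _category_raw(answers):
    """Sum of the five risk x impact scores, after checking the category is complete."""
    if len(answers) != QUESTIONS_PER_CATEGORY:
        raise ValueError(f"each category has exactly {QUESTIONS_PER_CATEGORY} questions")
    return sum(a.score() for a in answers)


def category_risk_percent(answers):
    """Step 5: category score as a percentage of the 45-point baseline."""
    return 100.0 * _category_raw(answers) / CATEGORY_MAX


def total_risk_percent(by_category):
    """Overall risk level as a percentage of the 135-point maximum over the three categories."""
    missing = set(CATEGORIES) - set(by_category)
    if missing:
        raise ValueError(f"missing categories: {sorted(missing)}")
    return 100.0 * sum(_category_raw(by_category[c]) for c in CATEGORIES) / TOTAL_MAX


def risk_reduction(before, after):
    """Step 6: drop in total risk, in percentage points, after the Dynamic Framework."""
    return total_risk_percent(before) - total_risk_percent(after)


def summarize(before, after):
    """Per-category and total (before, after) percentages, as Figures 30 and 31 plot them."""
    rows = {c: (category_risk_percent(before[c]), category_risk_percent(after[c])) for c in CATEGORIES}
    rows["total"] = (total_risk_percent(before), total_risk_percent(after))
    return rows


# Constructed answers for one hypothetical SME (not the study's data).
SAMPLE_BEFORE = {
    "preventive": [Answer(3, 3), Answer(3, 2), Answer(2, 3), Answer(2, 2), Answer(3, 3)],
    "detective":  [Answer(3, 3), Answer(3, 3), Answer(2, 2), Answer(3, 2), Answer(2, 3)],
    "corrective": [Answer(2, 2), Answer(3, 2), Answer(2, 3), Answer(1, 2), Answer(3, 3)],
}
SAMPLE_AFTER = {
    "preventive": [Answer(2, 2), Answer(2, 1), Answer(1, 2), Answer(1, 1), Answer(2, 2)],
    "detective":  [Answer(1, 2), Answer(2, 2), Answer(2, 2), Answer(2, 1), Answer(2, 2)],
    "corrective": [Answer(1, 2), Answer(2, 2), Answer(1, 2), Answer(1, 1), Answer(2, 1)],
}

if __name__ == "__main__":
    print("threat scale for 750 users:", threat_scale(750))
    print("vulnerability scale for 2,500 devices:", vulnerability_scale(2500))
    for name, (b, a) in summarize(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(f"{name:>10}: {b:5.1f}% -> {a:5.1f}%")
    print(f"reduction: {risk_reduction(SAMPLE_BEFORE, SAMPLE_AFTER):.1f} points")
```

For the constructed SME the before total is 95/135 (70.4%) and the after total is 40/135 (29.6%), a reduction of 40.7 points, which sits inside the 10 to 42 percent range the chapter reports. The functions refuse an incomplete category or an out-of-range value rather than silently scaling, because the 45- and 135-point baselines only hold when every category has exactly five answers in the 0 to 3 range.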


Figure 30: Previous Total Risk vs. Future Total Risk Levels After Implementation of the Dynamic Framework System.

Since the Dynamic Framework system was built on the three categories of preventive, detective, and corrective, the Researcher also measured the risk level reduction within each category in each of the SMEs’ unique environments.

Examining the results shows a reduction of risk after the implementation of the Dynamic Framework system in each category of the functional Controls. All SMEs reported a reduced level of risk in each category (see Figure 31). For more details, see Appendix 9.


Figure 31: Previous Total Risk vs. Future Total Risk in Three Categories of Functional Controls.

To see how the SMEs and the Researcher arrived at and converted the numbers used in the data analysis, see Appendix 8 for a sample of the dialogue between the Researcher and the SMEs. As Appendix 9 illustrates, the SMEs estimated that implementing the Dynamic Framework system would reduce the total risk to their enterprises by between 10 percent and 42 percent.

5.3 Financial Services Sector Cyber Taxonomy

There is no "perfect" solution for combating the Cyber-Attacks deployed against the Financial Services Sector. One of the best ways for the Financial Services Sector to manage and mitigate the risks of Cyber-Attacks is to establish Cyber-Resiliency in its critical systems. To have Cyber-Resiliency, a system must be able to fulfill its primary function(s), even if an attack compromises the system, until the system is returned to a secure state [DSB, 2012]. To properly understand the security posture of the Financial Services Sector, it is necessary to thoroughly examine the sector's taxonomy. See Figure 32.

Figure 32: Financial Services Sector’s Cyber Taxonomy.

5.4 Current Cyber Strategies

There are two strategies for establishing Cyber-Resiliency: (1) proactive techniques, and (2) reactive techniques. Proactive techniques are used to prevent Cyber-Attacks preemptively, while reactive techniques are employed in response to a Cyber-Attack [Goldman et al., 2011].

Proactive techniques for establishing Cyber-Resiliency include establishing system isolation or containment, introducing diversity and randomness into the environment, and ensuring data and system integrity and availability. Containment tactics will help reduce the attack surface and the potential destruction that can be caused by a Cyber-Attack.

Reactive techniques consist of deception, dynamic reconfiguration, and dynamic reconstitution. Deception tools, such as honeypots, are used to deliberately misdirect the attacker(s). A honeypot is an isolated system within the target environment that allows analysis of the attackers' methods and tools. Another reactive technique is dynamic reconstitution, which provides redundancy by having fault-tolerant assets in place. Essentially, if one critical system fails, dynamic reconstitution ensures that another system is available to replace it [Goldman et al., 2011].

5.5 Current Security Architecture and Capabilities

Given the nature of the Financial Services Sector, as well as its assets, this Sector must make resources available to both its clients and its privileged users at all times. The access available to clients and privileged users will vary depending on the specific enterprise’s policies, procedures, and protocols. The proposed security architecture set forth in this research is applicable regardless of the times at which access is granted by the enterprise to clients and privileged users. Furthermore, Figure 33 shows the typical organizational architecture in the Financial Services Sector.

The architecture shown in Figure 33 provides the typical "rear-view-mirror" picture of an enterprise's network security as used during the enterprise's routine operation. This architecture is very capable of telling the security team what has happened to the enterprise's network, but it lacks the ability to see beyond the current state of security and is unable to predict threats as they evolve.

Figure 33: Rear-View-Mirror Picture of an Enterprise’s Network Security.

Current reactive Cybersecurity practices and methodologies are, at best, marginally effective, but are generally insufficient to prevent sophisticated Cyber-Attacks.

Additionally, "Implementing countermeasures against the next generation's and Flame requires an intelligent security model that includes a multi-faceted approach." [Shariati, 2014].

5.6 Attack Vector

An Attack Vector (AV) is a path or tool that a threat actor uses in order to gain access to a device, system, or network. Upon gaining access, the threat actor can use the AV to launch attacks against, gather information from, or deliver malicious items to those devices, systems, or networks [Mateski et al., 2012].

Cyber-Attacks normally follow a process that begins with reconnaissance and ends with exploitation, disruption, or destruction. Figure 34 shows the phases of a Cyber-Attack [Coleman, 2012].

Figure 34: Cyber-Attack Process. [Coleman, 2012].

Cyber attackers use various AV tactics, tools, and technologies to launch a Cyber-Attack, whether to collect information or to exploit an enterprise's Vulnerabilities. This research argues that if the Financial Services Sector implements the Dynamic Framework system, the Sector can interrupt the kill chain and reduce the risk of Cyber-Attacks.

5.7 Security Domain Categories

The security categories for this research were classified into several domains. Prior to the interview process, the Researcher categorized enterprise Vulnerabilities based on his research, the SMEs' expertise and the literature reviews. During the qualitative survey and the interview process described above, the information collected was categorized into the following domains:

1. Risk Management (RM) – Continuous assessment of threats, Vulnerabilities and their impact on the Confidentiality, Integrity and Availability of an enterprise's data and assets.
2. Network Security (NS) – The need to continuously protect the security and functionality of an enterprise's IT.
3. Asset Management Security (AMS) – The enterprise can reliably and accurately track each of its assets, such as desktops, laptops, printers, and other assets, and the use of each asset at any given time.
4. Identity Management (IM) – Management of users' identities, such as internal users, external users, contractors, and guests, with different levels of access control.
5. Enterprise Resumption (ER) – Continuous operation of an enterprise's networks after an adverse Cyber-Event. NIST 800-61 (2011) defines four stages for computer security incident handling: (1) Preparation, (2) Detection and analysis, (3) Containment, eradication, and recovery, and (4) Post-incident activity.
6. Security Audit (SA) – Ensures the integrity of an enterprise's assets and that only authorized devices and users can access an enterprise's resources.
7. Forensic – Analyzing the root cause of an incident, and being able to collect evidence for forensic investigation of internal and external crimes.

5.8 Security Analysis

The Researcher organized the above domains based on an enterprise's Vulnerabilities as indicated by the SMEs, Cybersecurity best practices, and the Risk Framework (RF). Thereafter, the domains were analyzed in terms of the tools, resources, and historical data, such as Cyber-Attacks and insider threats that have compromised an enterprise's assets.

After properly organizing the domains, the Researcher analyzed the collected information to determine whether an enterprise could reduce the risk of existing Vulnerabilities by implementing the proposed Framework; i.e., whether the risk to the enterprise would be reduced if the enterprise could accurately determine its state of security, as well as the state of its employees and their devices, in real time.

5.9 Outcome Overview

One finding that emerged consistently from these interviews was that the current Cybersecurity practices in industry, and specifically in the Financial Services Sector, are wholly inadequate. After the interview, in which the Researcher explained and reviewed the Dynamic Framework system proposed by this research, all ten SMEs indicated that their industry could, and would be willing to, deploy the proposed Dynamic Framework system to improve its Cybersecurity.

Chapter 6. Conclusions and Future Research

6.1 Research Conclusions

Aligning an enterprise's Cybersecurity infrastructure with its business goals starts with the protection of the enterprise's assets, operations, and data. This is an ongoing challenge that enterprises will have to accept. Moreover, people, processes, and technology need to work together to achieve this enterprise security vision and strategy.

The goal of this research was to gather sufficient evidence to show that the Cybersecurity practices and frameworks used in organizations today are inadequate, and to recommend a new and near-future Dynamic Framework system to improve the security posture of an enterprise. There is no foolproof solution to combat Cyber-Attacks; however, by applying the security principle of Defense in Depth together with a continuous monitoring strategy, an enterprise should be able to reduce its risk of Cyber-Attacks.

The outcome of this research was the development of the Dynamic Framework. This Dynamic Framework, with its system's capabilities, operating in parallel with other layers of security, will allow an enterprise to have a current, real-time "state" of its users and devices. While the Dynamic Framework system does not monitor the content and behavior of users, future research may focus on that area. The Dynamic Framework system, with its four modules (IM, AM, PM, and DM), will increase security and identify potential sources of malicious activity within an enterprise. Furthermore, the Dynamic Framework system provides forensics and auditing capabilities in case of an attack against, or compromise of, an enterprise's systems.

6.2 Future Research

Two potential areas of future research are: 1) evaluating automated behavior analysis tools for monitoring users' activities on computers and social media while they use enterprise assets; and 2) building a proof of concept of the Dynamic Framework system.

Appendix 1: Threat Agents and Some of Their Capabilities

Cyber Players | Capabilities | References
5th-Dimension Cyber Army | DDOS, electromagnetic pulse weapons (non-nuclear), embedded Trojan Horse, compromised counterfeit computer software, advanced dynamic exploitation capabilities, wireless data communications jammers, cyber logic bombs, computer viruses and worms, cyber data collection exploits, computer and network reconnaissance tools | http://defensetech.org/2008/05/27/russias-cyber-forces/ ; http://www.foxnews.com/tech/2014/03/09/ukraine-computers-targeted-by-aggressive-snake-virus/ ; http://en.ria.ru/world/20131106/184557118/US-Puts-Alleged-Russian-Hackers-on-FBI-Most-Wanted-List.html
Al Qassam Cyber Fighters, Quds Force | DDOS, Dirtjumper, intranet hacking (NMCI), virus | http://online.wsj.com/news/articles/SB10001424127887324734904578244302923178548 ; http://www.alston.com/Files/Publication/dc282435-c434-42a2-afe738af660dc82a/Presentation/PublicationAttachment/2c3bb5d8-b035-4d03-8e3c390c2da3751d/Cyber-Alert-Evolving-DDOS-Attacks.pdf ; http://www.infowars.com/navy-describes-iran-hack-attack-as-obama-prepares-cybersecurity-framework/
(LulzSec) | Identity theft, phishing | http://www.arifyildirim.com/ilt510/peter.ludlow.pdf ; http://www.theguardian.com/technology/lulzsec
Atomaker & Hasturk | Identity theft, phishing, sabotage | http://www.haaretz.com/jewish-world/jewish-world-news/1.571542
 | DDOS | https://www.wired.com/2013/12/fight-spies-says-chaos-computer-club/
Cult of the Dead Cow | Identity theft, phishing | http://www.arifyildirim.com/ilt510/peter.ludlow.pdf
Cyber Hundred | DDOS, website defacement | http://bits.blogs.nytimes.com/2014/03/04/cyberattacks-rise-as-ukraine-crisis-spills-on-the-internet/?_r=0
Cyber-Spy Unit | DDOS | http://www.cso.com.au/article/529953/12gbps_australian_ddos_amongst_year_worst_google_arbor_visualise_attacks/
 | Identity theft, phishing, sabotage | http://www.bbc.co.uk/news/technology-25559048
GCHQ | DDOS | http://rt.com/news/gchq-ddos-attacks-anonymous-670/
Hamas | Cyber warfare, cyber espionage | http://wanabehuman.blogspot.com/2012/01/middle-east-cyber-hacking-heats-up.html
Hasman Hackers | Website hacking/defacement | http://www.datareign.com/pakistan-massive-cyber-attack-on-india-mtnl-website-hacked-malware-bsnl-database.html
Indian Cyber Army/Indishell | DDOS, cyber espionage, Operation Hangover | http://www.hacksurfer.com/articles/india-vs-pakistan-specter-of-cyber-cold-war-in-the-subcontinent
(Iranian Revolutionary Guard) | Cyber warfare, cyber espionage | http://www.rferl.org/content/iran_says_it_welcomes_hackers_who_work_for_islamic_republic/2330495.html
Islamic Cyber Resistance Group (Hezbollah) | Cyber warfare, cyber espionage | http://www.bitdefender.com/security/hackers-leak-israel-army-data-to-avenge-hezbollah-death.html
Izz ad-Din al-Qassam Cyber Fighters | Identity theft, phishing, sabotage | http://www.nydailynews.com/news/national/mideast-hackers-disrupt-websites-u-s-banks-anti-islam-film-shutdowns-article-1.1170284
North Korea (Unit 121) | DDOS, cyber espionage | http://www.theguardian.com/world/2013/oct/16/north-korean-cyber-warfare-south-korea ; http://www.reuters.com/article/2013/07/16/net-us-korea-cyber-idUSBRE96F0A920130716
Pal Anonymous | Cyberattacks, cyber espionage | http://www.al-monitor.com/pulse/originals/2014/02/gaza-hackers--israel.html#
People's Liberation Army Unit 61398 (China) | DDOS, BIOS attack, malware and cyber warfare arsenal, cyber espionage, various Trojan Horses | http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf ; http://www.reuters.cm/article/2014/03/05/us-cyber-ddos-idUSBREA240XZ20140305 ; http://www.mcafee.com/us/threatcenter/operation-aurora.aspx ; http://www.businessinsider.com/nsa-says-foiled-china-cyber-plot-2013-12 ; http://intelreport.mandiant.com/ ; http://www.securitychallenges.org.au/TOCs/vol7no2.html
RedHack | Identity theft, phishing | http://digitalintifada.blogspot.com/2013/05/the-famous-turkish-hacking-group.html
Russian Business Network (KGB cooperation) | Cyber warfare, cyber espionage, sabotage | http://www.fatalsystemerrorbook.com/pdf/Bizuel_onRBN.pdf ; http://mag.newsweek.com/2014/02/14/russia-tests-total-surveillance-sochi-olympics.html
 | Cyber warfare, cyber espionage | http://www.forbes.com/sites/andygreenberg/2014/02/20/how-the-syrian-electronic-army-hacked-us-a-detailed-timeline/
Team Injector | Identity theft, phishing, sabotage | http://thehackernews.com/2010/12/team-injector-hack-into-exploit-db.html
Telecomix | Identity theft, phishing | http://www.theguardian.com/technology/2011/jul/07/telecomix-arab-spring
The Realm | WANK worm | http://www.theage.com.au/articles/2003/05/24/1053585748340.html
Unknowns | Identity theft, phishing, sabotage | http://www.foxnews.com/tech/2012/05/03/new-unknowns-hacking-group-hits-nasa-air-force-european-space-agency/
Unit 8200 | Database hacking, virus | http://www.reuters.com/article/2009/12/15/us-security-israel-cyberwarfare-idUSTRE5BE30920091215 ; http://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html
Xploiter Crew | Website hacking/defacement | http://www.tech.com.pk/2013/09/feredal-customs-service-and.html

Appendix 2: Dynamic Framework System Administrative Dashboard

Appendix 3: Certificate

Dynamic Framework System Certificate Example

By Behnam Shariati

Version 1.7

The Dynamic Framework Digital Certificate (Certificate) structure is based on X.509v3 and has a software security Token (Token) section. The X.509 Token class is used in the Dynamic Framework system's Certificate, and each Token has a unique identifier, which gives it the flexibility to carry various information, including MAC addresses (shown in red in the original sample). As long as the Certificate Parser (CP) recognizes such Tokens, there is no limitation on the information that can be passed and checked in Tokens. This makes the Dynamic Framework system's Certificate structure very adaptable to the various needs of an enterprise; it works in a similar fashion to a Public Key Infrastructure (PKI) pair of certificates and allows checking for a variety of custom information.

It is important to note that the samples provided here are simply to aid the reader by illustrating the structure of the public, private and root keys. The samples are not based on real data, nor representing the actual size.

Root Public/Private (Dynamic Framework system)
Human readable version:

Certificate Info:
  Version=3.0
  Type= Public, Private
  Serial Number=44973
  Valid From: Sep 15, 2015
  Valid To: Sep 15, 2017
Issuer: Name=GW Corporation State=MD Country=US
Subject: Name=GW Corporation State=MD Country=US
Tokens: MAC=01-23-45-67-89-AB-12-34-56-78-9A-BC
  Created for = Behnam Shariati (example of new employee/user)
Key Info:
  Algorithm=RSA Encryption
  RSA Public Key= Modulus (2048 bit):
    30:82:01:33:02:01:00:30:82:01:03:06:07:2a:86:48:
    70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17:
    16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b:
    c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77:
    8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3:
    d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8:
    e8:35:1c:9e:27:52:7e:41:8f
  RSA Private Key= Modulus (2048 bit):
    00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:
    33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1:
    66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66
    ce:3d:02:01:30:81:f7:02:01:01:30:2c:06:07:2a:86:
    48:ce:3d:01:01:02:21:00:ff:ff:ff:ff:00:00:00:01:
    00:00:00:00:00:00:00:00:00:00:00:00:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:30:5b:04:20:ff:ff:ff:ff:
    00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:bc:e6:fa:ad:a7:
    17:9e:84:f3:b9:ca:c2:fc:63:25:51:02:01:01:04:27:
    30:25:02:01:01:04:20:29:35:3c:ae:9b:75:20:91:0a
Signature: Algorithm=SHA256WithRSAEncryption
    93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:
    92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:
    ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:
    d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:
    0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:
    5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:
    ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:
    d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:
    8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:68:9f

Front-end client agent private Certificate (loaded on to RMD for each user)

Human readable version:

Certificate Info:
    Version=3.0
    Type= Public, Private
    Serial Number=44973
    Valid From: Sep 15, 2015
    Valid To: Sep 15, 2017
Issuer:
    Name=GW Corporation
    State=MD
    Country=US
Subject:
    Name=GW Corporation
    State=MD
    Country=US
Tokens:
    MAC=01-23-45-67-89-AB-12-34-56-78-9A-BC
    Created for = Behnam Shariati (example of new employee/user)
Key Info:
    Algorithm=RSA Encryption
    RSA Public Key= Modulus (2048 bit):
        30:82:01:33:02:01:00:30:82:01:03:06:07:2a:86:48:
        70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17:
        16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b:
        c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77:
        8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3:
        d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8:
        e8:35:1c:9e:27:52:7e:41:8f
    RSA Private Key= Modulus (2048 bit):
        00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:
        33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1:
        66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66
        ce:3d:02:01:30:81:f7:02:01:01:30:2c:06:07:2a:86:
        48:ce:3d:01:01:02:21:00:ff:ff:ff:ff:00:00:00:01:
        00:00:00:00:00:00:00:00:00:00:00:00:ff:ff:ff:ff:
        ff:ff:ff:ff:ff:ff:ff:ff:30:5b:04:20:ff:ff:ff:ff:
        00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:bc:e6:fa:ad:a7:
        17:9e:84:f3:b9:ca:c2:fc:63:25:51:02:01:01:04:27:
        30:25:02:01:01:04:20:29:35:3c:ae:9b:75:20:91:0a
Signature:
    Algorithm=SHA256WithRSAEncryption
        93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:
        92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:
        ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:
        d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:
        0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:
        5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:
        ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:
        d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:
        8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:68:9f

Root Certificate (for verification)

Human readable version:

Certificate Info:
    Version=3.0
    Type= Public, Private
    Serial Number=44973
    Valid From: Sep 15, 2015
    Valid To: Sep 15, 2017
Issuer:
    Name=GW Corporation
    State=MD
    Country=US
Subject:
    Name=GW Corporation
    State=MD
    Country=US
Tokens:
    MAC=01-23-45-67-89-AB-12-34-56-78-9A-BC
    Created for = Behnam Shariati (example of new employee/user)
Key Info:
    Algorithm=RSA Encryption
    RSA Public Key= Modulus (2048 bit):
        30:82:01:33:02:01:00:30:82:01:03:06:07:2a:86:48:
        70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17:
        16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b:
        c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77:
        8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3:
        d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8:
        e8:35:1c:9e:27:52:7e:41:8f
    RSA Private Key= Modulus (2048 bit):
        00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:
        33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1:
        66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66
        ce:3d:02:01:30:81:f7:02:01:01:30:2c:06:07:2a:86:
        48:ce:3d:01:01:02:21:00:ff:ff:ff:ff:00:00:00:01:
        00:00:00:00:00:00:00:00:00:00:00:00:ff:ff:ff:ff:
        ff:ff:ff:ff:ff:ff:ff:ff:30:5b:04:20:ff:ff:ff:ff:
        00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:bc:e6:fa:ad:a7:
        17:9e:84:f3:b9:ca:c2:fc:63:25:51:02:01:01:04:27:
        30:25:02:01:01:04:20:29:35:3c:ae:9b:75:20:91:0a
Signature:
    Algorithm=SHA256WithRSAEncryption
        93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:
        92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:
        ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:
        d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:
        0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:
        5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:
        ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:
        d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:
        8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:68:9f
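The three samples above show the pieces the framework holds (a root with its private key, a per-user agent certificate loaded on the RMD, and the root certificate alone for verification) but not the check that ties them together. The Go program below is an added example, not code from the dissertation or its prototype. Using only the standard library, it builds a root, issues an agent certificate for one user with the device MAC carried in the subject's serialNumber attribute (an assumption: the text does not say which certificate field holds the "Tokens: MAC=" value), and then performs the verification the back end would run with the root certificate: chain to the trusted root, validity window at the time of the check, client-authentication usage, and a match between the MAC in the certificate and the MAC the connecting device presents. Subject names, dates and the 44973 serial are taken from the sample dump; the MAC value, the verification times and all function names are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Pair bundles a certificate with its private key, as the sample dumps list both parts.
type Pair struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// issue generates a fresh RSA key for tmpl and signs it under parent with signer.
// A nil signer means self-signed: the new key signs its own certificate (the root case).
func issue(tmpl, parent *x509.Certificate, signer *rsa.PrivateKey) (*Pair, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Pair{cert, key}, nil
}

// NewRoot builds the self-signed root; subject and serial follow the sample dump.
func NewRoot(org string, notBefore, notAfter time.Time) (*Pair, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(44973),
		Subject:               pkix.Name{Organization: []string{org}, Province: []string{"MD"}, Country: []string{"US"}},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, tmpl, nil)
}

// NewAgentCert issues the front-end agent certificate for one user, signed by the root.
// The device MAC token is placed in the Subject serialNumber attribute (an assumption).
func NewAgentCert(root *Pair, user, mac string, notBefore, notAfter time.Time) (*Pair, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(44974),
		Subject:      pkix.Name{CommonName: user, Organization: root.Cert.Subject.Organization, SerialNumber: mac},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return issue(tmpl, root.Cert, root.Key)
}

// VerifyAgent is the back-end check run with the root certificate: the agent certificate
// must chain to that root, be inside its validity window at time now, be usable for client
// authentication, and be bound to the MAC the device presents. Returns the user on success.
func VerifyAgent(root, agent *x509.Certificate, presentedMAC string, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := agent.Verify(opts); err != nil {
		return "", fmt.Errorf("chain verification failed: %w", err)
	}
	if agent.Subject.SerialNumber != presentedMAC {
		return "", fmt.Errorf("device token mismatch: certificate bound to %q, device presented %q", agent.Subject.SerialNumber, presentedMAC)
	}
	return agent.Subject.CommonName, nil
}

func main() {
	notBefore := time.Date(2015, time.September, 15, 0, 0, 0, 0, time.UTC)
	notAfter := time.Date(2017, time.September, 15, 0, 0, 0, 0, time.UTC)
	root, err := NewRoot("GW Corporation", notBefore, notAfter)
	if err != nil {
		panic(err)
	}
	agent, err := NewAgentCert(root, "Behnam Shariati", "01-23-45-67-89-AB", notBefore, notAfter) // constructed MAC
	if err != nil {
		panic(err)
	}
	// Same certificate checked inside its window, then one day after its Valid To date.
	for _, now := range []time.Time{notBefore.AddDate(0, 6, 0), notAfter.AddDate(0, 0, 1)} {
		user, err := VerifyAgent(root.Cert, agent.Cert, "01-23-45-67-89-AB", now)
		fmt.Printf("%s: user=%q err=%v\n", now.Format("2006-01-02"), user, err)
	}
}
```

Running it prints an accept for the in-window check and an expiry rejection for the same certificate a day after its Valid To date. Keeping the MAC inside the signed certificate, rather than in a separate lookup table, means an agent certificate copied to another device fails the check without any database access, and a certificate issued by any root other than the one loaded for verification is rejected before the token is even compared.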

Appendix 4: Dynamic Framework System Configuration in an Enterprise

Appendix 5: Three Categories of Controls

Preventive Controls Questions Area:

- Risk Assessment
- Access Control
- Data Security
- Protective Technology
- Information Protection Processes and Procedures

Detective Controls Questions Area:

- Security Continuous Monitoring
- Detection Processes
- Audit and Accountability
- Unauthorized wireless access
- Remote access

Corrective Controls Questions Area:

- Recovery Planning
- Vulnerability Mitigation
- Forensics
- Incident Response
- Disaster Recovery

Appendix 6: Interview Participant Consent and Confidentiality Form

Project: Dissertation Research

Topic: A Continuous Monitoring Framework to Manage Cybersecurity in an Enterprise

Researcher: Behnam Shariati, Doctoral Candidate, [George Washington University] ______

I, [Name of Expert], agree to be interviewed by the above Researcher in order to provide information relevant to the topic described above. I understand that all the information will be treated to preserve my anonymity and reported in the research document only in aggregate form or with all identifiable attributes masked.

I, [Name of Expert], further agree that all questions asked by the Researcher, as well as the technological framework and modules discussed during the interview process, are the intellectual property of the Researcher, are strictly confidential, and shall not be disclosed in any manner or form, directly or indirectly, to any person or entity under any circumstances.

Signed______Date______

Appendix 7: Pool of Questions

QUESTIONS

Management commitment Has top management's direction on information security been established? Is top management’s (e.g. an executive or board-level director) commitment to information security demonstrated? Is control over information security provided by a high-level working group, committee or equivalent body? Information Security Functions Are staff agreements established, which specify information security responsibilities?

Are key security responsibilities incorporated into staff contracts? Are information security responsibilities taken into account when applicants are screened for employment? Local Security Coordination Are individuals appointed to coordinate information security arrangements locally?

Are local security coordinators competent to carry out their security responsibilities?

Security Policy Is there a comprehensive, documented information security policy? Is the information security policy communicated to all individuals with access to the enterprise’s information and systems? Is there an information security policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? If yes, does the policy contain: Risk assessment? Risk management? Security awareness training/education? Business continuity? Consequences for non-compliance with corporate policies? Responsibilities for information security management? Acceptable use? Access control? Application security? Change control? Clean desk? Computer and communication systems access and use? Data handling? Desktop computing? Disaster recovery? Email? Constituent accountability? Encryption? Exception process?

87 Information classification? Internet/Intranet access and use? Mobile computing? Network security? Operating system security? Personnel security and termination? Physical access? Policy maintenance? Remote access? Security incident and privacy event management? Secure disposal? Social media, social networking? Vulnerability management? Have the policies been reviewed in the last 12 months? If yes, did the review include: Feedback from interested parties? Results of independent reviews? Policy compliance? Changes that could affect the approach to managing information security? Reported information security incidents? Recommendations provided by relevant authorities? Records management? Is there a process to approve exceptions to the policy? Does security own the approval process? Is the information security policy communicated? If yes, is it communicated to: Full time constituents? Part time constituents? Contractors? Is there a vendor management program? Does the vendor management program include an individual or group responsible for capturing, maintaining and tracking subcontractor information security issues? If yes, is there: Risk rating of the issue (e.g., H/M/L, 1-5, etc.)? Documented corrective action or remediation plan? Target remediation date? On-going communication with subcontractor to discuss status of remediation? Escalation procedure if the remediation date is not met? Sign-off when remediation is fully implemented? Reporting on remediation? If yes, does it include: Identification of stakeholders? Reporting frequency?

Security Awareness Are staff made aware of the key elements of information security and why it is needed? Are personal information security responsibilities understood? Are specific activities undertaken, such as security awareness programs, to promote security awareness? Security Education Are IT staff educated/trained to develop and apply security controls?

88 Are business users educated/trained in how to run systems correctly? Security Classification Has a security classification scheme been established?

Is the security classification scheme based on the criticality of information and systems in use? Is the security classification scheme based on the sensitivity of information and systems in use? Risk analysis/assessment Are formal information risk analyses carried out for critical systems and environments? Does the information risk analysis determine risk by performing a business impact assessment and a threat and vulnerability analysis? Do the results of the risk analysis include a clear, documented identification of key risks, an assessment of the potential business impact of each risk, and recommendations for the actions required to reduce risks to acceptable levels? Does the risk analysis process help to identify special security controls (e.g., encryption for sensitive information), evaluate the costs of implementing security controls, and determine the limitations of security controls?

Confidentiality requirements Does the organization assess the impact of business information being disclosed to unauthorized individuals? Integrity Requirements Does the organization assess the impact of business information being accidentally corrupted or deliberately manipulated? Availability Requirements Does the organization assess the impact of business information being unavailable? Security Architecture Is an ‘information security architecture’ established to implement consistent, simple-to-use security functionality across multiple computer systems? Does the ‘information security architecture’ enable standard security controls to be applied throughout the enterprise? Host System Configuration Are host systems configured to function as required? Are host systems configured to prevent unauthorized or incorrect updates? Workstation Configuration Are workstations purchased from a list of approved suppliers?

Are workstations tested prior to use? Are workstations supported by maintenance arrangements? Are workstations protected by physical controls? Do workstations 'time-out' after a period of inactivity? Asset management Are proven, reliable and approved computer systems used? Do computer systems meet today's security requirements? Is essential information about hardware and software (e.g. unique identifiers, version numbers and physical locations) recorded in inventories? Physical Protection

89 Are buildings that house critical IT facilities physically protected against accident or attack? Is physical access to buildings that house critical IT facilities restricted to authorized individuals? Is critical computer equipment and documentation protected against theft? Is there a physical security program? Is there a documented physical security policy approved by management, communicated to constituents and an owner assigned to maintain and review the policy? Are reasonable physical security and environmental controls present in the building/data center that contains Scoped Systems and Data? If yes, does it include: Signage to identify the operations of the facility (data center)? Other tenants using the building? Access restricted and logs kept of all access? Electronic system (key card, token, fob, biometric reader etc.) to control access? Cipher locks (electronic or mechanical) to control access within or to the facility? If yes, is there a process to: Change the code(s) at least every 90 days? Change the code(s) when an authorized individual is terminated or transferred to another role? Security guards that provide onsite security services? Perimeter physical barrier (such as fence or walls)? Entry and exit doors alarmed (forced entry, propped open) and/or monitored by security guards? A mechanism to prevent tailgating / piggybacking? External lighting? Lighting on all doors? Exterior doors with external hinge pins? Windows with contact or break alarms on all windows? CCTV with video stored at least 90 days? Fluid or water sensor? Air conditioning and humidity controls? Heat detection? Smoke detection? Fire suppression? Multiple power feeds? Multiple communication feeds? Physical access control procedures? If yes, is there: Segregation of duties for issuing and approving access to the facility (keys, badge, etc.)? Access reviews at least every six months? Collection of access equipment (badges, keys, change pin numbers, etc.) 
when a constituent is terminated or changes status and no longer require access? A process to report lost or stolen access cards / keys? Are visitors permitted in the facility? If yes, are they required to: Sign in and out? Provide a government issued ID? Be escorted through secure areas? Wear badge distinguishing them from employees? Are visitor logs maintained for at least 90 days?

90 Is there a loading dock at the facility? If yes, is there: Any other tenants using the loading dock? A security guards at each point of entry? Smoke detector? Fire alarm? Fire suppression? CCTV and the video stored for at least 90 days? Restricted access and logs kept of all access? Is there a battery/UPS room? If yes, does it contain: Hydrogen sensors? Monitored fire alarm? Fire suppression system? CCTV and the video stored for at least 90 days? Restricted access and logs kept of all access? Does UPS support N+1? Is there a generator or generator area? If yes, is there: A fuel supply readily available to ensure uninterrupted service? Adequate capacity to supply power for at least 48 hours? Restricted access and logs kept of all access? CCTV and the video stored for at least 90 days? Is there a mailroom that handles Scoped Data? If yes, is access: Restricted access and logs kept of all access? CCTV and the video stored for at least 90 days? Is there a media library to store Scoped Data? If yes, is access: Restricted and logs kept of all access? CCTV and the video stored for at least 90 days? Is there a separate room for telecom equipment? If yes, is access: Monitored with CCTV and the video stored for 90 days? Restricted and logs kept of all access? Do the Scoped Systems and Data reside in a data center? If yes, is there: Fluid or water sensor? Air conditioning? Heat detection? Smoke detection? Vibration alarm / sensor? Monitored fire alarm? Fire suppression (e.g., dry, chemical, wet pipe)? Multiple power feeds? Multiple communication feeds? Are there generator(s)? Is access to the data center restricted and logs kept of all access? Badge readers at points of entry? Locked doors requiring a key or PIN at points of entry? Access request procedures? Segregation of duties for issuing and approving access? Access reviews conducted at least every six months? Is there a mechanism to thwart tailgating / piggybacking into the data center?

91 Are there security guards at points of entry? Do the security guards monitor security systems and alarms? Are visitors permitted in the data center? Are they required to sign in and out of the data center? Are they escorted within the data center? Are all entry and exit points to the data center alarmed? Are there alarm motion sensors monitoring the data center? Is access to the Data center monitored with CCTV and the video stored for at least 90 days? Walls extending from true floor to true ceiling? Windows or glass walls along the perimeter? Do the Scoped Systems and Data reside in a caged environment within a data center? If yes, is there a: Lock requiring a key or PIN used at points of entry? Process for requesting access? Segregation of duties for granting and storage of access devices (badges, keys, etc.)? List maintained of personnel with cards / keys to the caged environment? Process to report lost access cards / keys? Process to review access to the cage at least every six months? Process to collect access equipment (badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer requires access? Are visitors permitted in the caged environment? If yes, are they: Required to sign in and out? Escorted? Monitored with CCTV and the video stored for at least 90 days? Do the Scoped Systems and Data reside in a locked cabinet? If yes, is there: Shared cabinets? Restricted access and logs kept of all access? Access request procedures? Segregation of duties for issuing, approving access and storing devices (badges, keys, etc.)? A list of personnel with cards / keys to the cabinet? A process to report lost access cards / keys? Collection access equipment (badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer requires access? Cabinets monitored with CCTV and the video stored for at least 90 days? 
Is there a policy on using locking screensavers on unattended system displays or locks on consoles within the data center? Is there a procedure for equipment removal from the data center? Is there a preventive maintenance or current maintenance contracts for: UPS system? Security system? Generator? Batteries? Monitored fire alarm? Fire suppression systems? HVAC? Are the following tested:

92 UPS system - annually? Security alarm system - annually? Fire alarms - annually? Fire suppression system - annually? Generators - monthly? Generators full load tested - monthly? Resilience Are systems supported by alternative or duplicate facilities? Are sensitive applications run on dedicated systems? Configuring Network Devices Are network devices configured to function as required? Are network devices configured to prevent unauthorized or incorrect updates? Access Control Is access to information and systems restricted to authorized individuals? Do access control arrangements restrict access to only approved system capabilities? Are unique user IDs and passwords used for accessing the system? Can a user ID and password contain personal information (SSN, access level, admin of the user)? Is an inactive user ID deleted or disabled within 30 days? Can a user ID and password be shared? Is there a process to grant and approve access to a systems Does access to systems include a formal request and management approval? Are approved requests for granting access logged, archived and maintained? Is system access limited: Time of day? Physical location? Network subnet? Are user access rights reviewed at least every thirty days Are access control rights reviewed when a constituent changes roles? Are reviews of privileged systems conducted to ensure unauthorized privileges have not been obtained? Are privileged user access rights reviewed at least quarterly? Are changes to privileged user access rights logged? Are there logon banners for all systems access? Upon logon failure, does the error message describe the cause of the failure to the user (Invalid password, invalid user ID, etc.)? Is multi-factor authentication deployed for systems access Do all users have a unique user ID when accessing applications? Do inactive workstation lock within 15 minutes? Do inactive sessions timeout within 15 minutes?

Do access control authorizations restrict access to only approved system?

Are electronic systems used to transmit, process or store Scoped Systems and Data? Is there an access control policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?

93 Does access control on applications, operating systems, databases, and network devices ensure users have least privilege?

Are passwords required to access systems transmitting, processing or storing Scoped Systems and Data? Is there a password policy for systems that transmit, process or store Scoped Systems and Data that has been approved by management and communicated to appropriate constituents? If yes, does it include: Keep passwords confidential? Not keep a record of passwords (paper, software file or handheld device)? Change passwords when there is an indication of possible system or password compromise? Change passwords at regular intervals? Change temporary passwords at first logon? Not include passwords in automated logon processes? (stored in a macro or function key)? Terminate or secure active sessions when finished? Logoff terminals, PC or servers when the session is finished? Lock (using key lock or equivalent control) when systems are unattended? Prohibit users from sharing passwords? Are strong passwords required on systems transmitting, processing storing Scoped Systems and Data? Are password files and application system data stored in different file systems? Are user ID and passwords communicated/distributed via separate media (e-mail and phone)? Are new constituents issued random initial single use passwords? Do temporary passwords expire within 10 days? Is a user’s identity verified prior to resetting a password? Are vendor default passwords removed, disabled or changed prior to placing the device or system into production? Is password reset authority restricted to authorized persons and/or an automated password reset tool? User authorization Are users authorized before access privileges are granted? Is there a process to ensure timely action relating to requesting, establishing, issuing, suspending and closing of user accounts? Are users authenticated before access is granted to target systems? Are 'high-risk' users authenticated by using strong authentication mechanisms before access is granted? 
Firewalls Is network traffic routed through a firewall, prior to being allowed access to target systems?

Sign-on process Are users subject to a rigorous 'sign-on' process before they gain access to target systems? Event logging Are logs of key events maintained? Are logs of key events reviewed periodically? Are logs of key events protected against unauthorized change?

94 System / Network monitoring Are computer systems monitored to identify potential security breaches? Does system monitoring include scanning host systems for known vulnerabilities? Does system monitoring include checking whether powerful utilities/commands have been disabled on attached host systems? Does system monitoring include checking for the existence and configuration of unauthorized wireless networks?

Patch management Is there a strategy for patch management? Is there a document patch management process? Is the patch management process supported by a management framework?

Intrusion detection Are intrusion detection mechanisms applied to critical systems (e.g. using HIDS)? Are intrusion detection mechanisms applied to networks (e.g. using NIDS)? Incident management Is there a documented incident management process? Are incidents recorded? Are the security implications of incidents - and any remedial action - reviewed? Is there an emergency response process to enable a fast and effective response to serious attacks? Does the emergency response process outline the actions to be taken in the event of a serious attack? Is the emergency response process supported by an emergency response team?

Is there an Incident Management program? Is there a documented policy for incident management that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? Is there a formal Incident Response Plan. If yes, does it include: Reporting procedure for an information security event? Escalation procedure? An Incident / Event Response team with defined roles and response related qualifications available 24x7x365? Procedures to collect and maintain a chain of custody for evidence during incident investigation? Feedback process to ensure those reporting information security events are notified of the results after the issue has been dealt with and closed? Event reporting mechanism to support the reporting action, and to list all necessary actions in case of an information security event? Actions to be taken in the event of an information security event? Formal disciplinary process for dealing with those who commit a security breach? Process for assessing and executing client and third party notification requirements (legal, regulatory, and contractual)? Postmortem to include root cause analysis and remediation plan, provided to leadership?

95 Is there an identification of incident process? If yes, does it include: Unauthorized physical access? Information system failure or loss of service? Malware activity (anti-virus, worms, Trojans)? Denial of service? Errors resulting from incomplete or inaccurate business data? Breach or loss of confidentiality? System exploit? Unauthorized logical access or use of system resources? Containment? Remediation? Notification of stakeholders? Tracking? Repair? Recovery? Feedback and lessons learned? Unique, specific, applicable data breach notification requirements, including timing of notification (HIPAA/HITECH, state breach laws, client contracts)? Annual testing of the procedures? Are the following considered Information Security events: Loss of service (equipment or facility)? System malfunction or overload? Human error? Non-compliance with policy or guidelines? Breach of physical security arrangement? Uncontrolled system change? Malfunction of software or hardware? Access violation? Physical asset loss or theft? Forensic investigations Is there a process for dealing with incidents that require forensic investigation? Are there processes to ensure that evidence is preserved?

External access/connections Are external connections individually identified? Are external connections approved by the data owner? Sign-on Process Are users subject to a rigorous 'sign-on' process before they gain access to target systems?

Wireless access Is wireless access authorized only from approved locations? Is wireless access encrypted? Is wireless access protected using a VPN (Virtual Private Network)?

Remote working Are personal computers used by staff working in remote locations protected by physical and logical controls?

96 Are personal computers used by staff working in remote locations protected from viruses and malicious mobile code? Is there a remote access policy Is split tunneling or bridged internet connections allowed by policy and/or technical control? Only company owned equipment is permitted to connect remotely Is Management approval necessary for remote access ? Are remote users prevented from copying data to remote devices? Are encrypted communications required for all remote connections? Is multi-factor authentication required for remote access? Are personal computers used by staff working in remote locations purchased from a list of approved suppliers? Are personal computers used by staff working in remote locations tested prior to use? Are personal computers used by staff working in remote locations supported by maintenance arrangements? Are personal computers used by staff working in remote locations protected by physical and logical controls? Are personal computers used by staff working in remote locations protected from viruses and malicious mobile code? Cryptography Are cryptographic solutions used to protect the confidentiality of sensitive information? Are cryptographic solutions used to preserve the integrity of critical information? Are cryptographic solutions used to confirm the identity of the originator of information? Are cryptographic keys managed tightly (e.g. to protect them against unauthorized access or destruction)? Public key infrastructure Where a Public Key Infrastructure (PKI) is used, is it protected by ‘hardening’ the underlying operating system(s)? Where a public key infrastructure (PKI) is used, is it protected by restricting access to Certification Authorities?

Business continuity Are business continuity plans developed? Are business continuity plans supported by contingency arrangements?

Security audit/review Do security audits/reviews provide the system “owner,” and top management, with an independent assessment of the security status of the system? Are security audits/reviews performed on a regular basis? Are security audits/reviews independent?

Security monitoring Is the condition of the information security of the enterprise monitored periodically? Is the condition of the information security of the enterprise periodically reported to top management?

Roles and Responsibilities Is ‘ownership’ of critical information and systems assigned to capable individuals?

97 Are the responsibilities of 'owners' clearly defined and accepted? Are responsibilities for key security tasks assigned to individuals who are capable of performing them? Are users organized to minimize the risk of theft, fraud, error and unauthorized changes to information (e.g. by supervision of activities, prohibition of lone working and segregation of duties)? Are the duties of staff running computer systems segregated from those developing systems? Has reliance on key individuals been minimized (e.g. by automating tasks, ensuring complete and accurate documentation, and arranging alternative cover for key positions)?

Risk Management Are formal information risk analyses carried out for critical systems and environments? Does the information risk analysis determine risk by performing a business impact assessment and a threat and vulnerability analysis? Do the results of the risk analysis include a clear, documented identification of key risks, an assessment of the potential business impact of each risk, and recommendations for the actions required to reduce risks to acceptable levels? Does the risk analysis process help to identify special security controls (e.g. encryption for sensitive information), evaluate the costs of implementing security controls, and determine the limitations of security controls? Are the results of the risk analysis, including any residual risk, communicated to and signed- off by the owner?

Is there a risk assessment program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program? if yes, does it include: A risk assessment, conducted within the last 12 months? Risk Governance? Range of assets to include: people, processes, data and technology? Range of threats to include: malicious, natural, accidental, business changes (transaction volume)? Risk scoping? Risk context? Risk training plan? Risk evaluation criteria? Risk scenarios? If yes: Have scenarios been created for a variety of events with a range of possible threats that could impact the range of assets? Do the scenarios include threat types impacting all assets resulting in business impact? Ownership, action plan, response plan, management update? Are controls identified for each risk classified as: preventive, detective, corrective, predictive (technical or administrative controls)? Installation and Network Design Are systems designed with sufficient capacity to cope with predicted information processing requirements? Are systems protected by using a range of in-built security controls?

Network Documentation

98 Are networks supported by accurate and up-to-date documentation? Third Party Access Are third parties who have access to target systems uniquely identified?

Is third party access subject to a risk analysis?

Is third party access approved?

Is third party access supported by contracts?

Back Up
Are back-ups of essential information and software taken?
Are back-ups of essential information and software taken on a regular basis, according to a defined cycle?
In the event of an emergency, can essential information or software be restored within critical timescales?

Change Management
Is there a documented change management process?
Are changes tested prior to being applied to the live environment?
Are changes reviewed to ensure they do not compromise security?

Emergency Fixes
Are emergency fixes tested?
Are emergency fixes reviewed?
Are emergency fixes applied in accordance with documented standards/procedures?

Malicious Mobile Code Protection
Are enterprise-wide arrangements established to protect against malicious mobile code?

Virus Protection
Are virus protection arrangements established?
Do virus protection arrangements cover servers?
Do virus protection arrangements cover workstations (including laptops)?
Is virus protection software kept up-to-date?

Special Controls
Are voice network facilities (e.g. telephone exchanges) monitored regularly?
Is access to voice network facilities restricted?

Information Privacy
Has responsibility for managing information privacy been established?
Are security controls for handling personally identifiable information applied?
Does the organization comply with legal and regulatory requirements for information privacy?

Email
Are e-mail systems supported by a security policy?
Are e-mail systems supported by security awareness activities?
Are standards/procedures established for the protection of e-mail systems?
Are e-mail systems protected by technical security controls?

Instant Messaging
Is there a policy governing the use of instant messaging?
Are the security features of instant messaging applications deployed?
Are the security elements of instant messaging infrastructure configured?

Web-Enabled Applications
Are specialized technical controls applied to web-enabled applications?

Electronic Commerce
Is there a process to ensure that information security is incorporated into electronic commerce initiatives?
Are the security risks of electronic commerce systems evaluated?
Are processes in place to ensure security is not sacrificed for the sake of speed?

Outsourcing
Is there a process to govern the selection and management of outsourced contractors?
Are outsourcing arrangements supported by documented agreements specifying security requirements?

Quality Assurance
Is quality assurance of key security activities performed during the development lifecycle?

Development Methodologies and Environment
Are development activities carried out in accordance with a documented system development methodology?
Are system development activities performed in specialized development environments, isolated from the live environment?
Are system development activities protected against disruption and disclosure of information?

System Design/Build
Are information security requirements for the system under development considered when designing the system?
Are system build activities (including coding and package customization) carried out in accordance with industry good practice?

Are system build activities performed by individuals with adequate skills/tools?
Are system build activities inspected to identify unauthorized modifications or changes which may compromise security controls?

Testing
Are all elements of a system tested before it is promoted to the live environment?

Are acceptance tests conducted in an isolated area that simulates the live environment?
Are test results documented, checked against expected results, approved by users and signed-off by the owner?

Installation Process
Are new systems installed in the live environment in accordance with a documented installation process?

Post-Implementation Review
Are post-implementation reviews conducted for all new systems?

Specification of Requirements
Are business requirements (including those for information security) agreed and documented before commencing detailed design?
Are business requirements signed-off by the relevant business, IT and Security Managers?

General Security Controls
Are the full range of general security controls considered when designing the system under development?

Application Controls
Are the full range of application controls (e.g. control over input, processing and output) considered when designing the system under development?
Are required security controls identified?

Handling Information
Is additional protection provided for applications that involve handling sensitive material or transferring sensitive information?
Is sensitive information held on data storage media (including magnetic tapes, disks, printed results, and stationery) protected against corruption, loss or disclosure?

System Promotion Criteria
Are rigorous criteria met before new systems are promoted into the live environment?

Acquisition
Are security requirements considered when acquiring computer systems?
Are security deficiencies in computer systems identified?
Are robust and reliable computer systems acquired?
Are adequate software licenses acquired for planned use?

3rd Party Services/Subservice Organization
Please identify all 3rd party services or subservice organizations.

Organizational Security
Is there a respondent information security function responsible for security initiatives? If yes, does it include:
  Creation, review and approval of information security policies?
  Review of the effectiveness of information security policy implementation?
  Management of the assignment of specific roles and responsibilities for information security?
  Development and maintenance of an overall strategic security plan?
  Consistent implementation of information security across different parts of the respondent's organization?
  Review and monitoring of information security/privacy incidents or events?
  Monitoring of significant changes in the exposure of information assets?
  Contacts with information security special interest groups, specialist security forums, or professional associations?
  Identification and documentation of instances of non-compliance with security policies?
  Identification of key Information Technology roles?
Do external parties have access to Scoped Systems and Data or processing facilities? If yes, is:
  Access prohibited prior to a risk assessment being conducted?
  A risk assessment performed on third parties?
  A controls assessment performed on third parties?
  An agreement in place when customers access Scoped Systems and Data?
Does management require the use of confidentiality or non-disclosure agreements for all third parties? If yes, do they contain:
  Ownership of information, trade secrets and intellectual property?
  Permitted use of confidential information, and granting of rights to the signatory to use information?
  Process for notification and reporting of unauthorized disclosure or confidential information breaches?
  Expected actions to be taken in case of a breach of this agreement?
Are there contracts with third party service providers who have access to Scoped Systems and Data? If yes, do they include:
  Non-Disclosure Agreement?
  Confidentiality Agreement?
  Media handling?
  Requirement of an awareness program to communicate security standards and expectations?
  Responsibilities regarding hardware and software installation and maintenance?
  Clear reporting structure and agreed reporting formats?
  Clear and specified process of change management?
  Notification of change?
  Process to address any identified issues?
  Access control policy?
  Breach notification?
  Description of the product or service to be provided?
  Description of the information to be made available along with its security classification?
  SLAs?
  Audit reporting?
  Ongoing monitoring?
  A process to regularly monitor to ensure compliance with security standards?
  Onsite review?
  Right to audit?
  Right to inspect?
  Problem reporting and escalation procedures?
  Business resumption responsibilities?
  Indemnification/liability?
  Privacy requirements?
  Dispute resolution?
  Choice of venue?
  Data ownership?
  Ownership of intellectual property?
  Involvement of the third party with subcontractors?
  Security controls these subcontractors need to implement?
  Termination/exit clause?

Appendix 8: Sample Interview Dialogue

Key: R: Researcher SME: Subject Matter Expert

R: We will be covering the physical security, access controls, and asset management of most organizations today. Based on your expertise, do you think current access control tools and technologies restrict access to only approved systems for the users?

SME: No. Most users can and will access other systems in the organization.

R: Do you see this as a vulnerability for an insider threat?

SME: Yes

R: What level of risk do you consider this to be?

SME: (Refers to risk matrix) Moderate level of risk, and in some cases maybe high.

R: Acknowledging a Moderate level of risk, where would you put the impact level based on that particular risk? (Refers to impact level matrix).

SME: (Refers to impact matrix), 3 - High.

R: Based on your experience, are facilities that host critical IT components physically protected against insider threats?

SME: Yes.

R: What level of risk would you consider the taking of any intellectual property or any equipment from the facility/organization without authorization?

SME: (Refers to risk matrix) low level of risk.

R: Acknowledging a low level of risk, where would you put the impact level based on that particular risk? (Refers to impact matrix).

SME: (Refers to impact matrix), 2 - Moderate.

R: Based on your expertise, do you think most organizations implement an automated asset inventory discovery tool for all their physical devices and systems?

SME: Not at all.

R: What level of risk do you consider this to be?


SME: (Refers to risk matrix) 3 - High.

R: Acknowledging a high level of risk, where would you put the impact level based on that particular risk? (Refers to impact matrix).

SME: (Refers to impact matrix), 3 - High.

R: How quickly do you think organizations can isolate the Cyber-attack?

SME: Currently most organizations will find out about a cyber-attack in two hundred days.

R: What level of risk do you consider this to be?

SME: (Refers to risk matrix) 3 - High.

R: Acknowledging a high level of risk, where would you put the impact level based on that particular risk? (Refers to impact matrix).

SME: (Refers to impact matrix), 3 - High.

R: Is having wireless Access Points (APs) standard in most organizations?

SME: Yes.

R: In most organizations, what level of security will we find for APs?

SME: Guest wireless, with a low security and available to all.

R: What level of risk do you consider for this?

SME: (Refers to risk matrix) 3 - High.

R: Acknowledging a high level of risk, where would you put the impact level based on that particular risk? (Refers to impact matrix).

SME: (Refers to impact matrix), 3 - High.

R: Having reviewed the Dynamic Framework system, will implementing this system in any enterprise reduce the risk level it faces?

SME: Yes; however, it may require some modification in order to fit in government agencies.

R: If your risk level decreases, would your impact level decrease as well?

SME: Yes.

Appendix 9: Results

Each figure below was a bar chart of Previous vs. Future percentages for Preventive, Detective and Corrective controls, one chart per SME. Only the axis ticks and bar labels survived extraction; the bar labels are listed in order of appearance, and their assignment to individual bars is not recoverable from the text.

SME1
[Figure: Previous/Future bar chart for Preventive, Detective, Corrective. Bar labels: 30%, 25%, 22%, 12%, 11%, 6%.]

SME2
[Figure: Previous/Future bar chart for Preventive, Detective, Corrective. Bar labels: 26%, 18%, 15%, 10%, 6%, 5%.]

SME3
[Figure: Previous/Future bar chart for Preventive, Detective, Corrective. Bar labels: 30%, 19%, 14%, 8%, 6%, 2%.]

SME4
[Figure: Previous/Future bar chart for Preventive, Detective, Corrective. Bar labels: 15%, 12%, 6%, 1%, 1%, 0%.]

SME5
[Figure: Previous/Future bar chart for Preventive, Detective, Corrective. Bar labels: 22%, 21%, 17%, 3%, 0%, 0%.]

SME6
[Figure: Previous/Future bar chart for Preventive, Detective, Corrective. Bar labels: 8%, 5%, 2%, 1%, 1%, 0%.]

SME7
[Figure: Previous/Future bar chart for Preventive, Detective, Corrective. Bar labels: 12%, 10%, 3%, 3%, 1%, 2%.]

SME8
[Figure: Previous/Future bar chart for Preventive, Detective, Corrective. Bar labels: 14%, 6%, 1%, 2%, 0%, 0%.]

SME9
[Figure: Previous/Future bar chart for Preventive, Detective, Corrective. Bar labels: 22%, 7%, 3%, 0%, 0%, 0%.]

SME10
[Figure: Previous/Future bar chart for Preventive, Detective, Corrective. Bar labels: 18%, 14%, 8%, 4%, 2%, 0%.]

Appendix 10: Demographics of SMEs

References

Bass, Tim. “Intrusion Detection Systems and Multisensor Data Fusion.” Communications of the ACM 43.3 (2000): 99-105. Web. 30 June 2016.

Cloppert, M. “Security Intelligence: Attacking the Cyber Kill Chain,” SANS Digital Forensics & Incident Response, October 14, 2009.

Coleman, K. (2012). Aggression in Cyberspace. In S. Jasper (Ed.), Conflict and Cooperation in the Global Commons: A Comprehensive Approach for International Security. Washington, D.C.: Georgetown University Press.

Cyber Glossary. (2013). Retrieved May 14, 2015, from http://niccs.us-cert.gov/glossary.

Encyclopedia. (2016). Retrieved February 18, 2016, from http://www.pcmag.com/encyclopedia.

Federal Bureau of Investigation. 2010. “Cyber Theft Ring.” Last modified April 8, 2015.

Federal Bureau of Investigation. 2014. “GameOver Zeus Botnet Disrupted: Collaborative Effort Among International Partners.” Last modified April 7, 2015.

Federal Bureau of Investigation. 2014. “GameOver Zeus (GOZ) Malware and Botnet Architecture.” Last modified April 7, 2015.

FireEye, Inc. “The Advanced Cyber Attack Landscape.” 2013.

Gibson, D. (2015). Managing Risk in Information Systems; Second Edition. Jones and Bartlett Learning.

Goldman, H., McQuaid, R., & Picciotto, J. (2011). Cyber Resilience for Mission Assurance. Institute of Electrical and Electronics Engineers. Paper presented at the 2011 IEEE International Conference on Technologies for Homeland Security (HST), Bedford, MA.

International Telecommunication Union. 2015. “Definition of Cybersecurity.” Last modified April 7, 2015. Accessed January 7, 2015.

Mandiant, “APT1 Exposing One of China’s Cyber Espionage Units,” 2013.

Mateski, M., Trevino, C. M., Veitch, C. K., Michalski, J., Harris, M., Maruoka, S., Frye, J. (2012). Cyber Threat Metrics. Albuquerque, NM: Sandia National Laboratories.

Maybury, Mark, Penny Chase, Brant Cheikes, Dick Brackney, Sara Matzner, Tom Hetherington, Brad Wood, Conner Sibley, Jack Martin, Tom Longstaff, Lance Spitzner, Jed Haile, John Copeland, and Scott Lewandowski. (2005). Analysis and Detection of Malicious Insiders. MITRE Corporation. Paper presented at the 2005 International Conference on Intelligence Analysis, McLean, VA.

McCumber, J. 2004. Assessing and Managing Security Risk in IT Systems: A Structured Methodology. Auerbach Publications.

National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity. 2014.

National Institute of Standards and Technology. NIST Special Publication 800-30: Guide for Conducting Risk Assessments. 2012.

National Institute of Standards and Technology. NIST Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View. 2011.

National Institute of Standards and Technology. NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations. 2013.

National Institute of Standards and Technology. NIST Special Publication 800-61 Revision 2: Computer Security Incident Handling Guide. 2012.

NATO Cooperative Cyber Defence Center of Excellence (CCDCOE). Cyber Definitions. 2014.

“NSA chief says U.S. infrastructure highly vulnerable to cyber attack,” Reuters, June 11, 2013.

Obama, B. Executive Order no. 13636. 2013. 78 Federal Register 11739.

Obama, B. “Remarks by the President on Securing Our Nation’s Cyber Infrastructure,” May 29, 2009. Washington, D.C.

Panetta, L. “Defending the Nation from Cyber Attack,” Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security Address, October 11, 2012, New York, New York.

Perera, D. “Gallagher: NIST framework could improve federal agency cybersecurity programs,” FierceGovernmentIT, February 19, 2014.

Recorded Future: Creating an Insightful World. 2013. “Deconstructing the Al-Qassam Cyber Fighters Assault on US Banks.” Last modified April 7, 2015.


Schmitt, M. N. (2013). Tallinn Manual on the International Law Applicable to Cyber Warfare: Prepared by the International Group of Experts at the Invitation of the NATO Cooperative Cyber Defence Centre of Excellence. New York, NY: Cambridge University Press.

Shariati, B. “Cybersecurity Operations Strategy,” United States Cybersecurity Magazine 1, no. 4 (2014).

Shenk, J. “SANS Eighth Annual 2012 Log and Event Management Survey Results: Sorting Through the Noise,” SANS Institute (May 2012).

Sherwood, J., Clark, A., and Lynas, D. 2005. Enterprise Security Architecture: A Business-Driven Approach. CRC Press.

“The Cop on the Cyber Beat,” The Wall Street Journal, June 27, 2011.

The New York State Department of Financial Services, Report on Cyber-Security in the Banking Sector, New York, NY, 2014.

U.S. Congress. H.R.3162, Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001. 2001.

U.S. Department of Defense. Department of Defense Strategy for Operating in Cyberspace, 2011.

U.S. Department of Defense. Defense Science Board (DSB) Task Force. (January 2013). Resilient Military Systems and the Advanced Cyber Threat.

U.S. Department of Homeland Security. Banking and Finance Sector-Specific Plan An Annex to the National Infrastructure Protection Plan, 2010.

U.S. Department of Homeland Security, ICS-CERT Monitor Incident Response Activity, January-April 2014.

U.S. Department of Homeland Security, ICS-CERT Monitor Incident Response Activity, November-December 2015.

U.S. Department of Homeland Security. NIPP 2013: Partnering for Critical Infrastructure Security and Resilience, 2013.

Vasumathi, D. and Krishnam, M. T. 2012. “Network Based Anti-virus technology for Real-time scanning,” IJCSI International Journal of Computer Science Issues, vol. 9, issue 4, no. 2 (July 2012).

Whitman, M. E., Mattord, H. J., and Mackey, D. 2012. Guide to Network Security. Cengage Learning.
