An Interdisciplinary Introduction

Index

See OMB and, 82, 83–84 2-factor authentication, 57, 295, 296 Paperwork Reduction Act, 82 9/11/2001. September 11, 2001 supply chain security, 166, 170 60-Day Cyberspace Policy Review, 100–101, 130, 259 active responses to threats, 207–208, 237–238 256-bit encryption, 193 acts of law, 263 300A and 300B reports, 170 actual cost (AC), 152–154, 156, 299–300, 302 414s (hackers), 6 ACWP (actual cost of work performed), 152 1930s IT infrastructure, 185 “adequate security,” 171 1940s IT infrastructure, 75 Administrative Procedure Act (APA), 266 1950s IT infrastructure, 75–76, 185¬ advanced notices of proposed rulemaking (ANPR), 260, 1960s cybersecurity issues, 4, 76–77, 95 266 1970s cybersecurity issues, 5, 179 advanced persistent threats (APTs), 203–204, 276,- 277 1980s cybersecurity issues, 4–9, 77–81, 82, 185 Advanced Research Projects Agency (ARPA), 4 1990s cybersecurity issues, 9, 81–90, 223–225, 276 Advanced Research Projects Agency Network (AR 2000s cybersecurity issues, 9, 89, 90–101, 220, 276 agenciesPANET), 4, 179 A2010s cybersecurity issues, 10, 101–104, 221–222, 276 African Network Information Centre (AfriNIC), 278 A circulars. See under civilian.audits, 241 See civilian agencies OMB budgets, 260 AC (actual cost), 152–154, 156, 299–300, 302 acceptable levels of risk, 36 classified/unclassified protective markings, 79 acceptable quality level (AQL), 145 compliance standards, 168–169 accepting risks, 16, 20, 22, 60–61 creation of, 266 access codes, 236 cybersecurity policy role, 69–70 access points, 233, 258 Federal Register rules publication, 260 accessibility of systems intelligence.FISMA requirements, See intelligence 97–98, agencies 171 corporate systems, 233 impact on projects, 123 health care systems, 224 military. See mainframe computers, 76 inter-agency cooperation, 87 vs.network access points, 233, 258 Defense Department physical sites, 236 operational planning model, 124 security, 22 procurement responsibilities,See 83 account number access, 273 publicpartnerships hearings, 266–267 accounting, 148–149, 230 public-private partnerships. private-public accounting machines, 185 accreditation (IT systems), 171–172 regulations, role in, 265–268 acquisitionsaccuracy of warnings, and procurement 112 regulatory agencies, 265–266 acquisition program baseline (APB), 142 supervision of, 74 top-down analysis, 50–52 acquisition documents, 143–148 aggravated identity theft, 273 acquisition phase, 143–148 agriculture as critical infrastructure, 96 Brooks Act, 76–77 alerts“ahead of schedule” variances, 155, 298–299 CIOs and, 83–84 Air Force, 71, 72 compliance, 168–169 GSA and, 77 as cybersecurity capability, 203, 207 Index (A) 427

as high-level requirement, 136 capital, 149, 150, 169–170 National Cyber Alert System, 94 corporate, 234 trusted Internet connections example, 139 critical, 31–33, 61 warning systems, 110–113,a 122–123, 136, 203, 207 FISMA compliance, 170–172 Allen, William T., 217 GAO labeling system, 31–33 alternative hypotheses (H ), 39, 49, 291 assistantidentifying, to the president 160–161 for homeland security and alternative scenarios, 119–120, 138 assistance as high-level requirement, 136 ambiguity in survey design, 288 assumptions amendments, bills, 262, 263 counterterrorism, 100 American Recovery and Reinvestment Act, 225, 241 American Registry for Internet Numbers (ARIN), 278 risk determination and, 33 anomaliesanalyzing threats, 104, 136, 203, 206–207 in risk management framework, 16, 20, 21 Anil, Suleyman, 101, 283 spear phishing survey, 42 in survey design, 288 corporate detection, 237–238 asymmetrical warfare, 6 DHS monitoring case study, 162–163 atomic“at rest” energy. encryption, See nuclear 194 facilities network detection, 203, 206 atomic bombs/nuclear arms, 6, 7 simulating, 206–207 anonymity, 279, 281 attachments (email), 195, 235 Anonymous, 19 attacksalerts. and See exploits, alerts 195–196 ANPR (advance notice of proposed rulemaking), 260, active/passive responses, 207–208, 237–238 266 antivirusAntarctica, software 278 anomalies and, 162–163, 203, 206–207, 237–238 Anti-Referral Payments Law, 217 BGP, 191–192 botnets, 198 corporate obligations and, 220 brute force, 193 informing internal information, 162 buffer overflow, 201 in internal monitoring, 205 code injection, See201 McAfee, 115 crashing and recovery, 201 TJX data breach and, 227 data breaches. data breaches as warning system, 207 denial of service, 198, 203, 204, 275 APA (Administrative Procedure Act), 266 DHS monitoring case study, 162–163 APB (acquisition program baseline), 142 DNS cache poisoning, 200 APNIC (Asia-Pacific Network Information Centre), 279 factors aiding in, 202 appeals and appeals courts, 268 growth in 2000s, 99 APT (advanced persistent threat), 203–204, 276, 277 history of, 275–276 AQL (acceptable quality level), 145 insider threats, 200, 233 ARIN (American Registry for Internet Numbers), 278 malware, 195, 196, 271 Army, 71, 72 - man in the middle, 198–199 ARPA (Advanced Research Projects Agency), 4 phishing/spear phishing, 41–46, 197–198 ARPANET (Advanced Research Projects Agency Net private sector breaches, 213 work), 4, 179 private sector plans, 211–212 arraignments, 274 SEC disclosures, 229 Asia, 279 simulating, 206–207, 234–235 Asia-Pacific Network Information Centre (APNIC), 279 threat signature technology, 99–100 assembly language, 180–181 time before discovery, 281 assessing plans,See 120 warnings.types of, 187 See warning systems assessing threats.results, 120–121See threat assessment unknown vulnerabilities, 201–202 assetsassessing risks. risk assessments zero-day exploits, 201–202 attribution for attacks, 190, 195, 281 428 Index

audits, 240 big picture, senior managers and, 115, 116 agencies, 241 bills, legislative, 261–263 corporate policies, 239–241 binary code, 180, 193 financial, 167 binary dependent variables, 292 FTC consent agreements, 226 BJR (business judgment rule), 219 health care systems, 173, 224 Black Hand, 276 internal/external, 166–168, 239–241 black hole servers, 204 IT, 167, 173 blackouts, 92 monitoring functions and, 204 “Blueprint for a Secure Cyber Future,” 130, 259 risk assessment, 240 boards of directors Sarbanes-Oxley Act, 230 business judgment rule, 219 technical, 167 duty of care, 215–219 types of, 166–168 liability, 218 Australia, 279 obligations, 221–222 authentication tokens, 213 role in company, 214 authority, transnational, 281–282 role in cybersecurity, 211–212, 214, 231–232 authorization, 133, 134–135, 139 as senior managers, 110 automatic alert systems, 112 Border Gateway Protocol (BGP), 187, 188, 190–192, Automatic Data Processing Act (Brooks Act), 76–77, 80, 198–199 83 botnets, 198 availability, threats to, 187 bottom-up assessments (PWS), 145 avoiding risks, 16, 20, 60, 61 Bottom-Up Review report (BUR), 130, 259 awareness campaigns, 207, 224 boy genius hackers, 5–6, 27 BAzerbaijan, 277 brokerage firms, 228 Brooks, Jack, 76 Brooks Act, 76–77, 80, 83 BAC (budget at completion), 157, 300, 301, 302 brute force attacks, 193 back-ups, off-site, 236 budget at completion (BAC), 157, 300, 301, 302 backbones, 4, 188 budgeted cost of work performed (BCWP), 153 backwards engineering (op models), 141 budgeted cost of work scheduled (BCWS), 152 badges, 236 budgets bail, 274 APBs, 142 bandwagon fallacy, 249 comparing projects, 157–158, 298–302 banking and finance systems congressional control, 74 criminal information access, 271, 273 CONOPS and, 138 as critical infrastructure, 86, 87 as constraints, 21 cyber threats, 87 developing, 120, 149–152 Estonian attacks, 101 EVM development of, 149–152 GLB Financial Modernization Act, 222–223 EVM indexes, 298–302 Sarbanes-Oxley Act, 168, 230 EVM management, 148 TJX breach losses, 220, 226–227, 272 manager’s role, 117 written security plans, 223 OMB control, 84 baselines, establishing, 160–161, 171 over or under status, 156 BCWP (budgeted cost of work performed), 153 in proposed legislation, 262 BCWS (budgeted cost of work scheduled), 152 trade-offs in risk management, 23 behavioral detection, 206, 233 understanding, 150–152 “behind schedule” status, 163, 298–299 buffer overflow attacks, 201 best practices, 103, 304 bulk power systems, 229–230See BGP (Border Gateway Protocol), 187, 188, 190–192, BUR (Bottom-Up Review report), 130, 259 198–199 Bureau of the Budget. OMB (Office of Management biases, 288, 289 and Budget) Index (B-C) 429

catastrophes. See disasters

Bush administration causation vs. CNCI founding, 99–101 “catastrophic” label (GAO), 31–33 critical infrastructure directives, 95–97 correlation, 57 E-Government Act, 97–98 CD-ROM drives, 182 Executive Orders, 257 CDs, 185 See FISMA act, 97–98 Central Asia, 279 Homeland Security history, 90–99 Central Intelligence Agency. CIA HSPDs, 95-97 central processing units (CPUs), 181 national security instruments, 255 CEOs (chief executive officers) presidential power expansion, 129–130 business judgment rule, 219 Sarbanes-Oxley Act, 168, 230 cybersecurity role, 211–212, 215, 232 business continuity plans, 238 duty of care, 215–219 Business Corporation Law of New York State (NY BCL), liability, 218 216 certificates (HTTPS), 194 business interruptionSee private insurance, sector 238 certification (IT systems), 171–172 business judgment rule (BJR), 219 “CF Disclosure Guidance: Topic No. 2,” 229 businesses. CFAA (Computer Fraud and Abuse Act), 8–9, 270–272 Cbylaws, corporate, 214 changes,CFR (Code identifying of Federal Regulations), 172, 268 challenge questions, 295, 296

C++, 181 evolution of threats, 105 CAATs (computer-assisted audit techniques), 167 in file data, 195 cable companies, 188 monitoring risks, 62–63, 64 Californiacache, 184 risk management framework, 16, 20 cache poisoning, 200 charging criminals, 274 Charter Pacific Bank, 222 data breach laws, 227–228 charters, corporate, 214 electrical grid attacks, 276 Chechnya, 276 cameras, activating, 102 checklists, going beyond, 66 Canada, 278 chi square test, 291 See capabilities chief executive officers (CEOs), 211–212, 215–219, 232 capability-based planning, 136–137 chief information officers. CIOs (chief information capability gaps, 133–134, 135, 137, 139 officers) CONOPS, 137–140 Chief Information Officers Council (CIO Council), 84, defining for monitoring systems, 159 256 examples, 26–27, 202–208 chief information security officers (CISOs), 232 identifying for threat assessment, 25 chief infrastructure assurance officers (CIAOs), 89 identifying in PWSs, 145 child prodigy hackers, 5–6, 27 mission needs statements, 133–134 China, 37, 276 op models, 141 CIA (Central Intelligence Agency), 72, 73, 77, 90, 91 organizational needs, 118–119 CIAO (Critical Infrastructure Assurance Office), 89, translating goals into, 114 94–95 capability-based planning, 136–137 CIAOs (chief infrastructure assurance officers), 89 See capability gaps, 133–134, 135, 137, 139 CICGalso (Critical critical Infrastructureinfrastructure Coordination Group), 87 capacitors, 185 CIKR (critical infrastructure and key resources), 97. capital, 109 Capital Asset Plan and Business Case (Exhibit 300), CIO Council, 84, 256 169–170 CIOs (chief information officers), 59 capital assets, 149, 150, 169–170 business judgment rule, 219 Caremark International lawsuit, 216–219 cybersecurity role, 83–84, 211–212, 215, 232 Caribbean region, 278, 279 duty of care, 215–219 430 Index

See

FISMA compliance, 171 code breaking agencies. NSA liability, 218 code injection, 201 CISOs (chief information security officers), 232 Code of Federal Regulations (CFR), 172, 268 civilianCitigroup, agencies 218–219 coefficient of determination, 292 citizen concerns, military information control, 80 Cold War, 3–4, 76, 78 collaboration, as high-level requirement, 136 Brooks Act responsibilities, 77 color-coding project status, 165 capability-based planning, 136–137 .com domains, 192 CONOPS, 137–140 command and control attacks, 196 cybersecurity role, 69–71, 73 commenting on proposed rules, 266 DHS as, 95 Commerce Department, 77, 89, 98, 278 Einstein 3 monitoring, 100 Committee of Sponsoring Organizations (COSO),See also 239 net- EVM accounting and, 148 committees, congressional, 262 FISMA requirements and, 98 communication pathways, 185, 240–241. mission needs statements, 126–127 works See also national cybersecurity threats management, 8 communication systems, 85, 87, 96 op models, 140–142 companies.communications, See private intercepting, sector 272. attacks; tensions with military, 70, 71, 78–81, 104–105 data breaches CIWG (Critical Infrastructure Working Group), 86 claims processors, 225 completion dates (POA&M documents), 147–148 classified information compliance, 167 CNCI declassification, 101 audits, 166–168 criminal information access to, 270 compliance officers, 167 document markings, 79 corporate employees, 235 early cybersecurity policies, 8 Exhibit 300, 169–170 NSA classified computer systems, 80 federal CIOs role, 84 NSA SBU IT, 81 federal practices, 168–169 personal computer security, 78 FISMA requirements, 170–172 Clintonclassified administration technology, 81 HIPAA example, 172–174 Clinger-Cohen Act of 1996, 83–84, 126, 168–169 internal controls, 239–240 monitoring risks, 62–63, 64, 204 CIO Council, 84 noncompliance consequences, 172 cybersecurity and terrorism, 85–90 operational planning model, 125 executive orders, 256 operational requirements documents, 140 national security instruments, 74, 86–90, 255, 261 post-breach reports, 237 Presidential Decision Directives, 74, 86–90, 255, 261 risk management framework, 16, 20 Y2K preparations, 89 “Compliance and Reporting” block, 125 closed-ended questions, 288 compliance officers, 167 See cloud providers, 202, 219–222 - components (hardware), 181, 182–183 CMS (continuous monitoring system), 122–123 Comprehensive National Cybersecurity Initiative. CNCI (Comprehensive National Cybersecurity Initia CNCI tive), 111 compromised systems, 195 history of, 99–102 computer-assisted audit techniques (CAATs), 167 mission requirements in, 130 Computer Fraud and Abuse Act (CFAA), 8–9, 270–272 partial declassification, 101, 257 Computer Readiness Team (US-CERT), 94, 122–123, TIC initiative, 258 259 warnings capability, 110 computer science, 179–180 Coast Guard, 71 Computer Security Act of See1987, 79, 80–81 Coast Guard Intelligence, 72 computers, 180 COBIT (Control Objectives for Information and Related attacks and exploits. attacks Technology), 239–240 cryptographic technologies, 193–195 Index (C) 431

cybersecurity operation capabilities, 202–208 in consequence equation, 31 federal standards for, 169 corporate governance and, 216 history of, 179 direct/indirect, 30 mainframes, 75–76 identifying, 38 personalmemory, 184–185computers. See illustrated, 38 multiple processors, 182 increases in, 33 procurement. See acquisitions PCs and procurement metrics, 33 processors, 181–182 in PRA risk management, 47 in risk assessment, 23, 47 programs, 181–182 in risk determination, 36 protected, 272 in risk equation, 23 research systems, 4 constraintsin risk management framework, 16, 20 as systems, 182–184 Constitution, 250, 251, 262, 268 vulnerabilities, 200–202 Concept of Operations (CONOPS), 137–140 in CONOPS, 137–140 conditional events (probability), 48–49 identifying, 140 conference committees, 263See internal/external, 123 confidencecustomer intervals information; (statistics), personal 291 information containingin risk threatsmanagement framework, 16, 20, 21–22 confidential information. classified information; user-friendly websites and, 58, 59

Congressconfidentiality breaches, 187 as capability, 203 configuration, network, 201, 237 “contain” task in risk management, 15 corporate policies, 237 agency creation, 266 risk responses, 61 agency supervision, 74 continuity plans, 238 authority, 260 contractors.continuous monitoring See system (CMS), 122–123 Congressional Research Service, 264–265 contracting officers, 146–147 cybersecurity policy role, 69–70 vendors/contractors federal regulations, 265–268 contracts, 238 GAO information, 264 control activities (businesses), 240 - legislation process, 261–263 control environments (businesses), 240 military/civilian security control policies, 71 Control Objectives for Information and Related Technol mission requirements, 127, 128 ogy (COBIT), 239–240 power of the purse, 260 convenience sampling, 289 proposed bills and law research, 264 Convention on Cybercrime, 284 research sources, 250–251, 264 coordination role (management) response to NSDD-145, 80–81 failures of, 123 as senior managers, 110 managingfunctions, vs.115–117 Congressional Record, 263, 264 as high-level requirement, 136 Congressional Research Service (CRS), 264–265 doing, 113–114 CONOPS (Concept of Operations), 137–140 Coreflood virus, 198 consent agreements, 226, 227 corporations.Corporate Finance See private Division sector (SEC), 228 consequence assessments, 30–33 correlationcorporate governance, vs. 213–215 in consequence equation, 31 DHS monitoring case study, 161–162 causation, 57 metrics, 33 COSO (Committee of Sponsoring Organizations), 239 model corporate cyber program, 232, 234 costsCost Performance Index (CPI), 157, 299–300, 301, 302 consequences,assessing. See23, 30consequence assessments cost variances (CVs), 155–158, 163–164 analyzing threats/vulnerabilities, 33–37 attack simulations, 235 assigning values to, 35–37 in budgets, 150–152 432 Index

cost variances, 155–157, 163–164 blackouts, 92 data breaches, 9, 220, 221, 229, 236 CIKR (critical infrastructure and key resources), 97 DHS monitoring case study, 160–161 communication systems, 85, 87, 96 District Design case study, 151–154 electrical grid, 85, 87 IGCE estimates, 146–147 emergency services, 87 objective and threshold values, 142–143 Energy Department management, 96 op models, 140–142 food systems, 96 wormSony PlayStation damage estimates, breach, 2219 identifying critical infrastructure, 95–97 TJX data breach, 220 Internet, 275 See also espionage; in policy formation, 74 Councilintelligence of Europe, agencies 284 power plants, 229–230 counterintelligence, 99–102, 281. private sector ownership, 85 See also plans; strategies sectors of, 96 counterterrorism review of policies, 100–101 transportation systems, 85, 87, 96 courtscourses of action, 135. water systems, 87, 96 Court of Appeals, 268 Y2K preparations, 89 See Critical Infrastructure Coordination Group (CICG), 87 international, 282 critical“Critical infrastructure Infrastructure protection. Identification, See also Prioritization, critical infra and- U.S. judicial branch of government structureProtection,” components 95–97 CPI (Cost Performance Index), 157, 299–300, 301, 302 CPU (central processing unit), 181 credit and debit cards board of directors role, 231–232 criminal information access, 273 CIWG review, 86 liability for breaches, 219–222 corporate policies, 235 personal information sales, 222 Critical Infrastructure Assurance Office, 89 prosecutions for breaches, 272 Critical Infrastructure Protection Board, 92–93, 257 Sony PlayStation Network breach, 221–222 Critical Infrastructure Working Group, 86 criminalTJX dataacts. breach, See also 220, 226–227, 272 Cybersecurity ActSee of 2012, 103 credit reporting agencies, 228 DHS responsibilities, 18, 90–91, 93–95, 96, 97, 104 attacks; data breaches executive orders. EOs Computer Fraud and Abuse Act, 270–272 National Coordinator for Security, Infrastructure Federal crimes, 269–270 Protection and Counter-Terrorism, 88 federal prosecution process, 273–275 National Infrastructure Advisory Council, 93 identity theft, 219, 270, 271, 273 National Infrastructure Assurance Council, 87 criminals.international See issues, 282 National Infrastructure Protection Center, 89–90, crimeWiretap groups Act, 272 94–95, 261 hackers; nation-state hackers; organized National Infrastructure Protection Council, 93–94 critical assets National Infrastructure Protection Plan, 18, 87, 94, crisis management, DHS role in, 95 96, 97, 104 National Policy for Infrastructure Protection, 87 consequence assessments, 31 NSC (National Security Council), 87, 93 GAO labeling system, 31–33 - nationalOffice of securityInfrastructure instruments. Protection, See national94, 131 security removing, 61 Officeinstruments of National Infrastructure Assurance, 87 “Critical Foundations: Protecting America’s Infrastruc tures,” 86–87 Critical Infrastructure Assurance OfficeSee (CIAO), also critical89, policies, 74, 87–90 infrastructure94–95 protection President’s Commission on Critical Infrastructure critical infrastructure components, 85. Protection, 86–87, 255, 256 private sector ownership, 85, 105 agriculture, 96 public-private partnerships, 70, 85, 87–88, 105 banking and finance systems, 86, 87 sentencing and, 275 Index (C-D) 433

Y2K preparations, 89 objective values, 142–143See Critical Infrastructure Protection Board, 92–93, 257 sector differences, 127 Critical Infrastructure Working Group (CIWG), 86 cybersecurity managers. program/project managers “critical” label (GAO), 31–33 cybersecurity operation capabilities, 202–208 criticality, defined, 31 Cyberspace Policy Review, 100–101, 130, 259 cryptologicalCRS (Congressional agencies. Research See Service), 264–265 Dcyclical nature of management, 121 cryptographic technologies, 193–195 damages NSA customerCS&C (Office information of Cybersecurity and Communications), 94, 122, 131 attacks, 196 business data breaches, 212 banks selling, 222 examples, 26–27 business’s duty towards, 212–213 identifying in threat assessment, 25 criminal access to, 271, 273 lethality, 25, 26–27 FTC and, 225–228 mitigating, 237 leak example, 55–60 model corporate cyber program, 232 Sony PlayStation Network, 221–222 risk tolerances, 22 statistical models for risk, 292–296 data, 180 TJX data breach, 220, 226–227, 272 analyzing traffic, 206–207 CVs (cost variances), 155–158, 163–164 backing up, 236 Cyber Defense Policy (NATO), 283 - business transactions, 212–213 cyber intrusions, defined, 195 cryptographic technologies, 193–195 “Cyber Security Incident Reporting and Response Plan encryption, 235–236 ning,” 230 monitoring, 203–205 cyber security incident response plans, 230 packet analyzers, 204 cyber warfare removal/exfiltration, 196 Estonia, 101 data breaches history of, 275–276 business implications, 212–213 Olympic GamesSee also program, computer 102 science; federal costs of, 9, 220, 221, 229, 236 government;UN and, 283 legislation; policies; private sector; Federal Trade Commission and, 225–228 cybersecurity. HIPAA, 223–225 international issues, 282 research; risk management liability for, 219–222 capabilities, 202–208 notifications, 236–237 facets of, 11–13 sentencing penalties, 275 global issues in, 275–284 Sony PlayStation Network, 221–222 history of issues, 3–10 TJX case study, 220, 226–227, 272 model corporate framework, 231–238 types of violations, 187 risks in cyberspace, 15–17 databases, 212–213 Cybersecurity Act of 2012, 102–103 DCA (Defense Communications Agency), 4 cybersecurity coordinator (White House), 101, 103, 259 DDoS attacks (distributed denial-of-service), 10, 198 cybersecurity insurance, 61–62 DEA (Drug EnforcementSee Administration), 72 cybersecurity management framework deadlines, project, 135 best practices, 125 debit cards. credit and debit cards capability-based planning, 136–137 decision-making process, 117–121 civilian agencies, 136–142 declassification of CNCI, 101 congressional/presidential input, 128–131 decryption, 193 CONOPS and op Models, 137–142 defense, as high-level requirement, 136 DHS framework, 125–126 Defense Communications Agency (DCA), 4 high-level requirements, 132–136 Defense Department mission needs statements, 126–127, 132–136 agencies and commands, 71–73 434 Index

ARPANET, 4 risk transfer, 61 CNCI directives, 99 threat shifting, 28 computer procurement, 77 threats, 25 FISMA and, 98 vulnerabilities/vulnerability assessments, 29 on Homeland Security Council, 91 DIA (Defense Intelligence Agency), 71 ISAC participation, 90 Digital Equipment Corporation, 5 managing national cybersecurity threats, 8 digital signatures (domains), 192 planning, programming, budgeting and execution, directivesdirect consequences, defined, 30 127 direct relationships (logit models), 56 WBS budgeting, 150 presidential. See presidential directives Defense Information Systems Agency, 4 disastersdefined, 304 Defense Intelligence Agency (DIA), 72 departmentsDelaware Court of government.of Chancery, 217,See 219 - Denial of Service (DoS) attacks, 198, 203, 204, 275 “catastrophic” label, 31–33 names of specific de risk management models and, 17 partments (Defense Department, DHS, EPA, etc.) threats resulting from, 233 dependent variables (modeling), 56, 292, 293, 294 as unintentional threats, 26 dependent variables (research), 247 disclosures, 228–229, 237 descriptive research, 248 disjoint events (exclusive events), 48–49 detailed technical guidance, 304 disseminating information, as capability, 159 detection, as high-level requirement, 136 distributed denial-of-service attacks (DDoS), 10, 198 DHS (Department of Homeland Security) distribution attacks, 196 agencies collected under, 93–95, 131 district courts, 268 capability-based planning, 136–137 District Design case study Critical Infrastructure Protection Board, 93 budgeting, 149–154 cybersecurity agencies in, 94 cost variances, 156–157 cybersecurity management framework, 125–126 EVM indexes, 298–302 cybersecurity policies,See 97 introduction, 149 cybersecurity reports, 130–131 schedule variances, 155, 158 DHS Risk Lexicon. DHS Risk Lexicon division (voting), 263 EVM systems, 148, 158–164 DNS cache poisoning, 200 expanded scope of government and, 129 DNS (Domain Name System), 188, 192, 277, 278 FISMA and, 102–103, 258 DNSSEC (Domain Name System Security Extensions), founding of, 90–91 192 vs. guidance statements, 130 document classification, 79 infrastructure protection, 93, 104 “doing,” managing, 113–114 military and intelligence agencies, 71–73 domain name registries, 192 mission needs statements, 130–131, 133 Domain Name System (DNS), 188, 192, 277, 278 monitoring system case study, 158–164 Domain Name System Security Extensions (DNSSEC), National Infrastructure Protection Plan, 18, 96, 97 192 “National Strategy to Secure Cyberspace,” 95 DoS (denial of service), 198, 203, 204, 275 National Vulnerability Database, 201 downloading files, 235 program managers, 127 drones, 276 Strategic Plan, 259 Drug Enforcement Administration, 72 structure of, 131 duty of care, 215–222, 238 TIC mandate, 258 EDVDs, 185 warning systems challenges, 112 DHS Risk Lexicon consequences, 30 E-Government Act of 2002, 97, 171 game theory, 56 EA (enterpriseSee architecture), 169 likelihood, 37 EAC (estimate at completion), 157, 301–302 risk assessment, 23 Earned Value. EV (earned value) Index (E) 435

earned value management. See

EVM (earned value “Enterprise Risk Management-Integrated Framework,” management) 239 ecological fallacy, 249 - enterprise servers, 185 economic incentives, 87, 103, 145 Environmental Protection Agency (EPA), 47 EDGAR (Electronic Data Gathering, Analysis, and Re EOP (Executive Office of the President) educatingtrieval), users.229 See training information management functions, 82 .edu domains, 192 National Security Council, 253 effectiveness OMB role, 253–254 effective dates (regulations), 267 OSTP technical advice, 254, 259 research sources, 254 monitoring risks, 62–63, 64 executive orders, 256–258 risk management framework, 16, 20 Federal Register, 259 warning systems, 112 OMB memoranda, 258–259 electricalEinstein 3 grid program, 99–100, 101 OSTP memoranda, 259 Eisenhower administration, 3–4 national security instruments, 255 White House strategy/guidance, 259 California attacks, 276 structure of, 252–253 as critical infrastructure, 85, 87 EOs (executive orders), 256–257, 304 damage and consequences, 32 as authorization, 134 Northeast Blackout, 2003, 92 Bush post-9/11 orders, 90–93, 257 power plants, 229–230 Clinton’s infrastructure protection, 86–87, 256 Electricity Sector Information Sharing and Analysis EO 13010 (PCCIP), 256 Center (ES ISAC), 230 - EO 13011 (CIO Council), 256 Electronic Communications Privacy Act, 270, 272 EO 13228 (Homeland Security), 90–91, 257 Electronic Data Gathering, Analysis, and Retrieval (ED EO 13231 (Cyberspace Security), 92–93, 257 emailGAR), 229 EO 13636 (Critical Infrastructure), 104, 256 electronic voting systems, 263 Federal Register listing, 260 functions of, 74, 256–257 attachments, 195, 235 mission requirements and, 127–130 corporate policies, 235 equationsEPA (Environmental Protection Agency), 47 phishing attacks, 41–46, 197–198 epistemology, 247 testing vulnerability to, 41–46 threats to, 87 consequence equation, 31 as vulnerability, 200 Cost Performance Index, 299–300 EMC Corporation, 212–213 cost variances, 155–157 emergency corporate policies, 237 estimate at completion, 157, 301–302 emergency services, 87, 224See also users estimate to complete, 300, 301 encryptionEmerging Security Challenges Division (NATO), 283 logistic regression equation, 294, 295 employees, 200, 233, 235. logit model, 292 risk equation, 23–25, 34–35 corporate data, 220, 235–236 Schedule Performance Index, 299 methods, 193–194 schedule variances, 154–155 NSA responsibilities, 73 total risk equation, 35 Sony PlayStation breach, 221 errorsvariance percentages, 157–158 TJX data breach, 227 ERM (enterprise risk management), 239 websites, 194 See also electrical grid Energy Department, 72, 87, 96 of omission, 26 energy systems, 87, 96, 229–230. survey design, 288–290 enforcement of law and regulations, 269 espionageES ISAC (Electricity Sector Information Sharing and Enron, 168, 230 Analysis Center), 230 enterprise architecture (EA), 169 enterprise risk management (ERM), 239 attribution, 281 436 Index

corporate, 233 national security instruments, 255 early network threats, 4, 5 White House strategy and guidance, 259 Flame worm, 102, 276 research sources, 250–251 monitoring for, 204 role in cybersecurity law, 69–70 in threat spectrum, 28 structure, 252–253 estimate at completion (EAC), 157, 301–302 National Security Council, 253 estimate to complete (ETC), 157, 300, 301, 302 Office of Science and Technology Policy, 254 Estonia, 101, 275, 276, 283 OMB, 253–254 ETC (estimate to complete), 157, 300, 301, 302 Executive Office memoranda,See 128 ethical hackers, 208 Executive Office of the President, 82, 252–260 Europe, 279, 283, 284 executive orders. EOs (executive orders) European Network and Information Agency, 37 exfiltration, 196 EV (earned value) Exhibit 300 reports, 169–170 cost variances, 156 experimental research, 247 CPI equations, 299–300 experts, RFIsSee and, 143–144 District Design case study, 152–154 explanatory research, 248 EAC equations, 302 exploits. attacks and exploits ETC equations, 300, 301 exploratory research, 248 as percentages, 157–158 Explorer 1, 3 schedule variances, 154–155 external audits, 166–168, 240 SPI equations, 298–299 external constraints, 123 evaluation criteria (RFPs), 146–147 external information gathering, 162 event tree analysis, 49–52 external project information, 119 events in probability analysis, 48–52 external risks, 240 evidence, 281 external threats, 28 EVM (earned value management), 148–149 extortion, 272 budgets, 149–152 Fextrapolation in research, 40 comparing projects, 157–158 DHS monitoring system case study, 158–164 forecasting, 300–302 F-test, 291 indexes, 298–302 Facebook phishing attacks, 197 primary metric breakdown, 153–154 failed projects, 122–123 red, yellow, and green status, 165 false flagging operations, 281 tracking projects (variances), 154–157 false positives, 206 variances as percentages, 157–158 FASA V (Federal Acquisition Streamlining Act), 169 work breakdown structure, 146, 148, 160 fault tree analysis, 50–52, 53, 54 EVM forecasting, 300–302 favorable variances, 155, 156, 158, 298, 299–300 EVM indexes, 298–302 FBI (Federal Bureau of Investigation), 72, 90, 91 EVM primary metric breakdown, 153–154 See also FDA (Food and Drug Administration), 265–266 exclusivepresidents events (probability), 48–49 FedCIRC (Federal Computer Incident Response Center), executive branch of government, 251–252. 94–95 Federal Acquisition Streamlining Act (FASA V), 169 cybersecurity coordinator, 101 Federal Bureau of Investigation, 72, 90, 91 Executive Office of the President, 82, 252–260 federalFederal courts.Computer See Incident Response Center (FedCIRC), Federal Register, 260 94–95 federal regulations, 265–268 judicial branch of government mission requirements, 127, 128–131 federalFederal governmentEmergency Management Agency (FEMA), 93 policy documents, 254 Federalagencies. Energy See Regulatory Commission (FERC), 230 executive orders, 256–258 OMB memoranda, 258–259 names of specific agencies (CIA, FBI, OSTP memoranda, 259 etc.) Index (F-G) 437

Cold War and technology development, 3–4 as vulnerabilities, 30 compliance, 168–169 FISMA (Federal Information Security Management Act) criminal computer access penalties,See 271 research as authorization, 134 cybersources attack capabilities, 37 compliance and reporting, 170–172 departments.cybersecurity Seeresearch documents. establishment of, 258 focus on government resources, 97–98 names of specific departments OMB’s oversight, 102–103, 129 (Defense Department,See DHS, etc.) - requirements, 169 earlyment hackers’ threats, 5–6 scope of, 129 executive branch. executive branch of govern Flame worm, 102, 276 flood hazards, 236 expandedSee scope of, 129 floor debates, 263 growth and information needs, 75 FNR (Federal Network Resilience division), 94 legislation,judiciary. history judicial of. branch See legislation of government focus groups in research, 40 as largest U.S. informationSee Congress agency, 81–82 FOIA (Freedom of Information Act), 79 Food and Drug Administration (FDA), 265–266 legislative branch. food systems, 96See managerial roles, 110 forecasting (EVM), 300–302See also policies.military, Seeintelligence, and civilian agencies, 69–73 foreignissues hackers. nation-state hackers regulations.personal computer See regulations security, 77–81 formulas.foreign relations, See equations 270. global cybersecurity policies (Federal) See also tensions related to cybersecurity, 70, 71, 78–81,See forward selection (modeling), 294 104–105 frameworks, 125. cybersecurity management federalFederal legalInformation system. SecuritySee Management Act. framework; risk management frameworks FISMA framing risks, 19 judicial branch of government assumptions, 19, 21 federalFederal regulations.Network Resilience See regulations division (FNR), 94 constraints, 19, 21–22 Federal Register, 260, 266 illustrated, 16 priorities, 19, 23 Federal Sentencing Guidelines, 274–275 risk management and, 20 Federal Trade Commission Act (FTCA), 226 risk management framework, 16, 17, 18, 19–23 Federal Trade Commission (FTC), 225–228 risk tolerance, 19, 22 FEMA (Federal Emergency Management Agency), 93 trade-offs, 19, 23 FERC (Federal Energy Regulatory Commission), 230 France’s cyber defenses, 37 final events (probability analysis), 51 fraud, 271 final rules (regulations),See 260, 267 fraud scrubs, 222 final total costs, 300–302 freedom issues, 282 finance systems. banking and finance systems Freedom of Information Act (FOIA), 79 financial audits, 167 FTC consent agreements, 226 Financial Privacy Rule, 223 FTC (Federal Trade Commission), 225–228 “FIPS 200 Minimum Security Requirements for Federal FTCA (Federal Trade Commission Act), 226 Information and Information Systems,” 174 FTE (full-time equivalent), 160, 161 fire hazards, 236 funds.functions See (line and staff), 115–117 firewalls, 30 “Funding Information Systems Investments,” 83 corporate networks, 220 G budgets; resources DHS monitoring case study, 162 internal monitoring, 205 phishing attacks and, 198 game theory, 55, 56 role in cybersecurity, 204 GAO (Government Accountability Office), 33 TJX data breach, 227 asset criticality labeling system, 31–33 438 Index

capability definitions, 203 responses to RFPs, 147–148 functions, 264 tensions over control, 78–80 internal monitoring tools, 205 GUI (graphical user interface), 182 proposed federal regulations, 267 guidance, defined, 304 US-CERT failure, 122–123 guidance statements (DHS), 130–131 warning notification, 111 “Guide for the Security Certification and Accreditation gap analysis, 133–134, 135,See 137, 139 of Federal Information Systems” (NIST SP 800-37), GB (gigahertz), 182 172 General Accounting Office. GAOSee Hguilty pleas, 274 general counsel (corporate), 211–212 a General Services Administration. GSA genetic fallacy, 249 H (alternative hypotheses), 39, 49, 291 Georgia, 277 hackers German cyber defenses, 37 attribution, 190, 195, 281 gigahertz (GB), 182 boy genius, 5–6, 27 GLB Financial Modernization Act, 222–223 Computer Fraud and Abuse Act, 270–272 global cybersecurity issues, 275–277 criminal prosecution, 270–272 attribution problems, 281 ethical hackers, 208 Council of Europe, 284 federal crimes, 269–270 foreign relations, 270 federal prosecution process, 273–275 IETF, 192, 278–279, 280 history of, 3–10, 275–276 Internet coordination, 277–279 identity theft, 219, 270, 271, 273 lack of transnational authority, 281–282 nation-state.international Seeissues, 281–282 NATO and, 283–284 monitoring for, 204See goalsUnited Nations efforts, 283 nation-state hackers globalized supply chains, 166, 170 organized crime. organized crime groups personal information breaches, 219–222 CONOPS, 138 prosecution of, 6, 9, 268–275 establishing, 118–119 strength of, 57, 295, 296 failure to establish, 123 in threat spectrum, 28 missions, 114 types of attacks, 187 operational planning model, 124 Wiretap Act, 272 reviewing plans against, 120–121 hard drives, 182, 185 Gonzalez, Albert, 272 hardware, 181 “good faith efforts,” 217–218 insecurity of, 202 “goodness of fit,” 292 procurement.IT systems, 185 See acquisitions and procurement Google, 190, 198, 276 See physical security, 236 .gov domains, 192 harms. See damages Government Accountability Office. GAO securing, 220 GPS tracking devices, 269 Gramm-Leach-Bliley Financial Modernization Act (GLB), hashing, 194–195 - 222–223 Health and Human Services Department, 172, 225, 241 grand juries, 273 Health Information Technology for Economic and Clini graphical user interface (GUI), 182 cal Health Act (HITECH), 225, 241 Great Worm (Morris), 8–9, 270 health insurance companies, 225 green project status, 165 Health Insurance Portability and Accountability Act GSA (General Services Administration) (HIPAA), 172–174, 223–225, 241 Brooks Act procurement, 77 healthcare fraud, 217 functions of, 73 healthcare provider security, 223–225 procurement role, 83 healthcare records, 172–174, 219–222, 223–225 project management/acquisition phase, 143 Heartland Payment Systems, 272 Index (H-I) 439

high-level directives, 127, 128–131, 132–136 attackers (attribution), 190, 195, 281 high-level requirements (HLRs), 132–137 critical infrastructure, 95–97 higher courts, 268 threats, 205–208 higher-order languages, 181 identity theft, 219, 270, 271, 273 HIPAA (Health Insurance Portability and Accountability Identity Theft Penalty Enhancement Act, 270, 273 Act), 172–174, 223–225, 241 IDS (intrusion detection system), 30 HITECH (Health Information Technology for Economic corporate implementation, 237–238 oand Clinical Health Act), 225, 241 DHS monitoring case study, 162 HLRs (high-level requirements), 132–137 internal monitoring, 205 H (null hypotheses),See 39, 49, 290, 291 role in cybersecurity operations, 204 “holes,” patching, 195 signatures and, 206 Homeland Security. DHS vulnerabilities, 30 Homeland Security Act of 2002, 93–95, 129,See 134, 261 warning systems, 111, 207 Homeland Security Council, 91 IETF (Internet Engineering Task Force), 192, 278–279, Homeland Security Presidential Directives. HSPDs 280 honeypots, 207, 237 IGCE (independent government cost estimate), 146– “the hopper,” 261 147 hops, 190 See also Congress ignoring attacks, 207 hosts, 185 IGs (inspectors general), 171 House of Representatives, 261–263. illegal wiretaps, 272 HRA (human reliability analysis), 53 IMP (integrated master plan), 148, 149, 168 HSA (Homeland Security Act of 2002), 93–95, 129, 134, impact, 31 261 identifying for projects, 123 HSPDs (Homeland Security Presidential Directives) identifying in CONOPS, 140 Bush administration, 255 identifying in MNS, 136 HSPD-7 (Homeland Security Presidential Directive “improbable” events, 15–16 7), 7, 95–97, 104, 129, 257 IMS (integrated master schedule), 148, 149, 168 HSPD-23 (Homeland Security Policy Directive 23), in-house monitoring, 204–205 99–102, 257 “in motion” encryption, 194, 198 HTTP protocol, 194 “in the wild” vulnerabilities, 201–202 HTTPS protocol, 194 incentives, 87, 103, 145 “Human Capital” block, 125 incorporation, 214 human error, 41–46, 53, 200, 233 independent events (probability), 48–49 hypotheseshuman reliability analysis (HRA), 53 independent government cost estimate (IGCE), 146– human rights groups, 279 147 independent variables (modeling), 56, 292, 293, 294 creating, 248, 249 independent variables (research), 247 cybersecurity research, 246 indicators (variables), 47, 53 designing, 39 indictments, 273 examples, 39 indirect consequences, 30See also espionage null and alternative, 39, 49, 290, 291 industries.indirect relationships See private (logit sector models), 56 I quantitative testing, 49 industrial espionage, 28.

inferior courts, 268 IANA (Internet Assigned Numbers Authority), 277 information and communications technology (ICT), 166 IBM personal computers, 4–5 information resourcesassurance, 72 ICANN (Internet Corporation for Assigned Names and information auditing, 240–241 Numbers), 192, 277–278, 279 identifyingICT (information and communications technology), 166 data.CIWG See review, data 86 ideal levels of risk, 36 cybersecurity and, 70, 71 440 Index

researching.government’s See growth research in, 81–82 methods; research sourc- dependency, 275 internales and external, 119 diagrammed, 186 DNS system, 192 encryption methods, 193–195 information security, 97, 166, 170–172 global management of, 275 information sharing, 89–90, 103, 223, 230 growth of, 186–187 Information Sharing and Analysis Center (ISAC), 89–90, history of, 179, 185–187 230 IANA/ICANN/IETF, 277–280 information sharing policies, 223 insecurity of, 202 informationInformation technology.Systems Audit See and Control Association operations of, 188–189 (ISACA), 240 origins of, 4 IT systems protocols, 189–190 information technology audits, 167 structure of, 187–188 - Information Technology Management Reform Act Internet Assigned Numbers Authority (IANA), 277 infrastructure.(Clinger-Cohen), See critical83–84, infrastructure126, 168–169 Internet Corporation for Assigned Names and Num information warriors, 28 bers (ICANN), 192, 277–278, 279 Internet EngineeringSee Task Force (IETF), 192, 278–279, initiating events (probability analysis), 50 280 Initiative #3 (CNCI), 99 Internet Protocol. IPv4; IPv6; TCP/IP insider threats, 200, 233 Internet Protocol Security (IPSec), 279 inspectors general (IGs), 171 Internet service providers (ISPs), 188, 202, 204 insurance, 61–62, 238 interstate commerce crimes, 271 integrated master plan (IMP), 148, 149, 168 interviews, 40, 288 intelligenceintegrated master agencies schedule (IMS), 148, 149, 168 intrusion“An Introductory detection Resource systems. Guide See for Implementing - integrity of data, 187 the HIPAA Security Rule” (NIST 800-66), 174 intrusion prevention systems. See IDS (intrusion detec- CNCI directives, 99–102 tion system) FISMA requirements and, 98 investment IPS (intrusion pre ISAC participation, 90 vention system) military and civilian, 71–73 monitoring civilian networks, 100 duty of care, 215–219 intention (threat assessment), 25–26 justifying, 133, 135–136 “Inter-Intra-Agency Requirements” block, 124 SEC disclosures and, 229 intercepting communications, 272 investment advisors, 228 interdependencies (IMS), 148 IP addresses, 189–190 interim final rules, 267 BGP functions, 190–192 internal audits, 166–168, 239–241, 240 DDoS attacks, 198 internal constraints, 123 DNS and, 192, 278 “Internal Control-Integrated Framework,” 239 DNS cache poisoning, 200 internal controls, 230, 239–241 faking, 191–192 internal information gathering, 162 global Internet management, 277–279 internal monitoring, 204–205 human-readable, 192 internal project information, 119 translating, 188 internal risks, 240 vulnerabilities, 190 internationalinternal systems issues. (corporate), See 218 IP (Internet Protocol)(TCP/IP), 187, 188, 189 internal threats, 28 IP (Office of Infrastructure Protection), 94, 131 global cybersecurity issues IPS (intrusion prevention system) International Strategy for Cyberspace, 259 cybersecurity operations role, 204 Internet Einstein 3, 99–100 attacks and exploits, 195–202 internal monitoring, 205 BGP connections, 190–192 signatures and, 206 Index (I-L) 441

as warning system, 207 Kjustification section (MNS), 134, 135–136 IPSec (Internet Protocol Security), 279 IPv4 (Internet Protocol version 4), 189, 279 IPv6 (Internet Protocol version 6), 189, 279 Kennedy administration, 95 Iran keyboards, 181 offensive cyber capabilities, 37 keys (encryption), 193, 271 DDoS attacks, 10, 198 kiddy hackers, 5–6, 27 drones, 276 known exploit signatures, 206 Flame virus, 102, 276 known vulnerabilities, 201 Stuxnet virus, 10, 102, 275–276 LKosovo, 276 ISAC (Information Sharing and Analysis Center), 89–90,- 230 ISACA (Information Systems Audit and Control Associa L-3 security breach, 213 - tion), 240 labor, 109, 125, 146 ISPs (Internet service providers), 188, 202, 204 LACNIC (Latin America and Caribbean Network Infor Israel, 10, 37, 102, 276 mation Centre), 279 “IT Capital Asset Summary,” 170 LANs (local area networks), 188 IT systems, 18 laptops, 182, 183 audits, 167, 173 Latin America and Caribbean Network Information best practices, 126 Centre See(LACNIC), also legislation 279 Clinger-Cohen Act, 126 law enforcement agencies, 89–90, 202, 236–237, 281 communication pathways, 185 laws, 69. corporate assessments, 233 legallawsuits, system. 216–219, See 220, 221–222 corporate governance and, 216 leading questionsSee (surveys), also 288 costs, 160 judicial branch of government Exhibit 300 reports, 169–170 legislation, 304. specific acts of law (Brooks Act, hardware in, 185 Computer Security Act, etc.) health care providers, 224 CIWG review, 86 internal controls, 239–240 compliance, 167 procurement, 83 congressional process, 261–263 repairing, 237 Congress’s mandates, 251, 260 software in, 185 crafting, 74 Sony PlayStation breach, 221 cybersecurity and, 69–70, 261 standards for, 169 federal regulations and, 265–268 systems in, 185 government agencies/branches, 70–74 J vulnerabilities, 30 history of cyber law origins (1945-1984), 74–77 control conflict (1984-1995), 77–81 Java, 181 cyber developments (1995-2001), 81–90 judicial branch of government, 268–270 Homeland Security (2001-2008), 90–98 CFAA rulings, 270–272 CNCI/cyber warfare (2008-present), 99–102 cybersecurity role, 250–251, 269–270 recent developments, 102–104 federal criminal process, 273–275 impact on projects, 123 federal regulations and, 267–268 law, defined, 69 identity theft rulings, 273 mission requirements and, 127, 128 Justice Department, 72, 90 passing bills into law, 261–263 structure of, 268–269 private sector regulations, 222–230 Wiretap Act rulings, 272 protecting personal information,See Congress212 judicial precedent, 269 state laws, 227–228 jurisdiction, 269–270, 281–282 legislative branch of government. Justice Department, 72, 90 lethality, 25, 26–27 442 Index

leveraging technologies, 159 measurable outcomes, 117 liabilities operational planning model, 124–125 data breaches, 219–222 strategies and plans, 114–115 duty of care, 217–218 types of, 109–110See Library of Congress, 264–265 US-CERT failure case study, 122–125 Lieberman, Joseph, 102–103See also managing risks. risk management lifetimes (programs), 133, 135, 136 “marginal” label (GAO), 31–33 likelihood, 37, 38, 59. probability Marine Corps, 71 line functions, 116 Marine Corps Intelligence, 72 linear regression models, 292 mark-up sessions, 262 local area networks (LANs), 188 material costs, 146 local threats, 233 “material information” disclosures, 229 logicLockheed decision Martin, processes, 213 55 mathematical risks, 53–55 logging attacks, 207 MB (megahertz), 182 McAfee Inc., 114, 115 logical fallacies, 249 McVeigh, Timothy, 85 logistic regression equation for probabilities, 294, 295 measurements.MD5 (message digest See metrics hash), and 194–195 measurements logistic regression (logit), 56–57 “Measurement” block, 125 See also logit models, 56–57, 292–293 logs, 236 medical records, 172–174, 219–225. HIPAA Los Alamos National Laboratory, 6 Medicare and Medicaid fraud, 217 lower-order programming languages, 180–181 megahertz (MB), 182 MLulz Security (LulzSec), 19 metricsmemory, and 182, measurements 184–185 M memoranda. See message digest hash (MD5), 194–195

OMB DHS monitoring case study, 163 machine code, 180–181 establishing, 118–119, 123 magnetic badges, 236 EVM accounting, 148 magnitude of risk, 37, 47 EVM measurements, 151–154 mainframe computers, 75–76, 185 failure to establish, 123 malware, 195, 196, 271 FISMA requirements, 171 man in the middle attacks, 198–199 identifying in MNS, 135 “manage” task (risk management), 15 metrics, defined, 117 management and acquisition phase (Op Model), op models, 140–142 143–148 See also operational planning models, 125 “Managementsenior managers of Information Resources,” 83 plan outcomes, 117 managers, 113. program/project managers; in PWSs, 145 qualitative research, 40 compliance and reporting, 166–174 red, yellow, and green status, 165 constraints, 123–124 reviewing plans against, 120–121 coordinating functions, 115–117See - risk research questions, 39 corporations, 214–215 WBS tasks, 150 cybersecurity framework. cybersecurity man milestonesmicrophone activation, 102 agement framework Middle East, 279 in cybersecurity operations, 202 cyclical nature of management, 121 DHS monitoring case study, 160 decision-making processes, 117–121 identifying, 135 earned value management, 148–165 IMS depiction, 148 functions of, 109–110 military.operational See also requirements documents, 140 managinggoals/missions vs. and, 114–115 POA&M documents, 147–148 management and acquisition, 143–148 Defense Department doing, 113–114 agencies and commands, 71–73 Index (M-N) 443

CNCI directives, 99 cybersecurity operations, 203–205 FISMA requirements and, 98 DHS case study, 158–164 role in cybersecurity, 69–71 effectiveness, 62–63, 64 tensions over control, 70, 71, 78–81, 104–105 as high-level requirement, 136 minicomputers, 185 identifying changes in environment, 62–63, 64 missionminimum needs operational statement. values, See 142 internal monitoring, 204–205 misconfiguration, 201 obligations, 221–222 MNS policy monitoring, 205–206 missions, 109 risk management framework, 16, 17, 18, 20 driving projects, 123 tool list, 205 operational planning model, 124–125 Monte Carlo analysis, 53–55 strategies and plans, 114, 115 Morris, Robert Tappan, 8–9, 270 mistakes of logic, 249 Morris worm, 8–9, 270 mitigating damages, 237 mortgage crisis, 218–219 mitigating risks motherboards, 181, 182 federal CIOs role, 84 multi-core processors, 182 as high-level requirement, 136 multiple-choice questions, 288–289, 290 risk levels and, 36 multiple processors, 182 in risk management framework, 16, 20 multivariate statistical analysis, 53–55, 58–60 risk responses, 60, 61 Nmutually-exclusive events (probability), 48–49 Mitnick, Kevin, 5–6 MNS (mission needs statement) authorization section, 134–135 NASA (National Aeronautics and Space Administration), capabilities in, 133–134 47 capability gaps, 133–134 Natanz nuclear facility, 10 courses of action, 135 nation-state hackers developing, 126–127 early cyber spying, 6 high-level input sources, 131, 132–136 international cyber defense capabilities, 37 high-level requirements, 132–137 international law enforcement, 281–282 justification section, 134, 135–136 levels of risk and, 35 lifetimes, 135 monitoring for, 204 outcomes, 135 threat assessments, 27 translating into capabilities, 132–133 National Aeronautics and SpaceSee Administration (NASA), model corporate cybersecurity program, 231 47 board of directors, 231–232 nationalNational coordinatorBureau of Standards. for security, infrastructure NIST protec- business continuity plans, 238 National Communications System, 94, 95 CEO and CIO roles, 232 education and training, 235 tion and counter-terrorism, 88 encryption, 235–236 National Cyber Security Center, 130 - intrusion detection systems, 237–238 National Cyber Security Division (NCSD), 122 penetration testing, 234–235 National Cybersecurity and Communications Integra physical security, 236 tion Center (NCCIC), 94, 122 response program, 236–237 National Cybersecurity Council, 103 risk assessment, 232–234 National Geospatial Intelligence Agency, 72 vendor management, 238 National Infrastructure Advisory Council, 93 written plans, 234 National Infrastructure Assurance Council, 87 monitoring internal controls, 241 National Infrastructure Protection Council (NIPC), monitoring risks 89–90, 94–95, 261 Citigroup lawsuit, 218–219 National Infrastructure Protection Plan (NIPP), 18,See 87, compliance, 62–63, 64 94, 96, 97, 104 corporate implementation, 237–238 National Institute for Standards and Technology. corporate responsibilities, 218 NIST 444 Index

national intelligence workers, 28 BGP connections, 190–192 National Nuclear Security Agency (NNSA), 41–46 - civilian network monitoring, 100 National Policy for Infrastructure Protection, 87 CNCI protections, 99–102 National Policy on Telecommunications and Automat continuous monitoring systems, 122–123 ed Information Systems Security (NSDD-145), 7–8, cybersecurity operation capabilities, 202–208 78–80 denial of serviceSee attacks, 198, 203, 204, 275 National Protection and Programs Directorate (NPPD), early policy decisions, 7–8 94, 122, 131 firewalls. firewalls National Reconnaissance Office, 72 FISMA protection, 97 nationalNational securityScience Foundation, 4 honeypots, 207, 237 National Science Foundation Network (NSFNET), 4 ISP access to, 188 civilian vs. liability for data breaches, 219–222 board of directors role in, 231–232 monitoring case study, 158–164 personal computers military cybersecurity and, 5 control, 70, 71 types of, 188 criminal information access, 270 vulnerabilities, 200–202 zombie networks, 198 procurement function and, 77 Network Security Deployment division (NSD), 94 sentencing and, 275 New Deal agencies, 75 threat spectrum, 28 See New York state law, 216 National Security Act, 253 New Zealand, 279 National Security Agency. NSA Nichols, Terry, 85 National Security Council (NSC), 74, 87, 93, 253 NIPC (National Infrastructure Protection Center), National Security Decision Directives (NSDDs), 7–8, 89–90, 94–95, 261 78–80 NIPP (National Infrastructure Protection Plan), 94, 96 national security instruments, 74, 255See Clinton administration commissions, 87 as authorization, 134 DHS goals in, 97 National Security Policy Directives. NSPDs DHS risk management, 18 “National Strategy to Secure Cyberspace,” 95 Office of Infrastructure Protection, 94, 131 National Vulnerability Database (NVD), 201 replacing, 104 NATO Computer Incident Response Capability (NCIRC), NIST (National Institute for Standards and Technology) 283–284 compliance, 171 - NATO (North Atlantic Treaty Organization), 101, 276, functions of, 73 283–284 “Guide for the Security Certification and Accredita Navy tion of Federal Information Systems,” 171–172 attacks on, 276 IT vulnerabilities list, 30 Office of Naval Intelligence, 71, 72 NIST 800-53 (Recommended Security Controls for NCCIC (National Cybersecurity and Communications Federal Information Systems and Organizations), Integration Center), 94, 122 174 NCIRC (NATO Computer Incident Response Capability), NIST 800-66 (An Introductory Resource Guide for 283–284 Implementing the HIPAA Security Rule), 174 - NCSD (National Cyber Security Division), 122 NVD (National Vulnerability Database), 201 negative relationships (logit models), 56 “Recommended Security Controls for Federal Infor “negligible” label (GAO), 31–33 mation Systems and Organizations,” 174 NERC (North American Electric Reliability Corporation), risk management frameworks, 18, 98 229–230 security practices role, 80 NERC Standard CIP-008-4, 230 Nixon administration, 253–254 Netherlands’ cyber defenses, 37 NNSA (National Nuclear Security Agency), 41–46 network cards, 182 non-experimental research, 247–248 networks non-volatile memory, 184, 185 altering configuration during attacks, 207, 237 noncompliance consequences, 172 anomalies, 162–163, 203, 206–207, 237–238 North American Electric Reliability Corporation (NERC), Index (N-O) 445

229–230 objective values (management), 142–143 North Atlantic Treaty Organization (NATO), 101, 276, objectives, 138, 146 283–284 OCIA (Office of Cyber and Infrastructure Analysis), 94, Northeast Blackout, 2003, 92 131 Norway, 4 ODNI (Office of the Director of National Intelligence), 72 “Not Applicable” answers, 288 off-site back-ups, 236 not-mutually exclusiveSee also alerts; events warning (probability), systems 48–49 OEC (Office of Emergency Communications), 94 notice and comment period, 266–267 Office of Cyber and Infrastructure Analysis (OCIA), 94, notifications. 131 as capability, 203 Office of Cybersecurity and Communications (CS&C), costs of, 236 94, 122, 131 as passive response, 207 Office of E-Government and Information Technology, state laws, 227–228 254 See NPPD (National Protection and Programs Directorate), Office of Emergency Communications (OEC), 94 94, 122, 131 Office of Homeland Security. DHS NRC (US Nuclear Regulatory Commission), 47, 53 Office of Information and RegulatorySee Affairs, 82, 254 NSA (National Security Agency) Office of Infrastructure Protection (IP), 94, 131 civilian/military control tensions, 78–81 Office of Management and Budget. OMB classified computer systems and, 80 Office of National Infrastructure Assurance, 87 Einstein 3 program, 99–100 Office of Science and Technology Policy (OSTP), 254, founding of, 128 259 role in cybersecurity, 71–73 Office of the Director of National Intelligence (ODNI), 72 NSC (National Security Council), 74, 87, 93, 253 Office of the National CounterintelligenceSee Executive NSD (Network Security Deployment division), 94 (ONCIX), 72 NSDD-145 (National Policy on Telecommunications OHS (Office of Homeland Security). DHS and Automated Information Systems Security), 7–8, OIRA (Office of Information and Regulatory Affairs), 82, 78–80 254 NSFNET (National Science Foundation Network), 4 Oklahoma City bomb, 85–86, 256 NSPDs (National Security Policy Directives) Olympiccirculars Games cyberwar program, 102 Bush administration, 255 OMB (Office of Management and Budget) CNCI, 99–102 NSPD-54 (National Security Policy Directive), A-11 (capital assets), 149, 150 nuclear99–102, facilities 130, 257 A-130 (information resource management), 83, nuclear arms, 6, 7 172 Exhibit 300 reports, 169–170 criminal information access, 270 FISMA compliance, 98, 171 human reliability in management, 53 FISMA oversight, 102–103, 129 PRA risk management, 47 functions of, 73 virus attacks, 102,o 276 information management, 82–84 Nuclear Regulatory Commission (USNRC), 47, 53 IT system requirements, 169–170 null hypotheses (H ), 39, 49, 290, 291 memoranda, 258–259 NVD (National Vulnerability Database), 201 M-08-05 (trusted Internet connections), NY BCL (Business Corporation Law of New York State), 138–139 O 216 M-10-28 (DHS responsibilities), 103, 257, 258–259 M-97-02 (funding information systems), 83 Obama administration role of, 253–254 - cybersecurity initiatives and policies, 98–104 TIC mandate, 22, 138–139, 258 Cyberspace Policy Review, 130 ONCIX (Office of the National Counterintelligence Exec executive orders, 104, 256 utive), 72 national security instruments, 104, 255 online retailer examples, 55–60, 292–296 446 Index

passwords online surveys, 289–290 passive responses to threats, 207–208, 237–238 ontology, 246–247 op models (operating models), 142, 143–148, 160 brute force attacks, 193 open-ended questions, 288, 290 corporate data, 220 open standards organizations, 279 corporate policies, 235 operating models (op models), 142, 143–148, 160 corporate systems, 233 Operation Aurora, 276 logit analysis, 295, 296 operational planning models, 124–125 selling, 271 operational processes (CONOPS), 138 strong passwords, 57, 220, 235 operational requirements document (ORD), 140 as vulnerabilities, 200 opting out (financial information), 223 wireless systems, 227 oral communications, 272 patches, 195, 200, 227 ORD (operational requirements document), 140 Patriotic Hacker attacks, 276 - “Organizational Capital” block, 124–125 Payment Card Industry Data Security Standards, 221 organizational structure, 123 PCCIP (President’s Commission on Critical Infrastruc organizations, 109 ture Protection), 86–87, 255, 257 impacts of structures, 123 PCs (personal computers) top-down analysis, 50–52 attacks and exploits, 195–202 organized crime groups, 19 changes in national security and, 77–81 levels of risk and, 35 criminal information access, 271 prosecution, 268–275 cybersecurity operation capabilities, 202–208 risk determination example, 36 early federal policies, 7–8 risk management outline, 20 early years of, 4–5 threat assessment, 25, 26–27 FISMA protection, 97 in threat spectrum, 28 in IT infrastructure, 185 OSTP (Office of Science and Technology Policy), 254, protected computers, 272 259 systems, 182–184 outcomesOSTP Resource Library, 254 virus attacks, 102 “Other” answers, 288 vulnerabilities, 200–202 See also nationalworms, security 8–9 instrument in CONOPS, 140 PDDs (Presidential Decision Directives), 74. defining, 135 measurable, 117 Clinton administration, 74, 255 in op models, 140–142 PDD-63 operational planning model, 124 critical infrastructure protection, 87–90 in PWSs, 145 energy information sharing, 230 regression modeling, 56 HSA elements of, 261 success and, 120 Oklahoma City response, 255 oversightover budget status, 156, 163 replacement of, 257 overriding vetoes, 263 performancepenetration testing, 234–235 percentages (comparing projects), 157–158 congressional, 74 corporate failure, 215–219 APBs, 142 P duty of care, 217 objective and threshold values, 142–143 red, yellow, and green status, 165 performance-based acquisitions, 145–146 p-values, 291 “performance measurement report,” 170 Pacific Bell, 5 personalperformance computers. work statements See (PWS), 144, 145–146 packet analyzers (sniffers), 204, 272 personalperiod of informationperformance (POP), 155, 164 packets, 187, 188–189 PCs Paperwork Reduction Act (PRA), 82, 254 participants in CONOPS, 138 bank sales of, 222 Index (P) 447

civilian vs. business’s duty towards, 212–213 DHS frameworks, 95 military cybersecurity control, 70, 71 FISMA requirements, 98 criminal computer access, 271 history of cybersecurity, 70–74 criminal information access, 273 origins (1945-1984), 7–9, 74–81 customer information leak example, 55–60 control conflict (1984-1995), 77–81 liability for breaches, 219–222 cyber development (1995-2001), 81–90 phishing attacks, 197–198 Homeland Security (2001-2008), 90–98 protected health information, 173 CNCI/cyber warfare (2008-present), 99–102 Sony PlayStation Network breach, 221–222 recent developments, 102–104 spear phishing attacks, 41–46 sentencing, 274 TJX data breach, 220, 226–227, 272 policy directives, 304 personal interviews, 40, 288 policy monitoring, 205–206 PHI (protected health information), 173, 225 POP (period of performance), 155, 164 phishing attacks, 41–46, 197–198 powerpopulation, grid. 41,See 289–290electrical grid phone companies, 188 positive relationships (logit models), 56 phone surveys, 40 - plannedphysical value.security, See 236 power plants, 229–230 plan of action and milestones (POA&M), 147–148 PPBE (planning, programming, budgeting and execu PV (planned value) tion), 127 planning, programming, budgeting and execution PPDs (Presidential Policy Directives), 255 (PPBE), 127 PRA (Paperwork Reduction Act), 82, 254 plans, 114–115 PRA (probabilistic risk assessment) alternative scenarios, 119–120 event tree analysis, 49–52 assessing, 120 fault tree analysis, 50–52, 53, 54 capability-based planning, 136–137 human reliability analysis, 53 choosing, 120 logistic regression equation, 294, 295 CONOPS, 137–140 Monte Carlo analysis, 53–55 executing, 120 quantitative risk determination, 47–48 measurable outcomes, 117 precedents, judicial, 269 op models, 140–142 predicting leaks, 58–60 operational planning model, 124–125 predicting threats, 206–207 POA&M documents, 147–148 predictive analysis, 206–207 See also - plausible deniability, 281 preponderance of evidence, 281 plea bargains, 274 presidential directives, 74, 129. executive or POA&M (plan of action and milestones), 147–148 ders; national security instruments; HSPDs policiesPoindexter, John, 7–8, 78–81, 98 mission requirements and, 127, 128–130 point system (sentencing), 274–275 Presidential Policy Directives (PPDs), 255 presidentsPPD-21, 104 as authorization, 134 Presidential Study Directives (PSDs), 255 federal.compliance, See 167 in CONOPS, 138, 140 agency creation, 266 policies (federal) agency supervision, 74 impact on projects, 123 bill signing or vetoing,See 263 internal controls, 239–240 cybersecurity policySee role, 69–70 mission needs statements and, 128–130 Executive Office of. EOP policy directives, 304 executive orders. EOs policy monitoring, 205–206 as first responders, 251, 252 policies (federal), 69 military or civilian security control policies, 71 agencies involved in, 70–74 mission requirements, 127, 128–131See also crafting, 74 national security instruments, 74 cybersecurity and, 69–70 presidential directives, 74, 129. executive Cyberspace Policy Review, 100–101 orders; national security instruments; HSPDs 448 Index

scope of power, 128–130 - security roles, 231–232 as senior managers, 110 strategy questions, 211–213See President’s Commission on Critical Infrastructure Pro proactive safeguards, 220, 231 tection (PCCIP), 86–87, 255, 256 probabilistic risk assessment. PRA (probabilistic President’s Council on Year 2000 Conversion, 89 risk assessment) prioritiesprimary consequences, defined, 30 probability printers, 182, 183 calculating, 35–37 illustrated, 38 See also privacyFISMA issues requirements, 171 logistic regression equation, 295–296 risk management framework, 16, 20, 21, 23 PRA risk management, 47. PRA civilian vs. predicting leaks with statistical analysis, 58–60 bank sales of personal information, 223 probability distribution, 48 military cybersecurity control, 70, 71 probability sampling, 290 court cases, 269 probability theory, 48–49 IPv6 and, 279 quantitative risk determination, 48–49 policy formation, 74 values, 54 Privacy Rule (HIPAA), 224 probable cause, 273 private corporation governance, 213–215 procurement.procedures, 114, See 167 acquisitions and procurement private-public partnerships processors, 181–182 board of directors role, 231–232 critical infrastructure protection, 70, 85, 87–88, “Products and Services” block, 124 105 professional auditors, 241 DHS agencies charged with, 94, 96 program/project managers, 110, 113 DHS strategies, 259 comparing projects, 157–158 incentives for, 87, 103, 145 compliance and reporting, 166–174 National Infrastructure Assurance Council, 87 CONOPS, 137–140 outlining shared threats, 87, 99 defining capabilities, 136 policy formation, 74 DHS cybersecurity programs, 127 privatepost sector 9/11, 92–93 earned value management, 148–165, 298–302 threats to critical infrastructure, 87 forecasting, 300–302 function coordination, 115–116 business interruption insurance, 238 high-level requirement analysis, 132 corporate governance, 213–222 management and acquisition, 143–148 critical infrastructure owned by, 85 mission needs statements, 126–127 cyber incident reports, 103 objective and threshold values, 142–143 cybersecurity overview, 211–213 op models, 140–142 duty of care, 213–222 tracking projects, 153–157 electrical grid, 229–230 programs.warning See system software example, 110–113 HIPAA compliance, 172–174 programming languages,See 180–181 incentives for partnerships, 87, 103, 145 internal audits and controls, 239–241 project managers. program/project managers legislative requirements, 222–230 proposed bills, 261–264 liabilities, 213–222 proposed rules, 260, 266 partnerships.model cybersecurity See programs, 231–238 prosecution of cybercriminals, 6, 9, 268–275 NSDD-145 computer security issues, 8 prosecutors, 273 private-public partnerships protectionprotected computers, 272 policy formation, 74 protected health information (PHI), 173, 224 protecting critical infrastructure, 70, 85–88, 105 risk management strategies, 212 infrastructure.as capability, 203 See critical infrastructure protection Sarbanes-Oxley Act and, 230 as high-level requirement, 136 SEC disclosures, 228 Index (P-R) 449

networks, 97, 99–102 Reagan administration, 7–8, 74, 78–80, 128 PCs, 97 reason, mistakes of, 249 personal information, 173 reasonable doubt, 274 - protected computers, 272 reckless behavior, 271 protective markings, 79 “Recommended Security Controls for Federal Informa protocol identifier assignments, 277 tion Systems and Organizations” (NIST SP 800-53), protocols, 188, 189–190, 277 174 PSDs (Presidential Study Directives), 255 reconciliation, 263 public corporation governance, 213–215 reconnaissance attacks, 196 public hearings, 260, 262, 266See - recovery from attacks publicships image, 212 business continuity plans, 238 public-private partnerships. private-public partner as capability, 203 corporate policies, 237 PV (planned value) “National Strategy to Secure Cyberspace,” 95 District Design case study, 152–154 red project status, 165 percentages, 157–158 reducing risk (capability), 159 schedule variances, 154–155 regional Courts of Appeals, 268 SPI equations, 299 Regional Internet Registries (RIRs), 278–279 QPWS (performance work statement), 144, 145–146 registries (Internet addresses), 278–279 - regression modeling, 56, 291, 292, 294–295 regulations, 265–266, 304 Quadrennial Homeland Security Review report to Con Code of Federal Regulations, 268 gress (QHSR), 130, 259 compliance, 167 qualitative risk determination, 37–46 Congressional and Judicial roles in, 267–268 quantitative risk determination, 37–39, 47 creating, 266–267 event tree analysis, 49–52 Federal Register publication, 260 fault tree analysis, 50–52, 53, 54 impact on projects, 123 human reliability analysis, 53 regulatory agencies, 236–237 Monte Carlo analysis, 53–55 reliability, 39 online retailer example, 55–60 reliability standards (NERC), 230 statisticalprobabilistic modeling, risk assessment, 55 47–48 reliability tests, 249 questionnaires.probability Seebasics, survey 48–49 designs Reno, Janet, 86 questions reportsrental botnets, 198 repairing systems, 237

advanced research methods/sources, 284–286 audits, 166–168 computer technical fundamentals review, 208 corporate policies, 235, 237 cybersecurity law and policy review, 105–107 DHS cybersecurity reports, 130–131 cybersecurity management review, 174–176 energy grid cybersecurity, 230 private sector cybersecurity review, 242–243 Exhibit 300, 169–170 qualitative research questions, 39–41 federal government practices, 168–169 research questions, 247 FISMA requirements, 170–172 risk determination review, 65–66 health care system breaches, 225 R risk research questions, 38–39 internal controls, 239–240 operational planning model, 125 Sarbanes-Oxley Act, 230 radio signal badges, 236 Requests for Comments (RFCs), 279 RAM (random access memory), 182, 184–185 requests for information (RFIs), 143–144 random sampling, 290 researchrequests forquestions proposals (RFPs), 144–148 ratings agencies, 228 research methods, 245–249 re-engineering backwards, 141 450 Index

creating, 247 cybersecurity insurance, 61–62 dependency on Internet, 275 as high-level requirement, 136 risk research, 38–39 mitigation, 60, 61 spear phishing attack vulnerabilities, 41–46 risk management framework, 16, 17, 18, 20 researchstatistical sources modeling, 56 risk responses, defined, 60 survey design, 288–296 transfer, 16, 20, 60, 61–62 unacceptable risks, 22 Code of Federal Regulations (CFR), 268 response rates (surveys), 42 Council of Europe, 284 responsibilities in CONOPS, 138, 140 executive branch, 251–260, 254 restitution to victims, 273 executive orders, 256–258 results, assessing, 120–121 Federal Register, 260 reviewing warnings, 112 OMB memoranda, 258–259 RFCs (Requests for Comments), 279 OSTP memoranda, 259 RFIs (requests for information), 143–144 national security instruments, 255 RFPs (requests for proposals), 144–148 White House strategy and guidance, 259 Ridge, Tom, 90 GAO website, 264 RIPE NCC (Réseaux IP Européens Network Coordination government documents, 249–251 Centre), 279 Internet Engineering Task Force, 279 RIRsassessing. (Regional SeeInternet Registries), 278–279 legislative, 264–265 risk, 17 Congressional Record, 264 determination. risk See assessments Congressional Research Service, 264–265 framing.benefits of,See 64 proposed bills and law, 264 risk determination NATO, 283–284 framing risks THOMAS.gov, 264 graphing, 33 United Nations, 283 management.internal audits, See 167 - research subjects, 248 levels of, 33–37 resourcesRéseaux IP Européens Network Coordination Centre responding to. See risk management; risk manage (RIPE NCC), 279 ment frameworks responding to risks as constraints, 21 risk equation, 23 decision-making process, 121 risk formula, 23–33 identifying in MNS, 135 severity, 37, 47 impact on projects, 123 tolerances, 16, 20, 21, 22 management and acquisition phase, 143–148 unacceptable, 22 POA&M documents, 147–148 risk assessments, 23–24 risk monitoring and, 63 audits, 240 time and money, 150–152 Cybersecurity Act, 103 trade-offs in risk management, 23 DHS monitoring case study, 161–162, 164 responding to attacks FISMA requirements, 97–98See active responses, 207–208, 237–238 model corporate cyber program, 232–234 containing threats, 61 risk determination and. risk determination corporate plans, 234, 236–237 risk equation, 23–24, 34–35 NATO teams, 284 risk management framework, 16, 17, 18, 20 passive responses, 207–208, 237–238 risk-based decisions, 19, 98 presidents as first responders, 251, 252 risk determination, 33–37 types of responses, 207–208 methodologies, 37–39 responding to risks quadrant diagram, 36 acceptance, 16, 20, 36, 60–61 qualitative methods, 37–46 avoidance, 60, 61 quantitative methods, 37–39, 47–60 as capability, 203 review questions, 65–66 Index (R-S) 451

risk assessmentSee in, 33 schedulesSchedule Performance Index (SPI), 157, 298–299 risk equation, 23–25, 34–35 schedule variances (SVs), 154–158, 163–164 risk framing. framing risks risk management, 15–17 acquisition performance baselines, 142 consequence assessment, 30–33 delays in, 163–164 federal agency roles in, 83–84 DHS monitoring case study, 160 frameworks, 16, 18 Integrated Master Schedules, 148, 149 health care systems, 224 manager’s role, 117 operational planning model, 125 objective and threshold values, 142–143 organized crime example, 20 variances, 154–155 plans, 15 Schmidt, Howard A., 101 presidential directives for, 96 “Scientific Integrity,” 259 private sector strategies, 212 scientific issues, 259 process, 18–19 scientific methods, 248 risk, defined, 17 screen locks, 235 risk assessment, 23–33 search warrants, 272 risk determination, 33–60 SEC (Securities and Exchange Commission), 228–229,- risk formula, 23–33 237 risk framing, 19–23 SECIR (Stakeholder Engagement and Cyber Infrastruc risk managers, 26 ture Resilience division), 94 SEC guidelines, 228–229 Secret Service, 90, 93 strategies, not checklists, 66 sector-specific agencies (SSAs), 96 threat assessment, 25–28 sectors in management framework, 127 threat shifting, 28 secure hash algorithm (SHA-2), 194–195 vulnerability assessment, 29–30 SecurID data breach, 198, 212–213 risk management frameworks, 16, 17, 18, 20 securitySecurities and Exchange Commission (SEC), 228–229, risk managementSee plans, 15 237vs. risk research questions, 38–39 risk responses. responding to risks accessibility, 22 risk tolerances, 16, 20, 21, 22 certification and accreditation, 171–172 roles (CONOPS), 138, 140 OMB role in, 82 Roosevelt administration, 75, 128 security even correlation tools, 205 root server management, 277 Security Rule (HIPAA), 224 routers, 182, 183, 185, 187, 188, 190–192, 198–199 self-administered surveys, 40, 41–46, 288 routing attacks through other countries, 282 Senate, 261–263 routing tables, 190 senior managers, 110, 113, 115, 116 RSA SecurID breach, 198, 212–213 sensitive but unclassified information, 8, 78, 79, 233 rules, 205–206, 266 sensitive-but-unclassified information technology (SBU Russian-Chechen conflict, 276 sentencingIT), 81 Russian Federation, 279 sensitive information, 233 SRussian-Georgian conflict, 277 CFAA offenses, 270–272 cyber criminals, 269 Safeguards Rule, 223 guidelines, 274–275 sample populations, 41, 289–290 September 11, 2001 Sarbanes-Oxley Act (SOX), 168, 230 - executive orders after, 257 satellites, 3 reorganizations after, 90 SBU IT (sensitive-but-unclassified information technol risk planning after, 15–16 ogy), 81 scope of presidential power and, 129 Scalia, Antonin, 269 sequences of events, 50 scanning systems, 201, 205 servers, 185, 204, 220 452 Index

spies. See espionage

service providers (ISPs), 188, 202, 204 severity of attacks, 207 sponsors, bills, 261 severity of risk, 37, 47 spoofed websites, 198 SHA-2 (secure hash algorithm), 194–195 Sputnik, 3 shared threats, 28, 87, 88 SSAs (sector-specific agencies), 96, 104 shareholders, 213, 214, 215–219, 221–222 staff functions, 116 shunning attacks, 207 staffing in models, 125 signaturessignal intelligence, 72 Stakeholder Engagement and Cyber Infrastructure signature-based tools, 99–100, 205, 206, 237–238 Resilience division (SECIR), 94 stakeholders, 138, 140, 160 digital, for DNS, 192 standard deviations, 291 IDS/IPS tools, 206 standards, 304 internal monitoring, 205 state attorneys general, 220 known exploits, 206 state court jurisdictions, 269–270 threat signature technology, 99–100, 237–238 State Department, 72 simulating attacks, 206–207, 234–235 state laws, 227–228 SME (subject matter expert), 161 statements of objectives (SOOs), 144, 146 sniffers (packet analyzers), 204, 272 statements of work (SOWs), 144 social engineering attacks, 235 statistical modeling, 290–292 social media phishing attacks, 197 Monte Carlo analysis, 53–55 Socialantivirus. Security See numbers, antivirus 273 software online retailer probability example, 55–60 software, 182 predicting leaks, 58–60 quantitative risk determination, 55 exploits, 195 regressionSee modeling, also legislation 56 IDS/IPS tools, 206 “statistically significant,” 290, 291 insecurity of, 202 statutes, 304. in IT systems, 185 steps (op models), 141 malware, 195, 196, 271 stock, 213–214, 228–229, 238 programs, defined, 181 stock values, 212 signature-based tools, 99–100, 205, 206, 237–238 storage, 184–185 vulnerabilities, 200–202 strategic objectives in models, 124 Sony PlayStation Network, 221–222 “Strategic Risk Management” block, 125 SOOs (statements of objectives), 144, 146 strategies, 114, 115 South Ossetia,See 277 also alternative scenarios, 119–120 sovereignty, 282 capability-based planning, 136–137 Soviet Union. Russian Federation choosing, 120 Cold War, 3, 76, 78 CONOPS, 138 computer security and, 78 executing, 120 Sputnik, 3 mission needs statement, 133 SOWs (statements of work), 144 - operational planning model, 124–125 SOX (Sarbanes-Oxley Act), 168, 230 strengths in models, 124–125 SP 800-37 (Guide for the Security Certification and Ac strong passwords, 57, 220, 235 creditation of Federal Information Systems), 171 Stuxnet, 10, 37, 275–276 space allocation (ICANN), 277 subject matter experts (SMEs), 161 Space Race, 3 subprime mortgage crisis, 218–219 spam filters, 197 supercomputing centers,See also 4 - Speaker of the House, 262 supplyment chains, 166, 170 spear phishing attacks, 41–46, 197–198 Supreme Court, 268. judicial branch of govern Special Advisor for Cyberspace Security, 93, 257, 259 speed of processors, 182 survey designs, 288–299 SPI (Schedule Performance Index), 157, 298–299 building models, 293–296 Index (S-T) 453

logit models, 292–293 mission needs statements, 133 NNSA example, 41–46 model corporate program, 232–233 qualitative risk determination, 39–41 threat environments, 133 response rates, 42 threat shifting, 28 sample populations, 289–290 threat signature technology, 99–100 statistical models, 290–292 threats,assessing. 23, 25 See threat assessment SVs (schedule variances), 154–158, 163–164 analyzingSee consequences/vulnerabilities, 33–37 symbols, fault tree, 52, 53 Syria, 276 attacks. attacks and exploits systems, computer, 140, 182–184, 185, 195 corporate governance and, 216 Tsystems of systems, 182–184, 187 critical infrastructure focus, 87 espionage, 4 evolution in, 105 t-test, 291 growthexternal, in, 28 99 target audiences, 111, 112, 113 factors aiding in, 202 “targeted and actionable” warnings, 112–113 targets, 25, 27, 190, 202 identifying, 38, 133, 205–208 tasks, 120, 148, 150 - increases in, 33 Taves, Kenneth H., 222–223 insider, 200, 233 TCP/IP (Transmission Control Protocol/Internet Proto internal, 28 col), 187, 188, 189 malware, 195, 196, 271 technical audits, 167 risk assessment and, 23 tensionstechnical guidance, 304 in risk determination, 36 telephone surveys, 40 in risk equation, 23 in risk management framework, 16, 20 between military and civilian control, 70, 71, shared, 8, 87 78–81, 104–105 signature technology, 99–100, 205, 206, 237–238 terrorismbetween security and freedom, 282 simulating, 206–207 terminating sessions, 207 spectrum, illustrated, 28 worms.threat environments, See worms 133 aggravated identity theft, 273 threat shifting, 28 board of directors role in prevention, 231–232 counterterrorism reviews, 100–101 threshold values, 142–143 international issues, 281 TIC Access Providers, 22 monitoring for, 204 TIC (Trusted Internet Connection), 22, 138–139, 141, Oklahoma City, 1995, 85–86 258 September 11th, 2001, 15–16, 129 time in budgets, 150–152 in threat spectrum, 28 time-out tries, 295, 296 World Trade Center, 1993, 85 timelines, 120 testingtest groups, 247 TJ Maxx, 220 test statistics, 290 TJX data breach, 220, 226–227, 272 TLDs (top level domains), 192 FISMA requirements, 98 tokens, security, 213 hypotheses, 248–249 tolerances, risk, 16, 20, 21, 22 penetration testing, 234–235 top-down analysis, 50–52 risk research questions, 39 top level domains (TLDs), 192 threattheories assessment (cybersecurity research), 246 total risk equation, 35 THOMAS.gov, 264 tracking projects atypical variances, 302 components, 25–28 comparing projects, 157–158 DHS monitoring case study, 161–162 EVM budgeting, 153–158 454 Index

EVM indexes, 298–300 Internet number registry, 278 over budget status, 163 Stuxnet virus, 10, 102, 275–276 trade-offsred, yellow, and green status, 165 United States v. Jones, 269 variances, significance of, 165 units of analysis, 248, 249 unknown vulnerabilities, 201–202 risk management framework, 16, 20, 21, 23 updating tools, 238 trainingsecure websites, 59 U.S. Attorneys, 273, 274 trade secrets, 233 U.S. Computer Readiness Team (US-CERT), 122–123 U.S. Cyber Command, 73 corporate programs, 235 US-CERT (U.S. Computer Readiness Team), 122–123 costs, 160 usersUSB memory sticks, 185 education as capability, 159 “useful life,” defined, 149 FISMA requirements, 98 health care systems, 224 behavioral detection, 206 transnationaltransferring risks, issues. 16, See 20, 60, 61–62 in cybersecurity operations, 202 Transmission Control Protocol (TCP/IP), 187, 188, 189 numbers of, in modeling, 57, 295, 296 global cybersecurity issues user-friendly websites, 58, 59 transparency in corporate governance, 215 as vulnerabilities, 200 transportation systems, 85, 87, 96 USNRC (Nuclear Regulatory Commission), 47, 53 travel costs, 146, 160 VUSSC (United States Sentencing Commission), 274 Treasury Department, 72 treaties, 284 trial courts, 268 validity tests, 249 trial-out tries, 295, 296 values (binary code), 180 trials, 274 variables Trojan horses, 196 logit models, 292 Truman administration, 128 PRA risk management, 47 trust, customers, 220, 238 regression modeling, 56 trust protocols, 179, 188, 191–192, 198–199 research, 248 Trusted Internet Connection (TIC), 22, 138–139, 141, test statistics, 291 258 variances (EVM) Trusted Internet Connections Initiative, 138–139, 258 vs.atypical, 302 Twitter phishing attacks, 197 comparing projects, 157–158 UTyco, 230 EVM indexes, 298 favorable/unfavorable, 155, 156, 158, 298, 299– 300 unacceptable risks, 22 percentages, 157–158 unauthorized access, 9 significance of, 165 unclassified information, 79 understanding, 154–158 unconstitutional regulations, 267–268 variance triangle, 156 under budget status, 156 vendors/contractors undesired events (probability analysis), 51 compliance, 168 unfavorable variances, 155, 156, 158, 298, 299–300 cybersecurity operations, 202 unintentional threats, 25–26 health care systems, 224 United Kingdom cyber defenses, 37 IMS documents, 148 United Nations cybersecurity efforts, 283 POA&M documents, 147–148 Unitedgovernment. State Sentencing See Commission (USSC), 274 policies for managing, 238 Unitedgovernment States agencies. See under PWS documents, 145 Federal government RFIs and, 143–144 agency names (i.e., RFP responses, 147–148 Defense Department, EPA) security breaches, 213 Index (V-Z) 455

selection, 147–148 as capability, 203, 207 vetoingSOO documents, 146 effectiveness, 112 threats resulting from, 233 as high-level requirement, 136 importance of warnings, 111 bills, 263 management, 110–113 regulations, 267 too many warnings, 112, 113 virusvictims, software. 273, 275 See antivirus software US-CERT failure, 122–123 virusesviolating policies, 205–206 water systems,See 87, 96 WBS (work breakdown structure), 146, 148, 160 weaknesses. vulnerabilities capabilities, 196 websites See Coreflood virus, 198 cyber attacks, 276 criminal prosecution, 271 District Design. District Design case study Flame, 102, 276 DNS cache poisoning, 200 government efforts to focus on, 87 encrypting, 194 Stuxnet, 10, 102, 275–276 fraudulent credit card usage, 222 viva voce, 263 history of, 185–186See also voicemail hacking, 5 phishing attacks, 197–198 volatile memory, 184–185 White House, 259, 276. EOP; presidents volunteer sampling, 289–290 wide area networks (WANs), 188 voting, 263 WiFi networks, 198, 227 vulnerabilities, 23, 195–196 wireless systems, 198, 227 analyzing threats/consequences, 33–37 Wiretap Act, 272 assessing, 23, 29–30, 161–162, 232, 233 work breakdown structure (WBS), 146, 148, 160 BGP, 191–192 Working Group on Web Security, 280 complexity of systems and, 184 World Summit on the Information Society (WSIS), 283 corporate governance and, 216 World Trade Center attacks databases of, 201 1993, 85 DHS monitoring case study, 161–162 2001, 15–16, 90–99, 129, 257 hash detection methods, 195 wormsWorld Wide Web, 9, 185–186 human, known, and unknown, 200–202 WorldCom, 168, 230 identifying, 38 increases in, 33 capabilities, 196 Internet, 179 criminal prosecution, 271 IP addresses, 190 Flame, 102, 276 mainframes, 76 Morris, 8–9, 270 “National Strategy to Secure Cyberspace,” 95 Stuxnet, 10, 102, 275–276 personal computers, 78–80 written cybersecurity plans, 234 public-private shared research, 87 YWSIS (World Summit on the Information Society), 283 risk determination, 36 risk equation, 23 risk management framework, 16, 20 Y2K preparations, 89 trust protocols and, 188 Zyellow project status, 165 vulnerability assessments, 23, 29–30, 161–162, 232, W233 z-test, 291 zero-day exploits, 195, 201–202, 206 WANs (wide area networks), 188 zombie networks, 198 War Games, 6 Warner Amendment, 81 warning systems, 110–113