Why Web Application Firewall (WAF)  Cisco Web Application Firewall Overview  Network Deployment Examples  GUI Demo  Q&A

Total Page:16

File Type:pdf, Size:1020Kb

Why Web Application Firewall (WAF)  Cisco Web Application Firewall Overview  Network Deployment Examples  GUI Demo  Q&A Protecting Web Applications with Web Application Firewall Ong Poh Seng Data Center Architect [email protected] Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1 Agenda Why Web Application Firewall (WAF) Cisco Web Application Firewall Overview Network Deployment Examples GUI Demo Q&A Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2 Off the press … more than 45 million credit and debit card numbers have been stolen from its IT systems … Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 3 Focus of today’s attacks 75% of Attacks Focused Here Custom Web Applications Customized Packaged Apps Internal and 3rd Party Code Business Logic & Code Web Application Database Servers Servers Servers Operating Operating Operating Systems Systems Systems Network IDS Network Firewall IPS No magic signatures or patches for your custom PHP script Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 4 The Payment Card Industry (PCI) Data Security Standard 1. Install and maintain a firewall configuration to Build and protect data Maintain a 2. Do not use vendor-supplied defaults for system Secure Network passwords and other security parameters 3. Protect stored data Protect Cardholder Data 4. Encrypt transmission of cardholder data and sensitive information across public networks Maintain a 5. Use and regularly update anti-virus software Vulnerability Management 6. Develop and maintain secure systems Program and applications 7. Restrict access to data by business Implement need-to-knowSection 6.5: develop secure web apps, cover Strong Access 8. Assign a unique preventionID to each person of withOWASP vulnerabilities Control computer access Measures 9. RestrictSection physical 6.6:access Ensure to cardholder all web-facing data apps are Regularly 10. Track and monitorprotected all access to against network known attacks using Monitor and Test resources and cardholdereither of data the following methodsNo change with Networks 11. Regularly test security systems• secure and codingprocesses practices PCI 1.2! Maintain an • installing a Web App FW Information 12. Maintain a policy that addresses Security Policy information security Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 5 What sort of attacks are we talking about? http://www.owasp.org How widespread these attacks are Top 10 Source: WhiteHat Security, 2007 Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 6 Why Not Fix Current Applications? Every 1000 lines of code averages 15 critical security defects (US Dept of Defense) The average business app has 150,000-250,000 lines of code (Software Magazine) The average security defect takes 75 minutes to diagnose and 6 hours to fix (5-year Pentagon Study) Even if you consider those figures are exaggerated (positively or negatively) the cost of fixing applications is prohibitive WAF always a very financially sound option! Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 7 Question? Which of the following are some examples of the PCI DSS requirements? A. Install a Web B. Need for Anti -Virus Application Firewall update C. Encrypt transmission D. Prevention of OWASP of cardholder data vulnerabilities Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 8 Product Overview Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 9 SDN Secured Data Center: big picture and where does ACE WAF play? Data Center Edge Web Access Apps and Storage Mgmt • Firewall & IPS • Web Security Database • Data Encryption • Tiered Access • DOS Protection • Application Security • XML, SOAP, AJAX •In Motion • Monitoring & • App Protocol Inspection • Application Isolation Security •At Rest Analysis • Web Services Security • Content Inspection • XDoS Prevention • Stored Data • Role-Based • VPN termination • SSL • App to App Security Access Control Access • Email & Web Access Encryption/Offload • Server Hardening • Segmentation • AAA Access control • Server Hardening Control ACE ACS IronPort ACE WAAS E-Mail Security WAF CSA CSM Tier 1/2/3 CSA-MC MDS Storage CW-LMN IronPort w/SME ACE Web Security WAF Application ASA CSA Servers Cat6K CSA CSA MARS FWSM CSA ACE WAF Web Servers IronPort Database Tape/Off-site Web Security Servers Backup Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 10 ACE Web Application Firewall (WAF) Drop-in solution for PCI Compliance , Virtual App Patching , Data Loss Prevention Secure – Deep packet protection of the most common vulnerabilities Fast – Processes 3,000+ TPS and 10,000+ concurrent connections Drop-in - Does not require recoding applications, deployable in under an hour PCI 6.5/6.6 compliance is just a few clicks away Available Now! Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 11 Not Just Signatures - Comprehensive Security Active Security Message Content Search and Replace Signature-Based Inspection Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 12 Network Deployment Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 13 ACE WAF Network Deployment WAF deploys as a full reverse proxy Must have load balancer for HA, failover (ACE is great for this!) Always performs source NAT on traffic –HTTP header insert exposes source IP to server ACE WAF can optionally terminate SSL –No client cert validation without AXG license Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 14 Clustering: Separate Manager 2 or more appliances running Firewall component 1 appliance running Manager component Firewall Manager Firewall Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 15 Perimeter security: One-armed proxy •Traffic passes through ACE twice •Easy to insert into existing ACE deployment •Allows for fail-open or fail-closed configuration Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 16 Perimeter Security: Two-armed proxy Public VIP: 63.90.156.60 10.30.1.1 Internet ACE 10.30.1.151 10.30.1.152 Web Application Application Consumers Switch ACE WAFs 10.20.1.1 10.20.1.151 10.20.1.152 VIP: 10.20.1.200 10.10.1.1 ACE 10.10.1.1010.10.1.11 10.10.1.12 Application Switch •Different contexts on same physical ACE Web Application can be used on both sides Providers •Best practice when backend is multiple hops from ACE WAF, need DMZ separation Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 17 One-armed: Terminate SSL at ACE Each flow carries request and corresponding response •Request in direction of arrow •Response in opposite direction Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 18 One-armed: Terminate SSL at ACE XML Gateway Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 19 Alternative Network Deployment Model AXG Web WWW1 Application HTTP Firewall Internet Full Reverse WWW2 Proxy External HTTP and XML Web Services WWW3 Consumers Portal Portal WWW WWW DNS Points to AXG WAF when Asked for WWWx The AXG Web Application Firewall is a full reverse proxy. In other words, you can have the DNS server point to the IP address of the AXG to represent the actual Web server. At that point, the AXG accepts all requests destined to the Web server, filters them, and sends them out. The response comes back to the WAF as well for total control of the session. Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 20 WAF GUI Demo Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 21 Cisco ACE Web Application Firewall Summary Full-featured Web application firewall with integrated XML firewall Extend protection for traditional HTML-based Web applications to modern XML- enabled Web services applications. Access enforcement Secure applications from unauthorized access with AAA enforcement mechanism Positive and Negative security enforcement Enjoy the best of both worlds by keeping bad traffic patterns out and allowing only good traffic through. Human assisted learning Deploy policies and profiles in monitoring mode to prevent application downtime due to false positives typical in an automated learning environment. Policy-based provisioning Achieve increased developer productivity and ease of deployment with sophisticated GUI, rollback, and versioning capabilities. Defense-in-Depth Should Include a Web Application Firewall that Can Quickly, Effectively, and Cost-Effectively Block Attacks at Layers 5–7. Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 22 Q and A Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 23 Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 24.
Recommended publications
  • A Study of Android Application Security
    A Study of Android Application Security William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri Systems and Internet Infrastructure Security Laboratory Department of Computer Science and Engineering The Pennsylvania State University enck, octeau, mcdaniel, swarat @cse.psu.edu { } Abstract ingly desire it, markets are not in a position to provide security in more than a superficial way [30]. The lack of The fluidity of application markets complicate smart- a common definition for security and the volume of ap- phone security. Although recent efforts have shed light plications ensures that some malicious, questionable, and on particular security issues, there remains little insight vulnerable applications will find their way to market. into broader security characteristics of smartphone ap- In this paper, we broadly characterize the security of plications. This paper seeks to better understand smart- applications in the Android Market. In contrast to past phone application security by studying 1,100 popular studies with narrower foci, e.g., [14, 12], we consider a free Android applications. We introduce the ded decom- breadth of concerns including both dangerous functional- piler, which recovers Android application source code ity and vulnerabilities, and apply a wide range of analysis directly from its installation image. We design and exe- techniques. In this, we make two primary contributions: cute a horizontal study of smartphone applications based on static analysis of 21 million lines of recovered code. We design and implement a Dalvik decompilier, • Our analysis uncovered pervasive use/misuse of person- ded. ded recovers an application’s Java source al/phone identifiers, and deep penetration of advertising solely from its installation image by inferring lost and analytics networks.
    [Show full text]
  • Best Practices: Use of Web Application Firewalls
    OWASP Papers Program Best Practice: Use of Web Application Firewalls Best Practices: Use of Web Application Firewalls Version 1.0.4, March 2008, English translation 25. May 2008 Author: OWASP German Chapter with collaboration from: Maximilian Dermann Mirko Dziadzka Boris Hemkemeier Achim Hoffmann Alexander Meisel Matthias Rohr Thomas Schreiber OWASP Papers Program Best Practice: Use of Web Application Firewalls Abstract Web applications of all kinds, whether online shops or partner portals, have in recent years increasingly become the target of hacker attacks. The attackers are using methods which are specifically aimed at exploiting potential weak spots in the web application software itself – and this is why they are not detected, or are not detected with sufficient accuracy, by traditional IT security systems such as network firewalls or IDS/IPS systems. OWASP develops tools and best practices to support developers, project managers and security testers in the development and operation of secure web applications. Additional protection against attacks, in particular for already productive web applications, is offered by what is still a emerging category of IT security systems, known as Web Application Firewalls (hereinafter referred to simply as WAF), often also called Web Application Shields or Web Application Security Filters. One of the criteria for meeting the security standard of the credit card industry currently in force (PCI DSS - Payment Card Industry Data Security Standard v.1.1) for example, is either a regular source code review or the use of a WAF. The document is aimed primarily at technical decision-makers, especially those responsible for operations and security as well as application owners (specialist department, technical application managers) evaluating the use of a WAF.
    [Show full text]
  • Opentext Product Security Assurance Program
    The Information Company ™ Product Security Assurance Program Contents Objective 03 Scope 03 Sources 03 Introduction 03 Concept and design 04 Development 05 Testing and quality assurance 07 Maintain and support 09 Partnership and responsibility 10 Privavy and Security Policy 11 Product Security Assurance Program 2/11 Objective The goals of the OpenText Product Security Assurance Program (PSAP) are to help ensure that all products, solutions, and services are designed, developed, and maintained with security in mind, and to provide OpenText customers with the assurance that their important assets and information are protected at all times. This document provides a general, public overview of the key aspects and components of the PSAP program. Scope The scope of the PSAP includes all software solutions designed and developed by OpenText and its subsidiaries. All OpenText employees are responsible to uphold and participate in this program. Sources The source of this overview document is the PSAP Standard Operating Procedure (SOP). This SOP is highly confidential in nature, for internal OpenText consumption only. This overview document represents the aspects that are able to be shared with OpenText customers and partners. Introduction OpenText is committed to the confidentiality, integrity, and availability of its customer information. OpenText believes that the foundation of a highly secure system is that the security is built in to the software from the initial stages of its concept, design, development, deployment, and beyond. In this respect,
    [Show full text]
  • The OWASP Application Security Program Quick Start Guide
    Quick Start Guide The OWASP Application Security Program Quick Start Guide Five Days to Setting Up an Application Security Program Quickstart Guide About this Guide This guide is intended to be a short, straightforward introductory guide to standing-up or improving an Application Security Program1. The intended goal of the AppSec program is to implement measures throughout the code’s life- cycle to prevent gaps in the application security policy or the underlying system through flaws in the design, development, deployment, upgrade, or maintenance of the application. The application security program should effectively manage the security of its application systems, protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability. A fundamental component of this improved application security management is the ability to demonstrate acceptable levels of risk based on defined KPIs, including but limited to: 1. The number of vulnerabilities present in an application 2. The time to fix vulnerabilities 3. The remediation rate of vulnerabilities 4. The time vulnerabilities remain open The application security program deliverables include a holistic view of the state of security for each application, identifying the risks associated with the application and the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in one or more of these areas. Audience The intended audience of this document is anyone from security engineers, developers, program managers, senior managers or a senior executive. This guide should be considered the start of a comprehensive approach, it is intended to give the basic questions and answers that should be asked by those who are in charge of the application security program in your organization, this includes those responsible for managing the risk of the entire organization.
    [Show full text]
  • 5 Things You Need to Know About a Web Application Firewall
    5 Things You Need to Know about a Web Application Firewall A NEUSTAR SECURITY SOLUTIONS EXCLUSIVE www.security.neustar 5 Things You Need to Know about a Web Application Firewall Table of Contents 1. What is a WAF? 03 2. Why Are Attackers Interested in Your Applications? 04 3. Why Do You Need a WAF? 05 4. Key Features to Expect from a WAF 06 5. Not All WAFs Are Equal 08 About Neustar 09 01 5 Things You Need to Know about a Web Application Firewall Web Application Firewall (WAF) is a priority item for IT professionals who are struggling to protect their customer facing and mission- critical applications. From SQL injection attacks to cleverly executed distributed denial of service (DDoS) attacks, attackers are enjoying success in areas where a WAF would otherwise stop their progression. But before you go out and buy a WAF service, here are five things you need to know. 5 Things You Need to Know about a Web Application Firewall What is a WAF? At its core, a Web Application Firewall (WAF) is responsible for inspecting the Hypertext Transfer Protocol (HTTP) request and responding based on predefined rules;processing preset actions against questionable HTTP/HTTPS requests identified during the inspection phase or the HTTP/HTTPS connection validity check; logging the malicious HTTP/HTTPS requests identified during the inspection; andmanaging visits to websites. Generally speaking, WAFs detect and protect web applications from attacks that try to exploit vulnerabilities. WAFs serve as a way to enhance the security perimeter by providing an additional barrier between attackers and your application layer.
    [Show full text]
  • Cybersecurity in a Digital Era.Pdf
    Digital McKinsey and Global Risk Practice Cybersecurity in a Digital Era June 2020 Introduction Even before the advent of a global pandemic, executive teams faced a challenging and dynamic environ- ment as they sought to protect their institutions from cyberattack, without degrading their ability to innovate and extract value from technology investments. CISOs and their partners in business and IT functions have had to think through how to protect increasingly valuable digital assets, how to assess threats related to an increasingly fraught geopolitical environment, how to meet increasingly stringent customer and regulatory expectations and how to navigate disruptions to existing cybersecurity models as companies adopt agile development and cloud computing. We believe there are five areas for CIOs, CISOs, CROs and other business leaders to address in particular: 1. Get a strategy in place that will activate the organization. Even more than in the past cybersecurity is a business issue – and cybersecurity effectiveness means action not only from the CISO organiza- tion, but also from application development, infrastructure, product development, customer care, finance, human resources, procurement and risk. A successful cybersecurity strategy supports the business, highlights the actions required from across the enterprise – and perhaps most importantly captures the imagination of the executive in how it can manage risk and also enable business innovation. 2. Create granular, analytic risk management capabilities. There will always be more vulnerabilities to address and more protections you can consider than you will have capacity to implement. Even companies with large and increasing cybersecurity budgets face constraints in how much change the organization can absorb.
    [Show full text]
  • CGSS DS US R2.Indd
    Gateway Content Anti-Virus Filtering Anti- ViewPoint Spyware Intrusion 24x7 Prevention Support SonicWALL Comprehensive Gateway Security Suite NETWORK SECURITY Complete Network Security in a Single Integrated Package Understanding network security can be complicated, but ensuring that your network is secure from malicious threats shouldn’t be. SonicWALL Comprehensive Security Suite (CGSS) removes the complexity associated with choosing a host of add-on security services by integrating all the network security services required for total protection into a convenient, aff ordable package that turns any SonicWALL network security appliance into a complete solution. Available on E-Class NSA, NSA and TZ Series network security appliances, SonicWALL CGSS keeps your network safe from viruses, spyware, worms, Trojans, intrusion attacks and other online threats. As soon as new threats are identified and often before software vendors ■ Complete network can patch their software, the SonicWALL security solutions are automatically updated with security solution signatures that protect against these threats and stop attacks before they can make their way into your network, ensuring you have around-the-clock protection. Your SonicWALL solution ■ Gateway anti-virus, anti-spyware and also has the ability to manage internal access to inappropriate, unproductive and potentially intrusion prevention illegal Web content with comprehensive content filtering. Finally, this powerful services ■ Application Firewall bundle also includes around-the-clock technical support, crucial firmware updates and real-time reporting capabilities. ■ Content filtering SonicWALL Comprehensive Security Suite includes the following: ■ 24x7 Support with ■ Gateway Anti-Virus, Anti-Spyware, Intrusion Prevention and Application Firewall* Service firmware updates subscription ■ ViewPoint reporting ■ Content Filtering Service subscription – Premium Edition on E-Class NSA, NSA and software TZ 210/200/100 Series.
    [Show full text]
  • Digital Finance and Data Security
    Digital Finance and Data Security How Private and Secure Is Data Used in Digital Finance? September 2018 AUTHOR Patrick Traynor Acknowledgements Introduction 1 We gratefully acknowledge the Data Privacy and Security Issues in Online Lending 1 generous support provided by the Digital Finance Providers Evaluated 3 Center for Financial Inclusion at Accion, without which this work 1. Privacy Analysis 5 would not have been possible. We Methodology 5 would particularly like to thank Sonja Results 7 Kelly, Director of Research, and Pablo Antón Díaz, Research Manager, for not Conclusions 10 only helping us to work productively with security stakeholders around 2. Security Analysis 11 the world, but also for their tireless Methodology 11 efforts to ensure that these issues are Results 17 prioritized and addressed. Conclusions 25 We also wish to thank Jasmine Bowers, Kevin Butler, and Imani 26 Sherman of the University of Florida, 3. Terms of Service Analysis all of whom made significant contributions to the successful 4. Conclusions and Recommendations 28 completion of this work. Annex A Word Count vs. Average Reading Grade Level of Privacy Policies 30 Annex B Digital Lenders Evaluated and Analyses Performed 32 Notes 33 Introduction Data Privacy and Security Issues Amounts and loan maturities vary from very in Online Lending short-term “nano” loans of a few dollars to Mobile phones and networks are transforming medium-term small business loans of a few the world of finance, creating opportunities hundred or some thousands of dollars. Some for widespread financial inclusion, especially companies have grown to substantial — even among neglected regions and groups.
    [Show full text]
  • Top 10 Cyber Crime Prevention Tips
    Top 10 Cyber Crime Prevention Tips 1. Use Strong Passwords Use different user ID / password combinations for different accounts and avoid writing them down. Make the passwords more complicated by combining letters, numbers, special characters (minimum 10 characters in total) and change them on a regular basis. 2. Secure your computer o Activate your firewall Firewalls are the first line of cyber defense; they block connections to unknown or bogus sites and will keep out some types of viruses and hackers. o Use anti-virus/malware software Prevent viruses from infecting your computer by installing and regularly updating anti-virus software. o Block spyware attacks Prevent spyware from infiltrating your computer by installing and updating anti- spyware software. 3. Be Social-Media Savvy Make sure your social networking profiles (e.g. Facebook, Twitter, Youtube, MSN, etc.) are set to private. Check your security settings. Be careful what information you post online. Once it is on the Internet, it is there forever! 4. Secure your Mobile Devices Be aware that your mobile device is vulnerable to viruses and hackers. Download applications from trusted sources. 5. Install the latest operating system updates Keep your applications and operating system (e.g. Windows, Mac, Linux) current with the latest system updates. Turn on automatic updates to prevent potential attacks on older software. 6. Protect your Data Use encryption for your most sensitive files such as tax returns or financial records, make regular back-ups of all your important data, and store it in another location. 7. Secure your wireless network Wi-Fi (wireless) networks at home are vulnerable to intrusion if they are not properly secured.
    [Show full text]
  • Trojans and Malware on the Internet an Update
    Attitude Adjustment: Trojans and Malware on the Internet An Update Sarah Gordon and David Chess IBM Thomas J. Watson Research Center Yorktown Heights, NY Abstract This paper continues our examination of Trojan horses on the Internet; their prevalence, technical structure and impact. It explores the type and scope of threats encountered on the Internet - throughout history until today. It examines user attitudes and considers ways in which those attitudes can actively affect your organization’s vulnerability to Trojanizations of various types. It discusses the status of hostile active content on the Internet, including threats from Java and ActiveX, and re-examines the impact of these types of threats to Internet users in the real world. Observations related to the role of the antivirus industry in solving the problem are considered. Throughout the paper, technical and policy based strategies for minimizing the risk of damage from various types of Trojan horses on the Internet are presented This paper represents an update and summary of our research from Where There's Smoke There's Mirrors: The Truth About Trojan Horses on the Internet, presented at the Eighth International Virus Bulletin Conference in Munich Germany, October 1998, and Attitude Adjustment: Trojans and Malware on the Internet, presented at the European Institute for Computer Antivirus Research in Aalborg, Denmark, March 1999. Significant portions of those works are included here in original form. Descriptors: fidonet, internet, password stealing trojan, trojanized system, trojanized application, user behavior, java, activex, security policy, trojan horse, computer virus Attitude Adjustment: Trojans and Malware on the Internet Trojans On the Internet… Ever since the city of Troy was sacked by way of the apparently innocuous but ultimately deadly Trojan horse, the term has been used to talk about something that appears to be beneficial, but which hides an attack within.
    [Show full text]
  • NIST SP 800-163 Rev.1
    NIST Special Publication 800-163 Revision 1 Vetting the Security of Mobile Applications Michael Ogata Josh Franklin Jeffrey Voas Vincent Sritapan Stephen Quirolgico This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-163r1 C O M P U T E R S E C U R I T Y NIST Special Publication 800-163 Revision 1 Vetting the Security of Mobile Applications Michael Ogata Vincent Sritapan Software and Systems Division Office of Science and Technology Information Technology Laboratory U.S. Department of Homeland Security Josh Franklin* Stephen Quirolgico Applied Cybersecurity Division Office of the Chief Information Officer Information Technology Laboratory U.S. Department of Homeland Security Jeffrey Voas *Former employee; all work for this Computer Security Division publication was done while at NIST Information Technology Laboratory This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-163r1 April 2019 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology Authority This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems.
    [Show full text]
  • Civilians in Cyberwarfare: Conscripts
    Civilians in Cyberwarfare: Conscripts Susan W. Brenner* with Leo L. Clarke** ABSTRACT Civilian-owned and -operated entities will almost certainly be a target in cyberwarfare because cyberattackers are likely to be more focused on undermining the viability of the targeted state than on invading its territory. Cyberattackers will probably target military computer systems, at least to some extent, but in a departure from traditional warfare, they will also target companies that operate aspects of the victim nation’s infrastructure. Cyberwarfare, in other words, will penetrate the territorial borders of the attacked state and target high-value civilian businesses. Nation-states will therefore need to integrate the civilian employees of these (and perhaps other) companies into their cyberwarfare response structures if a state is to be able to respond effectively to cyberattacks. While many companies may voluntarily elect to participate in such an effort, others may decline to do so, which creates a need, in effect, to conscript companies for this purpose. This Article explores how the U.S. government can go about compelling civilian cooperation in cyberwarfare without violating constitutional guarantees and limitations on the power of the Legislature and the Executive. * NCR Distinguished Professor of Law and Technology, University of Dayton School of Law. ** Associate, Drew, Cooper & Anding, P.C., Grand Rapids, Michigan. 1011 1012 Vanderbilt Journal of Transnational Law [Vol. 43:1011 TABLE OF CONTENTS I. INTRODUCTION .............................................................
    [Show full text]