
A CONTINUOUS MONITORING FRAMEWORK TO MANAGE CYBERSECURITY AGAINST INSIDER THREATS

by

Behnam Shariati

M.S. in Engineering Management, May 1998, The George Washington University

A Dissertation submitted to
The Faculty of
The School of Engineering and Applied Science
of The George Washington University
in partial fulfillment of the requirements
for the degree of Doctor of Philosophy

August 31, 2016

Dissertation directed by
E. L. Murphree Jr.
Professor Emeritus of Engineering Management and Systems Engineering

The School of Engineering and Applied Science of The George Washington University certifies that Behnam Shariati has passed the Final Examination for the degree of Doctor of Philosophy as of August 15, 2016. This is the final and approved form of the dissertation.

A CONTINUOUS MONITORING FRAMEWORK TO MANAGE CYBERSECURITY AGAINST INSIDER THREATS

Behnam Shariati

Dissertation Research Committee:
E. L. Murphree, Professor Emeritus of Engineering Management and Systems Engineering, Dissertation Director
Thomas Andrew Mazzuchi, Professor of Engineering Management and Systems Engineering and of Decision Sciences, Committee Member
Shahram Sarkani, Professor of Engineering Management and Systems Engineering, Committee Member
Bhagirath Narahari, Professor of Computer, Committee Member
Michael J. Stone, Senior Security Engineer, NIST/National Cybersecurity Center of Excellence, Committee Member

Acknowledgment

First and foremost, I would like to express the deepest appreciation to everyone on my committee. I would like to gratefully and sincerely thank Dr. Murphree for his guidance, understanding and patience. His mentorship was paramount in completing this dissertation. I also would like to express my deepest gratitude to Dr. Mazzuchi for his support and encouragement throughout my studies. Without his incredible leadership and timely wisdom this dissertation would not have been possible. In addition, my appreciation to Dr. Sarkani, Dr. Narahari and Mr. Stone for having served on my committee; their thoughtful questions and suggestions were gratefully valued.

This dissertation is dedicated to the memory of my parents, you are in my heart and... Tamom Shod. Also special thanks to Kayko, yes it did happen. To the most important individuals in my life, A1 & A2: sometime in the future you may read this work, so you should know this; that I never give up and I hope you both do the same and never give up in life and follow your dreams (Eshghe mani). I would also like to express my deepest and sincere appreciation to RRR, who was instrumental in getting me started and without his help I wouldn’t have been successful; I am sincerely grateful, Robert. I dreamt of this day when I was sixteen years old; it has been a long journey, but it has finally concluded successfully. Thank you all.

Abstract of Dissertation

A CONTINUOUS MONITORING FRAMEWORK TO MANAGE CYBERSECURITY AGAINST INSIDER THREATS

In today’s “Cyber-Society,” an enterprise faces numerous Cybersecurity challenges as Cybercriminals, hackers, and insider threats constantly threaten to compromise the Confidentiality, Integrity, and Availability (CIA) of the enterprise’s assets and data. This research presents a Dynamic Framework system built on a proactive security concept, as opposed to the traditional reactive approach. This Dynamic Framework system minimizes the risks that Cybercriminals, hackers, and insider threats pose to an enterprise’s CIA. The Dynamic Framework system is mapped to the National Institute of Standards and Technology’s (NIST) Risk Framework (RF), is designed around three functional Controls (Preventive, Detective and Corrective), enables an enterprise to develop a healthier Cyber Hygiene (CH) through continuous monitoring of its assets, and is capable of ensuring a proper alignment between the business functionality and Cybersecurity missions of an enterprise.

Furthermore, although the Dynamic Framework system was developed based on the Financial Services Sector’s vulnerabilities, its functionality applies to all enterprises. This research recognizes that current Cybersecurity practices are insufficient to prevent a Cyber-Attack, respond to a Cyber-Attack, and, most importantly, remain resilient during a Cyber-Attack. The purpose of the Dynamic Framework system is to recommend a new and near-future Cyber-Ecosystem (CE), which an enterprise in the Financial Services Sector, or other sectors, can use to improve its security posture.

Table of Contents

Acknowledgment ..... iii
Abstract of Dissertation ..... iii
Table of Contents ..... v
List of Figures ..... vii
List of Tables ..... ix
List of Abbreviations ..... x
List of Terms/Glossary ..... xv
Chapter 1. Introduction ..... 1
1.1 Overview ..... 1
1.2 Research Contributions ..... 5
1.3 Significance ..... 6
1.4 Limitations ..... 11
1.5 Organization of the Document ..... 12
Chapter 2. Literature Review ..... 14
2.1 Overview ..... 14
2.2 Executive Order 13636 – Improving Critical Infrastructure Cybersecurity ..... 14
2.3 Current Cybersecurity Practices in Industry ..... 16
2.4 The NICE - Financial Services Sector-Specific Plan ..... 19
2.4.1 Sector-Specific Agency ..... 20
2.4.2 Sector Goals and Objectives ..... 21
2.4.3 Asset, System, and Network Identification ..... 22
2.4.4 The Financial Services Sector Vulnerabilities ..... 24
2.5 NIST Special Publication 800-53 Revision 4 ..... 25
2.5.1 Applicability ..... 27
2.6 Framework for Improving Critical Infrastructure Cybersecurity ..... 28
2.6.1 Framework Core ..... 29
2.6.2 Framework Implementation Tiers ..... 31
2.6.3 Framework Profile ..... 31
2.6.4 Applicability ..... 32
2.7 Review of Current Situational Awareness ..... 32
2.8 Importance of Situational Awareness in Cybersecurity ..... 34
Chapter 3. Framework ..... 37
3.1 Overview ..... 37
3.2 Framework Architecture ..... 37
3.3 Dynamic Framework Pre-Conditions ..... 40
3.4 Dynamic Framework System Modules ..... 43
3.5 Identity Management (IM) Module ..... 45