Much of the security effort of the past has been centered on prevention and protection. The increasing sophistication of cyber-attacks has shown that no controls are 100% effective, and some co

Chapter 7 – Discretion
Cyber Attacks: Protecting National Infrastructure, 1st ed.
Copyright © 2012, Elsevier Inc. All Rights Reserved

Introduction
• Proprietary information will be exposed if discovered by hackers
• National infrastructure protection initiatives must prevent leaks
  – Best approach: Avoid vulnerabilities in the first place
  – More practically: Include a customized program focused mainly on the most critical information

Trusted Computing Base
• A trusted computing base (TCB) is the totality of hardware, software, processes, and individuals considered essential to system security
• A national infrastructure security protection program will include
  – Mandatory controls
  – Discretionary policy
• A smaller, less complex TCB is easier to protect

Fig. 7.1 – Size comparison issues in a trusted computing base

Trusted Computing Base
• Managing discretion is critical; questions about the following should be asked when information is being considered for disclosure
  – Assistance
  – Fixes
  – Limits
  – Legality
  – Damage
  – Need

Security Through Obscurity
• Security through obscurity is often maligned and misunderstood by security experts
  – Long-term hiding of vulnerabilities
  – Long-term suppression of information
• Security through obscurity is not recommended for long-term protection, but it is an excellent complementary control
  – E.g., there’s no need to publish a system’s architecture
  – E.g., revealing a flaw before it’s fixed can lead to rushed work and an unnecessary complication of the situation

Fig. 7.2 – Knowledge lifecycle for security through obscurity

Fig. 7.3 – Vulnerability disclosure lifecycle

Information Sharing
• Information sharing may be inadvertent, secretive, or willful
• Government is the most aggressive in promoting information sharing
• Government requests information from industry for the following reasons
  – Government assistance to industry
  – Government situational awareness
  – Politics
• Government and industry have conflicting motivations

Fig. 7.4 – Inverse value of information sharing for government and industry

Information Reconnaissance
• Adversaries regularly scout ahead and plan before an attack
• Reconnaissance planning levels
  – Level #1: Broad, wide-reaching collection from a variety of sources
  – Level #2: Targeted collection, often involving automation
  – Level #3: Directly accessing the target

Fig. 7.5 – Three stages of reconnaissance for cyber security

Information Reconnaissance
• At each stage of reconnaissance, security engineers can introduce information obscurity
• The specific types of information that should be obscured are
  – Attributes
  – Protections
  – Vulnerabilities

Obscurity Layers
• Layering methods of obscurity and discretion adds depth to a defensive security program
• Even with layered obscurity, asset information can find a way out
  – Public speaking
  – Approved external site
  – Search for leakage

Fig. 7.6 – Obscurity layers to protect asset information

Organizational Compartments
• Governments have been successful at protecting information by compartmentalizing information and individuals
  – Information is classified
  – Groups of individuals are granted clearance
• Compartmentalization defines boundaries, which helps guide decisions
• Private companies can benefit from this model

Fig. 7.7 – Using clearances and classifications to control information disclosure

Fig. 7.8 – Example commercial mapping of clearances and classifications

National Discretion Program
• Implementing a national discretion program will require
  – TCB definition
  – Reduced emphasis on information sharing
  – Coexistence with hacking community
  – Obscurity layered model
  – Commercial information protection models