Cyber Attacks Protecting National Infrastructure, 1st ed.

• Situational awareness is the real-time understanding within an organization of its security risk posture

• Awareness of security posture requires consideration of the following

– Known vulnerabilities

– Security infrastructure

– Network and computing architecture

– Business environment

– Global threats

– Hardware and software profiles

Copyright © 2012, Elsevier Inc.

All rights Reserved

Chapter 10 – Awareness

Introduction

Fig. 10.1 – Optimal period of system usage for cyber security


• Factoring in all elements of situational awareness should create an overview of current security risk

• Descriptors such as high, medium, and low are too vague to be helpful

• Security risk levels should be linked with actionable items


Fig. 10.2 – Rough dashboard estimate of cyber security posture


Fig. 10.3 – Security posture changes based on activity and response


Detecting Infrastructure Attacks

• No security task is more difficult and complex than the detection of an ongoing attack

• Many tools exist for detecting attacks, yet none is comprehensive or foolproof

• Determination of risk level is a fluid process


Fig. 10.4 – Attack confidence changes based on events
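The idea behind Fig. 10.4, that confidence in an ongoing attack is a fluid quantity revised as events arrive, can be illustrated with a small tracker. The following is an added example, not code or a model from the book; the event types, their point weights and the thresholds are constructed assumptions, and each confidence level is tied to a concrete action rather than a bare label.

```python
"""Added illustration (not the book's model): attack confidence as a running
score that rises with suspicious events and falls when indicators are retracted.
Integer points (0-100) are used so the arithmetic is exact."""
from dataclasses import dataclass, field

# Constructed weights for the example; a real deployment would tune these.
EVENT_WEIGHTS = {
    "ids_alert": 25,                    # signature match on a monitored segment
    "failed_logins_burst": 15,          # many failures against one account
    "privileged_login_offhours": 20,    # admin session outside the usual window
    "outbound_to_unknown_host": 20,     # egress to a host never seen before
    "analyst_false_positive": -40,      # human review retracts an earlier indicator
    "patch_confirmed": -15,             # the vulnerability at issue is now closed
}


@dataclass
class AttackConfidence:
    score: int = 0
    history: list = field(default_factory=list)  # (event, score after event)

    def observe(self, event: str) -> int:
        """Apply one event and return the clamped confidence score."""
        weight = EVENT_WEIGHTS.get(event)
        if weight is None:
            raise ValueError(f"unknown event type: {event}")
        self.score = min(100, max(0, self.score + weight))
        self.history.append((event, self.score))
        return self.score

    def level(self) -> str:
        """Map the score to an actionable level; thresholds are assumptions."""
        if self.score >= 60:
            return "declare incident; engage response team"
        if self.score >= 30:
            return "open investigation; collect host and network evidence"
        return "monitor; no action beyond routine review"


def run_timeline(events) -> AttackConfidence:
    """Feed an ordered event list through a fresh tracker."""
    tracker = AttackConfidence()
    for event in events:
        tracker.observe(event)
    return tracker


# Constructed event sequence: three indicators push confidence to the incident
# threshold, an analyst retracts one, and a new indicator brings it back up.
SAMPLE_EVENTS = [
    "ids_alert",
    "failed_logins_burst",
    "privileged_login_offhours",
    "analyst_false_positive",
    "outbound_to_unknown_host",
]

if __name__ == "__main__":
    t = run_timeline(SAMPLE_EVENTS)
    for event, score in t.history:
        print(f"{event:28s} -> {score:3d}")
    print("current level:", t.level())
```

The point of the retraction event is that confidence is not monotone: a single human judgement can move the organization back from "declare incident" to "investigate", which is the fluid risk determination the slide describes.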


Managing Vulnerability Information

• Situational awareness for national infrastructure protection requires a degree of attention to daily trivia around vulnerability information

• Practical heuristics for managing vulnerability information

– Structured collection

– Worst case assumptions

– Nondefinitive conclusions

– Connection to all sources


Fig. 10.5 – Vulnerability management structure


• Three basic rules for managers

– Always assume the adversary knows as much or more about your infrastructure

– Assume the adversary is always keeping vulnerability-related secrets from you

– Never assume you know everything relevant to the security of your infrastructure


Cyber Security Intelligence Reports

• Daily cyber security intelligence reports are standard in government agencies

• They would be useful in enterprise settings

• A cyber security intelligence report would include

– Current security posture

– Top and new security risks

– Automated metrics

– Human interpretation


• Tasks for creating a cyber security intelligence report

– Intelligence gathering

– Interpretation and publication

– Dissemination and archiving


Fig. 10.6 – Cyber security intelligence report creation and dissemination


Risk Management Process

• Security risks must be tracked and prioritized

• The generally agreed-upon approach to measuring the risk associated with a specific component begins with two estimations

– Likelihood

– Consequences

• Actual numeric value of risk less important than overall relative risk

• A useful construct compares security risk against cost of recommended action


Fig. 10.7 – Risk versus cost decision path structure


• Increasing risks likely incur increased costs

• Summary of management considerations

– Maintaining a prioritized list of security risks

– Justifying all decisions
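The risk management process on the preceding slides (likelihood and consequence estimates, relative rather than absolute risk, risk compared against the cost of the recommended action, a prioritized list, and a justification for every decision) and the vulnerability-information heuristics earlier in the chapter (structured collection, worst-case assumptions, nondefinitive conclusions) can be put together in one worked example. The code below is added here and is not from the book; the ordinal scale, the record fields, the "act when risk meets or exceeds cost" rule and the sample records are all constructed assumptions standing in for the decision path of Fig. 10.7.

```python
"""Added example (not the book's code): structured vulnerability records with
worst-case defaults for unknown fields, relative risk from likelihood x
consequence, a prioritized list, and a risk-versus-cost decision that always
carries a written justification."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed ordinal scale; only the ordering matters, not the numbers.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class VulnRecord:
    component: str
    source: str                  # where the information came from
    likelihood: Optional[str]    # None when the source did not say
    consequence: Optional[str]   # None when the source did not say
    action: str                  # recommended mitigation
    action_cost: int             # constructed relative cost, same scale as risk


def normalize(rec: VulnRecord) -> Tuple[str, str, bool]:
    """Worst-case assumption: any unknown field takes the worst value, and the
    record is flagged nondefinitive so the conclusion is revisited later."""
    nondefinitive = False
    likelihood, consequence = rec.likelihood, rec.consequence
    if likelihood not in SCALE:
        likelihood, nondefinitive = "high", True
    if consequence not in SCALE:
        consequence, nondefinitive = "high", True
    return likelihood, consequence, nondefinitive


def risk_score(rec: VulnRecord) -> Tuple[int, bool]:
    """Relative risk = likelihood x consequence on the ordinal scale (1..9)."""
    likelihood, consequence, nondefinitive = normalize(rec)
    return SCALE[likelihood] * SCALE[consequence], nondefinitive


def prioritize(records: List[VulnRecord]) -> List[Tuple[str, int, bool]]:
    """The tracked list, highest relative risk first."""
    scored = [(r.component, *risk_score(r)) for r in records]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def decide(rec: VulnRecord) -> Dict[str, str]:
    """Compare risk against the cost of the recommended action and record why."""
    score, nondefinitive = risk_score(rec)
    if score >= rec.action_cost:
        outcome = "act"
        why = f"relative risk {score} meets or exceeds action cost {rec.action_cost}"
    else:
        outcome = "defer"
        why = (f"relative risk {score} is below action cost {rec.action_cost}; "
               "keep on the tracked list")
    if nondefinitive:
        why += ("; worst-case values assumed for fields the source left unknown, "
                "revisit when confirmed")
    return {"component": rec.component, "outcome": outcome,
            "action": rec.action, "justification": why}


# Constructed sample records from sources of differing quality.
SAMPLE_RECORDS = [
    VulnRecord("ICS historian server", "vendor advisory", "medium", "high",
               "apply vendor patch", 2),
    VulnRecord("Perimeter VPN gateway", "anonymous forum post", None, "high",
               "restrict access to allowlisted addresses", 4),
    VulnRecord("Internal wiki", "scanner", "low", "low",
               "upgrade to supported version", 3),
    VulnRecord("Badge system", "scanner", "medium", "medium",
               "segment onto dedicated network", 7),
]

if __name__ == "__main__":
    for component, score, nondefinitive in prioritize(SAMPLE_RECORDS):
        flag = " (nondefinitive)" if nondefinitive else ""
        print(f"{score}  {component}{flag}")
    for rec in SAMPLE_RECORDS:
        d = decide(rec)
        print(f"{d['outcome']:5s} {d['component']}: {d['justification']}")
```

Two things the example makes visible that the bullets alone do not: the forum-sourced record with no likelihood estimate ranks at the top precisely because the worst case is assumed, but it is carried with a nondefinitive flag that keeps the conclusion open; and the badge-system item is deferred not because its risk is low but because the recommended action costs more than the relative risk justifies, which is the comparison Fig. 10.7 is about.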


Security Operations Centers

• The security operations center (SOC) is the most visible realization of real-time security situational awareness

• Most SOC designs begin with a centralized model – a facility tied closely to operations

• A global dispersal of SOC resources provides around-the-clock, real-time analysis of security threats


Fig. 10.8 – Security operations center (SOC) high-level design


• A national-level view of security posture will require consideration of the following

– Commercial versus government information

– Information classification

– Agency politics

– SOC responsibility


National Awareness Program