GSC: Standardization Advancing Global Communications
The New US-CCU Cyber-Security Check List
SOURCE: U.S. Cyber Consequences Unit (Submitted by TIA)
TITLE: The New US-CCU Cyber-Security Check List
AGENDA ITEM: Other Informational Input – User Cybersecurity Issue
CONTACT: Scott Borg, [email protected]
gsc11_Userworkshop_04
gsc11_Userworkshop_04a1
gsc11_Userworkshop_04a2
Copyright © 2006 United States Cyber Consequences Unit. All rights reserved.
U.S. Cyber Consequences Unit
GSC-11 Chicago 2006
The New US-CCU Cyber-Security Check List
Scott Borg
Director and Chief Economist
U.S. Cyber Consequences Unit
Why are the old cyber-security check lists in need of replacement?
• Previous check lists now go back several years (The BS7799 was published in 1995!)
• Major, structural changes are hard to cover adequately with a patchwork of piecemeal supplements
• The last three or four years have been a period of enormous change in cyber-security thinking
• Many organizations that claim compliance with the previous check lists have huge vulnerabilities
How has cyber-security changed?
• New security focus is no longer just perimeter defense, but monitoring and maintaining the proper functioning of internal processes
• New attack goal is not just to cause denials of service, but to make systems divert or destroy value or to discredit those systems
• New approach to these problems is no longer just narrow and technical, but also broad and strategic
The Seven Motives for a Cyber-Attack (Borg Model)
1) To increase the value of an enterprise by damaging a competing enterprise.
2) To manipulate the value of a futures contract.
3) To divert the delivery of value to someone for whom it was not intended.
4) To make credible a coercive threat.
5) To advertise a business, cause, or movement.
6) To stop by direct intervention an activity perceived as destroying value.
7) To reduce an opponent’s defensive or destructive capabilities.
In the light of these cyber-attack motives, what did the old check lists under-emphasize?
• Production processes
• Business processes
• Economic liabilities
• Attack strategies focusing on manipulations
• On-site realities
What is the US-CCU Check List offering to help remedy this situation?
• A fresh start, beginning from scratch
• Considerable amount of new content
• Simpler and more self-consistent framework
• Greater degree of guidance and granularity
• Inclusion of asterisked items that are much needed, but still difficult or expensive
• Much closer fit to the economic priorities
Where has the new content come from?
• Walk-rounds and interviews
• Cyber-security exercises and war games
• Red team tests and simulations (not just penetration testing, but manipulation testing)
• Actual incidents (often not publicly reported)
• Business analyses of ways attackers could gain
What is the new framework for organizing this content?
Six Simple, Intuitive Categories:
I. Hardware
II. Software
III. Networks
IV. Automation
V. Humans
VI. Suppliers
Tackling Hardware Vulnerabilities
Avenue 1: Physical Equipment
Avenue 2: Physical Environment
Avenue 3: Physical By-Products
The biggest existing hardware holes: Where physical and cyber overlap! I.e., where physical actions lead to a cyber-vulnerability, or where cyber actions lead to a physical vulnerability!
Tackling Software Vulnerabilities
Avenue 4: Identity Authentication
Avenue 5: Application Privileges
Avenue 6: Input Validation
Avenue 7: Appropriate Behavior Patterns
The biggest existing software holes: Where false data or inappropriate instructions could be inserted internally, during what appear to be normal system activities!
Tackling Network Vulnerabilities
Avenue 8: Permanent Network Connections
Avenue 9: Intermittent Network Connections
Avenue 10: Network Maintenance
The biggest existing network holes: Where extra connections have been added for the convenience of senior users without attention to security or proper documentation!
Tackling Automation Vulnerabilities
Avenue 11: Remote Sensors and Control Systems
Avenue 12: Backup Procedures
The biggest existing automation holes: Where data or instructions can be inserted to cause destruction or liabilities without any record that the system has even been accessed!
Tackling Human Vulnerabilities
Avenue 13: Human Maintenance of Security Procedures
Avenue 14: Intentional Actions Threatening Security
The biggest existing human operator holes: Where the access vehicle seems too ubiquitous or too generally distributed to be used for a narrowly targeted attack!
Tackling Supplier Vulnerabilities
Avenue 15: Internal Policies for Software Development
Avenue 16: Policies for Dealing with External Vendors
The biggest supplier holes: Where the malicious code is produced by an insider and looks just like the legitimate code, but references the wrong things and would be triggered in the wrong circumstances!
U.S. Cyber Consequences Unit
For more information contact:
Scott Borg
[email protected]@usccu.us
Thank you!
An independent research group, organized to protect
the confidential information of corporations while
providing reliable assessments of the strategic and
economic consequences of possible cyber-attacks