gsc: standardization advancing global communications 1 the new us-ccu cyber-security check list...

GSC: Standardization Advancing Global Communications

The New US-CCU Cyber-Security Check List

SOURCE: U.S. Cyber Consequences Unit (Submitted by TIA)

TITLE: The New US-CCU Cyber-Security Check List

AGENDA ITEM: Other Informational Input – User Cybersecurity Issue

CONTACT: Scott Borg, [email protected]

gsc11_Userworkshop_04

gsc11_Userworkshop_04a1

gsc11_Userworkshop_04a2

Copyright © 2006 United States Cyber Consequences Unit. All rights reserved.

U.S. Cyber Consequences Unit

GSC-11 Chicago 2006

The New US-CCU Cyber-Security Check List

Scott Borg

Director and Chief Economist

U.S. Cyber Consequences Unit

Why are the old cyber-security check lists in need of replacement?

• Previous check lists now go back several years (The BS7799 was published in 1995!)

• Major, structural changes are hard to cover adequately with a patchwork of piecemeal supplements

• The last three or four years have been a period of enormous change in cyber-security thinking

• Many organizations that claim compliance with the previous check lists have huge vulnerabilities

How has cyber-security changed?

• New security focus is no longer just perimeter defense, but monitoring and maintaining the proper functioning of internal processes

• New attack goal is not just to cause denials of service, but to make systems divert or destroy value or to discredit those systems

• New approach to these problems is no longer just narrow and technical, but also broad and strategic

The Seven Motives for a Cyber-Attack (Borg Model)

1) To increase the value of an enterprise by damaging a competing enterprise.

2) To manipulate the value of a futures contract.

3) To divert the delivery of value to someone for whom it was not intended.

4) To make credible a coercive threat.

5) To advertise a business, cause, or movement.

6) To stop by direct intervention an activity perceived as destroying value.

7) To reduce an opponent’s defensive or destructive capabilities.

In the light of these cyber-attack motives, what did the old check lists under-emphasize?

• Production processes

• Business processes

• Economic liabilities

• Attack strategies focusing on manipulations

• On-site realities

What is the US-CCU Check List offering to help remedy this situation?

• A fresh start, beginning from scratch

• Considerable amount of new content

• Simpler and more self-consistent framework

• Greater degree of guidance and granularity

• Inclusion of asterisked items that are much needed, but still difficult or expensive

• Much closer fit to the economic priorities

Where has the new content come from?

• Walk-rounds and interviews

• Cyber-security exercises and war games

• Red team tests and simulations (not just penetration testing, but manipulation testing)

• Actual incidents (often not publicly reported)

• Business analyses of ways attackers could gain

What is the new framework for organizing this content?

Six Simple, Intuitive Categories:

I. Hardware

II. Software

III. Networks

IV. Automation

V. Humans

VI. Suppliers

Tackling Hardware Vulnerabilities

Avenue 1: Physical Equipment

Avenue 2: Physical Environment

Avenue 3: Physical By-Products

The biggest existing hardware holes:
Where physical and cyber overlap! I.e., where physical actions lead to a cyber-vulnerability, or where cyber actions lead to a physical vulnerability!

Tackling Software Vulnerabilities

Avenue 4: Identity Authentication

Avenue 5: Application Privileges

Avenue 6: Input Validation

Avenue 7: Appropriate Behavior Patterns

The biggest existing software holes:
Where false data or inappropriate instructions could be inserted internally, during what appear to be normal system activities!

Tackling Network Vulnerabilities

Avenue 8: Permanent Network Connections

Avenue 9: Intermittent Network Connections

Avenue 10: Network Maintenance

The biggest existing network holes:
Where extra connections have been added for the convenience of senior users without attention to security or proper documentation!

Tackling Automation Vulnerabilities

Avenue 11: Remote Sensors and Control Systems

Avenue 12: Backup Procedures

The biggest existing automation holes:
Where data or instructions can be inserted to cause destruction or liabilities without any record that the system has even been accessed!

Tackling Human Vulnerabilities

Avenue 13: Human Maintenance of Security Procedures

Avenue 14: Intentional Actions Threatening Security

The biggest existing human operator holes:
Where the access vehicle seems too ubiquitous or too generally distributed to be used for a narrowly targeted attack!

Tackling Supplier Vulnerabilities

Avenue 15: Internal Policies for Software Development

Avenue 16: Policies for Dealing with External Vendors

The biggest supplier holes:
Where the malicious code is produced by an insider and looks just like the legitimate code, but references the wrong things and would be triggered in the wrong circumstances!

U.S. Cyber Consequences Unit

For more information contact:

Scott Borg

[email protected]@usccu.us

Thank you!

An independent research group, organized to protect the confidential information of corporations while providing reliable assessments of the strategic and economic consequences of possible cyber-attacks