
The New US-CCU Cyber-Security Check List

gsc11_Userworkshop_04, gsc11_Userworkshop_04a1, gsc11_Userworkshop_04a2. The New US-CCU Cyber-Security Check List. Scott Borg, Director and Chief Economist, U.S. Cyber Consequences Unit.


Presentation Transcript


  1. gsc11_Userworkshop_04, gsc11_Userworkshop_04a1, gsc11_Userworkshop_04a2
     The New US-CCU Cyber-Security Check List
     GSC: Standardization Advancing Global Communications

  2. The New US-CCU Cyber-Security Check List
     Scott Borg, Director and Chief Economist, U.S. Cyber Consequences Unit

  3. Why are the old cyber-security check lists in need of replacement?
     • Previous check lists now go back several years (The BS7799 was published in 1995!)
     • Major, structural changes are hard to cover adequately with a patchwork of piecemeal supplements
     • The last three or four years have been a period of enormous change in cyber-security thinking
     • Many organizations that claim compliance with the previous check lists have huge vulnerabilities

  4. How has cyber-security changed?
     • New security focus is no longer just perimeter defense, but monitoring and maintaining the proper functioning of internal processes
     • New attack goal is not just to cause denials of service, but to make systems divert or destroy value or to discredit those systems
     • New approach to these problems is no longer just narrow and technical, but also broad and strategic

  5. The Seven Motives for a Cyber-Attack (Borg Model)
     1) To increase the value of an enterprise by damaging a competing enterprise.
     2) To manipulate the value of a futures contract.
     3) To divert the delivery of value to someone for whom it was not intended.
     4) To make credible a coercive threat.
     5) To advertise a business, cause, or movement.
     6) To stop by direct intervention an activity perceived as destroying value.
     7) To reduce an opponent’s defensive or destructive capabilities.

  6. In the light of these cyber-attack motives, what did the old check lists under-emphasize?
     • Production processes
     • Business processes
     • Economic liabilities
     • Attack strategies focusing on manipulations
     • On-site realities

  7. What is the US-CCU Check List offering to help remedy this situation?
     • A fresh start, beginning from scratch
     • Considerable amount of new content
     • Simpler and more self-consistent framework
     • Greater degree of guidance and granularity
     • Inclusion of asterisked items that are much needed, but still difficult or expensive
     • Much closer fit to the economic priorities

  8. Where has the new content come from?
     • Walk-rounds and interviews
     • Cyber-security exercises and war games
     • Red team tests and simulations (not just penetration testing, but manipulation testing)
     • Actual incidents (often not publicly reported)
     • Business analyses of ways attackers could gain

  9. What is the new framework for organizing this content?
     Six Simple, Intuitive Categories:
     I. Hardware
     II. Software
     III. Networks
     IV. Automation
     V. Humans
     VI. Suppliers

  10. Tackling Hardware Vulnerabilities
     Avenue 1: Physical Equipment
     Avenue 2: Physical Environment
     Avenue 3: Physical By-Products
     The biggest existing hardware holes: Where physical and cyber overlap! I.e., where physical actions lead to a cyber-vulnerability, or where cyber actions lead to a physical vulnerability!

  11. Tackling Software Vulnerabilities
     Avenue 4: Identity Authentication
     Avenue 5: Application Privileges
     Avenue 6: Input Validation
     Avenue 7: Appropriate Behavior Patterns
     The biggest existing software holes: Where false data or inappropriate instructions could be inserted internally, during what appear to be normal system activities!

  12. Tackling Network Vulnerabilities
     Avenue 8: Permanent Network Connections
     Avenue 9: Intermittent Network Connections
     Avenue 10: Network Maintenance
     The biggest existing network holes: Where extra connections have been added for the convenience of senior users without attention to security or proper documentation!

  13. Tackling Automation Vulnerabilities
     Avenue 11: Remote Sensors and Control Systems
     Avenue 12: Backup Procedures
     The biggest existing automation holes: Where data or instructions can be inserted to cause destruction or liabilities without any record that the system has even been accessed!

  14. Tackling Human Vulnerabilities
     Avenue 13: Human Maintenance of Security Procedures
     Avenue 14: Intentional Actions Threatening Security
     The biggest existing human operator holes: Where the access vehicle seems too ubiquitous or too generally distributed to be used for a narrowly targeted attack!

  15. Tackling Supplier Vulnerabilities
     Avenue 15: Internal Policies for Software Development
     Avenue 16: Policies for Dealing with External Vendors
     The biggest supplier holes: Where the malicious code is produced by an insider and looks just like the legitimate code, but references the wrong things and would be triggered in the wrong circumstances!

  16. U.S. Cyber Consequences Unit
     An independent research group, organized to protect the confidential information of corporations while providing reliable assessments of the strategic and economic consequences of possible cyber-attacks
     For more information contact: Scott Borg, scott.borg@usccu.us
     Thank you!
