Cyber Attacks
Protecting National Infrastructure, 1st ed.
Chapter 7
Discretion
Copyright © 2012, Elsevier Inc.
All Rights Reserved
Chapter 7 – Discretion
Introduction
• Proprietary information will be exposed if discovered by hackers
• National infrastructure protection initiatives must prevent leaks
  – Best approach: Avoid vulnerabilities in the first place
  – More practically: Include a customized program focused mainly on the most critical information
Trusted Computing Base
• A trusted computing base (TCB) is the totality of hardware, software, processes, and individuals considered essential to system security
• A national infrastructure security protection program will include
  – Mandatory controls
  – Discretionary policy
• A smaller, less complex TCB is easier to protect
Fig. 7.1 – Size comparison issues in a trusted computing base
Trusted Computing Base
• Managing discretion is critical; questions about the following should be asked when information is being considered for disclosure
  – Assistance
  – Fixes
  – Limits
  – Legality
  – Damage
  – Need
Security Through Obscurity
• Security through obscurity is often maligned and misunderstood by security experts, who equate it with
  – Long-term hiding of vulnerabilities
  – Long-term suppression of information
• Security through obscurity is not recommended for long-term protection, but it is an excellent complementary control
  – E.g., there is no need to publish a system's architecture
  – E.g., revealing a flaw before it is fixed can lead to rushed work and an unnecessary complication of the situation
Fig. 7.2 – Knowledge lifecycle for security through obscurity
Fig. 7.3 – Vulnerability disclosure lifecycle
Information Sharing
• Information sharing may be inadvertent, secretive, or willful
• Government is the most aggressive promoter of information sharing
• Government requests information from industry for the following reasons
  – Government assistance to industry
  – Government situational awareness
  – Politics
• Government and industry have conflicting motivations
Fig. 7.4 – Inverse value of information sharing for government and industry
Information Reconnaissance
• Adversaries regularly scout ahead and plan before an attack
• Levels of reconnaissance planning
  – Level #1: Broad, wide-reaching collection from a variety of sources
  – Level #2: Targeted collection, often involving automation
  – Level #3: Directly accessing the target
Fig. 7.5 – Three stages of reconnaissance for cyber security
Information Reconnaissance
• At each stage of reconnaissance, security engineers can introduce information obscurity
• The specific types of information that should be obscured are
  – Attributes
  – Protections
  – Vulnerabilities
Obscurity Layers
• Layering methods of obscurity and discretion adds depth to a defensive security program
• Even with layered obscurity, asset information can find a way out; the layers include
  – Public speaking
  – Approved external site
  – Search for leakage
Fig. 7.6 – Obscurity layers to protect asset information
Organizational Compartments
• Governments have been successful at protecting information by compartmentalizing information and individuals
  – Information is classified
  – Groups of individuals are granted clearance
• Compartmentalization defines boundaries, which helps guide decisions
• Private companies can benefit from this model
Fig. 7.7 – Using clearances and classifications to control information disclosure
Fig. 7.8 – Example commercial mapping of clearances and classifications
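A clearance/classification check of the kind Figs. 7.7 and 7.8 describe, as an added example in Python; it is not the book's own code and not its commercial mapping. The level names (PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED), the compartment names and the people and items in the demo are assumptions. The check is a mandatory control in the sense of the Trusted Computing Base slide: a holder may read an item, or pass it to someone, only when the relevant clearance dominates the item's label, and combining two items produces a document labelled with the join of their labels.

```python
"""Clearance/classification check for a commercial compartment model.

Added example, not taken from the book or its slides.  A label is a
sensitivity level plus a set of compartments.  Clearance A dominates label B
when A's level is at least B's level and A holds every compartment B names.
Reading and disclosure both require dominance; merging items raises the
result to the least label that dominates all of them.  Level names and
compartment names below are assumptions chosen to look like a commercial
mapping rather than the book's figure.
"""
from dataclasses import dataclass
from typing import FrozenSet

LEVELS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED")   # assumed, lowest first
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other):
        """True if information at `other` may flow to a holder cleared at `self`."""
        return RANK[self.level] >= RANK[other.level] and other.compartments <= self.compartments

    def join(self, other):
        """Least label that dominates both; the label of a document combining both."""
        top = self if RANK[self.level] >= RANK[other.level] else other
        return Label(top.level, self.compartments | other.compartments)


def label(level, *compartments):
    return Label(level, frozenset(compartments))


def can_read(clearance, item):
    return clearance.dominates(item)


def may_disclose(holder, recipient, item):
    # The holder must be entitled to the item at all, and the recipient's
    # clearance must dominate it: the disclosure question from the TCB slide.
    return can_read(holder, item) and can_read(recipient, item)


def derived_label(*items):
    """Label of a document assembled from several items (join of their labels)."""
    result = label("PUBLIC")
    for item in items:
        result = result.join(item)
    return result


def cleared_recipients(roster, item):
    """Names in roster (name -> clearance) allowed to receive the item, sorted."""
    return sorted(name for name, clearance in roster.items() if can_read(clearance, item))


if __name__ == "__main__":
    # Constructed roster and items for the demo.
    roster = {
        "soc_analyst": label("CONFIDENTIAL", "NETOPS", "INCIDENT"),
        "vendor_rep": label("CONFIDENTIAL", "NETOPS"),
        "press": label("PUBLIC"),
    }
    ids_report = label("CONFIDENTIAL", "INCIDENT")
    topology = label("INTERNAL", "NETOPS")
    briefing = derived_label(ids_report, topology)
    print("topology ->", cleared_recipients(roster, topology))
    print("ids_report ->", cleared_recipients(roster, ids_report))
    print("combined briefing", briefing, "->", cleared_recipients(roster, briefing))
```

The instructive case is the combined briefing: the vendor representative may read the network topology on its own, but once it is merged with the incident report the join carries the INCIDENT compartment and the vendor drops out of the recipient list. That is the boundary-defining effect the slide credits compartmentalization with, made mechanical.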
National Discretion Program
• Implementing a national discretion program will require
  – TCB definition
  – Reduced emphasis on information sharing
  – Coexistence with the hacking community
  – Obscurity layered model
  – Commercial information protection models
Creating Annotated Bibliographies
Based on APA Style
Annotated bibliographies are not specifically addressed in the Publication Manual of the
American Psychological Association (APA) (6th ed.).
We have taken the example given online at the OWL at Purdue* as the basis for formatting.
It is a good idea to take careful note of any directions given in your assignment, and to
check with your professor if you have specific questions.
Contents
1. Guidelines
2. Sample Annotated Bibliography
3. Standard Reference List/Bibliography
Guidelines
The following is a summary of things to know when creating an annotated bibliography based
on APA Style:
● The annotated bibliography consists of two elements
o Reference in current APA Style format
o Annotation
● The annotation will follow the reference on the next line. There is not an extra
space—double spacing is used throughout.
● An annotation is different from an abstract. It should have several sentences
summarizing the main points or ideas found in the item. It should then include
your own statement evaluating the quality of the item and/or relating the item to
your own research topic.
● For a longer annotated bibliography, it is appropriate to divide into sections or
topics, and to title those sections as seems fitting.
NOTE: These annotations are for illustrative purposes only and have no relationship to the
content of the sources.
*Purdue Online Writing Lab (OWL). (n.d.). Annotated bibliography samples. Retrieved from https://owl.purdue.edu/owl/general_writing/common_writing_assignments/annotated_bibliographies/annotated_bibliography_samples.html
Sample Annotated Bibliography
AICPA sets ethical standards for outsourcing. (2005). Journal of Accountancy, 199(1), 8.
Retrieved from http://www.journalofaccountancy.com/
This article presents the new standards for outsourcing developed by the AICPA ethics
committee. The standards are summarized, and a brief discussion is included of the
implications going forward for business and international trade. The authors indicate that
changes to the business community will be relatively minor. This is a helpful source for
getting an overview of the current ethics standards in outsourcing.
American Management Association. (2010). The AMA handbook of business writing.
New York, NY: Author.
The American Management Association has created its own guide for business writing.
Designed as a supplemental text to more thorough style guides such as APA, this guide
covers topics relating specifically to business, such as citing financials, formatting of
company reports, and professional approaches to information integrity in the workplace.
This is an indispensable work for anyone doing professional business writing.
Barthelemy, J., & Geyer, D. (2005). An empirical investigation of IT outsourcing versus
quasi-outsourcing in France and Germany. Information & Management, 42, 533-542.
doi:10.1016/j.im.2004.02.005
The authors present an investigation of IT outsourcing based on the combined results of a
survey administered to IT firms as well as statistical measures from domestic and French
or German firms. Their data covers a wide range of IT business unit types. However, the
lack of longitudinal data weakens their conclusion that the slower pace of French and
German IT outsourcing has had a long-term positive effect on business in those countries.
Standard Reference List / Bibliography
Here are the same sources, but formatted as a standard reference list/bibliography for comparison.
References
AICPA sets ethical standards for outsourcing. (2005). Journal of Accountancy, 199(1), 8.
Retrieved from http://www.journalofaccountancy.com/
American Management Association. (2010). The AMA handbook of business writing.
New York, NY: Author.
Barthelemy, J., & Geyer, D. (2005). An empirical investigation of IT outsourcing versus
quasi-outsourcing in France and Germany. Information & Management, 42, 533-542.
doi:10.1016/j.im.2004.02.005
Created by:
Will Keillor, October 2015
Revised by Earleen Warner, April 2019
Bethel University Library, St. Paul, MN