Discussion on situational awareness.

User Generated

tc1234

Computer Science

University of the Cumberlands

Description

Chapter 7 discusses situational awareness. Much of the security effort of the past has been centered around prevention and protection. The increasing sophistication of cyber attacks has shown that no controls are 100% effective, and some compromises do occur. There is a rising realization that in addition to considering prevention and protection, controls that address detection and response are necessary to improve security posture. Please describe how situational awareness is a driver for detection and response controls.


Unformatted Attachment Preview

Cyber Attacks Protecting National Infrastructure, 1st ed.
Chapter 7 – Discretion
Copyright © 2012, Elsevier Inc. All Rights Reserved

Introduction
• Proprietary information will be exposed if discovered by hackers
• National infrastructure protection initiatives must prevent leaks
  – Best approach: Avoid vulnerabilities in the first place
  – More practically: Include a customized program focused mainly on the most critical information

Trusted Computing Base
• A trusted computing base (TCB) is the totality of hardware, software, processes, and individuals considered essential to system security
• A national infrastructure security protection program will include
  – Mandatory controls
  – Discretionary policy
• A smaller, less complex TCB is easier to protect

Fig. 7.1 – Size comparison issues in a trusted computing base

Trusted Computing Base
• Managing discretion is critical; questions about the following should be asked when information is being considered for disclosure
  – Assistance
  – Fixes
  – Limits
  – Legality
  – Damage
  – Need

Security Through Obscurity
• Security through obscurity is often maligned and misunderstood by security experts
  – Long-term hiding of vulnerabilities
  – Long-term suppression of information
• Security through obscurity is not recommended for long-term protection, but it is an excellent complementary control
  – E.g., there’s no need to publish a system’s architecture
  – E.g., revealing a flaw before it’s fixed can lead to rushed work and an unnecessary complication of the situation

Fig. 7.2 – Knowledge lifecycle for security through obscurity

Fig. 7.3 – Vulnerability disclosure lifecycle

Information Sharing
• Information sharing may be inadvertent, secretive, or willful
• Government most aggressive promoting information sharing
• Government requests information from industry for the following reasons
  – Government assistance to industry
  – Government situational awareness
  – Politics
• Government and industry have conflicting motivations

Fig. 7.4 – Inverse value of information sharing for government and industry

Information Reconnaissance
• Adversaries regularly scout ahead and plan before an attack
• Reconnaissance planning levels
  – Level #1: Broad, wide-reaching collection from a variety of sources
  – Level #2: Targeted collection, often involving automation
  – Level #3: Directly accessing the target

Fig. 7.5 – Three stages of reconnaissance for cyber security

Information Reconnaissance
• At each stage of reconnaissance, security engineers can introduce information obscurity
• The specific types of information that should be obscured are
  – Attributes
  – Protections
  – Vulnerabilities

Obscurity Layers
• Layering methods of obscurity and discretion adds depth to defensive security program
• Even with layered obscurity, asset information can find a way out
  – Public speaking
  – Approved external site
  – Search for leakage

Fig. 7.6 – Obscurity layers to protect asset information

Organizational Compartments
• Governments have been successful at protecting information by compartmentalizing information and individuals
  – Information is classified
  – Groups of individuals are granted clearance
• Compartmentalization defines boundaries, which helps guide decisions
• Private companies can benefit from this model

Fig. 7.7 – Using clearances and classifications to control information disclosure

Fig. 7.8 – Example commercial mapping of clearances and classifications

National Discretion Program
• To implement a national discretion program will require
  – TCB definition
  – Reduced emphasis on information sharing
  – Coexistence with hacking community
  – Obscurity layered model
  – Commercial information protection models
Explanation & Answer:
250 words

Explanation & Answer

Hi buddy. Kindly find attached the complete work. Please let me know in case you need anything further. I hope to hear from you soon but until then, take care of yourself!

Surname 1
RUNNING HEAD: EMERGING THREATS AND COUNTERMEASURES

How situational awareness affects detection and response controls

Name
Course
Professor
Date of submission

Situational awareness is the process of comprehending the entire security system of an
organization as well as its potential threats to come up with the risk projecti...

