Copyright__2012_Elsevier_Inc_All_Rights_ReservedChapter

Chapter 5

Commonality

Cyber Attacks

Protecting National Infrastructure, 1st ed.

The University of Adelaide, School of Computer Science

Chapter 2 — Instructions: Language of the Computer

Certain security attributes must be present in all aspects and areas of national infrastructure to ensure maximum resilience against attack
Best practices, standards, and audits establish a low-water mark for all relevant organizations
Audits must be both meaningful and measurable
Often the most measurable things aren’t all that meaningful

Chapter 5 – Commonality

Introduction

The University of Adelaide, School of Computer Science

Chapter 2 — Instructions: Language of the Computer

Common security-related best practice standards
Federal Information Security Management Act (FISMA)
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry Data Security Standard (PCI DSS)
ISO/IEC 27000 Standard (ISO27K)

Chapter 5 – Commonality

Introduction

The University of Adelaide, School of Computer Science

Chapter 2 — Instructions: Language of the Computer

Fig. 5.1 – Illustrative security audits for two organizations

Chapter 5 – Commonality

Fig. 5.2 – Relationship between meaningful and measurable requirements

The primary motivation for proper infrastructure protection should be success based and economic
Not the audit score
Security of critical components relies on
Step #1: Standard audit
Step #2: World-class focus
Sometimes security audit standards and best practices proven through experience are in conflict

Chapter 5 – Commonality

Meaningful Best Practices for Infrastructure Protection

The University of Adelaide, School of Computer Science

Chapter 2 — Instructions: Language of the Computer

Chapter 5 – Commonality

Fig. 5.3 – Methodology to achieve world-class infrastructure
protection practices

Four basic security policy considerations are recommended
Enforceable: Policies without enforcement are not valuable
Small: Keep it simple and current
Online: Policy info needs to be online and searchable
Inclusive: Good policy requires analysis in order to include computing and networking elements in the local nat’l infrastructure environment

Chapter 5 – Commonality

Locally Relevant and
Appropriate Security Policy

The University of Adelaide, School of Computer Science

Chapter 2 — Instructions: Language of the Computer

Chapter 5 – Commonality

Fig. 5.4 – Decision process for security policy analysis

Create an organizational culture of security protection
Culture of security is one where standard operating procedures provide a secure environment
Ideal environment marries creativity and interest in new technologies with caution and a healthy aversion to risk

Chapter 5 – Commonality

Culture of Security Protection

The University of Adelaide, School of Computer Science

Chapter 2 — Instructions: Language of the Computer

Chapter 5 – Commonality

Fig. 5.5 – Spectrum of organizational culture of security options

Organizations should be explicitly committed to infrastructure simplification
Common problems found in design and operation of national infrastructure
Lack of generalization
Clouding the obvious
Stream-of-consciousness design
Nonuniformity

Chapter 5 – Commonality

Infrastructure Simplification

The University of Adelaide, School of Computer Science

Chapter 2 — Instructions: Language of the Computer

Chapter 5 – Commonality

Fig. 5.6 – Sample cluttered engineering chart

Chapter 5 – Commonality

Fig. 5.7 – Simplified engineering chart

How to simplify a national infrastructure environment
Reduce its size
Generalize concepts
Clean interfaces
Highlight patterns
Reduce clutter

Chapter 5 – Commonality

Infrastructure Simplification

The University of Adelaide, School of Computer Science

Chapter 2 — Instructions: Language of the Computer

Key decision-makers need certification and education programs
Hundred percent end-user awareness is impractical; instead focus on improving security competence of decision-makers
Senior Managers
Designers and developers
Administrators
Security team members
Create low-cost, high-return activities to certify and educate end users

Chapter 5 – Commonality

Certification and Education

The University of Adelaide, School of Computer Science

Chapter 2 — Instructions: Language of the Computer

Chapter 5 – Commonality

Fig. 5.8 – Return on investment (ROI) trends for security education

Create and establish career paths and reward structures for security professionals
These elements should be present in national infrastructure environments
Attractive salaries
Career paths
Senior managers

Chapter 5 – Commonality

Career Path and Reward Structure

The University of Adelaide, School of Computer Science

Chapter 2 — Instructions: Language of the Computer

Companies and agencies being considered for national infrastructure work should be required to demonstrate past practice in live security incidents
Companies and agencies must do a better job of managing their inventory of live incidents

Chapter 5 – Commonality

Responsible Past Security Practice

The University of Adelaide, School of Computer Science

Chapter 2 — Instructions: Language of the Computer

Companies and agencies being considered for national infrastructure work should provide evidence of the following past practices
Past damage
Past prevention
Past response

Chapter 5 – Commonality

Responsible Past Security Practice

The University of Adelaide, School of Computer Science

Chapter 2 — Instructions: Language of the Computer

A national commonality plan involves balancing the following concerns
Plethora of existing standards
Low-water mark versus world class
Existing commissions and boards

Chapter 5 – Commonality

National Commonality Program

The University of Adelaide, School of Computer Science

Chapter 2 — Instructions: Language of the Computer

blog6

Get help from top-rated tutors in any subject.