GSC: Standardization Advancing Global Communications
The New US-CCU Cyber-Security Check List
SOURCE: U.S. Cyber Consequences Unit (Submitted by TIA)

Presentation transcript:

1 GSC: Standardization Advancing Global Communications
The New US-CCU Cyber-Security Check List
SOURCE: U.S. Cyber Consequences Unit (Submitted by TIA)
TITLE: The New US-CCU Cyber-Security Check List
AGENDA ITEM: Other Informational Input – User Cybersecurity Issue
CONTACT: Scott Borg, scott.borg@usccu.us
gsc11_Userworkshop_04 gsc11_Userworkshop_04a1 gsc11_Userworkshop_04a2

2 The New US-CCU Cyber-Security Check List
Scott Borg, Director and Chief Economist, U.S. Cyber Consequences Unit
GSC-11 Chicago 2006
Copyright © 2006 United States Cyber Consequences Unit. All rights reserved.

3 Why are the old cyber-security check lists in need of replacement?
- Previous check lists now go back several years (The BS7799 was published in 1995!)
- Major, structural changes are hard to cover adequately with a patchwork of piecemeal supplements
- The last three or four years have been a period of enormous change in cyber-security thinking
- Many organizations that claim compliance with the previous check lists have huge vulnerabilities

4 How has cyber-security changed?
- New security focus is no longer just perimeter defense, but monitoring and maintaining the proper functioning of internal processes
- New attack goal is not just to cause denials of service, but to make systems divert or destroy value or to discredit those systems
- New approach to these problems is no longer just narrow and technical, but also broad and strategic

5 The Seven Motives for a Cyber-Attack (Borg Model)
1) To increase the value of an enterprise by damaging a competing enterprise.
2) To manipulate the value of a futures contract.
3) To divert the delivery of value to someone for whom it was not intended.
4) To make credible a coercive threat.
5) To advertise a business, cause, or movement.
6) To stop by direct intervention an activity perceived as destroying value.
7) To reduce an opponent’s defensive or destructive capabilities.

6 In the light of these cyber-attack motives, what did the old check lists under-emphasize?
- Production processes
- Business processes
- Economic liabilities
- Attack strategies focusing on manipulations
- On-site realities

7 What is the US-CCU Check List offering to help remedy this situation?
- A fresh start, beginning from scratch
- Considerable amount of new content
- Simpler and more self-consistent framework
- Greater degree of guidance and granularity
- Inclusion of asterisked items that are much needed, but still difficult or expensive
- Much closer fit to the economic priorities

8 Where has the new content come from?
- Walk-rounds and interviews
- Cyber-security exercises and war games
- Red team tests and simulations (not just penetration testing, but manipulation testing)
- Actual incidents (often not publicly reported)
- Business analyses of ways attackers could gain

9 What is the new framework for organizing this content?
Six Simple, Intuitive Categories:
I. Hardware
II. Software
III. Networks
IV. Automation
V. Humans
VI. Suppliers

10 Tackling Hardware Vulnerabilities
- Avenue 1: Physical Equipment
- Avenue 2: Physical Environment
- Avenue 3: Physical By-Products
The biggest existing hardware holes: Where physical and cyber overlap! I.e., where physical actions lead to a cyber-vulnerability, or where cyber actions lead to a physical vulnerability!

11 Tackling Software Vulnerabilities
- Avenue 4: Identity Authentication
- Avenue 5: Application Privileges
- Avenue 6: Input Validation
- Avenue 7: Appropriate Behavior Patterns
The biggest existing software holes: Where false data or inappropriate instructions could be inserted internally, during what appear to be normal system activities!

12 Tackling Network Vulnerabilities
- Avenue 8: Permanent Network Connections
- Avenue 9: Intermittent Network Connections
- Avenue 10: Network Maintenance
The biggest existing network holes: Where extra connections have been added for the convenience of senior users without attention to security or proper documentation!

13 Tackling Automation Vulnerabilities
- Avenue 11: Remote Sensors and Control Systems
- Avenue 12: Backup Procedures
The biggest existing automation holes: Where data or instructions can be inserted to cause destruction or liabilities without any record that the system has even been accessed!

14 Tackling Human Vulnerabilities
- Avenue 13: Human Maintenance of Security Procedures
- Avenue 14: Intentional Actions Threatening Security
The biggest existing human operator holes: Where the access vehicle seems too ubiquitous or too generally distributed to be used for a narrowly targeted attack!

15 Tackling Supplier Vulnerabilities
- Avenue 15: Internal Policies for Software Development
- Avenue 16: Policies for Dealing with External Vendors
The biggest supplier holes: Where the malicious code is produced by an insider and looks just like the legitimate code, but references the wrong things and would be triggered in the wrong circumstances!

16 U.S. Cyber Consequences Unit
For more information contact:
Scott Borg
scott.borg@usccu.us
Thank you!
An independent research group, organized to protect the confidential information of corporations while providing reliable assessments of the strategic and economic consequences of possible cyber-attacks

