| Section | Page | Length (pages) |
|---|---|---|
| Foreword | xxxix | |
| Acknowledgments | xli | |
| Introduction | xliii | |
| Part I: What Do You Want? | | |
| Chapter 1 What's the Problem? | 3 | 22 |
| | 3 | 1 |
| | 4 | 1 |
| 1.1 Baking in Trustworthiness: Design-Time | 5 | 3 |
| | 5 | 2 |
| | 7 | 1 |
| | 7 | 1 |
| | 7 | 1 |
| 1.2 Operational Perspective: Basic Questions | 8 | 8 |
| | 9 | 1 |
| 1.2.2 What Is the Nature of the Attack? | 10 | 2 |
| 1.2.3 What Is the Mission Impact So Far? | 12 | 1 |
| 1.2.4 What Is the Potential Mission Impact? | 13 | 1 |
| | 13 | 1 |
| | 13 | 1 |
| 1.2.7 What Are They Trying to Do? | 14 | 1 |
| 1.2.8 What Is the Attacker's Next Step? | 14 | 1 |
| 1.2.9 What Can I Do About It? | 15 | 1 |
| 1.2.10 What Are My Options and How Effective Will Each Option Be? | 15 | 1 |
| 1.2.11 How Will My Mitigation Actions Affect Operation? | 15 | 1 |
| 1.2.12 How Do I Better Defend Myself in the Future? | 15 | 1 |
| 1.3 Asymmetry of Cyberspace Effects | 16 | 2 |
| | 16 | 1 |
| | 17 | 1 |
| | 17 | 1 |
| | 17 | 1 |
| | 18 | 1 |
| | 18 | 1 |
| 1.4 The Cybersecurity Solution Landscape | 18 | 3 |
| 1.4.1 Information Assurance Science and Engineering | 19 | 1 |
| 1.4.2 Defensive Mechanisms | 20 | 1 |
| 1.4.3 Cybersensors and Exploitation | 20 | 1 |
| 1.4.4 Cyber Situation Understanding | 20 | 1 |
| | 20 | 1 |
| 1.4.6 Cyber Command and Control | 21 | 1 |
| 1.4.7 Cyber Defense Strategy and Tactics | 21 | 1 |
| 1.5 Ounces of Prevention and Pounds of Cure | 21 | 1 |
| | 22 | 1 |
| | 22 | 3 |
| Chapter 2 Cybersecurity Right-Think | 25 | 12 |
| | 25 | 1 |
| | 26 | 1 |
| | 26 | 1 |
| 2.2 The Cybersecurity Trade-off: Performance and Functionality | 26 | 7 |
| | 28 | 1 |
| | 29 | 1 |
| | 29 | 1 |
| | 30 | 1 |
| | 30 | 1 |
| 2.2.6 Quantity of Service or Product | 31 | 1 |
| 2.2.7 Quality of Service or Product | 31 | 1 |
| 2.2.8 Cost of Service or Product | 32 | 1 |
| | 33 | 1 |
| 2.3 Theories of Security Come from Theories of Insecurity | 33 | 1 |
| 2.4 They Come at You Through the Weeds | 33 | 1 |
| 2.5 Top-Down Meets Bottom-Up | 34 | 1 |
| 2.6 Cybersecurity Is a Live Orchestra, Not a Recorded Instrument | 35 | 1 |
| | 35 | 1 |
| | 36 | 1 |
| Chapter 3 Value and Mission: Know Thyself | 37 | 14 |
| | 37 | 1 |
| | 38 | 1 |
| 3.1 Focus on Mission and Value | 38 | 2 |
| 3.1.1 Avoid Concentrating Value | 39 | 1 |
| 3.1.2 Beware the Complacency of Trust | 39 | 1 |
| 3.2 Confidentiality: Value of Secrecy from Adversaries | 40 | 4 |
| 3.2.1 Acquired-Knowledge Secrets | 40 | 1 |
| | 41 | 1 |
| | 42 | 1 |
| 3.2.4 Means-of-Stealing-Secrets Secrets | 43 | 1 |
| 3.3 Confidentiality: Beware the Tyranny of Secrecy | 44 | 2 |
| | 44 | 1 |
| 3.3.2 Secrecy Is Expensive | 44 | 1 |
| 3.3.3 Secrecy Can Be Self-Defeating | 45 | 1 |
| 3.3.4 Secrecy Is Self-Breeding | 45 | 1 |
| 3.3.5 Secrecy Creates a Form of Corrupting Power and Impediment to Operation | 46 | 1 |
| 3.4 Confidentiality: Changing the Value Proposition | 46 | 1 |
| 3.4.1 Minimize Secrecy and Dependency on Secrecy | 46 | 1 |
| 3.4.2 Minimize Impact of Loss of Secrecy | 47 | 1 |
| 3.5 Integrity: The Root of All Trustworthiness Value | 47 | 1 |
| 3.6 Availability: An Essential Yet Tenuous Value | 48 | 1 |
| | 48 | 1 |
| | 49 | 2 |
| Chapter 4 Harm: Mission in Peril | 51 | 14 |
| | 51 | 1 |
| | 52 | 1 |
| 4.1 Focus on Strategic Risks | 52 | 2 |
| 4.1.1 What Is Strategic Risk? | 52 | 1 |
| | 53 | 1 |
| | 54 | 1 |
| 4.1.4 The Meaning of Focus | 54 | 1 |
| 4.2 Harm Is About Mission | 54 | 1 |
| 4.2.1 Elicitation of Harm | 55 | 1 |
| 4.2.2 Aggregating Harm Statements | 55 | 1 |
| 4.2.3 Representative Harm Lists | 55 | 1 |
| 4.3 Critical Asset Inventory: Data | 55 | 3 |
| | 56 | 1 |
| 4.3.2 Data Value Spectrum | 56 | 1 |
| 4.3.3 Criticality Classes | 56 | 1 |
| | 57 | 1 |
| 4.4 A Template for Exploring Mission Harm | 58 | 3 |
| 4.5 Harm Is in the Eye of the Beholder | 61 | 1 |
| 4.5.1 Gravity of Harm: Consensus | 61 | 1 |
| 4.5.2 Drawing Conclusions | 61 | 1 |
| 4.6 Sometimes Belief Is More Powerful than Truth | 61 | 1 |
| | 62 | 1 |
| 4.6.2 Frustrating to Address: Life Is Unfair | 62 | 1 |
| | 62 | 1 |
| | 63 | 2 |
| Chapter 5 Approximating Reality | 65 | 24 |
| | 65 | 1 |
| | 66 | 1 |
| 5.1 The Complexity of State: Why Model? | 66 | 1 |
| 5.2 Levels of Abstraction: At What Levels | 67 | 1 |
| 5.3 What to Model and Why | 68 | 3 |
| | 68 | 1 |
| | 69 | 1 |
| | 70 | 1 |
| 5.3.4 Measures/Countermeasures | 70 | 1 |
| 5.4 Models Are Always Wrong, Sometimes Useful | 71 | 4 |
| 5.4.1 Incompleteness of Essentials | 71 | 1 |
| | 72 | 1 |
| | 73 | 2 |
| | 75 | 5 |
| | 75 | 2 |
| | 77 | 2 |
| 5.5.3 Attacking the Views Themselves | 79 | 1 |
| 5.6 Defense Models Must Consider Failure Modes | 80 | 2 |
| 5.7 Assume Adversaries Know Defender's System | 82 | 1 |
| 5.8 Assume Adversaries Are Inside Defender's System | 83 | 1 |
| | 84 | 1 |
| | 85 | 4 |
| Part II: What Could Go Wrong? | | |
| Chapter 6 Adversaries: Know Thy Enemy | 89 | 26 |
| | 89 | 1 |
| | 90 | 1 |
| 6.1 Know Your Adversaries | 91 | 4 |
| | 91 | 1 |
| | 92 | 1 |
| 6.1.3 Attacker Resources and Defender Resources | 92 | 1 |
| | 93 | 1 |
| | 93 | 1 |
| | 94 | 1 |
| 6.2 Assume Smart Adversaries | 95 | 1 |
| 6.3 Assume Adversaries Don't Play Fair | 96 | 9 |
| 6.3.1 Going Around Security Controls | 96 | 1 |
| 6.3.2 Going Beneath Security Controls | 96 | 2 |
| 6.3.3 Attacking the Weakest Link | 98 | 1 |
| 6.3.4 Violating a Design Assumption | 99 | 1 |
| 6.3.5 Using Maintenance Modes | 100 | 1 |
| 6.3.6 Using Social Engineering | 100 | 1 |
| 6.3.7 Using Bribery and Blackmail to Subvert Insiders | 101 | 1 |
| 6.3.8 Taking Advantage of Temporary Bypasses | 101 | 1 |
| 6.3.9 Taking Advantage of Temporary Connections | 102 | 1 |
| 6.3.10 Taking Advantage of Natural System Failure | 103 | 1 |
| 6.3.11 Exploiting Bugs You Did Not Even Know You Had | 104 | 1 |
| 6.3.12 Compromising External Systems that a System Trusts | 104 | 1 |
| 6.4 Anticipate Attack Escalation | 105 | 1 |
| | 106 | 3 |
| | 107 | 1 |
| 6.5.2 Red Team Characteristics | 107 | 1 |
| 6.5.3 Other Types of Red Teams | 108 | 1 |
| | 109 | 3 |
| | 109 | 1 |
| | 110 | 1 |
| 6.6.3 Purple Collaboration | 111 | 1 |
| 6.7 Red Team Work Factor: Measuring Difficulty | 112 | 1 |
| | 113 | 1 |
| | 113 | 2 |
| Chapter 7 Forests of Attack Trees | 115 | 16 |
| | 115 | 1 |
| | 116 | 1 |
| 7.1 Attack Trees and Forests | 116 | 3 |
| 7.1.1 Attack Tree Structure | 116 | 1 |
| 7.1.2 Deriving Attack Scenarios | 117 | 1 |
| 7.1.3 From Trees to Forests | 118 | 1 |
| 7.2 System Failures Predict Cybersecurity Failures | 119 | 1 |
| 7.2.1 Inspirational Catastrophes | 119 | 1 |
| | 119 | 1 |
| | 120 | 1 |
| 7.3 Understanding Failure Is the Key to Success: The Five Whys | 120 | 1 |
| | 120 | 1 |
| 7.3.2 Projecting Fishbones | 121 | 1 |
| 7.4 Forests Should Be Representative, Not Exhaustive | 121 | 2 |
| 7.5 Drive Each Attack Tree Layer by Asking How | 123 | 2 |
| 7.6 Go as Deep as Needed and No Deeper | 125 | 1 |
| 7.7 Beware of External Dependencies | 125 | 2 |
| | 125 | 1 |
| 7.7.2 Information Dependency | 126 | 1 |
| 7.7.3 Creating Redundancy | 126 | 1 |
| | 127 | 1 |
| | 127 | 4 |
| Part III: What Are the Building Blocks of Mitigating Risk? | | |
| Chapter 8 Countermeasures: Security Controls | 131 | 24 |
| | 131 | 1 |
| | 132 | 1 |
| 8.1 Countermeasures: Design to Purpose | 133 | 1 |
| 8.2 Ensure Attack-Space Coverage (Defense in Breadth) | 133 | 1 |
| 8.3 Defense in Depth and Breadth | 134 | 2 |
| 8.4 Multilevel Security, Trusted Code, Security Kernels | 136 | 4 |
| 8.4.1 Multilevel Security | 136 | 2 |
| | 138 | 1 |
| 8.4.3 Security Kernel and the Reference Monitor | 138 | 2 |
| 8.5 Integrity and Type Enforcement | 140 | 3 |
| 8.5.1 Multilevel Integrity | 140 | 1 |
| | 141 | 2 |
| 8.6 Cybersecurity Usability | 143 | 6 |
| | 144 | 1 |
| | 144 | 1 |
| | 145 | 1 |
| | 145 | 1 |
| | 146 | 1 |
| | 146 | 1 |
| | 146 | 1 |
| | 147 | 1 |
| | 147 | 1 |
| | 148 | 1 |
| 8.7 Deploy Default Secure | 149 | 1 |
| | 149 | 3 |
| 8.8.1 Cost Always Matters | 149 | 1 |
| 8.8.2 Time-to-Deploy Matters | 150 | 1 |
| 8.8.3 Impact to Mission Matters | 150 | 1 |
| | 151 | 1 |
| 8.8.5 Opportunity Cost Is a Key Part of Cost | 151 | 1 |
| 8.8.6 How Much to Invest in Cybersecurity | 151 | 1 |
| 8.8.7 Optimizing Zero-Sum Cybersecurity Budgets | 152 | 1 |
| | 152 | 1 |
| | 153 | 2 |
| Chapter 9 Trustworthy Hardware: Bedrock | 155 | 12 |
| | 155 | 1 |
| | 155 | 1 |
| | 156 | 2 |
| 9.2 Instruction Set Architectures | 158 | 1 |
| 9.3 Supervisors with Rings and Things | 158 | 1 |
| 9.4 Controlling Memory: Mapping, Capabilities, and Tagging | 159 | 3 |
| | 160 | 1 |
| | 160 | 2 |
| | 162 | 1 |
| | 162 | 1 |
| | 162 | 1 |
| | 162 | 1 |
| 9.5.3 Secure Bootstrapping | 163 | 1 |
| 9.6 Buses and Controllers | 163 | 1 |
| | 164 | 1 |
| | 164 | 3 |
| Chapter 10 Cryptography: A Sharp and Fragile Tool | 167 | 22 |
| | 167 | 1 |
| | 168 | 1 |
| 10.1 What Is Cryptography? | 168 | 1 |
| | 169 | 2 |
| | 171 | 2 |
| | 173 | 2 |
| 10.4.1 Transmission to Intended Recipients | 173 | 1 |
| | 174 | 1 |
| | 175 | 1 |
| 10.5 Public-Key Cryptography | 175 | 4 |
| | 176 | 1 |
| 10.5.2 Certificates and Certificate Authorities | 177 | 1 |
| 10.5.3 Performance and Use | 178 | 1 |
| 10.5.4 Side Effect of Public-Key Cryptography | 179 | 1 |
| | 179 | 3 |
| | 182 | 2 |
| | 182 | 1 |
| | 182 | 2 |
| 10.8 Chinks in the Cryptographic Armor | 184 | 1 |
| 10.8.1 Quantum Cryptanalytics: Disruptive Technology | 184 | 1 |
| | 185 | 1 |
| 10.9 Cryptography Is Not a Panacea | 185 | 1 |
| 10.10 Beware of Homegrown Cryptography | 186 | 1 |
| | 186 | 1 |
| | 187 | 2 |
| Chapter 11 Authentication | 189 | 10 |
| | 189 | 1 |
| | 189 | 2 |
| 11.1 Entity Identification: Phase 1 of Authentication | 191 | 1 |
| 11.2 Identity Certification: Phase 2 of Authentication | 191 | 2 |
| 11.3 Identity Resolution: Phase 3 of Authentication | 193 | 1 |
| 11.4 Identity Assertion and Identity Proving: Phases 4 and 5 of Authentication | 194 | 1 |
| 11.5 Identity Decertification: Phase 6 of Authentication | 194 | 1 |
| 11.6 Machine-to-Machine Authentication Chaining | 195 | 1 |
| | 196 | 1 |
| | 196 | 3 |
| Chapter 12 | 199 | 26 |
| | 199 | 1 |
| | 200 | 1 |
| | 200 | 10 |
| 12.1.1 Discretionary Access Control | 201 | 2 |
| 12.1.2 Mandatory Access Control | 203 | 2 |
| | 205 | 1 |
| 12.1.4 Identity-Based Access Control | 206 | 1 |
| 12.1.5 Attribute-Based Access Control | 207 | 3 |
| 12.2 Attribute Management | 210 | 6 |
| 12.2.1 User Attributes and Privilege Assignment | 210 | 1 |
| 12.2.2 Resource Attribute Assignment | 211 | 1 |
| 12.2.3 Attribute Collection and Aggregation | 211 | 2 |
| 12.2.4 Attribute Validation | 213 | 2 |
| 12.2.5 Attribute Distribution | 215 | 1 |
| 12.3 Digital Policy Management | 216 | 4 |
| 12.3.1 Policy Specification | 216 | 1 |
| 12.3.2 Policy Distribution | 217 | 1 |
| | 218 | 1 |
| 12.3.4 Policy Enforcement | 218 | 2 |
| 12.4 Authorization Adoption Schemas | 220 | 2 |
| 12.4.1 Direct Integration | 221 | 1 |
| 12.4.2 Indirect Integration | 221 | 1 |
| 12.4.3 Alternative Integration | 221 | 1 |
| | 222 | 1 |
| | 222 | 3 |
| Chapter 13 Detection Foundation | 225 | 12 |
| | 225 | 1 |
| | 225 | 1 |
| 13.1 The Role of Detection | 226 | 1 |
| 13.2 How Detection Systems Work | 227 | 1 |
| | 228 | 3 |
| 13.3.1 Attack Manifestation in Features | 229 | 1 |
| 13.3.2 Manifestation Strength | 229 | 1 |
| 13.3.3 Mapping Attacks to Features | 230 | 1 |
| 13.3.4 Criteria for Selection | 230 | 1 |
| | 231 | 1 |
| | 231 | 1 |
| | 232 | 1 |
| | 232 | 1 |
| 13.8 Attack Classification | 233 | 1 |
| | 233 | 1 |
| 13.10 Know Operational Performance Characteristics for Sensors | 233 | 1 |
| | 234 | 1 |
| | 235 | 2 |
| Chapter 14 Detection Systems | 237 | 20 |
| | 237 | 1 |
| | 238 | 1 |
| 14.1 Types of Detection Systems | 238 | 7 |
| | 238 | 3 |
| | 241 | 4 |
| 14.2 Detection Performance: False Positives, False Negatives, and ROCS | 245 | 6 |
| | 245 | 3 |
| 14.2.2 Feature Extraction | 248 | 1 |
| | 249 | 1 |
| | 249 | 1 |
| 14.2.5 Attack Classification | 250 | 1 |
| | 251 | 1 |
| 14.3 Drive Detection Requirements from Attacks | 251 | 1 |
| | 252 | 3 |
| | 252 | 1 |
| | 252 | 1 |
| 14.4.3 Below Alert Threshold | 253 | 1 |
| 14.4.4 Improper Placement | 253 | 1 |
| | 254 | 1 |
| 14.4.6 Successfully Attacked | 254 | 1 |
| 14.4.7 Blocked Sensor Input | 255 | 1 |
| 14.4.8 Blocked Report Output | 255 | 1 |
| | 255 | 1 |
| | 256 | 1 |
| Chapter 15 Detection Strategy | 257 | 16 |
| | 257 | 1 |
| | 257 | 1 |
| 15.1 Detect in Depth and Breadth | 258 | 4 |
| 15.1.1 Breadth: Network Expanse | 258 | 2 |
| 15.1.2 Depth: Network Expanse | 260 | 1 |
| 15.1.3 Breadth: Attack Space | 261 | 1 |
| 15.1.4 Depth: Attack Space | 261 | 1 |
| 15.2 Herd the Adversary to Defender's Advantage | 262 | 1 |
| | 263 | 1 |
| | 264 | 1 |
| | 264 | 2 |
| 15.5.1 Running Alerts to Ground | 264 | 1 |
| 15.5.2 Learning More About an Attack | 265 | 1 |
| 15.6 Enhancing Attack Signal and Reducing Background Noise | 266 | 4 |
| 15.6.1 Reducing the Noise Floor | 267 | 2 |
| 15.6.2 Boosting Attack Signal | 269 | 1 |
| 15.6.3 Lowering the Alert Threshold | 270 | 1 |
| | 270 | 1 |
| | 271 | 2 |
| Chapter 16 Deterrence and Adversarial Risk | 273 | 14 |
| | 273 | 1 |
| | 273 | 1 |
| 16.1 Deterrence Requirements | 274 | 3 |
| 16.1.1 Reliable Detection: Risk of Getting Caught | 274 | 1 |
| 16.1.2 Reliable Attribution | 275 | 1 |
| 16.1.3 Meaningful Consequences | 276 | 1 |
| 16.2 All Adversaries Have Risk Thresholds | 277 | 1 |
| 16.3 System Design Can Modulate Adversary Risk | 277 | 2 |
| 16.3.1 Detection Probability | 278 | 1 |
| 16.3.2 Attribution Probability | 278 | 1 |
| 16.3.3 Consequence Capability and Probability | 278 | 1 |
| 16.3.4 Retaliation Capability and Probability | 279 | 1 |
| | 279 | 1 |
| 16.4 Uncertainty and Deception | 279 | 1 |
| | 279 | 1 |
| | 280 | 1 |
| 16.5 When Detection and Deterrence Do Not Work | 280 | 1 |
| | 281 | 1 |
| | 282 | 5 |
| Part IV: How Do You Orchestrate Cybersecurity? | | |
| Chapter 17 Cybersecurity Risk Assessment | 287 | 26 |
| | 287 | 1 |
| | 288 | 1 |
| 17.1 A Case for Quantitative Risk Assessment | 288 | 1 |
| 17.2 Risk as a Primary Metric | 289 | 1 |
| | 290 | 2 |
| | 290 | 1 |
| | 291 | 1 |
| | 291 | 1 |
| | 292 | 1 |
| 17.4 Evaluate Defenses from an Attacker's Value Perspective | 292 | 1 |
| 17.5 The Role of Risk Assessment and Metrics in Design | 293 | 2 |
| 17.6 Risk Assessment Analysis Elements | 295 | 14 |
| 17.6.1 Develop Mission Model | 295 | 1 |
| 17.6.2 Develop System Model | 295 | 1 |
| 17.6.3 Develop Adversary Models | 296 | 1 |
| 17.6.4 Choose Representative Strategic Attack Goals | 297 | 1 |
| 17.6.5 Estimate Harm Using Wisdom of Crowds | 298 | 1 |
| 17.6.6 Estimate Probability Using Wisdom of Crowds | 299 | 2 |
| 17.6.7 Choose Representative Subset | 301 | 1 |
| 17.6.8 Develop Deep Attack Trees | 301 | 2 |
| 17.6.9 Estimate Leaf Probabilities and Compute Root | 303 | 2 |
| 17.6.10 Refine Baseline Expected Harm | 305 | 1 |
| 17.6.11 Harvest Attack Sequence Cut Sets => Risk Source | 306 | 2 |
| 17.6.12 Infer Attack Mitigation Candidates from Attack Sequences | 308 | 1 |
| 17.7 Attacker Cost and Risk of Detection | 309 | 1 |
| | 309 | 1 |
| | 309 | 1 |
| | 309 | 1 |
| | 310 | 3 |
| Chapter 18 Risk Mitigation and Optimization | 313 | 18 |
| | 313 | 1 |
| | 313 | 2 |
| 18.1 Develop Candidate Mitigation Packages | 315 | 2 |
| 18.2 Assess Cost of Mitigation Packages | 317 | 3 |
| | 317 | 1 |
| | 318 | 2 |
| 18.3 Re-estimate Leaf Node Probabilities and Compute Root Node Probability | 320 | 3 |
| 18.4 Optimize at Various Practical Budget Levels | 323 | 3 |
| 18.4.1 Knapsack Algorithm | 323 | 2 |
| 18.4.2 Sensitivity Analysis | 325 | 1 |
| | 326 | 1 |
| | 327 | 1 |
| | 327 | 1 |
| | 328 | 3 |
| Chapter 19 Engineering Fundamentals | 331 | 20 |
| | 331 | 1 |
| | 331 | 1 |
| 19.1 Systems Engineering Principles | 332 | 8 |
| | 332 | 4 |
| | 336 | 1 |
| 19.1.3 Conservation of Energy and Risk | 336 | 1 |
| 19.1.4 Keep It Simple, Stupid | 337 | 1 |
| 19.1.5 Development Process | 338 | 1 |
| 19.1.6 Incremental Development and Agility | 339 | 1 |
| 19.2 Computer Science Principles | 340 | 7 |
| 19.2.1 Modularity and Abstraction | 340 | 2 |
| | 342 | 1 |
| 19.2.3 Time and Space Complexity: Understanding Scalability | 343 | 1 |
| 19.2.4 Focus on What Matters: Loops and Locality | 344 | 1 |
| 19.2.5 Divide and Conquer and Recursion | 345 | 2 |
| | 347 | 1 |
| | 348 | 3 |
| Chapter 20 Architecting Cybersecurity | 351 | 18 |
| | 351 | 1 |
| | 351 | 1 |
| 20.1 Reference Monitor Properties | 352 | 3 |
| 20.1.1 Functional Correctness | 352 | 3 |
| | 355 | 1 |
| | 355 | 1 |
| 20.2 Simplicity and Minimality Breed Confidence | 355 | 1 |
| 20.3 Separation of Concerns and Evolvability | 356 | 1 |
| 20.4 Security Policy Processing | 356 | 4 |
| 20.4.1 Policy Specification | 357 | 1 |
| 20.4.2 Policy Decision Making | 358 | 2 |
| 20.4.3 Policy Enforcement | 360 | 1 |
| 20.5 Dependability and Tolerance | 360 | 5 |
| 20.5.1 Cybersecurity Requires Fail Safety | 360 | 1 |
| 20.5.2 Expect Failure: Confine Damages Using Bulkheads | 361 | 1 |
| | 362 | 2 |
| 20.5.4 Synergize Prevention, Detect-Response, and Tolerance | 364 | 1 |
| | 365 | 1 |
| | 366 | 1 |
| | 367 | 2 |
| Chapter 21 Assuring Cybersecurity: Getting It Right | 369 | 12 |
| | 369 | 1 |
| | 369 | 1 |
| 21.1 Cybersecurity Functionality Without Assurance Is Insecure | 370 | 1 |
| 21.2 Treat Cybersecurity Subsystems as Critical Systems | 371 | 1 |
| 21.3 Formal Assurance Arguments | 371 | 5 |
| 21.3.1 Cybersecurity Requirements | 372 | 2 |
| 21.3.2 Formal Security Policy Model | 374 | 1 |
| 21.3.3 Formal Top-Level Specification | 374 | 1 |
| 21.3.4 Security-Critical Subsystem Implementation | 375 | 1 |
| 21.4 Assurance-in-the-Large and Composition | 376 | 3 |
| | 376 | 1 |
| 21.4.2 Trustworthiness Dependencies | 376 | 1 |
| 21.4.3 Avoiding Dependency Circularity | 377 | 1 |
| 21.4.4 Beware of the Inputs, Outputs, and Dependencies | 378 | 1 |
| 21.4.5 Violating Unstated Assumptions | 378 | 1 |
| | 379 | 1 |
| | 379 | 2 |
| Chapter 22 Cyber Situation Understanding: What's Going On | 381 | 20 |
| | 381 | 1 |
| | 382 | 1 |
| 22.1 Situation Understanding Interplay with Command and Control | 382 | 1 |
| 22.2 Situation-Based Decision Making: The CODA Loop | 383 | 2 |
| 22.3 Grasping the Nature of the Attack | 385 | 4 |
| 22.3.1 What Vulnerability Is It Exploiting? | 385 | 1 |
| 22.3.2 Which Paths Are the Attacks Using? | 385 | 2 |
| 22.3.3 Are the Attack Paths Still Open? | 387 | 1 |
| 22.3.4 How Can the Infiltration, Exfiltration, and Propagation Paths Be Closed? | 388 | 1 |
| 22.4 The Implication to Mission | 389 | 3 |
| | 391 | 1 |
| 22.4.2 Contingency Planning | 391 | 1 |
| 22.4.3 Nature and Locus Guiding Defense | 392 | 1 |
| 22.5 Assessing Attack Damages | 392 | 1 |
| | 393 | 1 |
| 22.7 The State of Defenses | 393 | 3 |
| 22.7.1 Health, Stress, and Duress | 394 | 1 |
| | 394 | 1 |
| 22.7.3 Configuration Maneuverability | 395 | 1 |
| 22.7.4 Progress and Failure | 396 | 1 |
| 22.8 Dynamic Defense Effectiveness | 396 | 1 |
| | 397 | 1 |
| | 398 | 3 |
| Chapter 23 Command and Control: What to Do About Attacks | 401 | 28 |
| | 401 | 1 |
| | 402 | 1 |
| 23.1 The Nature of Control | 402 | 2 |
| | 402 | 1 |
| 23.1.2 Speed Considerations | 403 | 1 |
| | 403 | 1 |
| 23.2 Strategy: Acquiring Knowledge | 404 | 5 |
| | 405 | 1 |
| | 406 | 1 |
| 23.2.3 Vicarious Experience | 406 | 1 |
| | 407 | 2 |
| | 409 | 7 |
| | 409 | 1 |
| 23.3.2 Courses of Action in Advance | 410 | 2 |
| 23.3.3 Criteria for Choosing Best Action | 412 | 3 |
| 23.3.4 Planning Limitations | 415 | 1 |
| | 416 | 4 |
| | 416 | 2 |
| 23.4.2 Role of Autonomic Control | 418 | 1 |
| 23.4.3 Autonomic Action Palette | 419 | 1 |
| | 420 | 3 |
| | 421 | 1 |
| 23.5.2 Don't Be Predictable | 422 | 1 |
| 23.5.3 Stay Ahead of the Attackers | 422 | 1 |
| | 423 | 1 |
| | 424 | 5 |
| Part V: Moving Cybersecurity Forward | | |
| Chapter 24 Strategic Policy and Investment | 429 | 14 |
| | 429 | 1 |
| | 430 | 1 |
| 24.1 Cyberwar: How Bad Can Bad Get? | 430 | 4 |
| | 432 | 1 |
| | 432 | 1 |
| 24.1.3 Barriers to Preparation Action | 433 | 1 |
| | 433 | 1 |
| 24.2 Increasing Dependency, Fragility, and the Internet of Things | 434 | 2 |
| 24.2.1 Societal Dependency | 434 | 1 |
| 24.2.2 Just-in-Time Everything | 435 | 1 |
| 24.2.3 The Internet of Things | 435 | 1 |
| 24.2.4 Propagated Weakness | 435 | 1 |
| 24.3 Cybersecurity in the Virtual World: Virtual Economy | 436 | 1 |
| 24.3.1 Booming Game Economy: Virtual Gold Rush | 436 | 1 |
| 24.3.2 Digital Currency Such as Bitcoin | 436 | 1 |
| 24.3.3 Virtual High-Value Targets | 436 | 1 |
| 24.3.4 Start from Scratch? | 437 | 1 |
| 24.4 Disinformation and Influence Operations: Fake News | 437 | 2 |
| | 437 | 1 |
| | 438 | 1 |
| 24.4.3 Polluting the Infosphere | 439 | 1 |
| | 439 | 1 |
| | 440 | 3 |
| Chapter 25 Thoughts on the Future of Cybersecurity | 443 | 24 |
| | 443 | 1 |
| | 444 | 1 |
| 25.1 A World Without Secrecy | 444 | 2 |
| | 445 | 1 |
| 25.1.2 Minimize Generation | 445 | 1 |
| 25.1.3 Zero-Secrecy Operations | 445 | 1 |
| 25.2 Coevolution of Measures and Countermeasures | 446 | 1 |
| 25.3 Cybersecurity Space Race and Sputnik | 447 | 3 |
| 25.3.1 Gaining the Ultimate Low Ground | 447 | 1 |
| 25.3.2 Stuxnet and the Cyberattack Genie | 447 | 1 |
| 25.3.3 Georgia and Hybrid Warfare | 448 | 1 |
| 25.3.4 Estonia and Live-Fire Experiments | 448 | 1 |
| 25.3.5 Responsibility for Defending Critical Information Infrastructure | 448 | 2 |
| 25.4 Cybersecurity Science and Experimentation | 450 | 4 |
| 25.4.1 Hypothesis Generation | 452 | 1 |
| 25.4.2 Experimental Design | 453 | 1 |
| 25.4.3 Experiment Execution | 453 | 1 |
| 25.5 The Great Unknown: Research Directions | 454 | 6 |
| 25.5.1 Hard Research Problems | 454 | 2 |
| 25.5.2 Are Cybersecurity Problems Too Hard? | 456 | 1 |
| 25.5.3 Research Impact and the Heilmeier Catechism | 456 | 3 |
| 25.5.4 Research Results Dependability | 459 | 1 |
| 25.5.5 Research Culture: A Warning | 459 | 1 |
| 25.6 Cybersecurity and Artificial Intelligence | 460 | 2 |
| | 462 | 1 |
| | 463 | 4 |
| Part VI: Appendix and Glossary | | |
| Appendix Resources | 467 | 16 |
| Glossary | 483 | 40 |
| Index | 523 | |