Course Detail
Managing the Protection of Information Assets and Systems
Cyberwarfare: An introduction to information-age conflict. Porche, I. R. I. (2019); What every engi

Objectives

1. Understand key concepts of information and conflict
2. Identify the lifecycle of cyber operations
3. Understand the “cyber landscape” and the relevant actors in the space
4. Describe the key tenets of the legal aspects of cyber warfare
5. Distinguish between offensive and defensive cyber operations.


Takeaways

- Data: Facts, ideas, numbers, words, signals, and symbols without relationships.
- Information: Data with attributes and relationships.
- Knowledge: Inferences derived from relationships.
- Wisdom: Advanced knowledge and evaluated understanding.
- Info space, cyber space, social media.
- Flaw, vulnerability, exploit.
- Confidentiality, integrity, availability, non-repudiation, authentication.
- Cyber operations: attack, spy, defend, protect, collect, prepare, build.
- Kinetic attack, electronic attack, cyber-attack.

- Steps for offensive operations: identify vulnerability, gain and maintain access, deliver and execute payload.
- Attack surface and different types of access.
- Payload and its harmful intent.
- Attack phases: intrusion and attack.
- Passive reconnaissance, scanning, enumeration.
- Developing and delivering payloads.
- Exploitation steps and exfiltration.

- Asset, exposure, impact, risk, safeguards.
- Threat, threat actor, vulnerability.
- Risk equation: Risk = f(Threat, Vulnerability, Consequence).
- Types of consequences.
- Intent, capability, opportunity.
- Attractive, accessible, capable targets.
- Risk assessment and criticality analysis.
- Types of threat actors.
- Advanced persistent threat (APT) and script-kiddies.
- Malware types: viruses, worms, spyware, ransomware, rootkits, botnets.
- Risk management and mitigation.
- Asset value, exposure factor, single loss expectancy, annual loss expectancy.

- International law and conventions.
- Law of Armed Conflict (LOAC) has two overarching principles:
  - Jus ad bellum: States need a good reason for using force or violence against each other.
  - Jus in bello: When war is inevitable, human suffering should be minimized.
- Jus ad bellum is governed by the UN Charter, interpretations of the UN Charter, and customary international law.
- Jus in bello refers to rules governing behavior during war and is part of international humanitarian law (IHL).
- Acts not considered a use of force: Unfavorable trade decisions, space-based surveillance, boycotts, severance of diplomatic relations, etc.
- UN Security Council determines measures for restoring international peace.
- Attacks can be measured by destructiveness, intrusiveness, and target acceptability.
- Gray zone attacks include temporary attacks, attacks with plausible deniability, and those that don't clearly rise to the level of an act of war.
- The Tallinn Manual applies international law to operations in cyberspace, focusing on armed attacks and permitted cyber operations during armed conflict.
- US laws related to cyber operations: Title 10, 50, 18, Computer Fraud and Abuse Act (CFAA), PPD-41, Executive Order 12333.
- Attribution of attacks includes factors like motivation, financial support, physical location, aliases, IP, tradecraft, infrastructure, malware, and intent.
- Challenges in attribution include botnets, WHOIS data limitations, device proxies, and anonymizing networks like Tor.
- Attack steps: reconnaissance, gaining access, covering tracks.
- Tools used: Google-Fu, Google Dorks, Shodan, Censys, social engineering, scanning, enumeration, Nmap, Metasploit, SQL injection, XSS, watering hole attacks, JS injection, code injection, HTML injection, keylogging, exploit kits.
- Vulnerabilities in bridge and navigation systems: SATCOM, GPS, AIS, ECDIS.
- Confidentiality, integrity, and availability risks in maritime systems.
- Examples of attacks: pirates and drilling rigs, large ports and smugglers, A.P. Møller-Maersk and NotPetya.
- Attacks on bridge systems can occur through spearphishing.
- Securing SATCOM, proper segmentation and segregation, and traditional manual systems are recommended measures.

- Left: ICT/IT devices, hosts, network devices, operational technology (OT), industrial control systems (ICS), SCADA (used in water systems, critical infrastructure, Niagara, General Mills, Natanz).
- Characteristics of ICT: Speed, boundlessness, democracy, anonymity, growth, and dynamism.
- Trends in ICT: Digitization, miniaturization, mobility, efficiency.
- Overlapping ICT areas: Signal intelligence, inform and influence efforts, cyber operations, electronic warfare, spectrum management.
- Chapter 10 focuses on critical infrastructure (CI), which is an attractive and accessible target facing capable threat actors, and which is vulnerable to exploitation.
- Lack of international norms on nation-state attacks and exploits on critical infrastructure.
- CI is controlled by IT-based industrial control systems (ICS) and command and control systems.
- Problems with CI: Interconnected to the internet, lacking basic cybersecurity protections, adoption of common computing devices and consumer-grade operating systems.
- Bad idea trends in CI: Network electronics, remote control, commercial off-the-shelf IT, open standards, wireless accessibility.
- Scenarios: Network co-opted and controlled via the internet, trusted insiders with credentials, tainted maintenance and software upgrades, infected websites frequented by employees.
- TTPs (Tactics, Techniques, and Procedures) in cyber attacks.
- ICS vulnerabilities: Spoofing, MITM attacks, replay attacks, traffic snooping, credential theft.
- Attacks: MITM attacks, replay attacks, injection attacks, backdoors.
- Hiding the C&C server: Anonymizing networks (Tor), legitimate-looking domain names, intermediate proxy servers, covert channels via email, social media, and public IP addresses.
- Types of malware: Droppers, wipers, recorders.
- Examples of attacks: Stuxnet, Maroochy Shire Sewage Attack, Havex, Shamoon, WannaCry, NotPetya.


- Motivation: Undermine confidence, foreign actors' access, attractive target.
- Key components: Storage facilities, polling places, vote tabulation, ICT, voting machines, voter registration databases, election process management.
- Complexities: Multiple voting methods, governance variation, limited staff, diverse laws.
- Election attack surface: Voting machines, voter registration databases, e-pollbooks, vote tally systems, election night reporting systems.
- Hacking demo: 2017 DEFCON and UM demonstrations, showcasing vulnerabilities in voting systems.
- Vulnerabilities: Voter data for sale, exploitation of e-poll books, front-end and back-end systems.
- Attack on 2016 US election: Russian involvement, spear-phishing, malware, backdoors, exfiltration, covering tracks.
- Mitigations: Paper voting, security culture, interconnect system, transparency, passwords and authentication, monitoring, vendor security.

Chapter 4: Risk and Preincident Preparation
- Risk identification and assessment: Host and network preparation, policies and procedures, incident response team, training.
- Critical assets and risks: Anything harmful to the company, risks evolve with changes.
- System characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis.
- Risk determination, control recommendations, results documentation, network preparation, vulnerability management.
- Internal risks and network synchronization for forensic investigations.
- Preparation for Advanced Persistent Threats (APTs) and signs of APT activity.
- Kill Chain stages of attacks and the importance of policy, procedures, and techniques (PPT).
- Addressing risks through Acceptable Use Policies (AUP), BYOD considerations, security policies, employee exit strategies.

Incident Response:
- Establish a Computer Incident Response Team (CIRT) as the point of contact.
- Create an incident response policy defining incidents, roles, and responsibilities.
- Develop a plan based on the incident response policy.
- Use metrics to assess the program and determine training needs.
- Define procedures detailing the step-by-step incident response process.
- Address incident-related information sharing through policy and procedures.
- Consult with legal, public affairs, and management for policy determination.
- Provide information to appropriate organizations such as US-CERT or ISAC.
- Consider outsourcing and ensure team members have appropriate skills.
- Determine services the team should offer, such as monitoring and education.

Response Team (RT):
- Facilitate technical assistance, eradication, and recovery.
- Maintain custody of evidence with chain-of-custody validation.
- Use a toolkit for evidence acquisition, including hardware and software.
- Document incident status, summary, actions taken, impact, evidence, etc.
- Conduct training on malware, lessons learned, and penetration testing.

NIST Recommendations:
- Implement formal security awareness documentation and training.
- Cover technical, physical, and personnel safeguards.
- Implement ways to shut down incidents, such as undercover measures or secure locks.
- Maintain an accurate time synchronization and a knowledge base of searchable information.

Incident Response Lifecycle:
- Preparation, detection/identification, containment, eradication, recovery.
- Profile networks and systems for normal behavior identification.
- Establish log retention policy and perform event correlation.
- Synchronize host clocks and maintain a searchable knowledge base.
- Run packet sniffers and have a backup plan in place.
- Maintain a chain of custody for evidence and report incidents to officials.

Digital Forensics (DF):
- Prepare for digital evidence collection, analysis, and reporting.
- Collect devices, document information, and duplicate hard drives.
- Analyze suspect machines and describe actions, tools, and procedures.
- Generate actionable reports and conduct postmortem analysis.

Cloud and Mobile Phone DF:
- Understand the CSP procedure and ensure event data availability.
- Determine the scope of the incident for cloud environments.
- Follow the DF lifecycle for mobile phone DF, considering challenges like new phone models and lack of standards.

Laws and Regulations:
- Statutory law, government-sponsored agencies, and common law.
- Computer Fraud and Abuse Act (CFAA) for computer fraud cases.
- Regulatory agencies like FCC and FTC addressing internet-related issues.
- CISO concerns include legislation, data handling, and secure sensitive data.
- HIPAA for health information protection and privacy practices.

PII and Privacy Laws:
- PII refers to elements that identify a specific individual.
- Sensitive PII includes credit card data, bank account numbers, etc.
- Good citizenry involves notice, choice, and consent.
- The FTC follows the Fair Information Practice Principles (FIPPs).
- US privacy laws include the Identity Theft and Assumption Deterrence Act, Gramm-Leach-Bliley Act (GLBA), FERPA, Privacy Act of 1974, Freedom of Information Act of 1996, etc.
- Other privacy laws and regulations include HIPAA, PCI DSS, SOX, FISMA, USA Patriot Act, ECPA, etc.
- Privacy laws address areas like student data protection, financial industry privacy, electronic communications, cybercrime, computer trespass, digital signatures, data retention, data destruction, etc.
- International privacy laws cover various aspects of data protection, human rights, and harmonization.

Data Classification and Roles:
- Data classification involves levels like confidential, private, public, proprietary.
- Data roles include owners, stewards/custodians, privacy officers, and users.

Data Destruction and Media Sanitization:
- Methods of data destruction include burning, shredding, pulping, pulverizing, degaussing, purging, and wiping.
- The CFAA aims to prevent unauthorized access to information.

Specific Privacy Laws:
- VPPA (Video Privacy Protection Act) is a strong privacy law.
- SB 1386 (California Senate Bill 1386) mandates notification of PII loss or disclosure.
- FCRA (Fair Credit Reporting Act) ensures consumers are informed of their rights.
- International privacy laws vary, with the US following an opt-out approach and the EU following an opt-in approach.

OECD and EU Data Protection:
- OECD discussions cover privacy issues and data protection.
- EU data protection directive blocks data transfers outside the EU.

Privacy and Data Protection:
- Safe Harbor is a self-regulation mechanism enforced through trade practice law.
- GDPR (General Data Protection Regulation) came into effect in 2018 and introduced new individual rights and the requirement for a Data Protection Officer (DPO).
- Canada has the Personal Information Protection and Electronic Data Act (PIPEDA), which governs the collection and use of personal information.

Privacy Practices and Assessments:
- Privacy-Enhancing Technologies (PET) include encryption, cookie cutters, and USB key encryption.
- Privacy policies and procedures ensure compliance across an organization.
- Privacy Impact Assessments (PIA) are structured approaches to evaluate privacy performance.
- Steps for a PIA include scoping, involving stakeholders, documenting contact with PII, reviewing legal requirements, identifying gaps, and producing a report.

Web Privacy:
- Cookies are small bits of text or data used on websites.

Bridge and Navigation System Vulnerabilities:
- SATCOM, GPS, AIS, and ECDIS are vulnerable areas in ship navigation systems.
- Vulnerabilities include hardcoded credentials, undocumented protocols, insecure protocols, GPS weaknesses, GPS jamming, GPS spoofing, and misidentifying GPS locations.

Risk Assessment and Security Concepts:
- Confidentiality ensures authorized access and prevents unauthorized access to assets.
- Annualized Loss Expectancy (ALE) is calculated as Single Loss Expectancy (SLE) multiplied by Annualized Rate of Occurrence (ARO).
- Watering hole is an attack exploiting unknown vulnerabilities.
- Criticality analysis determines vital system parts and assesses the consequences of loss.
- False is an unsystematic risk, while true is quantitative risk assessment.
- Various terms and concepts related to attacks, vulnerabilities, tactics, and security measures are mentioned.
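The quantitative risk assessment chain summarized above (asset value and exposure factor giving SLE, SLE times ARO giving ALE) is shown here as an added example that is not part of the course notes; it also carries the calculation one step further than the notes do, comparing the annual value of candidate safeguards. The asset, threat and safeguard figures are constructed for illustration, loosely modelled on the ship bridge system scenario the notes mention.

```python
"""Quantitative risk assessment: SLE, ALE and safeguard cost-benefit (added example)."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # asset value (AV) in currency units


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0..1
    aro: float              # annualized rate of occurrence (incidents per year)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    residual_ef: float   # EF that remains once the safeguard is in place
    residual_aro: float  # ARO that remains once the safeguard is in place


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """SLE = AV x EF (the loss expected from a single incident)."""
    if not 0.0 <= threat.exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return asset.value * threat.exposure_factor


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """ALE = SLE x ARO (the loss expected per year)."""
    return single_loss_expectancy(asset, threat) * threat.aro


def safeguard_value(asset: Asset, threat: Threat, sg: Safeguard) -> float:
    """Annual value of a safeguard = ALE before - ALE after - its annual cost."""
    residual = Threat(threat.name, sg.residual_ef, sg.residual_aro)
    before = annualized_loss_expectancy(asset, threat)
    after = annualized_loss_expectancy(asset, residual)
    return before - after - sg.annual_cost


def choose_safeguard(asset: Asset, threat: Threat, options: Sequence[Safeguard]) -> Optional[Safeguard]:
    """Pick the safeguard with the highest positive net value; None if no option pays for itself."""
    ranked = sorted(options, key=lambda s: safeguard_value(asset, threat, s), reverse=True)
    return ranked[0] if ranked and safeguard_value(asset, threat, ranked[0]) > 0 else None


# Constructed sample figures (not from the course material).
ECDIS = Asset("ECDIS bridge workstation", 200_000.0)
RANSOMWARE = Threat("ransomware delivered by spearphishing", exposure_factor=0.5, aro=0.25)
OPTIONS = [
    Safeguard("network segmentation of bridge systems", 8_000.0, residual_ef=0.5, residual_aro=0.05),
    Safeguard("offline backups of chart data", 4_000.0, residual_ef=0.2, residual_aro=0.25),
    Safeguard("full managed SOC for the vessel", 25_000.0, residual_ef=0.1, residual_aro=0.05),
]

if __name__ == "__main__":
    print("SLE:", single_loss_expectancy(ECDIS, RANSOMWARE))
    print("ALE:", annualized_loss_expectancy(ECDIS, RANSOMWARE))
    for sg in OPTIONS:
        print(f"{sg.name}: net annual value {safeguard_value(ECDIS, RANSOMWARE, sg):,.0f}")
    print("Chosen:", choose_safeguard(ECDIS, RANSOMWARE, OPTIONS))
```

A safeguard whose annual cost exceeds the ALE it removes has negative value and is rejected by choose_safeguard, which is the decision the notes' "risk management and mitigation" item is about.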

Law and Conflict:
- Posse Comitatus limits the US Armed Forces' enforcement of domestic law.
- Jus in bello minimizes human suffering in war.
- Different terms related to peace time actions, trust, and principles of armed conflict are mentioned.

Cyber Kill Chain and Assets:
- Cyber kill chain stages involve reconnaissance, target selection, and more.
- Assets refer to resources or information needed for an organization's business.
