11 Oct CYB 4303, Critical Infrastructure Protection in Cybersecurity
see attached.
Course Textbook(s) Lewis, T. G. (2020). Critical infrastructure protection in homeland security: Defending a networked nation (3rd ed.). Wiley. https://online.vitalsource.com/#/books/9781119614562
CYB 4303, Critical Infrastructure Protection in Cybersecurity 1
Course Learning Outcomes for Unit VI
Upon completion of this unit, students should be able to:
4. Examine cybersecurity challenges within critical infrastructure protection (CIP) in the United States.
4.3 Analyze cybersecurity measures.
6. Create components of a cybersecurity strategy in alignment with current national policies.
6.1 Describe the importance of cybersecurity policies.
Required Unit Resources
Chapter 7: Cyber Threats
In order to access the following resource, click the link below.
In the following document, read section 1: Background and Overview (p. 1), and read section 2: ICS Defense-In-Depth Strategies (pp. 2–34).
Department of Homeland Security. (2016). Recommended practice: Improving industrial control system cybersecurity with defense-in-depth strategies. https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
Unit Lesson
Cybersecurity
Cybersecurity refers to the protection of information and information technology assets exposed to the Internet. Cybersecurity applies not only to the nation’s critical infrastructures but also to personal computers, smartphones, and any other device that might contain or expose personally identifiable information (PII) to the World Wide Web. For enterprises, cybersecurity has many implications. Organizations must safeguard customer information and private organizational data, and they must identify and prevent potential intrusions that might disable corporate information technology networks.
In 2013, Presidential Executive Order (EO) 13636 mandated that the United States “enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber-environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties” (The White House, Office of the Press Secretary, 2013, para. 2).
As we have seen in previous units, security is contextual from organization to organization. Companies vary in their specific needs for cybersecurity, sophistication, and expectations. As an example, a small business does not need the same level of sophistication in security as a larger enterprise such as General Electric. Further, a large multinational oil company has different cybersecurity requirements than a health care provider does.
The government’s approach to cybersecurity is quite different from those of individuals and enterprises. Local, state, and federal agencies must take into account the concerns of their citizens, businesses, and government regarding cybersecurity. Governmental agencies need to take into consideration the national security threats that Internet attacks might present. In addition, as national physical infrastructures are increasingly linked to the Internet, the disruption that a cyberattack can cause is significant.
UNIT VI STUDY GUIDE
Cybersecurity
Similar to organizations, each government may have a different perspective regarding cybersecurity. Cyberattacks and vulnerabilities vary from country to country depending on geographical location and economic development. For example, in developed countries, the presence of high bandwidth is ubiquitous, facilitating easy access to security software, while in most emerging countries, unlimited access to the Internet is not present. Users pay more as their use increases. The limited availability of Internet access prevents users from downloading regular antivirus updates, making users more vulnerable to cyber threats.
Types of Cyberattacks
Identity Theft
Identity theft occurs when a thief assumes the victim’s identity in order to access and use the target’s information to access accounts and apply for credit, loans, or other benefits. The thief accumulates massive debt or depletes the victim’s assets and then moves on to another stolen identity. A person’s identity might be stolen through phishing, in which victims are tricked into providing PII such as account numbers, passwords, or social security numbers. This may also be done by invading an individual’s computer with spyware or malware.
Phishing
Phishing refers to the activity whereby a malicious individual disguised as a legitimate company or individual attempts to trick a person into providing PII such as login credentials or account information. This usually takes place through social engineering attempts. As an example, a person may get an email that appears to come from a trusted source like a friend, bank, or even the government. The email message may even have links to counterfeit versions of the entity’s website along with genuine graphics and company logos. During phishing attacks, a person may be asked to visit a fraudulent site to provide personal or account information, giving the thieves a means to get access to critical data.
Malware/Spyware
Malware (malicious software) is software engineered to invade or disrupt a victim’s computer. Malware takes many forms. It might be designed to destroy critical information, disrupt the computer’s performance, or spy and steal valuable PII. The latter is referred to as spyware. The most common types of malware are viruses and worms, which infect the victim’s computer, replicate, mutate, and spread to other devices in a computer network. Malware is spread from computer to computer using the communications network, email, or Internet links.
Social Engineering
Social engineering must be underscored as it may or may not involve technology. The most common security challenges come from the least technical source: people. Social engineering tactics are solely based on exploiting human vulnerabilities. A key aspect of social engineering is trust; most individuals tend to trust other people, and this tendency can be exploited. As was noted above, phishing is a type of social engineering, but most types of social engineering are much less sophisticated. Examples include shoulder surfing (acquiring private information in an inconspicuous manner unbeknownst to the victim) and dumpster diving (searching for confidential information in discarded material). The most common types of social engineering attacks directly involve the victim or close friends or associates of the victim. The attackers generally use one of the following methods to get the victim to disclose confidential information:
• befriending the victim, building trust for the victim to share confidential information;
• persuading the victim that the circumstances are an emergency; the attacker makes the victim believe that he or she has made a mistake and that providing this information will help correct the situation;
• motivating the victim; the victim believes that divulging this information will benefit him or her;
• pressuring the victim by impersonating an individual with authority, often called diffusion of responsibility; the victim provides confidential information because he or she believes that someone else has approved this action; and
• gaining false trust by impersonating security personnel or computer personnel; the victim providing the information wants to be helpful.
The most common cyberattack mitigation strategies involve policy, infrastructure, awareness, and people (as in the case of social engineering). Organizations and individuals should create and implement sound security policies to deter security attacks. Personal policies would be to never send personal data such as user IDs and passwords via email. Organizational security policies might be to never reveal their employee account information to anyone, not even to a superior. Policies must have the infrastructure to support them along with security awareness training to mitigate social engineering vulnerabilities.
Organizational security is as good as its weakest link (Figure 1). Attackers decide on the time, place, and methods of the attack. Individuals, government agencies, and organizations must protect their assets against all forms of cyberattacks. Common threats such as worms, Trojan viruses, malware, spyware, and social engineering efforts can significantly damage an organization’s operations and public trust. Simpson et al. (2017) state that information technology departments are generally responsible for implementing defense strategies against cyber threats and that, in most cases, defense in depth is implemented. Defense in depth involves the implementation of prevention, detection, and responsive controls for security, both cyber based and physical (Simpson et al., 2017).
Cybersecurity Policy
The purpose of security policies is to ensure secure and reliable electronic information environments so that information, data, equipment, and networks are secure; information is properly placed; and the operations of information security are feasible and effective. The creation and implementation of security policies must be company-wide and performed by executive management in fulfilling their fiduciary obligations (Simpson et al., 2017). Furthermore, management must put the infrastructure in place to implement, evaluate, and measure the effectiveness of the policy and employees’ adherence to it. Again, as it is with the variation of attacks, policy evaluation methods must be relevant to each organization.
An organization should evaluate security policies to ensure the actual information security policies and operations are in compliance with the organization’s corporate strategies and governance (as in the case of government agencies). Management should also review the feasibility and effectiveness of the actual operations of the organization. Most importantly, policies should be flexible enough to evolve and adapt along with technology. Policy solutions need to be responsive to new challenges. We do not want to develop a policy in 2019 that will be outdated in 2020. Simpson et al. (2017) remind us that regulatory compliance and standards must be part of policy formulation and evaluation for a sound information policy program.
The Department of Homeland Security (DHS) along with the Federal Communications Commission (FCC) recommends that all companies create and maintain a robust set of policies to safeguard critical and confidential information. DHS recommends that cybersecurity policies follow good design and governance practices. The FCC published a Cybersecurity Planning Guide with recommendations of best practices for policy creation (Federal Communications Commission, n.d.).
CORE CONCEPT
Separation of Duties (SoD): Separation of duties is implemented to maintain the integrity of a security process. This is meant as an internal control to prevent error or fraud. The concept can also be called segregation of duties or separation of powers. An example would be a small business that requires two signatures for checks written over a certain amount. The idea is to have more than one person required to complete a specific task.
Figure 1: Security is as good as its weakest link. (Steidl, n.d.)
Summary
Critical Infrastructure Key Resources (CIKRs) have become more dependent on networks and the Internet for day-to-day functionality. More critical is the understanding of the CIKRs’ interdependence between the various sectors, which presents a more complex ecosystem posing a ripple effect from sector to sector. As an example, if the electrical power is somehow affected by a cyberattack, the consequences of that attack will reverberate across other sectors dependent on the electrical power grid for their operations (e.g., the food industry, water distribution systems, transportation, banking and finance). However, as Figure 2 depicts, cyber-attacks are not the only ones affecting critical sectors; governmental policies, fluctuations in energy prices, or environmental constraints also have a ripple effect across most CIKRs.
Internet security problems are an evolving challenge. Criminal activities such as identity theft and online fraud are serious technological issues. Furthermore, the interconnectedness of CIKRs and the Internet in general poses a serious threat to national security interests. The implementation of policy and personnel security awareness training in organizations and governmental agencies will significantly minimize vulnerabilities and aid in deterring cybersecurity challenges.
CORE CONCEPT
For the security policy to be consistent, the policy evaluation, that is the actual interpretation of a policy rule, must be the same across the organization.
Figure 2: Cascading consequences of sector disruption (Pederson et al., 2006)
References
Federal Communications Commission. (n.d.). Cyber security planning guide. Department of Homeland Security. https://www.dhs.gov/sites/default/files/publications/FCC%20Cybersecurity%20Planning%20Guide_1.pdf
Pederson, P., Dudenhoeffer, D., Hartley, S., & Permann, M. (2006). Critical infrastructure interdependency modeling: A survey of U.S. and international research [Report No. INL/EXT-06-11464]. http://cip.management.dal.ca/publications/Critical%20Infrastructure%20Interdependency%20Modeling.pdf
Simpson, D., Jensen, V., & Rubing, A. (Eds.). (2017). The city between freedom and security: Contested public spaces in the 21st century. https://ebookcentral.proquest.com
Steidl, J. (n.d.). Weakest link (ID 26138160) [Photograph]. Dreamstime. https://www.dreamstime.com/stock-photo-weakest-link-image26138160
The White House, Office of the Press Secretary. (2013, Feb. 12). Executive order — Improving critical infrastructure cybersecurity [Press Release]. https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
Part I: Create a table explaining and analyzing at least four different types of cyberattacks.
Part II: Read section 2 – ICS Defense-In-Depth Strategies (pp. 2-34) and give a brief synopsis of the article highlighting the importance of cybersecurity policies (no less than 200 words). Please combine both parts of this assignment into a word document and submit. If you need to use more than one page, that is acceptable. Please adhere to APA formatting guidelines.