I had an important article published in Hakin9 On Demand magazine on January 15, 2013. I was inspired to write it because I knew that applying the concepts described in the article would help make cyberspace a little safer. The article explains how using a well-designed security compliance framework can help an organization defend against the perils of cyberattacks and cyberwarfare. As far as I know, no one yet has been bold enough or knowledgeable enough to take the time to write such an article for the general public. Note that I did not receive any academic credit or even any compensation for writing this article.
Article Title: Applying a Security Compliance Framework to Prepare Your Organization for Cyberwarfare and Cyberattacks
Article Link:
Cover Photo Link:
The Simple Truths of this Article
1. Cyberwar is coming or could already be here. All the signs, the news media coverage, and the publicly known actions of the U.S. Government confirm it.
2. If you have an IT infrastructure that is important to your business operations, you need to protect your business from cyberattacks and cyberwarfare.
3. There are many things you can do, and things you cannot legally do if you are in the United States, to protect your business from cyberattacks and cyberwarfare. Restrictions inside the U.S. Code, Title 10, and various other cyber legislation strictly prohibit retaliation or going on the offensive. But you can prepare for and protect yourself from cyberattacks.
4. In any organization, management support is required to understand and allocate the resources needed to defend against cyberattacks.
5. Understanding risk identification, threats, vulnerabilities, and controls, and performing risk assessment and risk management, are essential to becoming an effective protector of IT assets.
6. Because of the complex nature of most IT infrastructures and assets, and how they integrate with an organization's business operations, it is better to use some type of proven framework to assure that all the important aspects of compliance and infrastructure security have been addressed and are being measured.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud
Computing Foundation
Project Manager / Program Manager
CYBR 650 Blog: http://cybr650.blogspot.com
slater@billslater.com
williamslater@gmail.com
Chicago, IL
United States of America