Index

#2-factor authentication, 57, 295, 2969/11/2001. See September 11, 200160-Day Cyberspace Policy Review, 100–101, 130, 259256-bit encryption, 193300A and 300B reports, 170414s (hackers), 61930s IT infrastructure, 1851940s IT infrastructure, 751950s IT infrastructure, 75–76, 185¬1960s cybersecurity issues, 4, 76–77, 951970s cybersecurity issues, 5, 1791980s cybersecurity issues, 4–9, 77–81, 82, 1851990s cybersecurity issues, 9, 81–90, 223–225, 2762000s cybersecurity issues, 9, 89, 90–101, 220, 2762010s cybersecurity issues, 10, 101–104, 221–222, 276

AA circulars. See under OMBAC (actual cost), 152–154, 156, 299–300, 302acceptable levels of risk, 36acceptable quality level (AQL), 145accepting risks, 16, 20, 22, 60–61access codes, 236access points, 233, 258accessibility of systems

corporate systems, 233health care systems, 224mainframe computers, 76network access points, 233, 258physical sites, 236vs. security, 22

account number access, 273accounting, 148–149, 230accounting machines, 185accreditation (IT systems), 171–172accuracy of warnings, 112acquisition program baseline (APB), 142acquisitions and procurement

acquisition documents, 143–148acquisition phase, 143–148Brooks Act, 76–77CIOs and, 83–84compliance, 168–169GSA and, 77

OMB and, 82, 83–84Paperwork Reduction Act, 82supply chain security, 166, 170

active responses to threats, 207–208, 237–238acts of law, 263actual cost (AC), 152–154, 156, 299–300, 302ACWP (actual cost of work performed), 152“adequate security,” 171Administrative Procedure Act (APA), 266advanced notices of proposed rulemaking (ANPR), 260,

266advanced persistent threats (APTs), 203–204, 276, 277Advanced Research Projects Agency (ARPA), 4Advanced Research Projects Agency Network (AR-

PANET), 4, 179African Network Information Centre (AfriNIC), 278agencies

audits, 241budgets, 260civilian. See civilian agenciesclassified/unclassified protective markings, 79compliance standards, 168–169creation of, 266cybersecurity policy role, 69–70Federal Register rules publication, 260FISMA requirements, 97–98, 171impact on projects, 123intelligence. See intelligence agenciesinter-agency cooperation, 87military. See Defense Departmentoperational planning model, 124procurement responsibilities, 83public hearings, 266–267public-private partnerships. See private-public

partnershipsregulations, role in, 265–268regulatory agencies, 265–266supervision of, 74top-down analysis, 50–52

aggravated identity theft, 273agriculture as critical infrastructure, 96“ahead of schedule” variances, 155, 298–299Air Force, 71, 72alerts

as cybersecurity capability, 203, 207

Index (A) 427

as high-level requirement, 136National Cyber Alert System, 94trusted Internet connections example, 139warning systems, 110–113, 122–123, 136, 203, 207

Allen, William T., 217alternative hypotheses (Ha), 39, 49, 291alternative scenarios, 119–120, 138ambiguity in survey design, 288amendments, bills, 262, 263American Recovery and Reinvestment Act, 225, 241American Registry for Internet Numbers (ARIN), 278analyzing threats, 104, 136, 203, 206–207Anil, Suleyman, 101, 283anomalies

corporate detection, 237–238DHS monitoring case study, 162–163network detection, 203, 206simulating, 206–207

anonymity, 279, 281Anonymous, 19ANPR (advance notice of proposed rulemaking), 260,

266Antarctica, 278Anti-Referral Payments Law, 217antivirus software

corporate obligations and, 220informing internal information, 162in internal monitoring, 205McAfee, 115TJX data breach and, 227

as warning system, 207APA (Administrative Procedure Act), 266APB (acquisition program baseline), 142APNIC (Asia-Pacific Network Information Centre), 279appeals and appeals courts, 268APT (advanced persistent threat), 203–204, 276, 277AQL (acceptable quality level), 145ARIN (American Registry for Internet Numbers), 278Army, 71, 72ARPA (Advanced Research Projects Agency), 4ARPANET (Advanced Research Projects Agency Net-

work), 4, 179arraignments, 274Asia, 279Asia-Pacific Network Information Centre (APNIC), 279assembly language, 180–181assessing plans, 120assessing results, 120–121assessing risks. See risk assessmentsassessing threats. See threat assessmentassets

capital, 149, 150, 169–170corporate, 234critical, 31–33, 61FISMA compliance, 170–172GAO labeling system, 31–33identifying, 160–161

assistance as high-level requirement, 136assistant to the president for homeland security and

counterterrorism, 100assumptions

risk determination and, 33in risk management framework, 16, 20, 21spear phishing survey, 42in survey design, 288

asymmetrical warfare, 6“at rest” encryption, 194atomic bombs/nuclear arms, 6, 7atomic energy. See nuclear facilitiesattachments (email), 195, 235attacks and exploits, 195–196

active/passive responses, 207–208, 237–238alerts. See alertsanomalies and, 162–163, 203, 206–207, 237–238BGP, 191–192botnets, 198brute force, 193buffer overflow, 201code injection, 201crashing and recovery, 201data breaches. See data breachesdenial of service, 198, 203, 204, 275DHS monitoring case study, 162–163DNS cache poisoning, 200factors aiding in, 202growth in 2000s, 99history of, 275–276insider threats, 200, 233malware, 195, 196, 271man in the middle, 198–199phishing/spear phishing, 41–46, 197–198private sector breaches, 213private sector plans, 211–212SEC disclosures, 229simulating, 206–207, 234–235threat signature technology, 99–100time before discovery, 281types of, 187unknown vulnerabilities, 201–202warnings. See warning systemszero-day exploits, 201–202

attribution for attacks, 190, 195, 281

audits, 240agencies, 241corporate policies, 239–241financial, 167FTC consent agreements, 226health care systems, 173, 224internal/external, 166–168, 239–241IT, 167, 173monitoring functions and, 204risk assessment, 240Sarbanes-Oxley Act, 230technical, 167types of, 166–168

Australia, 279authentication tokens, 213authority, transnational, 281–282authorization, 133, 134–135, 139automatic alert systems, 112Automatic Data Processing Act (Brooks Act), 76–77, 80,

83availability, threats to, 187avoiding risks, 16, 20, 60, 61awareness campaigns, 207, 224Azerbaijan, 277

BBAC (budget at completion), 157, 300, 301, 302back-ups, off-site, 236backbones, 4, 188backwards engineering (op models), 141badges, 236bail, 274bandwagon fallacy, 249banking and finance systems

criminal information access, 271, 273as critical infrastructure, 86, 87cyber threats, 87Estonian attacks, 101GLB Financial Modernization Act, 222–223Sarbanes-Oxley Act, 168, 230TJX breach losses, 220, 226–227, 272written security plans, 223

baselines, establishing, 160–161, 171BCWP (budgeted cost of work performed), 153BCWS (budgeted cost of work scheduled), 152behavioral detection, 206, 233“behind schedule” status, 163, 298–299best practices, 103, 304BGP (Border Gateway Protocol), 187, 188, 190–192,

198–199biases, 288, 289

big picture, senior managers and, 115, 116bills, legislative, 261–263binary code, 180, 193binary dependent variables, 292BJR (business judgment rule), 219Black Hand, 276black hole servers, 204blackouts, 92“Blueprint for a Secure Cyber Future,” 130, 259boards of directors

business judgment rule, 219duty of care, 215–219liability, 218obligations, 221–222role in company, 214role in cybersecurity, 211–212, 214, 231–232as senior managers, 110

Border Gateway Protocol (BGP), 187, 188, 190–192, 198–199

botnets, 198bottom-up assessments (PWS), 145Bottom-Up Review report (BUR), 130, 259boy genius hackers, 5–6, 27brokerage firms, 228Brooks, Jack, 76Brooks Act, 76–77, 80, 83brute force attacks, 193budget at completion (BAC), 157, 300, 301, 302budgeted cost of work performed (BCWP), 153budgeted cost of work scheduled (BCWS), 152budgets

APBs, 142comparing projects, 157–158, 298–302congressional control, 74CONOPS and, 138as constraints, 21developing, 120, 149–152EVM development of, 149–152EVM indexes, 298–302EVM management, 148manager’s role, 117OMB control, 84over or under status, 156in proposed legislation, 262trade-offs in risk management, 23understanding, 150–152

buffer overflow attacks, 201bulk power systems, 229–230BUR (Bottom-Up Review report), 130, 259Bureau of the Budget. See OMB (Office of Management

and Budget)

Index428

Index (B-C) 429

Bush administrationCNCI founding, 99–101critical infrastructure directives, 95–97E-Government Act, 97–98Executive Orders, 257FISMA act, 97–98Homeland Security history, 90–99HSPDs, 95-97national security instruments, 255presidential power expansion, 129–130Sarbanes-Oxley Act, 168, 230business continuity plans, 238Business Corporation Law of New York State (NY BCL),

216business interruption insurance, 238business judgment rule (BJR), 219businesses. See private sectorbylaws, corporate, 214

CC++, 181CAATs (computer-assisted audit techniques), 167cable companies, 188cache, 184cache poisoning, 200California

data breach laws, 227–228electrical grid attacks, 276

cameras, activating, 102Canada, 278capabilities

capability-based planning, 136–137capability gaps, 133–134, 135, 137, 139CONOPS, 137–140defining for monitoring systems, 159examples, 26–27, 202–208identifying for threat assessment, 25identifying in PWSs, 145mission needs statements, 133–134op models, 141organizational needs, 118–119translating goals into, 114

capability-based planning, 136–137capability gaps, 133–134, 135, 137, 139capacitors, 185capital, 109Capital Asset Plan and Business Case (Exhibit 300),

169–170capital assets, 149, 150, 169–170Caremark International lawsuit, 216–219Caribbean region, 278, 279

catastrophes. See disasters“catastrophic” label (GAO), 31–33causation vs. correlation, 57CD-ROM drives, 182CDs, 185Central Asia, 279Central Intelligence Agency. See CIAcentral processing units (CPUs), 181CEOs (chief executive officers)

business judgment rule, 219cybersecurity role, 211–212, 215, 232duty of care, 215–219liability, 218

certificates (HTTPS), 194certification (IT systems), 171–172“CF Disclosure Guidance: Topic No. 2,” 229CFAA (Computer Fraud and Abuse Act), 8–9, 270–272CFR (Code of Federal Regulations), 172, 268challenge questions, 295, 296changes, identifying

evolution of threats, 105in file data, 195monitoring risks, 62–63, 64risk management framework, 16, 20

charging criminals, 274Charter Pacific Bank, 222charters, corporate, 214Chechnya, 276checklists, going beyond, 66chi square test, 291chief executive officers (CEOs), 211–212, 215–219, 232chief information officers. See CIOs (chief information

officers)Chief Information Officers Council (CIO Council), 84,

256chief information security officers (CISOs), 232chief infrastructure assurance officers (CIAOs), 89child prodigy hackers, 5–6, 27China, 37, 276CIA (Central Intelligence Agency), 72, 73, 77, 90, 91CIAO (Critical Infrastructure Assurance Office), 89,

94–95CIAOs (chief infrastructure assurance officers), 89CICG (Critical Infrastructure Coordination Group), 87CIKR (critical infrastructure and key resources), 97. See

also critical infrastructureCIO Council, 84, 256CIOs (chief information officers), 59

business judgment rule, 219cybersecurity role, 83–84, 211–212, 215, 232duty of care, 215–219

FISMA compliance, 171liability, 218

CISOs (chief information security officers), 232Citigroup, 218–219citizen concerns, military information control, 80civilian agencies

Brooks Act responsibilities, 77capability-based planning, 136–137CONOPS, 137–140cybersecurity role, 69–71, 73DHS as, 95Einstein 3 monitoring, 100EVM accounting and, 148FISMA requirements and, 98mission needs statements, 126–127national cybersecurity threats management, 8op models, 140–142tensions with military, 70, 71, 78–81, 104–105

CIWG (Critical Infrastructure Working Group), 86claims processors, 225classified information

CNCI declassification, 101criminal information access to, 270document markings, 79early cybersecurity policies, 8NSA classified computer systems, 80NSA SBU IT, 81personal computer security, 78

classified technology, 81Clinger-Cohen Act of 1996, 83–84, 126, 168–169Clinton administrationCIO Council, 84cybersecurity and terrorism, 85–90executive orders, 256national security instruments, 74, 86–90, 255, 261Presidential Decision Directives, 74, 86–90, 255, 261Y2K preparations, 89closed-ended questions, 288cloud providers, 202, 219–222CMS (continuous monitoring system), 122–123CNCI (Comprehensive National Cybersecurity Initia-

tive), 111history of, 99–102mission requirements in, 130partial declassification, 101, 257TIC initiative, 258warnings capability, 110

Coast Guard, 71Coast Guard Intelligence, 72COBIT (Control Objectives for Information and Related

Technology), 239–240

code breaking agencies. See NSAcode injection, 201Code of Federal Regulations (CFR), 172, 268coefficient of determination, 292Cold War, 3–4, 76, 78collaboration, as high-level requirement, 136color-coding project status, 165.com domains, 192command and control attacks, 196commenting on proposed rules, 266Commerce Department, 77, 89, 98, 278Committee of Sponsoring Organizations (COSO), 239committees, congressional, 262communication pathways, 185, 240–241. See also net-

workscommunication systems, 85, 87, 96communications, intercepting, 272. See also attacks;

data breachescompanies. See private sectorcompletion dates (POA&M documents), 147–148compliance, 167

audits, 166–168compliance officers, 167corporate employees, 235Exhibit 300, 169–170federal CIOs role, 84federal practices, 168–169FISMA requirements, 170–172HIPAA example, 172–174internal controls, 239–240monitoring risks, 62–63, 64, 204noncompliance consequences, 172operational planning model, 125operational requirements documents, 140post-breach reports, 237risk management framework, 16, 20

“Compliance and Reporting” block, 125compliance officers, 167components (hardware), 181, 182–183Comprehensive National Cybersecurity Initiative. See

CNCIcompromised systems, 195computer-assisted audit techniques (CAATs), 167Computer Fraud and Abuse Act (CFAA), 8–9, 270–272Computer Readiness Team (US-CERT), 94, 122–123,

259computer science, 179–180Computer Security Act of 1987, 79, 80–81computers, 180

attacks and exploits. See attackscryptographic technologies, 193–195

Index430

Index (C) 431

cybersecurity operation capabilities, 202–208federal standards for, 169history of, 179mainframes, 75–76memory, 184–185multiple processors, 182personal computers. See PCsprocessors, 181–182procurement. See acquisitions and procurementprograms, 181–182protected, 272research systems, 4as systems, 182–184vulnerabilities, 200–202

Concept of Operations (CONOPS), 137–140conditional events (probability), 48–49conference committees, 263confidence intervals (statistics), 291confidential information. See classified information;

customer information; personal informationconfidentiality breaches, 187configuration, network, 201, 237Congress

agency creation, 266agency supervision, 74authority, 260Congressional Research Service, 264–265cybersecurity policy role, 69–70federal regulations, 265–268GAO information, 264legislation process, 261–263military/civilian security control policies, 71mission requirements, 127, 128power of the purse, 260proposed bills and law research, 264research sources, 250–251, 264response to NSDD-145, 80–81as senior managers, 110

Congressional Record, 263, 264Congressional Research Service (CRS), 264–265CONOPS (Concept of Operations), 137–140consent agreements, 226, 227consequence assessments, 30–33

in consequence equation, 31DHS monitoring case study, 161–162metrics, 33model corporate cyber program, 232, 234

consequences, 23, 30analyzing threats/vulnerabilities, 33–37assessing. See consequence assessmentsassigning values to, 35–37

in consequence equation, 31corporate governance and, 216direct/indirect, 30identifying, 38illustrated, 38increases in, 33metrics, 33in PRA risk management, 47in risk assessment, 23, 47in risk determination, 36in risk equation, 23in risk management framework, 16, 20

Constitution, 250, 251, 262, 268constraints

in CONOPS, 137–140identifying, 140internal/external, 123in risk management framework, 16, 20, 21–22user-friendly websites and, 58, 59

containing threatsas capability, 203“contain” task in risk management, 15corporate policies, 237risk responses, 61

continuity plans, 238continuous monitoring system (CMS), 122–123contracting officers, 146–147contractors. See vendors/contractorscontracts, 238control activities (businesses), 240control environments (businesses), 240Control Objectives for Information and Related Technol-

ogy (COBIT), 239–240convenience sampling, 289Convention on Cybercrime, 284coordination role (management)

failures of, 123functions, 115–117as high-level requirement, 136managing vs. doing, 113–114

Coreflood virus, 198Corporate Finance Division (SEC), 228corporate governance, 213–215corporations. See private sectorcorrelation vs. causation, 57COSO (Committee of Sponsoring Organizations), 239Cost Performance Index (CPI), 157, 299–300, 301, 302cost variances (CVs), 155–158, 163–164costs

attack simulations, 235in budgets, 150–152

cost variances, 155–157, 163–164data breaches, 9, 220, 221, 229, 236DHS monitoring case study, 160–161District Design case study, 151–154IGCE estimates, 146–147objective and threshold values, 142–143op models, 140–142Sony PlayStation breach, 221TJX data breach, 220worm damage estimates, 9

Council of Europe, 284counterintelligence, 99–102, 281. See also espionage;

intelligence agenciescounterterrorism review of policies, 100–101courses of action, 135. See also plans; strategiesCourt of Appeals, 268courts

international, 282U.S. See judicial branch of government

CPI (Cost Performance Index), 157, 299–300, 301, 302CPU (central processing unit), 181credit and debit cardscriminal information access, 273

liability for breaches, 219–222personal information sales, 222prosecutions for breaches, 272Sony PlayStation Network breach, 221–222TJX data breach, 220, 226–227, 272

credit reporting agencies, 228criminal acts. See also attacks; data breaches

Computer Fraud and Abuse Act, 270–272Federal crimes, 269–270federal prosecution process, 273–275identity theft, 219, 270, 271, 273international issues, 282Wiretap Act, 272

criminals. See hackers; nation-state hackers; organized crime groups

crisis management, DHS role in, 95critical assets

consequence assessments, 31GAO labeling system, 31–33removing, 61

“Critical Foundations: Protecting America’s Infrastruc-tures,” 86–87

Critical Infrastructure Assurance Office (CIAO), 89, 94–95

critical infrastructure components, 85. See also critical infrastructure protection

agriculture, 96banking and finance systems, 86, 87

blackouts, 92CIKR (critical infrastructure and key resources), 97communication systems, 85, 87, 96electrical grid, 85, 87emergency services, 87Energy Department management, 96food systems, 96identifying critical infrastructure, 95–97Internet, 275in policy formation, 74power plants, 229–230private sector ownership, 85sectors of, 96transportation systems, 85, 87, 96water systems, 87, 96Y2K preparations, 89

Critical Infrastructure Coordination Group (CICG), 87“Critical Infrastructure Identification, Prioritization, and

Protection,” 95–97critical infrastructure protection. See also critical infra-

structure componentsboard of directors role, 231–232CIWG review, 86corporate policies, 235Critical Infrastructure Assurance Office, 89Critical Infrastructure Protection Board, 92–93, 257Critical Infrastructure Working Group, 86Cybersecurity Act of 2012, 103DHS responsibilities, 18, 90–91, 93–95, 96, 97, 104executive orders. See EOsNational Coordinator for Security, Infrastructure

Protection and Counter-Terrorism, 88 National Infrastructure Advisory Council, 93National Infrastructure Assurance Council, 87National Infrastructure Protection Center, 89–90,

94–95, 261National Infrastructure Protection Council, 93–94National Infrastructure Protection Plan, 18, 87, 94,

96, 97, 104National Policy for Infrastructure Protection, 87NSC (National Security Council), 87, 93Office of Infrastructure Protection, 94, 131Office of National Infrastructure Assurance, 87national security instruments. See national security

instruments policies, 74, 87–90President’s Commission on Critical Infrastructure

Protection, 86–87, 255, 256private sector ownership, 85, 105public-private partnerships, 70, 85, 87–88, 105sentencing and, 275

Index432

Index (C-D) 433

Y2K preparations, 89Critical Infrastructure Protection Board, 92–93, 257Critical Infrastructure Working Group (CIWG), 86“critical” label (GAO), 31–33criticality, defined, 31CRS (Congressional Research Service), 264–265cryptographic technologies, 193–195cryptological agencies. See NSACS&C (Office of Cybersecurity and Communications),

94, 122, 131customer information

banks selling, 222business’s duty towards, 212–213criminal access to, 271, 273FTC and, 225–228leak example, 55–60Sony PlayStation Network, 221–222statistical models for risk, 292–296TJX data breach, 220, 226–227, 272

CVs (cost variances), 155–158, 163–164Cyber Defense Policy (NATO), 283cyber intrusions, defined, 195“Cyber Security Incident Reporting and Response Plan-

ning,” 230cyber security incident response plans, 230cyber warfare

Estonia, 101history of, 275–276Olympic Games program, 102UN and, 283

cybersecurity. See also computer science; federal government; legislation; policies; private sector; research; risk management

capabilities, 202–208facets of, 11–13global issues in, 275–284history of issues, 3–10model corporate framework, 231–238risks in cyberspace, 15–17

Cybersecurity Act of 2012, 102–103cybersecurity coordinator (White House), 101, 103, 259cybersecurity insurance, 61–62cybersecurity management framework

best practices, 125capability-based planning, 136–137civilian agencies, 136–142congressional/presidential input, 128–131CONOPS and op Models, 137–142DHS framework, 125–126high-level requirements, 132–136mission needs statements, 126–127, 132–136

objective values, 142–143sector differences, 127

cybersecurity managers. See program/project managerscybersecurity operation capabilities, 202–208Cyberspace Policy Review, 100–101, 130, 259cyclical nature of management, 121

Ddamages

attacks, 196business data breaches, 212examples, 26–27identifying in threat assessment, 25lethality, 25, 26–27mitigating, 237model corporate cyber program, 232risk tolerances, 22

data, 180analyzing traffic, 206–207backing up, 236business transactions, 212–213cryptographic technologies, 193–195encryption, 235–236monitoring, 203–205packet analyzers, 204removal/exfiltration, 196

data breachesbusiness implications, 212–213costs of, 9, 220, 221, 229, 236Federal Trade Commission and, 225–228HIPAA, 223–225international issues, 282liability for, 219–222notifications, 236–237sentencing penalties, 275Sony PlayStation Network, 221–222TJX case study, 220, 226–227, 272types of violations, 187

databases, 212–213DCA (Defense Communications Agency), 4DDoS attacks (distributed denial-of-service), 10, 198DEA (Drug Enforcement Administration), 72deadlines, project, 135debit cards. See credit and debit cardsdecision-making process, 117–121declassification of CNCI, 101decryption, 193defense, as high-level requirement, 136Defense Communications Agency (DCA), 4Defense Department

agencies and commands, 71–73

ARPANET, 4CNCI directives, 99computer procurement, 77FISMA and, 98on Homeland Security Council, 91ISAC participation, 90managing national cybersecurity threats, 8planning, programming, budgeting and execution,

127WBS budgeting, 150

Defense Information Systems Agency, 4Defense Intelligence Agency (DIA), 72Delaware Court of Chancery, 217, 219Denial of Service (DoS) attacks, 198, 203, 204, 275departments of government. See names of specific de-

partments (Defense Department, DHS, EPA, etc.)dependent variables (modeling), 56, 292, 293, 294dependent variables (research), 247descriptive research, 248detailed technical guidance, 304detection, as high-level requirement, 136DHS (Department of Homeland Security)

agencies collected under, 93–95, 131capability-based planning, 136–137Critical Infrastructure Protection Board, 93cybersecurity agencies in, 94cybersecurity management framework, 125–126cybersecurity policies, 97cybersecurity reports, 130–131DHS Risk Lexicon. See DHS Risk LexiconEVM systems, 148, 158–164expanded scope of government and, 129FISMA and, 102–103, 258founding of, 90–91guidance statements, 130infrastructure protection, 93, 104military and intelligence agencies, 71–73mission needs statements, 130–131, 133monitoring system case study, 158–164National Infrastructure Protection Plan, 18, 96, 97“National Strategy to Secure Cyberspace,” 95National Vulnerability Database, 201program managers, 127Strategic Plan, 259structure of, 131TIC mandate, 258warning systems challenges, 112

DHS Risk Lexiconconsequences, 30game theory, 56likelihood, 37risk assessment, 23

risk transfer, 61threat shifting, 28threats, 25vulnerabilities/vulnerability assessments, 29

DIA (Defense Intelligence Agency), 71Digital Equipment Corporation, 5digital signatures (domains), 192direct consequences, defined, 30direct relationships (logit models), 56directives

defined, 304presidential. See presidential directives

disasters“catastrophic” label, 31–33risk management models and, 17threats resulting from, 233as unintentional threats, 26

disclosures, 228–229, 237disjoint events (exclusive events), 48–49disseminating information, as capability, 159distributed denial-of-service attacks (DDoS), 10, 198distribution attacks, 196district courts, 268District Design case study

budgeting, 149–154cost variances, 156–157EVM indexes, 298–302introduction, 149schedule variances, 155, 158

division (voting), 263DNS cache poisoning, 200DNS (Domain Name System), 188, 192, 277, 278DNSSEC (Domain Name System Security Extensions),

192document classification, 79“doing,” vs. managing, 113–114domain name registries, 192Domain Name System (DNS), 188, 192, 277, 278Domain Name System Security Extensions (DNSSEC),

192DoS (denial of service), 198, 203, 204, 275downloading files, 235drones, 276Drug Enforcement Administration, 72duty of care, 215–222, 238DVDs, 185

EE-Government Act of 2002, 97, 171EA (enterprise architecture), 169EAC (estimate at completion), 157, 301–302Earned Value. See EV (earned value)

Index434

Index (E) 435

earned value management. See EVM (earned value management)

ecological fallacy, 249economic incentives, 87, 103, 145EDGAR (Electronic Data Gathering, Analysis, and Re-

trieval), 229.edu domains, 192educating users. See trainingeffective dates (regulations), 267effectiveness

monitoring risks, 62–63, 64risk management framework, 16, 20warning systems, 112

Einstein 3 program, 99–100, 101Eisenhower administration, 3–4electrical grid

California attacks, 276as critical infrastructure, 85, 87damage and consequences, 32Northeast Blackout, 2003, 92power plants, 229–230

Electricity Sector Information Sharing and Analysis Center (ES ISAC), 230

Electronic Communications Privacy Act, 270, 272Electronic Data Gathering, Analysis, and Retrieval (ED-

GAR), 229electronic voting systems, 263email

attachments, 195, 235corporate policies, 235phishing attacks, 41–46, 197–198testing vulnerability to, 41–46threats to, 87as vulnerability, 200

EMC Corporation, 212–213emergency corporate policies, 237emergency services, 87, 224Emerging Security Challenges Division (NATO), 283employees, 200, 233, 235. See also usersencryption

corporate data, 220, 235–236methods, 193–194NSA responsibilities, 73Sony PlayStation breach, 221TJX data breach, 227websites, 194

Energy Department, 72, 87, 96energy systems, 87, 96, 229–230. See also electrical gridenforcement of law and regulations, 269Enron, 168, 230enterprise architecture (EA), 169enterprise risk management (ERM), 239

“Enterprise Risk Management-Integrated Framework,” 239

enterprise servers, 185Environmental Protection Agency (EPA), 47EOP (Executive Office of the President)

information management functions, 82National Security Council, 253OMB role, 253–254OSTP technical advice, 254, 259research sources, 254

executive orders, 256–258Federal Register, 259OMB memoranda, 258–259OSTP memoranda, 259national security instruments, 255White House strategy/guidance, 259

structure of, 252–253EOs (executive orders), 256–257, 304

as authorization, 134Bush post-9/11 orders, 90–93, 257Clinton’s infrastructure protection, 86–87, 256EO 13010 (PCCIP), 256EO 13011 (CIO Council), 256EO 13228 (Homeland Security), 90–91, 257EO 13231 (Cyberspace Security), 92–93, 257EO 13636 (Critical Infrastructure), 104, 256 Federal Register listing, 260functions of, 74, 256–257mission requirements and, 127–130

EPA (Environmental Protection Agency), 47epistemology, 247equations

consequence equation, 31Cost Performance Index, 299–300cost variances, 155–157estimate at completion, 157, 301–302estimate to complete, 300, 301logistic regression equation, 294, 295logit model, 292risk equation, 23–25, 34–35Schedule Performance Index, 299schedule variances, 154–155total risk equation, 35variance percentages, 157–158

ERM (enterprise risk management), 239errors

of omission, 26survey design, 288–290

ES ISAC (Electricity Sector Information Sharing and Analysis Center), 230

espionageattribution, 281

corporate, 233early network threats, 4, 5Flame worm, 102, 276monitoring for, 204in threat spectrum, 28

estimate at completion (EAC), 157, 301–302estimate to complete (ETC), 157, 300, 301, 302Estonia, 101, 275, 276, 283ETC (estimate to complete), 157, 300, 301, 302ethical hackers, 208Europe, 279, 283, 284European Network and Information Agency, 37EV (earned value)

cost variances, 156CPI equations, 299–300District Design case study, 152–154EAC equations, 302ETC equations, 300, 301as percentages, 157–158schedule variances, 154–155SPI equations, 298–299

evaluation criteria (RFPs), 146–147event tree analysis, 49–52events in probability analysis, 48–52evidence, 281EVM (earned value management), 148–149

budgets, 149–152comparing projects, 157–158DHS monitoring system case study, 158–164forecasting, 300–302indexes, 298–302primary metric breakdown, 153–154red, yellow, and green status, 165tracking projects (variances), 154–157variances as percentages, 157–158work breakdown structure, 146, 148, 160

EVM forecasting, 300–302EVM indexes, 298–302EVM primary metric breakdown, 153–154exclusive events (probability), 48–49executive branch of government, 251–252. See also

presidentscybersecurity coordinator, 101Executive Office of the President, 82, 252–260Federal Register, 260federal regulations, 265–268mission requirements, 127, 128–131policy documents, 254

executive orders, 256–258OMB memoranda, 258–259OSTP memoranda, 259

national security instruments, 255White House strategy and guidance, 259

research sources, 250–251role in cybersecurity law, 69–70structure, 252–253

National Security Council, 253Office of Science and Technology Policy, 254OMB, 253–254

Executive Office memoranda, 128Executive Office of the President, 82, 252–260executive orders. See EOs (executive orders)exfiltration, 196Exhibit 300 reports, 169–170experimental research, 247experts, RFIs and, 143–144explanatory research, 248exploits. See attacks and exploitsexploratory research, 248Explorer 1, 3external audits, 166–168, 240external constraints, 123external information gathering, 162external project information, 119external risks, 240external threats, 28extortion, 272extrapolation in research, 40

FF-test, 291Facebook phishing attacks, 197failed projects, 122–123false flagging operations, 281false positives, 206FASA V (Federal Acquisition Streamlining Act), 169fault tree analysis, 50–52, 53, 54favorable variances, 155, 156, 158, 298, 299–300FBI (Federal Bureau of Investigation), 72, 90, 91FDA (Food and Drug Administration), 265–266FedCIRC (Federal Computer Incident Response Center),

94–95Federal Acquisition Streamlining Act (FASA V), 169Federal Bureau of Investigation, 72, 90, 91Federal Computer Incident Response Center (FedCIRC),

94–95federal courts. See judicial branch of governmentFederal Emergency Management Agency (FEMA), 93Federal Energy Regulatory Commission (FERC), 230federal government

agencies. See names of specific agencies (CIA, FBI, etc.)

Index436

Index (F-G) 437

Cold War and technology development, 3–4compliance, 168–169criminal computer access penalties, 271cyber attack capabilities, 37cybersecurity research documents. See research

sourcesdepartments. See names of specific departments

(Defense Department, DHS, etc.)early hackers’ threats, 5–6executive branch. See executive branch of govern-

mentexpanded scope of, 129growth and information needs, 75judiciary. See judicial branch of governmentas largest U.S. information agency, 81–82legislation, history of. See legislationlegislative branch. See Congressmanagerial roles, 110military, intelligence, and civilian agencies, 69–73personal computer security, 77–81policies. See policies (Federal)regulations. See regulationstensions related to cybersecurity, 70, 71, 78–81,

104–105Federal Information Security Management Act. See

FISMAfederal legal system. See judicial branch of governmentFederal Network Resilience division (FNR), 94Federal Register, 260, 266federal regulations. See regulationsFederal Sentencing Guidelines, 274–275Federal Trade Commission Act (FTCA), 226Federal Trade Commission (FTC), 225–228FEMA (Federal Emergency Management Agency), 93FERC (Federal Energy Regulatory Commission), 230final events (probability analysis), 51final rules (regulations), 260, 267final total costs, 300–302finance systems. See banking and finance systemsfinancial audits, 167Financial Privacy Rule, 223“FIPS 200 Minimum Security Requirements for Federal

Information and Information Systems,” 174fire hazards, 236firewalls, 30

corporate networks, 220DHS monitoring case study, 162internal monitoring, 205phishing attacks and, 198role in cybersecurity, 204TJX data breach, 227

as vulnerabilities, 30FISMA (Federal Information Security Management Act)

as authorization, 134compliance and reporting, 170–172establishment of, 258focus on government resources, 97–98OMB’s oversight, 102–103, 129requirements, 169scope of, 129

Flame worm, 102, 276flood hazards, 236floor debates, 263FNR (Federal Network Resilience division), 94focus groups in research, 40FOIA (Freedom of Information Act), 79Food and Drug Administration (FDA), 265–266food systems, 96forecasting (EVM), 300–302foreign hackers. See nation-state hackersforeign relations, 270. See also global cybersecurity

issuesformulas. See equationsforward selection (modeling), 294frameworks, 125. See also cybersecurity management

framework; risk management frameworksframing risks, 19

assumptions, 19, 21constraints, 19, 21–22illustrated, 16priorities, 19, 23risk management and, 20risk management framework, 16, 17, 18, 19–23risk tolerance, 19, 22trade-offs, 19, 23

France’s cyber defenses, 37fraud, 271fraud scrubs, 222freedom issues, 282Freedom of Information Act (FOIA), 79FTC consent agreements, 226FTC (Federal Trade Commission), 225–228FTCA (Federal Trade Commission Act), 226FTE (full-time equivalent), 160, 161functions (line and staff), 115–117“Funding Information Systems Investments,” 83funds. See budgets; resources

Ggame theory, 55, 56GAO (Government Accountability Office), 33

asset criticality labeling system, 31–33

capability definitions, 203functions, 264internal monitoring tools, 205proposed federal regulations, 267US-CERT failure, 122–123warning notification, 111

gap analysis, 133–134, 135, 137, 139GB (gigahertz), 182General Accounting Office. See GAOgeneral counsel (corporate), 211–212General Services Administration. See GSAgenetic fallacy, 249Georgia, 277German cyber defenses, 37gigahertz (GB), 182GLB Financial Modernization Act, 222–223global cybersecurity issues, 275–277

attribution problems, 281Council of Europe, 284foreign relations, 270IETF, 192, 278–279, 280Internet coordination, 277–279lack of transnational authority, 281–282NATO and, 283–284United Nations efforts, 283

globalized supply chains, 166, 170goals

CONOPS, 138establishing, 118–119failure to establish, 123missions, 114operational planning model, 124reviewing plans against, 120–121

Gonzalez, Albert, 272“good faith efforts,” 217–218“goodness of fit,” 292Google, 190, 198, 276.gov domains, 192Government Accountability Office. See GAOGPS tracking devices, 269Gramm-Leach-Bliley Financial Modernization Act (GLB),

222–223grand juries, 273graphical user interface (GUI), 182Great Worm (Morris), 8–9, 270green project status, 165GSA (General Services Administration)

Brooks Act procurement, 77functions of, 73procurement role, 83project management/acquisition phase, 143

responses to RFPs, 147–148tensions over control, 78–80

GUI (graphical user interface), 182guidance, defined, 304guidance statements (DHS), 130–131“Guide for the Security Certification and Accreditation

of Federal Information Systems” (NIST SP 800-37), 172

guilty pleas, 274

HHa (alternative hypotheses), 39, 49, 291hackers

attribution, 190, 195, 281boy genius, 5–6, 27Computer Fraud and Abuse Act, 270–272criminal prosecution, 270–272ethical hackers, 208federal crimes, 269–270federal prosecution process, 273–275history of, 3–10, 275–276identity theft, 219, 270, 271, 273international issues, 281–282monitoring for, 204nation-state. See nation-state hackersorganized crime. See organized crime groupspersonal information breaches, 219–222prosecution of, 6, 9, 268–275strength of, 57, 295, 296in threat spectrum, 28types of attacks, 187Wiretap Act, 272

hard drives, 182, 185hardware, 181

insecurity of, 202IT systems, 185physical security, 236procurement. See acquisitions and procurementsecuring, 220

harms. See damageshashing, 194–195Health and Human Services Department, 172, 225, 241Health Information Technology for Economic and Clini-

cal Health Act (HITECH), 225, 241health insurance companies, 225Health Insurance Portability and Accountability Act

(HIPAA), 172–174, 223–225, 241healthcare fraud, 217healthcare provider security, 223–225healthcare records, 172–174, 219–222, 223–225Heartland Payment Systems, 272

Index438

Index (H-I) 439

high-level directives, 127, 128–131, 132–136high-level requirements (HLRs), 132–137higher courts, 268higher-order languages, 181HIPAA (Health Insurance Portability and Accountability

Act), 172–174, 223–225, 241HITECH (Health Information Technology for Economic

and Clinical Health Act), 225, 241HLRs (high-level requirements), 132–137Ho (null hypotheses), 39, 49, 290, 291“holes,” patching, 195Homeland Security. See DHSHomeland Security Act of 2002, 93–95, 129, 134, 261Homeland Security Council, 91Homeland Security Presidential Directives. See HSPDshoneypots, 207, 237“the hopper,” 261hops, 190hosts, 185House of Representatives, 261–263. See also CongressHRA (human reliability analysis), 53HSA (Homeland Security Act of 2002), 93–95, 129, 134,

261HSPDs (Homeland Security Presidential Directives)

Bush administration, 255HSPD-7 (Homeland Security Presidential Directive

7), 7, 95–97, 104, 129, 257HSPD-23 (Homeland Security Policy Directive 23),

99–102, 257HTTP protocol, 194HTTPS protocol, 194“Human Capital” block, 125human error, 41–46, 53, 200, 233human reliability analysis (HRA), 53human rights groups, 279hypotheses

creating, 248, 249cybersecurity research, 246designing, 39examples, 39null and alternative, 39, 49, 290, 291quantitative testing, 49

IIANA (Internet Assigned Numbers Authority), 277IBM personal computers, 4–5ICANN (Internet Corporation for Assigned Names and

Numbers), 192, 277–278, 279ICT (information and communications technology), 166ideal levels of risk, 36identifying

attackers (attribution), 190, 195, 281critical infrastructure, 95–97threats, 205–208

identity theft, 219, 270, 271, 273Identity Theft Penalty Enhancement Act, 270, 273IDS (intrusion detection system), 30

corporate implementation, 237–238DHS monitoring case study, 162internal monitoring, 205role in cybersecurity operations, 204signatures and, 206vulnerabilities, 30warning systems, 111, 207

IETF (Internet Engineering Task Force), 192, 278–279, 280

IGCE (independent government cost estimate), 146–147

ignoring attacks, 207IGs (inspectors general), 171illegal wiretaps, 272IMP (integrated master plan), 148, 149, 168impact, 31

identifying for projects, 123identifying in CONOPS, 140identifying in MNS, 136

“improbable” events, 15–16IMS (integrated master schedule), 148, 149, 168in-house monitoring, 204–205“in motion” encryption, 194, 198“in the wild” vulnerabilities, 201–202incentives, 87, 103, 145incorporation, 214independent events (probability), 48–49independent government cost estimate (IGCE), 146–

147independent variables (modeling), 56, 292, 293, 294independent variables (research), 247indicators (variables), 47, 53indictments, 273indirect consequences, 30indirect relationships (logit models), 56industrial espionage, 28. See also espionageindustries. See private sectorinferior courts, 268information and communications technology (ICT), 166information assurance, 72information auditing, 240–241information resources

CIWG review, 86cybersecurity and, 70, 71data. See data

government’s growth in, 81–82internal and external, 119researching. See research methods; research sourc-

esinformation security, 97, 166, 170–172information sharing, 89–90, 103, 223, 230Information Sharing and Analysis Center (ISAC), 89–90,

230information sharing policies, 223Information Systems Audit and Control Association

(ISACA), 240information technology. See IT systemsinformation technology audits, 167Information Technology Management Reform Act

(Clinger-Cohen), 83–84, 126, 168–169information warriors, 28infrastructure. See critical infrastructureinitiating events (probability analysis), 50Initiative #3 (CNCI), 99insider threats, 200, 233inspectors general (IGs), 171insurance, 61–62, 238integrated master plan (IMP), 148, 149, 168integrated master schedule (IMS), 148, 149, 168integrity of data, 187intelligence agencies

CNCI directives, 99–102FISMA requirements and, 98ISAC participation, 90military and civilian, 71–73monitoring civilian networks, 100

intention (threat assessment), 25–26“Inter-Intra-Agency Requirements” block, 124intercepting communications, 272interdependencies (IMS), 148interim final rules, 267internal audits, 166–168, 239–241, 240internal constraints, 123“Internal Control-Integrated Framework,” 239internal controls, 230, 239–241internal information gathering, 162internal monitoring, 204–205internal project information, 119internal risks, 240internal systems (corporate), 218internal threats, 28international issues. See global cybersecurity issuesInternational Strategy for Cyberspace, 259Internet

attacks and exploits, 195–202BGP connections, 190–192

dependency, 275diagrammed, 186DNS system, 192encryption methods, 193–195global management of, 275growth of, 186–187history of, 179, 185–187IANA/ICANN/IETF, 277–280insecurity of, 202operations of, 188–189origins of, 4protocols, 189–190structure of, 187–188

Internet Assigned Numbers Authority (IANA), 277Internet Corporation for Assigned Names and Num-

bers (ICANN), 192, 277–278, 279Internet Engineering Task Force (IETF), 192, 278–279,

280Internet Protocol. See IPv4; IPv6; TCP/IPInternet Protocol Security (IPSec), 279Internet service providers (ISPs), 188, 202, 204interstate commerce crimes, 271interviews, 40, 288“An Introductory Resource Guide for Implementing

the HIPAA Security Rule” (NIST 800-66), 174intrusion detection systems. See IDS (intrusion detec-

tion system)intrusion prevention systems. See IPS (intrusion pre-

vention system)investment

duty of care, 215–219justifying, 133, 135–136SEC disclosures and, 229

investment advisors, 228IP addresses, 189–190

BGP functions, 190–192DDoS attacks, 198DNS and, 192, 278DNS cache poisoning, 200faking, 191–192global Internet management, 277–279human-readable, 192translating, 188vulnerabilities, 190

IP (Internet Protocol)(TCP/IP), 187, 188, 189IP (Office of Infrastructure Protection), 94, 131IPS (intrusion prevention system)

cybersecurity operations role, 204Einstein 3, 99–100internal monitoring, 205signatures and, 206

Index440

Index (I-L) 441

as warning system, 207IPSec (Internet Protocol Security), 279IPv4 (Internet Protocol version 4), 189, 279IPv6 (Internet Protocol version 6), 189, 279Iran

offensive cyber capabilities, 37DDoS attacks, 10, 198drones, 276Flame virus, 102, 276Stuxnet virus, 10, 102, 275–276

ISAC (Information Sharing and Analysis Center), 89–90, 230

ISACA (Information Systems Audit and Control Associa-tion), 240

ISPs (Internet service providers), 188, 202, 204Israel, 10, 37, 102, 276“IT Capital Asset Summary,” 170IT systems, 18

audits, 167, 173best practices, 126Clinger-Cohen Act, 126communication pathways, 185corporate assessments, 233corporate governance and, 216costs, 160Exhibit 300 reports, 169–170hardware in, 185health care providers, 224internal controls, 239–240procurement, 83repairing, 237software in, 185Sony PlayStation breach, 221standards for, 169systems in, 185vulnerabilities, 30

JJava, 181judicial branch of government, 268–270

CFAA rulings, 270–272cybersecurity role, 250–251, 269–270federal criminal process, 273–275federal regulations and, 267–268identity theft rulings, 273Justice Department, 72, 90structure of, 268–269Wiretap Act rulings, 272

judicial precedent, 269jurisdiction, 269–270, 281–282Justice Department, 72, 90

justification section (MNS), 134, 135–136

KKennedy administration, 95keyboards, 181keys (encryption), 193, 271kiddy hackers, 5–6, 27known exploit signatures, 206known vulnerabilities, 201Kosovo, 276

LL-3 security breach, 213labor, 109, 125, 146LACNIC (Latin America and Caribbean Network Infor-

mation Centre), 279LANs (local area networks), 188laptops, 182, 183Latin America and Caribbean Network Information

Centre (LACNIC), 279law enforcement agencies, 89–90, 202, 236–237, 281laws, 69. See also legislationlawsuits, 216–219, 220, 221–222leading questions (surveys), 288legal system. See judicial branch of governmentlegislation, 304. See also specific acts of law (Brooks Act,

Computer Security Act, etc.)CIWG review, 86compliance, 167congressional process, 261–263Congress’s mandates, 251, 260crafting, 74cybersecurity and, 69–70, 261federal regulations and, 265–268government agencies/branches, 70–74history of cyber law

origins (1945-1984), 74–77control conflict (1984-1995), 77–81cyber developments (1995-2001), 81–90Homeland Security (2001-2008), 90–98CNCI/cyber warfare (2008-present), 99–102recent developments, 102–104

impact on projects, 123law, defined, 69mission requirements and, 127, 128passing bills into law, 261–263private sector regulations, 222–230protecting personal information, 212state laws, 227–228

legislative branch of government. See Congresslethality, 25, 26–27

leveraging technologies, 159liabilities

data breaches, 219–222duty of care, 217–218

Library of Congress, 264–265Lieberman, Joseph, 102–103lifetimes (programs), 133, 135, 136likelihood, 37, 38, 59. See also probabilityline functions, 116linear regression models, 292local area networks (LANs), 188local threats, 233Lockheed Martin, 213logging attacks, 207logic decision processes, 55logical fallacies, 249logistic regression equation for probabilities, 294, 295logistic regression (logit), 56–57logit models, 56–57, 292–293logs, 236Los Alamos National Laboratory, 6lower-order programming languages, 180–181Lulz Security (LulzSec), 19

MM memoranda. See OMBmachine code, 180–181magnetic badges, 236magnitude of risk, 37, 47mainframe computers, 75–76, 185malware, 195, 196, 271man in the middle attacks, 198–199“manage” task (risk management), 15management and acquisition phase (Op Model),

143–148“Management of Information Resources,” 83managers, 113. See also program/project managers;

senior managerscompliance and reporting, 166–174constraints, 123–124coordinating functions, 115–117corporations, 214–215cybersecurity framework. See cybersecurity man-

agement frameworkin cybersecurity operations, 202cyclical nature of management, 121decision-making processes, 117–121earned value management, 148–165functions of, 109–110goals/missions and, 114–115management and acquisition, 143–148managing vs. doing, 113–114

measurable outcomes, 117operational planning model, 124–125strategies and plans, 114–115types of, 109–110US-CERT failure case study, 122–125

managing risks. See risk management“marginal” label (GAO), 31–33Marine Corps, 71Marine Corps Intelligence, 72mark-up sessions, 262material costs, 146“material information” disclosures, 229mathematical risks, 53–55MB (megahertz), 182McAfee Inc., 114, 115McVeigh, Timothy, 85MD5 (message digest hash), 194–195“Measurement” block, 125measurements. See metrics and measurementsmedical records, 172–174, 219–225. See also HIPAAMedicare and Medicaid fraud, 217megahertz (MB), 182memory, 182, 184–185message digest hash (MD5), 194–195metrics and measurements

DHS monitoring case study, 163establishing, 118–119, 123EVM accounting, 148EVM measurements, 151–154failure to establish, 123FISMA requirements, 171identifying in MNS, 135metrics, defined, 117op models, 140–142operational planning models, 125plan outcomes, 117in PWSs, 145qualitative research, 40red, yellow, and green status, 165reviewing plans against, 120–121risk research questions, 39WBS tasks, 150

microphone activation, 102Middle East, 279milestones

DHS monitoring case study, 160identifying, 135IMS depiction, 148operational requirements documents, 140POA&M documents, 147–148

military. See also Defense Departmentagencies and commands, 71–73

Index442

Index (M-N) 443

CNCI directives, 99FISMA requirements and, 98role in cybersecurity, 69–71tensions over control, 70, 71, 78–81, 104–105

minicomputers, 185minimum operational values, 142misconfiguration, 201mission needs statement. See MNSmissions, 109

driving projects, 123operational planning model, 124–125strategies and plans, 114, 115

mistakes of logic, 249mitigating damages, 237mitigating risks

federal CIOs role, 84as high-level requirement, 136risk levels and, 36in risk management framework, 16, 20risk responses, 60, 61

Mitnick, Kevin, 5–6MNS (mission needs statement)

authorization section, 134–135capabilities in, 133–134capability gaps, 133–134courses of action, 135developing, 126–127high-level input sources, 131, 132–136high-level requirements, 132–137justification section, 134, 135–136lifetimes, 135outcomes, 135translating into capabilities, 132–133

model corporate cybersecurity program, 231board of directors, 231–232business continuity plans, 238CEO and CIO roles, 232education and training, 235encryption, 235–236intrusion detection systems, 237–238penetration testing, 234–235physical security, 236response program, 236–237risk assessment, 232–234vendor management, 238written plans, 234

monitoring internal controls, 241monitoring risks

Citigroup lawsuit, 218–219compliance, 62–63, 64corporate implementation, 237–238corporate responsibilities, 218

cybersecurity operations, 203–205DHS case study, 158–164effectiveness, 62–63, 64as high-level requirement, 136identifying changes in environment, 62–63, 64internal monitoring, 204–205obligations, 221–222policy monitoring, 205–206risk management framework, 16, 17, 18, 20tool list, 205

Monte Carlo analysis, 53–55Morris, Robert Tappan, 8–9, 270Morris worm, 8–9, 270mortgage crisis, 218–219motherboards, 181, 182multi-core processors, 182multiple-choice questions, 288–289, 290multiple processors, 182multivariate statistical analysis, 53–55, 58–60mutually-exclusive events (probability), 48–49

NNASA (National Aeronautics and Space Administration),

47Natanz nuclear facility, 10nation-state hackers

early cyber spying, 6international cyber defense capabilities, 37international law enforcement, 281–282levels of risk and, 35monitoring for, 204threat assessments, 27

National Aeronautics and Space Administration (NASA), 47

National Bureau of Standards. See NISTNational Communications System, 94, 95national coordinator for security, infrastructure protec-

tion and counter-terrorism, 88National Cyber Security Center, 130National Cyber Security Division (NCSD), 122National Cybersecurity and Communications Integra-

tion Center (NCCIC), 94, 122National Cybersecurity Council, 103National Geospatial Intelligence Agency, 72National Infrastructure Advisory Council, 93National Infrastructure Assurance Council, 87National Infrastructure Protection Council (NIPC),

89–90, 94–95, 261National Infrastructure Protection Plan (NIPP), 18, 87,

94, 96, 97, 104National Institute for Standards and Technology. See

NIST

national intelligence workers, 28National Nuclear Security Agency (NNSA), 41–46National Policy for Infrastructure Protection, 87National Policy on Telecommunications and Automat-

ed Information Systems Security (NSDD-145), 7–8, 78–80

National Protection and Programs Directorate (NPPD), 94, 122, 131

National Reconnaissance Office, 72National Science Foundation, 4National Science Foundation Network (NSFNET), 4national security

board of directors role in, 231–232civilian vs. military cybersecurity control, 70, 71criminal information access, 270personal computers and, 5procurement function and, 77sentencing and, 275threat spectrum, 28

National Security Act, 253National Security Agency. See NSANational Security Council (NSC), 74, 87, 93, 253National Security Decision Directives (NSDDs), 7–8,

78–80national security instruments, 74, 255

as authorization, 134 National Security Policy Directives. See NSPDs“National Strategy to Secure Cyberspace,” 95National Vulnerability Database (NVD), 201NATO Computer Incident Response Capability (NCIRC),

283–284NATO (North Atlantic Treaty Organization), 101, 276,

283–284Navy

attacks on, 276Office of Naval Intelligence, 71, 72

NCCIC (National Cybersecurity and Communications Integration Center), 94, 122

NCIRC (NATO Computer Incident Response Capability), 283–284

NCSD (National Cyber Security Division), 122negative relationships (logit models), 56“negligible” label (GAO), 31–33NERC (North American Electric Reliability Corporation),

229–230NERC Standard CIP-008-4, 230Netherlands’ cyber defenses, 37network cards, 182networks

altering configuration during attacks, 207, 237anomalies, 162–163, 203, 206–207, 237–238

BGP connections, 190–192civilian network monitoring, 100CNCI protections, 99–102continuous monitoring systems, 122–123cybersecurity operation capabilities, 202–208denial of service attacks, 198, 203, 204, 275early policy decisions, 7–8firewalls. See firewallsFISMA protection, 97honeypots, 207, 237ISP access to, 188liability for data breaches, 219–222monitoring case study, 158–164types of, 188vulnerabilities, 200–202zombie networks, 198

Network Security Deployment division (NSD), 94New Deal agencies, 75New York state law, 216New Zealand, 279Nichols, Terry, 85NIPC (National Infrastructure Protection Center),

89–90, 94–95, 261NIPP (National Infrastructure Protection Plan), 94, 96

Clinton administration commissions, 87DHS goals in, 97DHS risk management, 18Office of Infrastructure Protection, 94, 131replacing, 104

NIST (National Institute for Standards and Technology)compliance, 171functions of, 73“Guide for the Security Certification and Accredita-

tion of Federal Information Systems,” 171–172IT vulnerabilities list, 30NIST 800-53 (Recommended Security Controls for

Federal Information Systems and Organizations), 174

NIST 800-66 (An Introductory Resource Guide for Implementing the HIPAA Security Rule), 174

NVD (National Vulnerability Database), 201“Recommended Security Controls for Federal Infor-

mation Systems and Organizations,” 174risk management frameworks, 18, 98security practices role, 80

Nixon administration, 253–254NNSA (National Nuclear Security Agency), 41–46non-experimental research, 247–248non-volatile memory, 184, 185noncompliance consequences, 172North American Electric Reliability Corporation (NERC),

Index444

Index (N-O) 445

229–230North Atlantic Treaty Organization (NATO), 101, 276,

283–284Northeast Blackout, 2003, 92Norway, 4“Not Applicable” answers, 288not-mutually exclusive events (probability), 48–49notice and comment period, 266–267notifications. See also alerts; warning systems

as capability, 203costs of, 236as passive response, 207state laws, 227–228

NPPD (National Protection and Programs Directorate), 94, 122, 131

NRC (US Nuclear Regulatory Commission), 47, 53NSA (National Security Agency)

civilian/military control tensions, 78–81classified computer systems and, 80Einstein 3 program, 99–100founding of, 128role in cybersecurity, 71–73

NSC (National Security Council), 74, 87, 93, 253NSD (Network Security Deployment division), 94NSDD-145 (National Policy on Telecommunications

and Automated Information Systems Security), 7–8, 78–80

NSFNET (National Science Foundation Network), 4NSPDs (National Security Policy Directives)

Bush administration, 255CNCI, 99–102NSPD-54 (National Security Policy Directive),

99–102, 130, 257nuclear arms, 6, 7nuclear facilities

criminal information access, 270human reliability in management, 53PRA risk management, 47virus attacks, 102, 276

Nuclear Regulatory Commission (USNRC), 47, 53null hypotheses (Ho), 39, 49, 290, 291NVD (National Vulnerability Database), 201NY BCL (Business Corporation Law of New York State),

216

OObama administration

cybersecurity initiatives and policies, 98–104Cyberspace Policy Review, 130executive orders, 104, 256national security instruments, 104, 255

objective values (management), 142–143objectives, 138, 146OCIA (Office of Cyber and Infrastructure Analysis), 94,

131ODNI (Office of the Director of National Intelligence), 72off-site back-ups, 236OEC (Office of Emergency Communications), 94Office of Cyber and Infrastructure Analysis (OCIA), 94,

131Office of Cybersecurity and Communications (CS&C),

94, 122, 131Office of E-Government and Information Technology,

254Office of Emergency Communications (OEC), 94Office of Homeland Security. See DHSOffice of Information and Regulatory Affairs, 82, 254Office of Infrastructure Protection (IP), 94, 131Office of Management and Budget. See OMBOffice of National Infrastructure Assurance, 87Office of Science and Technology Policy (OSTP), 254,

259Office of the Director of National Intelligence (ODNI), 72Office of the National Counterintelligence Executive

(ONCIX), 72OHS (Office of Homeland Security). See DHSOIRA (Office of Information and Regulatory Affairs), 82,

254Oklahoma City bomb, 85–86, 256Olympic Games cyberwar program, 102OMB (Office of Management and Budget)

circularsA-11 (capital assets), 149, 150A-130 (information resource management), 83,

172Exhibit 300 reports, 169–170FISMA compliance, 98, 171FISMA oversight, 102–103, 129functions of, 73information management, 82–84IT system requirements, 169–170memoranda, 258–259

M-08-05 (trusted Internet connections), 138–139

M-10-28 (DHS responsibilities), 103, 257, 258–259

M-97-02 (funding information systems), 83role of, 253–254TIC mandate, 22, 138–139, 258

ONCIX (Office of the National Counterintelligence Exec-utive), 72

online retailer examples, 55–60, 292–296

online surveys, 289–290ontology, 246–247op models (operating models), 142, 143–148, 160open-ended questions, 288, 290open standards organizations, 279operating models (op models), 142, 143–148, 160Operation Aurora, 276operational planning models, 124–125operational processes (CONOPS), 138operational requirements document (ORD), 140opting out (financial information), 223oral communications, 272ORD (operational requirements document), 140“Organizational Capital” block, 124–125organizational structure, 123organizations, 109

impacts of structures, 123top-down analysis, 50–52

organized crime groups, 19levels of risk and, 35prosecution, 268–275risk determination example, 36risk management outline, 20threat assessment, 25, 26–27in threat spectrum, 28

OSTP (Office of Science and Technology Policy), 254, 259

OSTP Resource Library, 254“Other” answers, 288outcomes

in CONOPS, 140defining, 135measurable, 117in op models, 140–142operational planning model, 124in PWSs, 145regression modeling, 56success and, 120

over budget status, 156, 163overriding vetoes, 263oversight

congressional, 74corporate failure, 215–219duty of care, 217

Pp-values, 291Pacific Bell, 5packet analyzers (sniffers), 204, 272packets, 187, 188–189Paperwork Reduction Act (PRA), 82, 254participants in CONOPS, 138

passive responses to threats, 207–208, 237–238passwords

brute force attacks, 193corporate data, 220corporate policies, 235corporate systems, 233logit analysis, 295, 296selling, 271strong passwords, 57, 220, 235as vulnerabilities, 200wireless systems, 227

patches, 195, 200, 227Patriotic Hacker attacks, 276Payment Card Industry Data Security Standards, 221PCCIP (President’s Commission on Critical Infrastruc-

ture Protection), 86–87, 255, 257PCs (personal computers)

attacks and exploits, 195–202changes in national security and, 77–81criminal information access, 271cybersecurity operation capabilities, 202–208early federal policies, 7–8early years of, 4–5FISMA protection, 97in IT infrastructure, 185protected computers, 272systems, 182–184virus attacks, 102vulnerabilities, 200–202worms, 8–9

PDDs (Presidential Decision Directives), 74. See also national security instrument

Clinton administration, 74, 255 PDD-63

critical infrastructure protection, 87–90energy information sharing, 230HSA elements of, 261Oklahoma City response, 255replacement of, 257

penetration testing, 234–235percentages (comparing projects), 157–158performance

APBs, 142objective and threshold values, 142–143red, yellow, and green status, 165

performance-based acquisitions, 145–146“performance measurement report,” 170performance work statements (PWS), 144, 145–146period of performance (POP), 155, 164personal computers. See PCspersonal information

bank sales of, 222

Index446

Index (P) 447

business’s duty towards, 212–213civilian vs. military cybersecurity control, 70, 71criminal computer access, 271criminal information access, 273customer information leak example, 55–60liability for breaches, 219–222phishing attacks, 197–198protected health information, 173Sony PlayStation Network breach, 221–222spear phishing attacks, 41–46TJX data breach, 220, 226–227, 272

personal interviews, 40, 288PHI (protected health information), 173, 225phishing attacks, 41–46, 197–198phone companies, 188phone surveys, 40physical security, 236plan of action and milestones (POA&M), 147–148planned value. See PV (planned value)planning, programming, budgeting and execution

(PPBE), 127plans, 114–115

alternative scenarios, 119–120assessing, 120capability-based planning, 136–137choosing, 120CONOPS, 137–140executing, 120measurable outcomes, 117op models, 140–142operational planning model, 124–125POA&M documents, 147–148plausible deniability, 281plea bargains, 274POA&M (plan of action and milestones), 147–148

Poindexter, John, 7–8, 78–81, 98point system (sentencing), 274–275policies

as authorization, 134compliance, 167in CONOPS, 138, 140federal. See policies (federal)impact on projects, 123internal controls, 239–240mission needs statements and, 128–130policy directives, 304policy monitoring, 205–206

policies (federal), 69agencies involved in, 70–74crafting, 74cybersecurity and, 69–70Cyberspace Policy Review, 100–101

DHS frameworks, 95FISMA requirements, 98history of cybersecurity, 70–74

origins (1945-1984), 7–9, 74–81control conflict (1984-1995), 77–81cyber development (1995-2001), 81–90Homeland Security (2001-2008), 90–98CNCI/cyber warfare (2008-present), 99–102recent developments, 102–104

sentencing, 274policy directives, 304policy monitoring, 205–206POP (period of performance), 155, 164population, 41, 289–290positive relationships (logit models), 56power grid. See electrical gridpower plants, 229–230PPBE (planning, programming, budgeting and execu-

tion), 127PPDs (Presidential Policy Directives), 255PRA (Paperwork Reduction Act), 82, 254PRA (probabilistic risk assessment)

event tree analysis, 49–52fault tree analysis, 50–52, 53, 54human reliability analysis, 53logistic regression equation, 294, 295Monte Carlo analysis, 53–55quantitative risk determination, 47–48

precedents, judicial, 269predicting leaks, 58–60predicting threats, 206–207predictive analysis, 206–207preponderance of evidence, 281presidential directives, 74, 129. See also executive or-

ders; national security instruments; HSPDsmission requirements and, 127, 128–130

Presidential Policy Directives (PPDs), 255PPD-21, 104

Presidential Study Directives (PSDs), 255presidents

agency creation, 266agency supervision, 74bill signing or vetoing, 263cybersecurity policy role, 69–70Executive Office of. See EOPexecutive orders. See EOsas first responders, 251, 252military or civilian security control policies, 71mission requirements, 127, 128–131national security instruments, 74presidential directives, 74, 129. See also executive

orders; national security instruments; HSPDs

scope of power, 128–130as senior managers, 110

President’s Commission on Critical Infrastructure Pro-tection (PCCIP), 86–87, 255, 256

President’s Council on Year 2000 Conversion, 89primary consequences, defined, 30printers, 182, 183priorities

FISMA requirements, 171risk management framework, 16, 20, 21, 23

privacy issuesbank sales of personal information, 223civilian vs. military cybersecurity control, 70, 71court cases, 269IPv6 and, 279policy formation, 74

Privacy Rule (HIPAA), 224private corporation governance, 213–215private-public partnerships

board of directors role, 231–232critical infrastructure protection, 70, 85, 87–88,

105DHS agencies charged with, 94, 96DHS strategies, 259incentives for, 87, 103, 145National Infrastructure Assurance Council, 87outlining shared threats, 87, 99policy formation, 74post 9/11, 92–93threats to critical infrastructure, 87

private sectorbusiness interruption insurance, 238corporate governance, 213–222critical infrastructure owned by, 85cyber incident reports, 103cybersecurity overview, 211–213duty of care, 213–222electrical grid, 229–230HIPAA compliance, 172–174incentives for partnerships, 87, 103, 145internal audits and controls, 239–241legislative requirements, 222–230liabilities, 213–222model cybersecurity programs, 231–238NSDD-145 computer security issues, 8partnerships. See private-public partnershipspolicy formation, 74protecting critical infrastructure, 70, 85–88, 105risk management strategies, 212Sarbanes-Oxley Act and, 230SEC disclosures, 228

security roles, 231–232strategy questions, 211–213

proactive safeguards, 220, 231probabilistic risk assessment. See PRA (probabilistic

risk assessment)probability

calculating, 35–37illustrated, 38logistic regression equation, 295–296PRA risk management, 47. See also PRApredicting leaks with statistical analysis, 58–60probability distribution, 48probability sampling, 290probability theory, 48–49quantitative risk determination, 48–49values, 54

probable cause, 273procedures, 114, 167processors, 181–182procurement. See acquisitions and procurement“Products and Services” block, 124professional auditors, 241program/project managers, 110, 113

comparing projects, 157–158compliance and reporting, 166–174CONOPS, 137–140defining capabilities, 136DHS cybersecurity programs, 127earned value management, 148–165, 298–302forecasting, 300–302function coordination, 115–116high-level requirement analysis, 132management and acquisition, 143–148mission needs statements, 126–127objective and threshold values, 142–143op models, 140–142tracking projects, 153–157warning system example, 110–113

programming languages, 180–181programs. See softwareproject managers. See program/project managersproposed bills, 261–264proposed rules, 260, 266prosecution of cybercriminals, 6, 9, 268–275prosecutors, 273protected computers, 272protected health information (PHI), 173, 224protection

as capability, 203as high-level requirement, 136infrastructure. See critical infrastructure protection

Index448

Index (P-R) 449

networks, 97, 99–102PCs, 97personal information, 173protected computers, 272

protective markings, 79protocol identifier assignments, 277protocols, 188, 189–190, 277PSDs (Presidential Study Directives), 255public corporation governance, 213–215public hearings, 260, 262, 266public image, 212public-private partnerships. See private-public partner-

shipsPV (planned value)

District Design case study, 152–154percentages, 157–158schedule variances, 154–155SPI equations, 299

PWS (performance work statement), 144, 145–146

QQuadrennial Homeland Security Review report to Con-

gress (QHSR), 130, 259qualitative risk determination, 37–46quantitative risk determination, 37–39, 47

event tree analysis, 49–52fault tree analysis, 50–52, 53, 54human reliability analysis, 53Monte Carlo analysis, 53–55online retailer example, 55–60probabilistic risk assessment, 47–48probability basics, 48–49statistical modeling, 55

questionnaires. See survey designsquestions

advanced research methods/sources, 284–286computer technical fundamentals review, 208cybersecurity law and policy review, 105–107cybersecurity management review, 174–176private sector cybersecurity review, 242–243qualitative research questions, 39–41research questions, 247risk determination review, 65–66risk research questions, 38–39

Rradio signal badges, 236RAM (random access memory), 182, 184–185random sampling, 290ratings agencies, 228re-engineering backwards, 141

Reagan administration, 7–8, 74, 78–80, 128reason, mistakes of, 249reasonable doubt, 274reckless behavior, 271“Recommended Security Controls for Federal Informa-

tion Systems and Organizations” (NIST SP 800-53), 174

reconciliation, 263reconnaissance attacks, 196recovery from attacks

business continuity plans, 238as capability, 203corporate policies, 237“National Strategy to Secure Cyberspace,” 95

red project status, 165reducing risk (capability), 159regional Courts of Appeals, 268Regional Internet Registries (RIRs), 278–279registries (Internet addresses), 278–279regression modeling, 56, 291, 292, 294–295regulations, 265–266, 304

Code of Federal Regulations, 268compliance, 167Congressional and Judicial roles in, 267–268creating, 266–267Federal Register publication, 260impact on projects, 123

regulatory agencies, 236–237reliability, 39reliability standards (NERC), 230reliability tests, 249Reno, Janet, 86rental botnets, 198repairing systems, 237reports

audits, 166–168corporate policies, 235, 237DHS cybersecurity reports, 130–131energy grid cybersecurity, 230Exhibit 300, 169–170federal government practices, 168–169FISMA requirements, 170–172health care system breaches, 225internal controls, 239–240operational planning model, 125Sarbanes-Oxley Act, 230

Requests for Comments (RFCs), 279requests for information (RFIs), 143–144requests for proposals (RFPs), 144–148research methods, 245–249research questions

creating, 247dependency on Internet, 275risk research, 38–39spear phishing attack vulnerabilities, 41–46statistical modeling, 56survey design, 288–296

research sourcesCode of Federal Regulations (CFR), 268Council of Europe, 284executive branch, 251–260, 254

executive orders, 256–258Federal Register, 260OMB memoranda, 258–259OSTP memoranda, 259national security instruments, 255White House strategy and guidance, 259

GAO website, 264government documents, 249–251Internet Engineering Task Force, 279legislative, 264–265

Congressional Record, 264Congressional Research Service, 264–265proposed bills and law, 264

NATO, 283–284THOMAS.gov, 264United Nations, 283

research subjects, 248Réseaux IP Européens Network Coordination Centre

(RIPE NCC), 279resources

as constraints, 21decision-making process, 121identifying in MNS, 135impact on projects, 123management and acquisition phase, 143–148POA&M documents, 147–148risk monitoring and, 63time and money, 150–152trade-offs in risk management, 23

responding to attacksactive responses, 207–208, 237–238containing threats, 61corporate plans, 234, 236–237NATO teams, 284passive responses, 207–208, 237–238presidents as first responders, 251, 252types of responses, 207–208

responding to risksacceptance, 16, 20, 36, 60–61avoidance, 60, 61as capability, 203

cybersecurity insurance, 61–62as high-level requirement, 136mitigation, 60, 61risk management framework, 16, 17, 18, 20risk responses, defined, 60transfer, 16, 20, 60, 61–62unacceptable risks, 22

response rates (surveys), 42responsibilities in CONOPS, 138, 140restitution to victims, 273results, assessing, 120–121reviewing warnings, 112RFCs (Requests for Comments), 279RFIs (requests for information), 143–144RFPs (requests for proposals), 144–148Ridge, Tom, 90RIPE NCC (Réseaux IP Européens Network Coordination

Centre), 279RIRs (Regional Internet Registries), 278–279risk, 17

assessing. See risk assessmentsbenefits of, 64determination. See risk determinationframing. See framing risksgraphing, 33internal audits, 167levels of, 33–37management. See risk management; risk manage-

ment frameworksresponding to. See responding to risksrisk equation, 23risk formula, 23–33severity, 37, 47tolerances, 16, 20, 21, 22unacceptable, 22

risk assessments, 23–24audits, 240Cybersecurity Act, 103DHS monitoring case study, 161–162, 164FISMA requirements, 97–98model corporate cyber program, 232–234risk determination and. See risk determinationrisk equation, 23–24, 34–35risk management framework, 16, 17, 18, 20

risk-based decisions, 19, 98risk determination, 33–37

methodologies, 37–39quadrant diagram, 36qualitative methods, 37–46quantitative methods, 37–39, 47–60review questions, 65–66

Index450

Index (R-S) 451

risk assessment in, 33risk equation, 23–25, 34–35risk framing. See framing risksrisk management, 15–17

consequence assessment, 30–33federal agency roles in, 83–84frameworks, 16, 18health care systems, 224operational planning model, 125organized crime example, 20plans, 15presidential directives for, 96private sector strategies, 212process, 18–19risk, defined, 17risk assessment, 23–33risk determination, 33–60risk formula, 23–33risk framing, 19–23risk managers, 26SEC guidelines, 228–229strategies, not checklists, 66threat assessment, 25–28threat shifting, 28vulnerability assessment, 29–30

risk management frameworks, 16, 17, 18, 20risk management plans, 15risk research questions, 38–39risk responses. See responding to risksrisk tolerances, 16, 20, 21, 22roles (CONOPS), 138, 140Roosevelt administration, 75, 128root server management, 277routers, 182, 183, 185, 187, 188, 190–192, 198–199routing attacks through other countries, 282routing tables, 190RSA SecurID breach, 198, 212–213rules, 205–206, 266Russian-Chechen conflict, 276Russian Federation, 279Russian-Georgian conflict, 277

SSafeguards Rule, 223sample populations, 41, 289–290Sarbanes-Oxley Act (SOX), 168, 230satellites, 3SBU IT (sensitive-but-unclassified information technol-

ogy), 81Scalia, Antonin, 269scanning systems, 201, 205

Schedule Performance Index (SPI), 157, 298–299schedule variances (SVs), 154–158, 163–164schedules

acquisition performance baselines, 142delays in, 163–164DHS monitoring case study, 160Integrated Master Schedules, 148, 149manager’s role, 117objective and threshold values, 142–143variances, 154–155

Schmidt, Howard A., 101“Scientific Integrity,” 259scientific issues, 259scientific methods, 248screen locks, 235search warrants, 272SEC (Securities and Exchange Commission), 228–229,

237SECIR (Stakeholder Engagement and Cyber Infrastruc-

ture Resilience division), 94Secret Service, 90, 93sector-specific agencies (SSAs), 96sectors in management framework, 127secure hash algorithm (SHA-2), 194–195SecurID data breach, 198, 212–213Securities and Exchange Commission (SEC), 228–229,

237security

vs. accessibility, 22certification and accreditation, 171–172OMB role in, 82

security even correlation tools, 205Security Rule (HIPAA), 224self-administered surveys, 40, 41–46, 288Senate, 261–263senior managers, 110, 113, 115, 116sensitive but unclassified information, 8, 78, 79, 233sensitive-but-unclassified information technology (SBU

IT), 81sensitive information, 233sentencing

CFAA offenses, 270–272cyber criminals, 269guidelines, 274–275

September 11, 2001executive orders after, 257reorganizations after, 90risk planning after, 15–16scope of presidential power and, 129

sequences of events, 50servers, 185, 204, 220

service providers (ISPs), 188, 202, 204severity of attacks, 207severity of risk, 37, 47SHA-2 (secure hash algorithm), 194–195shared threats, 28, 87, 88shareholders, 213, 214, 215–219, 221–222shunning attacks, 207signal intelligence, 72signature-based tools, 99–100, 205, 206, 237–238signatures

digital, for DNS, 192IDS/IPS tools, 206internal monitoring, 205known exploits, 206threat signature technology, 99–100, 237–238

simulating attacks, 206–207, 234–235SME (subject matter expert), 161sniffers (packet analyzers), 204, 272social engineering attacks, 235social media phishing attacks, 197Social Security numbers, 273software, 182

antivirus. See antivirus softwareexploits, 195IDS/IPS tools, 206insecurity of, 202in IT systems, 185malware, 195, 196, 271programs, defined, 181signature-based tools, 99–100, 205, 206, 237–238vulnerabilities, 200–202

Sony PlayStation Network, 221–222SOOs (statements of objectives), 144, 146South Ossetia, 277sovereignty, 282Soviet Union. See also Russian Federation

Cold War, 3, 76, 78computer security and, 78Sputnik, 3

SOWs (statements of work), 144SOX (Sarbanes-Oxley Act), 168, 230SP 800-37 (Guide for the Security Certification and Ac-

creditation of Federal Information Systems), 171space allocation (ICANN), 277Space Race, 3spam filters, 197Speaker of the House, 262spear phishing attacks, 41–46, 197–198Special Advisor for Cyberspace Security, 93, 257, 259speed of processors, 182SPI (Schedule Performance Index), 157, 298–299

spies. See espionagesponsors, bills, 261spoofed websites, 198Sputnik, 3SSAs (sector-specific agencies), 96, 104staff functions, 116staffing in models, 125Stakeholder Engagement and Cyber Infrastructure

Resilience division (SECIR), 94stakeholders, 138, 140, 160standard deviations, 291standards, 304state attorneys general, 220state court jurisdictions, 269–270State Department, 72state laws, 227–228statements of objectives (SOOs), 144, 146statements of work (SOWs), 144statistical modeling, 290–292

Monte Carlo analysis, 53–55online retailer probability example, 55–60predicting leaks, 58–60quantitative risk determination, 55regression modeling, 56

“statistically significant,” 290, 291statutes, 304. See also legislationsteps (op models), 141stock, 213–214, 228–229, 238stock values, 212storage, 184–185strategic objectives in models, 124“Strategic Risk Management” block, 125strategies, 114, 115

alternative scenarios, 119–120capability-based planning, 136–137choosing, 120CONOPS, 138executing, 120mission needs statement, 133operational planning model, 124–125

strengths in models, 124–125strong passwords, 57, 220, 235Stuxnet, 10, 37, 275–276subject matter experts (SMEs), 161subprime mortgage crisis, 218–219supercomputing centers, 4supply chains, 166, 170Supreme Court, 268. See also judicial branch of govern-

mentsurvey designs, 288–299

building models, 293–296

Index452

Index (S-T) 453

logit models, 292–293NNSA example, 41–46qualitative risk determination, 39–41response rates, 42sample populations, 289–290statistical models, 290–292

SVs (schedule variances), 154–158, 163–164symbols, fault tree, 52, 53Syria, 276systems, computer, 140, 182–184, 185, 195systems of systems, 182–184, 187

Tt-test, 291target audiences, 111, 112, 113“targeted and actionable” warnings, 112–113targets, 25, 27, 190, 202tasks, 120, 148, 150Taves, Kenneth H., 222–223TCP/IP (Transmission Control Protocol/Internet Proto-

col), 187, 188, 189technical audits, 167technical guidance, 304telephone surveys, 40tensions

between military and civilian control, 70, 71, 78–81, 104–105

between security and freedom, 282terminating sessions, 207terrorism

aggravated identity theft, 273board of directors role in prevention, 231–232counterterrorism reviews, 100–101international issues, 281monitoring for, 204Oklahoma City, 1995, 85–86September 11th, 2001, 15–16, 129in threat spectrum, 28World Trade Center, 1993, 85

test groups, 247test statistics, 290testing

FISMA requirements, 98hypotheses, 248–249penetration testing, 234–235risk research questions, 39

theories (cybersecurity research), 246THOMAS.gov, 264threat assessment

components, 25–28DHS monitoring case study, 161–162

mission needs statements, 133model corporate program, 232–233

threat environments, 133threat shifting, 28threat signature technology, 99–100threats, 23, 25

analyzing consequences/vulnerabilities, 33–37assessing. See threat assessmentattacks. See attacks and exploitscorporate governance and, 216critical infrastructure focus, 87espionage, 4evolution in, 105external, 28factors aiding in, 202growth in, 99identifying, 38, 133, 205–208increases in, 33insider, 200, 233internal, 28malware, 195, 196, 271risk assessment and, 23in risk determination, 36in risk equation, 23in risk management framework, 16, 20shared, 8, 87signature technology, 99–100, 205, 206, 237–238simulating, 206–207spectrum, illustrated, 28threat environments, 133threat shifting, 28worms. See worms

threshold values, 142–143TIC Access Providers, 22TIC (Trusted Internet Connection), 22, 138–139, 141,

258time in budgets, 150–152time-out tries, 295, 296timelines, 120TJ Maxx, 220TJX data breach, 220, 226–227, 272TLDs (top level domains), 192tokens, security, 213tolerances, risk, 16, 20, 21, 22top-down analysis, 50–52top level domains (TLDs), 192total risk equation, 35tracking projects

atypical variances, 302comparing projects, 157–158EVM budgeting, 153–158

EVM indexes, 298–300over budget status, 163red, yellow, and green status, 165variances, significance of, 165

trade-offsrisk management framework, 16, 20, 21, 23secure websites, 59

trade secrets, 233training

corporate programs, 235costs, 160education as capability, 159FISMA requirements, 98health care systems, 224

transferring risks, 16, 20, 60, 61–62Transmission Control Protocol (TCP/IP), 187, 188, 189transnational issues. See global cybersecurity issuestransparency in corporate governance, 215transportation systems, 85, 87, 96travel costs, 146, 160Treasury Department, 72treaties, 284trial courts, 268trial-out tries, 295, 296trials, 274Trojan horses, 196Truman administration, 128trust, customers, 220, 238trust protocols, 179, 188, 191–192, 198–199Trusted Internet Connection (TIC), 22, 138–139, 141,

258Trusted Internet Connections Initiative, 138–139, 258Twitter phishing attacks, 197Tyco, 230

Uunacceptable risks, 22unauthorized access, 9unclassified information, 79unconstitutional regulations, 267–268under budget status, 156undesired events (probability analysis), 51unfavorable variances, 155, 156, 158, 298, 299–300unintentional threats, 25–26United Kingdom cyber defenses, 37United Nations cybersecurity efforts, 283United State Sentencing Commission (USSC), 274United States

government. See Federal governmentgovernment agencies. See under agency names (i.e.,

Defense Department, EPA)

Internet number registry, 278Stuxnet virus, 10, 102, 275–276

United States v. Jones, 269units of analysis, 248, 249unknown vulnerabilities, 201–202updating tools, 238U.S. Attorneys, 273, 274U.S. Computer Readiness Team (US-CERT), 122–123U.S. Cyber Command, 73US-CERT (U.S. Computer Readiness Team), 122–123USB memory sticks, 185“useful life,” defined, 149users

behavioral detection, 206in cybersecurity operations, 202numbers of, in modeling, 57, 295, 296user-friendly websites, 58, 59as vulnerabilities, 200

USNRC (Nuclear Regulatory Commission), 47, 53USSC (United States Sentencing Commission), 274

Vvalidity tests, 249values (binary code), 180variables

logit models, 292PRA risk management, 47regression modeling, 56research, 248test statistics, 291

variances (EVM)atypical, 302comparing projects, 157–158vs. EVM indexes, 298favorable/unfavorable, 155, 156, 158, 298, 299–

300percentages, 157–158significance of, 165understanding, 154–158variance triangle, 156

vendors/contractorscompliance, 168cybersecurity operations, 202health care systems, 224IMS documents, 148POA&M documents, 147–148policies for managing, 238PWS documents, 145RFIs and, 143–144RFP responses, 147–148security breaches, 213

Index454

Index (V-Z) 455

selection, 147–148SOO documents, 146threats resulting from, 233

vetoingbills, 263regulations, 267

victims, 273, 275violating policies, 205–206virus software. See antivirus softwareviruses

capabilities, 196Coreflood virus, 198criminal prosecution, 271Flame, 102, 276government efforts to focus on, 87Stuxnet, 10, 102, 275–276

viva voce, 263voicemail hacking, 5volatile memory, 184–185volunteer sampling, 289–290voting, 263vulnerabilities, 23, 195–196

analyzing threats/consequences, 33–37assessing, 23, 29–30, 161–162, 232, 233BGP, 191–192complexity of systems and, 184corporate governance and, 216databases of, 201DHS monitoring case study, 161–162hash detection methods, 195human, known, and unknown, 200–202identifying, 38increases in, 33Internet, 179IP addresses, 190mainframes, 76“National Strategy to Secure Cyberspace,” 95personal computers, 78–80public-private shared research, 87risk determination, 36risk equation, 23risk management framework, 16, 20trust protocols and, 188

vulnerability assessments, 23, 29–30, 161–162, 232, 233

WWANs (wide area networks), 188War Games, 6Warner Amendment, 81warning systems, 110–113

as capability, 203, 207effectiveness, 112as high-level requirement, 136importance of warnings, 111management, 110–113too many warnings, 112, 113US-CERT failure, 122–123

water systems, 87, 96WBS (work breakdown structure), 146, 148, 160weaknesses. See vulnerabilitieswebsites

cyber attacks, 276District Design. See District Design case studyDNS cache poisoning, 200encrypting, 194fraudulent credit card usage, 222history of, 185–186phishing attacks, 197–198

White House, 259, 276. See also EOP; presidentswide area networks (WANs), 188WiFi networks, 198, 227wireless systems, 198, 227Wiretap Act, 272work breakdown structure (WBS), 146, 148, 160Working Group on Web Security, 280World Summit on the Information Society (WSIS), 283World Trade Center attacks

1993, 852001, 15–16, 90–99, 129, 257

World Wide Web, 9, 185–186WorldCom, 168, 230worms

capabilities, 196criminal prosecution, 271Flame, 102, 276Morris, 8–9, 270Stuxnet, 10, 102, 275–276

written cybersecurity plans, 234WSIS (World Summit on the Information Society), 283

YY2K preparations, 89yellow project status, 165

Zz-test, 291zero-day exploits, 195, 201–202, 206zombie networks, 198