Escolar Documentos
Profissional Documentos
Cultura Documentos
A GENERIC REFERENCE
CURRICULUM
Editors:
Sean S. Costigan
Professor
George C. Marshall European Center for Security Studies
Gernackerstrasse 2
82467 Garmisch-Partenkirchen, Germany
sean.costigan@pfp-consortium.org
4
5
About this Reference Curriculum
This document is the result of the work of a multina- We are especially grateful to the Partnership for Peace
tional team of volunteer academics and researchers Consortium of Defense Academies and Security Studies
drawn from 17 nations associated with the Partnership Institutes, under the leadership of Raphael Perl, and the
for Peace Consortium (PfPC) Emerging Security Chal- Chairs of the ESCWG, Dr. Detlef Puhl (NATO) and
lenges Working Group (ESCWG). Our aim was to pro- Dr. Gustav Lindstrom (GCSP), as well as for the sup-
duce a flexible and generally comprehensive approach to port of the PfPC DEEP and Education Working Groups
the issue of cybersecurity. under Dr. Al Stolberg, Mr. Jean dAndurain and Dr.
David Emelifeonwu. In addition, the leadership of sev-
This document aims to address cybersecurity broadly eral partner nations, including Armenia, Georgia and
but in sufficient depth that non-technical experts will Moldova, helped make this effort possible through direct
develop a more complete picture of the technological and tangible support. Last but most certainly not least,
issues and technology experts will more completely all the volunteers listed as contributors are owed an enor-
appreciate national and international security policy mous debt of gratitude. When we asked if they would be
and defense policy implications. We offer a logical willing to commit to a two-year effort that would take
breakdown of the topic by specific categories, suggesting them deep into the recesses of cybersecurity education,
the level of knowledge to be obtained by various audi- not one flinched. In particular we wish to thank Scott
ences and indicating useful key references so that each Knight, Dinos Kerigan-Kyrou, Philip Lark, Chris Pallaris,
adopting state can adapt this framework to its needs and Daniel Peder Bagge, Gigi Roman, Natalia Spinu, Todor
the specifics of the target student body. Tagarev, Ronald Taylor and Joseph Vann. Without them,
this document simply would not have come together.
6
I. AIM OF THIS DOCUMENT little technical background will find an introduction at a
manageable level of complexity and gain a better appre-
The rapid and unrelenting pace of changes and chal- ciation of where and why technical depth is required.
lenges in cybersecurity1 was the driving force that Those with technical backgrounds may find the material
prompted the ESCWG to request this curriculum a useful overview of areas they are familiar with and an
effort, in accordance with NATOs increased emphasis introduction to broader issues of international, national
on improving cybersecurity awareness, preparedness and legal policies and practices. We trust that everyone
and resilience. will find in it something of value.
News headlines are replete with references to commer- Those who desire to use this document as an approach
cial hacks, data breaches, electronic fraud, the disrup- to cybersecurity should analyze their particular and
tion of government service or critical infrastructure, unique national practices and requirements to adapt it
intellectual property theft, exfiltration of national secu- to their needs. This document offers guidance in identi-
rity secrets, and the potential of cyber destruction. The fying areas that warrant attention and recommends key
domains once simply considered as electronic warfare, sources and approaches.
or information warfare once dominated by network
security experts, is today transforming into a much
broader domain, referred to as cybersecurity. II. CYBERSECURITY AND RISKS
As it is an emergent issue, one in which there remains Security measures are most often informed by mea-
disagreement over basic terms, the ESCWG has sought sures of threats and risks. Both concepts are explored
to bring some clarity and commonality to this issue at some length. However, in simple terms, cyberspace
through creation of this reference curriculum. We have is full of threats, but measures to mitigate threats need
adopted the agreed spelling cybersecurity as one word to be informed by measures of risk. The International
throughout and employ the term cyber as a modifier Organization for Standardization (ISO) defines risk as
or to clarify the focus. the effect of uncertainty on objectives (the effect may
be positive or negative deviation from what is expected).
In drafting this document, we canvassed all PfPC Since measures taken to secure something must be pro-
member institutions and other defense colleges and portionate to the value of what is being secured, there
reviewed military training programs of NATO and PfPC are various levels of security depending on measures of
partner countries to establish what is being taught. We value and risk. Securing cyberspace, therefore, entails a
sought to identify gaps and shared approaches that cut number of considerations to mitigate risks and threats
across traditional boundaries of governmental and mili- while encouraging accessibility and openness across var-
tary structures. The largest gap we observed was the lack ious types of interconnected networks and devices. Estab-
of sufficient understanding of cybersecurity technology lishing the necessary balance between access, usability and
and of threat and risk mitigation practices among security is the core challenge. This curriculum explores
national security and defense policy leaders. A similar approaches to threat and risk assessment, identification
gap in the understanding of national policy frameworks and mitigation, at the technical level and at an agency
was identified among technical experts. and a government policy level, through exploration of
recommended best practices and in comparison to the
This reference curriculum provides a coherent launching published policies of particular states or organizations.
point from which to develop or enhance the teaching
of cybersecurity issues to senior officers, civil servants
and mid-level military and civilian staffs. Like the other III. STRUCTURE OF THIS CURRICULUM
reference curricula developed by the PfPC, the aim of
As previous reference curriculum documents have
this document is conservative. It does not present a
stated, a curriculum is a specific learning program, or
single master course outline for all to follow. It is not
perhaps a range of courses, that collectively describes
exhaustive as to content, details or approaches to the
the teaching, learning and assessment materials and
subject. However, we believe it furnishes a useful heu-
methods appropriate for a given program of study. The
ristic approach to the various domains, comprising a
resulting curriculum therefore is a road map of what
comprehensive introduction to the spectrum of issues
learners may be exposed to. Like any map, it is crafted
entangled in the practices of cybersecurity. Those with
1
In broad outline, we follow the definition devised for the U.S. Department of Homeland Security: Cybersecurity is the 7
activity or process, ability or capability or state whereby information and communications systems and the information
contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.
at a level of abstraction and may not show all routes or either blocks or modules, delivery of the subjects may
details; however, it outlines what the learner should see. take the form of lectures, presentations, participatory
assignments, tours, demonstrations or participation in
Typically, a generic curriculum results in a nested struc- scenario exercises.
ture, with many subtopics and issues nested within a
broad framework2. These many nested parts are con-
nected to broader objectives of a program of study. Given IV. USING THIS CURRICULUM
the interconnectedness of subjects and issues contained
The curriculum makes a number of implicit assump-
within our cybersecurity reference curriculum, we have
tions.
not recommended that the curriculum be broken into
three officer development phases. More will be said First, all of the material identified in this document is
on this point below, when we address how to use this non-classified. Those who adopt this framework may
curriculum. wish to address classified material if the need arises.
In keeping with the structures adopted in other PfPC Second, it is assumed that institutions adopting this
reference curricula, this document is presented through reference curriculum will devote appropriate time and
four themes, each of which is separated into blocks that resources with an expert team to identify national poli-
naturally could be further subdivided. These divisions cies and procedures at the level of detail required for the
are designated Themes (T) and Blocks (B), as reflected target audience. Rote knowledge of transitory technical
in the Table of Contents (see over). matters may be necessary, but the objective here is for
a broader understanding of the challenges of cybersecu-
The four themes of this curriculum are as follows:
rity across the spectrum of issues.
Theme 1: Cyberspace and the Fundamentals of
In adapting this curriculum for local use, it may be pos-
Cybersecurity
sible to implement it in a progressive and sequential
Theme 2: Risk Vectors manner across various career phases, but at all levels the
Theme 3: International Cybersecurity Organiza- comprehensive outline should be followed. However,
tions, Policies and Standards the broad objective of this reference curriculum is more
strategic-operational than it is tactical. In developing
Theme 4: Cybersecurity Management in the specific courses from this reference curriculum, it is sug-
National Context gested that the local course designers consider the time
and resources available, the educational level of the stu-
Each theme is described in detail elsewhere in this docu-
dents and the functions that those students are expected
ment, but each has broad specific areas and issues to
to perform or will be expected to perform, regardless of
address.
their rank.
Subsumed under each theme are several distinct sub-
Third, there is no block on cyber war, cyber conflict or
jects. Each subject is explored in a basic block, which
social media as a conduit for propaganda or disinfor-
itself may be broken down into distinct learning mod-
mation. The design committee elected to leave those
ules, such as lectures, presentations, demonstrations,
focused issues for subsequent development.
tours, scenario exercises or similar activities. For the
most part, because this reference curriculum will require Finally, we reiterate that this reference curriculum is
local adaptation, we have not suggested distinct modules not a single or proposed course structure. Rather, the
and lectures because that level of detail is dependent on document is best used as a key reference providing a
individual need. The various blocks collectively inform broad outline of issues and topics across the spectrum of
each theme. They suggest learning objectives and out- cybersecurity. It may serve as a guide for technical per-
comes to be achieved; these are in turn connected to the sonnel to know where their particular focus falls within
wider objectives of the theme. this broad spectrum of issues. Similarly, it may guide
introductory courses for senior national security policy
Blocks could be delivered as a whole, combined, or
makers, so that they might better appreciate and situate
subdivided into separate modules. This outline does
their national policies with knowledge of the technical
not suggest which blocks to treat which way, but in
context. The three elements of greatest concern when
2
8 See previous reference curriculum documents for the origins and utility of this construct.
deriving any single course from this outline will be the The 300-page manual was written by a group
aim or purpose of the course; the proposed students, of 20 researchers at the invitation of NATOs
particularly their level of technical knowledge and the Cooperative Cyber Defence Centre of Excel-
nature of their employment; and the time available. lence in Tallinn, Estonia.
Those three elements should guide the level of technical
The follow-up Tallinn 2.0 project to the Tal-
detail discussed and the nature of the learning exercises
linn Manual on the International Law Appli-
(lectures, examples, field trips, demonstrations, war
cable to Cyber Warfare is designed to expand the
games, etc.).
scope of the original Tallinn Manual. Tallinn 2.0
will result in the second edition of the Tallinn
V. ADDITIONAL SOURCES Manual and be published by Cambridge Univer-
sity Press in 2016 (source: NATO CCD COE).
The volume of both general and technical literature
The National Cyber Security Framework
related to cybersecurity is expanding rapidly. Course
Manual (2012) by the NATO CCD COE.
designers are encouraged to generate their own list of
key sources; nevertheless, we have included a wide range The NATO CCD COEs e-learning course on
of sources reflecting many different national and inter- Cyber Defence Awareness (which is available
national perspectives relevant to the themes articulated for free but registration is required).
for this reference curriculum, and, where available, we The Cyber Conflict Bibliography by the Jacob
have provided links to active Internet resources. In addi- Burns Law Library, George Washington Uni-
tion to the many sources listed throughout this docu- versity Law School.
ment, the NATO website provides many current arti-
cles and information on issues of interest to the NATO The briefing Cyber defence in the EU: Pre-
community. Sources listed at www.natolibguides.info/ paring for cyber warfare? (31 October 2014) by
cybersecurity include the following: the European Parliamentary Research Service.
The Tallinn Paper no. 8, published in April
NATO Reviews articles/videos on cyber attacks
2015: The Role of Offensive Cyber Opera-
as well as the June 2013 edition on Cyber
tions in NATOs Collective Defence.
the good, the bad and the bug-free (includes
videos, photos, a timeline, infographics, etc.). Other useful resources include the following:
The article NATOs Cyber Capabilities: Yes- Business Continuity Institute, Good Practices
terday, Today, and Tomorrow by Healey and Guidelines 2013, Global Edition: A Guide to
van Bochoven (February 2012) provides a good Global Good Practice in Business Continuity
overview of NATOs cyber capabilities. (England, 2013). http://www.thebci.org/index.
The report On Cyberwarfare (2012) by Fred php/resources/the-good-practice-guidelines
Schreier includes a glossary and very good Gustav Lindstrom, Meeting the Cyber Secu-
selected and thematic bibliographies (Offi- rity Challenge, GCSP Geneva PapersResearch
cial Documents, NATO, OECD, by country, Series no. 7 (June 2012).
Information Warfare, Cyber Security, Books).
International Auditing and Assurance Stan-
The Cyber Special Edition of Strategic Studies dards Board, ISAE 3402 Standard for Reporting
Quarterly 6, no. 3 (Fall 2012). on Controls at Service Organizations.
The Cybersecurity: Shared Risks, Shared ISO/IEC 15408: Common Criteria for Infor-
Responsibilities edition of I/S: A Journal of Law mation Technology Security Evaluation, Ver-
and Policy for the Information Society 8, no. 2 sion 3.1, Revision 4.
(2012).
ITU-D Study Group 1, Final Report, Question
The article Cyberspace Is Not a Warfighting 22-1/1: Securing Information and Communication
Domain (2012) by Martin Libicki. Networks: Best Practices for Developing a Culture of
The Tallinn Manual on the International Law Cybersecurity, 5th Study Period 2014. See http://
Applicable to Cyber Warfare (2012). www.itu.int/ITU-D/study_groups or http://
www.itu.int/pub/D-STG-SG01.22.1-2014
9
J. Lewis and K. Timlin, Cybersecurity and Ron Deibert and Rafal Rohozinski, Shadows in
Cyberwarfare: Preliminary Assessment of the Cloud: Investigating Cyber Espionage 2.0, joint
National Doctrine and Organization, Center for report by the Information Warfare Monitor and
Strategic and International Studies, Washington, Shadowserver Foundation, JR-03-2010, April
DC, 2011. 6, 2010. http://shadows-in-the-cloud.net
National Initiative for Cybersecurity Careers U.S. Department of Defense, The DoD Cyber
and Studies http://niccs.us-cert.gov/glossary Strategy, April 2015, Washington, DC.
Neil Robinson, Luke Gribbon, Veronika World Economic Forum, Partnering for Cyber
Horvath and Kate Robertson, Cybersecurity Resilience: Towards the Quantification of Cyber
Threat Characterisation: A Rapid Compara- Threats. Industry Agenda item (in collabora-
tive Analysis (Santa Monica, CA: Rand Cor- tion with Deloitte), Ref. 301214, 2015.
poration, 2013), prepared for the Center for
Asymmetric Threat Studies (CATS), Swedish
National Defence College, Stockholm.
NIST Special Publication 800-82: Guide to
Industrial Control Systems Security, June
2011.
10
TABLE OF CONTENTS
Block T3-B2 International Standards and Requirements - A Survey of Bodies and Practices
Block T4-B1 National Practices, Policies and Organizations for Cyber Resilience
11
12
Theme 1: Cyberspace and the Fundamentals of Accordingly, students are introduced to basic cyber risk
Cybersecurity analysis methodology and management used to develop
systems architecture and strategies aimed at mitigating
Goal such risks.
The object of this theme is to lay the knowledge foun- Learning Outcomes
dations for all of the instruction that follows by identi-
fying the structural components of cyberspace3, its basic Students will be able to
architecture and the rudiments of cybersecurity. Iden-
tification and management of risk is the major shared describe what is meant by cyberspace and
challenge linking the disparate themes and subjects cybersecurity;
addressed in this curriculum. outline some basic vulnerabilities of developed
states to cyber threats, such as economic intel-
Description ligence gathering for national gain, individual
and enterprise profiling, data theft, database
The challenges of cyberspace and cybersecurity require
corruption or the hijacking of industrial con-
more than a simple rechristening of government organi-
trol systems or process control systems (e.g.,
zations responsible for information technology security
SCADA);
(IT security) or communications security (COMSEC).
The ubiquity of modern computer systems and the describe the basic topology of cyberspace,
ability to communicate or interact through a variety including its physical structures and how it is
of means, from mobile devices to wearable computers, governed by protocols and procedures; and
present a number of inherent vulnerabilities and pos- outline the basic considerations for appropriate
sible attack vectors for both state and non-state actors. security architecture.
Exploitation of the vulnerabilities may have broad
national security implications through deliberate acts of Suggested References
espionage, degradation of command and control facili-
ties, theft of intellectual property and sensitive personal Lukasz Godon, Structure of the Internet.
information, disruption of critical services and infra- http://internethistory.eu/index.php/structure-of-the-
structure, or economic and industrial damage. internet/
Through the five blocks of this theme, students will be Dave Clemente, Cyber Security and Global Interde-
exposed to the basic structure of cyberspace and to a pendence: What is Critical?, Chatham House Paper,
risk-based approach to cybersecurity. T1-B1, Cyber- The Royal Institute of International Affairs, ISBN 978-1-
security and CyberspaceAn Introduction, explores 86203-278-1, February 2013.
the origins and general shape of cyberspace and intro-
Communications Security Establishment Canada
duces the concept of cybersecurity. T1-B2, Information
(CSEC), Harmonized Threat and Risk Assessment (TRA)
Security and Risk, addresses the basics of information
Methodology, 23 October 2007.
security risk analysis methodology and explores a threat-
based approach to assessment. T1-B3, The Structures of D.P. Cornish, Cyber Security and Politically, Socially
Cyberspace: The Internet Backbone and National Infra- and Religiously Motivated Cyber Attacks, European
structures, explores the operation and architecture of Parliament Directorate-General for External Policies
the global Internet and its governance. T1-B4, Proto- of the Union, Directorate BPolicy Department,
cols and Platforms, introduces network technology and February 2009, EP/EXPO/B/AFET/FWC/2006-10/
information technology standards in order to explore the Lot4/15 PE 406.997. http://www.europarl.europa.eu/
basics of network design and operations. Finally, T1-B5, meetdocs/2004_2009/documents/dv/sede090209
Security Architecture and Security Management, intro- wsstudy_/SEDE090209wsstudy_en.pdf
duces the basics of security architecture based on threat,
risk and vulnerability analysis. Risk analysis must guide Chris Hall, Richard Clayton, Ross Anderson and Evan-
and inform the development of cyber architectures and gelos Ouzounis, Inter-X: Resilience of the Internet Inter-
strategy to limit known and unknown vulnerabilities connection EcosystemFull Report, ENISA, April 2011.
and threats at the organizational and national levels. http://www.enisa.europa.eu
3
Cyberspace has been defined here as the electronic world created by interconnected networks of information 13
technology and the information on those networks. Derived from Canadas Cyber Security Strategy, 2014.
R. Tehan, Cybersecurity: Authoritative Reports and
Resources, by Topic, Congressional Research Service,
CRS Report 7-7500 R42507, 15 April 2015. http://
www.crs.gov
14
Block T1-B1: Cybersecurity and CyberspaceAn process, ability or capability, or state whereby informa-
Introduction tion and communications systems and the information
contained therein are protected from and/or defended
Description against damage, unauthorized use or modification or
exploitation. That basic definition shapes what we have
Cyberspace consists of various network-connected included throughout this document.
computer systems and integrated telecommunications
systems. It has become a feature of modern society, Learning Outcomes
enhancing and enabling rapid communication, distrib-
uted command and control systems, mass data storage The student will be able to demonstrate understanding
and transfer and a range of highly distributed systems. at the appropriate level of
All of these are now taken for granted by society and
have become essential to business, our daily lives and the the significance of information and communi-
delivery of services. This ubiquity of and dependency on cation technologies and how they are changing
cyberspace can be seen even in military spheres, where the fabric of modern societies;
communications, command and control, intelligence the nuances of cybersecurity in different
and precision strike elements all rely on many cyber national and cultural contexts, with an
systems and related communication systems. The emphasis on their national approach and poli-
ubiquity of these interconnected systems has brought a cies;
measure of dependency and vulnerability to individuals,
key information communication technology
industries, and governments that is difficult to forecast,
challenges, key providers, key policy sources,
manage, mitigate or prevent. Some nations view such
key stakeholders, legal responsibilities and
vulnerable dependencies as an emerging national secu-
functional responsibilities;
rity or national defense concern and have tasked existing
elements of their security forces to respond, while other both positive and negative impacts of cyber-
nations have created wholly new organizations charged space on society;
with managing or coordinating national cybersecurity broad awareness of the threats and risks to the
policies. Cybersecurity has emerged as an important efficient and secure operation of cyberspace;
crosscutting issue that requires responses from individ-
uals, private businesses, non-government organizations, how the Internet is governed, operated and
the whole of government and a range of international maintained through a network of public, pri-
agencies and bodies. vate and not-for-profit institutions;
the unique national contexts in policy-making
This block aims to familiarize students with the infor- and local governance of the Internet;
mation communication technologies (ICTs) of this
domain, revealing their ubiquity and our attendant the role of standards and protocols in the design
dependency on such systems. The aim is to develop a of the Internet; and
broad sociological, technical and cultural appreciation the military and political imperatives associ-
of modern information technology, its multiple roles ated with cyberspace and the governance of the
and the impact of the notional environment of cyber- Internet.
space to modern life, statecraft and global communica-
tions. This block provides a primer for national security Issues for Potential Modules and Approaches to
students to gain a firm understanding of the topology Consider
and constructs of cyberspace and cybersecurity.
The depth of exploration will depend on the audience
For definitional clarity, we have relied on the U.S. and the time available; however, modules on the national
National Institute of Standards and Technology (NIST) Internet and telecommunications infrastructure, the
definition of cyberspace, the interdependent network of key service providers and the current division of respon-
information technology infrastructures, which includes sibilities for policies and broad security practices within
the Internet, telecommunications networks, computer the national government and defense organization may
systems, and embedded processors and controllers. all be addressed separately for clarity and emphasis.
Cybersecurity has been defined as the activity or
15
Learning Method/Assessment Paul E. Ceruzzi, A History of Modern Computing, 2nd ed.
(Cambridge, Mass.: MIT Press), 2003.
Teaching delivery may include lectures by subject
matter experts (SMEs), seminars, demonstrations, exer- Paul Hoffman, ed., The TAO of IETF: A Novices
cises and classroom simulations. Guide to the Internet Engineering Task Force, Internet
Engineering Task Force, 2015.
Students should be assessed through their participation
and discussion in joint reading exercises and debates, Barry Leiner, Vinton Cerf, David D. Clark, Robert E.
followed by a course knowledge test. Kahn, Leonard Kleinrock, Daniel C. Lynch, Jon Postel,
Larry G. Roberts and Stephen Wolff, Brief History of
References the Internet, accessed 25 April 2015. http://www.inter
netsociety.org/internet/what-internet/history-internet/
Jie Wang, A. Zachary Kissel, Introduction to Network brief-history-internet
Security: Theory and Practice, Singapore: Wiley, 2015.
ISBN 9781118939505. UIN: BLL01017585410. Marie-Laure Ryan, Lori Emerson and Benjamin J. Rob-
ertson, eds., The Johns Hopkins Guide to Digital Media
EU ENISA, Cybersecurity as an Economic Enabler (Baltimore: Johns Hopkins University Press), 2014.
Heraklion, Crete, Greece. March 2016. Available at:
www.enisa.europa.eu/publications/enisa-position- Lance Strate, The Varieties of Cyberspace: Prob-
papers-and-opinions/cybersecurity-as-an-economic- lems in Definition and Delimitation, Western Journal
enabler (Retrieved July 14, 2016). of Communication 63, no. 3 (1999): 382412.
doi:10.1080/10570319909374648
Bundesamt fr Sicherheit in der Informationstechnik
(BSI), The State of IT Security in Germany, 2015. The White House, International Strategy for Cyberspace
Available at: https://www.bsi.bund.de/SharedDocs/ Prosperity, Security, and Openness in a Networked World
Downloads/EN/BSI/Publications/Securitysituation/ (Washington, DC: Executive Office of the President of
IT-Security-Situation-in-Germany-2015.pdf?__blob= the United States, National Security Council), 2011.
publicationFile&v=2
16
T1-B2: Information Security and Risk Learning Outcomes
Learning Method/Assessment
IS comprises the mechanisms and processes that allow
access to physical assets and data contained on or flowing
Teaching delivery may include lectures and demonstra-
across those systems. Information security is focused on
tion with illustrations of actual practices and cases. The
the technology and operations concerned with security
students should be able to define information security,
applications and infrastructure. Information assurance
the cyber kill chain, APT and TRA.
(which may be given different titles nationally) includes
information security issues but also includes a focus on References
information management, data integrity and protection
regimes and protocols to reduce or manage overall risks A. Rutowski, Y. Kadobayashi, I. Furey, D. Rajnovic, R.
and mitigate the impact of incidents. The key security Martin and T. Takahashi, CYBEX The Cybersecurity
objectives generally include confidentiality, integrity, Information Exchange Framework (X.1500), ACM
availability, authentication and non-repudiation. There SIGCOMM Computer Communication Review, Vol.
are individual, organizational/enterprise and national- 40, no. 5, 2010. Available at: http://www.beepcore.org/
level information security practices and regimes. p59-3v40n5i-takahashi3A.pdf
4
Electronic IS often aims at a minimum to ensure service continuity, confidentiality, integrity, availability, authentication and non-
repudiationi.e., appropriate access at the appropriate level for authorized users.
5
As will be explained further, the TRA model weights information assets, threats, vulnerabilities and controls.
6
17
Here, the advanced means coordinated, purposeful and sophisticated and the persistent means continuous. In particular, APTs
entail smart agents with intent, seeking opportunity to read, alter, corrupt, deny access to, exploit or destroy cyber capabilities.
Babak Akhgar et al Application of Big Data for National D.E. Gelbstein, Information Security for Non-Technical
Security: A Practitioners Guide to Emerging Technolo- Managers, 1st Edition, 2013. ISBN 978-87-403-0488-6.
gies. Amsterdam: Butterworth-Heinemann, 2015.
ISBN 9780128019733. British Library Shelfmark: Eric M. Hutchins, Michael J. Clopperty and Rohan
General Reference Collection DRT ELD.DS.28766. M. Amin, Intelligence-Driven Computer Network
UIN: BLL01017039420. Defense Informed by Analysis of Adversary Campaigns
and Intrusion Kill Chains, Proceedings of the 6th Inter-
M. Watin-Augouard, Cyber-Menaces: Un Trait Sail- national Conference on Information Warfare and Security,
lant du Livre Blanc, in, Administration: Revue dtude Washington, DC, 1718 March 2011.
et dinformation Publie par lAssociation du Corps Pr-
fectoral et des Hauts Fonctionnaires du Ministre de Information Systems Audit and Control Association
lintrieur. No.239, 2013. Journal ISSN: 0223-5439. (ISACA), Advanced Persistent Threat Awareness Study
Results, USA, 2014.
H. Fukatsu, IT Security Against Cyber Attacks; A
Common Thread for Both Developed and Developing Richard Kissel, ed., Glossary of Key Information Security
Countries, in, Nihon Igaku Ho shasen Gakkai zasshi ; Terms, NIST Interagency Report (IR) 7298 Revision 2,
Asian Oceanian Congress of Radiology; AOCR 2014; NIST, Computer Security Division, Information Tech-
Kobe, Japan. Journal ISSN: 0048-0428. British Library nology Laboratory, May 2013.
Shelfmark: 6113.254000. UIN: ETOCCN087891561
Gil Klein, Unlocking the Secrets of Cybersecurity:
Safa, Nader Sohrabi, Rossouw Von Solms, and Lynn Industry experts discuss the challenges of hacking,
Futcher. Human aspects of information security in tracking, and attacking in a virtual world, University
organisations. Computer Fraud & Security 2016, no. of Maryland University College Achiever (Spring 2013):
2 (2016): 15-18. 620. https://www.umuc.edu/globalmedia/upload/
Spring2013-Achiever.pdf
Alshaikh, Moneer, Sean B. Maynard, Atif Ahmad,
and Shanton Chang. Information Security Policy: Gary Stoneburner, NIST Special Publication 800-33:
A Management Practice Perspective. arXiv preprint Underlying Technical Models for Information Technology
arXiv:1606.00890 (2016). Security, NIST, December 2001.
Ross J. Anderson, Security Engineering: A Guide to Common Criteria for Information Technology Secu-
Building Dependable Distributed Systems, 2nd Edition rity Evaluation, accessed 17 July 2015. http://www.
(Indianapolis, IN: Wiley), 2008. commoncriteriaportal.org/
18
T1-B3: The Structures of Cyberspace: The Internet Learning Outcomes
Backbone and National Infrastructures
Students will
Description
have an in-depth understanding the physical
This block aims to introduce students to the technical and virtual topology and governance of the
fabric of cyberspace, with a focus on global, national Internet backbone;
and enterprise infrastructure; this includes the archi- be able to explain the role of ASNs in the
tecture of the Internet, computer networks and cellular global interconnection of the Internet and the
networks. The logic of the general structure and the spe- responsibility of the Internet Assigned Num-
cific national topology (i.e., the specifics of the national bers Authority (IANA);
infrastructure supporting networks, telecommunica-
tions providers and routing conduits) should form the understand the relationship between high-level
major focus of this block. (Tier 1) ISPs, subordinate ISPs and end-user
local area networks (LANs);
Background be able to explain the role of authoritative
name servers in the global interconnection
The architecture of the Internet backbone comprises the
of the Internet and the responsibility of the
key data routes between the principal large computer
Internet Corporation for Assigned Names and
network systems and core routers. Commercial, gov-
Numbers (ICANN);
ernment, academic and other high-capacity network
centers host these networks and routers. They control understand the topology and geography of
Internet exchange points and network access points, their national cyberspace, including national
and they exchange Internet traffic between countries registries and ISP governance authorities; and
and continents. Commonly, large Internet service pro- be familiar with the structure and governance
viders (ISPs) (e.g., Tier 1 networks) participate in the of cellular/mobile networks and their Internet
exchange of Internet backbone traffic through privately connectivity in the national context.
negotiated interconnection agreements. Internet ser-
vice providers that manage discrete subdivisions of the Issues for Potential Modules and Approaches to
Internet called Autonomous Systems (AS) are registered Consider
and assigned an Autonomous System Number (ASN).
Routing and reachability between autonomous systems To provide an effective introduction to non-technical
are implemented via a set of Internet core routers using audiences, those using this reference curriculum to
the Border Gateway Protocol (BGP). The management frame a specific course or courses will have to give a
of the relationship between domain names (e.g. www. good deal of consideration to finding the appropriate
google.com) and the routable Internet addresses con- level of technical detail to ensure that the material is
trolled by the AS is performed by the Domain Name comprehensible to their students.
System (DNS) and its own registration authorities.
National network and telecommunications infrastruc-
A National Internet Registry (NIR) is an organization tures may be explored at some depth.
assigned responsibility for coordination of IP (Internet
Learning Method/Assessment
Protocol) address allocation and other Internet resource
management functions at a national level through an The teaching delivery may be by lecture and demon-
international Internet registry. A national government stration. Tours of national facilities, expert briefings and
may also regulate the ISPs within its economic region. challenging oral and practical examinations may enliven
the curriculum.
Cellular telephone/mobile device networks now make
up a large element of the Internet distribution infra- References
structure. These networks interconnect with the Internet
and are referred to as the mobile Web. Their general Konstantinos Moulinos, Rossella Mattioli, EU ENISA,
architecture and the national specifics should also be Communication network interdependencies in smart
explored in this block. grids, Heraklion, Crete, Greece. March 2016. Available
19
at: www.enisa.europa.eu/publications/communication- Rudolph van der Berg, How the Net works: An
network-interdependencies-in-smart-grids (Retrieved introduction to peering and transit, 2 September
July 14, 2016). 2008, accessed 17 July 2015. http://arstechnica.com/
features/2008/09/peering-and-transit/4/
Abdulrahman Alqahtani. Towards a framework for the
potential cyber-terrorist threat to critical national infra-
structure: A quantitative study Information and com-
puter security. Vol 23, No 5; 2015; 532-569. Journal ISSN:
2056-4961. British Library Shelfmark: 4481.796000.
UIN: ETOCvdc_100027180236.0x000001
20
T1-B4: Protocols and Platforms Alternatively, a physical view of the Internet can be
described by how protocols are implemented across net-
Description work devices and platforms (such as switches and routers,
gateways, proxies and firewalls) and the forms of inter-
Communicating systems use well-defined message for- connection among these network devices. For example,
mats, called protocols, for exchanging messages. A com- network switches implementing the Ethernet protocol
munication protocol is a system of rules for exchange of may connect computers on the LAN. The LANs may be
data within or between computers (networked or not). connected to network routers implementing the IP to
The protocols might be thought of as similar to the com- redirect packets of data between networks and perhaps
ponents of an address on an envelope placed in the mail, the rest of the Internet. A mail server connected to the
identifying the sender, the receiver and their respec- network might implement the SMTP.
tive coordinates. Each message has an exact meaning
intended to elicit a response from a range of possible A straightforward mapping of the relationship between
responses pre-determined for that particular situation. physical devices and their responsibility for protocol
Thus, a protocol must define the syntax (rules), seman- implementation is made difficult in contemporary net-
tics (meaning) and synchronization of communication; works by the introduction of virtual devices and net-
the specified behavior is typically independent of how it works. In such networks, the network devices and their
is to be handled or the various systems that it may pass interconnection can be implemented virtually by soft-
through in order to reach the intended destination. ware running on large servers (as in the case of cloud
computing). The virtualization of these systems adds
Each protocol layer and process has its inherent vulner- a layer of complication to security and is an emerging
abilities and risks, which may be explored at various issue that must be addressed.
levels of expertise. This topic may be discussed at a very
basic level but, given the appropriate audience, it may Protocol stacks can be designed and implemented for
be explored at the classified level. specialized applications. Industrial control systems
(ICSs) such as SCADA (Supervisory Control and Data
Background Acquisition) are an example of network communica-
tions protocol stacks being used for reporting sensor
There are two ways to envision and design a network
measurement data and sending control messages. In a
system.
power grid, for instance, they may be responsible for
The logical view of how the Internet works can be con- monitoring loading and switching supply connections
sidered to be protocol-based. A protocol stack is the based on shifting demand. The security of SCADA
software implementation of a set of communications systems is an important topic in the sphere of national
protocol standards. Protocol stacks govern how data is infrastructure security because the systems they control
packaged and moved. The protocol implementations may be of national significance. Many modern weapons
are typically arranged in a layered architecture (i.e., a systems employ electronic systems similar to those of
stack). Protocol implementations close to the bottom of industrial SCADA and they also may be vulnerable.
the stack perform more primitive communications ser-
Each protocol layer has its inherent risks and vulnerabil-
vices, such as the basic communication of a small chunk
ities. These can be explored at various levels of expertise,
of data to another computer on the local network (for
from general knowledge to expert (classified) level.
example, Ethernet). Higher up the stack, the protocols
provide services such as common addressing for global Definition of network security protocol
networks (e.g., IP), error correction and reassembling
larger data objects (e.g., TCP, or Transmission Control In general, network security protocols provide the secu-
Protocol). The highest-level protocols provide the most rity and integrity of data in transit over a network connec-
abstract application-level services, such as delivering tion. Network security protocols define the processes and
e-mail (SMTP (Simple Mail Transfer Protocol)) or web methodology to secure network data. No security protocol
page browsing (HTTP (Hypertext Transfer Protocol)). ensures security. Rather, each protocol provides a partic-
The higher layers in the protocol stack are dependent ular way of thwarting a specific approach to attacking the
upon the more basic services of the layers below. system or network. Note: there may be specific national
or agreed international definitions that apply.
21
Network security protocols often employ cryptog- grounded at the appropriate level given the particulars
raphy and encryption techniques to secure the data so of any particular course derived from this curriculum.
that it can be decrypted or altered only with a specific
algorithm, logical key, mathematical formula and/or References
combination of these. Popular network security pro-
tocols include Secure Shell (SSH), Secure File Transfer E. van Baars, R. Verbrugge, R. A communication algo-
Protocol (SFTP), Secure Hypertext Transfer Protocol rithm for teamwork in multi-agent environments,
(HTTPS) and Secure Socket Layer (SSL). Journal of Applied Non-Classical Logics, Logic and infor-
mation security; Leiden, The Netherlands, 2008; Sep,
Learning Outcomes 2009, 431-462, Lavoisier; 2009. British Library Shelf
Mark: 4943.400000, UIN: ETOCCN074941483
Students will be able to
C.W. Chan Key Exchange Protocols for Multiparty
describe and discuss the role and responsibili- Communication Services, International Symposium
ties of each of the standard network protocol on Cyber Worlds; Tokyo, 2002. Conference ISBN:
stack layers (TCP-/IP-based Internet protocol 0769518621. British Library Shelfmark: 4550.208900.
suite); UIN: ETOCCN046776823.
describe common network devices such as
hubs, switches, routers, gateways and appli- Jan Jatzkowski, Bernd Kleinjohann, Self-Reconfigura-
cation servers, the relationship between the tion of Real-Time Communication in Cyber-Physical
devices implementation of network protocol Systems, 2016. Electronic paper held at the British
stack layers and their functional role in the net- Library. UIN: ETOCvdc_100033448082.0x000001.
work;
J. Ivimaa, T. Kirt, Evolutionary Algorithms for
discuss the basic concepts of the virtualiza- Optimal Selection of Security Measures. Proceed-
tion of network devices and software-defined ings of the 10th European Conference on Information
networks, the impact of these concepts on Warfare and Security at the Tallinn University of Tech-
network architecture and their relationship to nology Tallinn, Estonia July 7-8, 2011, pp. 172-184.
cloud computing environments; Rain Ottis (eds). ISBN 9781908272065 (pbk.) UIN:
describe the basic elements of a SCADA-based BLL01015873308.
ICS environment (this can include ICS-specific
Qadir, Junaid, Arjuna Sathiaseelan, Liang Wang, and
components and their operating foundations
Barath Raghavan. Approximate Networking for Global
in standard Internet protocols); and
Access to the Internet for All (GAIA). arXiv preprint
identify and describe common security proto- arXiv:1603.07431 (2016).
cols, their relationship to the protocol-based
layered network architecture and the particular IEEE Standards Association, IEEE 802 Standards.
security vulnerability each protocol is designed http://standards.ieee.org/about/get/
to address.
Internet Engineering Task Force, Request for Com-
Issues for Potential Modules and Approaches to ments (RFC), accessed 17 July 2015. https://www.ietf.
Consider org/rfc.html
Industrial control systems (e.g., SCADA) and military Certiology, Network Devices, accessed 17 July 2015.
platform IT systems (PIT systems) could be explored http://www.certiology.com/computing/computer-net
in some detail to identify their vulnerabilities and their working/network-devices.html
attractiveness as targets.
Cisco Systems Inc., Virtual LANs VLAN Trunking
Learning Method/Assessment Protocol (VLANs VTP), accessed 17 July 2015. http://
www.cisco.com/c/en/us/tech/lan-switching/virtual-
Lecture, demonstration and case studies are recom- lans-vlan-trunking-protocol-vlans-vtp/index.html
mended. Assessment should be in written form and
22
D. Clark, The Design Philosophy of the DARPA
Internet Protocols, Proceedings of SIGCOMM 88,
10614 (New York: Association for Computing
Machinery), August 1988.
23
T1-B5: Security Architecture and Security Manage- that reduce the risk of the identified threat actors being
ment capable of compromising the identified assets. There
may be national standards for threat and risk assessment
Description and for design considerations and guidance in the selec-
tion of access control mechanisms and architectural lay-
This block deals with basic security architecture (BSA), outs.
which includes technological and operational aspects
and the human and management contexts that influ- The selection and organization of enterprise security
ence its form. The BSA at the national level establishes architecture is often described as a defense-in-depth, in
security architecture and practices to include infrastruc- which the coordinated use of multiple security mecha-
ture (e.g., telecommunications backbones), national- nisms protects the integrity of the information assets.
level content filters and governance structures for cyber- The defense of information assets begins with access
security. The general goal of this block is to teach the controls on their data and moves outward, through the
students how to design/construct security environments security mechanisms in the applications that access the
based on risk analysis so that the risks are within accept- data, the computer hosts that the applications run on
able thresholds. The architecture would include tech- and the fabric of the enterprise network, to the security
nical controls, physical controls, policies and training. perimeter of the enterprise, where it joins global net-
Examples of technical controls are firewalls, intrusion work infrastructure.
detection systems and log management. Examples
of physical controls include access management, fire The enterprise security architecture incorporates a suite
alarms and moisture control. Students will learn how of mechanisms designed to mitigate the risk for that
to conduct risk analysis and security configuration at a particular enterprise. Common mechanisms, or archi-
national level as well as at individual and organizational tectural elements, for implementing security policy
levels. include network zoning, firewalls, intrusion detection
systems (IDSs), anti-virus applications, cryptographic
The BSA is informed by national policies, various secu- techniques and security information and event man-
rity standards, system life cycle, design principles and agement (SIEM) systems. No single one of these sys-
physical architectural elements. In its examination of tems will ensure security. Attack techniques are varied
the design of BSAs, this block explores complemen- and can exploit vulnerabilities in the many protocols,
tary concepts of appropriate control of assets, physical systems and software applications comprising the enter-
and environmental control, management plans, human prise infrastructure.
aspects including screening of employees, continuity of
operations, contingency plans, and cyber systems resil- Security assurance activities are actions taken during
ience. development and evaluation of the enterprise security
architecture to ensure that the security measures in
Background place for a system are effective. Note: in some instances
such measures may prove more notional than real.
Security architecture should be policy-driven. That is, it For example, a data access control product will have
begins with an understanding of the information assets an advertised set of security functionalities. A related
under management. Central to this consideration is the assurance activity might be methodical testing of this
value of the information assets to the defender (i.e., the functionality by a recognized standards organization
impact of their loss or alteration) and the value of these to provide evidence that the product performs the cor-
assets to potential threat actors. It is this asset identifica- rect function, without error. Other examples of assur-
tion and valuation phase that drives the development of ance activities are formal or semi-formal design reviews,
the policy for controlling access to information. development of security guidance documents and
manuals for the user community and operators of the
The threat assessment phase identifies threat actors who
systems, management of security component life cycles,
could reasonably be expected to compromise the iden-
configuration management, management of the secu-
tified assets, and it identifies their technical capability.
rity of the architectural component developer/manufac-
The development of security architecture is driven by
turer environments, and trusted delivery of the archi-
the requirement to design a physical system and the
tectural components from the developer/manufacturer
associated assurance criteria and operations procedures
to the enterprise environment. Security assurance also
24
includes programs to provide background checks and mation, personnel screening and security clearance pro-
security clearances for personnel to establish a level of grams may require review and summation.
trust in the users and operators of the systems.
Learning Method/Assessment
Learning Outcomes
Teaching delivery may include small-group work on the
Student will human, technological and operational aspects.
Be able to discuss how the multiple layers of Guest lectures from private and state organizations can
security mechanisms are placed throughout enliven the discussion and learning experience.
a defense-in-depth enterprise architecture to
provide redundancy in the event that security Means of assessment will depend on the level of knowl-
controls fail or a vulnerability is exploited; edge required as appropriate for the specific students
Be able to suggest, at a rudimentary level, being taught.
appropriate security zoning and the placement
References
of measures such as firewalls using a network
diagram; S.A. Chun, V. Atluri, B.B. Bhattacharya, Risk-Based
Be aware of and understand the scope of Access Control for Personal Data Services, Statistical
national standards and guidance documents Science and Interdisciplinary Research; International
for conducting threat and risk assessments, set- Conference on Information Systems Security; Algo-
ting enterprise/organizational security policy rithms, Architectures; Kolkata, India, 2006; Dec, 2009,
and implementing security architecture; 263-284. Journal ISSN: 1793-6195. Conference ISBN:
9789812836236; 9812836233. British Library Shelf
Understand the relationship of the asset iden-
Mark: 8448.954000. UIN: ETOCCN071364080.
tification phase of threat and risk assessment
(TRA) to the specification of security policy Grard Desmaretz, Cyber Espionnage, Ou, Comment Tout
for the enterprise; le Monde pie Tout le Monde!, Paris: Chiron, 2007. ISBN
Understand the relationship of the threat assess- 9782702712122 (pbk.) UIN: BLL01014343705.
ment phase of the TRA to the identification of
A. Rutowski, Y. Kadobayashi, I. Furey, D. Rajnovic,
exploitable vulnerabilities by expected threat
R. Martin and T. Takahashi, CYBEX The Cyberse-
agents and understand how that drives the
curity Information Exchange Framework (X.1500),
requirements for security measures deployed
ACM SIGCOMM Computer Communication Review,
across the architecture of the enterprise; and
Vol.40, No.5, 2010.
Be aware of and understand the scope of the
national security classification system for the I. Atoum, A. Otoom, A.A. Ali, A Holistic Cyber
protection of documents and information and Security Implementation Framework, in, Informa-
be able to describe its relationship to personnel tion Management & Computer Security, Vol.22; No 3,
screening and security clearance programs. 2014, pp 251-264. Journal ISSN: 0968-5227. UIN:
ETOCRN359424579.
Issues for Potential Modules and Approaches to
Consider Yoo, Hyunguk, and Taeshik Shon. Challenges and
research directions for heterogeneous cyberphysical
Various forms of system architecture management and system based on IEC 61850: Vulnerabilities, security
network security zoning should be discussed to enable requirements, and security architecture. Future Gen-
the students to assess the models their organization has eration Computer Systems 61 (2016): 128-136.
adopted or should adopt.
Australian Government, Department of Defence, Intel-
Human factors engineering and social engineering ligence and Security, Australian Government Information
exploitation gambits may warrant detailed examination. Security Manual: Controls, issued under the authority
of Dr. Paul Taloni, Director, Australian Signals Direc-
The basic national security classification system for torate, Commonwealth of Australia, 2015. See www.
physical access, the protection of documents and infor- protectivesecurity.gov.au
25
Australian Government, Department of Defence, Intel- Anthony Thorn, Tobias Christen, Beatrice Gruber,
ligence and Security, Australian Government Information Roland Portman and Lukas Ruf, What is a Security
Security Manual: Principles, issued under the authority Architecture? paper by the Working Group Security
of Dr. Paul Taloni, Director, Australian Signals Direc- Architecture, Information Security Society Switzerland
torate, Commonwealth of Australia, 2015. See www. (ISSS), 29 September 2008.
protectivesecurity.gov.au
26
NATO and non-NATO members unite in authoring Cybersecurity Reference Curri-
culum. Meeting of the Moldovan Minister of Defence with the editors.
27
28
Theme 2: Risk Vectors Suggested References
Learning Objectives
29
T2-B1: Supply Chain/Vendors Learning Method/Assessment
The whole supply chain is a known vulnerability. Moni- Possible: Map a supply chain and identify risk areas.
toring and securing of supply chains can be extremely
challenging in the global marketplace. Supply chain References
security challenges include integrity and quality and
security assurance as well as prevention of disruptions, A. Sokolov, V. Mesropyan, A. Chulok, A, Aje, Supply
exploits and follow-on attacks. Global supply chains Chain Cyber Security: A Russian outlook, Technova-
include the routes taken by sensitive equipment from tion: an International Journal of Technical Innovation and
the production stage through shipment, for both single Entrepreneurship. 2014. Vol 34; No. 7; 2014, 389-391.
components and finished products such as hardware and Journal ISSN: 0166-4972. British Library Shelfmark:
software. Supply chains are vulnerable to disruption: 8761.150000. UIN: ETOCRN353289650.
products may be intercepted and tampered with and
Florin Gheorghe Filip, Luminita Duta, Deci-
defective elements or malicious code may be introduced
sion Support Systems in Reverse Supply Chain
at various stages of their manufacture, shipping, storage,
Management, Elsevier Paper, 2015. UIN:
installation or repair, and valuable data may be extracted
ETOCvdc_100030799942.0x000001.
during disposal. Thus, tampering may occur anywhere
in a products life cycle. Other nodes of an institutional Dmitry Ivanov, Alexandre Dolgui, Boris Sokolov, Boris,
or national infrastructure can also be compromised Frank Werner, Marina Ivanova, A Dynamic Model and
through the supply chain or through vendors, resulting an Algorithm for Short-Term Supply Chain Scheduling in
in unusual breaches. Can your providers guarantee suf- the Smart Factory Industry 4.0, in International Journal
ficient security? What needs to be done to create security of Production Research, Vol.54, Issue 2, (2016); 2016; pp
in the whole supply chain? 386-402. Journal ISSN: 0020-7543. (Electronic). British
Library Shelfmark: ELD Digital store 4542.486000.
Learning Outcomes
UIN: ETOCvdc_100031962439.0x000001
Students will
J. Sztipanovits, et al. OpenMETA: A Model-and Com-
understand key challenges regarding the life ponent-Based Design Tool Chain for Cyber-Physical
cycle of products, from cradle to grave; Systems, in Journal on Data Semantics. No. 8415,
(2014), pp 235-248. Journal ISSN: 0302-9743. UIN:
be able to explain the role of configuration
ETOCRN350535700.
management (i.e., system design) in relation to
supply chain security; and Lu, Tianbo, Xiaobo Guo, Bing Xu, Lingling Zhao, Yong
understand the role and requirements of articu- Peng, and Hongyu Yang. Next Big Thing in Big Data:
lated policies and practices for supply chain risk The security of the ict supply chain. In Social Com-
management. puting (SocialCom), 2013 International Conference on,
pp. 1066-1073. IEEE, 2013.
Issues for Potential Modules and Approaches to Con-
sider Jon Boyens, Celia Paulsen, Rama Moorthy and Nadya
Bartol, Supply Chain Risk Management for Federal
Vulnerabilities of supply chain to cyber crime
Information Systems and Organizations, NIST Special
and espionage
Publication 800-161, Second Public Draft, U.S. Depart-
Risk mitigation approaches and best practices ment of Commerce, Washington, DC, 2014.
Existing national supply chain risk mitigation
Steven R. Chabinsky Cybersecurity Strategy: A Primer
policies and practices
for Policy Makers and Those on the Front Lines, Journal
of National Security Law & Policy 4, no. 1 (2010): 27.
30
Trusted Computing Group. Fact Sheet. 2009. http://
www.trustedcomputinggroup.org/files/resource_
files/7f38fa36-1d09-3519-add14cb3d28efea6/fact%20
sheet%20May202009.pdf
31
T2-B2: Remote- and Proximity-Access Attacks HTTPS), file transfer services (FTP) and e-mail services
(SMTP, POP3 or IMAP). Remote attacks can target
Description vulnerabilities in the server (software or configuration
errors) that allow the attacker to access information
Cyber attacks can be considered to be either remote from or even gain remote control of the server com-
or local. Local attacks, however, can be categorized puter.
as those conducted through proximity access to sys-
tems or through a trusted insider. Insider attacks are Remote server-side attacks can be conducted if the
addressed separately in Block T2-B3. Remote access attacker can identify a misconfiguration or error in
refers to all methods and approaches taken to access or the software implemented on the server. For example,
disrupt networks where there is no apparent physical an error in the configuration settings might allow an
access to the systems hardware. In a remote attack, an attacker to inappropriately enter a mode reserved for
attacker may have had no prior physical access to the system maintenance, thus gaining very broad access to
system under attack; the attackers access is via a net- the system. Another example is an attack on an HTTP
work or other communication device and the attacker web server that uses a database back end to provide its
may have no previously established privilege on the data resources. Improperly vetted web page requests
system. Conversely, in local attacks, an attacker gener- from an attacker can allow the attacker to pass dan-
ally has some form of established access or privilege on gerous database command strings to the back end
or to the system and attempts to increase his/her level database; this can give control of the database to the
of privilege to gain unauthorized access to information. attacker. This style of attack is called SQL (Structured
Such activity conducted by a malign actor who is not Query Language) injection.
a trusted insider we will address as a proximity-access
attack in this document. As Chabinsky (2010) explains, The advent of better protection for servers (firewalls,
proximity accessbased attack refers to the ability of access control, etc.) has moved the focus of attack from
a malign actor to disrupt, intercept or otherwise access the server to the client applications. However, client
networks and computer systems while in close prox- applications cannot be contacted directly on the net-
imity to their various components, such as worksta- work; client applications are always the initiators of
tions, cables or wireless receivers. Proximity access is communication exchanges. Instead, the attacker must
a form of remote access. Common techniques such as find a way to entice the user of the client application
wireless sniffing (interception of and access to infor- to contact a malicious server that can corrupt the client
mation sent over wireless networks), keyboard stroke application during the exchange. Such luring or entrap-
recording, screen capture, man-in-the-middle intercep- ment activities, referred to by a variety of names, are
tion and insertion of malicious code through physical distinct ploys employing principals of social engineering
means are ways in which attackers can use proximity to convince the operator to undertake behaviors such as
access to exploit vulnerabilities. opening an infected e-mail attachment.
In classic network applications, there is a concept of understand and be able to describe a remote
client and server. A client software application sends accessbased attack scenario, identify the con-
requests to a server software application in accordance stituent parts of such an attack, and contrast
with some protocol, asking for information or for an this with proximity accessbased attack sce-
action to be performed. The client always initiates the narios;
communication. The server always waits to be contacted be familiar with the structure of client-server-
at some known address on the network. Protocols con- based applications and their network topology
trolling this behavior include web services (HTTP or and be able to identify how common protocols
32
such as HTTP, HTTPS, FTP and e-mail pro- ical and Relational Proximities, Journal of Regional
tocols fit this model; Science, Vol.53, No.5, 2013. Journal ISSN: 1467-9787.
be able describe how server-side attacks are
E. Anyefru, Cyber-Nationalism: The imagined Anglo-
informed through an intelligence-gathering
phone Cameroon Community in Cyberspace, in
phase using techniques such as network vulner-
African Identities, Vol.6, No.3, (2008), pp 253-274.
ability analysis tools and fuzzing and explain
Journal ISSN: 1472-5843. British Library Shelfmark:
why network vulnerability analysis tools are
0732.501500. UIN: ETOCRN234554771
valuable to both the attacker and the defender;
have a rudimentary knowledge of server-side A. Almalawi, X Yu, Z Tari, A. Fahad, I. Khalil, An
attack scenarios such as exploitation of weak Unsupervised Anomaly-Based Detection Approach for
configurations, IP spoofing, Denial of Service Integrity Attacks on SCADA systems, in Computers
and Distributed Denial of Service (DoS and & Security. Vol. 46, (2014), pp 94-110. Journal ISSN:
DDoS), SQL injection and network protocol 0167-4048 . British Library Shelfmark: 3394.781000.
based buffer overflows; UIN: ETOCRN359669860 .
be able to describe how the maturing of secu- Y Li, L Shi, P Cheng, J Chen, D.E. Quevedo, Jamming
rity at the network perimeter and improvement Attacks on Remote State Estimation in Cyber-Physical
in server security has led to development and Systems: A Game-Theoretic Approach, IEEE Trans-
proliferation of client-side attack techniques; actions on Automatic Control. Vol.60; No.10, 2015.
have a rudimentary knowledge of client-side Journal ISSN: 0018-9286. UIN: ETOCRN375325720.
attack scenarios such as cross-sight scripting,
cross-site request forgery, web browser exploits Steven R. Chabinsky, Cybersecurity Strategy: A Primer
and Trojan documents; and for Policy Makers and Those on the Front Lines, Journal
of National Security Law & Policy 4, no.1 (2010): 27.
be able to identify and discuss the relation-
ship between client-side attacks and social Shirley Radack, ed., Information Technology Labora-
engineering techniques such as phishing and tory Bulletin: Log Management: Using Computer and
watering hole attacks. Network Records to Improve Information Security, 1, 2
(October 2006), National Institute of Standards and
Issues for Potential Modules and Approaches to
Technology, Technology Administration, U.S. Depart-
Consider
ment of Commerce. http://csrc.nist.gov/publications/
The depth of technical coverage may need to nistbul/b-10-06.pdf
vary greatly, given time constraints and the
technical background of students. Murugiah Souppaya and Karen Scarfone, Guide to Mal-
ware Incident Prevention and Handling for Desktops and
Exploration of various types of attacks Laptops, NIST Special Publication 800-83, Revision1,
employing methods of social engineering U.S. Department of Commerce, July 2013. http://
Learning Method/Assessment dx.doi.org/10.6028/NIST.SP.800-83r1
Teaching delivery may include lecture and demonstra- U.S. Department of Homeland Security, U.S. Com-
tion. Presentations by current network administrators puter Emergency Readiness Team, Using Wireless Tech-
can speak to the constant persistent threats. Real national nology Securely, US-CERT, 2008. http://www.us-cert.
examples should be generated and identified to illustrate gov/reading_room/Wireless-Security.pdf
the practical and immediate issues. Various practical
assessment measures should be developed, depending
on the level of depth the students are expected to reach.
References
33
T2-B3: Insider Access (Local-access Attacks) narios, both essentially local-access attacks, and many of
the mitigation techniques are similar.
Description
One of the foundational principles used to limit local
A computer-based attack of an information system or accessbased attack vulnerabilities is the need-to-know
network exploits a weakness in the system or a software principle, in which users have access to only the infor-
program to carry out some form of malicious action to mation necessary for the conduct of their official duties.
compromise the confidentiality, integrity or availability The principle of least privilege is applied to the design
of information. Such exploits can be considered either and implementation of the access control policy/rules to
remote or local. In local exploits, attackers have previ- ensure that users access only the resources about which
ously established access to the system under attackthat they have a need to know. This philosophy is extended
is, they already have some privilege on the system and to include the principle of separation of dutiesfor
the attacks are attempts to increase this level of privilege example, ensuring that one administrator is not able to
to gain unauthorized access to information. This block both make changes to security policy and also approve
considers local-access attacks. Malicious insiders who those changes.
can physically access or use various systems can cause
significant damage to an operation, company or orga- Compartmentalization is also a classic principle for lim-
nization. They may do this for money, for revenge or iting the impact of local-access attacks. Network secu-
because they have a grudge or are ideologically opposed rity zoning is an effective compartmentalization tech-
to the organization. However, it is also possible to inflict nique. Network zoning is used to mitigate the risk by
similar loss or disruption through operator error or segmenting infrastructure services into logical groupings
other negligence. that have the same communication security policies and
security requirements. The zones are separated by secu-
Background rity perimeters imposed through security and network
devices (firewalls, IDSs, data loss prevention software).
Privilege in computer security is the permission to
perform an action. In this case, permission is a right a Given the range of vulnerabilities identified in this block,
particular user has to access a particular system resource, the logic of programs and procedures designed to mini-
such as a file or an application, to use certain system mize the vulnerabilities inherent to system access using
commands, or to access a particular service, such as a prevention, detection and deterrent approaches should
network device. Typically the policy for controlling emerge. Such measures will be more fully explored else-
the level of privilege a user has is controlled through where in this curriculum.
proper authentication of the electronic identity of the
user and the employment of a set of access control Learning Outcomes
rules (protocols) that govern the read, write and pro-
gram execution actions of the user on the system. An Students will
attacker may attempt to raise privilege and gain access
demonstrate an awareness of threats to an
to more information on the system by taking over
organization that may come from individuals
another users identity (often by taking over a program
within the organization;
being run by a higher-privilege user) or by modifying
the imbedded security policy protocols. If attackers be able to describe local-access attacks and
gain enough privilege, they can assume administrative identify the constituent parts of such an attack;
control of the system. The attacker in such a scenario be able to explain the differences between a
may be an authorized user of the systema malicious remote-access attack and a local-access attack;
insider trying to perform actions that are not permitted.
Alternatively, the attacker may be someone outside of demonstrate an understanding of the concepts
the organization, performing a remote attack in order to of permissions and privilege and how these
take over the credentials of a user with limited privilege. are used to control user access to information
From that access point, the attacker may use the stolen resources on a system;
credentials to perform a local-access attack to raise his display a basic knowledge of techniques used
or her privilege level, thus gaining wider access. Techni- by attackers to abuse their current privilege
cally, it is difficult to distinguish between these two sce- levels and to raise privilege;
34
be able to explain the application of the prin- References
ciple of least privilege and need-to-know and
how they can be used to construct security Markus Kont, Mauno Pihelgas, Jesse Wojtkowiak,Lorena
policy; and Trinberg, Anna-Maria Osula, NATO Cooperative
Cyber Defence Centre of Excellence, Tallinn, 2015
be able to identify how sound network security
Insider Threat Detection Study. Available at: https://
zoning policy can be used to compartmentalize
ccdcoe.org/sites/default/files/multimedia/pdf/Insider_
information.
Threat_Study_CCDCOE.pdf
Issues for Potential Modules and Approaches to
Consider P. Gola and G. Wronka, Handbuch zum Arbeitnehmer-
datenschutz, Rechtsfragen und Handlungshilfen fr die
Policies and programs for personnel training, betriebliche Praxis, 5th ed., Cologne, 2009
vetting, threat mitigation and general aware-
ness of the problems inherent to physical access F. Schwand, Wenn Mitarbeiter Unternehmens-Lap-
to systems and components should all be take- tops privat nutzen, besteht Regelungsbedarf, acant.
aways from this block but may be examined at service GmbH, 23 April 2014. [Online]. Available:
varied levels of detail. http://www.acantmakler.de/2014/04/23/unternehmen-
laptops-private-nutzung/ [Accessed 14 September 2015]
Working through real-life and national exam-
ples would be a good way to engage students Estonian Data Protection Inspectorate (Andmekaitse
with the subject. Inspektsioon), Isikuandmete ttlemine tsuhetes,
Tools for discovering the presence and dis- 2011. [Online]. Available: http://www.aki.ee/sites/
cerning the characteristics of threats active in a www.aki.ee/files/elfinder/article_files/Isikuandmed%20
network may be discussed. t%C3%B6%C3%B6suhe58tes%20juhendmaterjal26%20
05%202014_0.pdf [Accessed 16 July 2015]
Learning Method/Assessment
Deutscher Bundestag, Entwurf eines Gesetzes zur Rege-
Lectures on and demonstrations of examples are recom- lung des Beschftigtendatenschutzes, 15 December
mended. 2010. [Online]. Available at: http://dipbt.bundestag.
de/dip21/btd/17/042/1704230.pdf
Case studies, example scenarios and forensic examina-
tion of actual cases should be discussed. Centre for the Protection of National Infrastructure,
Insider misuse of IT systems, May 2013. https://www.
A possible sophisticated exercise: Have students, cpni.gov.uk/documents/publications/2013/2013008-
working in teams, find and analyze a real-world example insider-misuse_of_it_systems.pdf?epslanguage=en-gb and
of a malicious insider attack and propose methods also see Cyber Insiders, https://www.cpni.gov.uk/advice/
whereby the threat could have been avoided. Students cyber/Cyber-research-programmes/Cyber-insiders/
could work through an example of a malicious insider
abusing his privilege to compromise resources to which Communications Security Establishment Canada, Infor-
he does not have need-to-know access. mation Technology Security Guideline: Network Security
Zoning: Design Considerations for Placement of Services
Methods of assessment should depend on the level of within Zones (ITSG-38), May 2009. https://cse-cst.
knowledge the students will be required to demonstrate gc.ca/en/system/files/pdf_documents/itsg38-eng_0.pdf
in accordance with the learning and performance objec-
tives desired for the particular course they may be on. P.A. Legg et al., Towards a Conceptual Model and Rea-
soning Structure for Insider Threat Detection, Cyber
Security Centre, Department of Computer Science,
University of Oxford, 2013. https://www.cpni.gov.uk/
documents/publications/2014/2014-04-16-insider_
threat_detection.pdf?epslanguage=en-gb
35
2014 Security and Privacy Workshops. https://www.
cpni.gov.uk/documents/publications/2014/2014-
04-16-understanding_insider_threat_framework.
pdf?epslanguage=en-gb or http://www.ieee-secrity.org/
TC/SPW2014/papers/5103a214.pdf
36
T2-B4: Mobility Risks, BYOD and Emerging Trends (applications, etc.) on personal devices may not be
installed consistently, as the owner maintains ultimate
Description administrative control of the device. An insecure device,
like a personal smart phone, cannot be made secure by
The societal shift to mobile communications is irrevers- simply installing secure applications or security tools.
ible and its security ramifications are poorly understood. There are a number of practices that can make personal
Further, the rise of social media such as Facebook and devices more secure or limit the risks they pose. These
Twitter is transforming interpersonal and global com- rely on the security architecture to limit the devices
munications. Digital footprints of individuals and access to the enterprise network and to limit the infor-
organization, distributed access from insecure personal mation that can be moved to the device. Zoning policies
devices to systems that may tie to secure systems, com- that provide network segmentation and segregation can
mercial carriers, and a series of similar and new devel- enable the implementation of workforce mobility and a
opments pose risks to sensitive data and systems. For relatively secure BYOD systems strategy. However, the
instance, the loss or theft of a laptop computer or mobile more secure solutions exist in tension with the usability
phone with electronic contacts, documents or shortcuts of the personal devices.
may prove damaging to an individual, an organization,
a company or a country. This block addresses security Additionally, the move to the use of infrastructure pro-
issues associated with these trends. vided as a service through cloud technologies is leading
to a potential loss of control of basic security architecture
BYOD (Bring Your Own Device) is the policy of per- and security practices. Mobile devices themselves create
mitting employees to bring personally owned mobile data streams that may be of interest to both foreign
devices (laptops, tablets and mobile phones) to their intelligence agencies and commercial entities. The use
workplace and to use those devices, in the course of their of social media also exposes individuals to exploitation
work, to access privileged information and applications. of information that they have disclosed that is accessed
This policy creates tension between the organization, or stored on their mobile devices, exposing a wealth of
whose security policies are designed to control the confi- potentially compromising information on relationships,
dentiality and integrity of its information resources, and opinions, locations and habits. Such social media sites
the employees, who wish to maintain ownership of the may also act as threat vectors by serving as a conduit
device and personal data and to protect themselves from into various IT systems, making them vulnerable to
monitoring. Organizations must establish policies and infection or intrusion. Social media may also be a useful
practices for situations when an employee leaves a posi- conduit for dissemination of propaganda and disin-
tion or when a device is lost, stolen or sold and to ensure formation, crowd sourcing, mass messaging for crowd
that unsecured devices cannot be used by attackers to mobilization, and similar activities.
gain network access to enterprise systems. The use of
the cloud for storage of data presents similar problems Learning Outcomes
of access and configuration control.
Students will
Background
demonstrate an understanding of the positive
and negative aspects of security policy trade-
Common enterprise security practice is to build care-
offs related to social media use in the enter-
fully zoned security architecture and provide controlled
prise environment from the employees and the
choke points to manage access to the Internet. A
employers perspectives;
BYOD policy for Internet-capable devices introduces
new access points that are not likely to be under the be able to analyze mobility and BYOD policies
control of the enterprise security policy. It is a basic in the context of enterprise security architec-
computer security principle that in a computer system, ture and identify security and usability trade-
the integrity of lower layers is typically treated as axi- offs; and
omatic by higher layers. This precludes implementation
be able to analyze cloud computing policies
on the personal device of security policies for enterprise
with respect to information storage and pro-
applications that cannot be subverted by the person
cessing (e.g., health records, government/mili-
in control of the BYOD operating system, typically
tary data) in national and international con-
the owner. In other words, enterprise security systems
texts.
37
Issues for Potential Modules and Approaches to high%20level%20officials%20and%20decision-
Consider makers.pdf
Capabilities of threat actors will be addressed Gabriele Costa , Merlo Alessio, Luca Verderame,
at the appropriate level of detail for the specific Konrad Wrona, Developing a NATO BYOD Secu-
audience. rity Policy, 2016 International Conference on Mili-
Creating an awareness of the need for adapt- tary Communications and Information Systems
ability of security to ever-changing technology. (ICMCIS). IEEEm Brussels, Belguim, May 23-24,
2016. DOI: 10.1109/ICMCIS.2016.7496587. Avail-
The unique requirements for and limitations of
able at: http://ieeexplore.ieee.org/xpl/abstractAu
mobile communications platforms, including
thors.jsp?tp=&arnumber=7496587&url=http%3
BYOD.
A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.
The unique requirements for and limitations of jsp%3Farnumber%3D7496587
cloud usage.
Ree C. Ho , Hiang K. Chua, The Influence of Mobile
The establishment and adoption of best prac-
Learning on Learners Absorptive Capacity: A Case of
tices in an enterprise setting, based on national
Bring-Your-Own-Device (BYOD) Learning Environ-
and international guidance.
ment, in, Taylors 7th Teaching and Learning Conference
The exploitation of personal information 2014 Proceedings, Singapore: Springer,2015. pp471-
shared on social mediaHave you Googled 479. 2015. DOI: 10.1007/978-981-287-399-6_43.
yourself today? discussion and exercise. Print ISBN: 978-981-287-398-9. Online ISBN: 978-
981-287-399-6.
Learning Method/Assessment
Suri, Niranjan, Mauro Tortonesi, James Michaelis, Peter
Teaching delivery may include presentations, in-class Budulas, Giacomo Benincasa, Stephen Russell, Cesare
discussions, breakout groups and discussion of case Stefanelli, and Robert Winkler. Analyzing the applica-
studies. bility of Internet of Things to the battlefield environ-
ment. In 2016 International Conference on Military
Continual assessment of class and group discussion per-
Communications and Information Systems (ICMCIS),
formance and participation should be conducted.
pp. 1-8. IEEE, 2016.
References
Porche III, Isaac R. Emerging Cyber Threats and Impli-
N. Mastali and J. I. Agbinya, Authentication of sub- cations. RAND Corporation, 2016.
jects and devices using biometrics and identity man-
W. Arbaugh, D. Farber and J. Smith, A Secure and
agement systems for persuasive mobile computing:
Reliable Bootstrap Architecture, Proceedings of the 1997
A survey paper, in 2010 Fifth International Confer-
IEEE Symposium on Security and Privacy (Oakland, CA)
ence on Broadband and Biomedical Communications
1997, 6571.
(IB2Com), 2010.
D.P. Cornish, Cyber Security and Politically, Socially
H. Krkkinen, Apple myy Suomessa vaarallisia puhelimia
and Religiously Motivated Cyber Attacks, EU DG-For
ja sulkee kauppiaiden suut, 30 October 2014. [Online].
External Policies of the [European] Union Direc-
Available:http://www.digitoday.fi/tietoturva/2014/10/30/
torate BPolicy, February 2009. http://www.europarl.
applemyysuomessavaarallisiapuhelimiajasulkee
europa.eu/meetdocs/2004_2009/documents/dv/
kauppiaidensuut/201415103/66. [Accessed July 2016]
sede090209wsstudy_/SEDE090209wsstudy_en.pdf
Teemu Visnen, Alexandria Farar, Nikolaos Pissanidis,
Ravi Gupta and Hugh Brooks, Using Social Media for
Christian Braccini, Bernhards Blumbergs, and Enrique
Global Security (Indianapolis, IN: John Wiley & Sons),
Diez. NATO Cooperative Cyber Defence Centre of
2013, ISBN 978-1-118-44231-9.
Excellence, Tallinn, 2015 Defending mobile devices
for highlevel officials and decision-makers. Available
at: https://ccdcoe.org/sites/default/files/multimedia/
pdf/Defending%20mobile%20devices%20for%20
38
Zeb Hallock et al., Cisco Unified Access (UA) and Bring
Your Own Device (BYOD) CVD, Cisco Systems, Inc.,
revised 28 August 2014, accessed 30 July 2015. http://
www.cisco.com/c/en/us/td/docs/solutions/Enterprise/
Borderless_Networks/Unified_Access/BYOD_Design_
Guide.pdf
39
40
Theme 3: International Cybersecurity Organiza- identify the chief national organizations
tions, Policies and Standards responsible for cybersecurity;
identify and understand the roles and require-
Goal
ments of national and international standards
The broad objective of this theme is to expose students agencies;
to international standards and organizations, such as the understand the significance of the relationship
U.S. NIST and the British BSI (and possibly others), between cybersecurity, intelligence and mili-
and the ways in which these relate to national contexts. tary institutions;
Students will come to identify the role of international
be able to analyze national practices and poli-
standards bodies and identify the major international
cies in light of international standards and
organizations with cybersecurity roles or functions. Fur-
good practice;
ther, they should examine their national cybersecurity
policies in light of international standards and recom- understand the roles of key international orga-
mended best practices and do so by comparing them nizations that play a leading role in cybersecu-
to several example national policies. Finally, this theme rity; and
area will address evolving international legal regimes for
be familiar with the evolving international
cybersecurity.
legal framework and the national governments
official policy positions within this emerging
Description
regime.
Each nation will have to tailor this section to its needs, Suggested References
identifying its national bodies responsible for cybersecu-
rity policy and practices and how these affect their respec- European Union External Action, EU International
tive cybersecurity policies and organizations. While par- Cyberspace Policy. http://eeas.europa.eu/policies/
ticulars will vary for each nation, the approach taken eu-cyber-security/index_en.htm
to present this theme may follow these lines: T3-B1,
International Cybersecurity Organizations, as relevant IT Governance Ltd., Information Security & ISO
to the national context; T3-B2, International Standards 27001: An Introduction, IT Governance Green Paper,
and RequirementsA Survey of Bodies and Practices; October 2013.
T3-B3, National Cybersecurity Frameworks, which is
Klimburg, Alexander, ed., National Cyber Security
aimed at analyzing national frameworks in comparison
Framework Manual, NATO Cooperative Cyber Defence
to those of other nations; and T3-B4, Cybersecurity in
Centre of Excellence, Tallinn, Estonia, 2012.
National and International Law.
National Institute of Standards and Technology, U.S.
Learning Objectives Department of Commerce, Security and Privacy Con-
trols for Federal Information Systems and Organizations,
As it is an emerging security issue, various national and
Joint Task Force Transformation Initiative, NIST Spe-
international responses to cybersecurity are taking shape
cial Publication 800-53, Revision 4, April 2013. http://
in existing organizations and in new organizations. As a
dx.doi.org/10.6028/NIST.SP.800-53r4
national crosscutting issue, cybersecurity requires high-
level policy and coordination, but national responses PricewaterhouseCoopers LLP, Why you should adopt
have been quite varied. the NIST Cybersecurity Framework, May 2014.
https://www.pwc.com/us/en/increasing-it-effectiveness/
Through exploring the emerging practice of states devel- publications/assets/adopt-the-nist.pdf
oping national policies for governmental, commercial
and individual cybersecurity and supporting non-state The White House, Cyberspace Policy Review. https://
actors in developing regimes to manage the risks and www.whitehouse.gov/cyberreview/documents
threats, the student will
U.S. Government Accountability Office, Report to
develop an awareness that the national and Congress: Cyberspace: United States Faces Challenges in
international responses require some form of Addressing Global Cybersecurity and Governance, GAO-
multi-stakeholder approach; 10-606, July 2010.
41
T3-B1: International Cybersecurity Organizations Learning Outcomes
The number of international organizations, govern- articulate the various challenges affecting gov-
mental and non-governmental, concerned with global ernments and their interactions with interna-
or regional cybersecurity issues is large and growing. tional organizations;
Their interests range from investigative to regulatory to identify major international organizations,
legal and policy advocacy, oversight and a range of other their policy focus and their role in informing
interests. Many of these organizations work towards and supporting national cybersecurity; and
collective approaches to solving cyber challenges, while
identify the national organizations with
others may serve to amplify national or commercial
responsibilities for international cooperation
goals. For various reasons their varied recommendations
and engagement.
must be considered critically.
Issues for Potential Modules and Approaches to
The website maintained by the NATO Cooperative
Consider
Cyber Defence Center of Excellence (CCD COE),
https://ccdcoe.org/, is a good source for links to many A national SME should be used to identify the nations
regional agencies concerned with broad cybersecurity most important international bodies on which the
policy and practice. These include the European Union nation relies for guidance and through which it expresses
(see particularly the work of the European Agency for its concerns.
Network and Information Security, ENISA (https://
www.enisa.europa.eu/)), the Organisation for Secu- Other topics that may be covered may include the fol-
rity and Co-operation in Europe, OSCE (http://www. lowing:
osce.org/), the United Nations (http://www.un.org/en/
index.html), and of course NATO (http://www.nato. Key international bodies important for
int/). Beyond those sources there are also agencies such informing national practices: the EU, NATO,
as the Global Forum for Incident Response and Security U.S. Government (Cyber Command, etc.) and
Teams (www.first.org), the International Multilateral Europol (see www.europol.europa.eu/ec3)
Partnership Against Cyber Threats (IMPACT), and the How national interests intersect with interna-
Armed Forces Communications and Electronics Associ- tional organizations and their goals
ation (AFCEA). ENISA maintains and regularly updates
Identification of positive and negative aspects
a list of EU member states cyber crises response orga-
of international organizational approaches to
nizations or cyber emergency response teams (CERTs).
cybersecurity
Other international bodies concerned with cybersecu- National arrangements and mechanisms for
rity include the International Organization for Stan- resolving international challenges
dardization (discussed in Block 2 of this theme), the
The Internet being used for transnational crim-
Internet Corporation for Assigned Names and Num-
inal /terrorist/organized crimes purposes
bers (ICANN), the Internet Governance Forum (IGF)
and the UN-backed International Telecommunications Learning Method/Assessment
Union (ITU).
Teaching delivery may include analysis of current issues.
The focus of this block is on how governments interact Students should research and review case studies of inter-
with these many international organizations and adopt national organizational responses and examine trending
common practices often based on their recommenda- international challenges and impacts for nations.
tions.
Assessment should be through a group project with
classroom participation and a written assignment on an
international organizations response to cybersecurity.
42
References
43
T3-B2 International Standards and Requirements Issues for Potential Modules and Approaches to
A Survey of Bodies and Practices Consider
This block introduces students to the range of interna- National and nationally adopted international
tional standards set by standards development organi- standards directly addressing cybersecurity
zations. Students will come to understand the role of Related national procedural or organizational
international technical standards and requirements. standards
They will be introduced to the range of ISO (Interna-
Challenges and complexities involved in imple-
tional Organization for Standardization) standards as
menting international standards
well as to COBIT (Control Objectives for Informa-
tion and Related Technology), ISACA (Information Learning Method/Assessment
Systems Audit and Control Association) and ITIL (the
International Technical Infrastructure Library). Dis- The means and methods of assessment should be appro-
cussions will include U.S. National Institute of Stan- priate for the level of performance established for courses
dards and Technology (NIST), the British Standards and lessons derived from this reference curriculum.
Institute (BSI), Germanys Bundesamt fr Sicherheit in
der Informationstechnik, and ASIS International (and A national expert will summarize the various standards
other standards where possible or desirable) to highlight adopted by the country and explain their relationship to
the types and burdens created by implementing stan- international and emerging standards for cybersecurity.
dards and the challenges presented by competing stan-
dards. Additionally, this block highlights the national Students may find and analyze case studies on imple-
approach to agreeing to international standards. Finally, mentation of international standards.
it addresses the limits of standards and explores the rea-
Group discussion on challenges of implementing inter-
sons for which military, defense or other governmental
national standards should take place. Examples should
organizations may set their own standards.
be developed from local experience.
Learning Outcomes
References
Students will
Iigo Barreira, Izenpe, Jerome Bordier, SEALWeb,
understand the role of international technical Olivier Delos, Arno Fiedler, Nimbus Technologiebera-
standards and requirements; tung GmbH, Tomasz Mielnicki, Gemalto, Artur
Mikina, Polish Security Printing Works, Jon Shamah,
be able to identify international standard devel-
EJ Consultants, Clemens Wanko, TUV Information-
opment organizations (e.g., ISO, NIST);
stechnik GmbH, Clara Galan Manso, ENISA, Sawomir
be able to identify sources of international stan- Grniak, ENISA, Analysis of standards related to Trust
dards informing their national cyber strategy; Service Providers - Mapping of requirements of eIDAS
appreciate the challenges and complexities to existing standards, EU ENISA, July 1, 2016. Avail-
involved in implementing international stan- able at: https://www.enisa.europa.eu/publications/tsp_
dards; and standards_2015
demonstrate knowledge of how and by what Manmohan Chaturvedi, Abhishek Narain Singh,
body their organizations cybersecurity stan- Manmohan Prasad Gupta, Jaijit Bhattacharya, (2014)
dards are established, maintained and promul- Analyses of issues of information security in Indian
gated. context, Transforming Government: People, Process and
Policy, Vol. 8 Issue: 3, pp. 374-397. DOI (available
at): http://www.emeraldinsight.com/doi/abs/10.1108/
TG-07-2013-0019
44
China Universities of Posts and Telecommunications, Vol.
20, Supp.1, 2013, pp25-29. Journal ISSN: 1005-8885.
UIN: ETOCRN339930374
45
T3-B3: National Cybersecurity Frameworks Learning Outcomes
As a national issue that transcends traditional bound- identify the organizations responsible for their
aries between government, industry and citizens, cyber- national cybersecurity policy;
security requires high-level policy and coordination. identify key features of national cybersecurity
Given the interconnectedness of systems, many gov- policy;
ernments have recognized that they require a whole-of-
government approach just for the security management identify responsible organizations and under-
of their own operating systems, let alone to help mini- stand their role in developing and issuing tech-
mize the risks to industry and individuals. However, nical guidance/directives;
national responses have been quite varied. Some nations identify key features for technical guidance/
have created national bodies responsible for managing directives;
national cybersecurity, while other nations have made
discuss the sources of best practices in orga-
coordinating bodies responsible for articulating national
nizing national cybersecurity; and
policies but left management and implementation of the
policies to various government departments. Yet other critically analyze their national approach in
countries struggle to find an appropriate framework. comparison to reference policy frameworks.
Many governments have gone beyond articulating or Issues for Potential Modules and Approaches to
supporting cybersecurity measures only for protecting Consider
the machinery of government and have embraced this Centralized vs. multi-stakeholder approach to
issue as one of national risk, thus undertaking efforts to cybersecurity
support or instill best practices for the private sector and
citizens. Championing or mandating such measures has National approaches to cooperation, coordina-
been particularly the case for the protection of critical tion and collaboration
infrastructures that are often in private ownership. Nev- International organizations: roles and interac-
ertheless, there are some common requirements, such as tion in the national context
establishing structural roles and accountabilities, issuing
Reference policy frameworksreview various
authoritative technical guidance, defining roles and
examples
responsibilities for mitigating risks and responding to
active issues. Learning Method/Assessment
This blocks aims to make students aware of their nations The means and methods of assessment should be appro-
cybersecurity policies, strategies and structures. Stu- priate for the level of performance established for courses
dents need to be informed of the policy strategy frame- and lessons derived from this reference curriculum.
work of their nation (if there is one) and of the organi-
zations responsible for national guidance and technical Teaching delivery may include discussion, subject
specifications. Students will compare different national matter expert lectures, comparative case studies, iden-
and international cybersecurity strategy documents and tification of good practices, and visits to local cyberse-
approaches in order to better comprehend their own curity bodies.
and to assess areas of risk and responsibility.
References
46
Tomas Minarik, National Cyber Security Organisa- Organisation for Economic Co-operation and Develop-
tion: Czech Republic, 2nd Revised Ed, Tallinn, 2016. ment (OECD), Cybersecurity Policy Making at a Turning
NATO CCD COE. Available at: https://ccdcoe.org/ Point: Analysing a New Generation of National Cyberse-
sites/default/files/multimedia/pdf/CS_organisation_ curity Strategies for the Internet Economy, 2012. http://
CZE_032016.pdf oe.cd/security
47
T3-B4: Cybersecurity in National and International Learning Outcomes
Law
Students will
Description
recognize key challenges and policy sources in
Cybersecuritys legal landscape is complex and quickly international cyber law;
changing. There are arguments regarding the appli- be able to explain the legal responsibilities of
cability of existing and emerging international and national cybersecurity stakeholders and stat-
national laws to address cybersecurity issues and chal- utes; and
lenges. There is also wide variation in how countries
address cybersecurity within domestic law. Some states know the national legal statutes concerning
have specific cybersecurity laws; others do not. The cybersecurity (if any) and identify the key legal
attribution challengethe difficulties associated with authorities within their respective organiza-
tracking the source of malign, threatening or illegal tions.
cyber activitycompounds problems in both the Issues for Potential Modules and Approaches to
domestic and the international sphere. Consider
There is an evolving body of literature regarding inter- Subjects such as the contested international
national and national law applicable to cybersecurity. legal status of cyber attacks led by state and
This block introduces students to both international non-state actors, cyber issues in domestic law,
and national laws responsible for a range of cybersecu- organizational compliance requirements, and
rity issues. Many nations and organizations within them individual legal responsibility may be exam-
are subject to compliance laws, such as those requiring ined at some length.
the reporting of certain types of financial transactions or
Explore the debate regarding the International
data breaches. There are also evolving international legal
Code of Conduct for Information Security
and law enforcement norms and practices (such as coop-
proposed to the UN.
eration regimes established by Interpol). Legal require-
ments to report cyber incidents have been adopted by Domestic compliance regulations
many nations, and efforts are underway to determine an Commercial insurance and liability for cyber
international code of cyber ethics. However, there is no risks
international governing body or organization overseeing
the legal aspects of cybersecurity. Learning Method/Assessment
Students will be exposed to national positions on Lectures should be developed in coordination with
domestic and international law relevant to cyberspace, responsible legal representatives able to speak defini-
with the emphasis on cybersecurity. Important domestic tively to their national position on these issues.
aspects are privacy, systems assurance, regulatory com-
pliance and commercial insurance implications within Case studies on international and national legal responses
the emergent national and international legal regimes. to cybersecurity incidents should be examined.
References
48
Anna-Maria Osula and Henry Rigas (eds), International
Cyber Norms: Legal, Policy & Industry Perspectives (2015).
NATO CCD COE. E-Book. Full Book Available at:
https://ccdcoe.org/multimedia/international-cyber-
norms-legal-policy-industry-perspectives.html
49
50
Theme 4: Cybersecurity Management in the National be able to analyze the utility of frameworks and
Context matrices for planning and delegation; and
demonstrate a knowledge of the common
Goal
types of national response organizations and be
The broad objective of this theme is to explore the prac- familiar with the role, mandate and structure
tice of managing cybersecurity in the national context. of their current national systems and organi-
zational incident and crisis management orga-
Description nizations.
7
Derived from the Carnegie Mellon CERT-RMM. 51
T4-B1: National Practices, Policies and Organiza- Issues for Potential Modules and Approaches to
tions for Cyber Resilience Consider
In this block, students will be exposed to a number of Clausewitz Gesellschaft; Bundesakademie fr Sicherhe-
sample comprehensive approaches to cybersecurity as itspolitik. Sicherheitspolitik im Cyber-Zeitalter: Reicht
articulated in published high-level guidance (such as passive Abwehr aus? Bonn, Germany : Mittler Report
that of the United Kingdom or the United States) in Verlag, 2014, British Library Identifier: 016828758.
order for them to analyze the strengths and weaknesses Document Supply Number: 3829.361655 UIN:
of their national policies. The national policies relevant BLL01016828758
to the student body will be compared and contrasted.
Guido Nannariello, E-commerce e tutela del consuma-
Discussion in particular should turn to an examination
tore: indagine sui codici di condotta ed i processi di cer-
of existing policies and practices aimed at preventing,
tificazione, Ispra: Joint Research Centre, Institute for
protecting, reacting to and managing recovery from
the Protection and Security of Citizen, Cybersecurity
cyber incidents. Measures such as audit, verification
Sector, 2001. UIN: BLL01011092147.
and the means of independent review should also be
addressed. F. Cassim, Addressing the Growing Spectre of Cyber
Crime in Africa: Evaluating Measures Adopted by
Learning Outcomes
South Africa and Other Regional Role Players, in,
Students will Comparative and International Law Journal of Southern
Africa, Vol.44, No.1, 2011, pp123-138 (University
be able to interpret national cyber resilience of South Africa). Journal ISSN: 0010-4051. UIN:
documents; ETOCRN296687880.
be able to contribute to the development and
N. Shirazi, A Framework for Resilience Management in
extension of national cyber resilience proce-
the Cloud, in, Elektrotechnik und Informationstechnik,
dures;
Vol. 132; No.2, 2015, pp122-132. Journal ISSN: 0932-
be able to articulate the roles and responsibili- 383X. UIN: ETOCRN370071353.
ties of individuals and organizations respon-
sible for national cyber resilience; Kallberg, Jan. Assessing Indias Cyber Resilience: Insti-
tutional Stability Matters. Strategic Analysis 40, no. 1
understand the challenges of the coordination
(2016): 1-5.
of cyber operations during crisis situations; and
understand decision analysis processes used in An SME will have to compile the appropriate national
making compliance decisions during crisis situ- policies and references. More general references include
ations. the following:
52
Chris Hall, Richard Clayton, Ross Anderson and Evan-
gelos Ouzounis, Inter-X: Resilience of the Internet Inter-
connection Ecosystem, Full Report, ENISA, April 2011.
53
T4-B2: National Cybersecurity Frameworks Learning Outcomes
This block gives students an understanding of national demonstrate an understanding of the concept
cybersecurity strategy and its implementation in the con- of responsibility matrix planning and delega-
text of managing cyber operations, handling national- tion;
level cybersecurity incidents and managing national explore the broad issues surrounding imple-
cybersecurity risk. The focus should be on frameworks mentation of their national cybersecurity
that assist in allocating resources, define organizational strategy;
roles and responsibilities and specify the actions along
understand how to interface with national
the chain of command for responsibility and reporting.
incident response command and control struc-
Drawing from international and national standards, tures;
this block considers security foundations and frame- understand the delegated management of cyber
works, examining several comprehensive frameworks operations at the national level;
for articulating roles and responsibilities for manage-
understand how cyber risk is managed in the
ment of cybersecurity risk and response to cybersecurity
context of national policy; and
incidents. Such frameworks are often summarized in the
form of a Responsibility, Accountability, Command and understand the positive and negative aspects
Information (RACI) delegation matrix. Such matrix of formal resource management frameworks
delegation tools lend themselves to managing cyberse- applied to the national cybersecurity context.
curity operations as well. The example of an RACI chart
will be used as the teaching example. The students will Issues for Potential Modules and Approaches to
be exposed to the general design of such tools before Consider
addressing their national responsibility and response
Topics covered may include the RACI system or similar
matrixes. If possible, the actual national policy tools for
responsibility matrix tools for incident handling and
managing such delegation of responsibilities and tasks
recovery and response management.
will be identified and explored. Discussion will address
decision support tools, risk management tools and Learning Method/Assessment
frameworks, practices and responsibilities. Ultimately,
students will examine the cybersecurity delegated man- An SME should devise a brief survey of methods (such
agement framework adopted by their national govern- as RACI charting) before identifying where national
ment or at least by their organization. and organizational authorities and explicit guidance
exists. The SME can then identify those most germane
Cyber system resilience may include the following to the particulars of the student body.
activities: asset management, controls management,
configuration and change management, threat and vul- The assessment scheme should be developed in accor-
nerabilities management, service continuity planning dance with the level of knowledge and familiarity
and management, external dependencies management, appropriate to the courses derived from this reference
training, and organizational and individual awareness curriculum.
and active management of situational awareness.
References
54
Tuija Kuusisto, Rauno Kuusisto, Leadership for Cyber
Security in Public-Private Relations, in R. Koch,
G. Rodosek (eds), Procedings of the 15th Conference
on Cyber Warfare and Security, Munich, July, 2016.
ISBN1910810932, 9781910810934.
55
T4-B3: Cyber Forensics Issues for Potential Modules and Approaches to
Consider
Description
Creating a resilient system to support recovery
Cyber forensics is the application of investigation and after a cyber incident
analysis techniques to gather, exploit and preserve dig- Forensic examination of social engineering ele-
ital evidence. This domain of activity consists of digital ments exploited to gain access to systems
forensics, hardware forensics and human factor foren-
sics. While forensic activity is essential for day-to-day Hardware devices that could be of forensic
system maintenance and operational efficiency, more value
rigorous control of these activities may be required to Uses of forensic investigation results for crim-
produce evidentiary materials for criminal investiga- inal prosecution
tions. Finally, good forensic practices provide important
Automated tools for basic operational forensics
tools for understanding how adversaries seek to exploit
access to existing systems by, for example, exposing how Learning Method/Assessment
they may seek to access command and control nodes or
how they design malware. Teaching delivery should consist of lecture, demonstra-
tion and discussion of several case studies illustrating
This block presents the key forensics challenges in different forensic elements.
managing cyber incidents. Forensics techniques can be
applied to the investigation of cyber incidents, intelli- The assessment scheme should be developed in accor-
gence gathering and prosecution by law enforcement. dance with the level of knowledge and familiarity
Material to be covered includes tools and techniques appropriate to the courses derived from this reference
to acquire data from multiple sources, to analyze the curriculum.
data and to build a timeline of events. These may be
used to build an attribution case or for various forms Students should be assessed in oral and written format.
of follow-up activity, from activity tracking and moni-
toring to building a criminal case against the perpetra- References
tors. Students will also examine forensic data collection
Risto Vaarandi, Pawe Niziski, NATO Cooperative,
and examination for financial crimes such as money
Cyber Defence Centre of Excellence, Tallinn, Estonia.
laundering.
2013 A Comparative Analysis of Open-Source Log
Students will learn about the issues associated with the Management Solutions for Security Monitoring and
collection of data for forensics from multiple sources, Network Forensics. Available at: https://ccdcoe.
including computers, networks, mobile devices, data- org/sites/default/files/multimedia/pdf/VaarandiNiz
bases and sensors. inski2013_Open-SourceLogManagementSolutions.pdf
the national laws and regulations for data col- Akinola Ajijola, Pavol Zavarsky, Ron Ruhl, A Review
lection in support of law enforcement. and Comparative Evaluation of Forensics Guide-
lines of NIST SP 800-101 Rev.1:2014 and ISO/
IEC 27037:2012. Paper presented at the World
56
Congress on Internet Security (WorldCon) 2014.
pp66-73. 10.1109/WorldCIS.2014.7028169. Avail-
able from the IEEE at: http://ieeexplore.ieee.org/xpl/
articleDetails.jsp?tp=&arnumber=7028169&url=http
%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.
jsp%3Farnumber%3D7028169
57
T4-B4: National-level Security Audit and Assessment Issues for Potential Modules and Approaches to
Consider
Description
Topics to address may include the following:
Assessment of security preparedness is an important role
for countries. Assessment helps test the security controls Good practices in organizations that use self-
as well as identifying the gaps in security infrastructure assessment
and policy. Security assessment can be done at multiple Discussion of case studies of situations in which
levels. First, individual security controls can be tested self-awareness might have increased security
using auditing tools. Second, assessment can be done at
a holistic, system or organizational level through exer- Learning Method/Assessment
cises and real-time simulations. This block introduces
the tools and processes of security audits and assess- Students should practice using a national self-assessment
ments. This will allow students to learn how the assess- tool if available and, if not, they can employ the Cyber
ment of residual vulnerability in systems can be identi- Security Evaluation Tool (CSET) available through the
fied and weighed; moreover, such audits and assessments U.S. Department of Homeland Security (DHS) or a
help establish how to gauge cyber systems readiness to similar approach. It may be fruitful to compare what-
deal with specific types of known threat actors and to ever national method exists to that advocated by the
prepare for activities where an unknown threat emerges U.S. DHS.
(so-called zero-day threats because there is no warning
The assessment scheme should be developed in accor-
of their specific means of attack or malign action).
dance with the level of knowledge and familiarity
Personal and organization cybersecurity self-awareness appropriate to the courses derived from this reference
tools and techniques are diverse, running from ques- curriculum.
tionnaires to technical tools. This block aims to increase
References
understanding of the role of self-awareness as it relates to
cybersecurity for the individual and organization. Ana- Ivan Alcoforado, Leveraging Industry Standards to
lyzing the strengths and weaknesses of different tools Address Industrial Cybersecurity Risk, ISACA Journal,
and approaches is critical to understanding their value. Vol 6, 2014; Journal ISSN: 1944-1967.
Ongoing self-assessment can reduce risks. The consid-
eration of potential biases is also crucial for useful self- Stefan Laube, Rainer Bhme (Department of Infor-
assessment. Operationalization of results is a necessary mation Systems, University of Munster, Germany;
component of any self-assessment effort. As the level Institute of Computer Science, University of Inns-
of security is related to the value, importance or sensi- bruck, Austria), The Economics of Mandatory Secu-
tivity of what is being secured, there is no single pattern rity Breach Reporting to Authorities. Available at:
to simply adopt and apply. Rather, the desired level of http://www.econinfosec.org/archive/weis2015/papers/
cybersecurity will depend on the standards selected and WEIS_2015_laube.pdf
the level of performance that needs to be assured.
Yulia Cherdantseva, et al. A Review of Cyber Security
Learning Outcomes Risk Assessment Methods for SCADA systems. Elec-
tronic monograph. Available at the British Library, ref-
Students will erence: UIN: ETOCvdc_100030733535.0x000001.
understand the importance of security audit
Abhijit Gupta, Subarna Shakya, Information System
and assessment tools, and
Audit; A study for security and Challenges in Nepal,
be able to evaluate and apply appropriate self- in, International Journal of Computer Science and
assessment tools and techniques in a national Information Security, Vol.13, No. 11 (Nov 2015) pp
context. 1-4. Journal ISSN 1947-5500.
58
Karabacak, Bilge, Sevgi Ozkan Yildirim, and Nazife
Baykal. Regulatory approaches for cyber security of
critical infrastructures: The case of Turkey. Computer
Law & Security Review 32, no. 3 (2016): 526-539.
59
Abbreviations ICS Industrial Control System
60
SMTP Simple Mail Transfer Protocol
61
Glossary authentication Definition: The process of verifying the
identity or other attributes of an entity (user, process or
device). Extended definition: Also the process of veri-
fying the source and integrity of data.
Note: Not all terms below appear in the preceding
text, but many may prove useful in crafting specific B
learning exercises, etc.
botnet Definition: A collection of computers compro-
A mised by malicious code and controlled across a net-
work.
access control mechanism Definition: Security mea-
sures designed to detect and deny unauthorized access Build Security Definition: A set of principles, practices
and permit authorized access to an information system and tools to design, develop and evolve information
or a physical facility. systems and software that enhance resistance to vulner-
abilities, flaws and attacks.
active attack Definition: An actual assault perpetrated
by an intentional threat source that attempts to alter a C
system, its resources, its data or its operations.
capability Definition: The means to accomplish a mis-
advanced persistent threat(s) Definition: An adversary sion, function or objective.
that possesses sophisticated levels of expertise and sig-
cloud computing Definition: A model for enabling on-
nificant resources that allow it to create opportunities
demand network access to a shared pool of configurable
to achieve its objectives by using multiple attack vectors
computing capabilities or resources (e.g., networks,
(e.g., cyber, physical and deception). From: NIST SP
servers, storage, applications and services) that can be
800-53 Rev 4.
rapidly provisioned and released with minimal manage-
antivirus software Definition: A program that moni- ment effort or service provider interaction.
tors a computer or network to detect or identify major
Computer Network Defense Analysis Definition:
types of malicious code and to prevent or contain mal-
Where a person uses defensive measures and informa-
ware incidents, sometimes by removing or neutralizing
tion collected from a variety of sources to identify, ana-
the malicious code.
lyze and report events that occur or might occur within
attack Definition: An attempt to gain unauthorized the network in order to protect information, informa-
access to system services, resources or information or an tion systems and networks from threats.
attempt to compromise system integrity.
critical infrastructure Definition: The systems and
attack pattern Definition: Similar cyber events or assets, whether physical or virtual, so vital to society that
behaviors that may indicate that an attack has occurred their incapacity or destruction may have a debilitating
or is occurring, resulting in a security violation or a impact on the security, economy, public health or safety,
potential security violation. environment or any combination of these matters.
attack signature Definition: A characteristic or distinc- cryptography Definition: The use of mathematical
tive pattern that can be searched for or that can be used techniques to provide security services, such as confi-
in matching to previously identified attacks. dentiality, data integrity, entity authentication, and data
origin authentication.
attack surface Definition: The set of ways in which
an adversary can enter a system and potentially cause cyber ecosystem Definition: The interconnected infor-
damage. Extended definition: An information systems mation infrastructure of interactions among persons,
characteristics that permit an adversary to probe, attack, processes, data, and information and communications
or maintain presence in the information system. Adapted technologies, along with the environment and condi-
from: Manadhata, P.K., & Wing, J.M. in Attack Sur- tions that influence those interactions.
face Measurement, http://www.cs.cmu.edu/~pratyus/
as.html#introduction
62
cybersecurity: Short definition: The activity or pro- may hinder an organizations ability to achieve its objec-
cess, ability or capability or state whereby informa- tives.
tion and communications systems and the information
contained therein are protected from and/or defended exploit Definition: A technique to breach the security of
against damage, unauthorized use or modification or a network or information system in violation of security
exploitation. Extended definition: Strategy, policy policy.
and standards regarding the security of and operations
F
in cyberspace, and encompass[ing] the full range of
threat reduction, vulnerability reduction, deterrence, firewall Definition: A capability to limit network traffic
international engagement, incident response, resiliency between networks and/or information systems.
and recovery policies and activities, including com-
puter network operations, information assurance, law H
enforcement, diplomacy, military and intelligence mis-
sions as they relate to the security and stability of the hacker Definition: An unauthorized user who attempts
global information and communications infrastructure. to gain or gains access to an information system.
Adapted from: CNSSI 4009, NIST SP 800-53 Rev 4,
NIPP, DHS National Preparedness Goal; White House I
Cyberspace Policy Review, May 2009.
ICT supply chain threat Definition: A man-made
cyberspace Definition: The electronic world created threat achieved through exploitation of the information
by interconnected networks of information technology and communications technology (ICT) systems supply
and the information on those networks. chain, including acquisition processes.
digital rights management Definition: A form of access intrusion Definition: An unauthorized act of bypassing
control technology to protect and manage use of digital the security mechanisms of a network or information
content or devices in accordance with the content or system.
device providers intentions.
intrusion detection Definition: The process and
distributed denial of service Definition: A denial of methods for analyzing information from networks and
service technique that uses numerous systems to per- information systems to determine whether a security
form the attack simultaneously. breach or security violation has occurred.
E K
enterprise risk management Definition: A comprehen- keylogger Definition: Software or hardware that tracks
sive approach to risk management that engages people, keystrokes and keyboard events, usually surreptitiously/
processes and systems across an organization to improve secretly, to monitor actions by the user of an informa-
the quality of decision making for managing risks that tion system.
63
M risk assessment Definition: The product or process
that collects information and assigns values to risks
malicious code Definition: Program code intended to for the purpose of informing priorities, developing or
perform an unauthorized function or process that will comparing courses of action and informing decision
have adverse impact on the confidentiality, integrity or making. Extended definition: The appraisal of the risks
availability of an information system. facing an entity, asset, system or network, organizational
operations, individuals, geographic area, other organi-
malware Definition: Software that compromises the zations or society; includes determining the extent to
operation of a system by performing an unauthorized which adverse circumstances or events could result in
function or process. harmful consequences.
N risk management Definition: The process of identi-
fying, analyzing, assessing and communicating risk and
network resilience Definition: The ability of a network
accepting, avoiding, transferring or controlling it to an
to (1) provide continuous operation (i.e., highly resistant
acceptable level considering associated costs and benefits
to disruption and able to operate in a degraded mode if
of any actions taken. Extended definition: Includes (1)
damaged); (2) recover effectively if failure does occur;
conducting a risk assessment; (2) implementing strate-
and (3) scale to meet rapid or unpredictable demands.
gies to mitigate risks; (3) monitoring risk continuously
non-repudiation Definition: A property achieved over time; and (4) documenting the overall risk man-
through cryptographic methods to protect against an agement program.
individual or entity falsely denying having performed
S
a particular action related to data. Extended definition:
Provides the capability to determine whether a given spam Definition: The abuse of electronic messaging sys-
individual took a particular action, such as creating tems to indiscriminately send unsolicited bulk messages.
information, sending a message, approving information
or receiving a message. spoofing Definition: Faking the sending address of a
transmission to gain illegal (unauthorized) entry into a
P secure system.
passive attack Definition: An actual assault perpetrated spyware Definition: Software that is secretly or surrepti-
by an intentional threat source that attempts to learn tiously installed into an information system without the
or make use of information from a system but does not knowledge of the system user or owner.
attempt to alter the system, its resources, its data or its
operations. Supervisory Control and Data Acquisition (SCADA)
Definition: A generic name for a computerized system
phishing Definition: A digital form of social engi- that is capable of gathering and processing data and
neering to deceive individuals into providing sensitive applying operational controls to geographically dis-
information. persed assets over long distances.
R supply chain Definition: A system of organizations,
people, activities, information and resources for creating
redundancy Definition: Additional or alternative sys-
and moving products, including product components
tems, sub-systems, assets or processes that maintain a
and/or services from suppliers through to their cus-
degree of overall functionality in case of loss or failure of
tomers.
another system, sub-system, asset or process.
supply chain risk management Definition: The process
resilience Definition: The ability to adapt to changing
of identifying, analyzing and assessing supply chain risk
conditions and prepare for, withstand and rapidly
and accepting, avoiding, transferring or controlling it
recover from disruption.
to an acceptable level considering associated costs and
risk analysis Definition: The systematic examination of benefits of any actions taken.
the components and characteristics of risk.
64
T Z
threat Definition: A circumstance or event that has or Zero-day exploit Definition: An attack exploiting an
indicates the potential to exploit vulnerabilities and to unrecognized vulnerability, launched without warning
adversely impact (create adverse consequences for) orga- and detected only once underway.
nizational operations, organizational assets (including
information and information systems), individuals,
other organizations or society.
Derived and redacted from U.S. DHS National Initia-
threat actor/agent Definition: An individual, group, tive for Cybersecurity Careers and Studies (NICCS)
organization or government that conducts or has the Glossary. With additional material.
intent to conduct detrimental activities.
65
66
Team Leads and Editors: Sean S. Costigan and Michael Hennessy
Curriculum Team Members and Advisers:
67
Dr. Piotr GAWLICZEK Poland Rectors Representative
for Innovation
National Defense University
68
Dr. Gustav LINDSTROM Sweden Head of Programme,
Emerging Security Challenges
Geneva Centre for Security Policy
69
Dr. Detlef PUHL Germany Senior Advisor,
Emerging Security Challenges
Division,
NATO International Staff
70
71
72
CYBERSECURITY
A GENERIC REFERENCE
CURRICULUM
Editors:
Sean S. Costigan
Professor
George C. Marshall European Center for Security Studies
Gernackerstrasse 2
82467 Garmisch-Partenkirchen, Germany
sean.costigan@pfp-consortium.org