Cyber Security

Contents

II/148

An Introduction ... VI
Applying a Security Compliance Framework to Prepare Your Organization for Cyberwarfare and Cyberattacks ... 9
Disclaimer ... 10
Introduction ... 11
The Simple Truths of this Article ... 11
Cyberwar Concepts ... 11
Cyberweapons That We Know About ... 13
Who Is the Enemy or the Adversary? ... 14
DDoS as a Service, as low as US$20 Per Hour ... 14
Understanding Risks and Threats and Vulnerabilities ... 15
What Is an ISMS? ... 17
What is ISO 27001? ... 17
What Cyberattack / Cyberwarfare Risk Remediation Project Using ISO 27001 Might Look Like ... 18
Should You Get Your Organization Certified in ISO 27001? ... 18
Is Compliance with the ISO 27001 Standard or Some Other Security Compliance Framework Still Important Even If Your Organization Doesn't Get Certified? ... 19
Mapping to Achieve Compliance with Two or More Security Compliance Frameworks ... 19
Using ISO 27001 Controls to Defend Against Cyberwarfare and Cyberattacks ... 20
Recommendations ... 20
Conclusions ... 21
The Rise and Fall of Megaupload.com and Kim Dotcom, and the Possible Implications for the Internet-based World of Piracy and Theft of Intellectual Property ... 31
Abstract ... 32
The Rise and Fall of Megaupload.com and Kim Dotcom, and the Possible Implications for the World of Internet-based Software Piracy and Theft of Intellectual Property ... 32
Conclusion ... 33
Hacking Humans: The Story of a Successful Well-planned Social Engineering Attack ... 35
Abstract ... 36
Using Authority and Pretexting as Social Engineering Weapons ... 36
The Social Engineering Exploit: What Happened? ... 36
Summary of the Event Report ... 37
Results of the Exploit: Law Enforcement and At Work ... 38
What If Proper Social Engineering Defenses Had Been Applied? ... 38
The Importance of Studying and Applying Social Engineering Techniques and Defenses ... 38
Lessons Learned from This Incident ... 39
Conclusions ... 39
Attempting to Solve the Attribution Problem Using Wireshark and Other Tools as an Aid in Cyberwarfare and Cybercrime for Analyzing the Nature and Characteristics of a Tactical or Strategic Offensive Cyberweapon and Hacking Attacks ... 56
Introduction ... 57
What is Cyberwarfare? ... 57
How large a problem is this for the United States? ... 57
Other Not So Obvious Challenges for Cyberweapons and Cyberdeterrence ... 57
Is it a problem for other countries? ... 57
Is it problematic for these countries in the same ways or is there variation? What kind? ... 58
What are the consequences to the U.S. and others if this threat is left unchecked? ... 58
What consequences has the threat already produced on American/global society? ... 58
Has this threat evolved or changed over time or is it relatively constant? If it has evolved or changed, exactly how has that change happened and what political consequences have emerged from them? ... 58
Final Thoughts about Cyberwarfare Operations ... 58
The Attribution Problem ... 59
Recent Cyber Attacks ... 61
How do you know? ... 61
Free Tools You Can Use ... 61
Wireshark ... 61
Ostinato ... 65
TCPView ... 66
Traffic to Watch ... 66
A Caution to those Who Understand Network Attacks ... 67
The Future ... 67
Conclusion ... 67
Audit Project Plan for Dalton, Walton, & Carlton, Inc. ... 71
Introduction ... 72
Assumptions ... 72
Estimated Time Required ... 72
Conclusion ... 72
Table of Contents ... 72
Project Charter ... 72
Executive Summary ... 72
Introduction ... 72
Project Name ... 72
Description ... 72
Purpose ... 73
Resource Time Period ... 73
Resource Budget ... 73
Team Members ... 73
Project Steering Committee ... 73
Additional Project Stakeholders ... 73
Assumptions ... 73
Constraints ... 73
Approvals ... 74
Project Scope Statement ... 74
Scope ... 74
Objectives ... 74
Statement of Work ... 76
Audit Steps ... 76
Schedule, Activities and Deliverables ... 77
Schedule Management Plan ... 77
Risk Management Plan ... 77
Risk Assessment Methodology & Procedure ... 77
Proposed Risk Management Processes ... 78
Communications Plan ... 78
Team Members: ... 78
Project Steering Committee: ... 79
Additional Project Stakeholders: ... 79
Communication Methods, Frequency and Descriptions ... 79
Change Control Board ... 80
Change Control Process ... 81
Quality Management Plan ... 81
Non-Compliance ... 81
Performance Improvement ... 81
Rating Elements and Standards of Performance ... 82
Quality of Performance ... 82
Process of Quality Assurance Assessment ... 82
Deliverable Performance Metrics ... 83
Contribution Effectiveness (CE) Performance Metrics ... 84
Corrective and Preventive Action ... 86
Contractor Performance Report Generation ... 86
Score Development Process ... 86
Development of cumulative scores for each performance/sub-performance area ... 86
Surveillance Approach ... 87
Quality Assurance Surveillance Plan ... 88
Contractor's Quality Control Plan ... 88
Surveillance Methods ... 88
Periodic Inspection ... 89
Process Improvement Plan ... 89
Methodology and Sources of Input: ... 89
Document Owner and Approval ... 90
Change History Record ... 91
Threat Assessment in Cyberwarfare and Cyberdeterrence ... 95
Threat Assessment in Cyberwarfare and Cyberdeterrence ... 96
A Single Integrated Operational Plan for War ... 96
What is the nature of the threat you have chosen? ... 96
How large a problem is this for the United States? ... 96
Other Not So Obvious Challenges for Cyberweapons and Cyberdeterrence ... 96
Is it a problem for other countries? ... 97
Is it problematic for these countries in the same ways or is there variation? What kind? ... 97
What are the consequences to the U.S. and others if this threat is left unchecked? ... 97
What consequences has the threat already produced on American/global society? ... 97
Has this threat evolved or changed over time or is it relatively constant? If it has evolved or changed, exactly how has that change happened and what political consequences have emerged from them? ... 98
Final Thoughts about Cyberwarfare Operations ... 98
Discussion Questions and Answers Related to Studies in Cyberwarfare ... 100
Talk about the emergence of and belief system of the H.U.C. ... 101
Please elaborate and discuss in depth the principles of simple security. ... 101
Please explain GhostNet. ... 103
Analyze geopolitically a map of hot spots juxtaposed with potential cyber conflict. Explain any uniformity and discordance that one might expect to see between regular conflict and cyber conflict ... 104
In your weeks 3 and 4 videos, you get diametrically opposite issues: hacking vs. establishing norms. Reflecting upon these two videos together, explain what you consider to be some of the chief issues that make hacking a chronic problem to those looking to establish international norms of cyber behavior ... 105
U.S. Policy Appraisal Related to Cyberwarfare and Cyberdeterrence ... 106
U.S. Policy Appraisal Related to Cyberwarfare and Cyberdeterrence ... 107
How long has this policy been in place? Have any changes occurred to the policy over the years? ... 107
What is the effectiveness of current policy when it concerns this particular threat issue? ... 108
Short-Term and Long-term Ramifications of Current Policy ... 108
Allies and Adversaries Connected to this Specific Policy? ... 108
Conclusion ... 108
Strategic Comparative Analysis in Cyberwarfare and Cyberdeterrence ... 110
Strategic Comparative Analysis in Cyberwarfare and Cyberdeterrence ... 111
What Other Countries / Regions of the World Are Concerned with This Same Threat Issue? ... 111
Countries / Regions of the World That Do Not Place a High Priority on This Threat Issue ... 112
Some of the Current Policies Being Employed by These Other States / Regions in Regards to the Threat ... 112
Successes and Failures of the Various Alternative Policies Around the Globe ... 113
Areas of Joint Communication / Operation / Cooperation that Exist or Should Exist Across Countries Dealing with This Threat Issue ... 113
Is There One State in Particular That Seems to Be Doing a Better Job Than the United States Related to Dealing with This Threat Issue? ... 113
Conclusion ... 114
A Brief Analysis of Russian Cyberwarfare Capabilities: Past, Present, and Future ... 116
Conflict Resolution in Cyberwarfare and Cyberdeterrence ... 120
Conflict Resolution in Cyberwarfare and Cyberdeterrence ... 121
Current Academic Research on This Threat Problem ... 121
Intellectual Positions and Theoretical Explanations That Have Been Staked Out on This Threat Problem ... 121
Joint Publication (JP) 5-0, Joint Operation Planning ... 121
Options in Conflict ... 123
Conclusion ... 124
Policy Generation Related to Cyberwarfare and Cyberdeterrence ... 125
Policy Generation Related to Cyberwarfare and Cyberdeterrence ... 126
Current U.S. Policy Covering Cyberwarfare Threats ... 126
Challenges Related to Cyberwar and Cyberdeterrence Policy and Strategy Creation ... 126
Recommendations for the U.S. Cyberwarfare Policy and Strategy ... 126
Recommendations for the U.S. Cyberdeterrence Policy and Strategy ... 127
Final Thoughts on the Creation of a National Policy on Cyberwar and Cyberdeterrence ... 127
Conclusion ... 128
Integration of Cyberwarfare and Cyberdeterrence Strategies into the U.S. CONOPS Plan to Maximize Responsible Control and Effectiveness by the U.S. National Command Authorities ... 129
Integration of Cyberwarfare and Cyberdeterrence Strategies into the U.S. CONOPS Plan to Maximize Responsible Control and Effectiveness by the U.S. National Command Authorities ... 130
Part 1: Threat Assessment in Cyberwarfare and Cyberdeterrence ... 130
Nature of the Threat ... 130
How large a problem is this for the United States? ... 130
Other Not So Obvious Challenges for Cyberweapons and Cyberdeterrence ... 130
Is it a problem for other countries? ... 130
Is it problematic for these countries in the same ways or is there variation? What kind? ... 131
What are the consequences to the U.S. and others if this threat is left unchecked? ... 131
What consequences has the threat already produced on American/global society? ... 131
The Rapid Evolution of Cyberthreats ... 132
Part 1 Final Thoughts about Cyberwarfare Operations ... 132
Part 2: U.S. Policy Appraisal Related to Cyberwarfare and Cyberdeterrence ... 133
Current U.S. Policy Covering Cyberwarfare Threats ... 133
What is the effectiveness of current policy when it concerns this particular threat issue? ... 134
Short-Term and Long-term Ramifications of Current Policy ... 134
Allies and Adversaries Connected to this Specific Policy? ... 134
Part 2 Conclusion ... 134
Part 3: Strategic Comparative Analysis in Cyberwarfare and Cyberdeterrence ... 135
What Other Countries / Regions of the World Are Concerned with This Same Threat Issue? ... 135
Countries / Regions of the World That Do Not Place a High Priority on This Threat Issue ... 135
Some of the Current Policies Being Employed by These Other States / Regions in Regards to the Threat ... 136
Successes and Failures of the Various Alternative Policies around the Globe ... 136
Areas of Joint Communication / Operation / Cooperation that Exist or Should Exist Across Countries Dealing with This Threat Issue ... 136
China and Its Role in Cyberwarfare Capabilities ... 137
Part 3 Conclusion ... 137
Part 4: Conflict Resolution in Cyberwarfare and Cyberdeterrence ... 137
Current Academic Research on This Threat Problem ... 137
Intellectual Positions and Theoretical Explanations That Have Been Staked Out on This Threat Problem ... 137
Joint Publication (JP) 5-0, Joint Operation Planning ... 138
Options in Conflict ... 140
Part 4 Conclusion ... 140
Part 5: Policy Generation Related to Cyberwarfare and Cyberdeterrence ... 141
Current U.S. Policy Covering Cyberwarfare Threats ... 141
Challenges Related to Cyberwar and Cyberdeterrence Policy and Strategy Creation ... 141
A Single Integrated Operational Plan for War ... 141
Recommendations for the U.S. Cyberwarfare Policy and Strategy ... 141
Recommendations for the U.S. Cyberdeterrence Policy and Strategy ... 142
Final Thoughts on the Creation of a National Policy on Cyberwar and Cyberdeterrence ... 143
Part 5 Conclusion ... 143
Conclusion ... 143
About the Author ... 145

An Introduction
Hello and welcome to my first e-book!

My history with computers and computing is an interesting one, as most stories go. In the Fall of 1968, while watching the newly released movie, 2001: A Space Odyssey, I had the opportunity to witness the HAL 9000, an out-of-control, psycho, homicidal computer masquerading as something that approximated a sentient, chess-playing being, who was also in control of a gigantic space ship. Though I had never touched a computer or written a line of code, I was so disturbed witnessing the HAL 9000 destroy the lives of several helpless people, as well as try to kill the ship's commander, that as I watched the ship's commander turn off the HAL 9000, I rejoiced at the victory of a human over a computer. At that point, I made myself a promise that if I ever came up against any situation where it was me against a computer, I was going to win.

About five years later, in August 1973, I started my college studies at Memphis State University (now renamed the University of Memphis) as a new freshman, on three scholarships, two academic and one full four-year Air Force ROTC scholarship. I was studying Civil Engineering with an option to minor in Environmental Engineering. A short time after learning that I had a natural aptitude for working with and programming computers, I went to my advisor and told him I wanted to switch from Civil Engineering to something related to computers. As my good luck would have it, the College of Engineering had just launched a new Computer Systems Technology major study program under a degree in Engineering Technology. The program also had a minor field of study in Manufacturing Technology (which were actually like Industrial Engineering courses). So with my major changed, I felt excited and confident that I would complete my next seven semesters in college and graduate with this new Bachelor of Science in Engineering Technology, with a major in Computer Systems Technology and a minor in Manufacturing Technology. At the end of my first semester, in December 1973, I was summoned to a conference with the Dean of the College of Engineering. He was pleased that I had a successful semester, yet he was quite candid in his disappointment about my changing majors into Engineering Technology, with a major in Computer Systems Technology. He even told me that I was making a huge mistake and that I was wasting my time in college in pursuit of a B.S. in Engineering Technology, with a major in Computer Systems Technology. I asked him why. He explained that in the future, computers would be so easy to work with that programmers would be obsolete and unnecessary. As I heard this, I began to realize that it was a scare tactic and that he didn't want to see a bright student with a College of Engineering scholarship switch from Civil Engineering. But I was resolved to transfer into Engineering Technology, with a major in Computer Systems Technology, so I told him so. He was upset, but he accepted my choice, and I did indeed graduate right on schedule on May 7, 1977 and obtain a B.S. in Engineering Technology, with a major in Computer Systems Technology. A day before I graduated, I was also commissioned as a brand new second lieutenant in the United States Air Force, to be assigned as a brand new computer systems staff officer, supporting the Strategic Air Command Battle Staff at Strategic Air Command Headquarters at Offutt Air Force Base, Nebraska, with an active duty reporting date of July 15, 1977.

I entered USAF active duty with what I believed was strong knowledge and experience of programming in six languages (FORTRAN, BASIC, ALGOL, SNOBOL, APL, and COBOL), and experience of working with only one computer, a Xerox Sigma-9. The largest, most complex program I had ever written from scratch was a FORTRAN timesharing program, with about 350 lines of code, and it calculated biorhythm data and printed out small reports on the physical, emotional, and intellectual personal data for a user. I scored an A on that project and the Department Chairman, Dr. Weston Terry Brooks, loved it.

My first assignment in the U.S. Air Force at Strategic Air Command Headquarters involved the care and maintenance of a 7200-line program that was written in JOVIAL. The program worked well, but by today's standards, it still had enough bugs in it to justify assigning a full-time programmer. Here were my challenges: 1) the technical program documentation wasn't current; 2) the program was more than 20 times larger than anything I had ever worked with; 3) I had never programmed in JOVIAL or GMAP (Honeywell Assembler) or worked with the Honeywell GCOS operating system and associated utilities, so they trained me. Anyway, the work was extremely exciting, and today I know that few people ever get so much responsibility and so much high-visibility opportunity and challenges to prove themselves. Looking back, it made me grow up quickly in this industry, and I am eternally grateful for my USAF experiences in technology and the good teachers and mentors I had along the way.

In late 1980, sadly, I left the USAF and returned to civilian life. It is an oversimplification to say that the transition from military to civilian life wasn't easy. For 15 months, I hoped that there would be some type of National Emergency where they would summon me back to active duty, but that didn't happen. So I was then stuck in the life of being a civilian IT professional. I made the best of things, and frankly, it has been a pretty good way to grow and make a living. I have to admit that I have never been bored and that I have pursued each new opportunity as a chance to add value, to learn, to grow, and to improve my skills.

Through the years that followed the USAF, I had many jobs and acquired many new skills. Among those skills were:

Program Management | Project Management | Portfolio Management | Strategic Planning | Business Analysis | Business Strategy | Technical Leadership | Technical Management | Technical Staff Management | Data Center Management | Data Center Operations | Information Security Management | Cybersecurity | ISO 27001 | PCI DSS | FISMA | FedRAMP | Infrastructure Management | Social Engineering | Operations Management | System Analysis | Risk Management | Knowledge Management | Information Systems Development | Programming | Problem Management | Incident Management | ITIL-based Service Design and Service Management | Information Security Management | Agile Project Management | Troubleshooting | Network Security | Network Administration | Change Management | Services Management | Cloud Computing | Cloud Data Center Management | Mentoring | Strategic Planning | Staff Mentoring | Writing | Technical Writing | Teaching/mentoring | Team Building | System Administration | System Design | Application Development | Architecture Security | Architecture Design | Database Administration | Database Design | Database Implementation
Some General Lessons Learned

- A good Internet domain name and associated website will go a long way toward enhancing your marketability
- Always work hard and give 120% to every task and job
- It's not how hard you work, but rather HOW MUCH work you get done
- If you are standing still in your career development and learning, you are falling behind
- Spend a LOT of time outside of work, working outside work, to hone your skills and experience
- Get a mentor to guide and advise you (see http://billslater.com/mentors.htm and http://billslater.com/mentoring)
- Remain flexible
- Spend your own time and money on the resources (books, hardware, and software) that you need to be successful
- Learn as much as you can about risk management, service management, data centers, and security
- Aspire to learn leadership skills and to assume greater and greater positions of influence and responsibility
- Continually hone your communication skills (written, speaking, and listening) so you can communicate excellently to those above you and to those you supervise
- Find a knowledgeable, wise mentor and seek their counsel and advice often
- Mentor others as often as you can get the opportunity
- Teach as often as you can get the opportunity, even if it is low pay or on a volunteer basis
- Remember that every management decision is based on financial metrics like ROI, TCO, and fixed and variable costs per time unit. If you cannot provide such metrics, you cannot get your ideas and/or projects accepted by upper management
- It is essential to adopt meaningful metrics that will help management measure the effectiveness of every activity in which you are engaging. These metrics will be used over time to report your progress and plan for continuous process improvement.
- The growth of technology never stops, so if you stop growing and learning and striving for relevancy, you are on the fast track out of this challenging career field
- In the end, your good name and reputation are the most important things you have. Guard them zealously. (Proverbs 22:1)

Happy Reading!
William F. Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, IP v6, Cloud Computing Foundation
Project Manager / Program Manager
slater@billslater.com
williamslater@gmail.com
http://billslater.com/career
Chicago, IL
United States of America

Editor's Note

Dear Readers,

It is a great pleasure to present to you the newest ebook written by William F. Slater, III. I believe that all of you are familiar with Mr Slater's work devoted to the field of Cybersecurity. Therefore, I have decided to publish an ebook devoted to this burning issue. Nowadays cybersecurity generates a great deal of heated debate, and that is why I want to satisfy our Readers' thirst for knowledge. Mr Slater, our expert, is an extremely knowledgeable person who will explain to you everything you should know to protect yourself, your company, and your World from cyber attack. Every aspect of cybersecurity, cyberwarfare and cyberdeterrence is explained in detail, and that is why this ebook will be very pleasurable to read. What is more, you can always write to Mr Slater and ask him for help or clarifications. He is always willing to help and assist everyone.

To me, this book is more than a compendium of knowledge. It's a tribute to the achievements of Mr Slater, who encourages me to learn, develop and fight for a better world. I know Mr Slater personally; he is a friend of mine and I can always count on him. I hope that all of you will learn a lot thanks to this ebook.

Enjoy your reading,
Ewa Duranc,
Product Manager.

Applying a Security Compliance Framework to Prepare Your Organization for Cyberwarfare and Cyberattacks

Disclaimer

William F. Slater, III is an IT Security consultant who lives and works in Chicago, IL, United States of America. He has worked in Information Technology since 1977. In March 2013, he will complete his third graduate degree, an M.S. in Cybersecurity. Though he has prior experience as a computer systems staff officer serving at Strategic Air Command Headquarters from 1977 to 1980, and as a civilian IT service management Project Manager working with the U.S. from 2009 to 2010, and he has held a top secret clearance (1977-1980) and a secret clearance (2009-2011), he did not access any classified documents from the U.S. military or the U.S. government to research and write this paper. This paper is therefore an unclassified document that was researched and written using resources that are available to the general public. Other information reflected in this paper is the professional opinion of Mr. Slater, who is solely responsible for the content of this paper.

Finally, Mr. Slater is a very patriotic American who always hopes for the best for the Republic of the United States of America and her Allies. This includes trying to do what is in his power as an IT professional, an educator, and a writer to make the use of Cyberspace and the Internet safe for everyone.

Introduction

On Monday, CNN posted a web article with the headline "Nations Prepare for Cyberwar", describing the inevitability of a cyberwar that is coming or is possibly already here (Goldman, 2013).

One of the main disadvantages of the hyper-connected world of the 21st century is the very real danger faced by countries, organizations, and people who use networked computer resources connected to the Internet: they are at risk of cyberattacks that could result in anything ranging from denial of service, to espionage, theft of confidential data, destruction of data, and/or destruction of systems and services. In recognition of these dangers, national leaders, business leaders, and the military leaders of most modern countries now acknowledge that the potential and likely eventuality of cyberwar is very real. This article will introduce some concepts about the realities and weapons of cyberwarfare and discuss how an organization can use a security compliance framework of controls to mitigate the risks of cyberattacks and cyberwarfare.

The Simple Truths of this Article

1. Cyberwar is coming or could already be here. All the signs, news media coverage and publicly known actions of the U.S. Government confirm it.
2. If you have an IT infrastructure that is important to your business operations, you need to protect your business from Cyberattacks and Cyberwarfare.
3. There are many things you can do, and things you cannot legally do if you are in the United States, to protect your business from Cyberattacks and Cyberwarfare. Restrictions inside the U.S. Code, Title 10, and other various cyber legislation strictly prohibit retaliation or going on the offensive. But you can prepare and protect yourself from cyberattacks.
4. In any organization, Management Support is required to understand and allocate the resources to defend against cyberattacks.
5. Understanding risk identification, threats, vulnerabilities, controls, performing risk assessment, and risk management are essential to becoming an effective protector of IT assets.
6. Because of the complex nature of most IT infrastructures and assets and how they integrate with an organization's business operations, it is better to use some type of proven framework with which to assure that all the important aspects of compliance and infrastructure security have been addressed and are being measured.

Cyberwar Concepts
Cyberattacks and cyberwarfare tactics, by some expert estimates, date back to the early 1980s when there was a set
of suspicious explosions that were likely generated in control systems on some pipelines in Asia, though this has never
been conclusively confirmed. However, the idea of using computers and software to attack another entity via networks
dates back to the early 2000s and by some accounts, well before that. The diagram from Lewis University shows a brief
graphic history between 2000 and 2009.

Figure 1. A Brief History of Cyberwarfare, by Lewis University, Romeoville, IL

Cyberweapons That We Know About

Cyberattacks and cyberwarfare tactics have typically been in the realm of Distributed Denial of Service (DDoS) attacks, with some more sophisticated attacks as shown in the Technolytics diagram below.

Figure 2. Classes of Cyberweapon Capabilities, by Technolytics.

Since 2007, well-orchestrated cyberwar attacks such as the DDoS attacks on Estonia (2007), Georgia (2008), and Kyrgyzstan (2009), as well as Stuxnet (2010), Duqu (2011), and Flame (2012), have all become known to the world through security researchers, their victims, and the media. As a result, it has become apparent to most who are watching this area that cyberspace has now become the new realm onto which the field of international conflict has been extended, and that cyberwarfare is no longer a theoretical issue that could one day threaten those participants and systems that rely upon connections to the Internet and Internet-connected networks. Unfortunately, however, despite the emergence of a new breed of intelligent cyberweapons (e.g. Stuxnet, Flame, Duqu, and Shamoon) with the ability to strike with precision and accuracy, the present findings and research on cyberwarfare-related events show that the U.S. is playing catch-up and doing so badly (Turanski and Husick, 2012).

The diagram below shows the rapid evolution of cyberweapons over time. According to this diagram, from about 2008 until what is predicted to be about 2020, the growth in the sophistication of cyberweapons will be quite significant. This rapid rise in the sophistication and capabilities of cyberweapons, coupled with their relative ease of use, proliferation and economic benefit, will make these weapons very compelling for military and strategic use, and make the likelihood of cyberwar increasingly significant for the foreseeable future.

Figure 3. Evolution of Cyberweapon Capabilities, 1994-2020, by Technolytics.

Who Is the Enemy or the Adversary?

In the world of cyberattacks and cyberwarfare, who your adversary is usually depends on your perspective. From the perspective of the U.S. and its allies, the adversary usually falls into one of these five categories: Russia, China, North Korea, Iran, or non-state actors. Much is already known about our potential adversaries, such as Russia, China, North Korea and Iran, but what is perhaps less understood is the degree to which they have been successful in integrating cyberwarfare and cyberdeterrence capabilities into their own national war plans. Nevertheless, given the previous extensive experience of China, Russia and the U.S. with strategic war planning, it is likely that these three countries stand the greatest chance of integrating cyberwarfare and cyberdeterrence capabilities into their respective war plans. Yet, as far back as June 2009, it was clear that the U.S. and Russia were unable to agree on a treaty that would create the terms under which cyberwarfare operations could and would be conducted (Markoff, J. and Kramer, A. E., 2009).

DDoS as a Service, as low as US$20 Per Hour

We now live in a world where the Internet and malware have made it possible to buy services such as DDoS attacks against an enemy or a competitor for prices as low as $20 per hour. When you consider the implications of this idea, the economics will make the idea of tactical cyberattacks more appealing to organizations. I know some of the URLs where these services are available, but rather than give them advertisement, I would just invite you to do an Internet search using your favorite search engine.

Understanding Risks and Threats and Vulnerabilities

To deal with the realities of cyberattacks and cyberwar, one must grasp a few simple concepts related to risk quantification, risk assessment, and risk management. Risk in the world of Information Technology is a calculation of the likelihood of an undesirable event based on the estimated severity of impact when the event occurs, the probability of the event's occurrence, and the ability to detect the event should it actually occur. Risk is usually explained and understood in terms of threats, vulnerabilities, and damage to assets. Risk is important to understand because risk reduction is usually accomplished by the application of one or more controls.
Examples of assets that could be impacted by risk in an organization include:
- Physical
- People
- Information (including documentation, strategy, business model, etc.)
- Data and Databases
- Organization
- Websites
- Systems
- Servers, Computers, Network Infrastructure components, etc.
- Intangibles (brand, reputation, etc.)
- Services (including power, cooling, backup power, and services provided to clients)
In addition, in the world of IT, you usually have four basic strategies to manage risk once it has been identified and
assessed:
1. Mitigate it
2. Transfer it
3. Avoid it
4. Ignore it
I have included some diagrams to help readers understand the relationships between risk, vulnerabilities, threats,
assets and controls that reduce risk.
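The following is an added example, not code from the article, that turns the three-factor definition of risk given above (severity, probability, detectability) and the four treatment strategies into a small scored risk register. The 1..5 scales, the multiplicative score, the treatment thresholds and the sample register entries are constructed assumptions for illustration.

```python
"""Risk register scoring built on the article's three-factor definition of risk.

Added example, not from the original article. The 1..5 scales, the
multiplicative score, the treatment thresholds and the sample register
below are constructed assumptions chosen for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str          # what is exposed (website, database, control system...)
    threat: str         # the undesirable event
    vulnerability: str  # the weakness that lets the threat be realised
    severity: int       # impact if it occurs: 1 (minor) .. 5 (critical)
    probability: int    # likelihood of occurrence: 1 (rare) .. 5 (near-certain)
    detectability: int  # difficulty of detecting it: 1 (obvious) .. 5 (hard)

    def score(self) -> int:
        """Severity x probability x detectability, range 1..125 (assumed scale)."""
        for v in (self.severity, self.probability, self.detectability):
            if not 1 <= v <= 5:
                raise ValueError("each factor must be on the 1..5 scale")
        return self.severity * self.probability * self.detectability


@dataclass(frozen=True)
class Control:
    """A control lowers one or more factors by a fixed number of points."""
    name: str
    probability_reduction: int = 0
    detectability_reduction: int = 0
    severity_reduction: int = 0


def apply_controls(risk: Risk, controls: List[Control]) -> Risk:
    """Residual risk after the controls; no factor may fall below 1."""
    sev = risk.severity - sum(c.severity_reduction for c in controls)
    prob = risk.probability - sum(c.probability_reduction for c in controls)
    det = risk.detectability - sum(c.detectability_reduction for c in controls)
    return replace(risk, severity=max(1, sev), probability=max(1, prob),
                   detectability=max(1, det))


def treatment(residual: Risk, appetite: int = 15, ceiling: int = 60) -> str:
    """Map a residual score to one of the four strategies the article lists.

    'accept' is the article's "ignore it", taken as a conscious decision
    within the risk appetite; both thresholds are assumptions.
    """
    s = residual.score()
    if s <= appetite:
        return "accept"
    if s <= ceiling:
        return "mitigate"   # worth investing in further controls
    if residual.severity == 5:
        return "avoid"      # critical impact and still likely: remove the exposure
    return "transfer"       # e.g. insurance or a specialised provider


def assess_register(register: List[Tuple[Risk, List[Control]]]) -> List[Dict]:
    """Score every entry before and after its controls and pick a treatment."""
    rows = []
    for risk, controls in register:
        residual = apply_controls(risk, controls)
        rows.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "inherent": risk.score(),
            "residual": residual.score(),
            "treatment": treatment(residual),
        })
    return rows


# Constructed sample register using the threat types the article names.
REGISTER: List[Tuple[Risk, List[Control]]] = [
    (Risk("Public website", "Distributed denial of service",
          "single upstream link, no traffic scrubbing", 4, 4, 2),
     [Control("Upstream DDoS scrubbing service", probability_reduction=2),
      Control("Flow monitoring with alerting", detectability_reduction=1)]),
    (Risk("Customer database", "Theft of confidential data",
          "cleartext at rest, no access audit trail", 5, 3, 4),
     [Control("Encryption at rest", probability_reduction=1),
      Control("Database audit logging to SIEM", detectability_reduction=2)]),
    (Risk("Legacy pipeline control system", "Destruction of systems",
          "unpatched and reachable from the Internet", 5, 4, 5),
     []),
    (Risk("In-house card payment handling", "Fraudulent transactions",
          "card data processed on general-purpose servers", 4, 4, 4),
     []),
]


if __name__ == "__main__":
    for row in assess_register(REGISTER):
        print(f"{row['asset']:<34} {row['threat']:<32} "
              f"inherent={row['inherent']:>3} residual={row['residual']:>3} "
              f"-> {row['treatment']}")
```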

Figure 4. Risk relationship diagram, from ISO27001.org.

Figure 5. Relationships between IT security management controls, Threats and Assets (Exposures), Jaquith, 2007

What Is an ISMS?
The fast-paced, electronically enabled business environment of the 21st century is characterized by the tactical and
strategic use of information as a business enabler. In practically every organization, information is now seen as a
primary asset and, as such, it must be protected. Yet the proliferation of and reliance on information in an organization
also introduces responsibilities and risks which, if not addressed, can expose the organization to extraordinary losses that
could severely impact the viability of the business. The best strategy for an organization to manage these new business
realities is to adopt a strong compliance management posture in the area of Information Security, to ensure that its
information assets are protected in the most comprehensive, standardized manner possible. Presently, the best tool for
managing the challenges of Information Security is an enterprise Information Security Management System (ISMS). The
ISMS is a centralized system of policies, procedures, and guidelines that, when created and uniformly applied, provides
the best practices to help ensure that an organization's Information Security is being managed in a standardized way
using documented best practices. The introduction of an ISMS into an organization's business operations will serve to
identify, document and classify information assets and risks, and then to document the mitigation of those risks using
established, documented controls. When an organization has chosen the standardized ISO 27001 Security Management
Framework, the key benefits of implementing an ISMS would be:
The implementation of a standardized Information Security Management System in the organization
Better management and fulfillment of the Information Security requirements of the organization's clients
Reduction of risks related to cyberattacks and cyberwarfare
Reduction of the risk of losing existing customers
Increased opportunities for new business
Reduction of the risk of regulatory penalties
Reduction of the risk of reputational damage
The creation of an Information Security-aware culture at the organization
Enabling ISO 27001-compliant offices to communicate and conduct business in areas affected by Information Security
in a standard way
Better management of IT assets and their associated risks
An Information Security Management System that is based on the Deming model of Plan-Do-Check-Act for
continuous process improvement
The adoption of the most widely recognized international standard for implementing an ISMS
Note that Information Security has rapidly risen to the forefront as a serious business issue. Because of its rapid
rise to prominence and the dynamic and evolving nature of threats and the associated risk management efforts, the
models used to measure and quantify the value of such projects can often seem frustrating at best. So while an ISMS
project may be difficult to quantify using traditional methods such as return on investment, it is clear that the benefits
of continued customer relationships, as well as the ability to attract future customers through a demonstrated strong and
continually improving posture of Information Security compliance management, will far outweigh the costs associated
with an ISO 27001 project.
Indeed, after implementing the ISMS under ISO 27001 standards, an organization will have better control of the
information that is the lifeblood of its business, and it will be able to demonstrate to its customers and its business
partners that it too has adopted a strong posture of compliance in the area of Information Security.

What is ISO 27001?


ISO 27001 is an international standard with 133 controls in 11 domains, which provide a structured standard for the
creation of an Information Security Management System based on strongly focused risk management and continuous
process improvement under the Plan-Do-Check-Act model. The present version was developed in 2005 and an updated
version is expected to be published by ISO sometime in 2013. This version is predicted to have several additions that
will focus on Cloud Computing and also on standardized IT services and service management as described under ITIL
and ISO 20000. In fact, in October 2012, the ISO 27013 standard was published, and it demonstrates how to integrate
an ISO 20000-based Service Management System with an ISO 27001-based Information Security Management System.
Note that the control numbering used in Appendix A of this article is that of the 2005 edition.

What a Cyberattack / Cyberwarfare Risk Remediation Project Using ISO 27001 Might Look Like
It is possible to create and implement an ISMS using a fast-track method as shown in figure 6 below. Note that
management must support such a project in terms of resources (monetary, people, and assets) and politically in order
for it to be successful. Nevertheless, it is possible to accomplish such a project if management and the project team have
the will and resources to succeed.

Figure 6 A Fast-track ISMS Implementation Project Timeline, William Slater, 2012

Should You Get Your Organization Certified in ISO 27001?


Should you get your organization certified in ISO 27001 if you make the effort to remediate your cyberattack and
cyberwarfare risks using an ISO 27001 ISMS control framework? The quick answer is: it depends. Currently, there
are fewer than 9,000 ISO 27001 ISMS certificate holders worldwide. Despite the apparent emphasis on security and risk
reduction, quite often organizations will pursue ISO 27001 certification either to comply with regulatory requirements
(as is required in India), or as a business enabler, because their business partners and/or customers expect it or have
greater confidence in an organization that holds an ISO 27001 certification. Though it is not easy or inexpensive in terms
of resources to earn or maintain an ISO 27001 certification, the return on investment, particularly in regions like North
America and South America where ISO 27001 certification is still relatively rare, can be quite significant.
Figure 7 below shows the number of ISO 27001 ISMS certificate registrants by continent as of 2011. Note that
according to PECB, a certification body that trains and certifies ISO 27001 implementers and auditors, the number of
ISO 27001 ISMS certificate registrants is expected to double each year in North America for the foreseeable future.


Figure 7 ISO 27001 ISMS Registrants by Continent as of 2011 (source unknown)

Is Compliance with the ISO 27001 Standard or Some Other Security Compliance Framework Still Important Even If Your Organization Doesn't Get Certified?
Personally, I believe that the chief responsibility of the leadership of an organization is to recognize risks and reduce
them, as cost-effectively as possible, to manageable levels, and to comply with the laws and regulations that affect its
operating environment. Even if an organization does not seek or achieve certification under a security compliance
standard such as ISO 27001, the organization can embrace and comply with the security controls of such a standard and
thereby significantly reduce its business and security risks. The value in each of these security compliance frameworks
(i.e. ISO 27001, PCI DSS, FISMA, HIPAA, etc.) is that each offers a set of well-defined controls that are structured in
a way that allows the organization that adopts them to visibly demonstrate its efforts to reduce risks to its assets and its
operating environment.

Mapping to Achieve Compliance with Two or More Security Compliance Frameworks
When an organization is required to comply with two or more security compliance frameworks, a process known as
mapping, using a table that shows the similarity of the various controls, is used to understand and communicate the
specific controls of each standard, usually on a one-to-one basis, though in practice a single control in one framework
often corresponds to several in the other, and a mapped pair is rarely an exact equivalence. Typically, the standard that
is already in place, or the one that is most familiar, is represented in the left column, and the newer standard that is
required for the new compliance initiative is located in the right column. An example is shown in figure 8 below.

Figure 8 Mapping ISO 27001 Annex A controls to NIST 800-53 Controls (FISMA)
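What follows is an added worked example, written for this edit rather than taken from the article or from figure 8, of what a mapping table is actually used for once it exists: a gap analysis that tells you which controls of the newly required framework are already satisfied by controls you have in place under the existing one. The handful of ISO 27001:2005 Annex A to NIST SP 800-53 pairs in CROSSWALK are illustrative and deliberately incomplete (a real crosswalk is taken from NIST SP 800-53 Appendix H or built by the organization's own analysis); the set of implemented Annex A controls and the required NIST baseline in sample_gap_report() are constructed for the example. The helper names invert(), gap_analysis(), mapping_table() and sample_gap_report() are this example's own.

```python
"""Control crosswalk and gap analysis (added example; not the article's figure 8).

Given the controls already in place under one framework and a many-to-many mapping
to a second framework, report which controls of the second framework are covered,
partly covered, not covered, or not reached by the mapping at all.  The crosswalk
pairs are illustrative and incomplete; the scenario data is constructed.
"""
from collections import defaultdict

# Illustrative crosswalk: left = framework already in place (ISO 27001:2005 Annex A),
# right = framework newly required (NIST SP 800-53 control identifiers).
CROSSWALK: dict[str, list[str]] = {
    "A.10.4.1": ["SI-3"],            # controls against malicious code -> malicious code protection
    "A.10.10.1": ["AU-2", "AU-12"],  # audit logging -> auditable events, audit generation
    "A.11.2.1": ["AC-2"],            # user registration -> account management
    "A.11.2.2": ["AC-2", "AC-6"],    # privilege management -> account management, least privilege
    "A.11.4.5": ["SC-7"],            # segregation in networks -> boundary protection
    "A.12.6.1": ["RA-5", "SI-2"],    # control of technical vulnerabilities -> vulnerability scanning, flaw remediation
    "A.13.2.1": ["IR-4", "IR-8"],    # incident responsibilities and procedures -> incident handling, response plan
    "A.14.1.3": ["CP-2"],            # continuity plans -> contingency plan
}


def invert(crosswalk: dict[str, list[str]]) -> dict[str, set[str]]:
    """Target control -> the set of source controls that map onto it (mappings are many-to-many)."""
    inverse: dict[str, set[str]] = defaultdict(set)
    for source, targets in crosswalk.items():
        for target in targets:
            inverse[target].add(source)
    return inverse


def gap_analysis(crosswalk: dict[str, list[str]], implemented_sources, required_targets) -> dict[str, list[str]]:
    """Classify each required target control.

    covered  - every source control mapped to it is implemented
    partial  - some but not all of its mapped source controls are implemented
    missing  - it is mapped, but none of its source controls are implemented
    unmapped - nothing in the crosswalk reaches it; it must be assessed directly
    """
    inverse = invert(crosswalk)
    implemented = set(implemented_sources)
    report: dict[str, list[str]] = {"covered": [], "partial": [], "missing": [], "unmapped": []}
    for target in sorted(required_targets):
        sources = inverse.get(target, set())
        if not sources:
            report["unmapped"].append(target)
        elif sources <= implemented:
            report["covered"].append(target)
        elif sources & implemented:
            report["partial"].append(target)
        else:
            report["missing"].append(target)
    return report


def mapping_table(crosswalk: dict[str, list[str]]) -> str:
    """Two-column text table in the layout the text describes: existing standard on the left,
    newly required standard on the right."""
    width = max(len(source) for source in crosswalk)
    lines = [f"{'ISO 27001 Annex A':<{width}}  NIST SP 800-53"]
    for source in sorted(crosswalk):
        lines.append(f"{source:<{width}}  {', '.join(crosswalk[source])}")
    return "\n".join(lines)


def sample_gap_report() -> dict[str, list[str]]:
    """Constructed scenario: five Annex A controls are in place; the new initiative requires
    twelve NIST controls, one of which (PM-1) the illustrative crosswalk does not reach."""
    implemented = {"A.10.4.1", "A.10.10.1", "A.11.2.1", "A.12.6.1", "A.14.1.3"}
    required = ["AC-2", "AC-6", "AU-2", "AU-12", "CP-2", "IR-4", "IR-8",
                "PM-1", "RA-5", "SC-7", "SI-2", "SI-3"]
    return gap_analysis(CROSSWALK, implemented, required)


if __name__ == "__main__":
    print(mapping_table(CROSSWALK))
    for status, controls in sample_gap_report().items():
        print(f"{status:<9}: {', '.join(controls) or '-'}")
```

In the constructed scenario AC-2 comes out as partial because two Annex A controls map onto it and only one is in place, AC-6, IR-4, IR-8 and SC-7 are missing, and PM-1 is unmapped, which is the case a one-to-one table silently hides: a target control that nothing in the existing framework reaches has to be assessed on its own, and "covered" here only means that the mapped source controls exist, not that their implementation meets the target control's wording.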

Using ISO 27001 Controls to Defend Against Cyberwarfare and Cyberattacks


Of the 133 controls defined in Annex A of the ISO 27001 standard, not all of these are required to reduce the risk of
cyberattacks and cyberwarfare. However, using my knowledge of the ISO 27001 standard framework of 133 controls,
and my knowledge of the various characteristics and aspects of cyberattacks and cyberwarfare, I created the table
in Appendix A that can be used to understand how these various defined controls can be used to mitigate the risks
associated with cyberattacks and cyberwarfare. The right-most column gives a simple yes or no to indicate the usefulness
of the control in the mitigation of risks associated with cyberattacks and cyberwarfare.

Recommendations
This section has been divided into recommendations for four distinct groups of people that will probably comprise the
population of this magazine's readers. I deliberately omitted government officials and military officials because they have
their own elite teams of cyberwarfare experts to advise them on these issues. In addition, they have a perspective on
cyberattacks and cyberwarfare in which they must consider battle plans and strategies that include both offensive and
defensive operations. To best understand the true nature of cyberdeterrence and cyberwarfare, everyone would be well
advised to read many of the materials in the reference section of this article, and in particular Martin Libicki's book,
Cyberdeterrence and Cyberwar, because I consider it to be the best unclassified reference on the market.
For IT Professionals:
1. Educate yourself continually about cyberwarfare.
2. Stay abreast of the threats and vulnerabilities associated with your infrastructure and the information technologies
that you work with.
3. Stay abreast of the security controls required to mitigate the risks associated with the information technologies that
you work with.
4. Where possible, get professional training and certifications associated with IT security and your job position.
For IT Managers:
1. Learn the security compliance standard or standards that will enable you to help your organization effectively
lower risk to acceptable levels.
2. Learn risk management in the IT world.
3. Learn what your teams do and keep them motivated to be the best at what they do.
For Executives and Business Owners:
1. Remember your responsibilities to the Board of Directors, your shareholders and other stakeholders in your
organization: cyberattacks and cyberwarfare represent serious threats that can obliterate an organization's ability
to function (see the 2007 cyberattacks in Estonia, or the 2008 attacks in Georgia, if you require more proof). If you
plan for your organization to be a going concern for the foreseeable future, you have no alternative but to
ensure it is protected from cyberattacks and the effects of cyberwarfare.
2. Learn the security compliance standard or standards that will enable you to help your organization effectively
lower risk to acceptable levels.
3. Learn risk management in the IT world.
4. Learn what your managers and your teams do and keep them motivated to be the best at what they do.
For Hackers:
1. Consider becoming legitimate, because the need for experienced cybersecurity professionals to defend
organizations and countries has never been greater and, in the long run, the compensation will probably be much
more lucrative.
2. Make sure that if you do join a team, it is a winning team.

Conclusions
This article has covered some of the better known aspects of cyberattacks and cyberwarfare, and attempted to show
that the risks can be managed by applying security compliance frameworks such as ISO 27001. While this has only been
an introduction, because scores of books have been written on these topics since 2005, it is important to understand these
basic concepts and take them seriously. The future of your business, and the satisfaction and confidence of your stakeholders,
business partners, and customers, all depend on your ability to protect your business and its operational capabilities
in this day and age of cyberattacks and cyberwarfare.

Resources:


Bousquet, A. (2009). The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. New York, NY: Columbia University Press.
Brewer, D. and Nash, M. (2010). Insights into the ISO/IEC 27001 Annex A. A paper by Dr. David Brewer and Dr. Michael Nash explaining
ISO 27001 and risk reduction in organizations. Retrieved from http://www.gammassl.co.uk/research/27001annexAinsights.pdf on March
10, 2011.
Bush, G. W. (2008). Comprehensive National Cybersecurity Initiative (CNCI). Published by the White House January 2008. Retrieved from http://
www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative on January 5, 2012.
Calder, A. and Watkins, S. (2012). IT Governance: An International Guide to Data Security and ISO27001/ISO27002, 5th edition. London, U.K.: IT
Governance Press.
Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: OReilly.
Clarke, R. A. and Knake, R. K. (2010). Cyberwar: the Next Threat to National Security and What to Do About It. New York, NY: HarperCollins
Publishers.
Crosston, M. (2011). World Gone Cyber MAD: How Mutually Assured Debilitation Is the Best Hope for Cyber Deterrence. An article published in the
Strategic Studies Quarterly, Spring 2011. Retrieved from http://www.au.af.mil/au/ssq/2011/spring/crosston.pdf on October 10, 2012.
Czosseck, C. and Geers, K. (2009). The Virtual battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
Edwards, M. and Stauffer, T. (2008). Control System Security Assessments. A technical paper presented at the 2008 Automation Summit A Users
Conference, in Chicago. Retrieved from http://www.infracritical.com/papers/nstb-2481.pdf on December 20, 2011.
Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from http://omicsgroup.
org/journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
Freedman, L. (2003). The Evolution of Nuclear Strategy. New York, NY: Palgrave Macmillan.
Gewirtz, D. (2011). The Obama Cyberdoctrine: tweet softly, but carry a big stick. An article published at Zdnet.com on May 17, 2011. Retrieved from
http://www.zdnet.com/blog/government/the-obama-cyberdoctrine-tweet-softly-but-carry-a-big-stick/10400 on September 25, 2012.
Gjelten, T. (2010). Are Stuxnet Worm Attacks Cyberwarfare? An article published at NPR.org on October 1, 2011. Retrieved from http://www.npr.
org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
Gjelten, T. (2010). Stuxnet Computer Worm Has Vast Repercussions. An article published at NPR.org on October 1, 2011. Retrieved from http://www.
npr.org/templates/story/story.php?storyId=130260413 on December 20, 2011.
Gjelten, T. (2011). Security Expert: U.S. Leading Force Behind Stuxnet. An article published at NPR.org on September 26, 2011. Retrieved from
http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-forcebehind-stuxnet on December 20, 2011.
Gjelten, T. (2011). Stuxnet Raises Blowback Risk In Cyberwar. An article published at NPR.org on December 11, 2011. Retrieved from http://www.
npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar on December 20, 2011.
Goldman, D. (2013). Nations prepare for cyber war. An article published at CNN on January 7, 2013. Retrieved from http://money.cnn.
com/2013/01/07/technology/security/cyber-war/index.html?hpt=hp_c3 on January 7, 2013.
Hagestad, W. T. (2012). 21st Century Chinese Cyberwarfare. Cambridgeshire, U.K.: IT Governance.
Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
ISO. (2005) Information technology Security techniques Information security management systems requirements, ISO/IEC 27001:2005.
Retrieved from http://www.ansi.org on February 1, 2011.
Jaquith, A. (2007). Security Metrics. Boston, MA: Addison Wesley.
Kaplan, F. (1983), The Wizards of Armageddon: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on
How to Use the Bomb. Stanford, CA: Stanford University Press.
Kerr, D. (2012). Senator urges Obama to issue cybersecurity executive order. An article published at Cnet.com on September 24, 2012. Retrieved
from http://news.cnet.com/8301-1009_3-57519484-83/senator-urges-obama-to-issue-cybersecurity-executive-order/ on September 26, 2012.
Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
Langer, R. (2010). A Detailed Analysis of the Stuxnet Worm. Retrieved from http://www.langner.com/en/blog/page/6/ on December 20, 2011.
Libicki, M.C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: Rand Corporation.
Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. An article published in the New York Times on June 28,
2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
Mayday, M. (2012). Iran Attacks US Banks in Cyber War: Attacks target three major banks, using Muslim outrage as cover. An article published on
September 22, 2012 at Poltix.Topix.com. Retrieved from http://politix.topix.com/homepage/2214-iran-attacks-us-banks-in-cyber-war on September
22, 2012.
McBrie, J. M. (2007). THE BUSH DOCTRINE: SHIFTING POSITION AND CLOSING THE STANCE. A scholarly paper published by the USAWC
STRATEGY RESEARCH PROJECT. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA423774 on September 30, 2012.
Obama, B. H. (2012). Defense Strategic Guidance 2012 Sustaining Global Leadership: Priorities for 21st Century Defense. Published January 3,
2012. Retrieved from http://www.defense.gov/news/Defense_Strategic_Guidance.pdf on January 5, 2012.
Obama, B.H. (2011). INTERNATIONAL STRATEGY for Cyberspace. Published by the White House on May 16, 2011. Retrieved from http://www.
whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf on May 16, 2011.
Payne, K. B. (2001). The Fallacies of Cold War Deterrence and a New Direction. Lexington, KY: The University of Kentucky Press.
Pry, P. V. (1999). War Scare: Russia and America on the Nuclear Brink. Westport, CT: Praeger Publications.
Radcliff, D. (2012). Cyber cold war: Espionage and warfare. An article published in SC Magazine, September 4, 2012. Retrieved from http://www.
scmagazine.com/cyber-cold-war-espionage-and-warfare/article/254627/ on September 7, 2012.
Saini, M. (2012). Preparing for Cyberwar A National Perspective. An article published on July 26, 2012 at the Vivikanda International Foundation.
Retrieved from http://www.vifindia.org/article/2012/july/26/preparing-for-cyberwar-a-national-perspective on October 14, 2012.
Sanger, D. E. (2012). Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. New York, NY: Crown Publishers.
Schmidt, H. S. (2006). Patrolling Cyberspace: Lessons Learned from a Lifetime in Data Security. N. Potomac, MD: Larstan Publishing, Inc.
Schmitt, E. and Shanker, T. (2011). U.S. Debated Cyberwarfare in Attack Plan on Libya. An article published in the New York Times on October 17,
2011. Retrieved from http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html on October 17, 2011.
Slater, W. F. (2013). ISO 27001 Resource Page. Retrieved from http://billslater.com/iso27001 on January 12, 2013.
Stiennon, R. (2010). Surviving Cyber War. Lanham, MD: Government Institutes.
Strohm, C. and Engleman, E. (2012). Cyber Attacks on U.S. Banks Expose Vulnerabilities. An article published at BusinessWeek.com on September
28, 2012. Retrieved from http://www.businessweek.com/news/2012-09-27/cyber-attacks-on-u-dot-s-dot-banks-expose-computer-vulnerability on
September 30, 2012.
Technolytics. (2012). Cyber Commanders eHandbook: The Weaponry and Strategies of Digital Conflict, third edition. Purchased and downloaded on
September 26, 2012.
The ISO 27000 Directory. (2012). An Introduction to ISO 27001, ISO 27002....ISO 27008. Retrieved from http://www.27000.org/index.htm
http://idcontent.bellevue.edu/content/CIT/cyber/615/compliance on December 7, 2012.


Turzanski, E. and Husick, L. (2012). Why Cyber Pearl Harbor Won't Be Like Pearl Harbor At All... A webinar presentation held by the Foreign Policy
Research Institute (FPRI) on October 24, 2012. Retrieved from http://www.fpri.org/multimedia/2012/20121024.webinar.cyberwar.html on October 25,
2012.
U.S. Army. (1997). Toward Deterrence in the Cyber Dimension: A Report to the President's Commission on Critical Infrastructure Protection.
Retrieved from http://www.carlisle.army.mil/DIME/documents/173_PCCIPDeterrenceCyberDimension_97.pdf on November 3, 2012.
U.S. Department of Defense, JCS. (2006). Joint Publication (JP) 5-0, Joint Operation Planning, updated on December 26, 2012. Retrieved from
http://www.dtic.mil/doctrine/new_pubs/jp5_0.pdf on October 25, 2012.
Waters, G. (2008). Australia and Cyber-Warfare. Canberra, Australia: ANU E Press.


Appendix A ISO27001 Domains, Control Objectives and Controls


ISO 27001:2005 Annex A controls, grouped by domain (section). The right-hand column records whether the control applies
to defending against cyberattacks and cyberwarfare.

Clause | Control objective / control | Applies to defending against cyberattacks and cyberwarfare?

Security Policy
5.1 | Information security policy |
5.1.1 | Information security policy document | Yes
5.1.2 | Review of the information security policy | No

Organization of Information Security
6.1 | Internal organization |
6.1.1 | Management commitment to information security | Yes
6.1.2 | Information security co-ordination | No
6.1.3 | Allocation of information security responsibilities | Yes
6.1.4 | Authorization process for information processing facilities | No
6.1.5 | Confidentiality agreements | No
6.1.6 | Contact with authorities | No
6.1.7 | Contact with special interest groups | No
6.1.8 | Independent review of information security | No
6.2 | External parties |
6.2.1 | Identification of risks related to external parties | No
6.2.2 | Addressing security when dealing with customers | No
6.2.3 | Addressing security in third party agreements | No

Asset Management
7.1 | Responsibility for assets |
7.1.1 | Inventory of assets | Yes
7.1.2 | Ownership of assets | Yes
7.1.3 | Acceptable use of assets | Yes
7.2 | Information classification |
7.2.1 | Classification guidelines | Yes
7.2.2 | Information labelling and handling | Yes

Human Resources Security
8.1 | Prior to employment |
8.1.1 | Roles and responsibilities | Yes
8.1.2 | Screening | Yes
8.1.3 | Terms and conditions of employment | No
8.2 | During employment |
8.2.1 | Management responsibilities | Yes
8.2.2 | Information security awareness, education and training | Yes
8.2.3 | Disciplinary process | No
8.3 | Termination or change of employment |
8.3.1 | Termination responsibilities | No
8.3.2 | Return of assets | Yes
8.3.3 | Removal of access rights | Yes

Physical and Environmental Security
9.1 | Secure areas |
9.1.1 | Physical security perimeter | Yes
9.1.2 | Physical entry controls | Yes
9.1.3 | Securing offices, rooms and facilities | Yes
9.1.4 | Protecting against external and environmental threats | Yes
9.1.5 | Working in secure areas | Yes
9.1.6 | Public access, delivery and loading areas | Yes
9.2 | Equipment security |
9.2.1 | Equipment siting and protection | Yes
9.2.2 | Supporting utilities | Yes
9.2.3 | Cabling security | No
9.2.4 | Equipment maintenance | No
9.2.5 | Security of equipment off-premises | Yes
9.2.6 | Secure disposal or re-use of equipment | Yes
9.2.7 | Removal of property | Yes

Communications and Operations Management
10.1 | Operational procedures and responsibilities |
10.1.1 | Documented operating procedures | Yes
10.1.2 | Change management | Yes
10.1.3 | Segregation of duties | Yes
10.1.4 | Separation of development, test and operational facilities | Yes
10.2 | Third party service delivery management |
10.2.1 | Service delivery | No
10.2.2 | Monitoring and review of third party services | No
10.2.3 | Managing changes to third party services | No
10.3 | System planning and acceptance |
10.3.1 | Capacity management | Yes
10.3.2 | System acceptance | Yes
10.4 | Protection against malicious and mobile code |
10.4.1 | Controls against malicious code | Yes
10.4.2 | Controls against mobile code | Yes
10.5 | Back-up |
10.5.1 | Information back-up | Yes
10.6 | Network security management |
10.6.1 | Network controls | Yes
10.6.2 | Security of network services | Yes
10.7 | Media handling |
10.7.1 | Management of removable media | Yes
10.7.2 | Disposal of media | Yes
10.7.3 | Information handling procedures | Yes
10.7.4 | Security of system documentation | Yes
10.8 | Exchange of information |
10.8.1 | Information exchange policies and procedures | Yes
10.8.2 | Exchange agreements | Yes
10.8.3 | Physical media in transit | Yes
10.8.4 | Electronic messaging | Yes
10.8.5 | Business information systems | Yes
10.9 | Electronic commerce services |
10.9.1 | Electronic commerce | Yes
10.9.2 | On-line transactions | Yes
10.9.3 | Publicly available information | Yes
10.10 | Monitoring |
10.10.1 | Audit logging | Yes
10.10.2 | Monitoring system use | Yes
10.10.3 | Protection of log information | Yes
10.10.4 | Administrator and operator logs | Yes
10.10.5 | Fault logging | Yes
10.10.6 | Clock synchronization | Yes

Access Control
11.1 | Business requirement for access control |
11.1.1 | Access control policy | Yes
11.2 | User access management |
11.2.1 | User registration | Yes
11.2.2 | Privilege management | Yes
11.2.3 | User password management | Yes
11.2.4 | Review of user access rights | Yes
11.3 | User responsibilities |
11.3.1 | Password use | Yes
11.3.2 | Unattended user equipment | Yes
11.3.3 | Clear desk and clear screen policy | Yes
11.4 | Network access control |
11.4.1 | Policy on use of network services | Yes
11.4.2 | User authentication for external connections | Yes
11.4.3 | Equipment identification in networks | Yes
11.4.4 | Remote diagnostic and configuration port protection | Yes
11.4.5 | Segregation in networks | Yes
11.4.6 | Network connection control | Yes
11.4.7 | Network routing control | Yes
11.5 | Operating system access control |
11.5.1 | Secure log-on procedures | Yes
11.5.2 | User identification and authentication | Yes
11.5.3 | Password management system | Yes
11.5.4 | Use of system utilities | Yes
11.5.5 | Session time-out | Yes
11.5.6 | Limitation of connection time | Yes
11.6 | Application and information access control |
11.6.1 | Information access restriction | Yes
11.6.2 | Sensitive system isolation | Yes
11.7 | Mobile computing and teleworking |
11.7.1 | Mobile computing and communications | Yes
11.7.2 | Teleworking | Yes

Information Systems Acquisition, Development and Maintenance
12.1 | Security requirements of information systems |
12.1.1 | Security requirements analysis and specification | Yes
12.2 | Correct processing in applications |
12.2.1 | Input data validation | Yes
12.2.2 | Control of internal processing | Yes
12.2.3 | Message integrity | Yes
12.2.4 | Output data validation | Yes
12.3 | Cryptographic controls |
12.3.1 | Policy on the use of cryptographic controls | Yes
12.3.2 | Key management | Yes
12.4 | Security of system files |
12.4.1 | Control of operational software | Yes
12.4.2 | Protection of system test data | Yes
12.4.3 | Access control to program source code | Yes
12.5 | Security in development and support processes |
12.5.1 | Change control procedures | Yes
12.5.2 | Technical review of applications after operating system changes | Yes
12.5.3 | Restrictions on changes to software packages | Yes
12.5.4 | Information leakage | Yes
12.5.5 | Outsourced software development | Yes
12.6 | Technical vulnerability management |
12.6.1 | Control of technical vulnerabilities | Yes

Information Security Incident Management
13.1 | Reporting information security events and weaknesses |
13.1.1 | Reporting information security events | Yes
13.1.2 | Reporting security weaknesses | Yes
13.2 | Management of information security incidents and improvements |
13.2.1 | Responsibilities and procedures | Yes
13.2.2 | Learning from information security incidents | Yes
13.2.3 | Collection of evidence | Yes

Business Continuity Management
14.1 | Information security aspects of business continuity management |
14.1.1 | Including information security in the business continuity management process | Yes
14.1.2 | Business continuity and risk assessment | Yes
14.1.3 | Developing and implementing continuity plans including information security | Yes
14.1.4 | Business continuity planning framework | Yes
14.1.5 | Testing, maintaining and re-assessing business continuity plans | Yes

Compliance
15.1 | Compliance with legal requirements |
15.1.1 | Identification of applicable legislation | Yes
15.1.2 | Intellectual property rights (IPR) | Yes
15.1.3 | Protection of organizational records | Yes
15.1.4 | Data protection and privacy of personal information | Yes
15.1.5 | Prevention of misuse of information processing facilities | Yes
15.1.6 | Regulation of cryptographic controls | Yes
15.2 | Compliance with security policies and standards, and technical compliance |
15.2.1 | Compliance with security policies and standards | Yes
15.2.2 | Technical compliance checking | Yes
15.3 | Information systems audit considerations |
15.3.1 | Information systems audit controls | Yes
15.3.2 | Protection of information systems audit tools | Yes

(ISO, 2005)


The Rise and Fall of Megaupload.com and Kim Dotcom, and the Possible Implications for the Internet-based World of
Piracy and Theft of Intellectual Property


Abstract
In January 2012 the U.S. Government took down the Megaupload.com website and then quickly filed charges against
the owner, Kim Dotcom, and his colleagues for alleged copyright infringement, conspiracy to commit money laundering,
racketeering, rewarding users who uploaded pirated content for sharing, and turning a blind eye to requests from
copyright holders to remove copyright-protected files. Kim Dotcom and his colleagues were arrested a few hours later
in New Zealand and await extradition to the U.S. to be tried on these charges. Conviction on these charges could result
in severe fines and possibly many years in a U.S. Federal prison. This paper will discuss the rise and fall of Kim Dotcom
and Megaupload.com and will review how governments may treat similar offenses in the future.

The Rise and Fall of Megaupload.com and Kim Dotcom, and the Possible Implications for the World of Internet-based Software Piracy and Theft of Intellectual Property
Less than 24 hours after the end of the global SOPA protest on the World Wide Web, on January 19, 2012, the governments
of the U.S. and New Zealand acted swiftly to stop the Megaupload.com empire that Kim Dotcom had built. The U.S.
Department of Justice shut down the Megaupload.com website and produced a 72-page federal indictment against
Kim Dotcom, Megaupload.com, and several of his business partners for alleged copyright infringement, conspiracy to
commit money laundering, racketeering, rewarding users who uploaded pirated content for sharing, and turning a blind
eye to requests from copyright holders to remove copyright-protected files. Almost 12,000 miles away, on January 20,
2012, New Zealand's law enforcement authorities were forcibly entering Mr. Dotcom's home, a leased luxury mansion in
the serene New Zealand countryside, and forcing their way into a safe room where Mr. Dotcom was hiding with guns,
cash, and his closest colleagues (Acohido, 2012). Mr. Kim Dotcom and his colleagues were then arrested and now
await extradition to the U.S. to be tried on these charges. Conviction on these charges could result in severe fines and
possibly many years of imprisonment in a U.S. Federal prison. This paper will discuss the rise and fall of Kim Dotcom
and Megaupload.com and will review how governments may treat similar offenses in the future.
Originally known as Kim Schmidt, Mr. Dotcom, a native citizen of Germany, began his computer career in Germany in his
early 20s in the early 1990s. He first worked as a computer expert and then very shortly afterwards opened a
computer security-related business. A short time later, Mr. Schmidt was indicted in Germany on computer fraud charges
and later paid a fine and was released on probation. A few years later, Mr. Schmidt legally changed his name to Kim
Dotcom, perhaps as a prelude to starting the Megaupload.com business, and to position himself as a self-styled
Internet mogul and entrepreneur.
Now a 38-year-old German foreign national and temporary resident of New Zealand, at 6 feet 6 inches tall and over
285 pounds, Mr. Kim Dotcom is, both in stature and in his actions, a larger-than-life figure, who openly flaunted his wealth
and his playboy lifestyle, the obvious results of the success of his Megaupload.com business (MikelVizualBazzikHck,
2012). With an annual income of more than $30 million, the flamboyant Mr. Dotcom could afford nearly everything
he wanted, except permanent citizenship as a New Zealander. Yet after his arrest on January 20, 2012, he and his
colleagues were incarcerated in a New Zealand jail, awaiting extradition to the U.S. to stand trial for the charges listed
in their U.S. federal indictment (Acohido, 2012). Mr. Dotcom and his colleagues were initially denied the right
to post bail to obtain temporary freedom because they were deemed by the local magistrate to be a severe flight risk due
to the vast amount of wealth at their disposal.
At his arraignment on January 23, 2012, Mr. Dotcom and his codefendants audaciously denied all the charges in their
indictment, claiming total innocence (Booth, 2012). At this moment, Mr. Dotcom, his fellow incarcerated colleagues, and
their legal defense team are continuing to vigorously fight extradition on the grounds that the U.S. does not have the legal
standing to indict them for the charges listed in the federal indictment.
Nevertheless, the manner in which the authorities in New Zealand apprehended Mr. Dotcom and his colleagues while on
New Zealand soil, while the United States was shutting down the Megaupload.com business website, could be a
foreshadowing of how certain countries will treat others accused of software piracy and copyright infringement in the
future. This trend could occur with or without the passage of SOPA, PIPA, and/or other federal legislation to protect
the rights of intellectual property owners on the Internet. Indeed, this high-profile case of the demise of Mr. Dotcom, his
colleagues and their Megaupload.com business shows the lengths to which the U.S. Government may be willing to go
to shut down websites that promote software piracy, including producing detailed criminal indictments and incarcerating
people, even if they are in foreign countries. Such actions may occur with or without the benefit of legislation such as
SOPA or PIPA. Such actions are also very likely to have a chilling effect on rampant software piracy by international
perpetrators, which had not been taken very seriously until these events (RT.com, 2012).

Some legal experts have predicted that Mr. Dotcom and his colleagues will likely try to use the concept of hacktivism
as a defense against the charges for which they are indicted (Bright, 2012). The idea behind hacktivism as a defense
is that it could be construed as an act protected by the First Amendment: they may try to say they were exercising
their rights of free speech as guaranteed by the First Amendment to the U.S. Constitution. Of course, the U.S.
Government could easily argue that the First Amendment applies only to U.S. citizens and those living in the U.S.,
which would easily defeat the hacktivism-as-protected-free-speech argument.
On February 16, 2012, the U.S. Department of Justice returned a superseding indictment against Kim Dotcom and
his colleagues. The updated indictment was the result of additional investigation by the Department of Justice and it
contained even more charges than the first indictment. The superseding indictment also shed additional light on how
Megaupload.com was actually being used. The document provides additional details stating that Megaupload.com,
which originally had claimed to have had more than 180 million registered users, actually had only 66.6 million users as
of Jan. 19, 2012. Furthermore, the investigation also revealed that only 5.86 million of these users had ever uploaded a
file to either Megaupload.com or Megavideo.com, prosecutors said (Halzack, 2012).
On February 22, 2012, the New Zealand justice system finally permitted Kim Dotcom and his colleagues to post bail and
gain provisional freedom while they wait to learn whether the U.S. Government will have them extradited to the U.S. to
stand trial for the charges listed in the superseding indictment that was filed on February 16, 2012 (Tsukayama, 2012).

Conclusion
The strange, unfolding case of Mr. Dotcom and Megaupload.com, and all the circumstances surrounding the related
actions of the governments of New Zealand and the United States, are certainly worthy of examination as a case study
in a Cyberethics course. In addition, as more facts and events with multiple dimensions in ethics and law are revealed
in this case, the outcome will likely shed additional light on some timely legal issues related to Internet-based software
piracy, the theft of intellectual property, and how lawful governments will treat others who commit similar offenses in the
future. Will the United States and other governments reach beyond their borders again to incarcerate and criminally try
those they believe are guilty of Internet-related crimes such as software piracy and copyright violations? Only time
will tell, but the implications of the U.S. Government's case against Mr. Dotcom and his colleagues will likely have
far-reaching effects in the area of intellectual property, copyrights, software piracy, and the national and international laws
related to these topics for many years to come.

References

Acohido, B. (2012). Government takedown of Megaupload leads to new fears. An article published at the USATODAY.com website on January 20, 2012. Retrieved from the web at http://www.usatoday.com/tech/news/story/2012-01-20/megaupload-arrests-FBI/52697186/1 on January 21, 2012.
The American Dream. (2012). According To The FBI, Internet Privacy Is Now Considered To Be Suspicious Activity. An article published at endoftheamericandream.com. Retrieved from the web at http://endoftheamericandream.com/archives/according-to-the-fbi-internet-privacy-is-nowconsidered-to-be-suspicious-activity on February 4, 2012.
Booth, R. (2012). Kim Dotcom Denies Internet Piracy. An article published on Monday, January 23, 2012 at the Guardian.co.uk website. Retrieved from the web at http://www.guardian.co.uk/technology/2012/jan/23/kim-dotcom-denies-internet-piracy on January 23, 2012.
Bright, A. (2012). Kim Dotcom: Are such Internet sensations pirates or hactivists? An article published at CSMONITOR.com. Retrieved from the web at http://www.csmonitor.com/World/Global-Issues/2012/0125/Kim-Dotcom-Are-such-Internet-sensations-pirates-or-hactivists/Kim-Dotcom on February 5, 2012.
Business Software Alliance. (2010). 2010 Piracy Impact Study: The Economic Benefits of Reducing Software Piracy. Retrieved from the web at http://portal.bsa.org/piracyimpact2010/studies/piracyimpactstudy2010.pdf on February 5, 2012.
Business Software Alliance. (2009). 2009 Software Piracy on the Internet: A Threat To Your Security. Published at Wired.com. Retrieved from the web at http://www.wired.com/images_blogs/threatlevel/2009/10/bsareport.pdf on February 5, 2012.
Flacy, M. (2012). Megaupload owner found hiding in safe room with sawed-off shotgun. An article published at Digitaltrends.com on January 21, 2012. Retrieved from the web at http://www.digitaltrends.com/web/megaupload-owner-found-hiding-in-safe-room-with-sawed-off-shotgun/ on February 5, 2012.
Halzack, S. (2012). Megaupload indictment returned with charges added for Kim Dotcom and others. An article published at the WashingtonPost.com website on February 17, 2012. Retrieved from the web at http://www.washingtonpost.com/business/economy/megaupload-indictment-returnedwith-charges-added-for-kim-dotcom-and-others/2012/02/17/gIQAAXBNKR_story.html on February 20, 2012.
MikelVizualBazzikHck. (2012). MEGAUPLOAD: US Govt yet to present Evidence against Kim Dotcom (3 News). A Youtube.com video posted by MikelVizualBazzikHck. Retrieved from the web at http://www.youtube.com/watch?v=7Fg7_f6-S0I&feature=related on January 30, 2012.
Neuman, J. (2009). Debunking BSA's piracy-malware link. An article published at MYCE.com on October 15, 2009. Retrieved from the web at http://www.myce.com/news/debunking-bsas-piracy-malware-link-21041/ on February 5, 2012.
Paoli, C. (2012). Anonymous Retaliates With Gov., Media Web Site Shutdowns After Megaupload Arrests. An article published at Redmondmag.com on January 19, 2012. Retrieved from the web at http://redmondmag.com/articles/2012/01/19/anonymous-retaliates-after-megaupload-arrests.aspx on January 20, 2012.
RT.com. (2012). US courts already enforcing SOPA-style shut-downs. An article published on December 20, 2011 at RT.com. Retrieved from the web at http://rt.com/usa/news/us-court-sopa-morris-203/ on February 14, 2012.
Ryan, J. (2012). Megaupload Back in High Tech Whack-a-mole. An article published at the ABCNews.com website. Retrieved from the web at http://abcnews.go.com/Technology/megaupload-back-high-tech-whack-mole/story?id=15405292 on January 20, 2012.
Tassi, P. (2012). You Will Never Kill Piracy, and Piracy Will Never Kill You. An article published at Forbes.com on February 3, 2012. Retrieved from the web at http://www.forbes.com/sites/insertcoin/2012/02/03/you-will-never-kill-piracy-and-piracy-will-never-kill-you/ on February 5, 2012.
Tsukayama, H. (2012). Report: Megaupload founder released on bail. An article published at the WashingtonPost.com on February 22, 2012. Retrieved from the web at http://www.washingtonpost.com/business/technology/report-megaupload-founder-released-on-bail/2012/02/22/gIQA7hjBTR_story.html on February 22, 2012.
U.S. Department of Justice. (2012). Federal Indictment against Kim Dotcom, Megaupload.com, et al. A U.S. Government document published at the USATODAY.com website on January 20, 2012. Retrieved from the web at http://i.usatoday.net/tech/pdfs/12-0120-megaupload-indictment.pdf on January 21, 2012.
U.S. Department of Justice. (2012). The Superseding Federal Indictment Against Kim Dotcom, et al. Published on February 16, 2012 at the WashingtonPost.com. Retrieved from the web at http://www.washingtonpost.com/wp-srv/business/documents/megaupload-indictment.pdf on February 22, 2012.

Hacking Humans: The Story of a Successful Well-planned Social Engineering Attack

Abstract
This paper will review an actual incident involving a social engineering exploit, why this exploit was effective, and what
steps could have been taken to recognize and nullify or avoid this exploit. The exploit that will be described involves
authority, pretexting, and deception, resulting in psychological manipulation. The exploit had serious consequences,
both in my personal and professional life. The exploit was short-lived, occurring in August 2008, but very likely damaged
my career and reputation at Gehenomsoft, where I was employed at the time. In addition, this exploit quickly escalated
to a criminal assault against me, and though the case was never resolved, it was a very traumatic experience. This
paper will explore why each of these social engineering techniques was effective, and how I could apply knowledge and
techniques learned from the materials in my Social Engineering class, as well as other research materials, to prevent
similar attacks.

Using Authority and Pretexting as Social Engineering Weapons

This brief paper will examine an incident in which authority and pretexting were used with deception to help an intruder
gain access to an office area that was protected by traditional physical security controls as well as policies, and the
outcomes of this incident. In his book, Influence: Science and Practice, Robert Cialdini discusses the concept
of authority as a trigger that can influence human behavior, for better or worse (Cialdini, 2009). Pretexting is a social
engineering technique in which the social engineer invents a story that sounds convincing, so that he or she may gain
a favor or access to an area to which they might not otherwise be able to obtain access (Hadnagy, 2011). Each of these
social engineering techniques, used with deception, intent, and motive, can constitute a formidable threat that can overcome
most people without the specialized experience and training to recognize them. This incident happened to me at
the Gehenomsoft Midwestern Regional Office in Downers Grove, IL, while I worked at Gehenomsoft in 2008.
In his book, Cialdini reviewed the classic 1974 case study by Professor Milgram, which was cited as an example of how
authority could be used to influence behavior. The Milgram study showed a truly dark side of authority, where his student
subjects were willing to follow orders to send large voltages of electricity into the bodies of the study's participants,
despite what the subjects' consciences might otherwise have led them to believe about whether following these orders was
morally right or wrong. The fact that these subjects consistently followed orders and shocked the participants without
argument, compassion, or question illustrated the degree to which they were influenced by his authority as a professor
and the architect of the study. This was Milgram's simple final conclusion of his experiment: "It is the extreme willingness
of adults to go to almost any lengths on command of an authority that constitutes the chief finding of the study" (Cialdini,
2009).

The Social Engineering Exploit: What Happened?

This social engineering attack, which involved the use of authority, pretexting and deception, occurred on Friday evening,
August 22, 2008, at the site of Gehenomsoft's Midwest Regional Office in Downers Grove, IL. The intruder had
quietly entered the building past the first floor security checkpoint about 6:00 PM and appeared in the hallway on
the third floor of this secure office building after business hours, around 7:00 PM. I encountered this person as I was
returning from the restroom. He identified himself as D. J. Roosevelt and presented an authentic-looking Gehenomsoft
Blue Badge. He stated that he was from field services in the State and Local Government sector, and that his badge had
been mistakenly deactivated. He also said he needed to get some things in the office. I hesitated at first, but he seemed
legitimate, so I used my badge to allow him access into the secured Gehenomsoft offices.
In retrospect I now realize that it was a well-executed social engineering attack in which I was the victim. The perpetrator
used authority, pretexting, and deception for the purpose of psychological manipulation to obtain access to the secure
Gehenomsoft office area, where he wanted access to start his series of property thefts. Another reason that this exploit
worked was that the intruder was African-American. Since he was casually dressed, as many Gehenomsoft Managers
might do on Fridays, I was afraid that if I refused his request to enter the facility, I would later be accused of racism and
my job would be on the line, because in certain workplace situations like that, you are guilty until proven innocent.
When I returned to the conference room where I had been working, I attempted to look him up in the Gehenomsoft Global
Address List of 100,000 employees. I quickly discovered that the intruder was a rogue ex-Gehenomsoft employee and
that I had been unwittingly fooled. Feeling that I was responsible for helping the suspect gain access, I quickly ran back
to find him, confront him and ask him to leave the premises. By the time I found him, he had stuffed several items
into the wheeled travel bag he had with him. More details about this entire incident, including a detailed timeline, are in
Appendix A of this document.

The end result of this exploit was that the intruder got away with stealing thousands of dollars of equipment and
information, and he assaulted me during his exit as I attempted to follow him out of the building. After this incident was
reported, it probably damaged my reputation at Gehenomsoft, showing my management that I was probably
not reliable and that I would exercise poor judgment under duress or in unpredictable, stressful situations.

Summary of the Event Report

I wrote some quick notes and produced an extremely detailed 14-page report that gave the timeline and details of all
events. It was very useful for analysis and led to charges being filed against DJ Roosevelt for criminal assault. There is
currently an open warrant for his arrest.
I distributed this report to:
1. My Gehenomsoft manager
2. Gehenomsoft Security
3. Building Security
4. Downers Grove Police Department (Officer Kimberly Wolfe)

Social Engineering Techniques That Were Used in This Attack
The table below shows the social engineering techniques that were used along with descriptions.

Social Engineering Technique | Description
Authority | I was led to believe that he was a person of authority and was authorized access, so I followed his instructions and used my card to admit him.
Pretexting | His cover story that he worked in the Gehenomsoft State and Local Government Services Sector and that he had been in the field so long that his badge had been deactivated sounded very convincing.
Deception | Since he was an ex-Gehenomsoft employee, he had to use Deception with Authority and Pretexting because his access via his Gehenomsoft Badge was electronically revoked. The only way to gain easy access to the Gehenomsoft facility was to use these techniques.

Table 1

Why These Social Engineering Techniques Were Successful
The table below shows why these social engineering techniques were successful.

Social Engineering Technique | Why Was the Technique Successful?
Authority | He spoke and carried himself like he was a real Gehenomsoft employee, perhaps even a low echelon manager.
Pretexting | His story sounded very convincing and he produced an official Gehenomsoft Blue Badge.
Deception | The deception worked because the Authority and Pretexting techniques worked and because he was already standing outside a Gehenomsoft Facility with a Gehenomsoft Blue Badge. It also worked because I was tired, hungry, and because I believed I would be accused of racism if I refused to assist him by using my badge to grant him access.

Table 2

Defensive Techniques that Could Have Been Used to Prevent the Exploit
The table below shows how these social engineering techniques could have been thwarted.

Social Engineering Technique | How to Prevent this Exploit
Authority | Do not believe anyone who is a stranger, no matter how much authority they seem to have.
Pretexting | Do not believe anyone who is a stranger, no matter how believable their story is. In fact, don't even give them the time of day, even if they have an official Gehenomsoft Blue Badge.
Deception | Do not allow myself to be deceived, especially by a stranger. Recognize the signs of attempted Social Engineering attacks that use techniques such as Authority and Pretexting.

Table 3

Results of the Exploit: Law Enforcement and At Work

In short, the results of this social engineering attack were a bit surprising to me. After a careful review by Gehenomsoft
Global Risk Management and Gehenomsoft Security, my Gehenomsoft management elected not to press criminal
charges against the suspect, even though no one questioned the fact that this former Gehenomsoft employee was the
person who had tricked me into providing access so he could get into a secure area and obtain thousands of dollars worth
of equipment. Because I was assaulted during the suspect's getaway, I elected to work with the officials from the Downers
Grove Police Department, and help them assemble the evidence to file criminal assault charges here in Illinois. As a result,
a warrant was created for his arrest and he cannot legally return to Illinois to live, work and/or visit. Today, as far as I know,
the suspect is now a Private Cloud Evangelist and Messaging Expert for American Airlines and living in the Dallas area.

What If Proper Social Engineering Defenses Had Been Applied?

The following outcomes would have been the likely results if I had been skilled at dealing with this type of social
engineering attack:
1. A foiled attempt at a Social Engineering attack
2. Gehenomsoft equipment would not have been stolen
3. I would not have been assaulted
4. The following would not have been bothered:
   - My Gehenomsoft managers
   - Gehenomsoft Security
   - Building Security
   - Downers Grove Police Department (Officer Kimberly Wolfe)
5. I might still be working at Gehenomsoft

The Importance of Studying and Applying Social Engineering Techniques and Defenses

Every security professional must be mindful of the weaknesses in human systems as well as the other security controls
in place to provide security to people and other assets. When humans are fooled into providing access into a secure
area, the reliability of other security controls can quickly degrade and the intruder can achieve their intended objectives,
whether that might be sabotage, theft, or perhaps something as serious as assault, kidnapping or murder.

Lessons Learned from This Incident

The personal lesson that I learned from this event was to always question the authority and credentials of someone who
is unknown, even when they appear legitimate. I think Gehenomsoft's lesson learned was to confiscate the badges of
all terminated employees. The Building Security was able to use the information in my report to fortify their security and
better train their security staff, so that ex-employees would not be able to access areas where their former offices were
located.
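One technical control that follows from these lessons (revoked badges, and ex-employees reaching their former office areas) is to correlate badge-reader logs against HR revocations. The Python below is an added example, not code from this paper or from Gehenomsoft; the key=value reader-log format, door names, badge IDs and the revocation list are all constructed. It flags a revoked badge that a reader still accepts (a deprovisioning gap like the building entrance in the timeline) and a denial followed seconds later by a different badge opening the same door, which is the trace a badge-in of a denied person leaves in the log.

```python
"""Correlate physical access-control log lines with HR badge revocations.

Added example, not from the original paper or Gehenomsoft. The log format,
door names, badge IDs and revocation list below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed: badges HR has revoked (terminated employees) -> revocation date.
REVOKED_BADGES: Dict[str, str] = {"B-4471": "2008-07-31"}

# Constructed reader log modelled on the incident timeline: a revoked badge is
# accepted at the building entrance (building security never got the revocation),
# is denied at the office suite door, and another badge opens that same door
# seconds later (someone badged the denied person in). B-2210 is a benign retry.
SAMPLE_LOG = """\
2008-08-22T18:00:05 door=MAIN-ENTRANCE badge=B-4471 result=GRANTED
2008-08-22T18:52:10 door=3F-SUITE-EAST badge=B-1102 result=GRANTED
2008-08-22T19:09:40 door=3F-SUITE-EAST badge=B-4471 result=DENIED reason=INACTIVE
2008-08-22T19:10:12 door=3F-SUITE-EAST badge=B-0907 result=GRANTED
2008-08-22T19:30:00 door=3F-SUITE-WEST badge=B-2210 result=DENIED reason=READ_ERROR
2008-08-22T19:30:20 door=3F-SUITE-WEST badge=B-2210 result=GRANTED
"""


@dataclass
class Event:
    ts: datetime
    door: str
    badge: str
    result: str            # GRANTED or DENIED
    reason: Optional[str]  # only present on DENIED lines


@dataclass
class Finding:
    kind: str              # revoked_badge_accepted / revoked_badge_presented / assisted_entry_after_denial
    ts: datetime
    door: str
    badge: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one 'ISO-timestamp key=value ...' line (the assumed log format)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts_text), kv["door"], kv["badge"],
                 kv["result"], kv.get("reason"))


def parse_log(text: str) -> List[Event]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def find_revoked_badge_use(events: List[Event]) -> List[Finding]:
    """Flag every presentation of an HR-revoked badge.

    GRANTED means a reader still honours a credential HR revoked (deprovisioning
    gap); DENIED is still worth a look, because the ex-employee is at the door.
    """
    findings = []
    for ev in events:
        if ev.badge not in REVOKED_BADGES:
            continue
        if ev.result == "GRANTED":
            findings.append(Finding("revoked_badge_accepted", ev.ts, ev.door, ev.badge,
                                    f"revoked {REVOKED_BADGES[ev.badge]} but accepted"))
        else:
            findings.append(Finding("revoked_badge_presented", ev.ts, ev.door, ev.badge,
                                    "revoked badge denied at reader"))
    return findings


def find_assisted_entries(events: List[Event],
                          window: timedelta = timedelta(minutes=2)) -> List[Finding]:
    """Flag a DENIED badge followed by a GRANTED *different* badge at the same door.

    The same badge retrying (a misread) is deliberately not flagged.
    """
    findings = []
    ordered = sorted(events, key=lambda e: e.ts)
    for i, denied in enumerate(ordered):
        if denied.result != "DENIED":
            continue
        for later in ordered[i + 1:]:
            gap = later.ts - denied.ts
            if gap > window:
                break
            if (later.door == denied.door and later.result == "GRANTED"
                    and later.badge != denied.badge):
                findings.append(Finding("assisted_entry_after_denial", later.ts, later.door,
                                        later.badge,
                                        f"{denied.badge} denied {int(gap.total_seconds())}s earlier"))
                break
    return findings


def analyze(text: str) -> List[Finding]:
    """Run both detectors over a log and return findings in time order."""
    events = parse_log(text)
    return sorted(find_revoked_badge_use(events) + find_assisted_entries(events),
                  key=lambda f: f.ts)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts:%H:%M:%S} {f.kind:28} {f.door:14} {f.badge} ({f.detail})")
```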

Conclusions
The incident described in this paper was real, and it used the social engineering techniques of authority, pretexting and
deception to allow the intruder to obtain access and achieve his objective of stealing equipment. This incident could
have been prevented through better security awareness training that focused on the ability of intruders to use well-known
social engineering exploits to obtain access into secure areas. Fortunately, this incident produced valuable lessons
learned, and this course in Human Aspects of Cybersecurity has provided deeper insights on how and why
such social engineering attacks based on authority and deception can succeed. As long as we are capturing lessons
learned in incidents like this, we can aspire to become smarter security professionals and also to incorporate these
lessons into future security awareness training programs so that others can benefit from the knowledge, experience,
and lessons learned.
Finally, the following list of conclusions can be drawn from
- People execute Social Engineering attacks because they know that they can be successful
- If humans are unaware of social engineering techniques, they are vulnerable
- Successful social engineering attacks easily cause other security controls to fail
- Social engineering attacks are extremely dangerous because when they cause other security controls to fail, they can lead to theft and in some cases, threats and/or violence
- Through education, training, and application of proper Social Engineering Defenses, people can minimize vulnerabilities to social engineering attacks

References

Bellevue University. (2012). Videos on Psychological Aspects of Social Engineering Attacks. Retrieved from http://www.au.af.mil/au/awc/awcgate/fbi/nlp_interviewing.pdf on April 14, 2012.
Cialdini, R. B. (2009). Influence: Science and Practice, fifth edition. Boston, MA: Pearson Education.
Hadnagy, C. (2011). Social Engineering: The Art of Human Hacking. Indianapolis, IN: Wiley Publishing, Inc.
Parker, T., et al. (2004). Cyber Adversary Characterization: Auditing the Hacker Mind. Rockland, MA: Syngress Publishing, Inc.
PI Magazine. (2005). FTC Interview on Pretexting. Retrieved from http://www.pimagazine.com/ftc_article.htm on April 6, 2012.
Sandoval, V. A. and Adams, S. H. (2001). Subtle Skills for Building Rapport Using Neuro-Linguistic Programming in the Interview Room. Retrieved from http://www.au.af.mil/au/awc/awcgate/fbi/nlp_interviewing.pdf on April 14, 2012.
Schneier, B. (2008). Psychology of Security. An article published at Schneier.com on January 18, 2008. Retrieved from http://www.schneier.com/essay-155.html on March 13, 2012.
Schneier, B. (2012). Liars & Outliers: Enabling the Trust That Society Needs to Thrive. Indianapolis, IN: John Wiley and Sons, Inc.
Teller. (2012). An Interview with Teller. Published in Smithsonian Magazine, March 2012.
U.S. Department of Homeland Security Office of Security. (2012). Elicitation: Would you recognize it? Retrieved from http://www.social-engineer.org/wiki/archives/BlogPosts/ocso-elicitation-brochure.pdf on March 29, 2012.
Wiles, J., et al. (2007). Low Techno Security's Guide to Managing Risks: For IT Managers, Auditors, and Investigators. Burlington, MA: Syngress Publishing, Inc.
Wiles, J., et al. (2012). Low Tech Hacking: Street Smarts for Security Professionals. Waltham, MA: Syngress Publishing, Inc.
Wilhelm, T. and Andress, J. (2011). Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques. Burlington, MA: Syngress Publishing, Inc.

Appendix A: Events related to the Security Breach Incident at Gehenomsoft Downers Grove Office Facility on August 22, 2008

Date: August 23, 2008
To: Rod Blagojevich, Security Manager
From: William F. Slater, III, Data Center Manager
CC: George Ryan, Area Data Center Manager
Subject: Events related to the Security Breach Incident at Gehenomsoft Downers Grove Office Facility on August 22, 2008

Robert,
Thank you for taking the initial security report over the phone last night.
Overall, I feel that it was a very traumatic experience and I am still very upset about it. After re-thinking the events during
the writing of this report, I have come to the conclusion that I was very likely in danger of physical harm from the moment
I first saw the person who identified himself as DJ Roosevelt on the third floor. The fact that he made his way into a
secure building underscores the need to shore up Building Security vulnerabilities at this Downers Grove office location.
Anyway, shown below in Appendix A is my report of the events involving the security breach at the office building where
the Gehenomsoft Downers Grove Office is located. Diagrams with time sequential numbered circles are also included.
I have attempted to be as thorough and complete as possible.
After reviewing this report, please contact me if you have questions or wish to discuss.
Regards,
William F. Slater, III, PMP
Gehenomsoft Corporation
Data Center Manager | Chicago Data Center
US Data Center Services East Region
Global Foundation Services
312-810-4805 mobile / 708-397-2674 x 397 office
312-758-0307 (alternate mobile)
william.slater@Gehenomsoft.com

Appendix A Detailed List of the August 22, 2008 Events Related to the Security Breach at Gehenomsoft
Downers Grove, IL
Event No. Time

Description

Comments

6:00 PM

According to James Thompson, the Building Security person, See Diagram 1.


at 3025 Highland Parkway, Downers Grove, IL, the intruder
entered the building through the main entrance, using his I learned this fact as
security badge.
the police officers and
Building
Engineer
discussed the situation
before we went upstairs
to see where the events
took place inside the
building.

12:00 Noon I worked in the Wrigley Conference Room at Gehenomsoft See Diagram 2.
7:00 PM
Downers Grove
My sole purpose for being
at the Gehenomsoft
Downers Grove office
was to get five new staff
members trained in an
online Security course,
via a cabled network
connection using my
laptop to access the
course
training
that
was on Gehenomsofts
corporate network. Such
access was not possible
where I normally work
at the Gehenomsoft
Chicago Data Center in
Northlake, IL.

7:05 PM

I got ready to go home for the evening. I went to the Mens See Diagram 2
Restroom on the third floor. As I approached the restroom, in
the hallway not far from the restroom, I saw the first person I
saw in almost 90 minutes.

Event No.

Time

Description

7:10 PM

When I left the restroom, I saw this person again. He approached See Diagram 2
me and said he worked for Gehenomsoft. He asked me to help him
gain access to the office area on the third floor. He said he had been
out on assignment for a few months and that his badge had stopped
working. I asked to see his badge and he presented a Gehenomsoft
badge that had the name DJ Roosevelt on it. I asked him where
he worked and he said he worked in the State and Local Area. He
looked like any other Gehenomsoft employee who might be dressed
casually on a Friday, wearing blue jeans and a colored t-shirt. So I
used my badge to help him enter the office area.

7:15 PM

When I returned to the Wrigley Room, I started to have a funny See Diagram 2
feeling about this person, so I looked him up in the Gehenomsoft
Global Address List using my laptop. He didnt exist. I quickly
shutdown and packed up my computer and proceeded to the
office area that he had just entered at 7:10 PM.

| Event No. | Time | Description | Comments |
|---|---|---|---|
| 5 | 7:18 PM | I returned to the other side of the third floor Gehenomsoft office and started looking for this person. First I went through the area on the left side (south side of the floor plan). After I completed searching this area, I saw this person close to the middle part of the floor plan. I asked if he really worked for Gehenomsoft, and he said, "Yes." Then I asked if his name was really DJ Roosevelt. He said, "Yes." Then I asked if I could examine his Gehenomsoft badge once again so I could write down the badge number. He refused this request. I told him I was questioning if he was a Gehenomsoft employee. Then he proceeded to take a set of keys from his pocket and open a storage cabinet where office supplies are stored. At that time, he stated, "See, if I wasn't a Gehenomsoft employee, how would I have keys that would open this cabinet?" At that point, I asked again if his name was really DJ Roosevelt. He laughed and said, "No, it isn't." At that time, I started for the nearest exit (on the south side) to go see the Security Guard downstairs. | See Diagram 2. He was carrying a bag that was on a mobile cart, and a backpack that seemed to be empty. The bag on the cart seemed to be more full than when I first encountered him in the hallway, meaning that he probably filled his bag with several items from the office. Note: He did not discuss his actions or the contents of the bag. |
| 6 | 7:20 PM | This person decided to take the long way around the office area on the south side of the third floor. | See Diagram 2 |
| 7 | 7:20 PM | I started for the nearest exit (on the south side) to go take the elevator and see the Security Guard downstairs. | See Diagram 2 |
| 8 | 7:21 PM | As I entered the elevator, I told this person that he and I would be stopping to have a chat with the building Security Guard. At the time, I forgot that the Security Guard was on the SECOND FLOOR and not the FIRST FLOOR. I thought our destination would take us to where the Security Guard was and that would provide me with assistance. When the elevator door closed, the following transpired: He leaned up against the area where the elevator controls were and said: "I'm telling you man, you better not mess with me. If you do, I'm gonna fuck you up. Do you understand?" Then he lunged at me as if to throw a punch. Then he said, "Do you want me to fuck you up? You better not mess with me. I mean it, I will fuck you up. Do you hear me?" I said, "Yes." And I was extremely shook up over these verbal assaults. | See Diagram 3. |
| 9 | 7:22 PM | Much to my surprise, when the elevator reached the FIRST FLOOR, there was no building Security Guard to assist. The person exited the elevator and proceeded at a very fast pace down the walkway to the First Floor Parking Area. | See Diagram 3 |
| 10 | 7:23 PM | I followed at a distance of about 60 to 70 feet, and called 911 to try to get some police support from the Downers Grove Police Department. | See Diagram 3 |
| 11 | 7:23 PM | Asked the 911 Operator to please dispatch the Downers Grove Police Department as quickly as possible. | See Diagram 4 |
| 12 | 7:24 PM | The person exited through the doors to the First Floor Parking Lot. I tried to follow but, expecting the door to open outward, I was pushing the door rather than pulling it and, finding it wouldn't open, thought it had been locked or tampered with. This was a result of my frustration and trying to continue to pursue the individual and give details to the 911 operator at the same time. | See Diagram 4 |
| 13 | 7:24 PM | The person started his red, late model mini-SUV vehicle and rapidly drove away as I finally got the door to open and tried in vain to get this person's license plate number. I was unsuccessful in trying to get the number. | See Diagram 4 |
| 14 | 7:25 PM to 7:50 PM | I went upstairs to my car parked on the second level parking and patiently waited in my car until the Downers Grove Police Department (DGPD) sent officers to the site to investigate. First on the scene at 7:30 PM was Officer Kim Wolfe, Badge #64, of the DGPD. She arrived in an unmarked police car. Two regular DGPD squad cars arrived a short time later. I gave detailed reports to Officer Wolfe. She gave me the DGPD Report No. 08-8805. | See Diagram 5. Officer Wolfe told me that this incident was not unique in nature because crimes like this are rather common and on the rise in office buildings in the western suburbs of Chicago. Her contact numbers are Voicemail: 630-434-5699 x 4783; General Phone: 630-434-5600. Her e-mail address is kwolfe@downers.us |
| 15 | 7:50 PM | Met with the 3025 Highland Parkway Building Engineer, the Building Security person and the DGPD Officers. The Building Engineer assured us that the person who did this will show up on video that was recorded to DVD. He double checked all the times with me. | See Diagram 5 |
| 16 | 7:57 PM | I accompanied the Building Engineer and officers from the DGPD back up to the third floor to retrace the events involving the person who portrayed himself as a Gehenomsoft employee. I also pointed out the cabinet with office supplies that the person used his keys to open. | See Diagram 5 |
| 17 | 8:13 PM | Went down to the Second Floor Security Guard and wrote out (by hand) an incident report for him. | See Diagram 5 |
| 18 | 8:25 PM | Called my Manager, George Ryan, and left a message. I then called Rod Blaogjevich, our Security Manager. | See Diagram 6 |
| 19 | 8:40 PM | Answered an incoming call from George Ryan. I promised to call Rod Blaogjevich back. | See Diagram 6 |
| 20 | 8:48 PM | I called Rod Blaogjevich back, and as instructed, I also called the Gehenomsoft Global Security Operations Center. | See Diagram 6 |
| 21 | 9:05 PM | Started out on the road for home. | |
| 22 | 9:50 AM to 10:15 AM, August 23, 2008 | George Ryan called and asked for a detailed account of the security breach incident. | (No diagram is associated with this event.) |

Diagram 1 of 6: Security Breach Incident, Second Floor, 6666 Highland Parkway, Downers Grove, IL, Friday Evening, August 22, 2008. Approximate floor plan, not drawn to scale, showing the driveway, the second floor parking area, the elevators, the security desk and the front entrance.

Diagram 2 of 6: Security Breach Incident, Microsoft Offices Suite 600, 6666 Highland Parkway, Downers Grove, IL, Friday Evening, August 22, 2008. Approximate floor plan, not drawn to scale, showing the Wrigley Conference Room, the elevators, the reception desk, and the women's and men's restrooms.

Diagram 3 of 6: Security Breach Incident, First Floor, 6666 Highland Parkway, Downers Grove, IL, Friday Evening, August 22, 2008. Approximate floor plan, not drawn to scale, showing the elevators, with events 9 and 10 marked.

Diagram 4 of 6: Security Breach Incident, First Floor with Parking Garage, 6666 Highland Parkway, Downers Grove, IL, Friday Evening, August 22, 2008. Approximate floor plan, not drawn to scale, showing the elevators and the first floor parking area, with events 11, 12 and 13 marked.

Diagram 5 of 6: Security Breach Incident, Second Floor, 6666 Highland Parkway, Downers Grove, IL, Friday Evening, August 22, 2008. Approximate floor plan, not drawn to scale, showing the driveway, the second floor parking area, the elevators and the front entrance, with events 14, 15, 16 and 17 marked.

Diagram 6 of 6: Security Breach Incident, Second Floor, 6666 Highland Parkway, Downers Grove, IL, Friday Evening, August 22, 2008. Approximate floor plan, not drawn to scale, showing the driveway, the second floor parking area, the elevators, the security desk and the front entrance, with events 18, 19 and 20 marked.

Appendix B Summary and Analysis

Attempting to Solve the Attribution Problem Using Wireshark and Other Tools as an Aid in Cyberwarfare and Cybercrime for Analyzing the Nature and Characteristics of a Tactical or Strategic Offensive Cyberweapon and Hacking Attacks

Introduction
One of the main disadvantages of the hyper-connected world of the 21st century is the very real danger faced by countries, organizations, and people who use networked computer resources connected to the Internet: they are at risk of cyberattacks that could result in anything from denial of service to espionage, theft of confidential data, destruction of data, and/or destruction of systems and services. Recognizing these dangers, the national leaders and militaries of most modern countries now accept that the potential and likely eventuality of cyberwar is very real, and many are preparing to counter the threats of cyberwar with modern technological tools, using strategies and tactics under a framework of cyberdeterrence with which they can deter the potential attacks associated with cyberwarfare.

What is Cyberwarfare?
During my studies prior to and as a student in this DET 630 Cyberwarfare and Cyberdeterrence course at Bellevue University, it occurred to me that, considering the rapid evolution of the potentially destructive capabilities of cyberweapons and the complex nature of cyberdeterrence in the 21st century, it is now a critical priority to integrate cyberwarfare and cyberdeterrence plans into the CONOPS plan. Indeed, if the strategic battleground of the 21st century has now expanded to include cyberspace, and the U.S. has in the last five years ramped up major military commands, training, personnel, and capabilities to support cyberwarfare and cyberdeterrence, the inclusion of these capabilities should now be a critical priority of the Obama administration if it has not already happened.

How large a problem is this for the United States?
Without the integration of cyberwarfare and cyberdeterrence technologies, strategies, and tactics into the CONOPS Plan, the national command authorities run a grave risk of conducting a poorly planned offensive cyberwarfare operation that could precipitate a global crisis, impair relationships with allies, and potentially unleash a whole host of unintended, negative and potentially catastrophic consequences. In non-military terms, at least four notable cyberspace events caused widespread damage via the Internet because of the rapid speed of their propagation and their apparently ruthless and indiscriminate selection of vulnerable targets. They are 1) the Robert Morris worm (U.S. origin, 1988); 2) the ILOVEYOU worm (Philippines origin, 2000); 3) the Code Red worm (U.S. origin, 2001); and 4) the SQL Slammer worm (U.S. origin, 2003). If not executed with great care and forethought, a cyberweapon could potentially unleash even greater damage on intended targets, and possibly on unintended targets that are connected via the Internet.

Other Not So Obvious Challenges for Cyberweapons and Cyberdeterrence
The cyberspace threat and vulnerability landscape is notable in that it is continually dynamic and shifting. Those who are responsible for protecting assets in cyberspace have many more challenges on their hands than their military counterparts who utilize weapons like guns, explosives, artillery, missiles, etc. For example, by some estimates over 350 new types of malware are manufactured each month. There are also monthly patch updates to most Microsoft software and operating systems, and phenomena such as evil hackers and zero-day exploits are apparently never ending. Therefore, the inclusion of cyberweapons and cyberdeterrence capabilities in the CONOPS Plan would require more frequent, rigorous, complex, and integrated testing to ensure that it was always effective and up to date. In the dynamic world of cyberspace, with its constantly shifting landscape of new capabilities, threats and vulnerabilities, coordinating the constant refresh and testing of a CONOPS Plan that integrated these cyberwarfare and cyberdeterrence capabilities would be no small feat. In addition, constant intelligence gathering and reconnaissance would need to be performed on suspected enemies to ensure that our cyberweapons and cyberdeterrence capabilities would be in a constant state of being able to deliver the intended effects for which they were designed.

Is it a problem for other countries?
The careful planning and integration of cyberweapons and cyberdeterrence is likely a challenge for every country with these capabilities. For example, much is already known about our potential adversaries, such as Russia, China and North Korea, but what is perhaps less understood is the degree to which they have been successful in integrating cyberwarfare and cyberdeterrence capabilities into their own national war plans. Nevertheless, due to the previous extensive experience of Russia and the U.S. with strategic war planning, it is likely that these two countries stand the greatest chance of integrating cyberwarfare and cyberdeterrence capabilities into their respective war plans. Yet, as far back as June 2009, it was clear that the U.S. and Russia were unable to agree on a treaty that would create the terms under which cyberwarfare operations could and would be conducted (Markoff, J. and Kramer, A. E., 2009).


Is it problematic for these countries in the same ways or is there variation? What kind?
Every country that is modern enough to have organizations, people, and assets that are connected to computers and the Internet faces similar challenges of planning and managing cyberweapons and cyberdeterrence, and the poorer the country, the more significant the challenges. For example, when a small group of hackers from Manila in the Philippines unleashed the ILOVEYOU worm on the Internet in 2000, it caused over $2 billion in damages to computer data throughout the world. Agents from the FBI went to Manila to track down these people and investigate how and why the ILOVEYOU worm catastrophe occurred. To their surprise, they learned that each of the hackers who were involved could successfully escape prosecution because there were no laws in the Philippines with which to prosecute them. In fact, most countries lack the technological and legal frameworks with which to successfully build a coordinated effort to manage the weapons and strategies of cyberwarfare and cyberdeterrence, despite the fact that most now embrace cyberspace with all the positive economic benefits it offers for commerce and communications.

What are the consequences to the U.S. and others if this threat is left unchecked?
As stated earlier, without the careful integration of cyberwarfare and cyberdeterrence technologies, strategies, and
tactics into the CONOPS Plan, the national command authorities run a grave risk of launching a poorly planned offensive
cyberwarfare operation that could precipitate a global crisis, impair relationships with its allies, and potentially unleash
a whole host of unintended negative and potentially catastrophic consequences.

What consequences has the threat already produced on American/global society?
I believe that yes, the absence of well-defined cyberwarfare and cyberdeterrence strategies and tactics in the CONOPS Plan has already produced some situations that have either damaged America's image abroad, or that could imperil its image and have far more negative consequences. For example, operations such as Stuxnet, Flame, Duqu, etc., might have either been better planned or possibly not executed at all if cyberwarfare and cyberdeterrence strategies and tactics were defined in the CONOPS Plan. Also, the news media indicated that during the revolution in Libya that resulted in the fall of Qaddafi, cyberwarfare operations were considered by the Obama administration. The negative reactions and repercussions on the world stage might have far outweighed any short-term advantages that could have resulted from a successful set of cyberattacks against Libyan infrastructure assets that were attached to computer networks. Again, a comprehensive CONOPS Plan that included well-defined cyberwarfare and cyberdeterrence strategies and tactics could have prevented such possible cyberattacks from even being considered, and it could have prevented the news of the possible consideration being publicized in the press (Schmitt, E. and Shanker, T., 2011). Without such restraint and well-planned, deliberate actions, the U.S. runs the risk of appearing like the well-equipped cyber bully on the world stage, and an adversary who is willing to unleash weapons that can and will do crippling damage to an opponent, using technologies that are rapid, decisive, and not well understood by those for whom they are intended. A similar effect and world reaction might occur if U.S. Army infantry troops were equipped with laser rifles that emitted deadly laser blasts with pinpoint precision across several hundred yards.

Has this threat evolved or changed over time or is it relatively constant? If it has evolved or changed, exactly how has that change happened and what political consequences have emerged from them?
The threat has certainly evolved rapidly over time. Since Stuxnet was released in 2010, countries and the general public are now aware of some of the offensive, strategic and destructive capabilities and potential of cyberweapons (Gjelten, T., 2011).
The changes that produced Stuxnet and other recent, more modern cyberweapons were a national resolve to excel in the cyberwarfare area, coupled with excellent reconnaissance on desired targets, and partnering with computer scientists in Israel. The political consequences are not well understood yet, except to say that the U.S. and Israel are probably less trusted and suspected of even greater future capabilities, as well as having the will to use them. Again, having well-planned cyberwarfare and cyberdeterrence strategies and tactics defined in the CONOPS Plan might indeed restrain such possibly reckless decisions as to unleash cyberweapon attacks without what the world might consider the correct provocation.

Final Thoughts about Cyberwarfare Operations
In the words of Deb Radcliff, in an article published in SC Magazine in September 2012, we are already in a cyberwar (Radcliff, D., 2012). But as I was performing my research, it occurred to me that a country like the U.S. might in the future unleash such a devastating cyberattack that it could cripple the enemy's ability to communicate surrender. I think that the moral implications of such circumstances need to be justly considered as a matter of the laws of war, because if a country continues to attack an enemy that has indicated that they are defeated and want to surrender, this shifts the moral ground from which the U.S. may have believed it was conducting its cyberwarfare operations. This is one other unintended consequence of cyberwarfare and one that needs to be carefully considered.
To further understand the relationship of threats, counter-measures, and exposures in cyberspace, I have included this diagram by Jaquith, shown below.

Figure 1 Logical Model of IT Security Management Controls (Jaquith, 2007)

The Attribution Problem
One of the most perplexing issues of cyberwarfare and cybercrime is the fact that attackers can and very often will use software on other people's computers and servers from which to launch their attacks. Because of the way the Internet was designed, with its end-to-end nature of IP communications, using other computers to launch attacks is not that difficult. In fact, the computers that actually perform the attacks are called zombies, as they are configured with remote control programs that are manipulated by the attackers. The recipients can do forensic analysis and determine which zombie computers sent the attacks; however, it is practically impossible to collect data about who the person or persons were that originated the attacks. Thus, it is very difficult to attribute the original cause of the attack, hence the name "the attribution problem." In cyberwarfare, this is particularly difficult, because the National Command Authorities would want to understand to whom and where they should employ the cyberwarfare-capable units of the U.S. Military to launch a punishing retaliatory cyberattack.


The most common type of attack launched from zombie computers is known as the distributed denial of service attack, or DDoS attack. In February 2000, the first sensational wave of DDoS attacks was launched from zombie computers that were physically located at major universities in California. The following figures provide some of the details about those attacks and which companies were the targets.

Figure 2 Denial of Service Attack diagram from ABC news in February 2000

Figure 3 Denial of Service Attack Victims diagram from ABC news in February 2000


Figure 4 Denial of Service Attack Zombies diagram from ABC news in February 2000

Recent Cyber Attacks
As recently as September 23 to September 30, 2012, cyber attacks in the form of distributed denial of service (DDoS) attacks from the Middle East against several major U.S. banks have publicly demonstrated the ire of the attackers and also the vulnerabilities of banks with a customer presence in cyberspace (Strohm and Engleman, 2012).

How do you know?
It's not always intuitively obvious, but if your network is slowing down, or computers or other devices attached to your network are acting strangely, you could be under attack. It's best, however, to use analysis tools to understand what is really going on.

Free Tools You Can Use


This section covers three free tools that you can use to understand network activity on your network in greater detail.

Wireshark
Wireshark is a free, open source packet analysis tool that evolved from its predecessor, Ethereal. Wireshark is notable for its ability to quickly capture and display traffic in a real-time sequential way, and to allow this traffic to be displayed broken down at the packet level by each layer of the OSI model, from the physical layer up through the application layer. The display also shows the senders and the receivers of each packet, and the traffic can be easily summarized with the selection of a few menu choices. The first figure below is from a table in the Wireshark documentation, and the figures that follow are from an actual Wireshark session where about 500,000 packets were collected for summarization and analysis. All this data can also be saved for later analysis.
Wireshark will run on both Windows-based platforms and Mac OS X platforms. This is the website location where you can find Wireshark: http://www.wireshark.org/download.html.

Figure 5 Wireshark Documentation Packet Analysis Capabilities for Captured Packets

Figure 6 Wireshark Opening Screenshot after a Network Interface Has Been Selected for Packet Capture

Figure 7 Wireshark Conversation Analysis Screen

Figure 8 Wireshark Protocol Analysis Screen

Figure 9 Wireshark Endpoint Analysis Screen
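The Statistics views shown in Figures 7 to 9 (Conversations, Protocol Hierarchy and Endpoints) and the zombie problem from the attribution section can be illustrated without the GUI. The following is an added example written for this page, not code from the article or from the Wireshark project: it computes the same three summaries over a constructed list of packet records (RFC 5737 documentation addresses, no real capture) and then applies a simple flood heuristic. The `Packet` record, the thresholds in `flood_suspects` and the sample traffic are all assumptions of this example.

```python
"""Wireshark-style traffic summaries over a constructed packet list.

Added example (not from the article, and not Wireshark's own code): it
reproduces in plain Python the three Statistics views shown in Figures 7-9
(Conversations, Protocol Hierarchy, Endpoints) and then applies a simple
flood heuristic. The packet records below are constructed sample data,
not a real capture; the addresses come from the RFC 5737 documentation ranges.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since the start of the capture
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    proto: str     # "TCP", "UDP" or "ICMP"
    length: int    # frame length in bytes


# Constructed sample: one web session, a little UDP, then a burst of ICMP
# from 250 distinct hosts aimed at a single internal address.
SAMPLE = (
    [Packet(0.1 * i, "192.168.1.10", "198.51.100.7", "TCP", 1200) for i in range(10)]
    + [Packet(0.1 * i + 0.05, "198.51.100.7", "192.168.1.10", "TCP", 80) for i in range(10)]
    + [Packet(0.2 * i, "192.168.1.11", "192.168.1.1", "UDP", 90) for i in range(5)]
    + [Packet(2.0 + 0.001 * i, f"203.0.113.{i % 250 + 1}", "192.168.1.20", "ICMP", 64)
       for i in range(600)]
)


def endpoints(packets):
    """Per-address totals, like Statistics > Endpoints."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "tx_packets": 0, "rx_packets": 0})
    for p in packets:
        for addr, counter in ((p.src, "tx_packets"), (p.dst, "rx_packets")):
            stats[addr]["packets"] += 1
            stats[addr]["bytes"] += p.length
            stats[addr][counter] += 1
    return dict(stats)


def conversations(packets):
    """Per address-pair totals in either direction, like Statistics > Conversations."""
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        pair = tuple(sorted((p.src, p.dst)))
        convs[pair]["packets"] += 1
        convs[pair]["bytes"] += p.length
    return dict(convs)


def protocol_hierarchy(packets):
    """Packet and byte counts per protocol, like Statistics > Protocol Hierarchy."""
    pk, by = Counter(), Counter()
    for p in packets:
        pk[p.proto] += 1
        by[p.proto] += p.length
    return {proto: {"packets": pk[proto], "bytes": by[proto]} for proto in pk}


def flood_suspects(packets, window=1.0, min_sources=50, min_packets=200):
    """Destinations that receive >= min_packets from >= min_sources distinct
    sources inside some interval of `window` seconds (thresholds are assumptions).

    The sources reported are the machines that transmitted, i.e. the zombies.
    Nothing in the capture identifies whoever controls them: that gap is the
    attribution problem the article describes.
    """
    by_dst = defaultdict(list)
    for p in packets:
        by_dst[p.dst].append(p)
    result = {}
    for dst, plist in by_dst.items():
        plist.sort(key=lambda p: p.ts)
        best, start = None, 0
        for end, pkt in enumerate(plist):
            while pkt.ts - plist[start].ts > window:   # slide the window forward
                start += 1
            in_window = plist[start:end + 1]
            sources = {p.src for p in in_window}
            if len(in_window) >= min_packets and len(sources) >= min_sources:
                if best is None or len(in_window) > best["packets"]:
                    best = {"packets": len(in_window), "distinct_sources": len(sources)}
        if best:
            result[dst] = best
    return result


if __name__ == "__main__":
    for proto, row in protocol_hierarchy(SAMPLE).items():
        print(f"{proto:5} {row['packets']:6} packets {row['bytes']:8} bytes")
    for dst, row in flood_suspects(SAMPLE).items():
        print(f"possible flood toward {dst}: {row['packets']} packets "
              f"from {row['distinct_sources']} sources")
```

Note what the flood report contains: the 250 transmitting addresses, that is, the zombies. Nothing in a capture like this names the party who directed them, which is exactly why the article calls this the attribution problem; the same summaries do, however, tell a defender which destination to protect and which sources to filter.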

Ostinato
Ostinato is a free, open source-based packet generator that can be used to conduct network experiments, particularly
for packet analysis in conjunction with a tool such as Wireshark. It is easy to install, configure and use. Figure 9 below
shows a screenshot from Ostinato.
Ostinato will run on Windows-based platforms and several other platforms. This is the website location where you can
find Ostinato: http://code.google.com/p/ostinato/.

Figure 10 Ostinato Packet Generator Screen


TCPView
TCPView is an excellent analysis program that shows what is happening on your computer at layer four of the OSI networking model. If you remember, this is where TCP and UDP activities take place. TCPView allows the user to view and sort data by process, PID, protocol (TCP or UDP), local address, remote address, port number, TCP state, sent packets, sent bytes, received packets, and received bytes. The data can also be saved for later analysis.
TCPView was originally written by Mark Russinovich and Bryce Cogswell and was published and distributed for free by their company, Sysinternals. In 2006, Microsoft acquired Sysinternals, and TCPView and many other tools that were created by Sysinternals continue to be updated and distributed by Microsoft for free.
TCPView will only run on Windows-based platforms, and this is the website location where you can find TCPView and many other great Sysinternals tools: http://technet.microsoft.com/en-us/sysinternals.

Figure 11 TCPView in operation, with records sorted by sent packets, in descending order
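What TCPView shows can be approximated on a Windows machine from two built-in commands. The following is an added example written for this page (not TCPView and not Sysinternals code): it parses constructed sample output of `netstat -ano` and `tasklist /fo csv /nh`, joins the two on PID so every socket is labelled with its owning process, sorts by any column as TCPView does, and flags established connections owned by processes that are not on a known-good list. The process name `updsvc.exe`, the `KNOWN_GOOD` set and all addresses are constructed placeholders, not real findings.

```python
"""A TCPView-like layer-4 view built from constructed Windows command output.

Added example (not from the article and not a Sysinternals tool): parses the
text that `netstat -ano` and `tasklist /fo csv /nh` print on Windows, joins
them on PID, allows sorting by any column, and flags established remote
connections owned by processes that are not on a known-good list. Both command
outputs below are constructed samples; "updsvc.exe" and the allowlist are
placeholders, not real findings.
"""
import csv
import io

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.5:49712      203.0.113.9:443        ESTABLISHED     4312
  TCP    192.168.1.5:49801      198.51.100.22:8443     ESTABLISHED     7728
  UDP    0.0.0.0:5353           *:*                                    2212
"""

TASKLIST_SAMPLE = """\
"svchost.exe","912","Services","0","12,000 K"
"chrome.exe","4312","Console","1","250,000 K"
"updsvc.exe","7728","Console","1","18,000 K"
"mDNSResponder.exe","2212","Services","0","4,000 K"
"""

# Constructed allowlist: what this particular machine is expected to run.
KNOWN_GOOD = {"svchost.exe", "chrome.exe", "mDNSResponder.exe"}


def split_endpoint(text):
    """'192.168.1.5:49712' -> ('192.168.1.5', 49712); '*:*' -> ('*', None)."""
    host, _, port = text.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Rows of `netstat -ano`; UDP rows have no State column, so the PID shifts left."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                       # banner, header or blank line
        proto, local, remote = parts[0], parts[1], parts[2]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        laddr, lport = split_endpoint(local)
        raddr, rport = split_endpoint(remote)
        rows.append({"proto": proto, "local_addr": laddr, "local_port": lport,
                     "remote_addr": raddr, "remote_port": rport,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if len(row) >= 2}


def build_view(netstat_text, tasklist_text):
    """Join sockets to their owning process, as TCPView's process column does."""
    names = parse_tasklist(tasklist_text)
    return [{**row, "process": names.get(row["pid"], "<unknown>")}
            for row in parse_netstat(netstat_text)]


def sort_view(view, column, descending=False):
    """Sort by any column; None (no port / no state) sorts first."""
    return sorted(view, key=lambda r: (r[column] is not None, r[column]), reverse=descending)


def unrecognized_connections(view, known_good=KNOWN_GOOD):
    """Established connections whose owning process is not on the allowlist:
    the 'unrecognizable programs' the article says to research first."""
    return [r for r in view
            if r["state"] == "ESTABLISHED" and r["process"] not in known_good]


if __name__ == "__main__":
    view = build_view(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for r in sort_view(view, "process"):
        print(f"{r['process']:18} {r['pid']:>6} {r['proto']} {r['local_addr']}:{r['local_port']}"
              f" -> {r['remote_addr']}:{r['remote_port']} {r['state']}")
    for r in unrecognized_connections(view):
        print(f"research this: {r['process']} (PID {r['pid']}) -> {r['remote_addr']}:{r['remote_port']}")
```

The allowlist approach is deliberately conservative: a process that is not on the list is not declared hostile, it is queued for the research step the article recommends, and a process whose name is on the list but runs from an unexpected path would still need a check that this view does not perform.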

Traffic to Watch
By far the most interesting and dangerous external traffic to watch on most networks is ICMP traffic. ICMP is the Internet Control Message Protocol, and there are eight types of ICMP messages. Hackers can easily use ICMP (PING) messages to create DDoS attacks. A tool like Simple Nomad's icmpenum can issue ICMP messages such as ICMP_TIMESTAMP_REQUEST and ICMP_INFO and make it possible to map a network inside of a firewall (K, 2011).
Outbound traffic is just as important as inbound traffic, if not more so (Geers, 2011). It is not uncommon for malware such as botnet clients to take up residence and open up encrypted channels to transmit data to remote servers in places like China, Russia, Eastern Europe and even North Korea.
Programs that are unrecognizable should be suspected as possible malware and should be quickly researched to determine if they are hostile. If they cannot be easily identified, that is a bad sign and they should probably be uninstalled.
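A defender can turn the ICMP guidance above into detection logic. The following is an added example written for this page (not the icmpenum tool, and not code from any source the article cites): it classifies constructed ICMP records by IANA type number, counts which types cross the perimeter in each direction, lists reconnaissance requests (timestamp, information and address-mask requests) arriving from outside, and flags sweeps in either direction, which covers the outbound case the text says matters at least as much as inbound traffic. The internal range, the `RECON_TYPES` set, the sweep threshold and the sample records are assumptions of this example.

```python
"""ICMP watch list over constructed ICMP records.

Added example, not from the article and not icmpenum: classifies ICMP messages
by type, counts which types cross the perimeter in each direction, lists the
reconnaissance request types arriving from outside, and flags sweeps (one
external source touching many internal hosts, or one internal host touching
many external hosts). The records, the internal range and the thresholds are
constructed assumptions.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# IANA ICMP type numbers for the message types handled here.
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request",
              11: "time-exceeded", 13: "timestamp-request", 14: "timestamp-reply",
              15: "information-request", 16: "information-reply",
              17: "address-mask-request", 18: "address-mask-reply"}
# Request types with no routine reason to arrive from the Internet (assumption).
RECON_TYPES = {13, 15, 17}
INTERNAL = ipaddress.ip_network("192.168.0.0/16")   # constructed internal range


@dataclass(frozen=True)
class IcmpEvent:
    ts: float       # seconds since start of capture
    src: str
    dst: str
    icmp_type: int


def direction(ev):
    """'inbound', 'outbound', 'internal' or 'external' relative to INTERNAL."""
    s = ipaddress.ip_address(ev.src) in INTERNAL
    d = ipaddress.ip_address(ev.dst) in INTERNAL
    if s and not d:
        return "outbound"
    if d and not s:
        return "inbound"
    return "internal" if s else "external"


# Constructed sample: routine pings, a mapping attempt from outside, and an
# internal host probing outward.
SAMPLE = (
    [IcmpEvent(i, "192.168.1.10", "198.51.100.1", 8) for i in range(4)]
    + [IcmpEvent(i + 0.02, "198.51.100.1", "192.168.1.10", 0) for i in range(4)]
    + [IcmpEvent(10 + 0.01 * i, "203.0.113.5", f"192.168.1.{i + 1}", 13 if i % 2 else 15)
       for i in range(40)]
    + [IcmpEvent(20 + 0.1 * i, "192.168.1.33", f"203.0.113.{100 + i}", 8) for i in range(30)]
)


def type_census(events):
    """Message count per (direction, type name): what actually crosses the edge."""
    census = Counter()
    for ev in events:
        name = ICMP_TYPES.get(ev.icmp_type, f"type-{ev.icmp_type}")
        census[(direction(ev), name)] += 1
    return census


def recon_from_outside(events):
    """Inbound reconnaissance-type requests, grouped by the external source."""
    hits = defaultdict(set)
    for ev in events:
        if direction(ev) == "inbound" and ev.icmp_type in RECON_TYPES:
            hits[ev.src].add(ev.dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def sweeps(events, min_targets=20):
    """Sources that reach at least min_targets distinct hosts across the perimeter."""
    targets = defaultdict(set)
    for ev in events:
        d = direction(ev)
        if d in ("inbound", "outbound"):
            targets[(ev.src, d)].add(ev.dst)
    return {src: {"direction": d, "targets": len(dsts)}
            for (src, d), dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for (d, name), n in sorted(type_census(SAMPLE).items()):
        print(f"{d:9} {name:24} {n}")
    for src, info in sweeps(SAMPLE).items():
        print(f"sweep from {src}: {info['targets']} hosts, {info['direction']}")
```

The census is the part worth running first on a real network: most sites only need echo request/reply and the error types (3 and 11) to cross the edge, so anything else in the inbound column is a candidate for a firewall rule, and the outbound sweep from a single internal host is the kind of signal that points at a compromised machine rather than at an external attacker.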


A Caution to those Who Understand Network Attacks


Title 10 of the U.S. Code forbids U.S. Citizens from taking offensive action against network attackers. Nevertheless,
monitoring the evidence and results of unwanted traffic could help you understand it and also help you decide how
to improve upon your network defenses (firewall settings for inbound traffic, desktop firewalls, etc.) and even provide
evidence to law enforcement authorities.

The Future
Without trying to present a gloomy picture of the cyberspace environment that is composed of the Internet and all the computers, smart phones and other devices attached to it, it appears that for the time being the bad guys far outnumber the good guys, and it appears that they are winning. But it is also apparent that more free information and free tools are available now than ever before. For the foreseeable future, every person who uses the Internet should seek to educate themselves about the dangers in cyberspace and the ways to protect themselves from these dangers.

Conclusion
This article has briefly reviewed the topic of cyberwarfare and presented some information about free network analysis
tools that can help you better understand your network traffic.
The good news is that President Obama and his Administration have an acute awareness of the importance of the
cyberspace to the American economy and the American military. The bad news is that because we are already in some
form of cyberwarfare that appears to be rapidly escalating, it remains to be seen what effects these cyberattacks and
the expected forthcoming Executive Orders that address cybersecurity will have on the American people and our way of
life. I believe it will be necessary to act prudently, carefully balancing our freedoms with our need for security, and also
considering the importance of enabling and protecting the prosperity of the now electronically connected, free enterprise
economy that makes the U.S. the envy of and the model for the rest of the world.

References

1. Andreasson, K. (Ed.). (2012). Cybersecurity: Public Sector Threats and Responses. Boca Raton, FL: CRC Press.
2. Andress, J. and Winterfeld, S. (2011). Cyber Warfare: Techniques and Tools for Security Practitioners. Boston, MA: Syngress.
3. Andreasson, K. (Ed.). (2012). Cybersecurity: Public Sector Threats and Responses. Boca Raton, FL: CRC Press.
4. Barnett, M. B. and Finnemore, M. (2004). Rules for the World: International Organizations in Global Politics. Ithaca, NY: Cornell University Press.
5. Bayles, A., et al. (2007). Penetration Tester's Open Source Toolkit, Volume 2. Burlington, MA: Syngress.
6. Blitz, A. (2011). Lab Manual for Guide to Computer Forensics and Investigations, fourth edition. Boston, MA: Course Technology, Cengage Learning.
7. Bousquet, A. (2009). The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. New York, NY: Columbia University Press.
8. Brancik, K. (2008). Insider Computer Fraud: An In-Depth Framework for Detecting and Defending Against Insider IT Attacks. Boca Raton, FL: Auerbach Publications.
9. Britz, M. T. (2009). Computer Forensics and Cyber Crime: An Introduction, second edition. Upper Saddle River, NJ: Prentice-Hall.
10. Bush, G. W. (2008). Comprehensive National Cybersecurity Initiative (CNCI). Published by the White House January 2008. Retrieved from http://www.
whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative on January 5, 2012.
11. Calder, A. and Watkins, S. (2010). IT Governance: A Manager's Guide to Data Security and ISO27001/ISO27002, 4th edition. London, UK: Kogan Page.
12. Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O'Reilly.
13. Carrier, B. (2005). File System Forensic Analysis. Upper Saddle River, NJ: Addison-Wesley.
14. Carvey, H. (2009). Windows Forensic Analysis DVD Toolkit, second edition. Burlington, MA:
15. Casey, E. (2011). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, third edition. New York, NY: Elsevier.
16. Chappell, L. (2010). Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide, first edition. San Jose, CA: Chappell
University.
17. Cialdini, R. B. (2009). Influence: Science and Practice, fifth edition. Boston, MA: Pearson Education.
18. Clarke, R. A. and Knake, R. K. (2010). Cyberwar: the Next Threat to National Security and What to Do About It. New York, NY: HarperCollins
Publishers.
19. CNBC. (2012) Cyber Espionage: The Chinese Threat. A collection of articles about the cyber threats posed by Chinese hackers. Retrieved from http://
www.cnbc.com/id/47962207/ on July 10, 2012.
20. Cole, E. and Ring, S. (2006). Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Present Employees and Contractors from Stealing
Corporate Data. Rockland, MA: Syngress Publishing, Inc.
21. Cole, E., et al. (2009). Network Security Bible, second edition. Indianapolis, IN: Wiley Publishing, Inc.
22. Czosseck, C. and Geers, K. (2009). The Virtual battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
23. Davidoff, S. and Ham, J. (2012). Network Forensics: Tracking Hackers Through Cyberspace. Upper Saddle River, NJ: Prentice-Hall.
24. Dhanjani, N. (2009). Hacking: The Next Generation. Sebastopol, CA: O'Reilly.
25. Edwards, M. and Stauffer, T. (2008). Control System Security Assessments. A technical paper presented at the 2008 Automation Summit: A User's Conference, in Chicago. Retrieved from the web at http://www.infracritical.com/papers/nstb-2481.pdf on December 20, 2011.
26. Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from http://omicsgroup.org/
journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
27. Freedman, L. (2003). The Evolution of Nuclear Strategy. New York, NY: Palgrave Macmillan.
28. Friedman, G. (2004). America's Secret War: Inside the Hidden Worldwide Struggle Between America and Its Enemies. New York, NY: Broadway Books.
29. Geers, K. (2011). Strategic Cyber Security. A Cybersecurity technical paper published at DEFCON 20.
30. Georgetown University. (2012). International Engagement in Cyberspace part 1. A YouTube video. Retrieved from http://www.youtube.com/watch?v=R
1lFNgTui00&feature=related on September 21, 2012.
31. Gerwitz, D. (2011). The Obama Cyberdoctrine: tweet softly, but carry a big stick. An article published at Zdnet.com on May 17, 2011. Retrieved from
http://www.zdnet.com/blog/government/the-obama-cyberdoctrine-tweet-softly-but-carry-a-big-stick/10400 on September 25, 2012.
32. Gjelten, T. (2010). Are Stuxnet Worm Attacks Cyberwarfare? An article published at NPR.org on October 1, 2011. Retrieved from the web at http://
www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
33. Gjelten, T. (2010). Stuxnet Computer Worm Has Vast Repercussions. An article published at NPR.org on October 1, 2011. Retrieved from the web at
http://www.npr.org/templates/story/story.php?storyId=130260413 on December 20, 2011.
34. Gjelten, T. (2010). Stuxnet Computer Worm Has Vast Repercussions. An article published at NPR.org on October 1, 2011. Retrieved from the web at
http://www.npr.org/templates/story/story.php?storyId=130260413 on December 20, 2011.
35. Gjelten, T. (2011). Security Expert: U.S. Leading Force Behind Stuxnet. An article published at NPR.org on September 26, 2011. Retrieved from the web at http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
37. Gjelten, T. (2011). Stuxnet Raises Blowback Risk In Cyberwar. An article published at NPR.org on December 11, 2011. Retrieved from the web at
http://www.npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar on December 20, 2011.
38. Gjelten, T. (2011). Stuxnet Raises Blowback Risk In Cyberwar. An article published at NPR.org on December 11, 2011. Retrieved from the web at
http://www.npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar on December 20, 2011.
39. Glenny, M. (2011). Dark Market: Cyberthieves, Cybercops and You. New York, NY: Alfred A. Knopf.
40. Grabo, C. M. (2004). Anticipating Surprise: Analysis for Strategic Warning. Lanham, MD: University Press of America, Inc.
41. Guerin, J. (2010). The Essential Guide to Workplace Investigations: How to Handle Employee Complaints & Problems. Berkeley, CA: Nolo.
42. Guerin, J. (2010). The Essential Guide to Workplace Investigations: How to Handle Employee Complaints & Problems. Berkeley, CA: Nolo.
43. Harper, A., et al. (2011). Gray Hat Hacking: The Ethical Hackers Handbook, third edition. New York, NY: McGraw Hill.
44. Hintzbergen, J., el al. (2010). Foundations of Information Security Based on ISO27001 and ISO27002, second edition. Amersfoort, NL: Van Haren
Publishing.
45. Honkers Union of China. (2012). Honkers Union of China website. Retrieved from http://www.huc.me/ on September 21, 2012.
46. Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
47. Jones, K. J., et al. (2006). Real Digital Forensics: Computer Security and Incident Response. Upper Saddle River, NJ: Addison-Wesley.
48. Jones, R. (2006). Internet Forensics: Using Digital Evidence to Solve Computer Crime. Cambridge, MA, CA: OReilly.
49. K., Dr. (2011). Hackers Handbook, fourth edition. London, U.K.: Carlton.
50. Kaplan, F. (1983), The Wizards of Armagedden: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on
How to Use the Bomb. Stanford, CA: Stanford University Press.
51. Kerr, D. (2012). Senator urges Obama to issue cybersecurity executive order. An article published at Cnet.com on September 24, 2012 Retrieved
from http://news.cnet.com/8301-1009_3-57519484-83/senator-urges-obama-to-issue-cybersecurity-executive-order/ on September 26, 2012.

Cyber Security

69/148

52. Knapp, E D. (2011). Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control
Systems. Waltham, MA: Syngress, MA.
53. Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
54. Landy, G. K. (2008). The IT/Digital Legal Companion: A Comprehensive Business Guide to Software, IT, Internet, Media, and IP Law. Burlington, MA:
Syngress.
55. Langer, R. (2010). Retrieved from the web at http://www.langner.com/en/blog/page/6/ on December 20, 2011.
56. Libicki, M.C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: Rand Corporation.
57. Lockhart, A. (2007). Network Security Hacks: Tips & Tools for Protecting Your Privacy, second edition. Sebastopol, CA: OReilly.
58. Logicalis. (2011). Seven Ways to Identify a Secure IT Environment. Published at IT Business Edge in 2011. Retrieved from http://www.itbusinessedge.
com/slideshows/show.aspx?c=92732&placement=bodycopy in May 5, 2011.
59. Long, J., et al. (2008). Google Hacking for Penetration testers, Volume 2. Burlington, MA: Syngress Publishing, Inc.
60. Long, J., et al. (2008). No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Burlington, MA: Syngress Publishing,
Inc.
61. Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. An article published in the New York Times on June 28,
2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
62. Mayday, M. (2012). Iran Attacks US Banks in Cyber War: Attacks target three major banks, using Muslim outrage as cover. An article published on
September 22, 2012 at Poltix.Topix.com. Retrieved from http://politix.topix.com/homepage/2214-iran-attacks-us-banks-in-cyber-war on September
22, 2012.
63. McBrie, J. M. (2007). THE BUSH DOCTRINE: SHIFTING POSITION AND CLOSING THE STANCE. A scholarly paper published by the USAWC
STRATEGY RESEARCH PROJECT. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA423774 on September 30, 2012.
64. Middleton, B. (2005). Cyber Crime Investigators Field Guide, second edition. Boca Raton, FL: Auerbach Publications.
65. Mitnick, K. and Simon, W. (2002). The Art of Deception: Controlling the Human Element Security. Indianapolis, IN: Wiley Publishing, Inc.
66. Mitnick, K. and Simon, W. (2006). The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers. Indianapolis, IN: Wiley
Publishing, Inc.
67. Nelson, B., Et al. (2010). Guide to Computer Forensics and Investigations, fourth edition. Boston, MA: Course Technology, Cengage Learning.
68. Northcutt, S. and Novak, J. (2003). Network Intrusion, third edition. Indianapolis, IN: New Riders.
69. Obama, B. H. (2012). Defense Strategic Guidance 2012 Sustaining Global Leadership: Priorities for 21st Century Defense. Published January 3,
2012. Retrieved from http://www.defense.gov/news/Defense_Strategic_Guidance.pdf on January 5, 2012.
70. Obama, B.H. (2011). INTERNATIONAL STRATEGY for Cyberspace. Published by the White House on May 16, 2011. Retrieved from http://www.
whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf on May 16, 2011.
71. Osborne, M. (2006). How to Cheat at Managing Information Security. Rockland, MA: Syngress.
72. Parker, T., et al. (2004). Cyber Adversary Characterization: Auditing the Hacker Mind. Rockland, MA: Syngress Publishing, Inc.
73. Payne, K. B. (2001). The Fallacies of Cold War Deterrence and a New Direction. Lexington, KY: The University of Kentucky Press.
74. Philipp, A., et al. (2010). Hacking Exposed Computer Forensics: Secrets and Solutions, second edition. New York, NY: McGraw-Hill.
75. Pry, P. V. (1999). War Scare: Russia and America on the Nuclear Brink. Westport, CT: Praeger Publications.
76. Radcliff, D. (2012). Cyber cold war: Espionage and warfare. An article published in SC Magazine, September 4, 2012. Retrieved from http://www.
scmagazine.com/cyber-cold-war-espionage-and-warfare/article/254627/ on September 7, 2012.
77. Reynolds, G. W. (2012). Ethics in Information Tehnology, 4th edition. Boston, MA: Course Technology.
78. Reynolds, G. W. (2012). Ethics in Information Tehnology, 4th edition. Boston, MA: Course Technology.
79. Rogers, R., et al. (2008). Nessus Network Auditing, second edition. Burlington, MA: Syngress.
80. Rosenbaum, R. (2011). How the End Begins: The Road to a Nuclear World War III. New York, NY: Simon and Schuster.
81. RT. (2012). Iran may launch pre-emptive strike on Israel, conflict could grow into WWIII senior commander. An article published at RT.com on
September 23, 2012. Retrieved from http://rt.com/news/iran-strike-israel-world-war-803/ on September 24, 2012.
82. Sanger, D. E. (2012). Confront and Coneal: Obamas Secret Wars and Surprising Use of America Power. New York, NY: Crown Publishers.
83. Schell, B. H., et al. (2002). The Hacking of America: Whos Doing It, Why, and How. Westport, CT: Quorum Press.
84. Schlesinger, J. (2012). Chinese Espionage on the Rise in US, Experts Warn. An article published at CNBC.com on July 9, 2012. Retrieved from http://
www.cnbc.com/id/48099539 on July 10, 2012.
85. Schmidt, H. S. (2006). Patrolling Cyberspace: Lessons Learned from Lifetime in Data Security. N. Potomoc, MD: Larstan Publishing, Inc.
86. Schmitt, E. and Shanker, T. (2011). U.S. Debated Cyberwarfare in Attack Plan on Libya. An article published in the New York Times on October 17,
2011. Retrieved from http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html on October 17, 2011.
87. Seagren, E. (2007). Secure Your Network for Free: Using NMAP, Wireshark, SNORT, NESSUS, and MRTG. Rockland, MA: Syngress.
88. Seagren, E. (2007). Secure Your Network for Free: Using NMAP, Wireshark, SNORT, NESSUS, and MRTG. Rockland, MA: Syngress.
89. SEM. (2011). The Hackers Underground. Retrieved from http://serpentsembrace.wordpress.com/2011/05/17/the-hackers-underground/ on September
21, 2012.
90. Simpson, M. T., et al. (2011). Hands-On Ethical Hacking and Network Defense. Boston, MA: Course Technology.
91. Skpudis, E. and Liston, T. (2006). Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses, second edition. Upper
Saddle River, NJ: Prentice-Hall.
92. Soloman, M. G., et al. (2011). Computer Forensics Jump Start, second edition. Indianapolis, IN: Wiley Publishing, Inc.
93. Stallings, W. (2011). Network Security Essentials: Applications and Standards, fourth edition. Boston, MA: Prentice Hall.
94. Stiennon, R. (2010). Surviving Cyber War. Lanham, MA: Government Institutes.
95. Strohm, C. and Engleman, E. (2012). Cyber Attacks on U.S. Banks Expose Vulnerabilities. An article published at BusinessWeek..com on September
28, 2012 Retrieved from http://www.businessweek.com/news/2012-09-27/cyber-attacks-on-u-dot-s-dot-banks-expose-computer-vulnerability on
September 30, 2012.
96. Technolytics. (2011). Cyber Commanders eHandbook: The Weaponry and Strategies of Digital Conflict. Purchased and downloaded from Amazon.
com on April 16, 2011.
97. The Hackers Underground. An article published at the Serpents Embrace blog. Retrieved from http://serpentsembrace.wordpress.com/tag/honkerunion-of-china/ on September 21, 2012.
98. Trost, R. (2010). Praaactical Intrusion Analysis: Prevention and Detection for the Twenty-First Century. Boston, MA: Addison-Wesley.
99. Vacca, J. R. (2002). Computer Forensics: Computer Crime Scene Investigation. Hingham, MA: Charles River Media.
100. van Wyk, K. R. and Forno, R. (2001). Incident Response. Cambridge, MA, CA: OReilly.
101. Verizon. (2012). The 2012 Verizon Data Breach Investigations Report. Retrieved from http://www.verizonbusiness.com/resources/reports/rp_databreach-investigations-report-2012_en_xg.pdf on September 17, 2012.
102. Version. (2012). The 2012 Verizon Data Breach Investigations Report. Retrieved from http://www.verizonbusiness.com/resources/reports/rp_databreach-investigations-report-2012_en_xg.pdf on September 17, 2012.

Cyber Security

70/148

103. Volonino, L. and Anzaldua, R. (2008). Computer Forensics for Dummies. Hoboken, NJ: Wiley Publishing, Inc.
104. Waters, G. (2008). Australia and Cyber-Warfare. Canberra, Australia: ANU E Press.
105. Whitman, M. E. and Mattord, H. J. (2007). Principles of Incident Response & Disaster Recovery. Boston, MA: Course Technology Cengage
Learning.
106. Wikipedia Commons. (2011). Stuxnet Diagram. Retrieved from the web at http://en.wikipedia.org/wiki/File:Step7_communicating_with_plc.svg on
December 20, 2011.
107. Wiles, J., et al. (2007). Low Techno Securitys Guide to Managing Risks: For IT Managers, Auditors, and Investigators. Burlington, MA: Syngress
Publishing, Inc.
108. Wiles, J., et al. (2012). Low Tech Hacking: Street Smarts for Security Professionals. Waltham, MA: Syngress Publishing, Inc.
109. Wilhelm, T. and Andress, J. (2011). Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques. Burlington, MA: Syngress Publishing,
Inc.
110. Zalewski, M. (2005). Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks. San Francisco, CA: No Starch Press.
111. Zetter, K. (2011). How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History. An article published on July 11, 2011 at Wired.
com. Retrieved from the web at http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1 on December 20, 2011.
112. Zittrain, J. (2012). Professor Zittrain Q&A Hacktivism: Anonymous, lulzsec, and Cybercrime in 2012 and Beyond. A YouTube video. Retrieved from
http://www.youtube.com/watch?v=CZWjfxY8nmU&feature=related on September 21, 2012.

Audit Project Plan
for Dalton, Walton, & Carlton, Inc.

Introduction
This Audit Project Plan will provide the Charter, Scope, Statement of Work, Communications Management Plan, Quality
Management Plan, and other associated IT Infrastructure project-related information for the audit of Dalton, Walton, and
Carlton's entire infrastructure.

Assumptions
1. We will be performing this audit work as a certified security specialist in accordance with the best practices described
under ISO 19011:2011 Guidelines for Auditing Management Systems. Therefore we will not actually be touching or
logging into any IT equipment that belongs to Dalton, Walton, & Carlton, nor will we be using our own equipment to log
into any computer network that belongs to Dalton, Walton, & Carlton.
2. Estimated times are estimates only. If the activities require less time, only the time actually spent will be logged.
Conversely, if any activities take more time, the actual time spent will be logged.

Estimated Time Required


We are estimating a total of 60.0 hours for the actual work effort involved in this engagement. The audit should take
about 40 hours and the report with findings and recommendations should require about 20 hours of preparation time.

Conclusion
This IT infrastructure audit should take approximately five days. If management has the necessary requested
documentation and evidence of controls, the audit process should go well. If not, this audit may require multiple visits
and take longer than the management team planned. Nevertheless, the end result should be that Dalton, Walton, &
Carlton will have a better understanding of the effectiveness of its Security relative to its infrastructure.

Best regards,

William F. Slater, III


MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Owner and Sr. Security Consultant, Slater Technologies

Project Charter

Executive Summary
Dalton, Walton & Carlton, Inc. has chosen Slater Technologies, Inc. to perform a detailed IT Infrastructure audit on its
IT Infrastructure and submit its findings and recommendations.

Introduction
This is the Project Charter for the IT Infrastructure Audit Project.

Project Name
IT Infrastructure Audit Project at DALTON, WALTON & CARLTON, Inc.

Description
DALTON, WALTON & CARLTON will use this project to determine the state of its IT Infrastructure.

Purpose
DALTON, WALTON & CARLTON's customers and business partners are inquiring with increasing regularity about
DALTON, WALTON & CARLTON's posture and progress in the area of Information Security, because in many cases
they too have adopted their own Information Security framework for their internal business policies, processes, and
procedures. This audit will provide the necessary information related to the current state of DALTON, WALTON &
CARLTON's IT Infrastructure.

Resource Time Period


The time period of this project is from March 5, 2013 to approximately March 19, 2013.

Resource Budget
The budget for this project is not published.

Team Members
TBA (DALTON, WALTON & CARLTON): IT Manager
William Slater (Slater Technologies, Inc.): Audit Project Manager

Project Steering Committee
TBA (DALTON, WALTON & CARLTON): President and CEO
TBA (DALTON, WALTON & CARLTON): CFO
TBA (DALTON, WALTON & CARLTON): CIO

Additional Project Stakeholders
TBA (DALTON, WALTON & CARLTON): Chief of Staff
TBA (DALTON, WALTON & CARLTON): Director of HR
TBA (DALTON, WALTON & CARLTON): Accounting Manager
TBA (DALTON, WALTON & CARLTON): Lead Application Developer
TBA (DALTON, WALTON & CARLTON): Web Application Developer
TBA (DALTON, WALTON & CARLTON): Web Master
TBA (DALTON, WALTON & CARLTON): Manager Client Relationship Services
TBA (DALTON, WALTON & CARLTON): Director Marketing & Sales
TBA (DALTON, WALTON & CARLTON): Director Critical Customer Relationship

Assumptions
The Audit Project Manager will be provided the time, asset information, business process information, and other
associated resources, as well as access to the people and the information required to successfully complete this project
within the allotted time.

Constraints
Time, Budget, and Schedule comprise the standard constraints of every project. In addition, the following project risks
and business risks have been identified:

Project Risks
Not accomplishing this IT Infrastructure Audit as quickly as possible to meet the needs and requirements of
DALTON, WALTON & CARLTON
Minimize Negative Business Impacts
Understanding:
    DALTON, WALTON & CARLTON Culture
    Needs, Politics, and Customer and Business Pressures on the Business Leaders
Enable Project requirements with minimal Business Impact to DALTON, WALTON & CARLTON
Accurate collection, classification of asset data and information
Accurate identification of Business Data Processes, and Data and Information Owners
Accurate risk assessment (threats and vulnerabilities) of asset data
Accurate application and documentation of controls to asset data
Successful implementation of the ISMS and the Information Security Awareness Program
Survive being the Bearer of Bad News

Business Risks
Any negative impacts related to the IT Infrastructure Audit could negatively impact the business operations of
DALTON, WALTON & CARLTON.
In the 21st Century, the Business Risks and negative consequences related to substandard Information Security
practices now exceed the efforts required to protect data and information.

Resource Skills and Training Requirements
The Audit Team will bring its own experience, knowledge, resource tools and laptop to the project. They will be given
access to a Dalton, Walton & Carlton e-mail account (OFFICE 360). They will also be given access to the DALTON,
WALTON & CARLTON documentation, especially documents related to corporate policies, guidelines, processes, and
procedures.
A network accessible portal (Sharepoint Server?) will be established on DALTON, WALTON & CARLTON's network as
an Audit Document Repository.

Approvals
As of February 18, 2013, both the President at DALTON, WALTON & CARLTON and the Managing Director at DALTON,
WALTON & CARLTON approved this Audit Project.

Project Scope Statement


Scope
The Scope of this audit will be Dalton, Walton, and Carlton's entire IT Infrastructure.

Objectives
Determine the following with regard to Dalton, Walton, and Carlton's entire infrastructure:
Existence of company policies related to asset usage
Existence of company policies related to Internet usage
Existence of company policies related to e-mail usage
Effectiveness of company policies related to asset usage
Effectiveness of company policies related to Internet usage
Effectiveness of company policies related to e-mail usage
Existence of other company controls related to asset usage
Existence of other company controls related to Internet usage
Existence of other company controls related to e-mail usage
Effectiveness of other company controls related to asset usage
Effectiveness of other company controls related to Internet usage
Effectiveness of other company controls related to e-mail usage
Existence of other company controls related to data and asset usage
Existence of other company controls related to data and Internet usage
Existence of other company controls related to data and e-mail usage
Effectiveness of other company controls related to data and Internet usage
Effectiveness of other company controls related to data and e-mail usage
Existence and effectiveness of security awareness training related to asset usage, Internet usage and e-mail
usage
Existence and effectiveness of records related to employee participation in security awareness training
Existence and effectiveness of records related to employee disciplinary actions related to misuse of assets,
Internet and/or e-mail
Existence and effectiveness of Infrastructure documentation
Existence and effectiveness of Infrastructure documentation related to Internet usage
Existence and effectiveness of Infrastructure documentation related to e-mail usage
Existence and effectiveness of Infrastructure documentation related to Internet security
Existence and effectiveness of Infrastructure documentation related to e-mail security
Existence and effectiveness of documentation related to company asset usage
Existence and effectiveness of documentation related to employee Internet usage
Existence and effectiveness of documentation related to employee e-mail usage
Existence and effectiveness of service management and service level agreement(s) related to asset usage
Existence and effectiveness of service management and service level agreement(s) related to Internet usage

Existence and effectiveness of service management and service level agreement(s) related to employee e-mail
usage

Statement of Work
Audit Steps
Members of the Slater Technologies Audit Team will:
1. Conduct a pre-audit meeting, discuss the audit plan, and request evidence of the following:
Existence of company policies related to Internet usage
Existence of company policies related to e-mail usage
Existence of other company controls related to Internet usage
Existence of other company controls related to e-mail usage
Existence of other company controls related to data and Internet usage
Existence of other company controls related to data and e-mail usage
Effectiveness of other company controls related to data and Internet usage
Effectiveness of other company controls related to data and e-mail usage
Existence of security awareness training related to Internet usage and e-mail usage
Existence of records related to employee participation in security awareness training
Existence of records related to employee disciplinary actions related to misuse of Internet and/or e-mail
Existence of Infrastructure documentation and provider usage related to Internet usage
Existence of Infrastructure documentation and provider usage related to e-mail usage
Existence of Infrastructure documentation related to Internet security
Existence of Infrastructure documentation related to e-mail security
Existence of documentation related to employee Internet usage
Existence of documentation related to employee e-mail usage
Existence of service management artifacts and service level agreement(s) related to asset usage, Internet
usage, and e-mail usage
2. Discuss the roles and responsibilities
3. Present an audit schedule with workflow diagrams, tests and procedures.
4. Conduct the audit on the list of artifacts gathered. Collect evidence for each item.
5. Prepare the audit findings report
6. Prepare recommendations
7. Conduct the audit close-out meeting and present the report with the audit findings and recommendations

8. Create and present a remediation plan
9. Conduct a follow-up to evaluate the remediation actions
10. Prepare and present the final audit report that covers the status of the remediation actions

Schedule, Activities and Deliverables


See Appendices A, B, and C for this information.

Schedule Management Plan


The Project Schedule is shown in Appendix A and Appendix B. It organizes and defines the scope of the project by
subdividing the project into work units.
The Schedule and the Deliverables will be managed according to the dates in the project schedule. The Audit Project's
progress will be reported on a weekly basis, and any schedule or deliverable changes that take place will be documented
and reviewed under the Change Management Plan and be reflected as soon as possible in a Weekly Status Report or
a special Ad Hoc Project Status Report.

Risk Management Plan


The Risk Management Plan will consist of a risk analysis process by which the various project risks will be identified
by members of the project team and then analyzed according to the methodology and the tables shown in Appendix D.
After the risk identification and analysis process, each risk will be carefully recorded in the Project Risk Register shown
in Appendix E.

Risk Assessment Methodology & Procedure


The Risk Assessment Methodology will be iterative, simple, and based primarily on the idea that the major risks
associated with an asset can be identified, characterized, and quantified. Each risk will be carefully cataloged in a Risk
Register and assigned a remediation strategy and an owner. Note that the Risk Assessment effort continues for the
duration of the Audit Project, and that the Risk Assessment Register could be updated as frequently as once per week,
during the Project Team Meeting. The basic steps are outlined below.
Risk Assessment Procedure
1. Identify the project detail or impact to be analyzed
2. Describe the project detail or impact
3. Identify and describe threats for this project detail or impact
4. For each threat, assess risk using the following criteria (see tables in Appendix D):
    a) How frequently this event could occur
    b) The amount of damage that could happen
    c) The ability to detect it if it occurs
    Multiply the values from a), b), and c) to determine the Risk Probability Number (RPN)
5. Update the Risk Register, assigning a Risk Owner and Risk Management Strategy (Appendix E shows an example
Risk Register for Dalton, Walton & Carlton)
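The procedure above, carried through as an added worked example that is not part of the Audit Project Plan: a small Risk Register that scores each threat with the RPN product and ranks the entries. Because the Appendix D tables are not reproduced here, the 1-to-5 scales, the sample entries and the strategy thresholds are assumptions.

```python
"""Risk Register with Risk Probability Number (RPN) scoring.

Added example for the Risk Assessment Procedure; not part of the plan.
Scales (1..5 for each criterion) and strategy thresholds are assumed,
since the Appendix D tables are not on the page.
"""
from dataclasses import dataclass
from typing import List, Optional

SCALE_MIN, SCALE_MAX = 1, 5  # assumed scale for all three criteria


def risk_probability_number(frequency: int, damage: int, detectability: int) -> int:
    """Step 4: multiply the scores for a) frequency, b) damage, c) detectability.

    Detectability is scored so that a higher value means the event is harder
    to detect; that way all three factors push the RPN in the same direction.
    Scores outside the assumed scale are rejected rather than silently used.
    """
    for name, value in (("frequency", frequency), ("damage", damage),
                        ("detectability", detectability)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{name}={value} is outside {SCALE_MIN}..{SCALE_MAX}")
    return frequency * damage * detectability


@dataclass
class Risk:
    """One Risk Register row (steps 1 to 3, plus the owner/strategy of step 5)."""
    detail: str                     # project detail or impact being analyzed
    threat: str                     # threat identified for that detail
    frequency: int
    damage: int
    detectability: int
    owner: Optional[str] = None
    strategy: Optional[str] = None  # Mitigate / Accept / Transfer / Avoid

    @property
    def rpn(self) -> int:
        return risk_probability_number(self.frequency, self.damage, self.detectability)


def suggest_strategy(score: int) -> str:
    """Map an RPN to a default strategy (thresholds assumed, max RPN is 125).

    'Transfer' is left to the Risk Owner to choose explicitly, since it depends
    on whether a third party (insurer, supplier) can actually carry the risk.
    """
    if score >= 60:
        return "Avoid"
    if score >= 27:
        return "Mitigate"
    return "Accept"


def update_register(register: List[Risk], default_owner: str) -> List[Risk]:
    """Step 5: give every row an owner and a strategy, then rank by RPN."""
    for risk in register:
        risk.owner = risk.owner or default_owner
        risk.strategy = risk.strategy or suggest_strategy(risk.rpn)
    return sorted(register, key=lambda r: r.rpn, reverse=True)


# Constructed sample rows, drawn from the plan's list of early risks.
SAMPLE_REGISTER = [
    Risk("Asset inventory", "Inaccurate collection or classification of asset data", 3, 4, 3),
    Risk("Audit schedule", "Requested documentation not ready at the pre-audit meeting", 4, 3, 1),
    Risk("Findings report", "Negative findings poorly received (bearer of bad news)", 2, 2, 2),
]

if __name__ == "__main__":
    ranked = update_register(list(SAMPLE_REGISTER), default_owner="Audit Project Manager")
    for r in ranked:  # highest RPN first
        print(f"RPN {r.rpn:3d}  {r.strategy:8s}  {r.owner:22s}  {r.threat}")
```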
Early risks that have already been identified:
Project Risks
Minimize Negative Business Impacts
Understanding:
    Dalton, Walton & Carlton Culture
    Needs, Politics, and Customer and Business Pressures on the Business Leaders
Enable Project Needs with minimal Business Impact
Accurate collection, classification of asset data and information
Successful Auditing of the Dalton, Walton & Carlton IT Infrastructure
Survive being the Bearer of Bad News
Business Risks
Customers who have Information Security Compliance Frameworks will expect the same from their business
partners
In the 21st Century, the Business Risks and negative consequences related to substandard Information Security
practices now exceed the efforts required to protect data and information.

Proposed Risk Management Processes

[Flowchart: Proposed Risk Management Processes for IS Risk List Pilot (Phase: PLAN). Swimlanes: User or Employee,
Contractor or Intern, Head of Information Assurance, Risk Committee, Risk Owner, IS Incident Response Team.
Process steps: Start; Identify Risk; Input Risk to IS Risk List (see instructions); Assign Appropriate Risk Owner;
Update Risk Parameters and Risk Owner in Risk List; Communicate Details to Risk Owner; Investigate Risk; Notify
Incident Response Team; Initiate Incident Response Plan; Notify Management; Decide Risk Management Strategy
(Mitigate, Accept, Transfer, Avoid); Take Action (Mitigate, Accept, Transfer, Avoid); Update Risk List; Bi-Weekly Review
Meeting; Stop. Decision points (Yes/No): Credible?; Assigned Owner?; Emergency Imminent?; Risk Item Resolved?]

Communications Plan
Team Members:
TBA (DALTON, WALTON & CARLTON): IT Manager
William Slater (Slater Technologies, Inc.): Audit Project Manager

Project Steering Committee:
TBA (DALTON, WALTON & CARLTON): President and CEO
TBA (DALTON, WALTON & CARLTON): CFO
TBA (DALTON, WALTON & CARLTON): CIO

Additional Project Stakeholders:
TBA (DALTON, WALTON & CARLTON): Chief of Staff
TBA (DALTON, WALTON & CARLTON): Director of HR
TBA (DALTON, WALTON & CARLTON): Accounting Manager
TBA (DALTON, WALTON & CARLTON): Lead Application Developer
TBA (DALTON, WALTON & CARLTON): Web Application Developer
TBA (DALTON, WALTON & CARLTON): Web Master
TBA (DALTON, WALTON & CARLTON): Manager Client Relationship Services
TBA (DALTON, WALTON & CARLTON): Director Marketing & Sales
TBA (DALTON, WALTON & CARLTON): Director Critical Customer Relationship

Communication Methods, Frequency and Descriptions

Source: Weekly Project Team Meetings
Frequency: Weekly
Description: The Project Team (TBA and William Slater). These weekly meetings will take place either at the end of
the week or at the beginning of the week.
Outcome: Agendas and Minutes Reports will be prepared. Requested changes and improvements will be implemented.

Source: Weekly Project Status Management Meetings
Frequency: Weekly
Description: Project Owner and the Project Managers will participate. These weekly meetings will take place either at
the end of the week or at the beginning of the week.
Outcome: Agendas and Minutes Reports will be prepared. Any requested changes and improvements will be
documented and implemented.

Source: Senior Management Meetings
Frequency: As needed.
Description: The Project Team and the Stakeholders will be invited.
Outcome: Agendas and Minutes Reports will be prepared. Any requested changes and improvements will be
documented and implemented.

Source: Audit Project Management Review Meetings
Frequency: As needed.
Description: The Project Leadership Team (TBA and William Slater) will meet once a week to discuss the status of
the project. These monthly contract review meetings will start in November and continue for the duration of the project.
Outcome: Any requested changes and improvements will be documented and implemented.
Comments: One-Page Summary of the Project Status.

Source: Project Manager E-Mails
Frequency: Random and infrequent.
Description: Infrequent e-mail requests made by the Project Manager.
Outcome: Any requested changes and improvements will be documented and implemented.

Source: Stakeholder and Management E-Mails
Frequency: Random but infrequent.
Description: Infrequent e-mail requests made by the Dalton, Walton & Carlton Management.
Outcome: Any requested changes and improvements will be documented and implemented.

Change Management Plan
One of the most fundamental DALTON, WALTON & CARLTON project management responsibilities is to properly
manage change. Changes are a natural part of all projects, but they must be controlled and explained to all stakeholders
to ensure expectations are met and deliverables maintain high quality. This is especially true for large, company-wide
projects that have many interdependent parts. The key highlights of this project's Change Control Process are shown
below:
Definition of a Change
An internal (DALTON, WALTON & CARLTON) or external (client) change in process, or a request that could affect the
Scope of Work, deliverables, budget, schedule, the Project Management Plan, the IT department or other DALTON,
WALTON & CARLTON department, Reports, layouts, and anything in operations that impacts the process between
receiving project-related work products and displaying results in the ISMS.
All changes will be assessed for impact to schedule, deliverables, budget and risk. It is possible that changes that
could impact the schedule, deliverables, or budget could require a renegotiation of the Services Delivery contract.
Each change should be documented, and evaluated for cost, time, risk, and repercussions. The written Change Request
Form below is to be approved for each material change. This form allows changes to be detailed (e.g. mock-ups,
success criteria, deliverable assumptions, etc.) before the ISMS architect and/or business units begin work.
Change Management Form:
Change Management Title:
Description of Changes:

Schedule change:
Budget change:
Scope change:
Project document changes:
Change Control Board

Name: TBA
Role: IT Project Manager
Responsibility: DALTON, WALTON & CARLTON IT Project Management
Authority: Recommend and Review

Name: William Slater
Role: IT Audit Project Manager
Responsibility: IT Audit Project Management
Authority: Recommend and Review

Name: TBA
Role: President and CEO
Responsibility: DALTON, WALTON & CARLTON Operations and Executive Management
Authority: Recommend, Review and Approve

Name: TBA
Role: CFO
Responsibility: DALTON, WALTON & CARLTON Chief Financial Officer
Authority: Recommend, Review and Approve

Name: TBA
Role: CIO
Responsibility: DALTON, WALTON & CARLTON Chief Information Officer
Authority: Recommend, Review and Approve


Change Control Process

Change request submittal: Every change will be documented using the form shown above and then submitted for review and approval.
Change request tracking: Change requests will be numbered, dated and tracked.
Change request review: Changes will be reviewed for approval by the Audit Project Change Control Board.
Change request disposition: Change requests will be retained, whether they are approved or not.

Attach relevant forms used in the change control process.

Quality Management Plan


DALTON, WALTON & CARLTON and Slater Technologies shall continually monitor this IT Infrastructure Audit Project's
performance based on the results of their surveillance or assessments. In the event of a negative evaluation, Slater
Technologies shall initiate a performance improvement plan for review and approval by DALTON, WALTON & CARLTON
Management.
Using the critical success factors, Slater Technologies together with DALTON, WALTON & CARLTON will perform
performance evaluation activities on a regular basis. Each requirement identified in the Audit Project Plan has clear
expectations and metrics with defined time intervals. The requirements that are crucial to support, and that most affect the
customer, are identified as critical success factors. Using these factors, the surveillance methods and the schedule as a
guideline, Slater Technologies will monitor its performance. At the end of the task order period of performance, Slater
Technologies will ask DALTON, WALTON & CARLTON for an evaluation of overall performance.

Non-Compliance
Errors, defects, issues, deviations, and noncompliance with the requirements specified in individual task orders
must be itemized, documented, tracked to closure, and reported by DALTON, WALTON & CARLTON Management.
The DALTON, WALTON & CARLTON Project Manager and Slater Technologies must verify that all problems are tracked
to closure and must provide continuing feedback to management and, if necessary, to the Project Team and Stakeholders
concerning the status of the problem.

Performance Improvement
During the period of performance, if Slater Technologies' performance is found to be below DALTON, WALTON &
CARLTON's expectations as set out in the Statement of Work, Slater Technologies may initiate a performance
improvement plan.
If Slater Technologies can quickly resolve the deficiency with a solution acceptable to DALTON, WALTON & CARLTON,
SLATER TECHNOLOGIES may forgo the remainder of the performance improvement process at DALTON, WALTON
& CARLTON's discretion. SLATER TECHNOLOGIES shall submit a plan to the COTR (Contracting Officer's Technical
Representative) within five (5) working days of the identification of the deficiency. The plan shall consist of the
following components:
Problem Identification
Improvement Alternatives
Recommended Solution
Solution Implementation
DALTON, WALTON & CARLTON will provide a response to SLATER TECHNOLOGIES within five (5) working days.
Upon DALTON, WALTON & CARLTON approval of the improvement plan, SLATER TECHNOLOGIES shall immediately
commence implementing the solution.

Rating Elements and Standards of Performance


If needed, and mutually agreed upon, SLATER TECHNOLOGIES' performance can be evaluated by assessing the
key deliverables described above and/or the critical factors contained within the Statement of Work. The rating elements
and acceptable standards of performance for the key deliverables are described below.

Quality of Performance
Completeness: The contractor addressed all of the requirements relating to the deliverable.
Content: The deliverable under review shows evidence of comprehensive research and provides a thorough treatment
of the deliverable's topic.
Professionalism: The deliverable under review is written clearly.
Timeliness: Delivered according to the schedule established in the contract or as modified by the CO (Contracting Officer).
Internal Quality Control: The extent to which SLATER TECHNOLOGIES identifies problems and/or deficiencies in the
deliverables and corrects them.

Process of Quality Assurance Assessment


The process by which SLATER TECHNOLOGIES' performance will be evaluated is as follows and may be modified in
discussion with SLATER TECHNOLOGIES at the Post-Contract Award Meeting. Each deliverable will be evaluated in
accordance with the following definitions of Contractor performance.
Excellent: Level of performance exceeding the minimum standards of performance for the deliverable:
Meets all elements of satisfactory performance
Stays ahead of schedule
Submits deliverables ahead of schedule, needing few or no further revisions
All goals as outlined in the Statement of Work are met
Satisfactory: Level of performance meeting the minimum standards of performance for the deliverable:
All deliverables are prepared and submitted according to required specifications
Stays on schedule
All deliverables are submitted on time without delay
Deliverables need a minimal amount of revision by Slater Technologies, with no more than one revision submitted
Quality and quantity of staffing is upheld throughout the duration of the contract
Unacceptable: Level of performance that fails to meet the minimum standards of performance for the deliverable:
Does not meet the elements of satisfactory performance
More than one deliverable submission is required
Unable to stay on schedule
The DALTON, WALTON & CARLTON Project Manager must substantiate all individual scores judged to be Excellent or
Unacceptable. Performance at the Satisfactory level is expected from SLATER TECHNOLOGIES.

The DALTON, WALTON & CARLTON Project Manager will forward copies of completed evaluation forms to Slater
Technologies within five (5) business days of the date each deliverable is received by the DALTON, WALTON
& CARLTON Project Manager.
For the purpose of documentation, SLATER TECHNOLOGIES may respond in writing to any unacceptable score within
five working days after receipt of the form. This does not mean that the DALTON, WALTON & CARLTON
Project Manager will change his scores.
SLATER TECHNOLOGIES will review each key deliverable evaluation form prepared by the DALTON, WALTON &
CARLTON Project Manager. When appropriate, the CO may investigate the event further to determine whether all the facts
and circumstances surrounding the event were considered in the opinions recorded on the forms. Discussion with SLATER
TECHNOLOGIES of an unacceptable deliverable does not negate DALTON, WALTON & CARLTON's right to
terminate SLATER TECHNOLOGIES for default or poor performance.

Deliverable Performance Metrics


Quality Performance (QP) is the measure of technical soundness, grammar and rework of each product developed as
part of this support effort. The following paragraphs define the Quality measurement standards:
Technical Proficiency (TP): Does the product have sufficient technical definition to adequately address the defined
issue?
Table for Technical Proficiency (TP) Performance Standards
Technical Proficiency (TP)
Exceptional: Performance meets all and exceeds many STATEMENT OF WORK requirements. Products are of the highest
quality with no technical issues. The product effectively addresses all technical questions, enabling timely and efficient
decision making by the customer.
Satisfactory: Performance meets most STATEMENT OF WORK requirements. Products are of good quality, meeting
minimal technical requirements. The product addresses most technical questions.
Unsatisfactory: Performance meets few STATEMENT OF WORK requirements, with poor technical content that does not
adequately address the technical issue.

Grammar: Does the product contain grammar errors such as poor spelling or poor sentence structure?
Table for Grammar (Gr) Performance Standards
Grammar (Gr)
Exceptional: Performance meets all and exceeds many STATEMENT OF WORK requirements. Products are of the highest
quality with no grammatical issues: no misspelled words, no undefined acronyms, and the document was delivered in the
proper format.
Satisfactory: Performance meets most STATEMENT OF WORK requirements. Products are of good quality, meeting
minimal grammatical expectations: few misspelled words, most acronyms defined and minimal issues with document
format.
Unsatisfactory: Performance meets few STATEMENT OF WORK requirements, with poor technical content and
excessive grammatical errors in spelling, use of acronyms and format.

Rework: Does the contractor consistently require excessive rework to accomplish the assigned task?

Table for Rework Performance Standards
Rework Performance (Rw)
Exceptional: Performance meets all and exceeds many STATEMENT OF WORK requirements. Products are of the highest
quality with no rework required prior to acceptance by the customer.
Satisfactory: Performance meets most STATEMENT OF WORK requirements. Products are of good quality and required
minimal rework prior to acceptance by the customer.
Unsatisfactory: Performance meets few STATEMENT OF WORK requirements, with poor technical content, and excessive
rework was required prior to acceptance by the customer.

Each of these quality measures is graded using the Phase Performance Report. All scores will include examples of
contractor Quality Performance. The scores will be consolidated to establish a consolidated quality score for the task
order.
Quality Performance (QP) = Technical Proficiency + Grammar Performance + Rework Performance.

Contribution Effectiveness (CE) Performance Metrics


a. Contribution Effectiveness is defined as the ability of the contractor to perform the task requirements specified in the
Task Order and to provide sound, comprehensive, professional products and services that a) directly respond to
the task and answer the action, question or issue, or provide the specified information; and b) meet the customer's
timeline to support DALTON, WALTON & CARLTON decision making and responses.
b. The nature of support services often requires the contractor to respond to undefined tasking on a daily basis. The
customer's tasks normally include a suspense date and a definition of the task goal. The purpose of the Contribution
Effectiveness assessment is to determine the contractor's performance in executing the defined service task
within the requirements of the Statement of Work.
c. Contribution Effectiveness has three specific performance measurement areas: Quality, Responsiveness and
Timeliness. Each of these performance standards within this Performance Measure will be measured separately
to develop an overall consolidated performance measure for Quality, Responsiveness, and Timeliness. These
separate scores will be consolidated to calculate the overall task order Contribution Effectiveness performance
grade for each reporting period. The following paragraphs define the performance standards for measurement of
each Contribution Effectiveness measure.
Responsiveness (RP) is a measure of SLATER TECHNOLOGIES' ability to respond to defined issues or contract
changes, such as unplanned changes in task order requirements from the DALTON, WALTON & CARLTON Project
Manager or DALTON, WALTON & CARLTON Management. Other changes include, but are not limited to:
Approved modifications to the Statement of Work
Relocation of Personnel within a Functional Area or Between Functional Areas
Change of Work Location from On-Site to Off-Site
Contractor Personnel Attendance or Performance Issues
Other

Table for Responsiveness Performance Standards
Responsiveness Performance (RP)
Exceptional: Performance meets all and exceeds many STATEMENT OF WORK requirements. All formally identified
requests are resolved in a timely and efficient manner.
Satisfactory: Performance meets most STATEMENT OF WORK requirements. Most formally identified requests are
resolved in a timely and efficient manner.
Unsatisfactory: Performance meets few STATEMENT OF WORK requirements. Few formally identified requests are
resolved in a timely or efficient manner.

Timeliness (TiP) is a measure of the contractor's ability to deliver products in a timely manner. The delivery schedule in a
service environment is primarily determined upon assignment of the task. Both Dalton, Walton & Carlton and the
contractor should make every effort to obtain written agreement on the delivery schedule at the time of assignment, but a
lack of a written delivery date does not prevent Dalton, Walton & Carlton from grading timeliness for each period of
performance.
Table for Timeliness Performance Standards
Timeliness Performance (TiP)
Exceptional: Performance meets all and exceeds many STATEMENT OF WORK requirements. All formally defined
delivery dates and informally defined delivery schedules are met.
Satisfactory: Performance meets most STATEMENT OF WORK requirements. Few formally defined delivery dates are
missed and most informally defined delivery schedules are met.
Unsatisfactory: Performance meets few STATEMENT OF WORK requirements. Most defined delivery dates are missed
and an excessive number of informally defined delivery schedules are missed.

The following process will be utilized to collect, validate, consolidate and analyze Quality, Responsiveness and Timeliness
Performance effectiveness by SOW task.
a. The DALTON, WALTON & CARLTON Project Manager will initiate the process with a request to Slater
Technologies for Quality performance with sample supporting data for each quality measure. The DALTON,
WALTON & CARLTON Project Manager will utilize a Contract Performance Survey to capture input from multiple
members of the DALTON, WALTON & CARLTON team supported by Statement of Work task deliverable.
b. Upon receipt of the Performance Survey performance data from the Dalton, Walton & Carlton team, the DALTON,
WALTON & CARLTON Project Manager will review performance and grade the performance using the guidelines
established in the Quality Management Plan.
c. Once completed, the DALTON, WALTON & CARLTON Project Manager will submit the completed Performance
Report to SLATER TECHNOLOGIES.
d. Generation of monthly Contractor Performance Reports (CPR) will be accomplished. The CPR will be a
consolidated report as defined in this document (Contractor Performance Report Generation).
e. Quality, Responsiveness, Timeliness and Teamwork Performance is a calculated score comprised of the summed
values of each of the performance areas defined in this section. The scoring system is defined below in the
Contractor Performance Report Generation Portion of this document.
Quality, Responsiveness, and Timeliness (QRT) = Quality Performance (QP) + Responsiveness Performance (RP)
+ Timeliness Performance (TiP).

Corrective and Preventive Action


SLATER TECHNOLOGIES' Quality Control Plan, which will be managed by SLATER TECHNOLOGIES and the
DALTON, WALTON & CARLTON Project Manager, will provide both corrective and preventive actions to assure that
all quality standards are met or exceeded. The plan consists of the following items:
1. Regular review of Audit Project performance via deliverables and a weekly SLATER TECHNOLOGIES
Management Report that the Project Manager will write and submit each Friday.
2. Regular participation in all management meetings with DALTON, WALTON & CARLTON Management and the
DALTON, WALTON & CARLTON Project Manager, especially those that occur monthly to review Audit Project
Contract performance.
3. Other meetings with DALTON, WALTON & CARLTON Management and the DALTON, WALTON & CARLTON
Project Manager as required.
4. Addressing any deficiencies as they are identified, complete with action plans and progress reviews if necessary
to ensure the required levels of performance, including meeting deliverable schedules and quality as required by the
Statement of Work and DALTON, WALTON & CARLTON Management.

Contractor Performance Report Generation


The scoring process defined below is a bottom up monthly process. Scores are entered at the lowest level of each
Performance Area and cumulative scores are calculated as defined below. Where necessary these scores are combined
to calculate the cumulative performance for each Performance area. Performance Area scores are consolidated by
Statement of Work Deliverable and cumulative Statement of Work Deliverable Performance scores are calculated.
Consolidation of cumulative Statement of Work Deliverable scores are used to calculate Contract Performance. The
following section of this report defines the calculation process.

Score Development Process


Each Performance measure uses adjective grades as defined in the previous section of this document. The principal
input tool to the scoring process is the Monthly Contractor Performance Input Report or the Phase Performance Input
Report. The following section of this report defines the process for converting performance from adjective grades to
measurable standards capable of meeting each of the assessment goals defined in the Quality Management Plan.
Each of the Performance and Sub-Performance areas will receive one (1) of three (3) possible scores:
Exceptional
Satisfactory
Unsatisfactory
Conversion from adjective to numerical scoring is accomplished by assigning a numerical value to each
performance score. Numerical values will be assigned as follows:
Exceptional = 10 points
Satisfactory = 5 points
Unsatisfactory = 0 points
In this manner each performance area can be graded using measurable performance standards, which enables
achievement of each of the assessment objectives described in paragraph 5.1 above.

Development of cumulative scores for each performance/sub-performance area


Step #1 Development of Monthly Score (MS).

Quality Performance Calculation Example:

QAms = TPms + Grms + Rwms + RPms + TiPms
EXAMPLE SCORES
Monthly Technical Proficiency (TPms) Adjective Score = Exceptional, Monthly Score (TPms) = 10
Monthly Grammar Performance (Grms) Adjective Score = Satisfactory, Monthly Score (Grms) = 5
Monthly Rework Performance (Rwms) Adjective Score = Satisfactory, Monthly Score (Rwms) = 5
Monthly Responsiveness Performance (RPms) Adjective Score = Unsatisfactory, Monthly Score (RPms) = 0
Monthly Timeliness Performance (TiPms) Adjective Score = Exceptional, Monthly Score (TiPms) = 10
QAms = 10 + 5 + 5 + 0 + 10 = 30
Step #2. Calculate the Cumulative Score (Cum) for each performance area.
Quality Performance Calculation Example:
QAmax = (# QA sub-areas x 10) + previous QAmax
QAcum = (QAms + previous cumulative points) / QAmax
For this example, two months have already passed, so the previous QAmax = 2 x 50 = 100 and the previous cumulative
points total = 85.
QAmax = (5 x 10) + 100 = 150
QAcum = (30 + 85) / 150
QAcum = 115 / 150
QAcum = .77
All cumulative scores are calculated as percentages and tracked as percentages.
This process is followed for each of the performance measures.
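As an added worked example (not part of the original plan), the following Python implements the two steps above: the adjective-to-points conversion of Step #1 and the cumulative percentage of Step #2. The point values (10/5/0) and the five sub-areas follow the plan; the three months of grades fed through it are constructed values, with the third month matching the example figures above.

```python
"""Contractor performance scoring as laid out in the Quality Management Plan.

Adjective grades are converted to points (Exceptional = 10, Satisfactory = 5,
Unsatisfactory = 0), summed to a monthly score, and the cumulative score is
kept as a percentage of the maximum points available to date.
"""
from dataclasses import dataclass, field

POINTS = {"Exceptional": 10, "Satisfactory": 5, "Unsatisfactory": 0}
# The five sub-areas scored each month in the plan's worked example:
# Technical Proficiency, Grammar, Rework, Responsiveness, Timeliness.
SUB_AREAS = ("TP", "Gr", "Rw", "RP", "TiP")
MAX_PER_MONTH = len(SUB_AREAS) * max(POINTS.values())  # 5 x 10 = 50


def monthly_score(grades):
    """Step 1: sum the points for one month's adjective grades.

    Every sub-area must carry one of the three adjectives; a missing or
    misspelled grade raises rather than silently counting as zero, because
    an Unsatisfactory (0) and an ungraded area must not look the same.
    """
    missing = [area for area in SUB_AREAS if area not in grades]
    if missing:
        raise ValueError(f"ungraded sub-areas: {missing}")
    total = 0
    for area in SUB_AREAS:
        grade = grades[area]
        if grade not in POINTS:
            raise ValueError(f"{area}: unknown adjective grade {grade!r}")
        total += POINTS[grade]
    return total


@dataclass
class CumulativeTracker:
    """Step 2: rolling points earned versus points available (QAmax)."""
    earned: int = 0
    available: int = 0
    history: list = field(default_factory=list)  # (month score, QAmax, QAcum)

    def add_month(self, grades):
        """Add a month's grades and return the cumulative percentage QAcum."""
        ms = monthly_score(grades)
        self.earned += ms
        self.available += MAX_PER_MONTH  # QAmax grows by 50 each month
        qacum = round(self.earned / self.available, 2)
        self.history.append((ms, self.available, qacum))
        return qacum


# Constructed grades for three months; month 3 is the plan's worked example.
EXAMPLE_MONTHS = [
    {"TP": "Exceptional", "Gr": "Exceptional", "Rw": "Exceptional",
     "RP": "Exceptional", "TiP": "Exceptional"},                      # 50
    {"TP": "Exceptional", "Gr": "Exceptional", "Rw": "Satisfactory",
     "RP": "Unsatisfactory", "TiP": "Exceptional"},                   # 35
    {"TP": "Exceptional", "Gr": "Satisfactory", "Rw": "Satisfactory",
     "RP": "Unsatisfactory", "TiP": "Exceptional"},                   # 30
]


def run_example():
    """Feed the three constructed months through the tracker."""
    tracker = CumulativeTracker()
    for grades in EXAMPLE_MONTHS:
        tracker.add_month(grades)
    return tracker


if __name__ == "__main__":
    for ms, qamax, qacum in run_example().history:
        print(f"month score {ms:>2}  QAmax {qamax:>3}  QAcum {qacum:.2f}")
```

Because the cumulative score is a ratio of points earned to points available, one Unsatisfactory month pulls the running percentage down less and less as the contract proceeds; that is the behaviour the plan's "tracked as percentages" rule implies, and the tracker's history makes it visible month by month.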

Surveillance Approach
Purpose
This section details the method to be used in verifying contractor compliance with the contract requirements. The key
elements of this process are the contractor's quality control program and Dalton, Walton & Carlton's identified high-risk
and critical operational requirements.
Surveillance Approach
The intent of the surveillance approach is to allow DALTON, WALTON & CARLTON to gain confidence in SLATER
TECHNOLOGIES' way of doing business and then adjust the level of oversight to a point that maintains that confidence
while minimizing administrative cost to DALTON, WALTON & CARLTON. Given this intent, the surveillance approach
may not stay the same throughout the duration of the contract.

Surveillance Folder
A surveillance folder will be developed and maintained to accomplish contract quality assurance for a performance
requirement. The folder is typically contained in hardcopy, but may be maintained in a computer database provided that
there is adequate backup of the data to preclude accidental loss. The surveillance folder must contain the following sections,
but may contain any other sections or information that the DALTON, WALTON & CARLTON Project Manager finds useful.

Quality Assurance Surveillance Plan


This document is the Quality Assurance Surveillance Plan.

Contractors Quality Control Plan


SLATER TECHNOLOGIES' Quality Control Plan will be managed by SLATER TECHNOLOGIES and will consist
of the following:
1. Regular review of SLATER TECHNOLOGIES performance via deliverables and a weekly SLATER
TECHNOLOGIES Management Report that SLATER TECHNOLOGIES will write and submit each Friday.
2. Regular participation in all management meetings with DALTON, WALTON & CARLTON Management and the
DALTON, WALTON & CARLTON Project Manager, especially those that occur monthly to review Audit Project
Contract performance.
3. Other meetings with DALTON, WALTON & CARLTON Management and the DALTON, WALTON & CARLTON
Project Manager as required.
4. Addressing any deficiencies as they are identified, complete with action plans and progress reviews if necessary
to ensure the required levels of performance, including meeting deliverable schedules and quality as required by the
Statement of Work and DALTON, WALTON & CARLTON Management.
Activity Log
SLATER TECHNOLOGIES will create and provide a Surveillance Activity Checklist: conversations or meetings with the
contractor, notes and comments.
Contract
See any of the following to obtain a current copy of the Audit Project Contract.
The DALTON, WALTON & CARLTON Project Manager
SLATER TECHNOLOGIES
Record
A section used for filing all documentation associated with contract quality assurance, e.g. discrepancy reports (both
active and resolved),Customer Complaint forms, correspondence, receiving report inputs, letters of interpretation from
the DALTON, WALTON & CARLTON Project Manager, etc. (This section may take up two sections of the folder.)

Surveillance Methods
100 Percent Inspection
Surveillance based on 100% inspection is considered the most appropriate method for infrequent tasks or activities
with stringent performance requirements. 100% inspection is used for rigorous performance requirements when safety
and health are on the line, or passing this Audit is at stake. Based on resource constraints and cost impact, DALTON,
WALTON & CARLTON exercises this method of surveillance in cases where outputs and/or deliverables define integral
aspects of critical program elements.
Random Sampling
This is often the most appropriate method for recurring tasks. With random sampling, services are sampled to determine
if the level of performance is acceptable. Random sampling works best when the number of instances of the services
being performed is very large and a statistically valid sample can be obtained. Computer programs may be available to
assist in establishing sampling procedures.

Periodic Inspection
This method, sometimes called planned sampling, consists of the evaluation of tasks selected on other than a 100
percent or random basis. It may be appropriate for tasks that occur infrequently and where 100 percent inspection is
neither required nor practicable. A predetermined plan for inspecting part of the work is established using subjective
judgment and analysis of agency resources to decide what work to inspect and how frequently to inspect it.
Customer Input
Although usually not a primary method, this is a valuable supplement to more systematic methods. For example, in a case
where random sampling indicates unsatisfactory service, customer complaints can be used as substantiating evidence.
In certain situations where customers can be relied upon to complain consistently when the quality of performance is
poor, e.g. building services, customer surveys and customer complaints may be a primary surveillance method and
customer satisfaction an appropriate performance standard. In all cases, complaints should be documented, preferably
on a standard form.
Data Tracking
Spreadsheets and database applications can be used as surveillance methods. Summaries of such data tracking metrics
can be distributed to management in weekly, monthly, quarterly, biannually, or annual intervals.
Walkthrough
Walkthroughs are beneficial for evaluating plans, documentation, and other deliverables. They serve to orient staff
members to new technology products and services. Walkthroughs will be conducted internally and on an as-needed
basis. They will be used to present plans, documentation, or other deliverables for review and approval, work being
performed, deliverable due dates, major milestones and critical paths, and/or scheduled reports. This particular method
of surveillance will be conducted consistent with other appropriate monitoring techniques to validate the results of the
evaluation, reinforce other measures of performance, and ensure consistency.

Process Improvement Plan


Methodology and Sources of Input:
The IT Audit Project Team will employ the classic Deming Model of Plan, Do, Check, and Act to implement Process
Improvement during the ISMS Implementation Project. See figure below:

Figure 2 Plan Do Check Act Cycle

Feedback for the process improvement will be received and processed at the meetings described in the Communications
Plan section of this document.

Document Owner and Approval


The President of Dalton, Walton & Carlton is the owner of this document and is responsible for ensuring that this
procedure is reviewed in line with the review requirements of this IT Infrastructure Audit Project.
A current version of this document is available to all members of Executive Staff on the Dalton, Walton & Carlton
Intranet and will be published in the Project Management folder of the Dalton, Walton & Carlton Audit Project Document
Repository.
This plan was submitted for approval by the Managing Director on February 18, 2013 and is issued on a version
controlled basis under his signature.
Signature:

Date: February 18, 2013

______________________________________
TBA, President

Change History Record

Issue   Description of Change   Approval    Date of Issue
        Initial issue           President   February 18, 2013

Appendix A Audit Schedule

Every audit day, 07:30 AM to 07:59 AM: Arrive at Dalton, Walton, and Carlton and get processed in.
Every audit day, 12:00 Noon to 12:59 PM: Lunch.

Day 1, 3/5/2013:   08:00 AM Task 1.0; 09:00 AM Task 2.0 (remainder of the day)
Day 2, 3/6/2013:   08:00 AM Task 3.0 (all day)
Day 3, 3/7/2013:   08:00 AM Task 4.0 (all day)
Day 4, 3/8/2013:   08:00 AM Task 5.0 (all day)
Day 5, 3/9/2013:   08:00 AM Task 6.0 (all day)
Day 6, 3/12/2013:  08:00 AM Task 7.0 (all day)
Day 7, 3/13/2013:  08:00 AM Task 8.0; 02:00 PM Task 9.0; 04:00 PM Task 10.0

Working hours each day run from 08:00 AM to 04:59 PM.

Appendix B Itemized Description of Audit Work

Task No.  Item                                   Estimated Hours  Planned Date  Actual Hours  Actual Date  Comments
1.0       Project Kick-Off Meeting               0.5              3/5/2013
2.0       Audit Work                             7.5              3/5/2013                                 Observe and record observations
3.0       Audit Work                             8.0              3/6/2013                                 Observe and record observations
4.0       Audit Work                             8.0              3/7/2013                                 Observe and record observations
5.0       Audit Work                             8.0              3/8/2013                                 Observe and record observations
6.0       Audit Work                             8.0              3/9/2013                                 Observe and record observations
7.0       Analysis of results                    8.0              3/12/2013                                Perform analysis of results
8.0       Prepare and Submit Final Audit Report  5.0              3/13/2013                                Prepare and submit the final report after the review has been completed
9.0       Prepare Remediation Plan               2.0              3/13/2013
10.0      Project Close-out Meeting              1.0              3/13/2013
Total     Estimated Total                        56.0

Appendix C Audit Work Responsibility Assignments

Task No.  Item                                   Dalton, Walton, and Carlton Person(s) Assigned  Slater Technologies, Inc.  Comments
1.0       Project Kick-Off Meeting               TBD                                             William Slater
2.0       Audit Work                             TBD                                             William Slater
3.0       Audit Work                             TBD                                             William Slater
4.0       Audit Work                             TBD                                             William Slater
5.0       Audit Work                             TBD                                             William Slater
6.0       Audit Work                             TBD                                             William Slater
7.0       Analysis of results                    TBD                                             William Slater             Perform analysis of results.
8.0       Prepare and Submit Final Audit Report  TBD                                             William Slater             Prepare and submit the final report of the findings within three business days after the review has been completed.
9.0       Prepare Remediation Plan               TBD                                             William Slater
10.0      Project Close-out Meeting              TBD                                             William Slater


Appendix D Risk Management Risk Impact Analysis Tools

The tables below show the basic factors that characterize a risk. For each factor (probability of occurrence, severity of
impact, and detection capability) the risk management planner selects the most appropriate number from the far right
column of the table and multiplies the three numbers together to obtain the Risk Priority Number (RPN). Using this
method, risks entered into the Risk Analysis Matrix shown in Table 4 are quantified, compared, and ranked according to
the impact they represent. This information is recorded in the Risk Register shown in Appendix E.

Table 1 Probability of Occurrence

Table 2 Severity Rating Categories

Table 3 Detection Capability Categories

Table 4 Risk Analysis Matrix Obtaining the RPN Factor


Appendix E Risk Register
The Risk Management Plan includes a Risk Register, which lists systematically catalogued, rated, and managed risks.
The Risk Register is shown below. The tables in Appendix D show how the risk factors are quantified and how
the Risk Priority Number (RPN) is calculated.
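As an added example (not from the plan itself), the following Python computes the RPN for each register entry and ranks the register the way Appendix D describes. The plan's own scale tables (Tables 1 to 3) are not reproduced on the page, so the example assumes the classic FMEA convention of scoring each factor from 1 to 10, with 10 meaning most likely, most severe, or least detectable; the treatment threshold and the sample register entries are constructed for illustration.

```python
"""Risk Priority Number (RPN) ranking for a risk register.

Each risk is scored on three ordinal factors, probability of occurrence,
severity (impact) and detection capability, and the product of the three is
the RPN used to rank the register. ASSUMPTION: the page's scale tables are
not available, so each factor is taken to run 1..10 with 10 meaning most
likely / most severe / least detectable, as in classic FMEA practice.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 10  # assumed scale, see module docstring
TREATMENT_THRESHOLD = 200     # assumed cut-off for mandatory treatment


@dataclass(frozen=True)
class Risk:
    number: int
    category: str
    description: str
    probability: int
    severity: int      # the register calls this column "Impact"
    detection: int

    def __post_init__(self):
        # Reject out-of-scale values so a typo (e.g. 0 or 100) cannot
        # silently push a risk to the bottom or top of the register.
        for name in ("probability", "severity", "detection"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"risk {self.number}: {name}={value} outside "
                    f"{SCALE_MIN}..{SCALE_MAX}")

    @property
    def rpn(self):
        """Risk Priority Number = probability x severity x detection."""
        return self.probability * self.severity * self.detection


def rank_register(risks):
    """Highest RPN first; ties broken by severity, then by risk number."""
    return sorted(risks, key=lambda r: (-r.rpn, -r.severity, r.number))


def needs_treatment(risk, threshold=TREATMENT_THRESHOLD):
    """True when the risk must get a management strategy and contingency."""
    return risk.rpn >= threshold


def register_rows(risks):
    """Rows in the register's column order: No., Category, Description,
    Probability, Impact, Detection, RPN."""
    return [(r.number, r.category, r.description, r.probability,
             r.severity, r.detection, r.rpn) for r in rank_register(risks)]


# Constructed sample register entries (not taken from the page).
SAMPLE_REGISTER = [
    Risk(1, "Access control",
         "Shared administrator account used on the domain controller", 6, 9, 7),
    Risk(2, "Change management",
         "Firewall rule changes applied without Change Control Board approval",
         5, 8, 8),
    Risk(3, "Backup",
         "Backup media have never been restore-tested", 4, 9, 9),
    Risk(4, "Physical",
         "Server room door propped open during deliveries", 3, 5, 2),
]


if __name__ == "__main__":
    for row in register_rows(SAMPLE_REGISTER):
        flag = "TREAT" if needs_treatment(SAMPLE_REGISTER[row[0] - 1]) else ""
        print(*row, flag)
```

Note that the ranking is not the same as sorting by probability alone: the backup risk (probability 4) outranks the change-management risk (probability 5) because it is both severe and hard to detect, which is exactly the behaviour the three-factor product is meant to capture.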
Risk Management Register for the Dalton, Walton, & Carlton Project Plan

Risk No. | Risk Category | References | Risk Description | Probability | Impact | Detection | RPN | Risk Management Strategy | Contingency Summary | Risk Owner(s) | Status

Threat Assessment in Cyberwarfare and Cyberdeterrence


One of the main disadvantages of the hyper-connected world of the 21st century is the very real danger faced by countries,
organizations, and people who use networked computer resources connected to the Internet: they are at risk of
cyberattacks that could result in anything from denial of service to espionage, theft of confidential data,
destruction of data, and/or destruction of systems and services. In recognition of these dangers, the national leaders
and militaries of most modern countries now accept that cyberwar is a real and likely eventuality, and many are
preparing to counter its threats with modern technological tools, strategies and tactics under a framework of
cyberdeterrence, with which they aim to deter the attacks associated with cyberwarfare.

A Single Integrated Operational Plan for War


During the 1950s and 1960s, when it became evident that nuclear weapons could play a major role in strategic warfare,
the United States used a think-tank of individuals, both military and civilian, to craft the strategic war-fighting plans of
the U.S. that would deal with the very real possibility that tactical and possibly strategic nuclear weapons might be required
in a major wartime scenario. The first such war plan was called the Single Integrated Operational Plan (SIOP). Its
creation drew on intelligence data about potential enemies and a threat assessment process, followed by a process in
which the identified likely targets were prioritized and matched with weapons. Matching weapons to targets also
involved intricate sequence timings and the various event triggers that would lead to the execution of such attacks. In
the 1980s, the SIOP evolved into what was called the OPSPLAN and was later renamed the CONOPS Plan, but it has
always been kept up to date and tested at least semiannually so that everyone involved would know their roles if the
national command authorities deemed it necessary to execute this intricate war plan.
Note that as far back as the 1970s there were 24 defined levels of conflict between the U.S. and a potential adversary,
ranging from a war of words all the way to strategic nuclear war. Whatever its name, the national war plan has always
been a key tool of the national command authorities for understanding what military responses would be required at
each of these levels of conflict.

What is the nature of the threat you have chosen?


During my studies prior to and as a student in this DET 630 Cyberwarfare and Cyberdeterrence course at Bellevue University, it occurred to me that, considering the rapid evolution of the potentially destructive capabilities of cyberweapons and the complex nature of cyberdeterrence in the 21st century, it is now a critical priority to integrate the cyberwarfare and cyberdeterrence plans into the CONOPS Plan. Indeed, if the strategic battleground of the 21st century has now expanded to include cyberspace, and the U.S. has in the last five years ramped up major military commands, training, personnel, and capabilities to support cyberwarfare and cyberdeterrence, the inclusion of these capabilities should now be a critical priority of the Obama administration if it has not already happened.

How large a problem is this for the United States?


Without the integration of cyberwarfare and cyberdeterrence technologies, strategies, and tactics into the CONOPS Plan, the national command authorities run a grave risk of conducting a poorly planned offensive cyberwarfare operation that could precipitate a global crisis, impair relationships with its allies, and potentially unleash a whole host of unintended negative and potentially catastrophic consequences. In non-military terms, at least four notable cyberspace events caused widespread damage via the Internet because of the rapid speed of their propagation and their apparently ruthless and indiscriminate selection of vulnerable targets. They are 1) the Robert Morris worm (U.S. origin, 1988); 2) the ILOVEYOU worm (Philippines origin, 2000); 3) the Code Red worm (U.S. origin, 2001); and 4) the SQL Slammer worm (U.S. origin, 2003). If not executed with great care and forethought, a cyberweapon could potentially unleash even greater damage on intended targets, and possibly on unintended targets that were connected via the Internet.

Other Not So Obvious Challenges for Cyberweapons and Cyberdeterrence


The cyberspace threat and vulnerability landscape is notable in that it is continually dynamic and shifting. Those who are responsible for protecting assets in cyberspace have many more challenges on their hands than their military counterparts who utilize weapons like guns, explosives, artillery, missiles, etc. For example, by some estimates over 350 new types of malware are manufactured each month. There are also monthly patch updates to most Microsoft software and operating systems, and phenomena such as evil hackers and zero-day exploits are apparently never ending. Therefore, the inclusion of cyberweapons and cyberdeterrence capabilities into the CONOPS Plan would require more frequent, rigorous, complex, and integrated testing to ensure that it was always effective and up to date. In the dynamic world of cyberspace with its constantly shifting landscape of new capabilities, threats and vulnerabilities, the coordination of the constant refresh and testing of a CONOPS Plan that integrated these cyberwarfare and cyberdeterrence capabilities would be no small feat. In addition, constant intelligence gathering and reconnaissance would need to be performed on suspected enemies to ensure that our cyberweapons and cyberdeterrence capabilities would be in a constant state of being able to deliver the intended effects for which they were designed.

Is it a problem for other countries?


The careful planning and integration of cyberweapons and cyberdeterrence is likely a challenge for every country with these capabilities. For example, much is already known about our potential adversaries, such as Russia, China and North Korea, but what is perhaps less understood is the degree to which they have been successful in integrating cyberwarfare and cyberdeterrence capabilities into their own national war plans. Nevertheless, due to the previous extensive experience of Russia and the U.S. with strategic war planning, it is likely that each of these countries stands the greatest chance of integrating cyberwarfare and cyberdeterrence capabilities into its respective war plans. Yet, as far back as June 2009, it was clear that the U.S. and Russia were unable to agree on a treaty that would create the terms under which cyberwarfare operations could and would be conducted (Markoff, J. and Kramer, A. E., 2009).

Is it problematic for these countries in the same ways or is there variation? What kind?

Every country that is modern enough to have organizations, people, and assets that are connected to computers and
the Internet faces similar challenges of planning and managing cyberweapons and cyberdeterrence, and the poorer the
country, the more significant the challenges. For example, when a small group of hackers from Manila in the Philippines
unleashed the ILOVEYOU worm on the Internet in 2000, it caused over $2 billion in damages to computer data
throughout the world. Agents from the FBI went to Manila to track down these people and investigate how and why the
ILOVEYOU worm catastrophe occurred. To their surprise, they learned that each of these hackers who were involved
could successfully escape prosecution because there were no laws in the Philippines with which to prosecute them. So
actually most countries lack the technological and legal frameworks with which to successfully build a coordinated effort
to manage the weapons and strategies of cyberwarfare and cyberdeterrence, despite the fact that most now embrace
cyberspace with all the positive economic benefits it offers for commerce and communications.

What are the consequences to the U.S. and others if this threat is left unchecked?

As stated earlier, without the careful integration of cyberwarfare and cyberdeterrence technologies, strategies, and
tactics into the CONOPS Plan, the national command authorities run a grave risk of launching a poorly planned offensive
cyberwarfare operation that could precipitate a global crisis, impair relationships with its allies, and potentially unleash
a whole host of unintended negative and potentially catastrophic consequences.

What consequences has the threat already produced on American/global society?


I believe that yes, the absence of well-defined cyberwarfare and cyberdeterrence strategies and tactics in the CONOPS Plan has already produced some situations that have either damaged America's image abroad, or that could imperil its image and have far more negative consequences. For example, operations such as Stuxnet, Flame, Duqu, etc., might have either been better planned or possibly not executed at all if cyberwarfare and cyberdeterrence strategies and tactics were defined in the CONOPS Plan. Also, the news media indicated that during the revolution in Libya that resulted in the fall of Qaddafi, cyberwarfare operations were considered by the Obama administration. The negative reactions and repercussions on the world stage might have far outweighed any short-term advantages that could have resulted from a successful set of cyberattacks against Libyan infrastructure assets that were attached to computer networks. Again, a comprehensive CONOPS Plan that included well-defined cyberwarfare and cyberdeterrence strategies and tactics could have prevented such possible cyberattacks from even being considered, and it could have prevented the news of the possible consideration being publicized in the press (Schmitt, E. and Shanker, T., 2011). Without such restraint and well-planned deliberate actions, the U.S. runs the risk of appearing like the well-equipped cyberbully on the world stage, and an adversary who is willing to unleash weapons that can and will do crippling damage to an opponent, using technologies that are rapid, decisive, and not well understood by those for whom they are intended. A similar effect and world reaction might occur if U.S. Army infantry troops were equipped with laser rifles that emitted deadly laser blasts with pinpoint precision across several hundred yards.


Has this threat evolved or changed over time or is it relatively constant? If it has evolved or changed, exactly how has that change happened and what political consequences have emerged from them?

The threat has certainly rapidly evolved over time. Since Stuxnet was released in 2010, countries and the general public are now aware of some of the offensive, strategic and destructive capabilities and potential of cyberweapons (Gjelten, T., 2011).
The changes that produced Stuxnet and other recent, more modern cyberweapons were a national resolve to excel in the cyberwarfare area, coupled with excellent reconnaissance on desired targets, and partnering with computer scientists in Israel. The political consequences are not well understood yet, except to say that the U.S. and Israel are probably less trusted and suspected of even greater future capabilities, as well as having the will to use them. Again, having well-planned cyberwarfare and cyberdeterrence strategies and tactics defined in the CONOPS Plan might indeed restrain such possibly reckless decisions as to unleash cyberweapon attacks without what the world might consider the correct provocation.

Final Thoughts about Cyberwarfare Operations


In the words of Deb Radcliff, in an article published in SC Magazine in September 2012, we are already in a cyberwar (Radcliff, D., 2012). But as I was performing my research, it occurred to me that a country like the U.S. might in the future unleash such a devastating cyberattack that it could cripple the enemy's ability to communicate a surrender. I think that the moral implications of such circumstances need to be justly considered as a matter of the laws of war, because if a country continues to attack an enemy that has indicated that they are defeated and want to surrender, this shifts the moral ground from which the U.S. may have believed it was conducting its cyberwarfare operations. This is one other unintended consequence of cyberwarfare and one that needs to be carefully considered.
To further understand the relationship of threats, counter-measures, and exposures in cyberspace, I have included this diagram by Jaquith, shown below.

References

Andress, J. and Winterfeld, S. (2011). Cyber Warfare: Techniques and Tools for Security Practitioners. Boston, MA: Syngress.
Andreasson, K. (ed.). (2012). Cybersecurity: Public Sector Threats and Responses. Boca Raton, FL: CRC Press.
Bousquet, A. (2009). The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. New York, NY: Columbia University Press.
Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O'Reilly.
Clarke, R. A. and Knake, R. K. (2010). Cyberwar: The Next Threat to National Security and What to Do About It. New York, NY: HarperCollins Publishers.
Czosseck, C. and Geers, K. (2009). The Virtual Battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
Edwards, M. and Stauffer, T. (2008). Control System Security Assessments. A technical paper presented at the 2008 Automation Summit: A Users Conference, in Chicago. Retrieved from http://www.infracritical.com/papers/nstb-2481.pdf on December 20, 2011.
Freedman, L. (2003). The Evolution of Nuclear Strategy. New York, NY: Palgrave Macmillan.
Friedman, G. (2004). America's Secret War: Inside the Hidden Worldwide Struggle Between America and Its Enemies. New York, NY: Broadway Books.
Gjelten, T. (2010). Are Stuxnet Worm Attacks Cyberwarfare? An article published at NPR.org on October 1, 2011. Retrieved from http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
Gjelten, T. (2010). Stuxnet Computer Worm Has Vast Repercussions. An article published at NPR.org on October 1, 2011. Retrieved from http://www.npr.org/templates/story/story.php?storyId=130260413 on December 20, 2011.
Gjelten, T. (2011). Security Expert: U.S. Leading Force Behind Stuxnet. An article published at NPR.org on September 26, 2011. Retrieved from http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
Gjelten, T. (2011). Stuxnet Raises Blowback Risk In Cyberwar. An article published at NPR.org on December 11, 2011. Retrieved from http://www.npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar on December 20, 2011.
Grabo, C. M. (2004). Anticipating Surprise: Analysis for Strategic Warning. Lanham, MD: University Press of America, Inc.
Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
Jaquith, A. (2007). Security Metrics. Boston, MA: Addison Wesley.
Kaplan, F. (1983). The Wizards of Armageddon: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on How to Use the Bomb. Stanford, CA: Stanford University Press.
Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
Langner, R. (2010). Retrieved from http://www.langner.com/en/blog/page/6/ on December 20, 2011.
Libicki, M. C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: Rand Corporation.
Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. An article published in the New York Times on June 28, 2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
Payne, K. B. (2001). The Fallacies of Cold War Deterrence and a New Direction. Lexington, KY: The University of Kentucky Press.
Pry, P. V. (1999). War Scare: Russia and America on the Nuclear Brink. Westport, CT: Praeger Publications.
Radcliff, D. (2012). Cyber cold war: Espionage and warfare. An article published in SC Magazine, September 4, 2012. Retrieved from http://www.scmagazine.com/cyber-cold-war-espionage-and-warfare/article/254627/ on September 7, 2012.
Reynolds, G. W. (2012). Ethics in Information Technology, 4th edition. Boston, MA: Course Technology.
Rosenbaum, R. (2011). How the End Begins: The Road to a Nuclear World War III. New York, NY: Simon and Schuster.
Sanger, D. E. (2012). Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. New York, NY: Crown Publishers.
Schell, B. H., et al. (2002). The Hacking of America: Who's Doing It, Why, and How. Westport, CT: Quorum Press.
Schmidt, H. S. (2006). Patrolling Cyberspace: Lessons Learned from a Lifetime in Data Security. N. Potomac, MD: Larstan Publishing, Inc.
Schmitt, E. and Shanker, T. (2011). U.S. Debated Cyberwarfare in Attack Plan on Libya. An article published in the New York Times on October 17, 2011. Retrieved from http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html on October 17, 2011.
Stiennon, R. (2010). Surviving Cyber War. Lanham, MA: Government Institutes.
Swiderski, F. and Snyder, W. (2004). Threat Modeling. Redmond, WA: Microsoft Press.
Technolytics. (2011). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict. Purchased and downloaded from Amazon.com on April 16, 2011.
Waters, G. (2008). Australia and Cyber-Warfare. Canberra, Australia: ANU E Press.
Wikipedia Commons. (2011). Stuxnet Diagram. Retrieved from http://en.wikipedia.org/wiki/File:Step7_communicating_with_plc.svg on December 20, 2011.
Zetter, K. (2011). How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History. An article published on July 11, 2011 at Wired.com. Retrieved from http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1 on December 20, 2011.

Discussion Questions and Answers Related to Studies in Cyberwarfare

Talk about the emergence of and belief system of the H.U.C.


H.U.C. is the Honker Union of China. Their website, which contains forums and information about the organization, is located at http://www.huc.me/ (Honkers Union of China, 2012).
H.U.C. is a well-organized Chinese hacker organization that is based entirely in China. They are talented and apparently have extensive knowledge about hacking, computers and the Internet, as well as how to conduct cyber attacks and cyber espionage.
They seem to have emerged shortly after the Chinese Embassy was bombed during U.S. airstrike operations in Belgrade in the former Yugoslavia. The group's primary motivations are reportedly patriotism and efforts to promote Chinese nationalism.
These are the types of operations that make H.U.C. so dangerous in cyberspace:
1. Hacking
2. DDOS
3. Malware distribution
4. Espionage
In addition, a friend who returned to the U.S. after teaching in China for several years told me this evening as we were discussing Chinese hackers and Chinese hacker organizations:
They are not really underground. In China if you have the $$$ and the right connections, you can hire a hacker team to attack the competitor of your choice. Or you can pay a water army to destroy someone's online reputation. Some of the bigger groups are multi-million dollar ops.
Some Brief Conclusions:
1. H.U.C. appears to be accomplished, well-organized, talented, capable, experienced, willing to announce and brag
about their exploits, and determined to conduct further attack operations in the future (Honkers Union of China,
2012).
2. According to J. Schlesinger, the slowing economy in China has caused state-sponsored hackers to increase their efforts to steal industrial and military secrets from U.S. organizations (Schlesinger, J., 2012).
3. H.U.C. makes the world of cyberspace a more dangerous place, particularly for those who are unprotected and/or
unaware (Honkers Union of China, 2012).
References

Honkers Union of China. (2012). Honkers Union of China website. Retrieved from http://www.huc.me/ on September 21, 2012.
Schlesinger, J. (2012). Chinese Espionage on the Rise in US, Experts Warn. An article published at CNBC.com on July 9, 2012. Retrieved from http://www.cnbc.com/id/48099539 on July 10, 2012.
CNBC. (2012). Cyber Espionage: The Chinese Threat. A collection of articles about the cyber threats posed by Chinese hackers. Retrieved from http://www.cnbc.com/id/47962207/ on July 10, 2012.
The Hackers Underground. An article published at the Serpents Embrace blog. Retrieved from http://serpentsembrace.wordpress.com/tag/honkerunion-of-china/ on September 21, 2012.
SEM. (2011). The Hackers Underground. Retrieved from http://serpentsembrace.wordpress.com/2011/05/17/the-hackers-underground/ on September 21, 2012.

Please elaborate and discuss in depth the principles of simple security.


The brief web article Three Simple Security Principles describes these three simple security principles:
1. A secure network assumes the host is hostile
2. A secure host assumes the network is hostile
3. Secure applications assume the user is hostile


In the case of Principle No. 1, the network needs to have defenses that protect it from hosts that are possibly infected.
In the case of Principle No. 2, each host needs to have defenses that protect it from other hosts and from anything else attached to the network that could possibly be infected.
In the case of Principle No. 3, each host, the network, and all applications need to have defenses that protect them from other hosts and from anything else attached to the network that could possibly be infected. This also applies the concept of least privilege, in which every user is only allowed access to the required data and resources in a networked computer environment (Compare Business Products, 2010).
Ironically, when doing effective security control analysis and security risk analysis, most organizations take it a bit further
than these three principles described above. In fact, they usually agree that an asset is secure if it is able to satisfy these
criteria:
Is Confidentiality guaranteed?
Is Integrity guaranteed?
Is Availability guaranteed?
These are often referred to as the CIA Triad. And if the answer to any of these questions is NO, then the asset is not
considered secure and the control that is designed to secure that asset must be reevaluated.
However, one of the founding fathers of the computer security field, Mr. Donn Parker, also established three additional
simple criteria that truly augment the CIA concept of security.
Is the asset under the owners control?
Is the asset authentic?
Is the asset usable?
And if the answer to any of these additional three questions is NO, then the asset is not considered secure and the
control that is designed to secure that asset must be reevaluated. These three additional concepts together with CIA
form what is now commonly referred to as the Parkerian Hexad, in honor of Mr. Parker (Hintzbergen, J., et al., 2010).
Finally, here is a short checklist for having some quick idea if an organization is practicing good information security
principles:
How to Identify a Secure Environment
1. Do they have an established Security Program?
2. Are data and information classified according to their importance and sensitivity?
3. Do they have well-defined Security Policies?
4. Do they have clear Guidelines for Acceptable Use of Assets?
5. Do they have a companywide Security Awareness Education Program?
6. Are Risks Identified and Managed via a Risk Management Program?
7. Does an Incident Response Plan exist?
If the answer to each of these questions is YES, the organization is probably pretty serious about Information Security
(Logicalis, 2011).

References


Compare Business Products. (2010). Three Simple Security Principles. An article published at Compare Business Products on February 2, 2010. Retrieved from http://www.comparebusinessproducts.com/briefs/three-simple-security-principals on September 21, 2012.
Hintzbergen, J., et al. (2010). Foundations of Information Security Based on ISO27001 and ISO27002, second edition. Amersfoort, NL: Van Haren Publishing.
Logicalis. (2011). Seven Ways to Identify a Secure IT Environment. Published at IT Business Edge in 2011. Retrieved from http://www.itbusinessedge.com/slideshows/show.aspx?c=92732&placement=bodycopy on May 5, 2011.

Please explain GhostNet.


GhostNet is an extremely sophisticated, malicious spyware program that deploys a Trojan remote access program called gh0st RAT (Remote Access Tool). The program usually spreads via e-mail attachments and continues to propagate using the address book found on each victim's computer. After a computer is infected with the gh0st RAT Trojan, it can be remotely controlled by the hackers that operate GhostNet. The gh0st RAT program can even turn on the computer's built-in camera and also eavesdrop and record sounds via the audio microphone. Other worrisome activities that gh0st RAT can engage in include:
Download, upload, delete, and rename files
Format drives
Open the CD-ROM tray
Drop viruses and worms
Log keystrokes (keystroke capture software)
Steal passwords and credit card numbers
Hijack the browser homepage
View the screen (to invade privacy and capture sensitive information such as passwords, bank accounts, financial data, etc.)
Besides e-mail attachments, gh0st RAT can also spread via P2P file sharing, downloads, and perhaps even via IRC chat windows.
The gh0st RAT Trojan can usually be detected because the performance of the system slows down. It operates as an .EXE file, and removal of the gh0st RAT Trojan can require some technical skill because a user must open the Windows Registry Editor and look under this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The EXE will be listed there if the machine is infected, and the related value with the name of the EXE file should be deleted.
Any other possible references to the executable under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
or
HKEY_LOCAL_MACHINE\SOFTWARE\
should also be deleted (Koushal Blog, 2009).
When in doubt, call an expert who is experienced in dealing with desktop malware infections.
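The registry review described above can be done in a read-only, repeatable way before anything is deleted. The following PowerShell script is an added example, not code from the page or from the blog it cites: it lists every value under the autostart (Run) locations, resolves the executable each one launches, and reports whether that file exists and carries a valid Authenticode signature, so the analyst sees which entries deserve a closer look. The HKLM Run key is the one the text names; the extra HKCU, RunOnce and WOW6432Node locations, the path-and-signature review heuristic, and the requirement of PowerShell 5.1 or later on a Windows host are assumptions.

```powershell
# Added example (not from the page or the cited Koushal Blog post): a read-only
# audit of autostart registry entries. It changes nothing in the registry.

# HKLM\...\Run is the key named in the text; the other locations are assumed
# companions that the same triage should cover.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartExecutable {
    # Pull the executable path out of a Run value's command line, e.g.
    #   "C:\Program Files\Vendor\tool.exe" /background  -> C:\Program Files\Vendor\tool.exe
    #   C:\Windows\system32\rundll32.exe lib.dll,Entry   -> C:\Windows\system32\rundll32.exe
    param([string]$CommandLine)
    $line = $CommandLine.Trim()
    if ($line.StartsWith('"')) {
        $end = $line.IndexOf('"', 1)
        if ($end -gt 1) { return $line.Substring(1, $end - 1) }
        return $line.Trim('"')
    }
    # -match is case-insensitive, so .EXE and .exe both match.
    if ($line -match '^(.*?\.exe)') { return $Matches[1] }
    return ($line -split '\s+')[0]
}

function Get-AutostartReport {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Drop the PS* metadata properties that Get-ItemProperty adds to every item.
        $valueNames = $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            Select-Object -ExpandProperty Name
        foreach ($name in $valueNames) {
            $command = [string]$props.$name
            $exe = [Environment]::ExpandEnvironmentVariables((Get-AutostartExecutable $command))
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $sigStatus = 'file missing'
            $publisher = ''
            if ($exists) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $sigStatus = $sig.Status.ToString()   # e.g. Valid, NotSigned, HashMismatch
                if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }
            }
            # Triage heuristic (an assumption, not a verdict): a missing or unsigned
            # binary, or one living in a user-writable directory, deserves review.
            $userWritable = $exe -match '\\(AppData|Temp|Users\\Public)\\'
            $needsReview = (-not $exists) -or ($sigStatus -ne 'Valid') -or $userWritable
            $review = if ($needsReview) { 'REVIEW' } else { '' }
            [pscustomobject]@{
                Key        = $key
                ValueName  = $name
                Command    = $command
                Executable = $exe
                Exists     = $exists
                Signature  = $sigStatus
                Publisher  = $publisher
                Review     = $review
            }
        }
    }
}

# Show flagged entries first and keep a CSV copy for the incident record.
$report = Get-AutostartReport
$report | Sort-Object Review -Descending |
    Format-Table Key, ValueName, Executable, Signature, Review -AutoSize
$report | Export-Csv -Path (Join-Path $env:TEMP 'autostart-audit.csv') -NoTypeInformation
```

An unsigned entry is not proof of infection (plenty of legitimate software is unsigned), so the REVIEW flag is a starting point for analysis, not a deletion list.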
References

Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O'Reilly.
Koushal Blog. (2009). What is GhostNet and How It Works. Retrieved from http://koushalblog.blogspot.com/2009/03/what-is-ghostnet-and-how-itworks.html on September 21, 2012.

Analyze geopolitically a map of hot spots juxtaposed with potential cyber conflict. Explain any uniformity and discordance that one might expect to see between regular conflict and cyber conflict

The area of the world that I chose was the Middle East with Israel and Iran, as well as the United States. It is obvious to me that as the possibility of a shooting war continues to become a real possibility, it will probably be preceded by cyberwarfare attacks.
In fact, this whole thing with the U.S., Israel, and Iran is probably about to get VERY UGLY. Take a look! Just yesterday, September 22, 2012, it was reported that Iran conducted cyber attacks against U.S. banks (Mayday, M., 2012).
As far back as 2011, it was starting to become known that the U.S. and Israel were working together to develop and unleash the Stuxnet cyberweapon attack against a large Iranian facility in which uranium was being processed (Zetter, K., 2011). Later, supposedly a follow-on sophisticated cyberattack occurred, and this cyberweapon had the code name of Flame.
As far as uniformity, the cyberwarfare hostilities would be directed against high-value strategic targets inside each country, much the same as a bomber would strike these targets. But the discordance factors would include:
1. The cyberweapon strikes would be lightning fast and most likely unseen until they had accomplished their intended damage.
2. The other side would likely have problems with the attribution of the source location of the attack.
3. The two sides would be in bitter disagreement about the nature of the attacks and the effects of the attack, and this would likely erupt into a war of words and propaganda.
4. It is also likely that a shooting war may erupt soon after the cyberattacks, noting that the country which initiates it did so in an effort to wage what is known as a Preemptive First Strike, a concept developed in 1970s military doctrine and nuclear strategy in which it was believed that the side that strikes first will have the greatest opportunity to inflict massive damage while still having the opportunity to use its weapons. The idea behind that doctrine was also known as "use it or lose it" because it was thought that if the country that struck first waited, its military capabilities could not survive well enough to launch a retaliatory strike (Freedman, L., 2003).
References

Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O'Reilly.
Clarke, R. A. and Knake, R. K. (2010). Cyberwar: The Next Threat to National Security and What to Do About It. New York, NY: HarperCollins Publishers.
Czosseck, C. and Geers, K. (2009). The Virtual Battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
Edwards, M. and Stauffer, T. (2008). Control System Security Assessments. A technical paper presented at the 2008 Automation Summit: A Users Conference, in Chicago. Retrieved from the web at http://www.infracritical.com/papers/nstb-2481.pdf on December 20, 2011.
Freedman, L. (2003). The Evolution of Nuclear Strategy. New York, NY: Palgrave Macmillan.
Friedman, G. (2004). America's Secret War: Inside the Hidden Worldwide Struggle Between America and Its Enemies. New York, NY: Broadway Books.
Gjelten, T. (2010). Are Stuxnet Worm Attacks Cyberwarfare? An article published at NPR.org on October 1, 2011. Retrieved from the web at http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
Gjelten, T. (2010). Stuxnet Computer Worm Has Vast Repercussions. An article published at NPR.org on October 1, 2011. Retrieved from the web at http://www.npr.org/templates/story/story.php?storyId=130260413 on December 20, 2011.
Gjelten, T. (2011). Security Expert: U.S. Leading Force Behind Stuxnet. An article published at NPR.org on September 26, 2011. Retrieved from the web at http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
Gjelten, T. (2011). Stuxnet Raises Blowback Risk In Cyberwar. An article published at NPR.org on December 11, 2011. Retrieved from the web at http://www.npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar on December 20, 2011.
Grabo, C. M. (2004). Anticipating Surprise: Analysis for Strategic Warning. Lanham, MD: University Press of America, Inc.
Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
Kaplan, F. (1983). The Wizards of Armageddon: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on How to Use the Bomb. Stanford, CA: Stanford University Press.
Knapp, E. D. (2011). Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems. Waltham, MA: Syngress.
Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
Langner, R. (2010). Retrieved from the web at http://www.langner.com/en/blog/page/6/ on December 20, 2011.
Libicki, M. C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: Rand Corporation.
Mayday, M. (2012). Iran Attacks US Banks in Cyber War: Attacks target three major banks, using Muslim outrage as cover. An article published on September 22, 2012 at Politix.Topix.com. Retrieved from http://politix.topix.com/homepage/2214-iran-attacks-us-banks-in-cyber-war on September 22, 2012.
Payne, K. B. (2001). The Fallacies of Cold War Deterrence and a New Direction. Lexington, KY: The University of Kentucky Press.
Pry, P. V. (1999). War Scare: Russia and America on the Nuclear Brink. Westport, CT: Praeger Publications.
Reynolds, G. W. (2012). Ethics in Information Technology, 4th edition. Boston, MA: Course Technology.
Rosenbaum, R. (2011). How the End Begins: The Road to a Nuclear World War III. New York, NY: Simon and Schuster.
RT. (2012). Iran may launch pre-emptive strike on Israel, conflict could grow into WWIII - senior commander. An article published at RT.com on September 23, 2012. Retrieved from http://rt.com/news/iran-strike-israel-world-war-803/ on September 24, 2012.
Sanger, D. E. (2012). Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. New York, NY: Crown Publishers.
Technolytics. (2011). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict. Purchased and downloaded from Amazon.com on April 16, 2011.
Wikipedia Commons. (2011). Stuxnet Diagram. Retrieved from the web at http://en.wikipedia.org/wiki/File:Step7_communicating_with_plc.svg on December 20, 2011.
Zetter, K. (2011). How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History. An article published on July 11, 2011 at Wired.com. Retrieved from the web at http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1 on December 20, 2011.

In your weeks 3 and 4 videos, you get diametrically opposite issues: hacking vs. establishing norms. Reflecting upon these two videos together, explain what you consider to be some of the chief issues that make hacking a chronic problem to those looking to establish international norms of cyber behavior.

I enjoyed both of these videos, but I liked all speakers and the structure of the second video much better than the one with Professor Jonathan Zittrain. They were all brilliant and accomplished and well-researched and credentialed, but I felt that Professor Zittrain was trying too much to be ironic and funny at the same time.
After viewing both videos, these are some of the chief issues that I think are making hacking a chronic problem:
1. The hacking problem is not well understood either in this country or internationally.
2. The hackers know and understand their world better than others understand the world of cyberspace.
3. The hackers are MUCH more evil and determined and malicious than people realize. A great example is all the evil things that Anonymous attackers did to HBGary.
4. The hackers have a strange mindset and enjoy bragging about their exploits.
5. The hackers do what they do in a fearless manner, knowing that there is little or no chance that they will be caught.
6. The hackers are actually well-organized and can skillfully plan out and organize and execute precision attacks.
7. There are a lot more well-organized hackers out there who well understand cyberspace and the good guys than there are good guys who understand the hackers.
8. The hackers revel in the stupidity and relative helplessness of their victims.
9. The hackers can and will strike from anywhere, at any time and in numbers and in ways that are not expected or cannot be accurately predicted.
10. I believe that the good guys should enlist skilled hackers into their cause to fight foreign hostiles, but I sincerely believe that the good guys don't have the skills or the diplomatic know-how to do that.
11. The good guys believe that international agreements can be attained to define and agree on what cyberwarfare is and what cyberweapons are, and how to assess the effects of the damage of cyberweapons. They also seem to believe that 2012 would be the decisive year in which the groundwork for legislation and policy was laid to deal with cyberwarfare issues. The hackers do not even consider this a remote possibility, in my estimation.

References

Georgetown University. (2012). International Engagement in Cyberspace part 1. A YouTube video. Retrieved from http://www.youtube.com/watch?v=R1lFNgTui00&feature=related on September 21, 2012.
Zittrain, J. (2012). Professor Zittrain Q&A Hacktivism: Anonymous, lulzsec, and Cybercrime in 2012 and Beyond. A YouTube video. Retrieved from http://www.youtube.com/watch?v=CZWjfxY8nmU&feature=related on September 21, 2012.

U.S. Policy Appraisal Related to Cyberwarfare and Cyberdeterrence


This brief paper will discuss U.S. policy related to cyberwarfare and cyberdeterrence.

Current U.S. Policy Covering Cyberwarfare Threats
The current written policy related to cyberwarfare threats can be found in President Obama's Defense Strategic Guidance 2012, a 16-page policy document that was published on January 3, 2012. The excerpt related specifically to cyberwarfare and cyber threats is shown below:
"To enable economic growth and commerce, America, working in conjunction with allies and partners around the world, will seek to protect freedom of access throughout the global commons, those areas beyond national jurisdiction that constitute the vital connective tissue of the international system. Global security and prosperity are increasingly dependent on the free flow of goods shipped by air or sea. State and non-state actors pose potential threats to access in the global commons, whether through opposition to existing norms or other anti-access approaches. Both state and non-state actors possess the capability and intent to conduct cyber espionage and, potentially, cyber attacks on the United States, with possible severe effects on both our military operations and our homeland. Growth in the number of space-faring nations is also leading to an increasingly congested and contested space environment, threatening safety and security. The United States will continue to lead global efforts with capable allies and partners to assure access to and use of the global commons, both by strengthening international norms of responsible behavior and by maintaining relevant and interoperable military capabilities" (Obama, 2012).
The first explicit Obama Administration policy acknowledging the realities of cyber threats was published in a 30-page document titled International Strategy for Cyberspace in May 2011.
"Today, as nations and peoples harness the networks that are all around us, we have a choice. We can either work together to realize their potential for greater prosperity and security, or we can succumb to narrow interests and undue fears that limit progress. Cybersecurity is not an end unto itself; it is instead an obligation that our governments and societies must take on willingly, to ensure that innovation continues to flourish, drive markets, and improve lives. While offline challenges of crime and aggression have made their way to the digital world, we will confront them consistent with the principles we hold dear: free speech and association, privacy, and the free flow of information.
The digital world is no longer a lawless frontier, nor the province of a small elite. It is a place where the norms of responsible, just, and peaceful conduct among states and peoples have begun to take hold. It is one of the finest examples of a community self-organizing, as civil society, academia, the private sector, and governments work together democratically to ensure its effective management. Most important of all, this space continues to grow, develop, and promote prosperity, security, and openness as it has since its invention. This is what sets the Internet apart in the international environment, and why it is so important to protect.
In this spirit, I offer the United States International Strategy for Cyberspace. This is not the first time my Administration has addressed the policy challenges surrounding these technologies, but it is the first time that our Nation has laid out an approach that unifies our engagement with international partners on the full range of cyber issues. And so this strategy outlines not only a vision for the future of cyberspace, but an agenda for realizing it. It provides the context for our partners at home and abroad to understand our priorities, and how we can come together to preserve the character of cyberspace and reduce the threats we face" (Obama, 2011).

How long has this policy been in place? Have any changes occurred to the policy over the years?
This policy has evolved from the Comprehensive National Cybersecurity Initiative (CNCI) that was published by President
George W. Bush in January 2008. The three primary tenets of the CNCI policy were:
- To establish a front line of defense against today's immediate threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events within the Federal Government, and ultimately with state, local, and tribal governments and private sector partners, and the ability to act quickly to reduce our current vulnerabilities and prevent intrusions.
- To defend against the full spectrum of threats by enhancing U.S. counterintelligence capabilities and increasing the security of the supply chain for key information technologies.
- To strengthen the future cybersecurity environment by expanding cyber education; coordinating and redirecting research and development efforts across the Federal Government; and working to define and develop strategies to deter hostile or malicious activity in cyberspace (Bush, 2008).
Though the Obama Administration reviewed and approved Bush's CNCI policy in May 2009, Obama, who is regarded as the most technology-savvy president that has ever occupied the White House, went much further to acknowledge the importance of cyberspace to the American economy and the American military, and the importance of defending the U.S. from adversaries that could threaten us via cyberspace. Obama's policy also acknowledges the reality that future wars will be fought in the realm of cyberspace, and has thus funded the preparation of the U.S. armed forces for conflict in cyberspace (Gerwitz, 2011).

What is the effectiveness of current policy when it concerns this particular threat issue?
The Obama Administration's policies have been effective in raising the awareness of the U.S. population as to the importance of protecting assets that are connected in cyberspace. These policies have also been effective in providing for the preparation of the U.S. military to deal with conflict in cyberspace.
However, the policies have not been particularly effective as a deterrent to cyber threats presented by potential national enemies and non-state actors. As recently as September 23 to September 30, 2012, cyber attacks in the form of distributed denial of service (DDoS) attacks from the Middle East against several major U.S. banks have publicly demonstrated the ire of the attackers and also the vulnerabilities of banks with a customer presence in cyberspace (Strohm and Engleman, 2012).

Short-Term and Long-term Ramifications of Current Policy


In the short term, the Obama Administration's policies regarding cyberspace have done much to raise the awareness of cyberspace as an area that requires protection for the public good and prosperity of the American people. These policies have also served to show our allies and our potential enemies that the U.S. has the intention of defending cyberspace and all our interests that are connected to it. In the long term, these policies will probably evolve to reveal, in a general, unclassified way, stronger defenses, stronger deterrent capabilities and probably offensive cyberweapons.
On the legislative front, as recently as September 23, 2012, the Chairman of the Senate Homeland Security Committee, Senator Joseph Lieberman (D., Connecticut), realizing that Congress would fail to pass cybersecurity legislation designed to help protect the United States and its people, sent an urgent letter to President Obama to ask for the creation of a new Presidential Executive Order that would address several current cybersecurity issues, including how, when and where law enforcement can become involved in cybersecurity issues (Kerr, 2012). Though many digital privacy rights advocates, including the Electronic Frontier Foundation, the Electronic Privacy Information Center, and the American Civil Liberties Union, have strenuously fought recent cybersecurity legislation, many cybersecurity experts expect that if President Obama is reelected in November 2012, an Executive Order drafted and signed by the Obama Administration would provide the tools that the federal government wants. Even if President Obama is not reelected in November 2012, it is expected that some expedient action on the part of the new president would probably take place even before Congress could successfully agree upon and pass such legislation.

Allies and Adversaries Connected to this Specific Policy?


It is entirely likely that there are classified versions of the International Strategy for Cyberspace policy that address how U.S. policies regarding the defense of cyberspace will affect our allies and our adversaries. But since it has been publicly revealed that the Obama Administration conducted offensive cyberwarfare operations against Iran between June 2009 and June 2010, it is also likely that both our allies and our enemies have a clearer understanding of U.S. capabilities, as well as of the intent to use cyberweapons when the U.S. deems it to be in its best interests to do so.

Conclusion
The good news is that President Obama and his Administration have an acute awareness of the importance of cyberspace to the American economy and the American military. The bad news is that because we are already in some form of cyberwarfare that appears to be rapidly escalating, it remains to be seen what effects these cyberattacks and

the expected forthcoming Executive Orders that address cybersecurity will have on the American people and our way of
life. I believe it will be necessary to act prudently, carefully balancing our freedoms with our need for security, and also
considering the importance of enabling and protecting the prosperity of the now electronically connected, free enterprise
economy that makes the U.S. the envy of and the model for the rest of the world.
References

Andress, J. and Winterfeld, S. (2011). Cyber Warfare: Techniques and Tools for Security Practitioners. Boston, MA: Syngress.
Andreasson, K. (ed.). (2012). Cybersecurity: Public Sector Threats and Responses. Boca Raton, FL: CRC Press.
Bush, G. W. (2008). Comprehensive National Cybersecurity Initiative (CNCI). Published by the White House January 2008. Retrieved from http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative on January 5, 2012.
Bousquet, A. (2009). The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. New York, NY: Columbia University Press.
Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O'Reilly.
Clarke, R. A. and Knake, R. K. (2010). Cyberwar: The Next Threat to National Security and What to Do About It. New York, NY: HarperCollins Publishers.
Czosseck, C. and Geers, K. (2009). The Virtual Battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from http://omicsgroup.org/journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
Freedman, L. (2003). The Evolution of Nuclear Strategy. New York, NY: Palgrave Macmillan.
Gerwitz, D. (2011). The Obama Cyberdoctrine: tweet softly, but carry a big stick. An article published at Zdnet.com on May 17, 2011. Retrieved from http://www.zdnet.com/blog/government/the-obama-cyberdoctrine-tweet-softly-but-carry-a-big-stick/10400 on September 25, 2012.
Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
Kaplan, F. (1983). The Wizards of Armageddon: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on How to Use the Bomb. Stanford, CA: Stanford University Press.
Kerr, D. (2012). Senator urges Obama to issue cybersecurity executive order. An article published at Cnet.com on September 24, 2012. Retrieved from http://news.cnet.com/8301-1009_3-57519484-83/senator-urges-obama-to-issue-cybersecurity-executive-order/ on September 26, 2012.
Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
Libicki, M.C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: Rand Corporation.
Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. An article published in the New York Times on June 28, 2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
McBrie, J. M. (2007). The Bush Doctrine: Shifting Position and Closing the Stance. A scholarly paper published by the USAWC Strategy Research Project. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA423774 on September 30, 2012.
Obama, B. H. (2012). Defense Strategic Guidance 2012: Sustaining Global Leadership: Priorities for 21st Century Defense. Published January 3, 2012. Retrieved from http://www.defense.gov/news/Defense_Strategic_Guidance.pdf on January 5, 2012.
Obama, B. H. (2011). International Strategy for Cyberspace. Published by the White House on May 16, 2011. Retrieved from http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf on May 16, 2011.
Radcliff, D. (2012). Cyber cold war: Espionage and warfare. An article published in SC Magazine, September 4, 2012. Retrieved from http://www.scmagazine.com/cyber-cold-war-espionage-and-warfare/article/254627/ on September 7, 2012.
Sanger, D. E. (2012). Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. New York, NY: Crown Publishers.
Stiennon, R. (2010). Surviving Cyber War. Lanham, MA: Government Institutes.
Strohm, C. and Engleman, E. (2012). Cyber Attacks on U.S. Banks Expose Vulnerabilities. An article published at BusinessWeek.com on September 28, 2012. Retrieved from http://www.businessweek.com/news/2012-09-27/cyber-attacks-on-u-dot-s-dot-banks-expose-computer-vulnerability on September 30, 2012.
Technolytics. (2011). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict. Purchased and downloaded from Amazon.com on April 16, 2011.
Waters, G. (2008). Australia and Cyber-Warfare. Canberra, Australia: ANU E Press.

Strategic Comparative Analysis in Cyberwarfare and Cyberdeterrence


This brief paper will present a strategic comparative analysis of the present state of cyberwarfare and cyberdeterrence
issues.

What Other Countries / Regions of the World Are Concerned with This Same
Threat Issue?
The countries that are primarily concerned with cyberwarfare and cyberdeterrence threat issues are the same countries that already have the greatest cyberwarfare capabilities and also the most to lose in the event of a full-scale cyberwarfare attack.
Table 1 below, from 2009, shows the comparative cyberwar capabilities of the 66 largest countries in the world.

Table 1 Country Cyber Capabilities Ratings (Technolytics, 2012)

Countries / Regions of the World That Do Not Place a High Priority on This Threat Issue
The countries that do not place a high priority on this threat issue are those that are more focused on the survival and welfare of their citizens, coupled with the fact that they are largely consumers of Internet and computer capabilities rather than being able to afford to channel resources into the development of cyberweapons or the resources required to develop a credible cyberdeterrence strategy. It is also ironic that the U.K., with its stature and status, does not rank higher on the list shown in Table 1.

Some of the Current Policies Being Employed by These Other States / Regions in Regard to the Threat
China, Russia, and India, each of which is in the top four of the countries listed in Table 1, have well-defined cyberwarfare policies and strategies. Ironically, the U.S., which occupies the number 2 position in that same table, does not yet have well-defined cyberwarfare policies and strategies. For comparison, Table 2 below shows a summary of the policies and strategies of China, Russia and India.

Country: China
  Policy: China supports cyberwarfare capabilities, especially providing such capabilities in the People's Liberation Army.
  Strategy: The Chinese will wage unrestricted warfare, and these are the principles: omni-directionality; synchrony; limited objectives; unlimited measures; asymmetry; minimal consumption; multi-dimensional coordination; adjustment and control of the entire process (Hagestad, 2012).

Country: Russia
  Policy: Russia supports cyberwarfare capabilities, especially providing such capabilities in the Russian Army. The nature of cyberwarfare and information warfare requires that the development of a response to these challenges must be organized on an interdisciplinary basis and include researchers from different branches: political analysts, sociologists, psychologists, military specialists, and media representatives (Fayutkin, 2012).
  Strategy: The ability to achieve cyber superiority is essential to victory in cyberspace (Fayutkin, 2012).

Country: India
  Policy: India supports cyberwarfare capabilities, especially providing such capabilities in the Indian Army. It is essential for efficient and effective conduct of war including cyber-war. The war book therefore needs to specify how to maintain no-contact cyber war and, when the government decides to go for full-contact or partial-contact war, how cyber war will be integrated to meet overall war objectives (Saini, 2012).
  Strategy: Strategies are still under development, but will follow the guidance of policies related to the conduct of war (Saini, 2012).

Table 2 Summary of Cyberwarfare Policies and Strategies of China, Russia, and India

Successes and Failures of the Various Alternative Policies Around the Globe
Despite some of the negative press about the Stuxnet virus, this collaborative effort by the U.S. and Israel has been looked at both with fascination and as an event that quickly and successfully ushered in a new age of warfare, the age of cyberwarfare. However, many still feel that the absence of publicly defined policies and strategies by the Obama Administration invites the secretive and even random appearance and continued use of cyberweapons (Sanger, 2012).

Areas of Joint Communication / Operation / Cooperation that Exist or Should Exist Across Countries Dealing with This Threat Issue
Apparently, the U.S. has already created cyberweapons with the help of Israeli cyberweapon experts. At least one of these cyberweapons was effectively used to impede the development of Iran's nuclear material refinement program from 2009 to 2010.
It is likely, however, that through the auspices of the United Nations, or perhaps some G20 accord, there may be some general consensus on the importance of defining the appropriate uses of cyberweapons. There also needs to be some agreement on types of response to cyberattacks, and on effective methods of cyberdeterrence.

Is There One State in Particular That Seems to Be Doing a Better Job Than the United States Related to Dealing with This Threat Issue?
China is probably doing a better job than the U.S. in the realm of cyberwarfare for three reasons: 1) the government has invested considerable resources in its cyberwarfare capabilities; 2) the number of personnel devoted to cyberwarfare efforts is reportedly in the tens of thousands; and 3) the Chinese government is able to easily operate under a cloak of secrecy and conduct operations without fear of cyberwarfare activities being leaked to Chinese press agencies.

Recommendations for the U.S.

In August 1945, the dramatic destruction of both Hiroshima and Nagasaki not only resulted in the surrender of Japan
and effectively ended World War II, it ushered in the age of nuclear warfare. Yet, it was years until the U.S. had the policy
and unified strategic plan, the SIOP, with which to centrally control the use of nuclear weapons in wartime situations, as
well as conduct a national policy of strategic nuclear deterrence.
It is not unreasonable to assume that the path towards a cohesive U.S. policy and set of strategies regarding the use of cyberweapons will follow a path that is similar to the strategic war plan maturity path from Hiroshima to the SIOP. Today, in the absence of any clear policy on the use of cyberweapons, Crosston advocates agreement on a policy of Mutually Assured Debilitation, in which everyone with cyberweapons would come to a general understanding that the use of these weapons would result in the expectation that massive destruction would be unleashed on every participant's assets (Crosston, 2011). This makes perfect sense considering that the Mutually Assured Destruction nuclear deterrence policy was effective and worked well during the Cold War from the 1950s to 1980s.
Yet, today, I believe that once a cohesive U.S. policy on cyberwarfare and cyberweapons is defined by the National Command Authorities, there is an eight-step process that could result in the development and rapid maturation of a strong national U.S. cyberwarfare strategy:
1. Define the doctrines and principles related to cyberwarfare and the needs under which cyberwarfare would be conducted.
2. Create the policies that embody these doctrines and principles.
3. Conduct the intelligence gathering to accurately understand the landscape of the cyber battlefield.
4. Perform the analysis to create the strategy.
5. Create the strategic plan and tactics.
6. Conduct regular war games, at least twice yearly, to test the strategic plan and tactics.
7. Analyze and document the results of the cyberwarfare war games.
8. Refine the strategies and tactics for cyberwarfare and cyberdeterrence based on the results of analyzing the outcomes of the cyberwarfare war games.
Note that it is also essential to continually assess the capabilities of information technology so that the tools that our cyberwarfare fighters are using are state of the art, and that they are effective and perform well as they are integrated into the cyberwar fighting environment.

Conclusion
This paper has presented a brief strategic comparative analysis of countries with cyberwarfare capability and presented
a set of processes by which the U.S. can quickly catch up where it is lagging behind in policies and strategies that will
define its ability to conduct cyberwarfare and cyberdeterrence in the future.

References

Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O'Reilly.
Crosston, M. (2011). World Gone Cyber MAD: How Mutually Assured Debilitation Is the Best Hope for Cyber Deterrence. An article published in the Strategic Studies Quarterly, Spring 2011. Retrieved from http://www.au.af.mil/au/ssq/2011/spring/crosston.pdf on October 10, 2012.
Czosseck, C. and Geers, K. (2009). The Virtual Battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from http://omicsgroup.org/journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
Hagestad, W. T. (2012). 21st Century Chinese Cyberwarfare. Cambridgeshire, U.K.: IT Governance.
Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
Kaplan, F. (1983). The Wizards of Armageddon: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on How to Use the Bomb. Stanford, CA: Stanford University Press.
Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
Libicki, M.C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: Rand Corporation.
Saini, M. (2012). Preparing for Cyberwar: A National Perspective. An article published on July 26, 2012 at the Vivekananda International Foundation. Retrieved from http://www.vifindia.org/article/2012/july/26/preparing-for-cyberwar-a-national-perspective on October 14, 2012.
Sanger, D. E. (2012). Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. New York, NY: Crown Publishers.
Technolytics. (2012). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict, third edition. Purchased and downloaded on September 26, 2012.

A Brief Analysis of Russian Cyberwarfare Capabilities: Past, Present, and Future

Information provided in the November 2011 Potomac Institute for Policy Studies set of lectures on Russian Cyber Capabilities was an excellent, authoritative indoctrination for understanding the mindset of the Russian leaders toward cyberwarfare, as well as understanding the history and foundation of these perspectives. Specifically, it showed that Russian leaders frame their cyberwarfare capabilities and ideas under the idea of "Information Security of the Russian Federation." Analysis of their mindset and activities reveals the following:
- Putin is indeed very tech-savvy.
- The Russian military has successfully waged punishing cyberwar operations against both Estonia and Georgia.
- The mindset of the Russian leaders is often described as a 19th century geopolitical perspective.
- The Russian people are still unhappy with the outcome of the fall of the Soviet Empire, which is regarded as the greatest geopolitical failure of the 20th century.
- The Russian leaders and their military have the will and the capability to wage cyberwar if necessary to achieve whatever national political objectives are deemed necessary for the benefit of the Rodina (the Motherland).
- Regarding their own people, Putin's Information Security Doctrine of September 2010 empowers the state to control information to accomplish these objectives:
  - Protect strategically important information
  - Protect against deleterious foreign information
  - Inculcate patriotism and values

(The Potomac Institute for Policy Studies, 2011).

Though it has not been widely publicized, as far back as 1982 and again in 2000, the Russians were themselves attacked by cyberattacks on the control systems associated with their remote Siberian gas pipelines (Tsang, 2011). As mentioned earlier, the punishing Russian cyberattacks on Estonia in 2007 and Georgia in 2008 demonstrated an effective and visible cyberwarfare capability not previously witnessed, and ironically there was no attempt to conceal these (Czosseck and Geers, 2009).
In the article Russia Now 3 and 0 in Cyber Warfare, it was revealed that apparently, in January 2009, Russia launched its third massive set of DDoS cyberattacks on Kyrgyzstan, which is also one of its neighbors. So in each of the years between 2007 and 2009, Russia showed that it was able, willing, and very capable of conducting effective cyberwarfare operations to achieve its desired military and national objectives in the cyberspace shared with its neighbors (Carrol, 2009).
In 2009, it was also noted that Russia and the U.S. have fundamental disagreements on what the nature of treaties should be to prevent cyberwarfare. At that time, Russian leaders reportedly favored a total cyberweapon disarmament. The U.S. vehemently disagreed with this position, stating that it was necessary to concentrate on strong cyberdefensive capabilities due to the fact that they were seeing as many as 50,000 attacks per day (Markoff and Kramer, 2009). It became clear at this time that the inability of these two cyber superpowers to reach an agreement on the use of cyberweapons would likely result in a cyberweapons arms race and increase the danger and possibility of a cyberwar.
Yet, as late as 2011, the specific cyber capabilities that the Russians either currently possess or are in the process of developing became publicly known. Despite official denials to the contrary, Russian documents were obtained and translated. These documents show that there is active research on the development of cyberattack tools and capabilities in the following areas:
Means of effect on components of electronic equipment and its associated power supply
Temporary or irreversible disabling of components of electronic systems
Means of power electronic suppression: ultra-powerful microwave generators

Cyber Security

118/148

Explosive magnetic generators


Explosive magneto-hydrodynamic generators
Software for disabling equipment (hard drive head resonance, monitor-burnout, etc.
Software for erasing rewritable memory
Software for affecting continuous power sources
Means of disabling electronic networks
Means of effect on programming resource of electronic control modules
Disabling or changing the algorithm of functioning control system software by using special software
Means of penetrating information security systems
Means of concealing information collection sources
Means of disabling all or specific software in information systems, possibly at a strictly given point in time, or with
the onset of a certain event in the system (i.e. a logic bomb)
Means of covertly partially changing the algorithm of functioning software
Means of collecting data circulating in the enemy information system
Means of delivering and introduction of specific algorithms to a specific place of an information system
Means of effect of facility security systems
Means of effect on programming resource of electronic control modules
Stopping or disorganizing the functioning of data exchange subsystems by an effect on the signal propagation
medium and on the algorithms of functioning
Electronic warfare assets, especially ground-based and airborne (helicopters and unmanned aerial vehicles)
Droppable expendable jammers
Means of effect on the data transfer protocols of communications and data transfer systems
Means of effect on addressing and routing algorithms
Means of intercepting and disrupting the passage of information in its technical transfer channels
Means of provoking a system overload by false requests to establish contact (i.e. DDoS attacks) (K., 2011)
This extensive specific list of areas of research made me think that perhaps some Russian hackers were behind the
massive power grid failures that affected the Northeastern part of the United States in August 2004. Certainly, if their
capabilities were advanced enough in 2004, they could probably have undermined infrastructure defenses in the U.S.
to successfully execute such an attack, possibly simply as a show of force and/or to probe our capabilities to defend
against and respond to such an attack.
After seeing the extensive list of potential and current cyberweapon capabilities, it became clear to me that Russia
intends to dominate cyberspace if they are given that opportunity by the U.S. failing to recognize and meet the threats.
By 2012, analysis by an Israeli defense analyst showed the following regarding Russian policy and strategy related to
cyberweapons:

Country: Russia

Policy: Russia supports cyberwarfare capabilities, especially providing such capabilities in the Russian Army. The nature
of cyberwarfare and information warfare requires that the development of a response to these challenges must be
organized on an interdisciplinary basis and include researchers from different branches: political analysts, sociologists,
psychologists, military specialists, and media representatives (Fayutkin, 2012).

Strategy: The ability to achieve cyber superiority is essential to victory in cyberspace (Fayutkin, 2012).

So what does it all mean? Obviously, the Russians have progressively demonstrated that they have the will, the vision,
the doctrines, the tools, the knowledge, and the experience with which to successfully wage serious cyberwarfare. Russia
is now, and should be regarded for the foreseeable future as, a potential and worthy adversary, and it should be
considered to be a cyberweapon superpower on the battlefield of cyberspace.
References

Carrol, W. (2009). Russia Now 3 and 0 in Cyber Warfare. Retrieved from http://defensetech.org/2009/01/30/russia-now-3-and-0-in-cyber-warfare/ on October 21, 2012.
Czosseck, C. and Geers, K. (Editors) (2009). The Virtual Battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from http://omicsgroup.org/journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
K., Dr. (2011). Hackers Handbook, fourth edition. London, U.K.: Carlton.
Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. An article published in the New York Times on June 28, 2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
The Potomac Institute for Policy Studies. (2011). Russian Cyber Capabilities: Policy and Practice. A conference video posted at YouTube.com. Retrieved from http://www.youtube.com/watch?v=ZVwVhegU1S4&feature=related on October 19, 2012.
Tsang, R. (2009). Cyberthreats, Vulnerabilities, and Attacks of SCADA Networks. A scholarly paper published at the University of California at Berkeley. Retrieved from http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf on October 21, 2012.

Conflict Resolution in Cyberwarfare and Cyberdeterrence


This brief paper will present the ideas of conflict analysis and resolution as well as possible alternatives to solutions I
have proposed related to cyberwarfare and cyberdeterrence policy and strategy issues.

Current Academic Research on This Threat Problem


Since 2007, well-orchestrated cyberwar attacks such as the DDoS attacks on Estonia (2007), Georgia (2008), and
Kyrgyzstan (2009), as well as Stuxnet (2010), Duqu (2011), and Flame (2012), have all become known to the world
through security researchers, their victims, and the media. As a result, it has become apparent to most who are watching
this area that cyberspace has now become the new realm onto which the field of international conflict has been
extended, and that cyberwarfare is no longer merely a theoretical issue that could one day threaten those participants
and systems that rely upon connections to the Internet and Internet-connected networks. Unfortunately, however, the
present findings and research on cyberwarfare-related events show that the U.S. is playing catch-up and doing so badly
(Turzanski and Husick, 2012).

Intellectual Positions and Theoretical Explanations That Have Been Staked Out on This Threat Problem


As recently as the 2008-2009 timeframe, John Boyd's conflict model, known as Observe-Orient-Decide-Act (OODA),
began to be applied to analyze the ideas of cybernetic warfare and net-centric warfare. The model itself has been
analyzed for its ability to demonstrate simply the nature of the complexity of conflict, complete with its factors of
ambiguity and unpredictability, and so the model has also been used to describe the nature of life itself. Yet the model is
also affected by the chaotic nature of life and reality. This further shows the similarity between actual cyberwarfare
events and this model. Other characteristics of the OODA loop model are its continuous nature and the feedback loops
that provide data on which to base some form (or forms) of decision and action. The OODA Loop model is shown in the
diagram below:

Figure 1 Boyds OODA Loop Model (Bousquet, 2009)


However, one key distinction between Boyd's OODA model and cybernetic warfare is Boyd's focus on the conditions
of emergence and transformation of systems through information rather than merely the manner in which information is
processed by a fixed organizational schema. Boyd would argue that Claude Shannon and others tend to overemphasize
the view of information related to structure as opposed to information as a process (Bousquet, 2009).

Joint Publication (JP) 5-0, Joint Operation Planning


As recently as December 2006, the Joint Chiefs of Staff provided an inside look into how the U.S. National War Plan was
created and maintained, in the document titled Joint Publication (JP) 5-0, Joint Operation Planning. While this publicly
available, 264-page document is unclassified, it does provide an extraordinary look into the strategic military thinking,
principles, and guidance of the Joint Chiefs of Staff and the National Command Authorities as they create policies and
strategies that enforce the national strategic objectives of the United States. This document, which was created during
the Bush administration, is also significant because it is one of the first official, publicly known documents of its kind to
include cyberspace as part of the operational realm of conflict, along with air, sea, land, and space, for conducting
military operations (U.S. DoD, JCS, 2006). The high-level diagram below shows simply the concept of the inputs and
the outputs that lead to understanding the operational environment of conflict, and it compares somewhat to the OODA
figure shown earlier:

Figure 2 Understanding the Operational Environment (U.S. DoD, JCS, 2006)


To further illustrate the intent of the Joint Chiefs of Staff, the diagram below visually explains the interconnected
nature of the realms related to the operational environment of conflict and the nature of the systems analysis required
for decision making.

Figure 3 Understanding the Interconnected Nature of the Realms Related to the Operational Environment of Conflict
and the Nature of the Systems Analysis Required for Decision Making (U.S. DoD, JCS, 2006)

The JCS also described the environment of conflict as a place where simultaneity of operations would occur, and this
environment would include the information environment and cyberspace:
Simultaneity refers to the simultaneous application of military and nonmilitary power against the enemy's
key capabilities and sources of strength.
Simultaneity in joint force operations contributes directly to an enemy's collapse by placing more demands
on enemy forces and functions than can be handled. This does not mean that all elements of the joint
force are employed with equal priority or that even all elements of the joint force will be employed. It refers
specifically to the concept of attacking appropriate enemy forces and functions throughout the OA (across
the physical domains and the information environment [which includes cyberspace]) in such a manner as
to cause failure of their moral and physical cohesion (U.S. DoD, JCS, 2006).
Therefore, the JCS also created a Course of Action framework for determining the best courses of action in a conflict
environment, and here again, cyberspace is included in that realm of options in which a course of action could and would
be developed (U.S. DoD, JCS, 2006).

Figure 4 Course of Action Development (U.S. DoD, JCS, 2006)

Options in Conflict
Based on the current state of affairs, in which the U.S. lacks coherent and cohesive cyberwarfare and cyberdeterrence
policies incorporated into its National CONOPS Plan, and given the potential for unintended consequences where the
unilateral use of cyberweapons can and will occur, I see three possible options for the U.S., and each of these options
has advantages and disadvantages.

Option 1: Create policies that mandate the inclusion of cyberwarfare and cyberdeterrence into the U.S. National CONOPS
Plan.
Advantage: Prevents unintended consequences of unilateral use or unplanned use of cyberweapons.
Disadvantage: Takes time, politics, skills, knowledge, and money.

Option 2: Limited creation and application of policies that mandate the inclusion of cyberwarfare and cyberdeterrence
into the U.S. National CONOPS Plan.
Advantage: Prevents some possible unintended consequences of unilateral use or unplanned use of cyberweapons.
Disadvantage: Still requires some time, political wrangling, skills, knowledge, and money.

Option 3: Do nothing whatsoever related to cyberweapons and the U.S. National CONOPS Plan. Just continue the present
trend of conducting cyberwarfare operations on an ad hoc basis in secrecy, and allow the situation with current
cyberwarfare threats to continue (Sanger, 2012).
Advantage: Saves time, political wrangling, and money.
Disadvantage: Unintended consequences of unilateral use or unplanned use of cyberweapons.

Table 1 Comparing Options for Incorporating Cyberwar and Cyberdeterrence Policies and Strategies into the U.S.
National CONOPS Plan.

Conclusion
This paper has presented a brief look at the U.S. Military's recognition of cyberspace as an extension of the operational
environment of conflict and a comparison of the options that exist for resolving the issues that threaten America's ability
to create the coherent and cohesive policies and strategies that will define its ability to effectively conduct cyberwarfare
and cyberdeterrence in the future.
References

Andress, J. and Winterfeld, S. (2011). Cyber Warfare: Techniques and Tools for Security Practitioners. Boston, MA: Syngress.
Bousquet, A. (2009). The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. New York, NY: Columbia University Press.
Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O'Reilly.
Crosston, M. (2011). World Gone Cyber MAD: How Mutually Assured Debilitation Is the Best Hope for Cyber Deterrence. An article published in the Strategic Studies Quarterly, Spring 2011. Retrieved from http://www.au.af.mil/au/ssq/2011/spring/crosston.pdf on October 10, 2012.
Czosseck, C. and Geers, K. (2009). The Virtual Battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from http://omicsgroup.org/journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
Kramer, F. D. (Ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
Libicki, M.C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: Rand Corporation.
Mayday, M. (2012). Iran Attacks US Banks in Cyber War: Attacks target three major banks, using Muslim outrage as cover. An article published on September 22, 2012 at Politix.Topix.com. Retrieved from http://politix.topix.com/homepage/2214-iran-attacks-us-banks-in-cyber-war on September 22, 2012.
Saini, M. (2012). Preparing for Cyberwar: A National Perspective. An article published on July 26, 2012 at the Vivekananda International Foundation. Retrieved from http://www.vifindia.org/article/2012/july/26/preparing-for-cyberwar-a-national-perspective on October 14, 2012.
Sanger, D. E. (2012). Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. New York, NY: Crown Publishers.
Technolytics. (2012). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict, third edition. Purchased and downloaded on September 26, 2012.
Turzanski, E. and Husick, L. (2012). Why Cyber Pearl Harbor Won't Be Like Pearl Harbor At All... A webinar presentation held by the Foreign Policy Research Institute (FPRI) on October 24, 2012. Retrieved from http://www.fpri.org/multimedia/2012/20121024.webinar.cyberwar.html on October 25, 2012.
U.S. Department of Defense, JCS. (2006). Joint Publication (JP) 5-0, Joint Operation Planning, updated on December 26, 2012. Retrieved from http://www.dtic.mil/doctrine/new_pubs/jp5_0.pdf on October 25, 2012.

Policy Generation Related to Cyberwarfare and Cyberdeterrence


This brief paper will present the ideas for the creation of national policy or enhancement of existing national policy
related to cyberwarfare and cyberdeterrence issues.

Current U.S. Policy Covering Cyberwarfare Threats


The current written policy related to cyberwarfare threats can be found in President Obama's Defense Strategic
Guidance 2012, a 16-page policy document that was published on January 3, 2012. The excerpt related specifically
to cyberwarfare and cyber threats is shown below:
Both state and non-state actors possess the capability and intent to conduct cyber espionage and,
potentially, cyber attacks on the United States, with possible severe effects on both our military operations
and our homeland. Growth in the number of space-faring nations is also leading to an increasingly congested
and contested space environment, threatening safety and security. The United States will continue to lead
global efforts with capable allies and partners to assure access to and use of the global commons, both by
strengthening international norms of responsible behavior and by maintaining relevant and interoperable
military capabilities (Obama, 2012).
Though the Obama Administration reviewed and approved Bush's CNCI policy in May 2009, Obama, who is regarded
as the most technology-savvy president that has ever occupied the White House, went much further to acknowledge the
importance of cyberspace to the American economy and the American military, and the importance of defending the U.S.
from adversaries that could threaten us via cyberspace. Obama's policy also acknowledges the reality that future wars
will be fought in the realm of cyberspace, and his administration has thus funded the preparation of the U.S. armed
forces for conflict in cyberspace (Gerwitz, 2011).

Challenges Related to Cyberwar and Cyberdeterrence Policy and Strategy Creation


The creation of policies and strategies related to cyberwar and cyberdeterrence is complicated by six major issues:
1. The lack of international definition and agreement on what constitutes an act of cyberwar (Markoff and Kramer,
2009).
2. The lack of the ability to clearly attribute the source of an attack (Turzanski and Husick, 2012).
3. The ability of non-state actors to conduct potent cyberattacks (Turzanski and Husick, 2012).
4. The inability to clearly define the exact nature of critical infrastructure targets (Turzanski and Husick, 2012).
5. The massive proliferation of, and reliance on, ubiquitous, highly insecure, vulnerable systems based on SCADA
technologies during the 1980s and 1990s (Turzanski and Husick, 2012).
6. The continually changing landscape of information technology, including the vulnerabilities and threats related to
systems that are obsolete, yet remain in operational use for several years past their intended useful life.

Recommendations for the U.S. Cyberwarfare Policy and Strategy


It is not unreasonable to assume that the path towards a coherent and cohesive U.S. policy and set of strategies regarding
the use of cyberweapons will be similar to the strategic war plan maturity path from Hiroshima to the SIOP. Today, in the
absence of any clear policy on the use of cyberweapons, Crosston advocates agreement on a policy of Mutually Assured
Debilitation, in which everyone with cyberweapons would come to a general understanding that the use of these
weapons would result in the expectation that massive destruction would be unleashed on every participant's assets
(Crosston, 2011). This makes perfect sense considering that the Mutually Assured Destruction nuclear deterrence policy
was effective and worked well during the Cold War from the 1950s through the 1990s.
Yet, today, I believe that once a coherent and cohesive U.S. policy on cyberwarfare and cyberweapons is defined by the
National Command Authorities, there should be an eight-step process that could result in the development and rapid
maturation of a strong U.S. national strategy for cyberwarfare:

1. Define the doctrines and principles related to cyberwarfare and the needs under which cyberwarfare would be
conducted.
2. Create the policies that embody these doctrines and principles.
3. Conduct the intelligence gathering to accurately understand the landscape of the cyber battlefield.
4. Perform the analysis to create the strategy.
5. Create the strategic plan and tactics.
6. Conduct regular war games, at least twice yearly, to test the strategic plan and tactics.
7. Analyze and document the results of the cyberwarfare war games.
8. Refine the strategies and tactics for cyberwarfare and cyberdeterrence based on the results of analyzing the
outcomes of the cyberwarfare war games.
Note that it is also essential to continually assess the capabilities of Information Technology so that tools that our
cyberwarfare fighters are using are state of the art and that they are effective and perform well as they are integrated
into the cyberwar war fighting environment.

Recommendations for the U.S. Cyberdeterrence Policy and Strategy


A strongly worded, explicit U.S. national policy regarding cyber deterrence would serve to further strengthen the U.S. in
cyberspace as well as protect critical infrastructure and our allies. According to a 1997 paper that was prepared by the
U.S. Army for the Clinton administration, Toward Deterrence in the Cyber Dimension, these would be the recommended
elements of such a policy:
1. Continue to design, create, possess, and use offensive cyber warfare capabilities when necessary.
2. Develop a defensive system for surveillance, assessment, and warning of a cyber attack. (I think such a capability
presently exists.)
3. A declaration that any act of deliberate information warfare resulting in the loss of life or significant destruction of
property will be met with a devastating response (U.S. Army, 1997).
4. I would also include Crosston's idea of Mutually Assured Debilitation (Crosston, 2011).

Final Thoughts on the Creation of a National Policy on Cyberwar and Cyberdeterrence


According to Kramer, the table below contains the 10-step remedy for creating a policy that would protect the U.S. in
cyberspace.

Unify Policy Direction: Effective policies will not be created by a single person or entity, but they require centralized
leadership to unify their direction and intent.

Specialize Policy Direction: Recognizing that one size does not fit all, specialized policies need to be created for various
infrastructures and industries to ensure maximum protection.

Strengthen and Unify Regulation: Regulations must be strengthened to be more effective, or new, more effective
regulations must be created.

Define State and Local Roles: A workable Federal policy must have the involvement of state and local authorities to be
effective.

Define International Interfaces: This is required because cyberspace is connected internationally and because there is
still a lack of international agreement on many aspects of cyberwar.

Mandate Effective Systems Engineering for Infrastructure-related Software: Ensure that there is a realization of and
commitment to the need for higher minimum standards for the quality of software that is related to infrastructure.

Don't Take No for an Answer: Ensure that stakeholders and those responsible participants realize the resolute,
unwavering commitment toward a workable policy solution.

Establish and Implement Clear Priorities: This will ensure the best allocation of financial and management resources.

Inform the Public Clearly and Accurately: The public needs to understand the efforts being made to protect the U.S.

Conduct a Continuing Program of Research: Keep the policy updated and relevant to changing technologies.

Table 1 A 10-step Remedy toward the Creation of National Policy (Kramer, et al., 2009)

Conclusion
This paper has presented a brief look at the importance of creating a set of publicly available, coherent and cohesive
national policies and strategies that will address the nation's intentions and capabilities to effectively conduct
cyberwarfare and cyberdeterrence operations now and in the future. At the present moment, the lack of such policies
effectively represents a window of risk and uncertainty during a time when cyber threats and cyber attacks are growing
at an exponential rate. That has the elements of a real potential for a cyber disaster if this weak policy situation is not
resolved as soon as possible. Here, I presented a set of processes by which the U.S. can quickly address the national
challenges of effectively creating the urgently needed national policies and integrated strategies for conducting
cyberwarfare and cyberdeterrence operations now and in the future.
References

Crosston, M. (2011). World Gone Cyber MAD: How Mutually Assured Debilitation Is the Best Hope for Cyber Deterrence. An article published in the Strategic Studies Quarterly, Spring 2011. Retrieved from http://www.au.af.mil/au/ssq/2011/spring/crosston.pdf on October 10, 2012.
Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. An article published in the New York Times on June 28, 2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
Obama, B. H. (2012). Defense Strategic Guidance 2012: Sustaining Global Leadership: Priorities for 21st Century Defense. Published January 3, 2012. Retrieved from http://www.defense.gov/news/Defense_Strategic_Guidance.pdf on January 5, 2012.
Turzanski, E. and Husick, L. (2012). Why Cyber Pearl Harbor Won't Be Like Pearl Harbor At All... A webinar presentation held by the Foreign Policy Research Institute (FPRI) on October 24, 2012. Retrieved from http://www.fpri.org/multimedia/2012/20121024.webinar.cyberwar.html on October 25, 2012.
U.S. Army. (1997). Toward Deterrence in the Cyber Dimension: A Report to the President's Commission on Critical Infrastructure Protection. Retrieved from http://www.carlisle.army.mil/DIME/documents/173_PCCIPDeterrenceCyberDimension_97.pdf on November 3, 2012.

Integration of Cyberwarfare and Cyberdeterrence Strategies into the U.S. CONOPS Plan to Maximize Responsible Control
and Effectiveness by the U. S. National Command Authorities

This paper deals with issues related to the present situation of lack of a clearly defined national policy on the use of
cyberweapons and cyberdeterrence, as well as the urgent present need to include strategies and tactics for cyberwarfare
and cyberdeterrence into the national CONOPS Plan, which is the national strategic war plan for the United States.

Part 1 Threat Assessment in Cyberwarfare and Cyberdeterrence


One of the main disadvantages of the hyper-connected world of the 21st century is the very real danger faced by
countries, organizations, and people who use networked computer resources connected to the Internet: they are at
risk of cyberattacks that could result in one or more cyber threat dangers such as denial of service, espionage, theft of
confidential data, destruction of data, and/or destruction of systems and services. As a result of these cyber threats, the
national leaders and military of most modern countries have now recognized that the potential for cyberattacks and
cyberwar is very real, and many are hoping to counter these threats with modern technological tools, using strategies
and tactics under a framework of cyberdeterrence with which they can deter the potential attacks associated with
cyberwarfare.

Nature of the Threat


During my studies prior to and as a student in this DET 630 Cyberwarfare and Cyberdeterrence course at Bellevue
University, it occurred to me that, considering the rapid evolution of the potentially destructive capabilities of
cyberweapons and the complex nature of cyberdeterrence in the 21st century, it is now a critical priority to integrate the
cyberwarfare and cyberdeterrence plans into the CONOPS plan. Indeed, if the strategic battleground of the 21st century
has now expanded to include cyberspace, and the U.S. has in the last five years ramped up major military commands,
training, personnel, and capabilities to support cyberwarfare and cyberdeterrence capabilities, the inclusion of these
capabilities should now be a critical priority of the Obama administration if it has not already happened.

How large a problem is this for the United States?


Without the integration of cyberwarfare and cyberdeterrence technologies, strategies, and tactics into the CONOPS
Plan, the national command authorities run a grave risk of conducting a poorly planned offensive cyberwarfare operation
that could precipitate a global crisis, impair relationships with U.S. allies, and potentially unleash a whole host of
unintended negative and potentially catastrophic consequences. In non-military terms, at least four notable cyberspace
events caused widespread damage via the Internet because of the rapid speed of their propagation and their apparently
ruthless and indiscriminate selection of vulnerable targets. They are 1) the Robert Morris worm (U.S. origin, 1988); 2) the
ILOVEYOU worm (Philippines origin, 2000); 3) the Code Red worm (U.S. origin, 2001); and 4) the SQL Slammer worm
(U.S. origin, 2003). If not executed with great care and forethought, a cyberweapon could potentially unleash even
greater damage on intended targets, and possibly on unintended targets that were connected via the Internet.

Other Not So Obvious Challenges for Cyberweapons and Cyberdeterrence


The cyberspace threat and vulnerability landscape is notable in that it is continually dynamic and shifting. Those who
are responsible for protecting assets in cyberspace have many more challenges on their hands than their military
counterparts who utilize weapons like guns, explosives, artillery, missiles, etc. For example, by some estimates there are
over 350 new types of malware manufactured each month. There are also monthly patch updates to most Microsoft
software and operating systems, and phenomena such as evil hackers and zero-day exploits are apparently never
ending. Therefore, the inclusion of cyberweapons and cyberdeterrence capabilities into the CONOPS Plan would require
more frequent, rigorous, complex, and integrated testing to ensure that it was always effective and up to date. In the
dynamic world of cyberspace, with its constantly shifting landscape of new capabilities, threats and vulnerabilities, the
coordination of the constant refresh and testing of a CONOPS Plan that integrated these cyberwarfare and
cyberdeterrence capabilities would be no small feat. In addition, constant intelligence gathering and reconnaissance
would need to be performed on suspected enemies to ensure that our cyberweapons and cyberdeterrence capabilities
would be in a constant state of being able to deliver the intended effects for which they were designed.

Is it a problem for other countries?


The careful planning and integration of cyberweapons and cyberdeterrence is likely a challenge for every country with
these capabilities. For example, much is already known about our potential adversaries, such as Russia, China and
North Korea, but what is perhaps less understood is the degree to which they have been successful in integrating
cyberwarfare and cyberdeterrence capabilities into their own national war plans. Nevertheless, due to the previous
extensive experience of Russia and the U.S. with strategic war planning, it is likely that these two countries stand the
greatest chance of integrating cyberwarfare and cyberdeterrence capabilities into their respective war plans. Yet, as
recently as June 2009, it was clear that the U.S. and Russia were unable to agree on a treaty that would create the terms
under which cyberwarfare operations could and would be conducted (Markoff and Kramer, 2009).

Is it problematic for these countries in the same ways or is there variation? What kind?
Every country that is modern enough to have organizations, people, and assets that are connected to computers and
the Internet faces similar challenges of planning and managing cyberweapons and cyberdeterrence, and the poorer the
country, the more significant the challenges. For example, when a small group of hackers from Manila in the Philippines
unleashed the ILOVEYOU worm on the Internet in 2000, it caused over $2 billion in damages to computer data
throughout the world. Agents from the FBI went to Manila to track down these people and investigate how and why the
ILOVEYOU worm catastrophe occurred. To their surprise, they learned that each of the hackers who were involved
could successfully escape prosecution because there were no laws in the Philippines with which to prosecute them. So,
in fact, most countries lack the technological and legal frameworks with which to successfully build a coordinated effort
to manage the weapons and strategies of cyberwarfare and cyberdeterrence, despite the fact that most now embrace
cyberspace with all the positive economic benefits it offers for commerce and communications.

What are the consequences to the U.S. and others if this threat is left unchecked?
As stated earlier, without the careful integration of cyberwarfare and cyberdeterrence technologies, strategies, and
tactics into the CONOPS Plan, the national command authorities run a grave risk of launching a poorly planned offensive
cyberwarfare operation that could precipitate a global crisis, impair relationships with its allies, and potentially unleash
a whole host of unintended negative and potentially catastrophic consequences.

What consequences has the threat already produced on American/global society?


The absence of well-defined cyberwarfare and cyberdeterrence strategies and tactics in the CONOPS Plan has
already produced some situations that have either damaged America's image abroad, or that could imperil its image
and have far more negative consequences. For example, operations such as Stuxnet, Flame, Duqu, etc., might have
either been better planned or possibly not executed at all if cyberwarfare and cyberdeterrence strategies and tactics
were defined in the CONOPS Plan. Also, the news media indicated that during the revolution in Libya that resulted in the
fall of Qaddafi, cyberwarfare operations were considered by the Obama administration. The negative reactions and
repercussions on the world stage might have far outweighed any short-term advantages that could have resulted from
a successful set of cyberattacks against Libyan infrastructure assets that were attached to computer networks. Again,
a comprehensive CONOPS Plan that included well-defined cyberwarfare and cyberdeterrence strategies and tactics
could have prevented such possible cyberattacks from even being considered, and it could have prevented the news
of the possible consideration being publicized in the press (Schmitt, E. and Shanker, T., 2011). Without such restraint
and well-planned deliberate actions, the U.S. runs the risk of appearing like the well-equipped cyber bully on the world
stage, and an adversary who is willing to unleash weapons that can and will do crippling damage to an opponent, using
technologies that are rapid, decisive, and not well understood by those at whom they are directed. A similar effect and
world reaction might occur if U.S. Army infantry troops were equipped with laser rifles that emitted deadly laser blasts with
pinpoint precision across several hundred yards.

The Rapid Evolution of Cyberthreats


As predicted in the Technolytics chart below, cyberweapons have rapidly evolved over time.

Figure 1 Evolution of Cyberweapons (Technolytics, 2012).


Since Stuxnet was released in 2010, countries and the general public are now aware of some of the offensive, strategic
and destructive capabilities and potential of cyberweapons (Gelton, T., 2011).
The changes that produced Stuxnet and other recent, more modern cyberweapons were a national resolve to excel in the
cyberwarfare area, coupled with excellent reconnaissance on desired targets, and partnering with computer scientists
in Israel. The political consequences are not well understood yet, except to say that the U.S. and Israel are probably
less trusted and suspected of even greater future capabilities, as well as having the will to use them. Again, having
well-planned cyberwarfare and cyberdeterrence strategies and tactics defined in the CONOPS Plan might indeed restrain
such possibly reckless decisions as to unleash cyberweapon attacks without what the world might consider the correct
provocation.

Part 1 Final Thoughts about Cyberwarfare Operations


In the words of Deb Radcliff, in an article published in SC Magazine in September 2012, we are already in a cyberwar
(Radcliff, D., 2012). But as I was performing my research, it occurred to me that a country like the U.S. might in the
future unleash such a devastating cyberattack that it could cripple the enemy's ability to communicate surrender. I think
that the moral implications of such circumstances need to be justly considered as a matter of the laws of war, because
if a country continues to attack an enemy that has indicated that it is defeated and wants to surrender, this shifts the
moral ground from which the U.S. may have believed it was conducting its cyberwarfare operations. This is one other
unintended consequence of cyberwarfare and one that needs to be carefully considered.

Part 2 U.S. Policy Appraisal Related to Cyberwarfare and Cyberdeterrence


This section will examine current U.S. Policy related to cyberwarfare and cyberdeterrence.

Current U.S. Policy Covering Cyberwarfare Threats


The current written policy related to cyberwarfare threats can be found in President Obama's Defense Strategic
Guidance 2012, a 16-page policy document that was published on January 3, 2012. The excerpt related specifically
to cyberwarfare and cyber threats is shown below:
To enable economic growth and commerce, America, working in conjunction with allies and partners
around the world, will seek to protect freedom of access throughout the global commons, those areas
beyond national jurisdiction that constitute the vital connective tissue of the international system. Global
security and prosperity are increasingly dependent on the free flow of goods shipped by air or sea. State
and non-state actors pose potential threats to access in the global commons, whether through opposition
to existing norms or other anti-access approaches. Both state and non-state actors possess the capability
and intent to conduct cyber espionage and, potentially, cyber attacks on the United States, with possible
severe effects on both our military operations and our homeland. Growth in the number of space-faring
nations is also leading to an increasingly congested and contested space environment, threatening safety
and security. The United States will continue to lead global efforts with capable allies and partners to
assure access to and use of the global commons, both by strengthening international norms of responsible
behavior and by maintaining relevant and interoperable military capabilities (Obama, 2012).
The first explicit Obama Administration policy acknowledging the realities of cyber threats was published in a 30-page
document titled International Strategy for Cyberspace in May 2011.
Today, as nations and peoples harness the networks that are all around us, we have a choice. We can
either work together to realize their potential for greater prosperity and security, or we can succumb to
narrow interests and undue fears that limit progress. Cybersecurity is not an end unto itself; it is instead an
obligation that our governments and societies must take on willingly, to ensure that innovation continues
to flourish, drive markets, and improve lives. While offline challenges of crime and aggression have made
their way to the digital world, we will confront them consistent with the principles we hold dear: free speech
and association, privacy, and the free flow of information.
The digital world is no longer a lawless frontier, nor the province of a small elite. It is a place where the
norms of responsible, just, and peaceful conduct among states and peoples have begun to take hold. It is
one of the finest examples of a community self-organizing, as civil society, academia, the private sector,
and governments work together democratically to ensure its effective management. Most important of all,
this space continues to grow, develop, and promote prosperity, security, and openness as it has since its
invention. This is what sets the Internet apart in the international environment, and why it is so important
to protect.
In this spirit, I offer the United States International Strategy for Cyberspace. This is not the first time my
Administration has addressed the policy challenges surrounding these technologies, but it is the first time
that our Nation has laid out an approach that unifies our engagement with international partners on the
full range of cyber issues. And so this strategy outlines not only a vision for the future of cyberspace, but
an agenda for realizing it. It provides the context for our partners at home and abroad to understand our
priorities, and how we can come together to preserve the character of cyberspace and reduce the threats
we face (Obama, 2011).
Though the Obama Administration reviewed and approved President Bush's CNCI policy in May 2009, Obama, who
is regarded as the most technology-savvy president that has ever occupied the White House, went much further to
acknowledge the importance of cyberspace to the American economy and the American military, and the importance
of defending the U.S. from adversaries that could threaten us via cyberspace. Obama's policy also acknowledges the
reality that future wars will be fought in the realm of cyberspace, and has thus funded the preparation of the U.S. armed
forces for conflict in cyberspace (Gerwitz, 2011).

What is the effectiveness of current policy when it concerns this particular threat issue?
The Obama Administration's policies have been effective in raising the awareness of the U.S. population as to the
importance of protecting assets that are connected in cyberspace. These policies have also been effective in providing
for the preparation of the U.S. military to deal with conflict in cyberspace.
However, the present policy has not been effective as a deterrent to cyber threats presented by potential national
enemies and non-state actors. As recently as September 23 to September 30, 2012, cyber attacks in the form of
distributed denial of service (DDoS) attacks from the Middle East against several major U.S. banks have publicly
demonstrated the ire of the attackers and also the vulnerabilities of banks with a customer presence in cyberspace
(Strohm and Engleman, 2012).

Short-Term and Long-term Ramifications of Current Policy


In the short-term, the Obama Administration's policies regarding cyberspace have done much to raise the awareness of
cyberspace as an area that requires protection for the public good and prosperity of the American people. These policies
have also served to show our allies and our potential enemies that the U.S. has the intention of defending cyberspace
and all our interests that are connected to it. In the long-term, these policies will probably evolve to reveal in a general,
unclassified way, stronger defenses, stronger deterrent capabilities and probably offensive cyberweapons.
On the legislative front, as recently as September 23, 2012, Chairman of the Senate Homeland Security Committee,
Senator Joseph Lieberman (D., Connecticut), realizing that Congress would fail to pass cybersecurity legislation
designed to help protect the United States and its people, sent an urgent letter to President Obama to ask for the
creation of a new Presidential Executive Order that would address several current cybersecurity issues, including
how and when and where law enforcement can become involved in cybersecurity issues (Kerr, 2012). Though many
digital privacy rights advocates, including the Electronic Frontier Foundation, the Electronic Privacy Information Center,
and the American Civil Liberties Union have strenuously fought recent cybersecurity legislation, it is expected by many
cybersecurity experts that if President Obama is reelected in November 2012, an Executive Order drafted and signed by
the Obama Administration would provide the tools that the federal government wants. Even if President Obama is not reelected
in November 2012, it is expected that some expedient action on the part of the new president would probably take place
even before Congress could successfully agree upon and pass such legislation.

Allies and Adversaries Connected to this Specific Policy?


It is entirely likely that there are classified versions of the International Strategy for Cyberspace policy that address the
nature of how U.S. policies regarding the defense of cyberspace will affect our allies and our adversaries. But since it
has been publicly revealed that the Obama Administration has conducted offensive cyberwarfare operations against Iran
between June 2009 and June 2010, it is also likely that both our allies and our enemies have a clearer understanding of
U.S. capabilities as well as the intent to use cyberweapons when it deems it is in its best interests to do so.

Part 2 Conclusion
The good news is that President Obama and his Administration apparently have an acute awareness of the importance
of the cyberspace to the American economy and the American military. The bad news is that because we are already in
some form of cyberwarfare that appears to be rapidly escalating, it remains to be seen what effects these cyberattacks
and the expected forthcoming Executive Orders that address cybersecurity will have on the American people and our
way of life. Nevertheless, it will be necessary to act prudently, carefully balancing our freedoms with our need for security,
and also considering the importance of enabling and protecting the prosperity of the now electronically connected, free
enterprise economy that makes the U.S. the envy of and the model for the rest of the world.

Part 3 Strategic Comparative Analysis in Cyberwarfare and Cyberdeterrence


This section will present a strategic comparative analysis of the present state of cyberwarfare and cyberdeterrence
issues as they relate to other countries that could be considered adversaries, now or in the not too distant future.

What Other Countries / Regions of the World Are Concerned with This Same Threat Issue?
The countries that are primarily concerned with cyberwarfare and cyberdeterrence threat issues are the same countries
that already have the greatest cyberwarfare capabilities and also the most to lose in the event of a full-scale cyberwarfare
attack.
The diagram below from a 2009 study shows the comparative cyberwar capabilities of the 66 largest countries in the
world.

Figure 2 Country Cyber Capabilities Ratings (Technolytics, 2012)

Countries / Regions of the World That Do Not Place a High Priority on This Threat Issue
Countries that are more focused on the survival and welfare of their citizens do not place a high priority on this threat
issue, since they are largely consumers of Internet and computer capabilities rather than being able to afford to channel
resources into the development of cyberweapons or the resources required to develop a credible cyberdeterrence
strategy. It is also ironic that the U.K., with its stature and status, does not rank higher on the list shown in table 1.

Some of the Current Policies Being Employed by These Other States / Regions in Regards
to the Threat
China, Russia, and India, each of which is in the top four of the countries listed in Table 1, have well-defined cyberwarfare
policies and strategies. Ironically, the U.S., which occupies the number 2 position in that same table, does not yet have
well-defined cyberwarfare policies and strategies. For comparison, Table 2 below shows a summary of the policies and
strategies of China, Russia and India.

Country: China
Policy: China supports cyberwarfare capabilities, especially providing such capabilities in the People's Liberation
Army.
Strategy: The Chinese will wage unrestricted warfare, and these are the principles: omni-directionality; synchrony;
limited objectives; unlimited measures; asymmetry; minimal consumption; multi-dimensional coordination; adjustment,
control of the entire process (Hagestad, 2012).

Country: Russia
Policy: Russia supports cyberwarfare capabilities, especially providing such capabilities in the Russian Army.
Strategy: The ability to achieve cyber superiority is essential to victory in cyberspace (Fayutkin, 2012). The nature
of cyberwarfare and information warfare requires that the development of a response to these challenges must be
organized on an interdisciplinary basis and include researchers from different branches: political analysts, sociologists,
psychologists, military specialists, and media representatives (Fayutkin, 2012).

Country: India
Policy: India supports cyberwarfare capabilities, especially providing such capabilities in the Indian Army. It is essential
for efficient and effective conduct of war including cyber-war. The war book therefore needs to specify how to maintain
no-contact cyber war and, when the government decides to go for full-contact or partial-contact war, how cyber war will
be integrated to meet overall war objectives (Saini, 2012).
Strategy: Strategies are still under development, but will follow the guidance of policies related to the conduct of war
(Saini, 2012).

Table 1 Summary of Cyberwarfare Policies and Strategies of China, Russia, and India

Successes and Failures of the Various Alternative Policies around the Globe
Despite some of the negative press from the Stuxnet virus, this collaborative effort by the U.S. and Israel has been
looked at both with fascination and as an event that has quickly and successfully heralded a new age of warfare, the
age of cyberwarfare. However, many still feel that the absence of publicly defined policies and strategies by the
Obama Administration invites a secretive and even random appearance and continued use of cyberweapons
(Sanger, 2012).

Areas of Joint Communication / Operation / Cooperation that Exist or Should Exist Across
Countries Dealing with This Threat Issue
Apparently, the U.S. has already created one or more rather sophisticated cyberweapons with the help of Israeli
cyberweapon experts. At least one of these cyberweapons, the Stuxnet Worm, was effectively used to impede the
development of Iran's nuclear material refinement program from 2009 to 2010 (Langer, 2010).

It is likely, however, that through the auspices of the United Nations, or perhaps some G20 accord, there may be some
general consensus on the importance of defining the appropriate uses of cyberweapons. There also needs to be some
agreement on the types of response to cyberattacks, and on effective methods of cyberdeterrence.

China and Its Role in Cyberwarfare Capabilities


China is probably doing a better job than the U.S. in the realm of cyberwarfare for three reasons: 1) the government has
invested considerable resources into its cyberwarfare capabilities; 2) the number of personnel devoted to cyberwarfare
efforts is reportedly in the tens of thousands; and 3) the Chinese government is able to easily operate under a cloak of
secrecy and conduct operations without fear of cyberwarfare activities being leaked to Chinese press agencies (Hagestad,
2012).

Part 3 Conclusion
This paper has presented a brief strategic comparative analysis of countries with cyberwarfare capability.

Part 4 Conflict Resolution in Cyberwarfare and Cyberdeterrence


This section will present the ideas of conflict analysis and resolution as they relate to cyberwarfare.

Current Academic Research on This Threat Problem


Since 2007, the existence of well-orchestrated cyberwar attacks such as the DDoS attacks on Estonia (2007),
Georgia (2008), and Kyrgyzstan (2009), as well as Stuxnet (2010), Duqu (2011), and Flame (2012), has become
known to the world through security researchers, their victims, and the media. As a result, it has become apparent to
most who are watching this area that cyberspace has now become the new realm onto which the field of international
conflict has been extended, and that cyberwarfare is no longer merely a theoretical issue that could one day threaten those
participants and systems that rely upon connections to the Internet and Internet-connected networks. Unfortunately,
however, the present findings and research on cyberwarfare-related events show that the U.S. is playing catch-up and
doing so badly (Turzanski and Husick, 2012).

Intellectual Positions and Theoretical Explanations That Have Been Staked Out
on This Threat Problem
As recently as the 2008-2009 timeframe, John Boyd's conflict model known as Observe-Orient-Decide-Act
(OODA) began to be applied to analyze the ideas of cybernetic warfare and net-centric warfare. The model itself
has been analyzed for its ability to simply demonstrate the nature of the complexity of conflict, complete with factors of
ambiguity and unpredictability, and so the model has also been used to define the nature of life itself. Yet, the model is also
impacted by the chaotic nature of life and reality. This further shows the similarity between actual cyberwarfare events
and this model. Other characteristics of the OODA loop model are its continuous nature and the feedback loops that
provide data on which to base some form (or forms) of decision and action. The OODA Loop model is shown in the
diagram below:

Figure 3 Boyd's OODA Loop Model (Bousquet, 2009)

However, one key distinction between Boyd's OODA model and cybernetic warfare is Boyd's focus on the conditions
of emergence and transformation of systems through information rather than merely the manner in which information is
processed by a fixed organizational schema. Boyd would argue that Claude Shannon and others tend to overemphasize
the view of information related to structure as opposed to information as a process (Bousquet, 2009).

Joint Publication (JP) 5-0, Joint Operation Planning


As recently as December 2006, the Joint Chiefs of Staff provided an inside look into how the U.S. National War Plan is
created and maintained, in the document titled Joint Publication (JP) 5-0, Joint Operation Planning. While this publicly
available, 264-page document is unclassified, it does provide an extraordinary look into the strategic military thinking,
principles, and guidance of the Joint Chiefs of Staff and the National Command Authorities as they create policies and
strategies that enforce the national strategic objectives of the United States. This document, which was created during
the Bush administration, is also significant because it is one of the first official, publicly known documents of its kind that
included cyberspace as part of the operational realm of conflict, along with air, sea, land, and space, for conducting
military operations (U.S. DoD, JCS, 2006). The high-level diagram below shows simply the concept of the inputs and
the outputs that lead to understanding the operational environment of conflict, and it compares somewhat to the OODA
figure shown earlier:

Figure 4 Understanding the Operational Environment (U.S. DoD, JCS, 2006)


To further illustrate their intent, the Joint Chiefs of Staff used the diagram below to visually explain the interconnected
nature of the realms related to the operational environment of conflict and the nature of the systems analysis required
for decision making.

Figure 5 Understanding the Interconnected Nature of the Realms Related to the Operational Environment of Conflict
and the Nature of the Systems Analysis Required for Decision Making (U.S. DoD, JCS, 2006)
The JCS also described the environment of conflict as a place where simultaneity of operations would occur, and this
environment would include the information environment and cyberspace:
Simultaneity refers to the simultaneous application of military and nonmilitary power against the enemy's
key capabilities and sources of strength.
Simultaneity in joint force operations contributes directly to an enemy's collapse by placing more demands
on enemy forces and functions than can be handled. This does not mean that all elements of the joint
force are employed with equal priority or that even all elements of the joint force will be employed. It refers
specifically to the concept of attacking appropriate enemy forces and functions throughout the OA (across
the physical domains and the information environment [which includes cyberspace]) in such a manner as
to cause failure of their moral and physical cohesion (U.S. DoD, JCS, 2006).
Therefore, the JCS also created a Course of Action framework for determining the best courses of action in a conflict
environment, and here again, cyberspace is included in that realm of options in which a course of action could and would
be developed (U.S. DoD, JCS, 2006).

Figure 6 Course of Action Development (U.S. DoD, JCS, 2006)

Options in Conflict
Based on the current state of where the U.S. stands, with the lack of coherent and cohesive cyberwarfare and
cyberdeterrence policies incorporated into its National CONOPS Plan, and the potential for unintended consequences
where the unilateral use of cyberweapons can and will occur, I see three possible options for the U.S., and each of
these options has advantages and disadvantages.

Option 1: Create policies that mandate the inclusion of cyberwarfare and cyberdeterrence into the U.S. National
CONOPS Plan.
Advantage: Prevents unintended consequences of unilateral use or unplanned use of cyberweapons.
Disadvantage: Takes time, politics, skills, knowledge, and money.

Option 2: Limited creation and application of policies that mandate the inclusion of cyberwarfare and cyberdeterrence
into the U.S. National CONOPS Plan.
Advantage: Prevents some possible unintended consequences of unilateral use or unplanned use of cyberweapons.
Disadvantage: Still requires some time, political wrangling, skills, knowledge, and money.

Option 3: Do nothing whatsoever related to cyberweapons and the U.S. National CONOPS Plan. Just continue the
present trend of conducting cyberwarfare operations on an ad hoc basis in secrecy, and allow the situation with current
cyberwarfare threats to continue (Sanger, 2012).
Advantage: Saves time, political wrangling, and money.
Disadvantage: Unintended consequences of unilateral use or unplanned use of cyberweapons.

Table 2 Comparing Options for Incorporating Cyberwar and Cyberdeterrence Policies and Strategies into the U.S.
National CONOPS Plan.

Part 4 Conclusion
This section has presented a brief look at the U.S. Military's recognition of cyberspace as an extension of the operational
environment of conflict and a comparison of the options that exist for resolving the issues that threaten America's ability
to create the coherent and cohesive policies and strategies that will define its ability to effectively conduct cyberwarfare
and cyberdeterrence in the future.

Part 5 Policy Generation Related to Cyberwarfare and Cyberdeterrence


This section will present the ideas for the creation of national policy or enhancement of existing national policy related
to cyberwarfare and cyberdeterrence issues.

Current U.S. Policy Covering Cyberwarfare Threats


As stated earlier in the Part 2 Policy Analysis, the current written policy related to cyberwarfare threats can be found
in President Obama's Defense Strategic Guidance 2012, a 16-page policy document that was published on January
3, 2012. It has already been noted that this policy has not been effective in deterring cyberattacks and other acts of
cyberwar.

Challenges Related to Cyberwar and Cyberdeterrence Policy and Strategy Creation


The creation of policies and strategies related to cyberwar and cyberdeterrence is complicated by six major issues:
1. The lack of international definition and agreement on what constitutes an act of cyberwar (Markoff and Kramer,
2009).
2. The lack of the ability to clearly attribute the source of an attack (Turzanski and Husick, 2012).
3. The ability of non-state actors to conduct potent cyberattacks (Turzanski and Husick, 2012).
4. The inability to clearly define the exact nature of critical infrastructure targets (Turzanski and Husick, 2012).
5. The massive proliferation of, and reliance on, ubiquitous, highly insecure, vulnerable systems based on SCADA
technologies during the 1980s and 1990s (Turzanski and Husick, 2012).
6. The continually changing landscape of information technology, including the vulnerabilities and threats related to
systems that are obsolete, yet remain in operational use for several years past their intended useful life.

A Single Integrated Operational Plan for War


During the 1950s and 1960s, when it became evident that nuclear weapons could play a major role in strategic warfare,
the United States utilized a think-tank of individuals, both military and civilian, to craft the strategic war-fighting plans of
the U.S. that would deal with the very real possibility that tactical and possibly strategic nuclear weapons may be required
during a major wartime scenario. The first such war plan was called the Single Integrated Operational Plan (SIOP).
The process of its creation involved the use of intelligence data about potential enemies, a threat assessment process,
and then a process whereby the identified likely targets would be prioritized and matched with weapons. The process
of matching weapons to targets also included intricate sequence timings, and the various event triggers that would
result in the execution of such attacks. In the 1980s, the SIOP evolved into something called the OPSPLAN and later
it was renamed the CONOPS Plan, but it has always been kept up to date and tested at least semiannually so that all
involved would know their roles if the national command authorities deemed it necessary to execute this intricate war plan
(Freedman, 2003).
Note that as far back as the 1970s, there were 24 defined levels of conflict between the U.S. and a potential adversary,
ranging from a war of words all the way to strategic nuclear war. No matter what its name was, the national war
plan has always been a key tool of the national command authorities for understanding what military responses would
be required in the event of these various levels of conflict.

Recommendations for the U.S. Cyberwarfare Policy and Strategy


It is not unreasonable to assume that the path towards a coherent and cohesive U.S. policy and set of strategies regarding
the use of cyberweapons will be similar to the strategic war plan maturity path from Hiroshima to the
SIOP. Today, in the absence of any clear policy on the use of cyberweapons, Crosston advocates agreement on a
policy of Mutually Assured Debilitation, in which everyone with cyberweapons would come to a general understanding
that the use of these weapons would result in the expectation that massive destruction would be unleashed on every
participant's assets (Crosston, 2011). This makes perfect sense considering that the Mutually Assured Destruction
nuclear deterrence policy was effective and worked well during the Cold War from the 1950s through the 1990s.

Yet, today, I believe that once a coherent and cohesive U.S. policy on cyberwarfare and cyberweapons is defined by the
National Command Authorities, there should be an eight-step process that could result in the development and rapid
maturation of a strong national U.S. cyberwarfare strategy:
1. Define the doctrines and principles related to cyberwarfare and the needs under which cyberwarfare would be
conducted.
2. Create the policies that embody these doctrines and principles.
3. Conduct the intelligence gathering to accurately understand the landscape of the cyber battlefield.
4. Perform the analysis to create the strategy.
5. Create the strategic plan and tactics.
6. Conduct regular war games, at least twice yearly, to test the strategic plan and tactics.
7. Analyze and document the results of the cyberwarfare war games.
8. Refine the strategies and tactics for cyberwarfare and cyberdeterrence based on the results of analyzing the
outcomes of the cyberwarfare war games.
Note that it is also essential to continually assess the capabilities of Information Technology so that the tools that our
cyberwarfare fighters are using are state of the art and that they are effective and perform well as they are integrated
into the cyberwar war-fighting environment.

Recommendations for the U.S. Cyberdeterrence Policy and Strategy


A strongly worded, explicit U.S. national policy on cyberdeterrence would further strengthen the U.S. position in cyberspace
and protect both critical infrastructure and our allies. According to a 1997 paper prepared by the U.S. Army for the Clinton
administration, Toward Deterrence in the Cyber Dimension, the recommended elements of such a policy would be:
1. Continue to design, create, possess, and use offensive cyberwarfare capabilities when necessary.
2. Develop a defensive system for surveillance, assessment, and warning of a cyberattack. (I believe such a capability
already exists.)
3. A declaration that any act of deliberate information warfare resulting in the loss of life or significant destruction of
property will be met with a devastating response (U.S. Army, 1997).
4. I would also include Crosston's idea of Mutually Assured Debilitation (Crosston, 2011).


Final Thoughts on the Creation of a National Policy on Cyberwar and Cyberdeterrence


According to Kramer, the 10-step remedy below describes how to create a policy that would protect the U.S. in cyberspace.
Each step is given as an idea followed by its explanation.
1. Unify Policy Direction. Effective policies will not be created by a single person or entity, but they require centralized
leadership to unify their direction and intent.
2. Specialize Policy Direction. Recognizing that one size does not fit all, specialized policies need to be created for various
infrastructures and industries to ensure maximum protection.
3. Strengthen and Unify Regulation. Regulations must be strengthened to be more effective, or new, more effective
regulations must be created.
4. Define State and Local Roles. A workable Federal policy must have the involvement of state and local authorities to be
effective.
5. Define International Interfaces. This is required because cyberspace is connected internationally and because there is
still a lack of international agreement on many aspects of cyberwar.
6. Mandate Effective Systems Engineering for Infrastructure-related Software. Ensure that there is a realization of, and
commitment to, the need for higher minimum standards for the quality of infrastructure-related software.
7. Don't Take No for an Answer. Ensure that stakeholders and responsible participants recognize the resolute, unwavering
commitment toward a workable policy solution.
8. Establish and Implement Clear Priorities. This will ensure the best allocation of financial and management resources.
9. Inform the Public Clearly and Accurately. The public needs to understand the efforts being made to protect the U.S.
10. Conduct a Continuing Program of Research. Keep the policy updated and relevant to changing technologies.
Table 3. A 10-step Remedy toward the Creation of National Policy (Kramer, et al., 2009)

Part 5 Conclusion
This section has presented a brief look at the importance of creating a set of publicly available, coherent and cohesive
national policies and strategies that will enable the U.S. to effectively conduct cyberwarfare and cyberdeterrence operations
now and in the future. At present, the lack of such policies represents a window of risk and uncertainty at a time when cyber
threats and cyberattacks are growing rapidly in number and sophistication; if this weak policy situation is not resolved as
soon as possible, it carries a real potential for a cyber disaster. Here, I presented a set of processes and a framework by
which the U.S. can quickly address the national challenge of creating the urgently needed national policies and integrated
strategies for conducting cyberwarfare and cyberdeterrence operations now and in the future.

Conclusion
This paper has presented a brief look at the importance of creating a clear set of publicly available, coherent and cohesive
national policies. It then advocated incorporating into the U.S. CONOPS Plan strategies that address U.S. intentions and
capabilities to effectively conduct cyberwarfare and cyberdeterrence operations now and in the future.

References

Bousquet, A. (2009). The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. New York, NY: Columbia University Press.
Bush, G. W. (2008). Comprehensive National Cybersecurity Initiative (CNCI). Published by the White House, January 2008. Retrieved from http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative on January 5, 2012.
Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O'Reilly.
Clarke, R. A. and Knake, R. K. (2010). Cyber War: The Next Threat to National Security and What to Do About It. New York, NY: HarperCollins Publishers.
Crosston, M. (2011). World Gone Cyber MAD: How "Mutually Assured Debilitation" Is the Best Hope for Cyber Deterrence. Strategic Studies Quarterly, Spring 2011. Retrieved from http://www.au.af.mil/au/ssq/2011/spring/crosston.pdf on October 10, 2012.
Czosseck, C. and Geers, K. (2009). The Virtual Battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
Edwards, M. and Stauffer, T. (2008). Control System Security Assessments. Technical paper presented at the 2008 Automation Summit, A Users Conference, Chicago. Retrieved from http://www.infracritical.com/papers/nstb-2481.pdf on December 20, 2011.
Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from http://omicsgroup.org/journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
Freedman, L. (2003). The Evolution of Nuclear Strategy. New York, NY: Palgrave Macmillan.
Gewirtz, D. (2011). The Obama Cyberdoctrine: Tweet Softly, but Carry a Big Stick. ZDNet.com, May 17, 2011. Retrieved from http://www.zdnet.com/blog/government/the-obama-cyberdoctrine-tweet-softly-but-carry-a-big-stick/10400 on September 25, 2012.
Gjelten, T. (2010). Are Stuxnet Worm Attacks Cyberwarfare? NPR.org, October 1, 2011. Retrieved from http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
Gjelten, T. (2010). Stuxnet Computer Worm Has Vast Repercussions. NPR.org, October 1, 2011. Retrieved from http://www.npr.org/templates/story/story.php?storyId=130260413 on December 20, 2011.
Gjelten, T. (2011). Security Expert: U.S. Leading Force Behind Stuxnet. NPR.org, September 26, 2011. Retrieved from http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
Gjelten, T. (2011). Stuxnet Raises Blowback Risk in Cyberwar. NPR.org, December 11, 2011. Retrieved from http://www.npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar on December 20, 2011.
Hagestad, W. T. (2012). 21st Century Chinese Cyberwarfare. Cambridgeshire, U.K.: IT Governance.
Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
Jaquith, A. (2007). Security Metrics. Boston, MA: Addison Wesley.
Kaplan, F. (1983). The Wizards of Armageddon: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on How to Use the Bomb. Stanford, CA: Stanford University Press.
Kerr, D. (2012). Senator Urges Obama to Issue Cybersecurity Executive Order. CNET.com, September 24, 2012. Retrieved from http://news.cnet.com/8301-1009_3-57519484-83/senator-urges-obama-to-issue-cybersecurity-executive-order/ on September 26, 2012.
Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
Langner, R. (2010). A Detailed Analysis of the Stuxnet Worm. Retrieved from http://www.langner.com/en/blog/page/6/ on December 20, 2011.
Libicki, M. C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: RAND Corporation.
Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. The New York Times, June 28, 2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
Mayday, M. (2012). Iran Attacks US Banks in Cyber War: Attacks Target Three Major Banks, Using Muslim Outrage as Cover. Politix.Topix.com, September 22, 2012. Retrieved from http://politix.topix.com/homepage/2214-iran-attacks-us-banks-in-cyber-war on September 22, 2012.
McBrie, J. M. (2007). The Bush Doctrine: Shifting Position and Closing the Stance. USAWC Strategy Research Project. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA423774 on September 30, 2012.
Obama, B. H. (2012). Defense Strategic Guidance 2012: Sustaining Global Leadership: Priorities for 21st Century Defense. Published January 3, 2012. Retrieved from http://www.defense.gov/news/Defense_Strategic_Guidance.pdf on January 5, 2012.
Obama, B. H. (2011). International Strategy for Cyberspace. Published by the White House on May 16, 2011. Retrieved from http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf on May 16, 2011.
Payne, K. B. (2001). The Fallacies of Cold War Deterrence and a New Direction. Lexington, KY: The University of Kentucky Press.
Pry, P. V. (1999). War Scare: Russia and America on the Nuclear Brink. Westport, CT: Praeger Publications.
Radcliff, D. (2012). Cyber Cold War: Espionage and Warfare. SC Magazine, September 4, 2012. Retrieved from http://www.scmagazine.com/cyber-cold-war-espionage-and-warfare/article/254627/ on September 7, 2012.
Saini, M. (2012). Preparing for Cyberwar: A National Perspective. Vivekananda International Foundation, July 26, 2012. Retrieved from http://www.vifindia.org/article/2012/july/26/preparing-for-cyberwar-a-national-perspective on October 14, 2012.
Sanger, D. E. (2012). Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. New York, NY: Crown Publishers.
Schmidt, H. S. (2006). Patrolling Cyberspace: Lessons Learned from a Lifetime in Data Security. N. Potomac, MD: Larstan Publishing, Inc.
Schmitt, E. and Shanker, T. (2011). U.S. Debated Cyberwarfare in Attack Plan on Libya. The New York Times, October 17, 2011. Retrieved from http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html on October 17, 2011.
Stiennon, R. (2010). Surviving Cyber War. Lanham, MD: Government Institutes.
Strohm, C. and Engleman, E. (2012). Cyber Attacks on U.S. Banks Expose Vulnerabilities. BusinessWeek.com, September 28, 2012. Retrieved from http://www.businessweek.com/news/2012-09-27/cyber-attacks-on-u-dot-s-dot-banks-expose-computer-vulnerability on September 30, 2012.
Technolytics. (2012). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict, third edition. Purchased and downloaded on September 26, 2012.
Turzanski, E. and Husick, L. (2012). Why "Cyber Pearl Harbor" Won't Be Like Pearl Harbor at All... Webinar presentation held by the Foreign Policy Research Institute (FPRI) on October 24, 2012. Retrieved from http://www.fpri.org/multimedia/2012/20121024.webinar.cyberwar.html on October 25, 2012.
U.S. Army. (1997). Toward Deterrence in the Cyber Dimension: A Report to the President's Commission on Critical Infrastructure Protection. Retrieved from http://www.carlisle.army.mil/DIME/documents/173_PCCIPDeterrenceCyberDimension_97.pdf on November 3, 2012.
U.S. Department of Defense, JCS. (2006). Joint Publication (JP) 5-0, Joint Operation Planning, December 26, 2006. Retrieved from http://www.dtic.mil/doctrine/new_pubs/jp5_0.pdf on October 25, 2012.
Waters, G. (2008). Australia and Cyber-Warfare. Canberra, Australia: ANU E Press.


About the Author

William F. Slater, III


William F. Slater, III is an IT security professional who lives and works in Chicago, IL. He holds over 20 security-related
certifications, including CISSP, SSCP, and CISA. In March 2013 he completes his M.S. in Cybersecurity at Bellevue University
in Bellevue, Nebraska. He has written numerous articles on IT security and cyberwarfare. Mr. Slater is also an adjunct
professor at the Illinois Institute of Technology and the devoted husband of Ms. Joanna Roguska, a web developer and a
native of Warsaw, Poland. You can read more about Mr. Slater at http://billslater.com/interview.


Managing Editor: Ewa Duranc
ewa.duranc@pentestmag.com
Associate Editor: Zbigniew Fiolna
zbigniew.fiolna@pentestmag.com
Betatesters & Proofreaders: Ewa Duranc, Zbigniew Fiolna
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic
ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski

Production Director: Andrzej Kuca


andrzej.kuca@software.com.pl

Publisher: Hakin9 Media Sp z o.o. SK


ul. Postępu 17A
02-676 Warszawa
phone: 0048224273717
en@pentestmag.com
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the
magazine, the editors make no warranty, express or implied, concerning
the results of content usage.
All trade marks presented in the magazine were used only for
informative purposes.
All rights to trade marks presented in the magazine are reserved by the
companies which own them.

DISCLAIMER!
The techniques described in our articles may only be used in
private, local networks. The editors hold no responsibility for
misuse of the presented techniques or consequent data loss.
