Contents
An Introduction
Applying a Security Compliance Framework to Prepare Your Organization for Cyberwarfare and Cyberattacks
Disclaimer
Introduction
The Simple Truths of this Article
Cyberwar Concepts
Cyberweapons That We Know About
Who Is the Enemy or the Adversary?
DDoS as a Service, as low as US$20 Per Hour
Understanding Risks and Threats and Vulnerabilities
What Is an ISMS?
What is ISO 27001?
What Cyberattack / Cyberwarfare Risk Remediation Project Using ISO 27001 Might Look Like
Should You Get Your Organization Certified in ISO 27001?
Is Compliance with the ISO 27001 Standard or Some Other Security Compliance Framework Still Important Even If Your Organization Doesn't Get Certified?
Mapping to Achieve Compliance with Two or More Security Compliance Frameworks
Using ISO 27001 Controls to Defend Against Cyberwarfare and Cyberattacks
Recommendations
Conclusions
The Rise and Fall of Megaupload.com and Kim Dotcom, and the Possible Implications for the Internet-based World of Piracy and Theft of Intellectual Property
Abstract
The Rise and Fall of Megaupload.com and Kim Dotcom, and the Possible Implications for the World of Internet-based Software Piracy and Theft of Intellectual Property
Conclusion
Hacking Humans: The Story of a Successful Well-planned Social Engineering Attack
Abstract
Using Authority and Pretexting as Social Engineering Weapons
The Social Engineering Exploit: What Happened?
Summary of the Event Report
Results of the Exploit Law Enforcement and At Work
What If Proper Social Engineering Defenses Had Been Applied?
The Importance of Studying and Applying Social Engineering Techniques and Defenses
Lessons Learned from This Incident
Conclusions
Attempting to Solve the Attribution Problem Using Wireshark and Other Tools as an Aid in Cyberwarfare and Cybercrime for Analyzing the Nature and Characteristics of a Tactical or Strategic Offensive Cyberweapon and Hacking Attacks
Introduction
What is Cyberwarfare?
How large a problem is this for the United States?
Other Not So Obvious Challenges for Cyberweapons and Cyberdeterrence
Is it a problem for other countries?
Is it problematic for these countries in the same ways or is there variation? What kind?
What are the consequences to the U.S. and others if this threat is left unchecked?
What consequences has the threat already produced on American/global society?
Has this threat evolved or changed over time or is it relatively constant? If it has evolved or changed, exactly how has that change happened and what political consequences have emerged from them?
Final Thoughts about Cyberwarfare Operations
The Attribution Problem
Recent Cyber Attacks
How do you know?
Free Tools You Can Use
Wireshark
Ostinato
TCPView
Traffic to Watch
Cyber Security
An Introduction
Hello and welcome to my first e-book!
My history with computers and computing is an interesting one as most stories go. In the Fall of 1968, while watching the
newly released movie, 2001: A Space Odyssey, I had the opportunity to witness the HAL 9000, an out of control, psycho,
homicidal computer masquerading as something that approximated a sentient, Chess-playing being, who was also in
control of a gigantic space ship. Though I had never touched a computer or written a line of code, I was so disturbed
witnessing the HAL 9000 destroy the lives of several helpless people, as well as try to kill the ship's commander, that
as I watched the ship's commander turn off the HAL 9000, I rejoiced at the victory of a human over a computer. At that
point, I made myself a promise that if I ever came up against any situation where it was me against a computer, I was
going to win.
About five years later, in August 1973, I started my college studies at Memphis State University (now renamed the
University of Memphis) as a new freshman, on three scholarships, two academic and one full four-year Air Force
ROTC scholarship. I was studying Civil Engineering with an option to minor in Environmental Engineering. A short time
after learning that I had a natural aptitude for working with and programming computers, I went to my advisor and told
him I wanted to switch from Civil Engineering to something related to computers. As my good luck would have it, the
College of Engineering had just launched a new Computer Systems Technology major study program under a degree in
Engineering Technology. The program also had a minor field of study in Manufacturing Technology (which were actually
like Industrial Engineering courses). So with my major changed, I felt excited and confident that I would complete my
next seven semesters in college and graduate with this new Bachelor of Science in Engineering Technology, with a
major in Computer Systems Technology and a minor in Manufacturing Technology. At the end of my first semester, in
December 1973, I was summoned to a conference with the Dean of the College of Engineering. He was pleased that I
had a successful semester, yet he was quite candid in his disappointment about my changing majors into Engineering
Technology, with a major in Computer Systems Technology. He even told me that I was making a huge mistake and
that I was wasting my time in college in pursuit of a B.S. in Engineering Technology, with a major in Computer Systems
Technology. I asked him why? He explained that in the future, computers would be so easy to work with that programmers
would be obsolete and unnecessary. As I heard this, I began to realize that it was a scare tactic and that he didn't want
to see a bright student with a College of Engineering scholarship switch from Civil Engineering. But I was resolved to
transfer into Engineering Technology, with a major in Computer Systems Technology, so I told him so. He was upset, but
he accepted my choice, and I did indeed graduate right on schedule on May 7, 1977 and obtain a B.S. in Engineering
Technology, with a major in Computer Systems Technology. A day before I graduated, I was also commissioned as a
brand new second lieutenant in the United States Air Force, to be assigned as a brand new computer systems staff
officer, supporting the Strategic Air Command Battle Staff at Strategic Air Command Headquarters at Offutt Air Force
Base Nebraska, with an active duty reporting date of July 15, 1977.
I entered USAF active duty with what I believed was strong knowledge and experience of programming in six languages
(FORTRAN, BASIC, ALGOL, SNOBOL, APL, and COBOL), and experience of working with only one computer, a Xerox
Sigma-9. The largest, most complex program I had ever written from scratch was a FORTRAN timesharing program,
with about 350 lines of code and it calculated biorhythm data and printed out small reports on the physical, emotional,
and intellectual personal data for a user. I scored an A on that project and the Department Chairman, Dr. Weston
Terry Brooks loved it.
My first assignment in the U.S. Air Force at Strategic Air Command Headquarters involved the care and maintenance of
a 7200 line program that was written in JOVIAL. The program worked well, but by today's standards, it still had enough
bugs in it to justify assigning a full-time programmer. Here were my challenges: 1) the technical program documentation
wasn't current; 2) the program was more than 20 times larger than anything I had ever worked with; 3) I had never
programmed in JOVIAL, or GMAP (Honeywell Assembler) and the Honeywell GCOS operating system and associated
utilities, so they trained me. Anyway, the work was extremely exciting and today, I now know that few people ever get so
much responsibility and so much high visibility opportunity and challenges to prove themselves. Looking back, it made
me grow up quickly in this industry, and I am eternally grateful for my USAF experiences in technology and the good
teachers and mentors I had along the way.
In late 1980, sadly, I left the USAF and returned to civilian life. It is an oversimplification to say that the transition from
military to civilian life wasn't easy. For 15 months, I hoped that there would be some type of National Emergency
where they would summon me back to active duty, but that didn't happen. So I was then stuck in the life of being a civilian
IT professional. So I made the best of things, and frankly, it has been a pretty good way to grow and make a living. I have
to admit that I have never been bored and that I have pursued each new opportunity as a chance to add value, to learn,
to grow, and to improve my skills.
Through the years that followed the USAF, I had many jobs and acquired many new skills. Among those skills were:
Program Management | Project Management | Portfolio Management | Strategic Planning | Business
Analysis | Business Strategy | Technical Leadership | Technical Management | Technical Staff Management
| Data Center Management | Data Center Operations | Information Security Management | Cybersecurity |
ISO 27001 | PCI DSS | FISMA | FedRAMP | Infrastructure Management | Social Engineering | Operations
Management System Analysis | Risk Management | Knowledge Management | Information Systems
Development | Programming | Problem Management | Incident Management | ITIL-based Service Design
and Service Management | Information Security Management | Agile Project Management | Troubleshooting
| Network Security | Network Administration | Change Management | Services Management | Cloud
Computing | Cloud Data Center Management | Mentoring | Strategic Planning | Staff Mentoring | Writing
Technical Writing | Teaching/mentoring | Team Building | System Administration | System Design | Application
Development | Architecture Security | Architecture Design | Database Administration | Database Design |
Database Implementation
Some General Lessons Learned
A good Internet domain name and associated website will go a long way toward enhancing your marketability
Always work hard and give 120% to every task and job
It's not how hard you work, but rather HOW MUCH work you get done
If you are standing still in your career development and learning, you are falling behind
Spend a LOT of time outside of work, working outside work, to hone your skills and experience
Get a mentor to guide and advise you ( see http://billslater.com/mentors.htm and http://billslater.com/mentoring )
Remain flexible
Spend your own time and money on the resources (books, hardware, and software) that you need to be successful
Learn as much as you can about risk management, service management, data centers, and security
Aspire to learn leadership skills and to assume greater and greater positions of influence and responsibility
Continually hone your communication skills (written, speaking, and listening) so you can communicate excellently
to those above you and to those you supervise
Find a knowledgeable, wise mentor and seek their counsel and advice often
Mentor others as often as you can get the opportunity
Teach as often as you can get the opportunity, even if it is low pay or on a volunteer basis
Remember that every management decision is based on financial metrics like ROI, TCO, and fixed and variable
costs per time unit. If you cannot provide such metrics, you cannot get your ideas and/or projects accepted by
upper management
It is essential to adopt meaningful metrics that will help management measure the effectiveness of every activity
in which you are engaging. These metrics will be used over time to report your progress and plan for continuous
process improvement.
The growth of technology never stops, so if you stop growing and learning and striving for relevancy, you are on
the fast track out of this challenging career field
In the end, your good name and reputation are the most important things you have. Guard them zealously.
(Proverbs 22:1)
Happy Reading!
William F. Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, IP v6, Cloud Computing Foundation
Project Manager / Program Manager
slater@billslater.com
williamslater@gmail.com
http://billslater.com/career
Chicago, IL
United States of America
Editor's Note
Dear Readers,
It is a great pleasure to present you the newest ebook written by William F. Slater, III. I believe that all of you are familiar
with Mr Slater's work devoted to the field of Cybersecurity. Therefore, I have decided to publish an ebook devoted
to this burning issue. Nowadays cybersecurity generates a great deal of heated debate and that is why I want to
satisfy our Readers' strive for knowledge. Mr Slater, our expert, is an extremely knowledgeable person who will explain
to you everything you should know to protect yourself, your company, and your World from cyber attack. Every aspect
of cybersecurity, cyberwarfare and cyberdeterrence is explained in detail, and that is why this ebook will be very
pleasurable to read. What is more, you can always write to Mr Slater and ask him for help or clarifications. He is always
willing to help and assist everyone.
To me, this book is more than a compendium of knowledge. It's a tribute to Mr Slater's achievements who encourages
me to learn, develop and fight for the better world. I know Mr Slater personally, he is a friend of mine and I can always
count on him. I hope that all of you will learn a lot thanks to this ebook.
Enjoy your reading,
Ewa Duranc,
Product Manager.
Disclaimer
William F. Slater, III is an IT Security consultant who lives and works in Chicago, IL, United States of America. He has
worked in Information Technology since 1977. In March 2013, he will complete his third graduate degree, an M.S. in
Cybersecurity. Though he has prior experience as a computer systems staff officer serving at Strategic Air Command
Headquarters from 1977 to 1980, and as a civilian IT service management Project Manager working with the U.S.
from 2009 to 2010, and he has had a top secret clearance (1977-1980) and a secret clearance (2009-2011), he did
not access any classified documents from the U.S. military or the U.S. government to research and write this paper.
This paper is, therefore, an unclassified document that was researched and written using resources that are available
to the general public. Other information reflected in this paper is the professional opinion of Mr. Slater, who is solely
responsible for the content of this paper.
Finally, Mr. Slater is a very patriotic American who always hopes for the best for the Republic of the United States of
America and her Allies. This includes trying to do what is in his power as an IT professional, an educator, and a writer to
make the use of Cyberspace and the Internet safe for everyone.
Introduction
On Monday, CNN posted a web article with this headline, "Nations Prepare for Cyberwar," describing the inevitability of
a cyberwar that is coming or is possibly already here (Goldman, 2013).
One of the main disadvantages of the hyper-connected world of the 21st century is the very real danger that countries,
organizations, and people who use networked computer resources connected to the Internet face because they are at
risk of cyberattacks that could result in anything ranging from denial of service, to espionage, theft of confidential data,
destruction of data, and/or destruction of systems and services. In recognition of these dangers, national leaders,
business leaders, and the military leaders of most modern countries are now acknowledging that the potential and
likely eventuality of cyberwar is very real. This article will introduce some concepts about the realities and weapons of
cyberwarfare and discuss how an organization can use a security compliance framework of controls to mitigate the risks
of cyberattacks and cyberwarfare.
Cyberwar Concepts
Cyberattacks and cyberwarfare tactics, by some expert estimates, date back to the early 1980s when there was a set
of suspicious explosions that were likely generated in control systems on some pipelines in Asia, though this has never
been conclusively confirmed. However, the idea of using computers and software to attack another entity via networks
dates back to the early 2000s and by some accounts, well before that. The diagram from Lewis University shows a brief
graphic history between 2000 and 2009.
The diagram below shows the rapid evolution of cyberweapons over time. It is obvious that according to this diagram,
starting in about 2008, until what is predicted to be about 2020, the evolution of the sophistication of cyberweapons will
be quite significant. This rapid rise in sophistication and capabilities of cyberweapons, coupled with their relative ease
of use, proliferation and economic benefit, will make these weapons very compelling for military and strategic use, and
make the likelihood of cyberwar increasingly significant for the foreseeable future.
Figure 5 Relationships between IT security management controls, Threats and Assets (Exposures), Jaquith, 2007
What Is an ISMS?
The fast-paced, electronically-enabled business environment of the 21st century is characterized by the tactical and
strategic uses of information as business enablers. In practically every organization, information is now seen as a
primary asset and as such, it must be protected. Yet the proliferation and reliance on information in an organization
also introduces responsibilities and risks which if not addressed, can subject the organization to extraordinary risks that
could severely impact the viability of the business. The best strategy for an organization to manage these new business
realities is to adopt a strong compliance management posture in the area of Information Security to ensure that its
information assets are protected in the most comprehensive, standardized manner possible. Presently, the best tool to
manage the challenges of Information Security is an enterprise Information Security Management System (ISMS). The
ISMS is a centralized system of policies, procedures, and guidelines that when created and uniformly applied will provide
the best practices to help ensure that an organization's Information Security is being managed in a standardized way
using documented best practices. The introduction of an ISMS into an organization's business operations will serve to
identify, document and classify information assets and risks and then document the mitigation of risks using established,
documented controls. When an organization has chosen the standardized ISO 27001 Security Management Framework,
the key benefits to implementing an ISMS would be:
The implementation of a standardized Information Security Management System into the organization
Better management and fulfillment of the Information Security requirements from the organization's Clients
Reduction of risks related to cyberattacks and cyberwarfare
Reduction of risk of loss of existing customers
Increased opportunities for new business
Reduction of risk of regulatory penalties
Reduction of risk of reputational damage
The creation of an Information Security-aware culture at the organization
Enabling ISO 27001-compliant offices to communicate and conduct business in areas affected by Information Security in a standard way
Better management of IT assets and their associated risks
The ability to have an Information Security Management System that is based on the Deming model of Plan-Do-Check-Act for continuous process improvement
The adoption of the most widely recognized international standard for implementing an ISMS
Note that Information Security has rapidly risen to the forefront as a serious business issue. Because of its rapid
rise to prominence and the dynamic and evolving nature of threats and the associated risk management efforts, the
models to measure and quantify the value of such projects can often seem frustrating at best. So while this ISMS project
may be difficult to quantify using traditional methods such as return on investment, it is clear that the benefits of continued
customer relationships as well as the ability to attract future customers through a demonstrated strong and continually
improving posture of Information Security compliance management will far outweigh the costs associated with an ISO
27001 project.
Indeed, after implementing the ISMS under ISO 27001 standards, an organization will have better control of the
Information that is the lifeblood of its business, and it will be able to demonstrate to its customers and its business
partners that it too has adopted a strong posture of compliance in the area of Information Security.
version is expected to be published by ISO sometime in 2013. This version is predicted to have several additions that
will focus on Cloud Computing and also standardized IT services and service management as described under ITIL and
ISO 20000. In fact, in October 2012, the ISO 27013 standard was published and it demonstrates how to integrate an
ISO 20000-based Service Management System with an ISO 27001-based Information Security Management System.
Is Compliance with the ISO 27001 Standard or Some Other Security Compliance Framework Still Important Even If Your Organization Doesn't Get Certified?
Personally, I believe that the chief responsibility of the leadership of an organization is to recognize risks and reduce them,
as cost effectively as possible to manageable levels, and to comply with the laws and regulations that impact its operating
environment. Even if an organization does not seek or achieve a certification under a security compliance standard such
as ISO 27001, the organization can embrace and comply with the security controls of a security compliance standard, and
thereby significantly reduce its business and security risks. The value in each of these security compliance frameworks
(i.e. ISO 27001, PCI DSS, FISMA, HIPAA, etc.) is that each offers a set of well-defined controls that are structured in
a way to allow the organization that adopts them to visibly demonstrate its efforts to reduce risks to its assets and its
operating environment.
that is the most familiar is represented on the left column, and the newer standard that is required for a new compliance
initiative is located on the right column. An example is shown in figure 8 below.
Figure 8 Mapping ISO 27001 Annex A controls to NIST 800-53 Controls (FISMA)
Recommendations
This section has been divided into recommendations for four distinct groups of people that will probably comprise the
population of this magazine's readers. I deliberately omitted government officials and military officials because they have
their own elite teams of cyberwarfare experts to advise them on these issues. In addition, they have a perspective of
cyberattacks and cyberwarfare in which they must consider battle plans and strategies that include both offensive and
defensive operations. To best understand the true nature of cyberdeterrence and cyberwarfare, everyone would be well
advised to read many of the materials in the reference section of this article, and in particular, read Martin Libicki's book,
Cyberdeterrence and Cyberwar, because I consider it to be the best unclassified reference on the market.
For IT Professionals:
1. Educate yourself continually about Cyberwarfare.
2. Stay abreast of the threats and vulnerabilities associated with your infrastructure and the information technologies
that you work with.
3. Stay abreast of the security controls required to mitigate the risks associated with the information technologies that
you work with.
4. Where possible, get professional training and certifications associated with IT security and your job positions.
For IT Managers:
1. Learn the security compliance standard or standards that will enable you to help your organization effectively
lower risk to acceptable levels.
2. Learn risk management in the IT world.
3. Learn what your teams do and keep them motivated to be the best at what they do.
For Executives and Business Owners:
1. Remember your responsibilities to the Board of Directors, your shareholders and other stakeholders in your
organization: Cyberattacks and cyberwarfare represent serious threats that can obliterate an organization's ability
to function (see the 2007 cyberattacks in Estonia, or the 2008 attacks in Georgia if you require more proof). If you
plan for your organization to be an ongoing concern for the foreseeable future, you have no alternative than to
ensure it is protected from cyberattacks and the effects of cyberwarfare.
2. Learn the security compliance standard or standards that will enable you to help your organization effectively
lower risk to acceptable levels.
3. Learn risk management in the IT world.
4. Learn what your managers and your teams do and keep them motivated to be the best at what they do.
For Hackers:
1. Consider becoming legitimate because the need for experienced cybersecurity professionals to defend
organizations and countries has never been greater and in the long run, the compensation will probably be much
more lucrative.
2. Make sure that if you do join a team that it is a winning team.
Conclusions
This article has covered some of the better known aspects of cyberattacks and cyberwarfare, and attempted to show
that risks can be managed by applying security compliance frameworks such as ISO 27001. While this has only been an
introduction, because scores of books have been written on these topics since 2005, it is important to understand these
basic concepts and take them seriously. The future of your business, the satisfaction and confidence of your stakeholders,
business partners, and your customers all depend on your ability to protect your business and its operations capabilities
in the day and age of cyberattacks and cyberwarfare.
Resources:
Bousquet, A. (2009). The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. New York, NY: Columbia University Press.
Brewer, D. and Nash, M. (2010). Insights into the ISO/IEC 27001 Annex A. A paper written and published by Dr. David Brewer and Dr. Michael Nash to explain ISO 27001 and Risk Reduction in Organizations. Retrieved from http://www.gammassl.co.uk/research/27001annexAinsights.pdf on March 10, 2011.
Bush, G. W. (2008). Comprehensive National Cybersecurity Initiative (CNCI). Published by the White House January 2008. Retrieved from http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative on January 5, 2012.
Calder, A. and Watkins, S. (2012). IT Governance: An International Guide to Data Security and ISO27001/ISO27002, 5th edition. London, U.K.: IT Governance Press.
Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O'Reilly.
Clarke, R. A. and Knake, R. K. (2010). Cyberwar: the Next Threat to National Security and What to Do About It. New York, NY: HarperCollins Publishers.
Crosston, M. (2011). World Gone Cyber MAD: How Mutually Assured Debilitation Is the Best Hope for Cyber Deterrence. An article published in the Strategic Studies Quarterly, Spring 2011. Retrieved from http://www.au.af.mil/au/ssq/2011/spring/crosston.pdf on October 10, 2012.
Czosseck, C. and Geers, K. (2009). The Virtual battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
Edwards, M. and Stauffer, T. (2008). Control System Security Assessments. A technical paper presented at the 2008 Automation Summit - A Users Conference, in Chicago. Retrieved from http://www.infracritical.com/papers/nstb-2481.pdf on December 20, 2011.
Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from http://omicsgroup.org/journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
Freedman, L. (2003). The Evolution of Nuclear Strategy. New York, NY: Palgrave Macmillan.
Gewirtz, D. (2011). The Obama Cyberdoctrine: tweet softly, but carry a big stick. An article published at Zdnet.com on May 17, 2011. Retrieved from http://www.zdnet.com/blog/government/the-obama-cyberdoctrine-tweet-softly-but-carry-a-big-stick/10400 on September 25, 2012.
Gjelten, T. (2010). Are Stuxnet Worm Attacks Cyberwarfare? An article published at NPR.org on October 1, 2011. Retrieved from http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
Gjelten, T. (2010). Stuxnet Computer Worm Has Vast Repercussions. An article published at NPR.org on October 1, 2011. Retrieved from http://www.npr.org/templates/story/story.php?storyId=130260413 on December 20, 2011.
Gjelten, T. (2011). Security Expert: U.S. Leading Force Behind Stuxnet. An article published at NPR.org on September 26, 2011. Retrieved from http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-forcebehind-stuxnet on December 20, 2011.
Gjelten, T. (2011). Stuxnet Raises Blowback Risk In Cyberwar. An article published at NPR.org on December 11, 2011. Retrieved from http://www.npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar on December 20, 2011.
Goldman, D. (2013). Nations prepare for cyber war. An article published at CNN on January 7, 2013. Retrieved from http://money.cnn.com/2013/01/07/technology/security/cyber-war/index.html?hpt=hp_c3 on January 7, 2013.
Hagestad, W. T. (2012). 21st Century Chinese Cyberwarfare. Cambridgeshire, U.K.: IT Governance.
Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
ISO. (2005). Information technology - Security techniques - Information security management systems - Requirements, ISO/IEC 27001:2005. Retrieved from http://www.ansi.org on February 1, 2011.
Jaquith, A. (2007). Security Metrics. Boston, MA: Addison Wesley.
Kaplan, F. (1983). The Wizards of Armageddon: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on How to Use the Bomb. Stanford, CA: Stanford University Press.
Kerr, D. (2012). Senator urges Obama to issue cybersecurity executive order. An article published at Cnet.com on September 24, 2012. Retrieved from http://news.cnet.com/8301-1009_3-57519484-83/senator-urges-obama-to-issue-cybersecurity-executive-order/ on September 26, 2012.
Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
Langner, R. (2010). A Detailed Analysis of the Stuxnet Worm. Retrieved from http://www.langner.com/en/blog/page/6/ on December 20, 2011.
Libicki, M. C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: Rand Corporation.
Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. An article published in the New York Times on June 28, 2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
Mayday, M. (2012). Iran Attacks US Banks in Cyber War: Attacks target three major banks, using Muslim outrage as cover. An article published on September 22, 2012 at Politix.Topix.com. Retrieved from http://politix.topix.com/homepage/2214-iran-attacks-us-banks-in-cyber-war on September 22, 2012.
McBrie, J. M. (2007). THE BUSH DOCTRINE: SHIFTING POSITION AND CLOSING THE STANCE. A scholarly paper published by the USAWC STRATEGY RESEARCH PROJECT. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA423774 on September 30, 2012.
Obama, B. H. (2012). Defense Strategic Guidance 2012 - Sustaining Global Leadership: Priorities for 21st Century Defense. Published January 3, 2012. Retrieved from http://www.defense.gov/news/Defense_Strategic_Guidance.pdf on January 5, 2012.
Obama, B. H. (2011). INTERNATIONAL STRATEGY for Cyberspace. Published by the White House on May 16, 2011. Retrieved from http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf on May 16, 2011.
Payne, K. B. (2001). The Fallacies of Cold War Deterrence and a New Direction. Lexington, KY: The University of Kentucky Press.
Pry, P. V. (1999). War Scare: Russia and America on the Nuclear Brink. Westport, CT: Praeger Publications.
Radcliff, D. (2012). Cyber cold war: Espionage and warfare. An article published in SC Magazine, September 4, 2012. Retrieved from http://www.scmagazine.com/cyber-cold-war-espionage-and-warfare/article/254627/ on September 7, 2012.
Saini, M. (2012). Preparing for Cyberwar - A National Perspective. An article published on July 26, 2012 at the Vivekananda International Foundation. Retrieved from http://www.vifindia.org/article/2012/july/26/preparing-for-cyberwar-a-national-perspective on October 14, 2012.
Sanger, D. E. (2012). Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. New York, NY: Crown Publishers.
Schmidt, H. S. (2006). Patrolling Cyberspace: Lessons Learned from Lifetime in Data Security. N. Potomac, MD: Larstan Publishing, Inc.
Schmitt, E. and Shanker, T. (2011). U.S. Debated Cyberwarfare in Attack Plan on Libya. An article published in the New York Times on October 17, 2011. Retrieved from http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html on October 17, 2011.
Slater, W. F. (2013). ISO 27001 Resource Page. Retrieved from http://billslater.com/iso27001 on January 12, 2013.
Stiennon, R. (2010). Surviving Cyber War. Lanham, MA: Government Institutes.
Strohm, C. and Engleman, E. (2012). Cyber Attacks on U.S. Banks Expose Vulnerabilities. An article published at BusinessWeek.com on September 28, 2012. Retrieved from http://www.businessweek.com/news/2012-09-27/cyber-attacks-on-u-dot-s-dot-banks-expose-computer-vulnerability on September 30, 2012.
Technolytics. (2012). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict, third edition. Purchased and downloaded on
September 26, 2012.
The ISO 27000 Directory. (2012). An Introduction to ISO 27001, ISO 27002....ISO 27008. Retreived from http://www.27000.org/index.htmhttp://
idcontent.bellevue.edu/content/CIT/cyber/615/compliance on December 7, 2012.
Cyber Security
23/148
Turzanski, E. and Husick, L. (2012). Why Cyber Pearl Harbor Wont Be Like Pearl Harbor At All... A webinar presentation held by the Foreign Policy
Research Institute (FPRI) on October 24, 2012. Retrieved from http://www.fpri.org/multimedia/2012/20121024.webinar.cyberwar.html on October 25,
2012.
U.S. Army. (1997). Toward Deterrence in the Cyber Dimension: A Report to the Presidents Commission on Critical Infrastructure Protection.
Retrieved from http://www.carlisle.army.mil/DIME/documents/173_PCCIPDeterrenceCyberDimension_97.pdf on November 3, 2012.
U.S. Department of Defense, JCS. (2006). Joint Publication (JP) 5-0, Joint Operation Planning, updated on December 26, 2012. Retrieved from
http://www.dtic.mil/doctrine/new_pubs/jp5_0.pdf on October 25, 2012.
Waters, G. (2008). Australia and Cyber-Warfare. Canberra, Australia: ANU E Press.
Cyber Security
24/148
Section | Control Objective/Control | Does It Apply to Defending Against Cyberattacks and Cyberwarfare?
Security Policy | 5.1 |
 | 5.1.1 | Yes
 | 5.1.2 | No
Organization of Information security | 6.1 Internal Organization |
 | 6.1.1 | Yes
 | 6.1.2 | No
 | 6.1.3 | Yes
 | 6.1.4 |
 | 6.1.5 Confidentiality agreements | No
 | 6.1.6 | No
 | 6.1.7 | No
 | 6.1.8 | No
 | 6.2 External Parties |
 | 6.2.1 | No
 | 6.2.2 | No
 | 6.2.3 | No
Asset Management | 7.1 |
 | 7.1.1 Inventory of assets | Yes
 | 7.1.2 Ownership of Assets | Yes
 | 7.1.3 | Yes
 | 7.2 Information classification |
 | 7.2.1 Classification Guidelines | Yes
 | 7.2.2 | Yes
Human Resource Security | 8.1 Prior to Employment |
 | 8.1.1 | Yes
 | 8.1.2 Screening | Yes
 | 8.1.3 | No
 | 8.2 During Employment |
 | 8.2.1 Management Responsibility | Yes
 | 8.2.2 | Yes
 | 8.2.3 Disciplinary process | No
 | 8.3 |
 | 8.3.1 Termination responsibility | No
 | 8.3.2 Return of assets | Yes
 | 8.3.3 | Yes
Physical and Environmental Security | 9.1 Secure Areas |
 | 9.1.1 | Yes
 | 9.1.2 | Yes
 | 9.1.3 | Yes
 | 9.1.4 | Yes
 | 9.1.5 | Yes
 | 9.1.6 | Yes
 | 9.2 Equipment security |
 | 9.2.1 | Yes
 | 9.2.2 Support utilities | Yes
 | 9.2.3 Cabling security | No
 | 9.2.4 Equipment Maintenance | No
 | 9.2.5 | Yes
 | 9.2.6 | Yes
 | 9.2.7 Removal of Property | Yes
Communications and Operations Management |  | Yes
 | 10.1.2 Change Management | Yes
 | 10.1.3 Segregation of Duties | Yes
 | 10.1.4 | Yes
 | Service Delivery | No
 | 10.2.2 | No
 | 10.2.3 | No
 | Capacity management | Yes
 | 10.3.2 System acceptance | Yes
 | 10.4.1 | Yes
 | 10.4.2 | Yes
 | 10.5 Back-Up |
 | 10.5.1 Information Backup | Yes
 | Network controls | Yes
 | 10.6.2 | Yes
 |  | Yes
 | 10.7.2 Disposal of Media | Yes
 | 10.7.3 | Yes
 | 10.7.4 | Yes
 |  | Yes
 | 10.8.2 Exchange agreements | Yes
 | 10.8.3 | Yes
 | 10.8.4 Electronic Messaging | Yes
 | 10.8.5 | Yes
 | 10.9.1 Electronic Commerce | Yes
 | 10.9.2 On-Line transactions | Yes
 | 10.9.3 | Yes
 | 10.10 Monitoring |
 | 10.10.1 Audit logging | Yes
 | 10.10.2 | Yes
 | 10.10.3 | Yes
 | 10.10.4 | Yes
 | 10.10.5 Fault logging | Yes
 | 10.10.6 Clock synchronization | Yes
Access control | 11.1.1 | Yes
 | 11.2.1 User Registration | Yes
 | 11.2.2 Privilege Measurement | Yes
 | 11.2.3 | Yes
 | 11.2.4 | Yes
 | Password Use | Yes
 | 11.3.2 | Yes
 | 11.3.3 | Yes
 |  | Yes
 | 11.4.2 | Yes
 | 11.4.3 | Yes
 | 11.4.4 | Yes
 | 11.4.5 Segregation in networks | Yes
 | 11.4.6 | Yes
 | 11.4.7 | Yes
 |  | Yes
 | 11.5.2 | Yes
 | 11.5.3 | Yes
 | 11.5.4 | Yes
 | 11.5.5 Session Time-out | Yes
 | 11.5.6 | Yes
 |  | Yes
 | 11.6.2 | Yes
 | 11.7.1 | Yes
 | 11.7.2 Teleworking | Yes
Information Systems Acquisition Development and Maintenance | 12.1.1 | Yes
 | 12.2.1 | Yes
 | 12.2.2 | Yes
 | 12.2.3 Message integrity | Yes
 | 12.2.4 | Yes
 |  | Yes
 | 12.3.2 Key Management | Yes
 |  | Yes
 | 12.4.2 | Yes
 | 12.4.3 | Yes
 |  | Yes
 | 12.5.2 | Yes
 | 12.5.3 | Yes
 | 12.5.4 Information Leakage | Yes
 | 12.5.5 | Yes
 | 12.6.1 | Yes
Information Security Incident Management | Security Events and |
 | 13.1.1 | Yes
 | 13.1.2 | Yes
 |  | Yes
 | 13.2.2 | Yes
 | 13.2.3 Collection of evidence | Yes
Business Continuity Management | 14.1.1 | Yes
 | 14.1.2 | Yes
 | 14.1.3 | Yes
 | 14.1.4 | Yes
 | 14.1.5 | Yes
Compliance | 15.1.1 | Yes
 | 15.1.2 | Yes
 | 15.1.3 | Yes
 | 15.1.4 | Yes
 | 15.1.5 | Yes
 | 15.1.6 | Yes
 |  | Yes
 | 15.2.2 | Yes
 |  | Yes
 | 15.3.2 | Yes
(ISO, 2005)
Abstract
In January 2012 the U.S. Government took down the Megaupload.com website and then quickly filed charges against
the owner, Kim Dotcom, and his colleagues for alleged copyright infringement, conspiracy to commit money laundering,
racketeering, rewarding users who uploaded pirated content for sharing, and turning a blind eye to requests from
copyright holders to remove copyright-protected files. Kim Dotcom and his colleagues were arrested a few hours later
in New Zealand and await extradition to the U.S. to be tried for these charges. Conviction on these charges could result
in severe fines and possibly many years in a U.S. Federal prison. This paper will discuss the rise and fall of Kim Dotcom
and Megaupload.com, and it will review how lawful governments may treat similar offenses in the future.
The Rise and Fall of Megaupload.com and Kim Dotcom, and the Possible Implications for the World of Internet-based Software Piracy and Theft of Intellectual Property
Less than 24 hours after the end of the global SOPA Protest on the World Wide Web, on January 19, 2012, the governments
of the U.S. and New Zealand acted swiftly to stop the Megaupload.com empire that Kim Dotcom had built. The U.S.
Department of Justice shut down the Megaupload.com website and produced a 72-page federal indictment against
Kim Dotcom, Megaupload.com, and several of the business partners for alleged copyright infringement, conspiracy to
commit money laundering, racketeering, rewarding users who uploaded pirated content for sharing, and turning a blind
eye to requests from copyright holders to remove copyright-protected files. Almost 12,000 miles away, on January 20,
2012, New Zealand's law enforcement authorities were forcibly entering Mr. Dotcom's home, a leased luxury mansion in
the serene New Zealand countryside, and forcing their way into a safe room where Mr. Dotcom was hiding with guns,
cash, and his closest colleagues (Acohido, 2012). Mr. Kim Dotcom and his colleagues were then arrested and now
await extradition to the U.S. to be tried for these charges. Conviction on these charges could result in severe fines and
possibly many years of imprisonment in a U.S. Federal prison. This paper will discuss the rise and fall of Kim Dotcom
and Megaupload.com, and it will review how lawful governments may treat similar offenses in the future.
Originally known as Kim Schmidt, Mr. Dotcom, a native citizen of Germany, began his computer career in Germany in his early
20s in the early 1990s. He first began his career as a computer expert and then very shortly afterwards opened a
computer security-related business. A short time later, Mr. Schmidt was indicted in Germany on computer fraud charges
and later paid a fine and was released on probation. A few years later, Mr. Schmidt changed his name legally to Kim
Dotcom, perhaps as a prelude to starting the Megaupload.com business, and to position himself as a self-styled
Internet mogul entrepreneur.
Now as a 38-year-old German foreign national and temporary resident of New Zealand, at 6 feet 6 inches tall and over
285 pounds, Mr. Kim Dotcom is, both in stature and in his actions, a larger-than-life figure who openly flaunted his wealth
and his playboy lifestyle, the obvious results of the success of his Megaupload.com business (MikelVizualBazzikHck,
2012). With an annual income of more than $30 million, the flamboyant Mr. Dotcom could afford nearly everything
he wanted, except permanent citizenship as a New Zealander. Yet after his arrest on January 20, 2012, he and his
colleagues were incarcerated in a New Zealand jail, awaiting extradition to the U.S. to stand trial for the charges listed
in their U.S. federal indictment (Acohido, 2012). However, Mr. Dotcom and his colleagues were initially denied the right
to post bail to obtain temporary freedom because they were deemed by the local magistrate as a severe flight risk due
to the vast amount of wealth at their disposal.
At his arraignment on January 23, 2012, Mr. Dotcom and his codefendants audaciously denied all the charges in their
indictment, claiming total innocence (Booth, 2012). At this moment, Mr. Dotcom, his fellow incarcerated colleagues, and
their legal defense team are continuing to vigorously fight extradition on grounds that the U.S. does not have the legal
standing to indict them for the charges listed in the federal indictment.
Nevertheless, the manner in which the authorities in New Zealand apprehended Mr. Dotcom and his colleagues while on
New Zealand soil, while the United States was shutting down the Megaupload.com business website, could be a
foreshadowing of how certain countries will treat others accused of software piracy and copyright infringement in the
future. This trend could possibly occur, with or without the passage of SOPA, PIPA, and/or federal legislation to protect
the rights of intellectual property owners on the Internet. Indeed, this high profile case of the demise of Mr. Dotcom, his
colleagues and their Megaupload.com business shows the lengths to which the U.S. Government may be willing to go
to shut down websites that promote software piracy, including producing detailed criminal indictments and incarcerating
people, even if they are in foreign countries. Such actions may occur with or without the benefit of legislation such as
SOPA or PIPA. Such actions are also very likely to have a chilling effect on rampant software piracy by international
perpetrators, which had not been taken very seriously until these events (RT.com, 2012).
Some legal experts have predicted that Mr. Dotcom and his colleagues will likely try to use the concept
of hacktivism as a defense against the charges for which they are indicted (Bright, 2012). The idea behind this defense
is that hacktivism could be construed to be an act protected by the First Amendment, because the defendants may try to
say they were exercising their rights of Free Speech as guaranteed by the First Amendment to the U.S. Constitution. Of
course, the U.S. Government could easily argue that the First Amendment applies only to U.S. citizens and those living
in the U.S., which would easily defeat the argument that hacktivism is protected Free Speech.
On February 16, 2012, the U.S. Department of Justice returned a superseding indictment against Kim Dotcom and
his colleagues. The updated indictment was the result of additional investigation by the Department of Justice and it
contained even more charges than the first indictment. The superseding indictment also shed additional light on how
Megaupload.com was actually being used. The document provides additional details stating that Megaupload.com,
which originally had claimed to have had more than 180 million registered users, actually had only 66.6 million users as
of Jan. 19, 2012. Furthermore, the investigation also revealed that only 5.86 million of these users had ever uploaded a
file to either Megaupload.com or Megavideo.com, prosecutors said (Halzack, 2012).
On February 22, 2012, the New Zealand justice system finally permitted Kim Dotcom and his colleagues to post bail and
gain provisional freedom while they wait to determine if the U.S. Government will have them extradited to the U.S. to
stand trial for the charges listed in the superseding indictment that was filed on February 16, 2012 (Tsukayama, 2012).
Conclusion
The strange, unfolding case of Mr. Dotcom and Megaupload.com, and all the circumstances surrounding the related
actions of the governments of New Zealand and the United States, are certainly worthy of examination as a case study
in a Cyberethics course. In addition, as more facts and events with multiple dimensions in ethics and law are revealed
in this case, the outcome will likely shed additional light on some timely legal issues related to Internet-based software
piracy, the theft of intellectual property, and how lawful governments will treat others who commit similar offenses in the
future. Will the United States and other governments reach beyond their borders again to incarcerate and criminally try
those they believe are guilty of Internet-related crimes such as software piracy and copyright violations? Only time
will tell, but the implications of the U.S. Government's case against Mr. Dotcom and his colleagues will likely have
far-reaching effects in the area of intellectual property, copyrights, software piracy, and the national and international laws
related to these topics for many years to come.
References
Acohido, B. (2012). Government takedown of Megaupload leads to new fears. An article published at USATODAY.com website on January 20, 2012. Retrieved from the web at http://www.usatoday.com/tech/news/story/2012-01-20/megaupload-arrests-FBI/52697186/1 on January 21, 2012.
The American Dream. (2012). According To The FBI, Internet Privacy Is Now Considered To Be Suspicious Activity. An article published at endoftheamericandream.com. Retrieved from the web at http://endoftheamericandream.com/archives/according-to-the-fbi-internet-privacy-is-nowconsidered-to-be-suspicious-activity on February 4, 2012.
Booth, R. (2012). Kim Dotcom Denies Internet Piracy. An article published on Monday, January 23, 2012 at the Guardian.co.uk website. Retrieved from the web at http://www.guardian.co.uk/technology/2012/jan/23/kim-dotcom-denies-internet-piracy on January 23, 2012.
Bright, A. (2012). Kim Dotcom: Are such Internet sensations pirates or hactivists? An article published at CSMONITOR.com. Retrieved from the web at http://www.csmonitor.com/World/Global-Issues/2012/0125/Kim-Dotcom-Are-such-Internet-sensations-pirates-or-hactivists/Kim-Dotcom on February 5, 2012.
Business Software Alliance. (2010). 2010 Piracy Impact Study: The Economic Benefits of Reducing Software Piracy. Retrieved from the web at http://portal.bsa.org/piracyimpact2010/studies/piracyimpactstudy2010.pdf on February 5, 2012.
Business Software Alliance. (2009). 2009 Software Piracy on the Internet: A Threat To Your Security. Published at Wired.com. Retrieved from the web at http://www.wired.com/images_blogs/threatlevel/2009/10/bsareport.pdf on February 5, 2012.
Flacy, M. (2012). Megaupload owner found hiding in safe room with sawed-off shotgun. An article published at Digitaltrends.com on January 21, 2012. Retrieved from the web at http://www.digitaltrends.com/web/megaupload-owner-found-hiding-in-safe-room-with-sawed-off-shotgun/ on February 5, 2012.
Halzack, S. (2012). Megaupload indictment returned with charges added for Kim Dotcom and others. An article published at the WashingtonPost.com website on February 17, 2012. Retrieved from the web at http://www.washingtonpost.com/business/economy/megaupload-indictment-returnedwith-charges-added-for-kim-dotcom-and-others/2012/02/17/gIQAAXBNKR_story.html on February 20, 2012.
MikelVizualBazzikHck. (2012). MEGAUPLOAD: US Govt yet to present Evidence against Kim Dotcom (3 News). A Youtube.com video posted by MikelVizualBazzikHck. Retrieved from the web at http://www.youtube.com/watch?v=7Fg7_f6-S0I&feature=related on January 30, 2012.
Neuman, J. (2009). Debunking BSA's piracy-malware link. An article published at MYCE.com on October 15, 2009. Retrieved from the web at http://www.myce.com/news/debunking-bsas-piracy-malware-link-21041/ on February 5, 2012.
Paoli, C. (2012). Anonymous Retaliates With Gov., Media Web Site Shutdowns After Megaupload Arrests. An article published at Redmondmag.com on January 19, 2012. Retrieved from the web at http://redmondmag.com/articles/2012/01/19/anonymous-retaliates-after-megaupload-arrests.aspx on January 20, 2012.
RT.com. (2012). US courts already enforcing SOPA-style shut-downs. An article published on December 20, 2011 at RT.com. Retrieved from the web at http://rt.com/usa/news/us-court-sopa-morris-203/ on February 14, 2012.
Ryan, J. (2012). Megaupload Back in High Tech Whack-a-mole. An article published at the ABCNews.com website. Retrieved from the web at http://abcnews.go.com/Technology/megaupload-back-high-tech-whack-mole/story?id=15405292 on January 20, 2012.
Tassi, P. (2012). You Will Never Kill Piracy, and Piracy Will Never Kill You. An article published at Forbes.com on February 3, 2012. Retrieved from the web at http://www.forbes.com/sites/insertcoin/2012/02/03/you-will-never-kill-piracy-and-piracy-will-never-kill-you/ on February 5, 2012.
Tsukayama, H. (2012). Report: Megaupload founder released on bail. An article published at the WashingtonPost.com on February 22, 2012. Retrieved from the web at http://www.washingtonpost.com/business/technology/report-megaupload-founder-released-on-bail/2012/02/22/gIQA7hjBTR_story.html on February 22, 2012.
U.S. Department of Justice. (2012). Federal Indictment against Kim Dotcom, Megaupload.com, et al. A U.S. Government document published at USATODAY.com website on January 20, 2012. Retrieved from the web at http://i.usatoday.net/tech/pdfs/12-0120-megaupload-indictment.pdf on January 21, 2012.
U.S. Department of Justice. (2012). The Superseding Federal Indictment Against Kim Dotcom, et al. Published on February 16, 2012 at the WashingtonPost.com. Retrieved from the web at http://www.washingtonpost.com/wp-srv/business/documents/megaupload-indictment.pdf on February 22, 2012.
Abstract
This paper will review an actual incident related to a social engineering exploit, why this exploit was effective, and what
steps could have been taken to recognize and nullify or avoid this exploit. The exploit that will be described involves
authority, pretexting, and deception, resulting in psychological manipulation. The exploit had serious consequences,
both in my personal and professional life. The exploit was short-lived, occurring in August 2008, but very likely damaged
my career and reputation at Gehenomsoft where I was employed at the time. In addition, this exploit quickly escalated
to a criminal assault against me, and though the case was never resolved, it was a very traumatic experience. This
paper will explore why each of these social engineering techniques was effective, and how I could apply knowledge and
techniques learned in the materials from my Social Engineering class, as well as other research materials, to prevent
similar attacks.
The end result of this exploit was that the intruder got away with stealing thousands of dollars of equipment and
information, and he assaulted me during his exit as I attempted to follow him out of the building. After this incident was
reported, it probably negatively damaged my reputation at Gehenomsoft, showing my management that I was probably
not reliable and that I would exercise poor judgment under duress or in unpredictable stressful situations.
 | Description
Authority | I was led to believe that he was a person of authority and was authorized access, so I followed his instructions and used my card to admit him
Pretexting | His cover story that he worked in the Gehenomsoft State and Local Government Services Sector and that he had been in the field so long that his badge had been deactivated sounded very convincing
Deception |
Table 1
Why These Social Engineering Techniques Were Successful
The table below shows why these social engineering techniques were successful.
Social Engineering Technique | Why Was the Technique Successful?
Authority | He spoke and carried himself like he was a real Gehenomsoft employee, perhaps even a low echelon manager.
Pretexting | His story sounded very convincing and he produced an official Gehenomsoft Blue Badge.
Deception | The deception worked because the Authority and Pretexting techniques worked and because he was already standing outside a Gehenomsoft Facility with a Gehenomsoft Blue Badge. It also worked because I was tired, hungry, and because I believed I would be accused of racism if I refused to assist him by using my badge to grant him access.
Table 2
Defensive Techniques that Could Have Been Used to Prevent the Exploit
The table below shows how these social engineering techniques could have been thwarted.
Social Engineering Technique |
Authority | Do not believe anyone who is a stranger, no matter how much authority they seem to have.
Pretexting | Do not believe anyone who is a stranger, no matter how believable their story is. In fact, don't even give them the time of day, even if they have an official Gehenomsoft Blue Badge.
Deception |
Table 3
Conclusions
The incident described in this paper was real and it used social engineering techniques of authority, pretexting and
deception to allow the intruder to obtain access and achieve his objective of stealing equipment. This incident could
have been prevented through better security awareness training that focused on the ability of intruders to use well-known
social engineering exploits to obtain access into secure areas. Fortunately, this incident produced valuable lessons
learned and fortunately this course in Human Aspects of Cybersecurity has provided deeper insights on how and why
such social engineering attacks based on authority and deception can succeed. As long as we are capturing lessons
learned in incidents like this, we can aspire to become smarter security professionals and also to incorporate these
lessons into future security awareness training programs so that others can benefit from the knowledge, experience,
and lessons learned.
Finally, the following list of conclusions can be drawn from
- People execute Social Engineering attacks because they know that they can be successful
- If humans are unaware of social engineering techniques, they are vulnerable
- Successful social engineering attacks easily cause other security controls to fail
- Social engineering attacks are extremely dangerous because when they cause other security controls to fail, they can lead to theft and in some cases, threats and/or violence
- Through education, training, and application of proper Social Engineering Defenses, people can minimize vulnerabilities to social engineering attacks
Cyber Security
40/148
References
Bellevue University. (2012). Videos on Psychological Aspects of Social Engineering Attacks. Retrieved from http://www.au.af.mil/au/awc/awcgate/fbi/
nlp_interviewing.pdf on April 14, 2012.
Cialdini, R. B. (2009). Influence: Science and Practice, fifth edition. Boston, MA: Pearson Education.
Hadnagy, C. (2011). Social Engineering: The Art of Human Hacking. Indianapolis, IN: Wiley Publishing, Inc.
Parker, T., et al. (2004). Cyber Adversary Characterization: Auditing the Hacker Mind. Rockland, MA: Syngress Publishing, Inc.
PI Magazine. (2005). FTC. FTC Interview on Pretexting. Retrieved from http://www.pimagazine.com/ftc_article.htm on April 6, 2012.
Sandoval, V.A. and Adams, S. H. (2001). Subtle Skills for Building Rapport Using Neuro-Linguistic Programming in the Interview Room. Retrieved
from http://www.au.af.mil/au/awc/awcgate/fbi/nlp_interviewing.pdf on April 14, 2012.
Schneier, B. (2008). Psychology of Security. An article published at Schneier.com on January 18, 2008. Retrieved from http://www.schneier.com/
essay-155.html on March 13, 2012.
Schneier, B. (2012). Liars & Outliers: Enabling the Trust That Society Needs to Thrive. Indianapolis, IN: John Wiley and Sons, Inc.
Teller. (2012). An Interview with Teller. Published in Smithsonian Magazine, March 2012.
U.S. Department of Homeland Security Office of Security. (2012). Elicitation: Would you recognize it? Retrieved from http://www.social-engineer.
org/wiki/archives/BlogPosts/ocso-elicitation-brochure.pdf on March 29, 2012.
Wiles, J., et al. (2007). Low Techno Securitys Guide to Managing Risks: For IT Managers, Auditors, and Investigators. Burlington, MA: Syngress
Publishing, Inc.
Wiles, J., et al. (2012). Low Tech Hacking: Street Smarts for Security Professionals. Waltham, MA: Syngress Publishing, Inc.
Wilhelm, T. and Andress, J. (2011). Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques. Burlington, MA: Syngress Publishing,
Inc.
Appendix A Events related to the Security Breach Incident at Gehenomsoft Downers Grove Office Facility
on August 22, 2008
Date:
To:
From:
CC:
Subject: Events related to the Security Breach Incident at Gehenomsoft Downers Grove Office Facility on August 22, 2008
Robert,
Thank you for taking the initial security report over the phone last night.
Overall, I feel that it was a very traumatic experience and I am still very upset about it. After re-thinking the events during
the writing of this report, I have come to the conclusion that I was very likely in danger of physical harm from the moment
I first saw the person who identified himself as DJ Roosevelt on the third floor. The fact that he made his way into a
secure building underscores the need to shore up Building Security vulnerabilities at this Downers Grove office location.
Anyway, shown below in Appendix A is my report of the events involving the security breach at the office building where
the Gehenomsoft Downers Grove Office is located. Diagrams with time sequential numbered circles are also included.
I have attempted to be as thorough and complete as possible.
After reviewing this report, please contact me if you have questions or wish to discuss.
Regards,
William F. Slater, III, PMP
Gehenomsoft Corporation
Data Center Manager | Chicago Data Center
US Data Center Services East Region
Global Foundation Services
312-810-4805 mobile / 708-397-2674 x 397 office
312-758-0307 (alternate mobile)
william.slater@Gehenomsoft.com
Appendix A Detailed List of the August 22, 2008 Events Related to the Security Breach at Gehenomsoft
Downers Grove, IL
Event No. Time
Description
Comments
6:00 PM
12:00 Noon I worked in the Wrigley Conference Room at Gehenomsoft See Diagram 2.
7:00 PM
Downers Grove
My sole purpose for being
at the Gehenomsoft
Downers Grove office
was to get five new staff
members trained in an
online Security course,
via a cabled network
connection using my
laptop to access the
course
training
that
was on Gehenomsofts
corporate network. Such
access was not possible
where I normally work
at the Gehenomsoft
Chicago Data Center in
Northlake, IL.
7:05 PM
I got ready to go home for the evening. I went to the Mens See Diagram 2
Restroom on the third floor. As I approached the restroom, in
the hallway not far from the restroom, I saw the first person I
saw in almost 90 minutes.
Event No.
Time
Description
7:10 PM
When I left the restroom, I saw this person again. He approached See Diagram 2
me and said he worked for Gehenomsoft. He asked me to help him
gain access to the office area on the third floor. He said he had been
out on assignment for a few months and that his badge had stopped
working. I asked to see his badge and he presented a Gehenomsoft
badge that had the name DJ Roosevelt on it. I asked him where
he worked and he said he worked in the State and Local Area. He
looked like any other Gehenomsoft employee who might be dressed
casually on a Friday, wearing blue jeans and a colored t-shirt. So I
used my badge to help him enter the office area.
7:15 PM
When I returned to the Wrigley Room, I started to have a funny See Diagram 2
feeling about this person, so I looked him up in the Gehenomsoft
Global Address List using my laptop. He didnt exist. I quickly
shutdown and packed up my computer and proceeded to the
office area that he had just entered at 7:10 PM.
Comments
Cyber Security
42/148
Event No.
Time
Description
Comments
7:18 PM
See Diagram 2.
7:20 PM
This person decided to take the long way around the office area See Diagram 2
on the south side of the third floor.
7:20 PM
I started for the nearest exit (on the south side) to go take the See Diagram 2
elevator and see the Security Guard downstairs.
7:21 PM
As I entered the elevator, I told this person that he and I would See Diagram
be stopping to have a chat with the building Security Guard. At Diagram 3.
the time, I forgot that the Security Guard was on the SECOND
FLOOR and not the FIRST FLOOR. I thought our destination
would take us to where the Security Guard was and that would
provide me with assistance.
When the elevator door closed, the following transpired:
He leaned up against the area where the elevator controls
where and said: Im telling you man, you better not mess with
me. If you do, Im gonna fuck you up. Do you understand?
Then he lunged at me as if to throw a punch. Then he said, Do
you want me to fuck you up? You better not mess with me. I
mean it, I will fuck you up. Do you hear me?
I said, Yes. And I was extremely shook up over these verbal
assaults.
7:22 PM
Much to my surprise, when the elevator reached the FIRST See Diagram 3
FLOOR, there was no building Security Guard to assist. The
person exited the elevator and proceeded at a very fast pace
down the walkway to the First Floor Parking Area.
10
7:23 PM
and
Cyber Security
43/148
11
7:23 PM
Asked the 911 Operator to please dispatch the Downers Grove See Diagram 4
Police Department as quickly as possible.
12
7:24 PM
The person exited through the doors to the First Floor Parking See Diagram 4
Lot. I tried to follow but, expecting the door to open outward, I
was pushing the door rather than pulling it and, finding it wouldnt
open, thought it had been locked or tampered with. This was
a result of my frustration and trying to continue to pursue the
individual and give details to the 911 operator at the same time.
13
7:24 PM
The person started his red, late model mini-SUV vehicle See Diagram 4
and rapidly drove away as I finally got the door to open and
tried in vain to get this persons license plate number. I was
unsuccessful in trying to get the number.
14
Officer Wolfe told me that this incident was not unique in nature because
crimes like this are rather common and on the rise in office buildings in
the western suburbs of Chicago. Her contact numbers are Voicemail:
630-434-5699 x 4783 and General Phone: 630-434-5600. Her e-mail address is
kwolfe@downers.us. (See Diagram 5.)
15
7:50 PM
Met with the 3025 Highland Parkway Building Engineer, the
Building Security person and the DGPD Officers. The Building
Engineer assured us that the person who did this will show up
on video that was recorded to DVD. He double checked all the
times with me. (See Diagram 5)
16
7:57 PM
I accompanied the Building Engineer and officers from the
DGPD back up to the third floor to retrace the events involving
the person who portrayed himself as a Gehenomsoft employee.
I also pointed out the cabinet with office supplies that the person
used his keys to open. (See Diagram 5)
17
8:13 PM
Went down to the Second Floor Security Guard and wrote out
(by hand) an incident report for him. (See Diagram 5)
18
8:25 PM
Called my Manager, George Ryan and left a message. I then
called Rod Blaogjevich, our Security Manager. (See Diagram 6)
19
8:40 PM
20
8:48 PM
I called Rod Blaogjevich back, and as instructed, I also called
the Gehenomsoft Global Security Operations Center. (See Diagram 6)
21
9:05 PM
22
9:50 AM - 10:15 AM, August 23, 2008
George Ryan called and asked for a detailed account of the
security breach incident. (No diagram is associated with this event.)
[Diagram 1 of 6 (approximate floorplan, not drawn to scale): Driveway, Second Floor Parking Area, Elevators, Security Desk, Front Entrance.]
[Diagram 2 of 6 (approximate floorplan, not drawn to scale): Wrigley Conference Room, Elevators, Reception Desk, Women's Restroom, Men's Restroom.]
[Diagram 3 of 6 (approximate floorplan, not drawn to scale): Elevators, with numbered markers 9 and 10.]
[Diagram 4 of 6 (approximate floorplan, not drawn to scale): Elevators and First Floor Parking Area, with numbered markers 11, 12 and 13.]
[Diagram 5 of 6 (approximate floorplan, not drawn to scale): Driveway, Second Floor Parking Area, Elevators, Front Entrance, with numbered markers 14, 15, 16 and 17.]
[Diagram 6 of 6 (approximate floorplan, not drawn to scale): Driveway, Second Floor Parking Area, Elevators, Security Desk, Front Entrance, with numbered markers 18, 19 and 20.]
Appendix B - Summary and Analysis
Introduction
One of the main disadvantages of the hyper-connected world of the 21st century is the very real danger faced by countries,
organizations, and people who use networked computer resources connected to the Internet: they are at
risk of cyberattacks that could result in anything from denial of service to espionage, theft of confidential data,
destruction of data, and/or destruction of systems and services. In recognition of these dangers, the national leaders
and militaries of most modern countries now accept that the potential and likely eventuality of cyberwar is
very real, and many are preparing to counter the threats of cyberwar with modern technological tools, using strategies
and tactics under a framework of cyberdeterrence with which they can deter the potential attacks associated with
cyberwarfare.
What is Cyberwarfare?
During my studies prior to and as a student in this DET 630 Cyberwarfare and Cyberdeterrence course at Bellevue
University, it occurred to me that considering the rapid evolution of the potentially destructive capabilities of cyberweapons
and the complex nature of cyberdeterrence in the 21st century, it is now a critical priority to integrate the cyberwarfare
and cyberdeterrence plans into the CONOPS plan. Indeed, if the strategic battleground of the 21st century has now
expanded to include cyberspace, and the U.S. has in the last five years ramped up major military commands, training,
personnel, and capabilities to support cyberwarfare and cyberdeterrence capabilities, the inclusion of these capabilities
should now be a critical priority of the Obama administration if it has not already happened.
Is it problematic for these countries in the same ways or is there variation? What kind?
Every country that is modern enough to have organizations, people, and assets that are connected to computers and
the Internet faces similar challenges of planning and managing cyberweapons and cyberdeterrence, and the poorer the
country, the more significant the challenges. For example, when a small group of hackers from Manila in the Philippines
unleashed the ILOVEYOU worm on the Internet in 2000, it caused over $2 billion in damages to computer data
throughout the world. Agents from the FBI went to Manila to track down these people and investigate how and why the
ILOVEYOU worm catastrophe occurred. To their surprise, they learned that every one of the hackers involved
could escape prosecution because there were no laws in the Philippines with which to prosecute them. In
fact, most countries lack the technological and legal frameworks with which to successfully build a coordinated effort
to manage the weapons and strategies of cyberwarfare and cyberdeterrence, despite the fact that most now embrace
cyberspace with all the positive economic benefits it offers for commerce and communications.
What are the consequences to the U.S. and others if this threat is left unchecked?
As stated earlier, without the careful integration of cyberwarfare and cyberdeterrence technologies, strategies, and
tactics into the CONOPS Plan, the national command authorities run a grave risk of launching a poorly planned offensive
cyberwarfare operation that could precipitate a global crisis, impair relationships with its allies, and potentially unleash
a whole host of unintended negative and potentially catastrophic consequences.
Has this threat evolved or changed over time or is it relatively constant? If it has evolved
or changed, exactly how has that change happened and what political consequences have
emerged from them?
The threat has certainly evolved rapidly over time. Since Stuxnet was released in 2010, countries and the general public
have become aware of some of the offensive, strategic and destructive capabilities and potential of cyberweapons (Gjelten,
T., 2011).
The changes that produced Stuxnet and other recent, more modern cyberweapons were a national resolve to excel in the
cyberwarfare area, coupled with excellent reconnaissance on desired targets, and partnering with computer scientists
in Israel. The political consequences are not well understood yet, except to say that the U.S. and Israel are probably
less trusted and suspected of even greater future capabilities, as well as of having the will to use them. Again, having
well-planned cyberwarfare and cyberdeterrence strategies and tactics defined in the CONOPS Plan might indeed restrain
such possibly reckless decisions as unleashing cyberweapon attacks without what the world might consider the correct
provocation.
future unleash such a devastating cyberattack that it could cripple the enemy's ability to communicate surrender. I think
that the moral implications of such circumstances need to be justly considered as a matter of the laws of war, because
if a country continues to attack an enemy that has indicated that they are defeated and want to surrender, this shifts the
moral ground from which the U.S. may have it was conducting its cyberwarfare operations. This is one other unintended
consequence of cyberwarfare and one that needs to be carefully considered.
To further understand the relationship of threats, counter-measures, and exposures in cyberspace, I have included this
diagram by Jaquith, shown below.
The most common type of attack for zombie computers is known as the distributed denial of service attack or DDoS
attack. In February 2000, the first sensational wave of DDoS attacks was launched from zombie computers that
were physically located at major universities in California. The following figures provide some of the details about those
attacks and which companies were the targets.
Figure 2 - Denial of Service Attack diagram from ABC News in February 2000
Figure 3 - Denial of Service Attack Victims diagram from ABC News in February 2000
Figure 4 - Denial of Service Attack Zombies diagram from ABC News in February 2000
Wireshark
Wireshark is a free, open source packet analysis tool that evolved from its predecessor, Ethereal. Wireshark is notable
for its ability to quickly capture and display traffic sequentially in real time, and to break that traffic down
at the packet level by each layer of the OSI model, from the physical layer up through the application
layer. The display also shows the sender and the receiver of each packet, and the traffic can be easily summarized with the
selection of a few menu choices. The first figure below is from a table in the Wireshark documentation, and the figures
that follow are from an actual Wireshark session where about 500,000 packets were collected for summarization and
analysis. All this data can also be saved for later analysis.
Wireshark will run on both Windows-based platforms and Mac OS X platforms. This is the website location where you
can find Wireshark: http://www.wireshark.org/download.html.
Figure 6 - Wireshark Opening Screenshot after a Network Interface Has Been Selected for Packet Capture
Ostinato
Ostinato is a free, open source-based packet generator that can be used to conduct network experiments, particularly
for packet analysis in conjunction with a tool such as Wireshark. It is easy to install, configure and use. Figure 9 below
shows a screenshot from Ostinato.
Ostinato will run on Windows-based platforms and several other platforms. This is the website location where you can
find Ostinato: http://code.google.com/p/ostinato/.
TCPView
TCPView is an excellent analysis program that shows what is happening on your computer at layer four of the OSI
networking model. If you remember, this is where TCP and UDP activities take place. TCPView allows the user to view
and sort data by process, PID, protocol (TCP or UDP), local address, remote address, port number, TCP state, sent
packets, sent bytes, received packets, and received bytes. The data can also be saved for later analysis.
TCPView was originally written by Mark Russinovich and Bryce Cogswell and was published and distributed for free
by their company, Sysinternals. In 2006, Microsoft acquired Sysinternals and TCPView and many other tools that were
created by Sysinternals continue to be updated and distributed by Microsoft for free.
TCPView will only run on Windows-based platforms and this is the website location where you can find TCPView and
many other great Sysinternals tools: http://technet.microsoft.com/en-us/sysinternals.
Figure 11 - TCPView in operation, with records sorted by sent packets, in descending order
Traffic to Watch
By far the most interesting and dangerous external traffic to watch on most networks is ICMP traffic. ICMP is the
Internet Control Message Protocol, and there are eight types of ICMP messages. Hackers can easily use ICMP
(PING) messages to create DDoS attacks. A tool like Simple Nomad's icmpenum can issue ICMP messages such as
ICMP_TIMESTAMP_REQUEST and ICMP_INFO and make it possible to map a network inside of a firewall (K, 2011).
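Added example, not part of the original article: the Python below reads a capture saved in classic pcap format (an assumption; Wireshark can save captures in this format) and flags the ICMP timestamp and information requests described above, plus bursts of echo requests from a single source. It goes slightly beyond the text by also flagging address mask requests (type 17); the sample capture, addresses, function names and thresholds are constructed for illustration.

```python
import struct
from collections import defaultdict

# ICMP request types whose replies reveal hosts behind a filtering device.
MAPPING_TYPES = {13: "timestamp request", 15: "information request",
                 17: "address mask request"}
ECHO_REQUEST = 8
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def parse_pcap(data):
    """Yield (timestamp, frame) from a classic libpcap capture (not pcapng)."""
    endian = PCAP_MAGIC.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:      # capture file cut off mid-record
            break
        off += 16 + incl_len
        yield sec + usec / 1e6, frame


def icmp_fields(frame):
    """Return (src_ip, dst_ip, icmp_type) for an IPv4 ICMP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                    # too short, or not IPv4 over Ethernet
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 1:
        return None                    # malformed IP header, or not ICMP
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
        return None                    # later fragment: no ICMP header here
    if len(frame) <= 14 + ihl:
        return None                    # ICMP header missing from the capture
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, dst, frame[14 + ihl]


def find_icmp_anomalies(pcap_bytes, echo_threshold=5, window=1.0):
    """Flag mapping-style ICMP requests and per-source echo-request bursts."""
    findings, echo_times = [], defaultdict(list)
    for ts, frame in parse_pcap(pcap_bytes):
        fields = icmp_fields(frame)
        if fields is None:
            continue
        src, dst, icmp_type = fields
        if icmp_type in MAPPING_TYPES:
            detail = f"{MAPPING_TYPES[icmp_type]} to {dst}"
            findings.append(("mapping-probe", src, detail))
        elif icmp_type == ECHO_REQUEST:
            echo_times[src].append(ts)
    for src, times in echo_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over arrival times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= echo_threshold:
                findings.append(("echo-burst", src,
                                 f"{echo_threshold}+ echo requests within {window}s"))
                break
    return findings


def make_frame(src, dst, icmp_type):
    """Constructed Ethernet/IPv4/ICMP frame; checksums are left at zero."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(int(p) for p in src.split(".")),
                     bytes(int(p) for p in dst.split(".")))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + icmp


def build_sample_pcap():
    """Constructed capture using documentation address ranges (RFC 5737)."""
    packets = [(100, 0, make_frame("203.0.113.7", "192.0.2.10", 13)),
               (100, 200000, make_frame("203.0.113.7", "192.0.2.11", 15)),
               (105, 0, make_frame("192.0.2.50", "192.0.2.1", 8))]  # lone ping
    packets += [(101, i * 100000, make_frame("198.51.100.9", "192.0.2.10", 8))
                for i in range(6)]                                  # burst
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for finding in find_icmp_anomalies(build_sample_pcap()):
        print(finding)
```

The echo threshold and window are starting points to tune against a baseline of normal monitoring traffic on the network being watched.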
Outbound traffic is just as important as inbound traffic if not more so (Geers, 2011). It is not uncommon for programs
like botnets to take up residence and open up secure channels to transmit data to remote servers in places like China,
Russia, Eastern Europe and even North Korea.
Programs that are unrecognizable should be suspected as possible malware and should be quickly researched to
determine if they are hostile. If they cannot be easily identified, that is a bad sign and they should probably be uninstalled.
The Future
Without trying to present a gloomy picture of the cyberspace environment that is composed of the Internet and all the
computers, smart phones and other devices attached to it, it appears that for the time being, the bad guys far outnumber
the good guys and that they are winning. But it is also apparent that more free information and free
tools are now available than ever before. For the foreseeable future, every person who uses the Internet should seek to
educate themselves about the dangers in cyberspace and the ways to protect themselves from these dangers.
Conclusion
This article has briefly reviewed the topic of cyberwarfare and presented some information about free network analysis
tools that can help you better understand your network traffic.
The good news is that President Obama and his Administration have an acute awareness of the importance of
cyberspace to the American economy and the American military. The bad news is that because we are already in some
form of cyberwarfare that appears to be rapidly escalating, it remains to be seen what effects these cyberattacks and
the expected forthcoming Executive Orders that address cybersecurity will have on the American people and our way of
life. I believe it will be necessary to act prudently, carefully balancing our freedoms with our need for security, and also
considering the importance of enabling and protecting the prosperity of the now electronically connected, free enterprise
economy that makes the U.S. the envy of and the model for the rest of the world.
References
1. Andreasson, K. (Ed.). (2012). Cybersecurity: Public Sector Threats and Responses. Boca Raton, FL: CRC Press.
2. Andress, J. and Winterfeld, S. (2011). Cyber Warfare: Techniques and Tools for Security Practitioners. Boston, MA: Syngress.
3. Andreasson, K. (Ed.). (2012). Cybersecurity: Public Sector Threats and Responses. Boca Raton, FL: CRC Press.
4. Barnett, M. B. and Finnemore, M. (2004). Rules for the World: International Organizations in Global Politics. Ithaca, NY: Cornell University Press.
5. Bayles, A., et al. (2007). Penetration Tester's Open Source Toolkit, Volume 2. Burlington, MA: Syngress.
6. Blitz, A. (2011). Lab Manual for Guide to Computer Forensics and Investigations, fourth edition. Boston, MA: Course Technology, Cengage Learning.
7. Bousquet, A. (2009). The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. New York, NY: Columbia University Press.
8. Brancik, K. (2008). Insider Computer Fraud: An In-Depth Framework for Detecting and Defending Against Insider IT Attacks. Boca Raton, FL: Auerbach Publications.
9. Britz, M. T. (2009). Computer Forensics and Cyber Crime: An Introduction, second edition. Upper Saddle River, NJ: Prentice-Hall.
10. Bush, G. W. (2008). Comprehensive National Cybersecurity Initiative (CNCI). Published by the White House January 2008. Retrieved from http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative on January 5, 2012.
11. Calder, A. and Watkins, S. (2010). IT Governance: A Manager's Guide to Data Security and ISO27001/ISO27002, 4th edition. London, UK: Kogan Page.
12. Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O'Reilly.
13. Carrier, B. (2005). File System Forensic Analysis. Upper Saddle River, NJ: Addison-Wesley.
14. Carvey, H. (2009). Windows Forensic Analysis DVD Toolkit, second edition. Burlington, MA:
15. Casey, E. (2011). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, third edition. New York, NY: Elsevier.
16. Chappell, L. (2010). Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide, first edition. San Jose, CA: Chappell University.
17. Cialdini, R. B. (2009). Influence: Science and Practice, fifth edition. Boston, MA: Pearson Education.
18. Clarke, R. A. and Knake, R. K. (2010). Cyberwar: the Next Threat to National Security and What to Do About It. New York, NY: HarperCollins Publishers.
19. CNBC. (2012). Cyber Espionage: The Chinese Threat. A collection of articles about the cyber threats posed by Chinese hackers. Retrieved from http://www.cnbc.com/id/47962207/ on July 10, 2012.
20. Cole, E. and Ring, S. (2006). Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Present Employees and Contractors from Stealing Corporate Data. Rockland, MA: Syngress Publishing, Inc.
21. Cole, E., et al. (2009). Network Security Bible, second edition. Indianapolis, IN: Wiley Publishing, Inc.
22. Czosseck, C. and Geers, K. (2009). The Virtual Battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
23. Davidoff, S. and Ham, J. (2012). Network Forensics: Tracking Hackers Through Cyberspace. Upper Saddle River, NJ: Prentice-Hall.
24. Dhanjani, N. (2009). Hacking: The Next Generation. Sebastopol, CA: O'Reilly.
25. Edwards, M. and Stauffer, T. (2008). Control System Security Assessments. A technical paper presented at the 2008 Automation Summit A Users Conference, in Chicago. Retrieved from the web at http://www.infracritical.com/papers/nstb-2481.pdf on December 20, 2011.
26. Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from http://omicsgroup.org/journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
27. Freedman, L. (2003). The Evolution of Nuclear Strategy. New York, NY: Palgrave Macmillan.
28. Friedman, G. (2004). America's Secret War: Inside the Hidden Worldwide Struggle Between America and Its Enemies. New York, NY: Broadway Books.
29. Geers, K. (2011). Strategic Cyber Security. A Cybersecurity technical paper published at DEFCON 20.
30. Georgetown University. (2012). International Engagement in Cyberspace part 1. A YouTube video. Retrieved from http://www.youtube.com/watch?v=R1lFNgTui00&feature=related on September 21, 2012.
31. Gewirtz, D. (2011). The Obama Cyberdoctrine: tweet softly, but carry a big stick. An article published at Zdnet.com on May 17, 2011. Retrieved from http://www.zdnet.com/blog/government/the-obama-cyberdoctrine-tweet-softly-but-carry-a-big-stick/10400 on September 25, 2012.
32. Gjelten, T. (2010). Are Stuxnet Worm Attacks Cyberwarfare? An article published at NPR.org on October 1, 2011. Retrieved from the web at http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
33. Gjelten, T. (2010). Stuxnet Computer Worm Has Vast Repercussions. An article published at NPR.org on October 1, 2011. Retrieved from the web at http://www.npr.org/templates/story/story.php?storyId=130260413 on December 20, 2011.
34. Gjelten, T. (2010). Stuxnet Computer Worm Has Vast Repercussions. An article published at NPR.org on October 1, 2011. Retrieved from the web at http://www.npr.org/templates/story/story.php?storyId=130260413 on December 20, 2011.
35. Gjelten, T. (2011). Security Expert: U.S. Leading Force Behind Stuxnet. An article published at NPR.org on September 26, 2011. Retrieved from the web at http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
37. Gjelten, T. (2011). Stuxnet Raises Blowback Risk In Cyberwar. An article published at NPR.org on December 11, 2011. Retrieved from the web at http://www.npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar on December 20, 2011.
38. Gjelten, T. (2011). Stuxnet Raises Blowback Risk In Cyberwar. An article published at NPR.org on December 11, 2011. Retrieved from the web at http://www.npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar on December 20, 2011.
39. Glenny, M. (2011). Dark Market: Cyberthieves, Cybercops and You. New York, NY: Alfred A. Knopf.
40. Grabo, C. M. (2004). Anticipating Surprise: Analysis for Strategic Warning. Lanham, MD: University Press of America, Inc.
41. Guerin, J. (2010). The Essential Guide to Workplace Investigations: How to Handle Employee Complaints & Problems. Berkeley, CA: Nolo.
42. Guerin, J. (2010). The Essential Guide to Workplace Investigations: How to Handle Employee Complaints & Problems. Berkeley, CA: Nolo.
43. Harper, A., et al. (2011). Gray Hat Hacking: The Ethical Hacker's Handbook, third edition. New York, NY: McGraw Hill.
44. Hintzbergen, J., et al. (2010). Foundations of Information Security Based on ISO27001 and ISO27002, second edition. Amersfoort, NL: Van Haren Publishing.
45. Honkers Union of China. (2012). Honkers Union of China website. Retrieved from http://www.huc.me/ on September 21, 2012.
46. Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
47. Jones, K. J., et al. (2006). Real Digital Forensics: Computer Security and Incident Response. Upper Saddle River, NJ: Addison-Wesley.
48. Jones, R. (2006). Internet Forensics: Using Digital Evidence to Solve Computer Crime. Cambridge, MA, CA: O'Reilly.
49. K., Dr. (2011). Hacker's Handbook, fourth edition. London, U.K.: Carlton.
50. Kaplan, F. (1983). The Wizards of Armageddon: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on How to Use the Bomb. Stanford, CA: Stanford University Press.
51. Kerr, D. (2012). Senator urges Obama to issue cybersecurity executive order. An article published at Cnet.com on September 24, 2012. Retrieved from http://news.cnet.com/8301-1009_3-57519484-83/senator-urges-obama-to-issue-cybersecurity-executive-order/ on September 26, 2012.
52. Knapp, E. D. (2011). Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems. Waltham, MA: Syngress.
53. Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
54. Landy, G. K. (2008). The IT/Digital Legal Companion: A Comprehensive Business Guide to Software, IT, Internet, Media, and IP Law. Burlington, MA: Syngress.
55. Langner, R. (2010). Retrieved from the web at http://www.langner.com/en/blog/page/6/ on December 20, 2011.
56. Libicki, M.C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: Rand Corporation.
57. Lockhart, A. (2007). Network Security Hacks: Tips & Tools for Protecting Your Privacy, second edition. Sebastopol, CA: O'Reilly.
58. Logicalis. (2011). Seven Ways to Identify a Secure IT Environment. Published at IT Business Edge in 2011. Retrieved from http://www.itbusinessedge.com/slideshows/show.aspx?c=92732&placement=bodycopy on May 5, 2011.
59. Long, J., et al. (2008). Google Hacking for Penetration Testers, Volume 2. Burlington, MA: Syngress Publishing, Inc.
60. Long, J., et al. (2008). No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Burlington, MA: Syngress Publishing, Inc.
61. Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. An article published in the New York Times on June 28, 2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
62. Mayday, M. (2012). Iran Attacks US Banks in Cyber War: Attacks target three major banks, using Muslim outrage as cover. An article published on September 22, 2012 at Politix.Topix.com. Retrieved from http://politix.topix.com/homepage/2214-iran-attacks-us-banks-in-cyber-war on September 22, 2012.
63. McBrie, J. M. (2007). THE BUSH DOCTRINE: SHIFTING POSITION AND CLOSING THE STANCE. A scholarly paper published by the USAWC STRATEGY RESEARCH PROJECT. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA423774 on September 30, 2012.
64. Middleton, B. (2005). Cyber Crime Investigator's Field Guide, second edition. Boca Raton, FL: Auerbach Publications.
65. Mitnick, K. and Simon, W. (2002). The Art of Deception: Controlling the Human Element of Security. Indianapolis, IN: Wiley Publishing, Inc.
66. Mitnick, K. and Simon, W. (2006). The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers. Indianapolis, IN: Wiley Publishing, Inc.
67. Nelson, B., et al. (2010). Guide to Computer Forensics and Investigations, fourth edition. Boston, MA: Course Technology, Cengage Learning.
68. Northcutt, S. and Novak, J. (2003). Network Intrusion, third edition. Indianapolis, IN: New Riders.
69. Obama, B. H. (2012). Defense Strategic Guidance 2012 Sustaining Global Leadership: Priorities for 21st Century Defense. Published January 3, 2012. Retrieved from http://www.defense.gov/news/Defense_Strategic_Guidance.pdf on January 5, 2012.
70. Obama, B.H. (2011). INTERNATIONAL STRATEGY for Cyberspace. Published by the White House on May 16, 2011. Retrieved from http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf on May 16, 2011.
71. Osborne, M. (2006). How to Cheat at Managing Information Security. Rockland, MA: Syngress.
72. Parker, T., et al. (2004). Cyber Adversary Characterization: Auditing the Hacker Mind. Rockland, MA: Syngress Publishing, Inc.
73. Payne, K. B. (2001). The Fallacies of Cold War Deterrence and a New Direction. Lexington, KY: The University of Kentucky Press.
74. Philipp, A., et al. (2010). Hacking Exposed Computer Forensics: Secrets and Solutions, second edition. New York, NY: McGraw-Hill.
75. Pry, P. V. (1999). War Scare: Russia and America on the Nuclear Brink. Westport, CT: Praeger Publications.
76. Radcliff, D. (2012). Cyber cold war: Espionage and warfare. An article published in SC Magazine, September 4, 2012. Retrieved from http://www.scmagazine.com/cyber-cold-war-espionage-and-warfare/article/254627/ on September 7, 2012.
77. Reynolds, G. W. (2012). Ethics in Information Technology, 4th edition. Boston, MA: Course Technology.
78. Reynolds, G. W. (2012). Ethics in Information Technology, 4th edition. Boston, MA: Course Technology.
79. Rogers, R., et al. (2008). Nessus Network Auditing, second edition. Burlington, MA: Syngress.
80. Rosenbaum, R. (2011). How the End Begins: The Road to a Nuclear World War III. New York, NY: Simon and Schuster.
81. RT. (2012). Iran may launch pre-emptive strike on Israel, conflict could grow into WWIII senior commander. An article published at RT.com on September 23, 2012. Retrieved from http://rt.com/news/iran-strike-israel-world-war-803/ on September 24, 2012.
82. Sanger, D. E. (2012). Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. New York, NY: Crown Publishers.
83. Schell, B. H., et al. (2002). The Hacking of America: Who's Doing It, Why, and How. Westport, CT: Quorum Press.
84. Schlesinger, J. (2012). Chinese Espionage on the Rise in US, Experts Warn. An article published at CNBC.com on July 9, 2012. Retrieved from http://www.cnbc.com/id/48099539 on July 10, 2012.
85. Schmidt, H. S. (2006). Patrolling Cyberspace: Lessons Learned from a Lifetime in Data Security. N. Potomac, MD: Larstan Publishing, Inc.
86. Schmitt, E. and Shanker, T. (2011). U.S. Debated Cyberwarfare in Attack Plan on Libya. An article published in the New York Times on October 17, 2011. Retrieved from http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html on October 17, 2011.
87. Seagren, E. (2007). Secure Your Network for Free: Using NMAP, Wireshark, SNORT, NESSUS, and MRTG. Rockland, MA: Syngress.
88. Seagren, E. (2007). Secure Your Network for Free: Using NMAP, Wireshark, SNORT, NESSUS, and MRTG. Rockland, MA: Syngress.
89. SEM. (2011). The Hackers Underground. Retrieved from http://serpentsembrace.wordpress.com/2011/05/17/the-hackers-underground/ on September 21, 2012.
90. Simpson, M. T., et al. (2011). Hands-On Ethical Hacking and Network Defense. Boston, MA: Course Technology.
91. Skoudis, E. and Liston, T. (2006). Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses, second edition. Upper Saddle River, NJ: Prentice-Hall.
92. Solomon, M. G., et al. (2011). Computer Forensics Jump Start, second edition. Indianapolis, IN: Wiley Publishing, Inc.
93. Stallings, W. (2011). Network Security Essentials: Applications and Standards, fourth edition. Boston, MA: Prentice Hall.
94. Stiennon, R. (2010). Surviving Cyber War. Lanham, MD: Government Institutes.
95. Strohm, C. and Engleman, E. (2012). Cyber Attacks on U.S. Banks Expose Vulnerabilities. An article published at BusinessWeek.com on September 28, 2012. Retrieved from http://www.businessweek.com/news/2012-09-27/cyber-attacks-on-u-dot-s-dot-banks-expose-computer-vulnerability on September 30, 2012.
96. Technolytics. (2011). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict. Purchased and downloaded from Amazon.com on April 16, 2011.
97. The Hackers Underground. An article published at the Serpents Embrace blog. Retrieved from http://serpentsembrace.wordpress.com/tag/honkerunion-of-china/ on September 21, 2012.
98. Trost, R. (2010). Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century. Boston, MA: Addison-Wesley.
99. Vacca, J. R. (2002). Computer Forensics: Computer Crime Scene Investigation. Hingham, MA: Charles River Media.
100. van Wyk, K. R. and Forno, R. (2001). Incident Response. Cambridge, MA, CA: O'Reilly.
101. Verizon. (2012). The 2012 Verizon Data Breach Investigations Report. Retrieved from http://www.verizonbusiness.com/resources/reports/rp_databreach-investigations-report-2012_en_xg.pdf on September 17, 2012.
102. Verizon. (2012). The 2012 Verizon Data Breach Investigations Report. Retrieved from http://www.verizonbusiness.com/resources/reports/rp_databreach-investigations-report-2012_en_xg.pdf on September 17, 2012.
103. Volonino, L. and Anzaldua, R. (2008). Computer Forensics for Dummies. Hoboken, NJ: Wiley Publishing, Inc.
104. Waters, G. (2008). Australia and Cyber-Warfare. Canberra, Australia: ANU E Press.
105. Whitman, M. E. and Mattord, H. J. (2007). Principles of Incident Response & Disaster Recovery. Boston, MA: Course Technology Cengage Learning.
106. Wikipedia Commons. (2011). Stuxnet Diagram. Retrieved from the web at http://en.wikipedia.org/wiki/File:Step7_communicating_with_plc.svg on December 20, 2011.
107. Wiles, J., et al. (2007). Low Techno Security's Guide to Managing Risks: For IT Managers, Auditors, and Investigators. Burlington, MA: Syngress Publishing, Inc.
108. Wiles, J., et al. (2012). Low Tech Hacking: Street Smarts for Security Professionals. Waltham, MA: Syngress Publishing, Inc.
109. Wilhelm, T. and Andress, J. (2011). Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques. Burlington, MA: Syngress Publishing, Inc.
110. Zalewski, M. (2005). Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks. San Francisco, CA: No Starch Press.
111. Zetter, K. (2011). How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History. An article published on July 11, 2011 at Wired.com. Retrieved from the web at http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1 on December 20, 2011.
112. Zittrain, J. (2012). Professor Zittrain Q&A Hacktivism: Anonymous, lulzsec, and Cybercrime in 2012 and Beyond. A YouTube video. Retrieved from http://www.youtube.com/watch?v=CZWjfxY8nmU&feature=related on September 21, 2012.
Introduction
This Audit Project Plan will provide the Charter, Scope, Statement of Work, Communications Management Plan, Quality
Management Plan, and other associated IT Infrastructure project-related information to audit Dalton, Walton, and
Carlton's entire infrastructure.
Assumptions
1. We will be performing this audit work as a certified security specialist in accordance with the best practices described
under ISO 19011:2011 Guidelines for Auditing Management Systems. Therefore we will not be actually
touching or logging into any IT equipment that belongs to Dalton, Walton, & Carlton. Nor will we be using our own
equipment to log into any computer network that belongs to Dalton, Walton, & Carlton.
2. Estimated times are estimates only. If the activities require less time, that is the only time that will be logged.
Conversely, if any activities take more time, that is the time that will be logged.
Conclusion
This IT infrastructure audit should take approximately five days. If management has the necessary requested
documentation and evidence of controls, the audit process should go well. If not, this audit may require multiple visits
and take longer than the management team planned. Nevertheless, the end result should be that Dalton, Walton, &
Carlton will have a better understanding of the effectiveness of its Security relative to its infrastructure.
Best regards,
Project Charter
Executive Summary
Dalton, Walton & Carlton, INC. has chosen Slater Technologies, Inc. to perform a detailed IT Infrastructure audit on its
IT Infrastructure and submit its findings and recommendations.
Introduction
This is the Project Charter for the IT Infrastructure Audit Project.
Project Name
IT Infrastructure Audit Project at DALTON, WALTON & CARLTON, Inc.
Description
DALTON, WALTON & CARLTON will use this project to determine the state of its IT Infrastructure.
Purpose
DALTON, WALTON & CARLTON's customers and business partners are inquiring with increasing regularity about
DALTON, WALTON & CARLTON's posture and progress in the area of Information Security, because in many cases
they too have adopted their own Information Security framework for their internal business policies, processes, and
procedures. This audit will provide the necessary information related to the current state of DALTON, WALTON &
CARLTON's IT Infrastructure.
Resource Budget
The budget for this project is not published.
Team Members
TBA
IT Manager
TBA
CFO
TBA
CIO
Chief of Staff
TBA
Director of HR
TBA
Accounting Manager
TBA
TBA
TBA
Web Master
TBA
TBA
TBA
Assumptions
The Audit Project Manager will be provided the time, asset information, business process information, and other
associated resources, as well as access to the people and the information required to successfully complete this project
within the allotted time.
Constraints
Time, Budget, and Schedule comprise the standard constraints of every project. In addition, the following project risks
and business risks have been identified:
Project Risks
Not accomplishing this IT Infrastructure Audit as quickly as possible to meet the needs and requirements of
DALTON, WALTON & CARLTON
Minimize Negative Business Impacts
Understanding:
DALTON, WALTON & CARLTON Culture
Needs, Politics, and Customer and Business Pressures on the Business Leaders
Enable Project requirements with minimal Business Impact to DALTON, WALTON & CARLTON
Accurate collection, classification of asset data and information
Accurate identification of Business Data Processes, and Data and Information Owners
Accurate risk assessment (threats and vulnerabilities) of asset data
Accurate application and documentation of controls to asset data
Successful implementation of the ISMS and the Information Security Awareness Program
Survive being the Bearer of Bad News
Business Risks
Any negative impacts related to the IT Infrastructure Audit could negatively impact the business operations of
DALTON, WALTON & CARLTON.
In the 21st Century, the Business Risks and negative consequences related to substandard Information Security
practices now exceed the efforts required to protect data and information. Example:
Resource Skills and Training Requirements
The Audit Team will bring its own experience, knowledge, resource tools and laptop to the project. They will be given
access to a Dalton, Walton & Carlton e-mail account (OFFICE 360). They will also be given access to the DALTON,
WALTON & CARLTON documentation, especially documents related to corporate policies, guidelines, processes, and
procedures.
A network accessible portal (SharePoint Server?) will be established on DALTON, WALTON & CARLTON's network as
an Audit Document Repository.
Approvals
As of February 18, 2013, both the President at DALTON, WALTON & CARLTON and the Managing Director at DALTON,
WALTON & CARLTON approved this Audit Project.
Objectives
Determine the following with regard to Dalton, Walton, and Carlton's entire infrastructure:
Existence of company policies related to asset usage
Existence and effectiveness of service management and service level agreement(s) related to employee e-mail
usage
Statement of Work
Audit Steps
Members of the Slater Technologies Audit Team will:
1. Conduct a pre-audit meeting, discuss the audit plan, and request the following:
Existence of company policies related to Internet usage
Existence of company policies related to e-mail usage
Existence of other company controls related to Internet usage
Existence of other company controls related to e-mail usage
Existence of other company controls related to data and Internet usage
Existence of other company controls related to data and e-mail usage
Effectiveness of other company controls related to data and Internet usage
Effectiveness of other company controls related to data and e-mail usage
Existence of security awareness training related to Internet usage and e-mail usage
Existence of records related to employee participation in security awareness training
Existence of records related to employee disciplinary actions related to misuse of Internet and/or e-mail
Existence of Infrastructure documentation and provider usage related to Internet usage
Existence of Infrastructure documentation and provider usage related to e-mail usage
Existence of Infrastructure documentation related to Internet security
Existence of Infrastructure documentation related to e-mail security
Existence of documentation related to employee Internet usage
Existence of documentation related to employee e-mail usage
Existence of service management artifacts and service level agreement(s) related to asset usage, Internet
usage, and e-mail usage
2. Discuss the roles and responsibilities
3. Present an audit schedule with workflow diagrams, tests and procedures.
4. Conduct the audit on the list of artifacts gathered. Collect evidence for each item.
5. Prepare the audit findings report
6. Prepare recommendations
7. Conduct the audit close-out meeting and present the report with the audit findings and recommendations
Understanding:
Dalton, Walton & Carlton Culture
Needs, Politics, and Customer and Business Pressures on the Business Leaders
Enable Project Needs with minimal Business Impact
Accurate collection, classification of asset data and information
Successful Auditing of the Dalton, Walton & Carlton IT Infrastructure
Survive being the Bearer of Bad News
Business Risks
Customers who have Information Security Compliance Frameworks will expect the same from their business
partners
In the 21st Century, the Business Risks and negative consequences related to substandard Information Security
practices now exceed the efforts required to protect data and information.
[Figure: risk management process flowchart, Phase: PLAN, with swimlanes for Head of Information Assurance, Risk Committee, Risk Owner, and IS Incident Response Team. Steps shown: Start; Identify Risk; Input Risk to IS Risk List (see instructions); Investigate Risk; decision points Credible?, Emergency Imminent?, Assigned Owner?, and Risk Item Resolved?; Notify Management; Assign Appropriate Risk Owner; Update Risk Parameters and Risk Owner in Risk List; Communicate Details to Risk Owner; Decide Risk Management Strategy (Mitigate, Accept, Transfer, Avoid); Take Action (Mitigate, Accept, Transfer, Avoid); Update Risk List; Bi-Weekly Review Meeting; Notify Incident Response Team; Initiate Incident Response Plan; Stop.]
Communications Plan
Team Members:
TBA
IT Manager
TBA
CFO
TBA
CIO
Chief of Staff
TBA
Director of HR
TBA
Accounting Manager
TBA
TBA
TBA
Web Master
TBA
TBA
TBA
Description | Frequency | Outcome | Comments
Weekly Project Status Management Meetings | Weekly | |
Senior Management Meetings | As needed. | |
Schedule change:
Budget change:
Scope change:
Project document changes:
Change Control Board
Name
Role
Responsibility
TBA
IT Project Manager
Authority
TBA
TBA
CFO
TBA
CIO
Every change will be documented using the form shown above and then submitted
for review and approval.
Changes will be reviewed for approval by the Audit Project Change Control Board.
Non-Compliance
Errors, defects, issues, deviations, and noncompliance in regards to requirements specified in individual task orders
must be itemized, documented, tracked to closure, and reported by DALTON, WALTON & CARLTON Management.
The DALTON, WALTON & CARLTON Project Manager and Slater Technologies must verify all problems are tracked
to closure and must provide continuing feedback to management and if necessary, the Project Team and Stakeholders
concerning the status of the problem.
Performance Improvement
During the period of performance, if Slater Technologies' performance is found to be below DALTON, WALTON &
CARLTON expectations per the expectations of the Statement of Work, Slater Technologies may initiate a performance
improvement plan.
If Slater Technologies can quickly resolve the deficiency with a solution acceptable to DALTON, WALTON & CARLTON,
SLATER TECHNOLOGIES may forgo the remainder of the performance improvement process at DALTON, WALTON
& CARLTON's discretion. SLATER TECHNOLOGIES shall submit a plan to the COTR within five (5) working days of
the identification of the deficiency. The plan shall consist of the following components:
Problem Identification
Improvement Alternatives
Recommended Solution
Solution Implementation
DALTON, WALTON & CARLTON will provide a response to SLATER TECHNOLOGIES within five (5) working days.
Upon DALTON, WALTON & CARLTON approval of the improvement plan, SLATER TECHNOLOGIES shall immediately
commence with implementing the solution.
Quality of Performance
Completeness: Contractor addressed all of the requirements relating to the deliverable.
Content: The deliverable under review shows evidence of comprehensive research and provides a thorough treatment
of the deliverable's topic.
Professionalism: The deliverable under review is written clearly.
Timeliness: Delivered according to schedule established in the contract or as modified by the CO.
Internal Quality Control: Extent to which SLATER TECHNOLOGIES identifies problems and/or deficiencies in the
deliverables and corrects them.
The DALTON, WALTON & CARLTON Project Manager will forward copies of completed evaluation forms to Slater
Technologies by the close of five (5) business days from the date each deliverable is received by the DALTON, WALTON
& CARLTON Project Manager.
For the purpose of documentation, SLATER TECHNOLOGIES may respond in writing to any unacceptable score within
five working days after receipt of the form. However, this does not mean that the DALTON, WALTON & CARLTON
Project Manager will change his scores.
SLATER TECHNOLOGIES will review each key deliverable evaluation form prepared by the DALTON, WALTON &
CARLTON Project Manager. When appropriate, the CO may investigate the event further to determine if all the facts and
circumstances surrounding the event were considered in the opinions outlined on the forms. Discussion with SLATER
TECHNOLOGIES of the unacceptable deliverable does not negate DALTON, WALTON & CARLTON's right to
terminate SLATER TECHNOLOGIES for default or poor performance.
Performance meets all and exceeds many STATEMENT OF WORK requirements. Products
are of the highest quality with no technical issues. Product effectively addresses all technical
questions enabling timely and efficient decision making by the customer.
Satisfactory
Performance meets most STATEMENT OF WORK requirements. Products are of good quality
meeting minimal technical requirements. Product addresses most technical questions.
Unsatisfactory
Performance meets few STATEMENT OF WORK requirements with poor technical content and
did not adequately address the technical issue.
Grammar: Does the product contain grammar errors such as poor spelling or poor sentence structure?
Table for Grammar (Gr) Performance Standards
Grammar (Gr)
Exceptional
Performance meets all and exceeds many STATEMENT OF WORK requirements. Products are
of the highest quality with no grammatical issues to include, no misspelled words, no undefined
acronyms and document was delivered in proper format.
Satisfactory
Performance meets most STATEMENT OF WORK requirements. Products are of good quality
meeting minimal grammatical expectations to include few misspelled words, most acronyms
defined and minimal issues with document format.
Unsatisfactory
Performance meets few STATEMENT OF WORK requirements with poor technical content and
excessive grammatical errors in spelling, use of acronyms and format.
Rework: Does the contractor consistently require excessive work to accomplish the assigned task?
Performance meets all and exceeds many STATEMENT OF WORK requirements. Products
are of the highest quality with no rework required prior to acceptance by customer.
Satisfactory
Performance meets most STATEMENT OF WORK requirements. Products are of good quality
and required minimal rework prior to acceptance by customer.
Unsatisfactory
Performance meets few STATEMENT OF WORK requirements with poor technical content and
excessive rework was required prior to acceptance by customer.
Each of these quality measures is graded using the Phase Performance Report. All scores will include examples of
contractor Quality Performance. The scores will be consolidated to establish a consolidated quality score for the task
order.
Quality Performance (QP): Technical Proficiency + Grammar Performance + Rework Performance.
Performance meets all and exceeds many STATEMENT OF WORK requirements. All formally
identified requests are resolved in a timely and efficient manner.
Satisfactory
Unsatisfactory
Performance meets few STATEMENT OF WORK requirements. Few formally identified requests
are resolved in a timely or efficient manner.
Timeliness (TiP) is a measure of the contractor's ability to deliver products in a timely manner. Delivery schedule in a
service environment is primarily determined upon assignment of the task. Both Dalton, Walton & Carlton and the
contractor should make every effort to obtain written agreement on delivery schedule at time of assignment, but the lack of
a written delivery date does not prohibit Dalton, Walton & Carlton from grading timeliness for each period of performance.
Table for Timeliness Performance Standards
Timeliness Performance (TiP)
Exceptional
Performance meets all and exceeds many STATEMENT OF WORK requirements. All formally
defined delivery dates and informally defined delivery schedules are met.
Satisfactory
Performance meets most STATEMENT OF WORK requirements. Few formally defined delivery
dates are missed and most informally defined delivery schedules are met.
Unsatisfactory
Performance meets few STATEMENT OF WORK requirements. Most defined delivery dates are
missed and an excessive number of informally defined delivery schedules are missed.
The following process will be utilized to collect, validate, consolidate and analyze Quality, Responsiveness and Timeliness
Performance effectiveness by SOW task.
a. The DALTON, WALTON & CARLTON Project Manager will initiate the process with a request to Slater
Technologies for Quality performance with sample supporting data for each quality measure. The DALTON,
WALTON & CARLTON Project Manager will utilize a Contract Performance Survey to capture input from multiple
members of the DALTON, WALTON & CARLTON team supported by Statement of Work task deliverable.
b. Upon receipt of the Performance Survey performance data from the Dalton, Walton & Carlton team, the DALTON,
WALTON & CARLTON Project Manager will review performance and grade the performance using the guidelines
established in the Quality Management Plan.
c. Once completed, the DALTON, WALTON & CARLTON Project Manager will submit the completed Performance
Report to SLATER TECHNOLOGIES.
d. Generation of monthly Contractor Performance Reports (CPR) will be accomplished. The CPR will be a
consolidated report as defined in this document (Contractor Performance Report Generation).
e. Quality, Responsiveness, Timeliness and Teamwork Performance is a calculated score comprised of the summed
values of each of the performance areas defined in this section. The scoring system is defined below in the
Contractor Performance Report Generation Portion of this document.
Quality, Responsiveness, and Timeliness (QRT) = Quality Performance (QP) + Responsiveness Performance (RP)
+ Timeliness Performance (TiP).
Surveillance Approach
Purpose
This section details the method to be used in verifying contractor compliance with the contract requirements. The key
elements of this process are the contractor's quality control program and Dalton, Walton & Carlton's identified high risk
and critical operational requirements.
Surveillance Approach
The intent of the surveillance approach is to allow DALTON, WALTON & CARLTON to gain confidence in SLATER
TECHNOLOGIES' way of doing business and then adjust the level of oversight to a point that maintains that confidence
while minimizing administrative cost to DALTON, WALTON & CARLTON. With this intent, the surveillance approach
may not be one that stays the same throughout the duration of the contract.
Surveillance Folder
A surveillance folder will be developed and maintained to accomplish contract quality assurance for a performance
requirement. The folder is typically contained in hardcopy, but may be maintained in a computer database provided that
there is adequate backup of the data to preclude accidental loss. The surveillance folder must contain the following sections,
but may contain any other sections or information that the DALTON, WALTON & CARLTON Project Manager finds useful.
Surveillance Methods
100 Percent Inspection
Surveillance based on 100% inspection is considered the most appropriate method for infrequent tasks or activities
with stringent performance requirements. 100% inspection is used for rigorous performance requirements when safety
and health are on the line, or passing this Audit is at stake. Based on resource constraints and cost impact, DALTON,
WALTON & CARLTON exercises this method of surveillance in cases where outputs and/or deliverables define integral
aspects of critical program elements.
Random Sampling
This is often the most appropriate method for recurring tasks. With random sampling, services are sampled to determine
if the level of performance is acceptable. Random sampling works best when the number of instances of the services
being performed is very large and a statistically valid sample can be obtained. Computer programs may be available to
assist in establishing sampling procedures.
Periodic Inspection
This method, sometimes called planned sampling, consists of the evaluation of tasks selected on other than a 100
percent or random basis. It may be appropriate for tasks that occur infrequently and where 100 percent inspection is
neither required nor practicable. A predetermined plan for inspecting part of the work is established using subjective
judgment and analysis of agency resources to decide what work to inspect and how frequently to inspect it.
Customer Input
Although usually not a primary method, this is a valuable supplement to more systematic methods. For example, in a case
where random sampling indicates unsatisfactory service, customer complaints can be used as substantiating evidence.
In certain situations where customers can be relied upon to complain consistently when the quality of performance is
poor, e.g. building services, customer surveys and customer complaints may be a primary surveillance method and
customer satisfaction an appropriate performance standard. In all cases, complaints should be documented, preferably
on a standard form.
Data Tracking
Spreadsheets and database applications can be used as surveillance methods. Summaries of such data tracking metrics
can be distributed to management at weekly, monthly, quarterly, biannual, or annual intervals.
Walkthrough
Walkthroughs are beneficial for evaluating plans, documentation, and other deliverables. They serve to orient staff
members to new technology products and services. Walkthroughs will be conducted internally and on an as-needed
basis. They will be used to present plans, documentation, or other deliverables for review and approval, work being
performed, deliverable due dates, major milestones and critical paths, and/or scheduled reports. This particular method
of surveillance will be conducted consistent with other appropriate monitoring techniques to validate the results of the
evaluation, reinforce other measures of performance, and ensure consistency.
Feedback for the process improvement will be received and processed at the meetings described in the Communications
Plan section of this document.
______________________________________
TBA, President
Description of Change | Approval | Date of Issue
Initial issue | President |
Time slots: 07:30 AM - 07:59 AM, then hourly from 08:00 AM through 04:59 PM.
Days 1 through 5, 07:30 AM - 07:59 AM: Arrive at Dalton, Walton, and Carlton and get processed in.
Days 1 through 5, 12:00 Noon - 12:59 PM: Lunch.
Day 1 (3/5/2013): Task 1.0 (08:00 AM - 08:59 AM slot); Task 2.0 (09:00 AM - 09:59 AM slot).
Day 2 (3/6/2013): Task 3.0 (08:00 AM - 08:59 AM slot).
Day 3 (3/7/2013): Task 4.0 (08:00 AM - 08:59 AM slot).
Day 4 (3/8/2013): Task 5.0 (08:00 AM - 08:59 AM slot).
Day 5 (3/9/2013): Task 6.0 (08:00 AM - 08:59 AM slot).
Days 6 and 7: Arrive at Dalton, Walton, and Carlton and get processed in.
Day 6 (3/12/2013): Task 7.
Day 7 (3/13/2013): Task 8; Task 9 (02:00 PM - 02:59 PM slot); Task 10 (04:00 PM - 04:59 PM slot).
Item | Description | Estimate Time in Hours | Date | Actual Date | Comments
1.0 | | .5 | 3/5/2013 | |
2.0 | Audit Work | 7.5 | 3/5/2013 | |
3.0 | Audit Work | 8.0 | 3/6/2013 | |
4.0 | Audit Work | 8.0 | 3/7/2013 | |
5.0 | Audit Work | 8.0 | 3/8/2013 | |
6.0 | Audit Work | 8.0 | 3/9/2013 | |
7.0 | Analysis of results | 8.0 | 3/12/2013 | |
8.0 | | | 3/13/2013 | |
9.0 | | | 3/13/2013 | |
10.0 | | | 3/13/2013 | |
Estimated Total | | 60.0 | | |
Item | Description | | Slater Technologies, Inc. | Comments
1.0 | | TBD | William Slater |
2.0 | Audit Work | TBD | William Slater |
3.0 | Audit Work | TBD | William Slater |
4.0 | Audit Work | TBD | William Slater |
5.0 | Audit Work | TBD | William Slater |
6.0 | Audit Work | TBD | William Slater |
7.0 | Analysis of results | TBD | William Slater |
8.0 | | | William Slater |
9.0 | | TBD | William Slater |
10.0 | | TBD | William Slater |
Risk Category | Risk Description | Probability | Impact | Detection | RPN | Risk Management Strategy | Contingency Summary | Risk Owner(s) | Status
References
Anderson, R. (2008). Security Engineering, second edition. Indianapolis, IN: John Wiley.
Davis, C., et al. (2011). IT Auditing: Using Controls to Protect Information Assets, second edition. New York, NY: McGraw-Hill.
Senft, S., et al. (2013). Information Technology Control and Audit, fourth edition. Boca Raton, FL: CRC Press.
Threat Assessment in Cyberwarfare and Cyberdeterrence
up to date. In the dynamic world of cyberspace with its constantly shifting landscape of new capabilities, threats and
vulnerabilities, the coordination of the constant refresh and testing of a CONOPS Plan that integrated these cyberwarfare
and cyberdeterrence capabilities would be no small feat. In addition, constant intelligence gathering and reconnaissance
would need to be performed on suspected enemies to ensure that our cyberweapons and cyberdeterrence capabilities
would be in a constant state of being able to deliver the intended effects for which they were designed.
What are the consequences to the U.S. and others if this threat is left unchecked?
As stated earlier, without the careful integration of cyberwarfare and cyberdeterrence technologies, strategies, and
tactics into the CONOPS Plan, the national command authorities run a grave risk of launching a poorly planned offensive
cyberwarfare operation that could precipitate a global crisis, impair relationships with its allies, and potentially unleash
a whole host of unintended negative and potentially catastrophic consequences.
Cyber Security
98/148
Cyber Security
References
99/148
Andress, J. and Winterfeld, S. (2011). Cyber Warfare: Techniques and Tools for Security Practitioners. Boston, MA: Syngress.
Arndreasson, K. (ed.). (2012). Cybersecurity: Public Sector Threats and Responses. Boca Raton, FL: CRC Press.
Bousquet, A. (2009). The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. New York, NY: Columbia University Press.
Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: OReilly.
Clarke, R. A. and Knake, R. K. (2010). Cyberwar: the Next Threat to national Security and What to Do About It. New York, NY: HaperCollins
Publishers.
Czosseck, C. and Geers, K. (2009). The Virtual battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
Edwards, M. and Stauffer, T. (2008). Control System Security Assessments. A technical paper presented at the 2008 Automation Summit A Users
Conference, in Chicago. Retreived from http://www.infracritical.com/papers/nstb-2481.pdf on December 20, 2011.
Freedman, L. (2003). The Evolution of Nuclear Strategy. New York, NY: Palgrave Macmillian.
Friedman, G. (2004). Americas Secret War: Inside the Hidden Worldwide Struggle Between America and Its Enemies. New York, NY: Broadway
Books.
Gjelten, T. (2010). Are Stuxnet Worm Attacks Cyberwarfare? An article published at NPR.org on October 1, 2011. Retrieved from http://www.npr.
org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
Gjelten, T. (2010). Stuxnet Computer Worm Has Vast Repercussions. An article published at NPR.org on October 1, 2011. Retrieved from http://www.
npr.org/templates/story/story.php?storyId=130260413 on December 20, 2011.
Gjelten, T. (2011). Security Expert: U.S. Leading Force Behind Stuxnet. An article published at NPR.org on September 26, 2011. Retrieved from
http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-forcebehind-stuxnet on December 20, 2011.
Gjelten, T. (2011). Stuxnet Raises Blowback Risk In Cyberwar. An article published at NPR.org on December 11, 2011.
Grabo, C. M. (2004). Anticipating Surprise: Analysis for Strategic Warning. Lanham, MD: University Press of America, Inc.
Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
Jaquith, A. (2007). Security Metrics. Boston, MA: Addison Wesley.
Kaplan, F. (1983), The Wizards of Armageddon: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on
How to Use the Bomb. Stanford, CA: Stanford University Press.
Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
Langer, R. (2010). Retrieved from http://www.langner.com/en/blog/page/6/ on December 20, 2011.
Libicki, M.C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: Rand Corporation.
Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. An article published in the New York Times on June 28,
2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
Payne, K. B. (2001). The Fallacies of Cold War Deterrence and a New Direction. Lexington, KY: The University of Kentucky Press.
Pry, P. V. (1999). War Scare: Russia and America on the Nuclear Brink. Westport, CT: Praeger Publications.
Radcliff, D. (2012). Cyber cold war: Espionage and warfare. An article published in SC Magazine, September 4, 2012. Retrieved from http://www.
scmagazine.com/cyber-cold-war-espionage-and-warfare/article/254627/ on September 7, 2012.
Retrieved from http://www.npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar on December 20, 2011.
Reynolds, G. W. (2012). Ethics in Information Tehnology, 4th edition. Boston, MA: Course Technology.
Rosenbaum, R. (2011). How the End Begins: The Road to a Nuclear World War III. New York, NY: Simon and Schuster.
Sanger, D. E. (2012). Confront and Coneal: Obamas Secret Wars and Surprising Use of America Power. New York, NY: Crown Publishers.
Schell, B. H., et al. (2002). The Hacking of America: Whos Doing It, Why, and How. Westport, CT: Quorum Press.
Schmidt, H. S. (2006). Patrolling Cyberspace: Lessons Learned from Lifetime in Data Security. N. Potomoc, MD: Larstan Publishing, Inc.
Schmitt, E. and Shanker, T. (2011). U.S. Debated Cyberwarfare in Attack Plan on Libya. An article published in the New York Times on October 17,
2011. Retrieved from http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html on October 17, 2011.
Stiennon, R. (2010). Surviving Cyber War. Lanham, MA: Government Institutes.
Swiderski, F. and Snyder, W. (2004). Threat Modeling. Redmond, WA. Microsoft Press.
Technolytics. (2011). Cyber Commanders eHandbook: The Weaponry and Strategies of Digital Conflict. Purchased and downloaded from Amazon.
com on April 16, 2011.
Waters, G. (2008). Australia and Cyber-Warfare. Canberra, Australia: ANU E Press.
Wikipedia Commons. (2011). Stuxnet Diagram. Retrieved from http://en.wikipedia.org/wiki/File:Step7_communicating_with_plc.svg on December 20,
2011.
Zetter, K. (2011). How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History. An article published on July 11, 2011 at Wired.
com. Retreived from http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1 on December 20, 2011.
Cyber Security
100/148
Cyber Security
101/148
In the case of Principle No. 1, the network needs to have defenses that protect it from hosts that are possibly
infected.
In the case of Principle No. 2, each host needs to have defenses that protect it from other hosts and from
anything else attached to the network that could possibly be infected.
In the case of Principle No. 3, each host and the network and all applications need to have defenses that protect
them from other hosts and from anything else attached to the network that could possibly be infected. This is also
applying the concept of least privilege, in which every user is only allowed access to the required data and resources in
a computer networked environment (Compare Business Products, 2010).
Ironically, when doing effective security control analysis and security risk analysis, most organizations take it a bit further
than these three principles described above. In fact, they usually agree that an asset is secure if it is able to satisfy these
criteria:
Is Confidentiality guaranteed?
Is Integrity guaranteed?
Is Availability guaranteed?
These are often referred to as the CIA Triad. And if the answer to any of these questions is NO, then the asset is not
considered secure and the control that is designed to secure that asset must be reevaluated.
However, one of the founding fathers of the computer security field, Mr. Donn Parker, also established three additional
simple criteria that truly augment the CIA concept of security.
Is the asset under the owner's control?
Is the asset authentic?
Is the asset usable?
And if the answer to any of these additional three questions is NO, then the asset is not considered secure and the
control that is designed to secure that asset must be reevaluated. These three additional concepts together with CIA
form what is now commonly referred to as the Parkerian Hexad, in honor of Mr. Parker (Hintzbergen, J., et al., 2010).
Finally, here is a short checklist for getting a quick idea of whether an organization is practicing good information security principles:
How to Identify a Secure Environment
1. Do they have an established Security Program?
2. Are data and information classified according to their importance and sensitivity?
3. Do they have well-defined Security Policies?
4. Do they have clear Guidelines for Acceptable Use of Assets?
5. Do they have a companywide Security Awareness Education Program?
6. Are Risks Identified and Managed via a Risk Management Program?
7. Does an Incident Response Plan exist?
If the answer to each of these questions is YES, the organization is probably pretty serious about Information Security
(Logicalis, 2011).
References
Compare Business Products. (2010). Three Simple Security Principles. An article published at Compare Business Products on February 2, 2010.
Retrieved from http://www.comparebusinessproducts.com/briefs/three-simple-security-principals on September 21, 2012.
Hintzbergen, J., et al. (2010). Foundations of Information Security Based on ISO27001 and ISO27002, second edition. Amersfoort, NL: Van Haren Publishing.
Logicalis. (2011). Seven Ways to Identify a Secure IT Environment. Published at IT Business Edge in 2011. Retrieved from http://www.itbusinessedge.com/slideshows/show.aspx?c=92732&placement=bodycopy on May 5, 2011.
Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O'Reilly.
Koushal Blog. (2009). What is GhostNet and How It Works. Retrieved from http://koushalblog.blogspot.com/2009/03/what-is-ghostnet-and-how-itworks.html on September 21, 2012.
Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O'Reilly.
Clarke, R. A. and Knake, R. K. (2010). Cyberwar: the Next Threat to National Security and What to Do About It. New York, NY: HarperCollins Publishers.
Czosseck, C. and Geers, K. (2009). The Virtual battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
Edwards, M. and Stauffer, T. (2008). Control System Security Assessments. A technical paper presented at the 2008 Automation Summit A Users
Conference, in Chicago. Retrieved from the web at http://www.infracritical.com/papers/nstb-2481.pdf on December 20, 2011.
Freedman, L. (2003). The Evolution of Nuclear Strategy. New York, NY: Palgrave Macmillan.
Friedman, G. (2004). America's Secret War: Inside the Hidden Worldwide Struggle Between America and Its Enemies. New York, NY: Broadway
Books.
Gjelten, T. (2010). Are Stuxnet Worm Attacks Cyberwarfare? An article published at NPR.org on October 1, 2011. Retrieved from the web at http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
Gjelten, T. (2010). Stuxnet Computer Worm Has Vast Repercussions. An article published at NPR.org on October 1, 2011. Retrieved from the web at
http://www.npr.org/templates/story/story.php?storyId=130260413 on December 20, 2011.
Gjelten, T. (2011). Security Expert: U.S. Leading Force Behind Stuxnet. An article published at NPR.org on September 26, 2011. Retrieved from the
web at http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force behind-stuxnet on December 20, 2011.
Gjelten, T. (2011). Stuxnet Raises Blowback Risk In Cyberwar. An article published at NPR.org on December 11, 2011. Retrieved from the web at
http://www.npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar on December 20, 2011.
Grabo, C. M. (2004). Anticipating Surprise: Analysis for Strategic Warning. Lanham, MD: University Press of America, Inc.
Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
Kaplan, F. (1983). The Wizards of Armageddon: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on
How to Use the Bomb. Stanford, CA: Stanford University Press.
Knapp, E D. (2011). Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control
Systems. Waltham, MA: Syngress, MA.
Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
Langer, R. (2010). Retrieved from the web at http://www.langner.com/en/blog/page/6/ on December 20, 2011.
Libicki, M.C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: Rand Corporation.
Mayday, M. (2012). Iran Attacks US Banks in Cyber War: Attacks target three major banks, using Muslim outrage as cover. An article published on
September 22, 2012 at Politix.Topix.com. Retrieved from http://politix.topix.com/homepage/2214-iran-attacks-us-banks-in-cyber-war on September
22, 2012.
Payne, K. B. (2001). The Fallacies of Cold War Deterrence and a New Direction. Lexington, KY: The University of Kentucky Press.
Pry, P. V. (1999). War Scare: Russia and America on the Nuclear Brink. Westport, CT: Praeger Publications.
Reynolds, G. W. (2012). Ethics in Information Technology, 4th edition. Boston, MA: Course Technology.
Rosenbaum, R. (2011). How the End Begins: The Road to a Nuclear World War III. New York, NY: Simon and Schuster.
RT. (2012). Iran may launch pre-emptive strike on Israel, conflict could grow into WWIII senior commander. An article published at RT.com on
September 23, 2012. Retrieved from http://rt.com/news/iran-strike-israel-world-war-803/ on September 24, 2012.
Sanger, D. E. (2012). Confront and Conceal: Obama's Secret Wars and Surprising Use of America Power. New York, NY: Crown Publishers.
Technolytics. (2011). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict. Purchased and downloaded from Amazon.com on April 16, 2011.
Wikipedia Commons. (2011). Stuxnet Diagram. Retrieved from the web at http://en.wikipedia.org/wiki/File:Step7_communicating_with_plc.svg on
December 20, 2011.
Zetter, K. (2011). How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History. An article published on July 11, 2011 at Wired.com. Retrieved from the web at http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1 on December 20, 2011.
In your weeks 3 and 4 videos, you get diametrically opposite issues: hacking vs. establishing norms. Reflecting upon these two videos together, explain what you consider to be some of the chief issues that make hacking a chronic problem to those looking to establish international norms of cyber behavior.
I enjoyed both of these videos, but I liked all speakers and the structure of the second video much better than the one
with Professor Jonathan Zittrain. They were all brilliant and accomplished and well-researched and credentialed, but I
felt that Professor Zittrain was trying too much to be ironic and funny at the same time.
After viewing both videos, these are some of the chief issues that I think are making hacking a chronic problem:
1. The hacking problem is not well understood either in this country or internationally.
2. The hackers know and understand their world better than others understand the world of cyberspace.
3. The hackers are MUCH more evil and determined and malicious than people realize. A great example is all the evil
things that Anonymous attackers did to HBGary.
4. The hackers have a strange mindset and enjoy bragging about their exploits.
5. The hackers do what they do in a fearless manner, knowing that there is little or no chance that they will be caught.
6. The hackers are actually well-organized and can skillfully plan out and organize and execute precision attacks.
7. There are a lot more well-organized hackers out there who well understand cyberspace and the good guys than
there are good guys who understand the hackers.
8. The hackers revel in the stupidity and relative helplessness of their victims.
9. The hackers can and will strike from anywhere, at any time and in numbers and in ways that are not expected or
cannot be accurately predicted.
10. I believe that the good guys should enlist skilled hackers into their cause to fight foreign hostiles, but I sincerely
believe that the good guys don't have the skills or the diplomatic know-how to do that.
11. The good guys believe that international agreements can be attained to define and agree on what cyberwarfare is
and what cyberweapons are, and how to assess the effects of the damage of cyberweapons. They also seem to
believe that 2012 would be the decisive year in which the groundwork for legislation and policy was laid to deal
with cyberwarfare issues. The hackers do not even consider this a remote possibility, in my estimation.
References
Georgetown University. (2012). International Engagement in Cyberspace part 1. A YouTube video. Retrieved from http://www.youtube.com/watch?v=R1lFNgTui00&feature=related on September 21, 2012.
Zittrain, J. (2012). Professor Zittrain Q&A Hacktivism: Anonymous, lulzsec, and Cybercrime in 2012 and Beyond. A YouTube video. Retrieved from
http://www.youtube.com/watch?v=CZWjfxY8nmU&feature=related on September 21, 2012.
How long has this policy been in place? Have any changes occurred to the
policy over the years?
This policy has evolved from the Comprehensive National Cybersecurity Initiative (CNCI) that was published by President
George W. Bush in January 2008. The three primary tenets of the CNCI policy were:
To establish a front line of defense against today's immediate threats by creating or enhancing shared
situational awareness of network vulnerabilities, threats, and events within the Federal Government and
ultimately with state, local, and tribal governments and private sector partners and the ability to act quickly
to reduce our current vulnerabilities and prevent intrusions.
To defend against the full spectrum of threats by enhancing U.S. counterintelligence capabilities and
increasing the security of the supply chain for key information technologies.
To strengthen the future cybersecurity environment by expanding cyber education; coordinating and
redirecting research and development efforts across the Federal Government; and working to define and
develop strategies to deter hostile or malicious activity in cyberspace (Bush, 2008).
Though the Obama Administration reviewed and approved Bush's CNCI policy in May 2009, Obama, who is regarded as the most technology-savvy president that has ever occupied the White House, went much further to acknowledge the importance of cyberspace to the American economy and the American military, and the importance of defending the U.S. from adversaries that could threaten us via cyberspace. Obama's policy also acknowledges the reality that future wars will be fought in the realm of cyberspace, and has thus funded the preparation of the U.S. armed forces for conflict in cyberspace (Gerwitz, 2011).
Conclusion
The good news is that President Obama and his Administration have an acute awareness of the importance of
cyberspace to the American economy and the American military. The bad news is that because we are already in some
form of cyberwarfare that appears to be rapidly escalating, it remains to be seen what effects these cyberattacks and
the expected forthcoming Executive Orders that address cybersecurity will have on the American people and our way of
life. I believe it will be necessary to act prudently, carefully balancing our freedoms with our need for security, and also
considering the importance of enabling and protecting the prosperity of the now electronically connected, free enterprise
economy that makes the U.S. the envy of and the model for the rest of the world.
References
Andress, J. and Winterfeld, S. (2011). Cyber Warfare: Techniques and Tools for Security Practitioners. Boston, MA: Syngress.
Andreasson, K. (ed.). (2012). Cybersecurity: Public Sector Threats and Responses. Boca Raton, FL: CRC Press.
Bush, G. W. (2008). Comprehensive National Cybersecurity Initiative (CNCI). Published by the White House January 2008. Retrieved from http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative on January 5, 2012.
Bousquet, A. (2009). The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. New York, NY: Columbia University Press.
Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O'Reilly.
Clarke, R. A. and Knake, R. K. (2010). Cyberwar: the Next Threat to National Security and What to Do About It. New York, NY: HarperCollins
Publishers.
Czosseck, C. and Geers, K. (2009). The Virtual battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from http://omicsgroup.org/journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
Freedman, L. (2003). The Evolution of Nuclear Strategy. New York, NY: Palgrave Macmillan.
Gerwitz, D. (2011). The Obama Cyberdoctrine: tweet softly, but carry a big stick. An article published at Zdnet.com on May 17, 2011. Retrieved from
http://www.zdnet.com/blog/government/the-obama-cyberdoctrine-tweet-softly-but-carry-a-big-stick/10400 on September 25, 2012.
Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
Kaplan, F. (1983), The Wizards of Armageddon: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on
How to Use the Bomb. Stanford, CA: Stanford University Press.
Kerr, D. (2012). Senator urges Obama to issue cybersecurity executive order. An article published at Cnet.com on September 24, 2012. Retrieved
from http://news.cnet.com/8301-1009_3-57519484-83/senator-urges-obama-to-issue-cybersecurity-executive-order/ on September 26, 2012.
Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
Libicki, M.C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: Rand Corporation.
Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. An article published in the New York Times on June 28,
2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
McBrie, J. M. (2007). THE BUSH DOCTRINE: SHIFTING POSITION AND CLOSING THE STANCE. A scholarly paper published by the USAWC
STRATEGY RESEARCH PROJECT. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA423774 on September 30, 2012.
Obama, B. H. (2012). Defense Strategic Guidance 2012 Sustaining Global Leadership: Priorities for 21st Century Defense. Published January 3,
2012. Retrieved from http://www.defense.gov/news/Defense_Strategic_Guidance.pdf on January 5, 2012.
Obama, B.H. (2011). INTERNATIONAL STRATEGY for Cyberspace. Published by the White House on May 16, 2011. Retrieved from http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf on May 16, 2011.
Radcliff, D. (2012). Cyber cold war: Espionage and warfare. An article published in SC Magazine, September 4, 2012. Retrieved from http://www.scmagazine.com/cyber-cold-war-espionage-and-warfare/article/254627/ on September 7, 2012.
Sanger, D. E. (2012). Confront and Conceal: Obama's Secret Wars and Surprising Use of America Power. New York, NY: Crown Publishers.
Stiennon, R. (2010). Surviving Cyber War. Lanham, MA: Government Institutes.
Strohm, C. and Engleman, E. (2012). Cyber Attacks on U.S. Banks Expose Vulnerabilities. An article published at BusinessWeek.com on September 28, 2012. Retrieved from http://www.businessweek.com/news/2012-09-27/cyber-attacks-on-u-dot-s-dot-banks-expose-computer-vulnerability on September 30, 2012.
Technolytics. (2011). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict. Purchased and downloaded from Amazon.com on April 16, 2011.
Waters, G. (2008). Australia and Cyber-Warfare. Canberra, Australia: ANU E Press.
What Other Countries / Regions of the World Are Concerned with This Same
Threat Issue?
The countries that are primarily concerned with cyberwarfare and cyberdeterrence threat issues are the same countries
that already have the greatest cyberwarfare capabilities and also the most to lose in the event of a full-scale cyberwarfare
attack.
The diagram below from 2009 shows the comparative cyberwar capabilities of the 66 largest countries in the world.
Countries / Regions of the World That Do Not Place a High Priority on This
Threat Issue
The countries that do not place a high priority on this threat issue are those that are more focused on the survival and welfare of their citizens and that are largely consumers of Internet and computer capabilities, rather than being able to afford to channel resources into the development of cyberweapons or the resources required to develop a credible cyberdeterrence strategy. It is also ironic that the U.K. with its stature and status does not rank higher on the list shown in Table 1.
Some of the Current Policies Being Employed by These Other States / Regions
in Regards to the Threat
China, Russia, and India, each of which is in the top four of the countries listed in Table 1, have well-defined cyberwarfare
policies and strategies. Ironically, the U.S., which occupies the number 2 position in that same table, does not yet have
well-defined cyberwarfare policies and strategies. For comparison, Table 2 below shows a summary of the policies and
strategies of China, Russia and India.
Country: China
Policy: China supports cyberwarfare capabilities, especially providing such capabilities in the People's Liberation Army.
Strategy: The Chinese will wage unrestricted warfare and these are the principles:
Omni-directionality
Synchrony
Limited objectives
Unlimited measures
Asymmetry
Minimal consumption
Multi-dimensional coordination
Adjustment, control of the entire process
(Hagestad, 2012).

Country: Russia
Policy: Russia supports cyberwarfare capabilities, especially providing such capabilities in the Russian Army. The nature of cyberwarfare and information warfare requires that the development of a response to these challenges must be organized on an interdisciplinary basis and include researchers from different branches: political analysts, sociologists, psychologists, military specialists, and media representatives (Fayutkin, 2012).
Strategy: The ability to achieve cyber superiority is essential to victory in cyberspace (Fayutkin, 2012).

Country: India

Table 2 Summary of Cyberwarfare Policies and Strategies of China, Russia, and India
Successes and Failures of the Various Alternative Policies Around the Globe
Despite some of the negative press from the Stuxnet virus, this collaborative effort by the U.S. and Israel has been looked at both with fascination and as an event that has quickly and successfully ushered in a new age of warfare, the age of cyberwarfare. However, many still feel that the absence of publicly defined policies and strategies by the Obama Administration invites a secretive and even random appearance of, and the continued use of, cyberweapons (Sanger, 2012).
Is There One State in Particular That Seems to Be Doing a Better Job Than the
United States Related to Dealing with This Threat Issue?
China is probably doing a better job than the United States in the realm of cyberwarfare for three reasons: 1) the government has invested
considerable resources into their cyberwarfare capabilities; 2) the number of personnel devoted to cyberwarfare efforts
is reportedly in the tens of thousands; and 3) the Chinese government is able to easily operate under a cloak of secrecy
and conduct operations without fear of cyberwarfare activities being leaked to Chinese press agencies.
In August 1945, the dramatic destruction of both Hiroshima and Nagasaki not only resulted in the surrender of Japan
and effectively ended World War II, it ushered in the age of nuclear warfare. Yet, it was years until the U.S. had the policy
and unified strategic plan, the SIOP, with which to centrally control the use of nuclear weapons in wartime situations, as
well as conduct a national policy of strategic nuclear deterrence.
It is not unreasonable to assume that the path towards a cohesive U.S. policy and set of strategies regarding the
use of cyberweapons will follow a path that is similar to the strategic war plan maturity path from Hiroshima to the
SIOP. Today, in the absence of any clear policy on the use of cyberweapons, Crosston advocates the agreement on a
policy of Mutually Assured Debilitation in which everyone with cyberweapons would come to a general understanding
that the use of these weapons would result in the expectation that massive destruction would be unleashed on every
participant's assets (Crosston, 2011). This makes perfect sense considering that the Mutually Assured Destruction
nuclear deterrence policy was effective and worked well during the Cold War from the 1950s to 1980s.
Yet, today, I believe that once a cohesive U.S. policy on cyberwarfare and cyberweapons is defined by the National
Command Authorities, there is an eight-step process that could result in the development and rapid maturation of a
strong national strategy for U.S. cyberwarfare:
1. Define the doctrines and principles related to cyberwarfare and the needs under which cyberwarfare would be
conducted.
2. Create the policies that embody these doctrines and principles.
3. Conduct the intelligence gathering to accurately understand the landscape of the cyber battlefield.
4. Perform the analysis to create the strategy.
5. Create the strategic plan and tactics.
6. Conduct regular war games, at least twice yearly, to test the strategic plan and tactics.
7. Analyze and document the results of the cyberwarfare war games.
8. Refine the strategies and tactics for cyberwarfare and cyberdeterrence based on the results of analyzing the
outcomes of the cyberwarfare war games.
Note that it is also essential to continually assess the capabilities of Information Technology so that tools that our
cyberwarfare fighters are using are state of the art and that they are effective and perform well as they are integrated
into the cyberwar war fighting environment.
Conclusion
This paper has presented a brief strategic comparative analysis of countries with cyberwarfare capability and presented
a set of processes by which the U.S. can quickly catch up where it is lagging behind in policies and strategies that will
define its ability to conduct cyberwarfare and cyberdeterrence in the future.
References
Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O'Reilly.
Crosston, M. (2011). World Gone Cyber MAD: How Mutually Assured Debilitation Is the Best Hope for Cyber Deterrence. An article published in the
Strategic Studies Quarterly, Spring 2011. Retrieved from http://www.au.af.mil/au/ssq/2011/spring/crosston.pdf on October 10, 2012.
Czosseck, C. and Geers, K. (2009). The Virtual battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from http://omicsgroup.org/journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
Hagestad, W. T. (2012). 21st Century Chinese Cyberwarfare. Cambridgeshire, U.K.: IT Governance.
Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
Kaplan, F. (1983), The Wizards of Armageddon: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on
How to Use the Bomb. Stanford, CA: Stanford University Press.
Kramer, F. D. (Ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
Libicki, M.C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: Rand Corporation.
Saini, M. (2012). Preparing for Cyberwar: A National Perspective. An article published on July 26, 2012 at the Vivekananda International Foundation.
Retrieved from http://www.vifindia.org/article/2012/july/26/preparing-for-cyberwar-a-national-perspective on October 14, 2012.
Sanger, D. E. (2012). Confront and Conceal: Obama's Secret Wars and Surprising Use of America Power. New York, NY: Crown Publishers.
Technolytics. (2012). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict, third edition. Purchased and downloaded on
September 26, 2012.
Information provided in the November 2011 Potomac Institute for Policy Studies set of lectures on Russian Cyber
Capabilities was an excellent, authoritative indoctrination for understanding the mindset of the Russian leaders toward
cyberwarfare, as well as understanding the history and foundation of these perspectives. Specifically, it showed that
Russian leaders frame their cyberwarfare capabilities and ideas under the idea of Information Security of the Russian
Federation. Analysis of their mindset and activities reveals the following:
Putin is indeed very tech-savvy
The Russian military has successfully waged punishing cyberwar operations against both Estonia and Georgia
The mindset of the Russian leaders is often described as a 19th century geopolitical perspective
The Russian people are still unhappy with the outcome of the fall of the Soviet Empire, which is regarded as the
greatest geopolitical failure of the 20th century
The Russian leaders and its military have the will and the capability to wage cyberwar if necessary to achieve
whatever national political objectives are deemed as necessary for the benefit of the Rodina (The Motherland)
Regarding their own people, Putin's Information Security Doctrine of September 2010 empowers the state to
control information to accomplish these objectives:
Protect strategically important information
Protect against deleterious foreign information
Inculcate patriotism and values
Though it has not been widely publicized, as far back as 1982 and again in 2000, the Russians were themselves
attacked by cyberattacks in the control systems associated with their remote Siberian gas pipelines (Tsang, 2011).
As mentioned earlier, the punishing Russian cyberattacks on Estonia in 2007 and Georgia in 2008 demonstrated an
effective and visible cyberwarfare capability not previously witnessed, and ironically there was no attempt to conceal
these (Czosseck and Geers, 2009).
In the article "Russia Now 3 and 0 in Cyber Warfare," it was revealed that apparently, in January 2009, Russia launched
its third massive set of DDoS cyberattacks on Kyrgyzstan, which is also one of its neighbors. So in each of the years
between 2007 and 2009, Russia showed that it was able, willing, and very capable in conducting effective cyberwarfare
operations to achieve its desired military and national objectives in the cyberspace shared with its neighbors (Carrol,
2009).
In 2009, it was also noted that Russia and the U.S. have fundamental disagreements on what the nature of treaties
should be to prevent cyberwarfare. At that time, Russian leaders, recognizing the reportedly favored a total cyberweapon
disarmament. The U.S. vehemently disagreed with this position, stating that it was necessary to concentrate on strong
cyberdefensive capabilities due to the fact that they were seeing as many as 50,000 attacks per day (Markoff and
Kramer, 2009). It became clear at this time that the inability of these two cyber superpowers to reach an agreement
on the use of cyberweapons would likely result in a cyberweapons arms race and increase the danger and possibility
of a cyberwar.
Yet, as late as 2011, specific cyber capabilities of what the Russians either currently possess or are in the process of
developing became publicly known. Despite official denials to the contrary, Russian documents were obtained and
translated. These documents show that there is active research on development of cyberattack tools and capabilities in
the following areas:
Means of effect on components of electronic equipment and its associated power supply
Temporary or irreversible disabling of components of electronic systems
Means of power electronic suppression: ultra-powerful microwave generators
Country: Russia
Policy: Russia supports cyberwarfare capabilities, especially providing such capabilities in the Russian Army. The nature of cyberwarfare and information warfare requires that the development of a response to these challenges must be organized on an interdisciplinary basis and include researchers from different branches: political analysts, sociologists, psychologists, military specialists, and media representatives (Fayutkin, 2012).
Strategy: The ability to achieve cyber superiority is essential to victory in cyberspace (Fayutkin, 2012).
So what does it all mean? Obviously Russians have progressively demonstrated that they have the will, the vision, the
doctrines, the tools, the knowledge, and experience with which to successfully wage serious cyberwarfare. Russia is
now, and should be regarded for the foreseeable future, as a potential and worthy adversary, and it should be considered
to be a cyberweapon superpower on the battlefield of cyberspace.
References
Carrol, W. (2009). Russia Now 3 and 0 in Cyber Warfare. Retrieved from http://defensetech.org/2009/01/30/russia-now-3-and-0-in-cyber-warfare/ on
October 21, 2012.
Czosseck, C. and Geers, K. (Editors) (2009). The Virtual battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from http://omicsgroup.org/journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
K., Dr. (2011). Hacker's Handbook, fourth edition. London, U.K.: Carlton.
Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. An article published in the New York Times on June 28,
2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
The Potomac Institute for Policy Studies. (2011). Russian Cyber Capabilities: Policy and Practice. A conference video posted at YOUTUBE.com.
Retrieved from http://www.youtube.com/watch?v=ZVwVhegU1S4&feature=related on October 19, 2012.
Tsang, R. (2009). Cyberthreats, Vulnerabilities, and Attacks of SCADA Networks. A scholarly paper published at the University of California at
Berkeley. Retrieved from http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf on October 21, 2012.
Conflict Resolution in Cyberwarfare and Cyberdeterrence
the outputs that lead to understanding the operational environment of conflict, and it compares somewhat to the OODA
figure shown earlier:
Figure 3 Understanding the Interconnected Nature of the Realms Related to the Operational Environment of Conflict
and the Nature of the Systems Analysis Required for Decision Making (U.S. DoD, JCS, 2006)
The JCS also described the environment of conflict as a place where simultaneity of operations would occur, and this
environment would include the information environment and cyberspace:
Simultaneity refers to the simultaneous application of military and nonmilitary power against the enemy's
key capabilities and sources of strength.
Simultaneity in joint force operations contributes directly to an enemy's collapse by placing more demands
on enemy forces and functions than can be handled. This does not mean that all elements of the joint
force are employed with equal priority or that even all elements of the joint force will be employed. It refers
specifically to the concept of attacking appropriate enemy forces and functions throughout the OA (across
the physical domains and the information environment [which includes cyberspace]) in such a manner as
to cause failure of their moral and physical cohesion (U.S. DoD, JCS, 2006).
Therefore, the JCS also created a Course of Action framework for determining the best courses of action in a conflict
environment, and here again, cyberspace is included in that realm of options in which a course of action could and would
be developed (U.S. DoD, JCS, 2006).
Options in Conflict
Based on the current state of where the U.S. stands with the lack of coherent and cohesive policies and strategies incorporated
into its National CONOPS Plan, and the potential for unintended consequences where the unilateral use of cyberweapons can and will
occur, I see three possible options for the U.S., and each of these options has advantages and disadvantages.
| Option Description | Advantage | Disadvantage |
|---|---|---|
| Create policies that mandate the inclusion of cyberwarfare and cyberdeterrence into the U.S. National CONOPS Plan | Prevents unintended consequences of unilateral use or unplanned use of cyberweapons | Takes time, politics, skills, knowledge, and money |
| Limited creation and application of policies that mandate the inclusion of cyberwarfare and cyberdeterrence into the U.S. National CONOPS Plan | Prevents some possible unintended consequences of unilateral use or unplanned use of cyberweapons | Still requires some time, political wrangling, skills, knowledge, and money |
| Do nothing whatsoever related to cyberweapons and the U.S. National CONOPS Plan. Just continue the present trend of conducting cyberwarfare operations on an ad hoc basis in secrecy, and allow the situation with current cyberwarfare threats to continue (Sanger, 2012). | Saves time, political wrangling, and money | Unintended consequences of unilateral use or unplanned use of cyberweapons |
Table 1 Comparing Options for Incorporating Cyberwar and Cyberdeterrence Policies and Strategies into the U.S.
National CONOPS Plan.
Conclusion
This paper has presented a brief look at the U.S. Military's recognition of cyberspace as an extension of the operational
environment of conflict and a comparison of the options that exist for resolving the issues that threaten America's ability
to create the coherent and cohesive policies and strategies that will define its ability to effectively conduct cyberwarfare
and cyberdeterrence in the future.
References
Andress, J. and Winterfeld, S. (2011). Cyber Warfare: Techniques and Tools for Security Practitioners. Boston, MA: Syngress.
Bousquet, A. (2009). The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. New York, NY: Columbia University Press.
Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O'Reilly.
Crosston, M. (2011). World Gone Cyber MAD: How Mutually Assured Debilitation Is the Best Hope for Cyber Deterrence. An article published in the
Strategic Studies Quarterly, Spring 2011. Retrieved from http://www.au.af.mil/au/ssq/2011/spring/crosston.pdf on October 10, 2012.
Czosseck, C. and Geers, K. (2009). The Virtual battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from
http://omicsgroup.org/journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
Kramer, F. D. (Ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
Libicki, M.C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: Rand Corporation.
Mayday, M. (2012). Iran Attacks US Banks in Cyber War: Attacks target three major banks, using Muslim outrage as cover. An article published on
September 22, 2012 at Politix.Topix.com. Retrieved from http://politix.topix.com/homepage/2214-iran-attacks-us-banks-in-cyber-war on September
22, 2012.
Saini, M. (2012). Preparing for Cyberwar - A National Perspective. An article published on July 26, 2012 at the Vivekananda International Foundation.
Retrieved from http://www.vifindia.org/article/2012/july/26/preparing-for-cyberwar-a-national-perspective on October 14, 2012.
Sanger, D. E. (2012). Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. New York, NY: Crown Publishers.
Technolytics. (2012). Cyber Commanders eHandbook: The Weaponry and Strategies of Digital Conflict, third edition. Purchased and downloaded on
September 26, 2012.
Turzanski, E. and Husick, L. (2012). Why Cyber Pearl Harbor Won't Be Like Pearl Harbor At All... A webinar presentation held by the Foreign Policy
Research Institute (FPRI) on October 24, 2012. Retrieved from http://www.fpri.org/multimedia/2012/20121024.webinar.cyberwar.html on October 25,
2012.
U.S. Department of Defense, JCS. (2006). Joint Publication (JP) 5-0, Joint Operation Planning, updated on December 26, 2012. Retrieved from
http://www.dtic.mil/doctrine/new_pubs/jp5_0.pdf on October 25, 2012.
Policy Generation
Related to Cyberwarfare and Cyberdeterrence
1. Define the doctrines and principles related to cyberwarfare and the needs under which cyberwarfare would be
conducted.
2. Create the policies that embody these doctrines and principles.
3. Conduct the intelligence gathering to accurately understand the landscape of the cyber battlefield.
4. Perform the analysis to create the strategy.
5. Create the strategic plan and tactics.
6. Conduct regular war games, at least twice yearly, to test the strategic plan and tactics.
7. Analyze and document the results of the cyberwarfare war games.
8. Refine the strategies and tactics for cyberwarfare and cyberdeterrence based on the results of analyzing the
outcomes of the cyberwarfare war games.
Note that it is also essential to continually assess the capabilities of Information Technology so that tools that our
cyberwarfare fighters are using are state of the art and that they are effective and perform well as they are integrated
into the cyberwar war fighting environment.
| Idea | Explanation |
|---|---|
| | Effective policies will not be created by a single person or entity, but they require centralized leadership to unify their direction and intent. |
| | Recognizing that one size does not fit all, specialized policies need to be created for various infrastructures and industries to ensure maximum protection. |
| | A workable Federal policy must have the involvement of state and local authorities to be effective. |
| Mandate Effective Systems Engineering for Infrastructure-related Software | Ensure that there is a realization and commitment for the need to have higher minimum standards for the quality of software that is related to infrastructure. |
| Don't Take No for an Answer | Ensure that stakeholders and those responsible participants realize the resolute, unwavering commitment toward a workable policy solution. |
| Establish and Implement Clear Priorities | This will ensure the best allocation of financial and management resources. |
| Inform the Public Clearly and Accurately | The public needs to understand the efforts being made to protect the U.S. |
| Conduct a Continuing Program of Research | Keep the policy updated and relevant to changing technologies. |
Table 1 A 10-step Remedy toward the Creation of National Policy (Kramer, et al, 2009)
Conclusion
This paper has presented a brief look at the importance of creating a set of publicly available, coherent and cohesive
national policies and strategies that will address its intentions and capabilities to effectively conduct cyberwarfare and
cyberdeterrence operations now and in the future. At the present moment, the lack of such policies effectively represents
a window of risk and uncertainty during a time when cyber threats and cyber attacks are growing at an exponential
rate. That has the elements of a real potential for a cyber disaster if this weak policy situation is not resolved as soon
as possible. Here, I presented a set of processes by which the U.S. can quickly address the national challenges of
effectively creating the urgently needed national policies and integrated strategies for conducting cyberwarfare and
cyberdeterrence operations now and in the future.
References
Crosston, M. (2011). World Gone Cyber MAD: How Mutually Assured Debilitation Is the Best Hope for Cyber Deterrence. An article published in the
Strategic Studies Quarterly, Spring 2011. Retrieved from http://www.au.af.mil/au/ssq/2011/spring/crosston.pdf on October 10, 2012.
Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. An article published in the New York Times on June 28,
2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
Obama, B. H. (2012). Defense Strategic Guidance 2012 - Sustaining Global Leadership: Priorities for 21st Century Defense. Published January 3,
2012. Retrieved from http://www.defense.gov/news/Defense_Strategic_Guidance.pdf on January 5, 2012.
Turzanski, E. and Husick, L. (2012). Why Cyber Pearl Harbor Won't Be Like Pearl Harbor At All... A webinar presentation held by the Foreign Policy
Research Institute (FPRI) on October 24, 2012. Retrieved from http://www.fpri.org/multimedia/2012/20121024.webinar.cyberwar.html on October 25,
2012.
U.S. Army. (1997). Toward Deterrence in the Cyber Dimension: A Report to the President's Commission on Critical Infrastructure Protection. Retrieved
from http://www.carlisle.army.mil/DIME/documents/173_PCCIPDeterrenceCyberDimension_97.pdf on November 3, 2012.
North Korea, but what is perhaps less understood is the degree to which they have been successful in integrating
cyberwarfare and cyberdeterrence capabilities into their own national war plans. Nevertheless, due to the previous
extensive experience of Russia and the U.S. with strategic war planning, it is more likely that each of these countries
stands the greatest chance of integrating cyberwarfare and cyberdeterrence capabilities into their respective war
plans. Yet, as recently as June 2009, it was clear that the U.S. and Russia were unable to agree on a treaty that would
create the terms under which cyberwarfare operations could and would be conducted (Markoff and Kramer, 2009).
Is it problematic for these countries in the same ways or is there variation? What kind?
Every country that is modern enough to have organizations, people, and assets that are connected to computers and
the Internet faces similar challenges of planning and managing cyberweapons and cyberdeterrence, and the poorer the
country, the more significant the challenges. For example, when a small group of hackers from Manila in the Philippines
unleashed the ILOVEYOU worm on the Internet in 2000, it caused over $2 billion in damages to computer data
throughout the world. Agents from the FBI went to Manila to track down these people and investigate how and why the
ILOVEYOU worm catastrophe occurred. To their surprise, they learned that each of these hackers who were involved
could successfully escape prosecution because there were no laws in the Philippines with which to prosecute them. So
actually most countries lack the technological and legal frameworks with which to successfully build a coordinated effort
to manage the weapons and strategies of cyberwarfare and cyberdeterrence, despite the fact that most now embrace
cyberspace with all the positive economic benefits it offers for commerce and communications.
What are the consequences to the U.S. and others if this threat is left unchecked?
As stated earlier, without the careful integration of cyberwarfare and cyberdeterrence technologies, strategies, and
tactics into the CONOPS Plan, the national command authorities run a grave risk of launching a poorly planned offensive
cyberwarfare operation that could precipitate a global crisis, impair relationships with its allies, and potentially unleash
a whole host of unintended negative and potentially catastrophic consequences.
What is the effectiveness of current policy when it concerns this particular threat issue?
The Obama Administration's policies have been effective in raising the awareness of the U.S. population as to the
importance of protecting assets that are connected in cyberspace. These policies have also been effective in providing
for the preparation of the U.S. military to deal with conflict in cyberspace.
However, the present policy has not been effective as a deterrence to cyber threats presented by potential national
enemies and non-state actors. As recently as September 23, 2012 to September 30, 2012, cyber attacks in the form of
distributed denial of service (DDoS) attacks from the Middle East against several major U.S. banks have publicly
demonstrated the ire of the attackers and also the vulnerabilities of banks with a customer presence in cyberspace
(Strohm and Engleman, 2012).
Part 2 Conclusion
The good news is that President Obama and his Administration apparently have an acute awareness of the importance
of cyberspace to the American economy and the American military. The bad news is that because we are already in
some form of cyberwarfare that appears to be rapidly escalating, it remains to be seen what effects these cyberattacks
and the expected forthcoming Executive Orders that address cybersecurity will have on the American people and our
way of life. Nevertheless, it will be necessary to act prudently, carefully balancing our freedoms with our need for security,
and also considering the importance of enabling and protecting the prosperity of the now electronically connected, free
enterprise economy that makes the U.S. the envy of and the model for the rest of the world.
What Other Countries / Regions of the World Are Concerned with This Same Threat Issue?
The countries that are primarily concerned with cyberwarfare and cyberdeterrence threat issues are the same countries
that already have the greatest cyberwarfare capabilities and also the most to lose in the event of a full-scale cyberwarfare
attack.
The diagram below from a 2009 study shows the comparative cyberwar capabilities of the 66 largest countries in the
world.
Countries / Regions of the World That Do Not Place a High Priority on This Threat Issue
These are countries that are more focused on the survival and welfare of their citizens and that are largely
consumers of Internet and computer capabilities, rather than being able to afford to channel resources into the development
of cyberweapons or the resources required to develop a credible cyberdeterrence strategy. It is also ironic that the U.K.,
with its stature and status, does not rank higher on the list shown in Table 1.
Some of the Current Policies Being Employed by These Other States / Regions in Regards
to the Threat
China, Russia, and India, each of which is in the top four of the countries listed in Table 1, have well-defined cyberwarfare
policies and strategies. Ironically, the U.S., which occupies the number 2 position in that same table, does not yet have
well-defined cyberwarfare policies and strategies. For comparison, Table 2 below shows a summary of the policies and
strategies of China, Russia and India.
| Country | Policy | Strategy |
|---|---|---|
| China | China supports cyberwarfare capabilities, especially providing such capabilities in the People's Liberation Army. | The Chinese will wage unrestricted warfare and these are the principles: Omni-directionality; Synchrony; Limited objectives; Unlimited measures; Asymmetry; Minimal consumption; Multi-dimensional coordination; Adjustment, control of the entire process (Hagestad, 2012). |
| Russia | Russia supports cyberwarfare capabilities, especially providing such capabilities in the Russian Army. The nature of cyberwarfare and information warfare requires that the development of a response to these challenges must be organized on an interdisciplinary basis and include researchers from different branches: political analysts, sociologists, psychologists, military specialists, and media representatives (Fayutkin, 2012). | The ability to achieve cyber superiority is essential to victory in cyberspace. (Fayutkin, 2012). |
| India | India supports cyberwarfare capabilities, especially providing such capabilities in the Indian Army. It is essential for efficient and effective conduct of war including cyber-war. The war book therefore needs to specify as how to maintain no-contact cyber war and when the government decide to go for full-contact or partial-contact war then how cyber war will be integrated to meet overall war objectives (Saini, 2012). | Strategies are still under development, but will follow the guidance of policies related to the conduct of war. (Saini, 2012) |
Table 1 Summary of Cyberwarfare Policies and Strategies of China, Russia, and India
Successes and Failures of the Various Alternative Policies around the Globe
Despite some of the negative press from the Stuxnet virus, this collaborative effort by the U.S. and Israel has been
looked at with both fascination and as an event that has quickly and successfully heralded in a new age of warfare, the
age of cyberwarfare. However, many still feel that in the absence of publicly defined policies and strategies by the
Obama Administration, it invites a secretive and even random appearance of and the continued use of cyberweapons
(Sanger, 2012).
Areas of Joint Communication / Operation / Cooperation that Exist or Should Exist Across
Countries Dealing with This Threat Issue
Apparently, the U.S. has already created one or more rather sophisticated cyberweapons with the help of Israeli
cyberweapon experts. At least one of these cyberweapons, the Stuxnet Worm, was effectively used to impede the
development of Iran's nuclear material refinement program from 2009 to 2010 (Langer, 2010).
It is likely, however, that through the auspices of the United Nations, or perhaps some G20 accord, there may be some
general consensus on the importance of defining the appropriate uses of cyberweapons. There also needs to be some
agreement on types of response to cyberattacks, and effective methods of cyberdeterrence.
Part 3 Conclusion
This paper has presented a brief strategic comparative analysis of countries with cyberwarfare capability.
Intellectual Positions and Theoretical Explanations That Have Been Staked Out
on This Threat Problem
As recently as the 2008 to 2009 timeframe, John Boyd's conflict model known as Observe, Orient, Decide, Act
(OODA) began to be applied to analyze the ideas of cybernetic warfare and net-centric warfare. The model itself
has been analyzed for its ability to simply demonstrate the nature of the complexity of conflict, complete with factors of
ambiguity and unpredictability, and so the model has also been used to define the nature of life itself. Yet, the model is also
impacted by the chaotic nature of life and reality. This further shows the similarity between actual cyberwarfare events
and this model. Other characteristics of the OODA loop model are its continuous nature and the feedback loops that
provide data on which to base some form (or forms) of decision and action. The OODA Loop model is shown in the
diagram below:
However, one key distinction between Boyd's OODA model and cybernetic warfare is Boyd's focus on the conditions
of emergence and transformation of systems through information rather than merely the manner in which information is
processed by a fixed organizational schema. Boyd would argue that Claude Shannon and others tend to overemphasize
the view of information related to structure as opposed to information as a process (Bousquet, 2009).
Figure 5 Understanding the Interconnected Nature of the Realms Related to the Operational Environment of Conflict
and the Nature of the Systems Analysis Required for Decision Making (U.S. DoD, JCS, 2006)
The JCS also described the environment of conflict as a place where simultaneity of operations would occur, and this
environment would include the information environment and cyberspace:
Simultaneity refers to the simultaneous application of military and nonmilitary power against the enemy's
key capabilities and sources of strength.
Simultaneity in joint force operations contributes directly to an enemy's collapse by placing more demands
on enemy forces and functions than can be handled. This does not mean that all elements of the joint
force are employed with equal priority or that even all elements of the joint force will be employed. It refers
specifically to the concept of attacking appropriate enemy forces and functions throughout the OA (across
the physical domains and the information environment [which includes cyberspace]) in such a manner as
to cause failure of their moral and physical cohesion (U.S. DoD, JCS, 2006).
Therefore, the JCS also created a Course of Action framework for determining the best courses of action in a conflict
environment, and here again, cyberspace is included in that realm of options in which a course of action could and would
be developed (U.S. DoD, JCS, 2006).
Options in Conflict
Based on the current state of where the U.S. stands with the lack of coherent and cohesive policies and strategies incorporated
into its National CONOPS Plan, and the potential for unintended consequences where the unilateral use of cyberweapons can and will
occur, I see three possible options for the U.S., and each of these options has advantages and disadvantages.
| Option Description | Advantage | Disadvantage |
|---|---|---|
| Create policies that mandate the inclusion of cyberwarfare and cyberdeterrence into the U.S. National CONOPS Plan | Prevents unintended consequences of unilateral use or unplanned use of cyberweapons | Takes time, politics, skills, knowledge, and money |
| Do nothing whatsoever related to cyberweapons and the U.S. National CONOPS Plan. Just continue the present trend of conducting cyberwarfare operations on an ad hoc basis in secrecy, and allow the situation with current cyberwarfare threats to continue (Sanger, 2012). | Saves time, political wrangling, and money | Unintended consequences of unilateral use or unplanned use of cyberweapons |
Table 2 Comparing Options for Incorporating Cyberwar and Cyberdeterrence Policies and Strategies into the U.S.
National CONOPS Plan.
Part 4 Conclusion
This section has presented a brief look at the U.S. Military's recognition of cyberspace as an extension of the operational
environment of conflict and a comparison of the options that exist for resolving the issues that threaten America's ability
to create the coherent and cohesive policies and strategies that will define its ability to effectively conduct cyberwarfare
and cyberdeterrence in the future.
Yet, today, I believe that once a coherent and cohesive U.S. policy on cyberwarfare and cyberweapons is defined by the
National Command Authorities, there should be an eight-step process that could result in the development and rapid
maturation of a strong national strategy for U.S. cyberwarfare:
1. Define the doctrines and principles related to cyberwarfare and the needs under which cyberwarfare would be
conducted.
2. Create the policies that embody these doctrines and principles.
3. Conduct the intelligence gathering to accurately understand the landscape of the cyber battlefield.
4. Perform the analysis to create the strategy.
5. Create the strategic plan and tactics.
6. Conduct regular war games, at least twice yearly, to test the strategic plan and tactics.
7. Analyze and document the results of the cyberwarfare war games.
8. Refine the strategies and tactics for cyberwarfare and cyberdeterrence based on the results of analyzing the
outcomes of the cyberwarfare war games.
Note that it is also essential to continually assess the capabilities of Information Technology so that tools that our
cyberwarfare fighters are using are state of the art and that they are effective and perform well as they are integrated
into the cyberwar war fighting environment.
| Idea | Explanation |
|---|---|
| | Effective policies will not be created by a single person or entity, but they require centralized leadership to unify their direction and intent. |
| | Recognizing that one size does not fit all, specialized policies need to be created for various infrastructures and industries to ensure maximum protection. |
| | A workable Federal policy must have the involvement of state and local authorities to be effective. |
| Mandate Effective Systems Engineering for Infrastructure-related Software | Ensure that there is a realization and commitment for the need to have higher minimum standards for the quality of software that is related to infrastructure. |
| Don't Take No for an Answer | |
| | The public needs to understand the efforts being made to protect the U.S. |
| Conduct a Continuing Program of Research | Keep the policy updated and relevant to changing technologies. |
Table 3 A 10-step Remedy toward the Creation of National Policy (Kramer, et al, 2009)
Part 5 Conclusion
This section has presented a brief look at the importance of creating a set of publicly available, coherent and cohesive
national policies and strategies that will facilitate U.S. capabilities to effectively conduct cyberwarfare and cyberdeterrence
operations now and in the future. At the present moment, the lack of such policies effectively represents a window of
risk and uncertainty during a time when cyber threats and cyber attacks are growing at an exponential rate. That has
the elements of a real potential for a cyber disaster if this weak policy situation is not resolved as soon as possible.
Here, I presented a set of processes and a framework by which the U.S. can quickly address the national challenges
of effectively creating the urgently needed national policies and integrated strategies for conducting cyberwarfare and
cyberdeterrence operations now and in the future.
Conclusion
This paper has presented a brief look at the importance of creating a clear set of publicly available, coherent and cohesive
national policy. It then advocated the incorporation of strategies that will address U.S. intentions and capabilities to
effectively conduct cyberwarfare and cyberdeterrence operations now and in the future, into the U.S. CONOPS Plan.
References
Bousquet, A. (2009). The Scientific Way of Warfare: Order and Chaos on the Battlefields of Modernity. New York, NY: Columbia University Press.
Bush, G. W. (2008). Comprehensive National Cybersecurity Initiative (CNCI). Published by the White House January 2008. Retrieved from
http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative on January 5, 2012.
Carr, J. (2012). Inside Cyber Warfare, second edition. Sebastopol, CA: O'Reilly.
Clarke, R. A. and Knake, R. K. (2010). Cyberwar: the Next Threat to National Security and What to Do About It. New York, NY: HarperCollins
Publishers.
Crosston, M. (2011). World Gone Cyber MAD: How Mutually Assured Debilitation Is the Best Hope for Cyber Deterrence. An article published in the
Strategic Studies Quarterly, Spring 2011. Retrieved from http://www.au.af.mil/au/ssq/2011/spring/crosston.pdf on October 10, 2012.
Czosseck, C. and Geers, K. (2009). The Virtual battlefield: Perspectives on Cyber Warfare. Washington, DC: IOS Press.
Edwards, M. and Stauffer, T. (2008). Control System Security Assessments. A technical paper presented at the 2008 Automation Summit A Users
Conference, in Chicago. Retrieved from http://www.infracritical.com/papers/nstb-2481.pdf on December 20, 2011.
Fayutkin, D. (2012). The American and Russian Approaches to Cyber Challenges. Defence Force Officer, Israel. Retrieved from
http://omicsgroup.org/journals/2167-0374/2167-0374-2-110.pdf on September 30, 2012.
Freedman, L. (2003). The Evolution of Nuclear Strategy. New York, NY: Palgrave Macmillan.
Gerwitz, D. (2011). The Obama Cyberdoctrine: tweet softly, but carry a big stick. An article published at Zdnet.com on May 17, 2011. Retrieved from
http://www.zdnet.com/blog/government/the-obama-cyberdoctrine-tweet-softly-but-carry-a-big-stick/10400 on September 25, 2012.
Gjelten, T. (2010). Are Stuxnet Worm Attacks Cyberwarfare? An article published at NPR.org on October 1, 2011. Retrieved from
http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
Gjelten, T. (2010). Stuxnet Computer Worm Has Vast Repercussions. An article published at NPR.org on October 1, 2011. Retrieved from
http://www.npr.org/templates/story/story.php?storyId=130260413 on December 20, 2011.
Gjelten, T. (2011). Security Expert: U.S. Leading Force Behind Stuxnet. An article published at NPR.org on September 26, 2011. Retrieved from
http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet on December 20, 2011.
Gjelten, T. (2011). Stuxnet Raises Blowback Risk In Cyberwar. An article published at NPR.org on December 11, 2011. Retrieved from
http://www.npr.org/2011/11/02/141908180/stuxnet-raises-blowback-risk-in-cyberwar on December 20, 2011.
Hagestad, W. T. (2012). 21st Century Chinese Cyberwarfare. Cambridgeshire, U.K.: IT Governance.
Hyacinthe, B. P. (2009). Cyber Warriors at War: U.S. National Security Secrets & Fears Revealed. Bloomington, IN: Xlibris Corporation.
Jaquith, A. (2007). Security Metrics. Boston, MA: Addison Wesley.
Kaplan, F. (1983). The Wizards of Armageddon: The Untold Story of a Small Group of Men Who Have Devised the Plans and Shaped the Policies on
How to Use the Bomb. Stanford, CA: Stanford University Press.
Kerr, D. (2012). Senator urges Obama to issue cybersecurity executive order. An article published at Cnet.com on September 24, 2012. Retrieved
from http://news.cnet.com/8301-1009_3-57519484-83/senator-urges-obama-to-issue-cybersecurity-executive-order/ on September 26, 2012.
Kramer, F. D. (ed.), et al. (2009). Cyberpower and National Security. Washington, DC: National Defense University.
Langer, R. (2010). A Detailed Analysis of the Stuxnet Worm. Retrieved from http://www.langner.com/en/blog/page/6/ on December 20, 2011.
Libicki, M.C. (2009). Cyberdeterrence and Cyberwar. Santa Monica, CA: Rand Corporation.
Markoff, J. and Kramer, A. E. (2009). U.S. and Russia Differ on a Treaty for Cyberspace. An article published in the New York Times on June 28,
2009. Retrieved from http://www.nytimes.com/2009/06/28/world/28cyber.html?pagewanted=all on June 28, 2009.
Mayday, M. (2012). Iran Attacks US Banks in Cyber War: Attacks target three major banks, using Muslim outrage as cover. An article published on
September 22, 2012 at Politix.Topix.com. Retrieved from http://politix.topix.com/homepage/2214-iran-attacks-us-banks-in-cyber-war on September
22, 2012.
McBrie, J. M. (2007). THE BUSH DOCTRINE: SHIFTING POSITION AND CLOSING THE STANCE. A scholarly paper published by the USAWC
STRATEGY RESEARCH PROJECT. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA423774 on September 30, 2012.
Obama, B. H. (2012). Defense Strategic Guidance 2012 Sustaining Global Leadership: Priorities for 21st Century Defense. Published January 3,
2012. Retrieved from http://www.defense.gov/news/Defense_Strategic_Guidance.pdf on January 5, 2012.
Obama, B.H. (2011). INTERNATIONAL STRATEGY for Cyberspace. Published by the White House on May 16, 2011. Retrieved from http://www.
whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf on May 16, 2011.
Payne, K. B. (2001). The Fallacies of Cold War Deterrence and a New Direction. Lexington, KY: The University of Kentucky Press.
Pry, P. V. (1999). War Scare: Russia and America on the Nuclear Brink. Westport, CT: Praeger Publications.
Radcliff, D. (2012). Cyber cold war: Espionage and warfare. An article published in SC Magazine, September 4, 2012. Retrieved from http://www.
scmagazine.com/cyber-cold-war-espionage-and-warfare/article/254627/ on September 7, 2012.
Saini, M. (2012). Preparing for Cyberwar A National Perspective. An article published on July 26, 2012 at the Vivikanda International Foundation.
Retrieved from http://www.vifindia.org/article/2012/july/26/preparing-for-cyberwar-a-national-perspective on October 14, 2012.
Sanger, D. E. (2012). Confront and Coneal: Obamas Secret Wars and Surprising Use of America Power. New York, NY: Crown Publishers.
Schmidt, H. S. (2006). Patrolling Cyberspace: Lessons Learned from Lifetime in Data Security. N. Potomac, MD: Larstan Publishing, Inc.
Schmitt, E. and Shanker, T. (2011). U.S. Debated Cyberwarfare in Attack Plan on Libya. An article published in the New York Times on October 17,
2011. Retrieved from http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html on October 17, 2011.
Stiennon, R. (2010). Surviving Cyber War. Lanham, MA: Government Institutes.
Strohm, C. and Engleman, E. (2012). Cyber Attacks on U.S. Banks Expose Vulnerabilities. An article published at BusinessWeek.com on September
28, 2012. Retrieved from http://www.businessweek.com/news/2012-09-27/cyber-attacks-on-u-dot-s-dot-banks-expose-computer-vulnerability on
September 30, 2012.
Technolytics. (2012). Cyber Commanders eHandbook: The Weaponry and Strategies of Digital Conflict, third edition. Purchased and downloaded on
September 26, 2012.
Turzanski, E. and Husick, L. (2012). Why Cyber Pearl Harbor Wont Be Like Pearl Harbor At All... A webinar presentation held by the Foreign Policy
Research Institute (FPRI) on October 24, 2012. Retrieved from http://www.fpri.org/multimedia/2012/20121024.webinar.cyberwar.html on October 25,
2012.
U.S. Army. (1997). Toward Deterrence in the Cyber Dimension: A Report to the Presidents Commission on Critical Infrastructure Protection. Retrieved
from http://www.carlisle.army.mil/DIME/documents/173_PCCIPDeterrenceCyberDimension_97.pdf on November 3, 2012.
U.S. Department of Defense, JCS. (2006). Joint Publication (JP) 5-0, Joint Operation Planning, updated on December 26, 2012. Retrieved from http://
www.dtic.mil/doctrine/new_pubs/jp5_0.pdf on October 25, 2012.
Waters, G. (2008). Australia and Cyber-Warfare. Canberra, Australia: ANU E Press.
Whilst every effort has been made to ensure the high quality of the
magazine, the editors make no warranty, express or implied, concerning
the results of content usage.
All trade marks presented in the magazine were used only for
informative purposes.
All rights to trade marks presented in the magazine are reserved by the
companies which own them.
DISCLAIMER!
The techniques described in our articles may only be used in
private, local networks. The editors hold no responsibility for
misuse of the presented techniques or consequent data loss.