03 June 2012

NLE 2012: Trustworthiness of the System...

The National Level Exercise (NLE) 2012 Capstone will soon be taking place and the private sector is embracing for potential cyber domain blowback.  NLE 2012 is based upon an exercise scenario that is not only timely, but also an expanding Operational Risk to the U.S. critical infrastructure.  This comes months after the secure communications channel has been established between Washington and Moscow, in the event of a damaging digital attack to prevent any escalation to full hostilities.

National Level Exercise (NLE) 2012 is part of a series of congressionally mandated preparedness exercises designed to educate and prepare participants for potential catastrophic events. The NLE 2012 process will examine the nation’s ability to coordinate and implement prevention, preparedness, response and recovery plans and capabilities pertaining to a significant cyber event or a series of events. NLE 2012 will examine national response plans and procedures, including the National Response Framework (NRF), NRF Cyber Incident Annex, Interim National Cyber Incident Response Plan (NCIRP) and the International Strategy for Cyberspace. Unique to NLE 2012 will be an emphasis on the shared responsibility among all levels of government, the private sector and the international community to secure cyberspace and respond together to a significant cyber incident.

Simultaneously, the  U.N.'s International Telecommunication Union (I.T.U.) is mediating the future of the Internet.  Hamadoun Toure will be meeting in Dubai as I.T.U. secretary-general later this year as 193 nation states debate the new rules of engagement.   The lines have already been drawn in the sand between rogue groups and Western democracies, private companies, law enforcement and hacktivists.

As strategic media leaks are continuously debated and clandestine operations are exposed, the Operational Risks for the private sector continue to soar.  Whether it is the threat to the Olympic Games in London this summer or the covert "Olympic Games" in cyberspace, there continues to be a set of consistent taxonomy developed years ago by Sandia Labs researchers, that this blog has highlighted before:
"Attackers use tools to exploit vulnerabilities, to create an action on a target, that produces an unauthorized result to obtain their objective."
The three areas that you need to focus on continue to be:
  • Design
  • Implementation
  • Configuration

Whether it is through physical attack, information exchange, user commands, scripts, programs, autonomous agents, toolkits or data taps you can be assured that these tools are being utilized to exploit you. They are being directed at the design, implementation or configuration of your "Controls" in order to achieve the action they desire:

  • Probe
  • Scan
  • Flood
  • Authenticate
  • Bypass
  • Spoof
  • Read
  • Copy
  • Steal
  • Modify
  • Delete
All of these actions are directed at their target. Accounts, people, processes, data, components, computers, networks or internetworks. They are looking for and unauthorized result:
  • Increased Access
  • Disclosure of Information
  • Corruption of Information
  • Denial of Service
  • Theft of Resources
And sadly, when you boil it down to the reasons or objectives they seek to achieve; it usually falls into one of four categories:
  • Challenge, Status, Thrill
  • Political Gain
  • Financial Gain
  • Damage
Once you understand the entire taxonomy of an "Incident", you are far better equipped to prevent and preempt attacks on your valuable corporate assets.
Now the question to be answered is, who is your adversary?  Answering this question and putting a face on those who are attacking you, somehow seems to be more important these days by some.  Attribution is only one key facet of asymmetric warfare.



at·tri·bu·tion

  [a-truh-byoo-shuhn]  Show IPA
noun
1.
the act of attributing ascription.
2.
something ascribed; an attribute.
3.
Numismatics a classification for a coin, based on itsdistinguishing features, as date, design, or metal.
4.
Archaic authority or function assigned, as to a ruler,legislative assembly, delegate, or the like.


at·trib·ute

  [v. uh-trib-yoot; n. a-truh-byoot]  Show IPA
verb, at·trib·ut·ed, at·trib·ut·ing, noun
verb (used with object)
1.
to regard as resulting from a specified cause; consider ascaused by something indicated (usually followed by to ): She attributed his bad temper to ill health.
2.
to consider as a quality or characteristic of the person, thing, group, etc., indicated: He attributed intelligence to his colleagues.
3.
to consider as made by the one indicated, especially withstrong evidence but in the absence of conclusive proof: to attribute a painting to an artist.
4.
to regard as produced by or originating in the time, period, place, etc., indicated; credit; assign: to attribute a work to particular period; to attribute a discovery to a particular country.
noun
5.
something attributed as belonging to a person, thing, group,etc.; a quality, character, characteristic, or property:Sensitivity is one of his attributes.


Regardless of the ability to attain the identity of your attacker, your focus should remain on your trusted systems and your resilience factor.  The trustworthiness of the system requires evaluation and a trust decision to use the system.  "The risk calculus evaluates whether the probability that the services as a result of using the system, will exceed the risks that may occur as valued by a user.  The cost component of a trust decision includes an evaluation that the use of a system will occur at an acceptable cost and will produce economically acceptable results."  [US 7240213]

No comments:

Post a Comment