Friday, July 22, 2011

July 22, 2011

Rees, L. P., Deane, J. K., Rakes, T. R., & Baker, W. H. (2011). Decision support for Cybersecurity risk planning. Decision Support Systems, 51(3), 493-505. doi:10.1016/j.dss.2011.02.013 [Full text in ScienceDirect database.]

“Security countermeasures help ensure the confidentiality, availability, and integrity of information systems by preventing or mitigating asset losses from Cybersecurity attacks. Due to uncertainty, the financial impact of threats attacking assets is often difficult to measure quantitatively, and thus it is difficult to prescribe which countermeasures to employ. In this research, we describe a decision support system for calculating the uncertain risk faced by an organization under cyber attack as a function of uncertain threat rates, countermeasure costs, and impacts on its assets. The system uses a genetic algorithm to search for the best combination of countermeasures, allowing the user to determine the preferred tradeoff between the cost of the portfolio and resulting risk. Data collected from manufacturing firms provide an example of results under realistic input conditions.”

United States. Department of Commerce. Internet Policy Task Force. (2011, June). Cybersecurity, innovation and the Internet economy. Retrieved from http://www.nist.gov/itl/upload/Cybersecurity_Green-Paper_FinalVersion.pdf

“The following report – or green paper – recommends consideration of a new framework for addressing internet security issues for companies outside the orbit of critical infrastructure or key resources. While securing energy, financial, health and other resources remain vital, the future of the innovation and the economy will depend on the success of Internet companies and ensuring that these companies are trusted and secure is essential. This is the area of our focus.”

United States. Department of Commerce. National Institute of Standards and Technology. (2011, July). Security and privacy controls for federal information systems and organizations: Draft Appendix J (Special Publication 800-53). Retrieved from http://csrc.nist.gov/publications/drafts/800-53-Appdendix-J/IPDraft_800-53-privacy-appendix-J.pdf

“The National Institute of Standards and Technology (NIST) announces the initial public draft of Special Publication 800-53, Appendix J, Privacy Control Catalog. With the increasing dependency on information systems, dramatic advances in information technologies, and significant growth in new applications of those technologies in such areas as cloud computing, smart grid, and mobile computing, information security and privacy are taking on new levels of importance in the public and private sectors. Privacy, with respect to personally identifiable information, is a core value that can be achieved only with appropriate legislation, policies, and associated controls to ensure compliance with requirements. … Appendix J, Privacy Control Catalog, is a new addition to NIST’s family of standards and guidelines that will be incorporated into the 2011 update to Special Publication 800-53, Revision 4, projected for release in December 2011. Due to the importance and special nature of the material in this Appendix, it is being publicly vetted separately from the other changes to the publication which will be released later this year. The objectives of the Privacy Appendix are fourfold:
• Provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements deriving from federal privacy legislation, policies, regulations, directives, standards, and guidance;
• Establish a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements which may overlap in concept and in implementation within federal information systems, programs, and organizations;
• Demonstrate the applicability of the NIST Risk Management Framework in the selection, implementation, assessment, and monitoring of privacy controls deployed in federal information systems, programs, and organizations; and
• Promote closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards, and guidance.
The public comment period for NIST Special Publication 800-53, Appendix J, is July 19 through September 2, 2011. Please send comments to sec-cert@nist.gov.”

United States. Department of Defense. (2011, July). Department of Defense strategy for operating in cyberspace. Retrieved from http://www.defense.gov/news/d20110714cyber.pdf

“The Department and the nation have vulnerabilities in cyberspace. Our reliance on cyberspace stands in stark contrast to the inadequacy of our cybersecurity – the security of the technologies that we use each day. Moreover, the continuing growth of networked systems, devices, and platforms means that cyberspace is embedded into an increasing number of capabilities upon which DoD relies to complete its mission. Today, many foreign nations are working to exploit DoD unclassified and classified networks, and some foreign intelligence organizations have already acquired the capacity to disrupt elements of DoD’s information infrastructure. Moreover, non-state actors increasingly threaten to penetrate and disrupt DoD networks and systems. We recognize that there may be malicious activities on DoD networks and systems that we have not yet detected.”

Thursday, July 14, 2011

July 15, 2011

Manjak, M. (2011, June 8). Social engineering your employees to information security. Retrieved from http://www.sans.org/reading_room/whitepapers/awareness/social-engineering-employees-information-security_1686

"This paper will examine the role and value of Information Security Awareness efforts in the organization. I will discuss the various threats (e.g., social engineering tactics) targeting employees that an InfoSec Awareness campaign is designed to counter. We will review some of the obstacles to implementing a program, offer some tools and strategies for developing effective materials, and lastly look at two case studies of Information Security Awareness campaigns at the University at Albany, SUNY."

Rice, M. J. (2011). Monitoring critical infrastructure assets and strategic signaling to deter aggression in cyberspace (doctoral dissertation). Retrieved from Dissertations and Theses database. [Full text.]

"... [this] dissertation focuses on three components. First, it describes government monitoring scenarios and outlines the constitutional authorities and principal legal issues associated with government monitoring of private critical infrastructure assets. Second, it presents a signaling framework based on adversary-defender interactions that can be used to help deter aggression in cyberspace. Finally, it discusses the application of deception techniques to shield cyberspace sensors. Well-executed and nuanced deception with regard to the deployment and use of sensors can help a defender gain tactical and strategic superiority in cyberspace."

Rutkowski, A. (2011). Public international law of the international telecommunications instruments: Cyber security treaty provisions since 1850. info, 13(1), 13-31. doi:10.1108/14636691111101856 [Full text available in the Emerald Fulltext and Management Reviews database.]

"This paper aims to describe the history of cyber security public international law since 1850 that is found in treaty instruments developed by the signatory nations of what is now known as the International Telecommunication Union (ITU). Because of the esoteric nature of the subject and, until recently, the very difficult access to reference materials, knowledge of these provisions was confined to a handful of scholars. ... What the material reveals is a 150-year history of cybersecurity law that is not only relevant to significant developments today, but also controlling as a set of obligations that virtually every nation has accepted."

Schwartz, A. (2011). Identity management and privacy: A rare opportunity to get it right. Communications of the ACM, 54(6), 22-24. doi:10.1145/1953122.1953134 [Full text available in the ACM Digital Library database.]

"Since 1976, when Whitfield Diffie and Martin Hellman first surmised the possibilities for the potential uses for digital signatures, there has been ongoing discussion of building an online identity management structure. As use of the Internet has become more central to daily life and our financial and physical security has become intertwined with cyber security, the calls to authenticate and identify individual users have increased. However, we still have not seen a single set of answers to these issues that offer a path to an interoperable identity management system that will achieve the goals of authenticating users at different levels of risk, keeping the Internet as an innovative and growing hub for the world’s interactions, and building trust among Internet users. Therefore, it is easy to be doubtful and even cynical that we can build an identity management infrastructure that is voluntary, privacy-protective, secure, and interoperable. Over the next few years, we have a rare opportunity to build such a system, and this opportunity may be our last."

Vanderwerken, J., & Ubell, R. (2011, June). Training on the cyber security front lines. T&D, 65(6), 46-50. Retrieved from http://www.astd.org/TD/ [Full text available in the Academic Search Complete database.]

"... according to a Booz Allen Hamilton survey, the nation's cyber defense is seriously challenged by shortages of highly skilled cyber-security experts. The report notes that 40 percent of chief information officers, chief information security officers, and IT managers are unsatisfied with the quality of cybersecurity job applicants, and according to SANS Institute Research Director Alan Paller, more than 30,000 specialists are needed today."

Friday, July 8, 2011

July 8, 2011

Censer, M. (2011, July 3). Maryland sees its moment in cybersecurity. Washington Post. Retrieved from http://www.washingtonpost.com/business/capitalbusiness/maryland-sees-its-moment-in-cybersecurity/2011/06/17/AGyPTSwH_story.html

"As Fort Meade increasingly becomes a stronghold for federal cybersecurity, Maryland officials and business advocates are trying to take advantage of what they see as a critical opportunity for the state to own one of the most-watched industries. ... For Maryland officials and backers, the moment looks right for the state to not only become the home base of a potentially very lucrative industry ..."

Flick, T., & Morehouse, J. (2011). Securing the smart grid: Next generation power grid security. Waltham, MA: Syngress. [Full text available in the Books 24x7 database]

"Discussing current security initiatives and how they fall short of what is needed, this comprehensive guide details how old and new hacking techniques can be used against the grid and how to defend against them."

Gao, H., Hu, J., Huang, T., Wang, J., & Chen, Y. (2011). Security issues in online social networks. IEEE Internet Computing, 14(5), 55-63. doi:10.1109/MIC.2011.50 [Full text available in IEEE Computer Society Digital Library database]

"This article surveys the current state [as of July 2011] of security issues and available defense mechanisms regarding popular online social networks. It covers a wide variety of attacks and the corresponding defense mechanisms, if available. The authors organize these attacks into four categories — privacy breaches, viral marketing, network structural attacks, and malware attacks — and focus primarily on privacy concerns. They offer an in-depth discussion of each category and analyze the connections among the different security issues involved."

Howles, T., Romanowski, C., Mishra, S., & Raj, R. K. (2011, June 7-8). A holistic, modular approach to infuse cybersecurity into undergraduate computing degree programs. Paper presented at the Annual Symposium on Information Assurance, Albany, NY. Retrieved from http://www.albany.edu/iasymposium/proceedings/2011/ASIA11Proceedings.pdf#page=76

"In response to societal change and national educational objectives, a holistic, modular approach to Cybersecurity education is presented in this paper. This approach is characterized by a set of reusable, self-contained modules that can be embedded in existing classes in several computing disciplines. The intent is to introduce these modules across computing disciplines, and throughout the undergraduate years to ensure a greater understanding of security issues among diverse computing majors. The ultimate goal is to address the societal need for computing professionals who are educated and experienced in diverse aspects of computing security and information assurance."

Spitzer, L. (2011, June 29). Securing the human. Retrieved from https://www.sans.org/webcasts/securing-human-94549

"Organizations have traditionally invested most of their security in technology, with little effort in protecting their employees. As a result, many attackers today target the weakest link, the human. Awareness, not just technology, has become key to reducing risk and remaining compliant. This high-level [webcast] designed for management explains why humans are so vulnerable, how they are being actively exploited, and what organizations can do about it." [Free registration required].

Friday, July 1, 2011

July 1, 2011

Bertino, E., Martino, L., Paci, F., & Squicciarini, A. (2010). Security for web services and service-oriented architectures. New York, NY: Springer. [Full text available in Books 24x7 database.]

"Featuring illustrative examples and analyses of critical issues, this ... book covers in detail all recent standards that address Web service security, and explains how they implement means for identification, authentication, and authorization with respect to security aspects."

Nicol, D. M. (2011, July). Hacking the lights out. Scientific American, 305(1), 70-75. Retrieved from http://www.sciam.com [Full text available in the Academic Search Complete database.]

"[This] article discusses cybersecurity and the potential for a cyberattack on the U.S. electric power grid. ... Topics include an overview of the Stuxnet virus that infected Iran's nuclear program, which according to the author, revealed how vulnerable machines could be to a well-developed electronic virus, similar vulnerabilities in the U.S. grid, and efforts by the U.S. to increase security to prevent an attack on the U.S. electrical grid."

Pearson, I. L. G. (2011). Smart grid cyber security for Europe. Energy Policy [preprint]. doi:10.1016/j.enpol.2011.05.23 [Full text available in the Science Direct database.]

"In Europe, environmental and economic considerations are driving a revolution in power transmission and distribution. Specifically of interest to this paper, utility companies are increasingly using information and communication technology to increase the efficiency and reliability of the grid, as well as to incorporate smaller-scale sources of intermittent wind and solar power into our electricity supply. ... This paper argues that the European Union has the opportunity to mitigate ... vulnerabilities by virtue of its strengthening regulatory position in the European market, and its record of promoting energy technology research. However, the organization will need to act now in recognizing that cyber security as an essential dimension of its energy policy. This paper recommends that the Commission acts now to appoint a coordinator to accelerate the adoption of sensitive institutional changes in this vein. It also suggests that the EU would benefit from cooperation with the United States, a country with strong cyber capabilities that would complement the European program."

Sommer, P., & Brown, I. (2011, January 14). Reducing systemic cybersecurity risk (Organisation for Economic Cooperation and Development Working Paper No. IFP/WKP/FGS(2011)3). Retrieved from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1743384

"This report is part of a broader ... study into Future Global Shocks, examples of which could include a further failure of the global financial system and large-scale pandemics. The authors have concluded that very few single cyber-related events have the capacity to cause a global shock. Governments nevertheless need to make detailed preparations to withstand and recover from a wide range of unwanted cyber events, both accidental and deliberate. There are significant and growing risks of localised misery and loss as a result of compromise of computer and telecommunications services. In addition, reliable Internet and other computer facilities are essential in recovering from most other large-scale disasters."