Securing Cyber-Physical Critical Infrastructure (Book Review)

Handbook on Securing Cyber-Physical Critical Infrastructure: Foundations and Challenges

Das, Kant and Zhang have done a brilliant job editing Securing Cyber-Physical Critical Infrastructure, bringing together a who's who list of researchers and practitioners. Das is a University distinguished Scholar Professor of Computer Science and Engineering at the University of Texas Arlington with more than 500 published papers, three books and the editorship at Elsevier's Pervasive and Mobile Computing journal. Kant is a research professor at the Center for Secure Information Systems at George Mason University, Fairfax, VA. Kant comes equipped with many years of academic experience and industry exposure at Bell Labs, Telcordia and Intel, as well as government positions including at the National Science Foundation (NSF). Finally, Zhang, the third editor, was an assistant professor of Computer Science and Engineering at the University of Texas at Arlington from 2006 to 2008 and is currently researching databases and information security/privacy. Zhang received the prestigious NSF CAREER award in 2008.

This 800+ page handbook is divided into eight parts and contains thirty chapters, ideal for either an advanced undergraduate or graduate course in security. At the heart of this handbook is how we might go about managing both physical and cyber infrastructures, as they continue to become embedded and enmeshed, through advanced control systems, and new computing and communications paradigms.

Part I provides theoretical foundations in the area of control theory, game theory and epidemic theory as applied to cyber-physical infrastructure management. Part II focuses on security for wireless mobile networks. Robert Brammer who wrote the foreword of the handbook, emphasized the successes of the New York City Wireless Network (NYCWiN), motivated partly by the events of 9/11. NYCWiN became operational in 2009 and its cyber-physical systems architecture has addressed issues in the control of transport, public health, environmental quality and communications during critical emergencies. Part III covers security for sensor networks which are fast becoming integral for monitoring and controlling cyber-physical systems. These systems provide much of the feedback mechanism, forewarning or alerting to subsystems when things go wrong. As we increasingly become reliant on sensor networks, we need to ensure that they are as secure and reliable.

Parts IV and V position the importance of platform security, and address cloud computing and data security. The section on platform security includes chapters on traditional hardware and software vulnerabilities and presents solutions that could be employed to make it even more difficult for large-scale systems to be penetrated. The section on cloud computing makes sure to emphasize how systems are changing in terms of outsourcing to companies whose core competency is information technology infrastructure, platforms and services. The cloud, mobile devices, and online social networks are particularly creating opportunities for hackers toward data breaches, and this is discussed in detail.

Part VI and VII are on event monitoring and situation awareness, as well as policy issues in security management. These chapters provide approaches to systems monitoring, discovery and tracking patterns of interest in security data streams, discontinuous clustering, sequencing, geo-spatial temporal correlations and other event detections mechanisms. For those seeking examples of how such systems monitoring occur, there are equations, algorithms, proofs, process flows, physical infrastructure layout maps, pictorial evidence, graphs, tables, and example simulation outputs to spend hours and hours exploring further. Finally, policies, access control and formal analysis methods for overseeing security in cyber-physical critical infrastructure are also shown.

The biggest highlight for me personally was the coming together of Parts I–VII in the security issues in real-world systems presented in Part VIII which brings home the relevance and timeliness of this handbook today. Chapters 25–30 could have been a book in their own right for their depth of insight into emerging smart infrastructures – including smart grids, automotive information technology, mobile health care systems, internet infrastructure, emergency vehicular networks, and more broadly unified telecommunications infrastructure using Voice over Internet Protocol (VoIP). It is not too difficult to see the complexities of these big systems needing to interact with each other and the security and privacy concerns this might raise.

As noted by the authors, the handbook could be used to cover courses on security and robustness of computer networks, the security in physical infrastructure, or even the security in cyber infrastructure. Today, we are witnessing a paradigm shift toward autonomous systems, and despite most physical infrastructure being considered legacy, even the old wires and cables are becoming “switched onto” the cyber. An understanding of both these elements is crucial in engineering and maintaining better working and resilient systems for the future.

Citation: Katina Michael, [Book Review]: Handbook on Securing Cyber-Physical Critical Infrastructure: Foundations and Challenges, by S.K. Das, K. Kant, N. Zhang. Elsevier|Morgan Kaufmann, Volume 31, Issue 8, November 2012, p. 1013: DOI: https://doi.org/10.1016/j.cose.2012.07.007

Hacking: The Next Generation (book review)

Hacking: The Next Generation demonstrates just how hackers continue to exploit “back doors”. New ways of working and new ways of communicating have meant that the number of attack vectors continue to rise rapidly. This provides hackers with a greater number of opportunities to penetrate systems using blended approaches while organizations struggle to come up to speed with the latest technology developments and commensurate security capabilities. Dealing with anticipated threats is a lot harder than dealing with known threats.

Dhanjani, Rios and Hardin are skillful in their analysis of hacking in the next generation, providing coverage of classic traditional attacks, as well as emerging threats in the cloud, mobile devices, and social networking. Emphasis is placed on phishing attacks, targeted attacks versus opportunistic attacks, and the well-known but increasingly troublesome insider attacks. The threesome are especially equipped with security-related knowledge – Dhanjani now a senior manager at Ernst & Young was previously the senior director of Application Security and Assessments at Equifax, Rios is a security engineer with Microsoft, and Hardin a security research Lead with McAfee.

On June 6, LinkedIn, the largest professional social network was hacked and 6.5 million unique hashed passwords appeared on a Russian cybercrime forum. Within the first 24 h, it was purported that more than 200,000 passwords had been cracked. And not long after that, dating agency eHarmony and music site Lastfm.com also discovered that passwords of a small fraction of its user base had been compromised. As individuals scramble to remember passwords for a diverse array of online applications, the possibility that anyone having access to the leaked passwords could penetrate personal accounts of other online applications was very high. This book does not shy away from dealing with potential security breaches of this magnitude, and demonstrates how hackers might go about orchestrating such an attack.

Beyond a doubt, all the technical know-how proliferating in the hacker community is cause for concern but the traditional art of social engineering is developing just as fast in complexity and methodological rigor, as shown in this book. Coercion, manipulation and influence are just some of the tools of persuasion used by hackers against employees of organizations. But even more brazen has been the efforts of hackers against executives who may have a wealth of strategic business knowledge but little in the way of street sense when it comes to technology and more specifically non-technical security attacks. In fact, most executives today feel overwhelmed by the amount of organizational communications (and spam) they receive and happily grant their personal assistants access to a number of collaborative applications, including web conferencing, email and social media.

Critical data is also being leaked outside the organization using non-traditional tools, meaning that perimeter-based defense models are just not effective. These data leaks, while difficult to quantify unless penetration testing is regularly conducted, cost organizations significant losses annually. But it is the “unknown” component of these losses which is especially worrying to organizations whose business models dictate an agile workforce through mobile and cloud solutions, connectivity between stakeholders for relationship management, and similar extensions.

What you can expect from this book is to learn new things about hacking that you were not aware of. I personally tested some of the scenarios and cases described in this book with an executive who initially did not believe that these were realistic hacking techniques that hackers would perform but who soon admitted to their possibility and potentiality.

The book is armored with excellent freely available online reference sources, commands that can be literally typed into an operating system, including programming source code, and typical scenarios and role play dialogues, and many supporting illustrations. It is bound to make you think differently about hacking as you might understand it in the new threat landscape.

Citation: Katina Michael, [Book Review] "Hacking: The Next Generation", by N. Dhanjani, B. Rios, B. Hardin. O'Reilly, Computers and Security, Vol. 31, No. 6, Sept 2012, p. 79, https://doi.org/10.1016/j.cose.2012.06.005

    Securing the Cloud (book review)

    Securing the Cloud: Cloud Computer Security Techniques and Tactics

      With so much buzz around Cloud Computing, books like this one written by Winkler are much in demand. Winkler's experience in the computing business shines through and as readers we are spoiled with a great deal of useful strategic information – a jam packed almost 300 page volume on securing the cloud.

      Winkler, presently a senior associate at Booz Allen Hamilton has had more than 30 years of experience servicing U.S. Government clients, and as Chief Technologist for Security for the Sun Microsystems Public Cloud, in applications engineering, and IT operations and management in a number of organizations. Winkler has numerous technical conference publications, and among his many achievements, he was a visiting cyber security expert authoring the Information Security policy for the Government of Malaysia.

      The book begins with a well-needed introduction for those who are new to cloud computing. Winkler describes how the cloud works, the importance of securing the cloud, and its fundamental architecture.

      Chapter 2 goes into greater detail on the cloud reference architecture, introducing cloud service and deployment models and differentiating between public, private, community and hybrid clouds, and the cloud software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) models.

      To be commended, before entering an in-depth discussion on how to architecture a secure cloud, Winkler spends chapter 3 discussing security concerns, risk issues, and legal aspects. As a privacy specialist myself, it is very heartening to see that Winkler addresses those very difficult questions that every client asks about privacy and confidentiality concerns, data ownership and locale concerns, and other aspects like emerging threats, third parties, data privacy and litigation.

      Chapters 4–6 are all about ways in which we can secure the cloud – the underlying architecture, data security, and key strategies and best practices. These chapters are at the heart of the book as we are taken on a guided tour about standards and policies, honeypots, sandboxes, network and cabling patterns and the like. For the important area of data security within the cloud we are introduced to the idea of control over data and public cloud economics, ownership and custodianship, data encryption and its limitations, and access control techniques for data categorization. The deletion of data within the cloud is also discussed, something that is becoming vital from the lessons learnt in the social media environment. Key strategies and best practices in securing the cloud are presented in chapter 6 from first principals. NIST definitions are given in security controls and unclassified and classified models are compared. Security monitoring by the CIA is addressed and the emphasis is placed on reliable streams of data – a notion introduced as MaaS – Monitoring as a Service.

      Chapter 7 and 8 look at security criteria with respect to building an internal cloud (i.e. private cloud) versus selecting an external cloud provider. The internal cloud choice is based on the security implications offset between a shared versus dedicated resources solution. Criteria for ensuring a secure private cloud include: network considerations, data center considerations, operational security considerations, and regulation. For the selection of an external cloud provider a discussion is given on assurance and how to verify independently the claims made by a given vendor.

      Chapter 9 is about evaluating your cloud security using an information security framework. Checklists are provided to help cloud personnel evaluate the stealth of their given solution, including a manner for placing metrics against the checklists.

      Chapter 10 is about operating a cloud and is very much intended for the manager who is in charge of the business case toward a cloud solution. Processes, efficiency and cost are all covered aspects as well as security operations activities that typically are related to business continuity and recovery.

      As a former pre-sales engineer, what I loved most about this book was the obvious hands-on strategic and technical experience that Winkler bought to every aspect of it. It is really a practitioner's guide to cloud computing security. I appreciated the descriptive figures, the tips, the warnings, the notes, the tools, the stories of failures and successes but most of all the comprehensive nature of the real world descriptions.

      Citation: Katina Michael, [Book Review] "Securing the Cloud: Cloud Computer Security Techniques and Tactics" by Vic (J.R.) Winkler. Computers & Security,  Vol. 31, No. 4, June 2012, Page 633, Syngress|Elsevier, https://doi.org/10.1016/j.cose.2012.03.006

      The Basics of Information Security (book review)

      Dr Jason Andress (ISSAP, CISSP, GPEN, CEH) has written a timely book on Information Security. Andress who is a seasoned security professional with experience in both the academic and business worlds, categorically demonstrates through his book that underlying the operation of any successful business today is how to protect your most valuable asset – “information”. Andress completed his doctorate in computer science in the area of data protection, and presently works for a major software company, providing global information security oversight and performing penetration testing and risks assessment.

      In the last 12 months we have all witnessed a variety of large scale attacks on corporations and public sector agencies via hacking groups like Anonymous, who have used SQL injections, distributed denial of service (DDoS) attacks, advanced persistent threats (APT), and zero-day exploits to penetrate systems. Less visible and quantifiable have been insider attacks where data leakage has occurred as a result of industrial espionage.

      Mobile computing, social networking, and cloud computing have all acted to heighten information security concerns prompting chief information officers (CIO) to reflect on their business practices. Of great significance today within an organizational setting, is the knowledge of how information is gathered, stored, and accessed by all staffing levels.

      From the outset Andress offers models for discussing security issues – beginning with the confidentiality, integrity, and availability triad known as CIA. After doing so he describes the various types of attacks including interception, interruption, modification, and fabrication. He also introduces the difference between threats, vulnerabilities, and risk and discusses approaches to mitigating risks such as physical controls, logical controls, and administrative controls. While this is commonplace in most security fundamentals books, it is helpful to get the brief summary version so succinctly.

      Chapter 1 ends with a discussion on a strategy common to military maneuvers known as “defense in depth”. A range of suggestions are made on how to ensure that each layer in defense in depth should be protected. Among these solutions are penetration testing, vulnerability analysis, backup, access control, encryption, content filtering, password hashing, logging, auditing, antivirus, firewalls, intrusion detection and prevention systems, stateful packet inspection, proxy, demilitarized zones and the like. This “defense in depth” approach with corresponding solutions forms the basis for segmentation of the book at large.

      Chapter 2 introduces the reader to the fundamental concept of identification and describes various ways of authenticating a system user, from multifactor authentication to biometrics and hardware tokens. Chapter 3 describes authorization and access control lists (ACLs) with an emphasis on readwrite, and execute permissions. This chapter ends by discussing a variety of ACL models including: discretionary access control, mandatory access control, role-based access control and attribute-based access control. Chapter 4 is a brief chapter focusing on auditing and accountability, touching on the themes of non-repudiation, deterrence, intrusion detection and prevention, and the admissibility of records.

      Chapter 5 covers cryptography and the cryptographic tools that are available for protecting data “at rest”, “in motion” and “in use”. The distinction is made in this chapter between protecting the data itself versus protecting the connection. Symmetric and asymmetric keys are described as well as other cryptographic tools such as hash functions, digital signatures, and certificates.

      Chapters 6 and 7 offer some practical insights into operations security and physical security. In these chapters the reader is introduced to the importance of identifying which data in their corporation is of value. The operations security process begins with the identification of critical information, an analysis of threats and vulnerabilities and risks, and ends with an application of countermeasures. The emphasis is on (1) knowing the threats, (2) knowing what is of value to protect, and (3) the knowledge that if something of value is left unprotected, then inevitably it will be taken. Chapter 7 on physical security is about physical security controls, protecting people/data and equipment. It is mainly about infrastructure and the potential for physical threats and how the threats can be curbed through physical security controls. These controls are divided into three types: deterrent, detective and preventive. The chapter is comprehensive at looking at how businesses should choose appropriate sites for their particular type of work, people, data and equipment.

      Chapters 8 through to Chapter 10 address network security, operating system security, and application security. The latter chapter is focused on how attackers might take advantage of very exposed online applications such as business-to-consumer electronic commerce self-service systems. Software development vulnerabilities, web security, and database security are each described in the final chapter.

      The book includes illustrations and figures demonstrating key information security ideas, alerts to make the reader aware of particular insights, more advanced details for those wishing to do their own research above and beyond the contents of the book, and real world example summaries pertaining to key terms throughout the book. There is also an accessible bibliography mainly made up of online resources. The exercises at the end of each chapter also make this a good book for a first year security college class. It does not however include any practical exercises whatsoever, and so hands-on laboratory sessions would need to be developed to give the prospective student some idea of how some of these information security solutions would actually work in practice. All in all, this book is for those new to information security and for persons who are looking to learn about underlying concepts which underpin what is at the heart of information security in organizations. It is not an overly sophisticated book but it does achieve its purpose.

      Citation: Katina Michael, [Book Review] "The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice, J. Andress. Syngress Elsevier", Computers & Security, Volume 31, Issue 4, June 2012, Pages 634-635 DOI: https://doi.org/10.1016/j.cose.2012.03.005

      Security Risk Management (book review)

      Security Risk Management: Building an Information Security Risk Management Program from the Ground Up

      In an age of outsourcing tasks that are not considered to be a core competency of the business, organisations have often relied on external consultants for matters pertaining to security. In actual fact, most companies could have utilized existing skill-sets in-house to produce a security risk management program, if only they knew what steps to take, and how to go about it all. Evan Wheeler in his book on information security risk management does just that he equips professionals tasked with security, with the thinking required to create a program that is more preoccupied with the complex strategic-level questions than the technical or operational level skills required to execute particular tools and applications. Wheeler, a practicing security consultant himself, asks the big questions which technicians usually cannot answer beginning with the “why” question. From Wheeler’s perspective it is important that those who have been given the role to manage security, have the upper management support to act as “internal” consultants with clear roles and responsibilities defined from the outset, given resource allocation limitations. Wheeler’s book offers a simple to understand risk management lifecycle where the business owners are empowered to manage their own risks with the security team playing a supporting role as policymaker and overseer. Security thus becomes everyone’s problem.

      Wheeler organizes his book in three very accessible parts. The first part provides an introduction to risk management which positions security within an organizational context as well as introduces the risk management lifecycle. The second part which is on risk assessment and analysis techniques, includes chapters on risk profiling, formulating a risk, risk exposure, security control, risk evaluation and reporting. And the final third part is on building and running a risk management program, with a focus on generating a blueprint for security. What is practical about this book is that there are quick guides to follow with detailed descriptions for each part, sub-part, and individual steps in the stages of the risk management workflow. The numerous template pro-formas included in the book also presents another tangible way for practitioners to get involved in risk management, providing an approach toward identifying and mapping an organisation’s risks and mitigating them. The book also contains generic case studies wherever appropriate. The appendices which include example profiles and questionnaires are additionally supported by partly-filled out tabular forms in the main body of the text. Sample worksheets, workflow diagrams, tips and tricks, and associated warning signals along the way are also illustrative, helping the information security professional to get started straight away without falling into recognized pitfalls. One thing that makes this book so useful is the style that it has been written in, a credit to Wheeler that it allows for direct engagement and is easily digestible by any one at any level in the organisation.

      A distinct omission in Wheeler’s book is an acknowledgment of the importance of the existence of international standards, such as the International Standards Organisation’s (ISO) 27000 series of standards on information security matters, and also other IT governance related frameworks, such as CoBIT. While the claim is made that Wheeler offers a new approach in his book, shaking up old paradigms, it is probably more correct to say that Wheeler has taken tried and tested elements in security management, and has presented them in a more accessible way to the professional who might not necessarily have a security background. The success of the book is in its presentation of the security risk management lifecycle.

      With the admission that the qualitative versus quantitative approach to risk assessment continues to be debated by the industry, Wheeler spends some time describing the implementation of each approach, tending toward a little bit of this, and a little bit of that, in his self-professed cookbook of risk management. But for the greater part, Wheeler is obviously encouraging of the qualitative assessment given the length of space attributed to this approach in the book. One criticism of solely using either a qualitative approach or a quantitative approach to risk assessment has very much to do with how to interpret the meaning behind the results. Take for example a quantitative assessment based on annualized loss expectancy (ALE). It is very likely to have two risks end up with exactly the same dollar figure. The fallback position in this situation is to a qualitative assessment result to weigh up which is more significant to the given organizational context when addressing the risk concerns. Innovative modeling approaches which utilize a hybrid approach are now being implemented in many organisations. The absence of this discussion from the book is noted, Wheeler taking the perspective that most organisations use a qualitative approach alone because the quantitative assessment approach relies on too many historical facts which are usually unknown, and based upon complex equations.

      Another detail that seems to have not been addressed is that security risk requires business owners to consider interdependencies at a variety of layers. These layers can be considered as categories of resources, i.e., applications, infrastructure, environment, facility, business unit and vendor, each of which have impacts at the financial, legal, reputational or regulatory levels. The failure to recognize interdependencies as being an integral dimension of risk assessments can lead to detrimental effects in any risk management program. Scenario analyses conducted to gauge the consequences of negative effects on a crucial element in the security value chain might mean that controls and mechanisms to protect that element are of greater significance than another element that might have a bigger risk exposure but is not underlying most other processes. Much of this work on interdependencies was begun in the critical infrastructure protection (CIP) domain but has been applied in many other areas, including in the banking sector which has been preoccupied with risk appetite since consumers have begun to use emerging technologies do conduct their transactions.

      Wheeler’s book is predominantly a practitioner’s guide to security risk management but can also be used as a teaching text to help engineers, students of security, information assurance, or information systems more broadly. The key message that Wheeler is emphasizing is that risk is at the core of security, and at the heart of every business. Despite that the book lacks key referencing from academic literature, it can still be used as the basis for setting a large-scale team assignment on devising a risk management program from the ground up for a real organisation. Security professionals in banks will particularly find the book relevant, with examples from this sector discussed or alluded to.

      Citation: [Book Review]: Katina Michael, Security Risk Management: Building an Information Security Risk Management Program from the Ground Up, E. Wheeler.  Volume 31, Issue 2, March 2012, pp. 249-250, Syngress, Elsevier. Accepted 22 December 2011, Available online 5 January 2012, DOI: https://doi.org/10.1016/j.cose.2011.12.011