1st Edition

Cybersecurity and the Art of Cyberwar

230 Pages 8 B/W Illustrations
by CRC Press

The art of war is of vital importance to the state. It is a matter of life or death. Hence, it is a subject which can on no account be neglected. — Sun Tzu

Why are we calling this war? It’s because the conflict in cyberspace is a matter of national concern, and we are, most assuredly, losing the current struggle. So, what do we do? The person who best understands war is a 2,300-year-old...

Chapter One – Introduction: Holistic Security
A. The Ongoing Disaster in Cyberspace – this documents the general challenge of securing virtual space
B. Electronic Solutions are not a Solution – this explains why a solely electronic approach is by definition inadequate by itemizing the other legitimate categories of attack and providing a taxonomy of the various legitimate methods of attack.
C. Why We Need a Holistic Approach – this outlines the necessity for a context-based, total solution, as well as the process for building cybersecurity systems
D. The Cybersecurity Process – this presents a unique three-domain, meta-process for holistic solutions and explains/justifies the logic behind why that process has to be followed

Chapter Two – Three Legitimate Attack Surfaces and their Different Challenges
A. Electronic Attack Surface Elements and Controls – characteristics, strengths and weaknesses of the electronic elements of the system and their common mitigations.
B. Human Attack Surface Elements and Controls – characteristics, strengths and weaknesses of the human behavioral elements of the system and their common mitigations.
C. Physical Attack Surface Elements and Controls – characteristics, strengths and weaknesses of the physical elements of the system and their common mitigations.
D. Architecture: Ensuring Synergy Between Attack Surfaces – this describes the process for integrating control solutions for each interface into a single holistic response

Chapter Three – Common Best Practice Standards for Holistic Security
A. What is Best Practice and Why is it Important – description of how best practice for the profession of cybersecurity evolves over time and the resulting standard frameworks
B. Commonly Accepted Best Practice Frameworks – discussion of the standard models for implementing holistic cybersecurity and how they specifically apply in real world practice.
   a) ISO 27000 – international specification of the cybersecurity process elements
   b) FIPS 200/NIST 800-53 – specification of the U.S. requirements for cybersecurity
   c) COBIT – the most commonly adopted commercial standard for cybersecurity
   d) ISO 12207 – international specification of the software process elements

Chapter Four – Practical Defence in Depth: Integration of Best Practice into a Holistic Response
A. Explanation of the Strategic Concept of Defence in Depth – What is the purpose of defence in depth? What are the roles of coherent perimeters in defining it?
B. Use of a Standard Model to Implement Specific Protection Needs – the universal process for selection and deployment of best practice control sets
C. Why Top Down Development is Essential? – how an iterative process of top down refinement can be used to adapt abstract principles to a specific practical solution
D. Integrating Control Sets into a Holistic System – how common control categories can be utilized to validate the correctness of a real world holistic solution

Chapter Five – Creating the Solution: Architectural Concerns and Tailoring
A. Building Real Architecture Out of Tailored Control Sets – how to create a substantive individualized protection system for real world organizational application
B. What is Tailoring and Why is It Necessary – the generally accepted method for adapting a standard’s general best practice recommendations to a given specific instance
C. Ensuring Synergistic Responses – methods for building proper interdependence and interactive synergy into the composition of a tailored architecture.
D. The Tailoring Process: Examples – this provides detailed specific examples of the tailoring process for two common standards (ISO 27000 and FIPS 200/NIST 800-53)

Chapter Six – Maintaining a Holistic Solution: Evaluation and Evolution
A. Practical Control Baselines: How are they Created and Maintained – a practical methodology for building substantive control baselines for a given instance
B. Ensuring Effective Control Performance – examples of common methodologies for validating and verifying control baseline effectiveness.
C. Assessing Control Performance in the Operational Setting – method for ensuring that the status of the control baseline is always known and validated as correct
D. Control Architecture Change Management and Evolution – method for effective operational management of changes to organizational control architectures

Chapter Seven – Practical Considerations for the Board Room: Changing the Culture
A. We Don’t do it That Way: The Problem of Organizational Culture – large scale strategies for overcoming corporate inertia and resistance to change
B. The Role and Accountability of Leadership in Obtaining Practical Results – five large scale governance factors that must be recognized and enforced by corporate leadership
C. The Capable Organization and How You Get There – a staged approach to development of a capable organizational security response
D. Education and Training – a method for implementing education and training programs to ensure the continuing security behaviour of individuals in the corporate environment.

Biography

Dan Shoemaker has 15 prior books with McGraw Hill, Cengage and T&F – Distinguished Visitor of the IEEE and Member of the Editorial Board of Computers and Security. National Chair of Workforce Training and Education for the Software Assurance Initiative at the Department of Homeland Security (DHS). Professor and Director of the National Security Agency Center of Academic Excellence in Cyber Defence Education (CAE/CDE) Graduate Program at The University of Detroit Mercy. 50 years of experience in the profession.

Amir Jabri is a seasoned information security and technology leader with over two decades of experience designing cybersecurity and technology strategies for highly regulated industries including aerospace, healthcare, semiconductors, and government. He holds a Master’s in Information Assurance and a Bachelor’s in Information Technology with a security focus, complemented by elite certifications such as CISSP, CISM, and CRISC. Amir excels in risk management, cloud technology and security across AWS and Azure, incident response, and governance and compliance frameworks like NIST and ISO 27001, and in mentoring teams to enable secure digital transformation. LinkedIn: https://www.linkedin.com/in/amirjabri