Survey of Cyber Security Frameworks




Alice Nambiro Wechuli (Department of Computer Science, Masinde Muliro University of Science and Technology, Kenya, alicenambiro@yahoo.com)
Geoffrey Muchiri Muketha (Department of Information Technology, Meru University of Science and Technology, Kenya, gimuchiri@gmail.com)
Nahason Matoke (Department of Computer Science, Masinde Muliro University of Science and Technology, Kenya, nahason@gmail.com)

Abstract: In a digital world, the national economy and welfare have grown critically dependent on the cyber infrastructure due to the capabilities and opportunities the Internet provides. This leaves organizations open to various forms of malicious attack by cybercriminals which has overwhelmed some current methodologies used for tracking cyber attacks and vulnerabilities. This paper presents a review of literature on cyber security status, challenges to cyber security, and existing cyber security frameworks. Findings indicate that though efforts are in place to bring about effective assessment of cyber security, there is no single accepted framework to offer a lasting solution to the cyber security assessment challenge.

Key Words: Cyber Security, Internet, Vulnerability, Threat, Cyber Attack, Cyber crime

1. Introduction

The way of carrying out business in the world today is changing rapidly with new technologies taking the center stage. Both government and the private sector are increasingly adopting the emerging technologies to modernize their service delivery. According to the US President's Information Technology Advisory Committee [1], innovations in ICT have created a whole new industry through the ubiquitous interconnectedness first exhibited by the Internet.
This revolution of interconnectivity has brought with it increased opportunities, but also risks and uncertainties, especially because cyber criminals can now cause harm with catastrophic impact from remote locations, equipped with only a computer and the knowledge needed to identify and exploit vulnerabilities [1]. As a result of increasing interconnectivity, information systems and networks are now exposed to a growing number and a wider variety of threats and vulnerabilities which raise new security issues for all. Throughout the world, governments, defense industries, and companies in finance, power, and telecommunications are increasingly targeted by overlapping surges of cyber attacks from criminals and nation-states seeking economic or military advantage [2]. The number of attacks is now so large and their sophistication so great that many organizations are having trouble determining which new threats and vulnerabilities pose the greatest risk and how resources should be allocated to ensure that the most probable and damaging attacks are dealt with first.

The Australian government has made an effort to address cyber security issues in industry, although further development is needed in terms of the rights of an individual company to take action against a threat source [3]. The United States General Accounting Office [4] states that long-term efforts are needed, such as the development of standards, research into cyber security vulnerabilities and technological solutions for the cyber security problems, and the transition of research results into commercially available products.

2. Defining Cyber Security

There is no single definition of the term cyber security, but the different existing definitions encompass a set of concepts which include availability, confidentiality and secure sharing of information. Cyber security refers to three things: measures to protect information technology, the information it contains, processes, and transmits, and associated physical and virtual elements; the degree of protection resulting from application of those measures; and the associated field of professional endeavor [5]. Cyber security is also defined as measures relating to the confidentiality, availability and integrity of information that is processed, stored and communicated by electronic or similar means [3], [6]. Cyber security refers to a measure for protecting computer systems, networks, and information from disruption or unauthorized access, use, disclosure, modification or destruction [7].

In the context of this paper, cyber security is to be understood as the collection of policies, security safeguards, security concepts, risk management approaches, guidelines, technologies, actions and training that can be used to protect the organization and cyber environment together with the user's assets.

3. Current Status of Cyber Security

According to Cole et al. [8], only a few countries had additional security measures apart from legislation. The researchers indicate in their study that Malawi had hardly any cyber security initiatives taking place at national level. A study by the World Economic Forum found Malawi to be amongst the bottom 15 of 133 countries surveyed for ICT networked readiness [9].

Malaysia is one of Asia's most alluring countries for cyber criminals [10]. According to Lt Col Prof Datuk Husin Jazri, the Cyber Security Malaysia chief executive officer, until August 2011, there were 10,000 cases reported every month in Malaysia [11]. The researcher also indicated that the Cyber Early Warning System that had been set up by Cyber Security Malaysia detected over 5,000,000 security threats. This is hard evidence that cyber crimes are increasing at an alarming rate.

As Kenya's internet connectivity blossoms, so do the cyber security threats, which are becoming more dynamic and sophisticated [12]. The researcher indicates that most organizations in Kenya don't know enough about the threats or their own security posture to defend themselves adequately. For example, they can't see signs of an attack because they haven't sufficiently analyzed data on the latest attack techniques. The researcher further quotes Kenya's Information Permanent Secretary, Dr Bitange Ndemo, who stated that with high speed internet comes increased security risks, and that there is therefore a need to develop policies both to ensure wider access and the safety of internet users.

4. Cyber Security Challenges

Security of cyberspace is complicated because it involves the increasing dependence on information networks that, in turn, introduce vulnerabilities and create opportunities to be exploited by criminals, adversaries and others.

4.1. Organized Criminal Activities

New challenges to data and communications networks are evolving as rapidly as the spread of high-speed Internet infrastructure. It has been argued that the more significant the volume of revenues that flow over ICT based networks, the greater will be the incentive for organized criminals to corrupt or economically exploit high-value data resources [13]. A global black economy has been found to be capable of generating finances for terrorism, as well as off-budget funding for military, police, or national security agencies of nation states [14].

4.2. Weak Links in the Global Information Infrastructure

A poorly secured network is potentially the weakest link in the cyber security chain [15], [16]. For example, malware in an out of date network can become a botnet through which other systems could be attacked. Internet Service Providers are usually not proactive in identifying and removing botnets in view of the cost implications [17]. Significant weaknesses within the industry need to be addressed, including the lack of effective governance, poor understanding of the cyber threat, and the sharing of data. However, many boards fail to understand and, therefore, address the business risks in the cyber environment [3].

4.3. Constant Evolution of the Nature of Cyber Threats

According to [18], the ability of governments to gauge threats to critical infrastructures has traditionally been contingent upon their ability to evaluate a malicious actor's intent and that actor's ability to carry out a deliberate action.
She further states that due to the global nature of information networks, attacks can be launched from anywhere in the world, and discovering the origin of attacks remains a major difficulty, if, indeed, they are detected at all. Compared to traditional security threat analysis, which consists of analyses of actors, their intentions, and their capabilities, cyber-threats have various features that make such attacks difficult to monitor, analyze, and counteract [19].

4.4. Insufficient Funding

A secondary but nonetheless significant issue is the funding of cyber security research and development. Researchers have established that departments and agencies outside of defense do not have dedicated research funds to apply to cyber security [3]. The security threats faced in the cyber domain need to be addressed with a coherent, integrated and funded research program in advance of the threat and not just in reaction to it.

5. Cyber Security Frameworks

Cyber security is important for the competitiveness of organizations now that most of them have gone digital. In order for them to remain undisrupted, deeper research on cyber security assessment was necessary. The paper identified some cyber security frameworks, which are discussed in the subsequent sections.

5.1. Cyber Security Workforce Framework

The National Initiative for Cybersecurity Education (NICE) is an interagency effort coordinated by the National Institute of Standards and Technology and focused on cyber security awareness, education, training and professional development [20]. NICE came up with the cyber security workforce framework. The framework organizes cyber security into seven categories, each comprising several specialty areas, as follows:

i. Securely Provision, which is concerned with conceptualizing, designing, and building Information Technology systems.
ii. Operate and Maintain, which is responsible for providing the support, administration, and maintenance necessary to ensure effective and efficient Information Technology system performance and security.
iii. Protect and Defend, which is responsible for the identification, analysis, and mitigation of threats to internal Information Technology systems or networks.
iv. Investigate, which is responsible for the investigation of cyber events and/or crimes of Information Technology systems, networks, and digital evidence.
v. Operate and Collect, which is responsible for the highly specialized collection of cyber security information that may be used to develop intelligence.
vi. Analyze, which is responsible for highly specialized review and evaluation of incoming cyber security information to determine its usefulness for intelligence.
vii. Support, which provides support so that others may effectively conduct their cyber security work.

This framework has limitations, although it might have worked to satisfaction at the time it was developed. First, the cyber security workforce framework has put its emphasis on awareness, which is achieved basically through training. This ensures secure cyber infrastructure as explained in the framework. The framework has not considered the fact that technologies are emerging rapidly, which brings about the challenge of increased cyber security threats.
For this reason, there must be adequate cyber security policies and standards, which should be reviewed frequently. Also, the framework has not considered the fact that threats exploit vulnerabilities, so a risk management strategy should be put into place. Furthermore, the framework has not considered the fact that some cyber criminals, like hackers who have malicious intentions, have a broad range of knowledge in the cyber security area. However, cyber crime legislation was not put in place to bring these criminals to book. Finally, for any cyber security initiative to be a success, there must be a driving force, which is sufficient funding. This framework has not presented any budget for the training.

5.2. U.S. GAO Cyber Security Framework

The United States General Accounting Office [21] puts forth the use of an overall cyber security framework that can assist in the selection of technologies to protect critical infrastructure against cyber attacks. It further proposes that an overall cyber security framework includes determining the business requirements for security and performing risk assessments. Establishing a security policy, implementing a cyber security solution, and continuously monitoring and managing security are also part of the framework [21]. Risk assessments, which are central to this framework, help organizations to determine which assets are most at risk and to identify countermeasures to mitigate those risks. Risk assessment is based on a consideration of threats and vulnerabilities that could be exploited to inflict damage.

The U.S. GAO cyber security framework has considered the issue of security policies and standards. It has also presented the necessity for risk management, because technologies are rapidly evolving (for example, the use of mobile computing) and cyber threats are on the rise. However, the framework stresses putting risk management at the forefront, but no end user education is considered, which may lead to some cyber crimes being committed due to lack of knowledge. The framework has also not presented a review of the management structure, that is, whether it is centralized or decentralized; a centralized management structure brings about challenges like lack of team work and thus no effective implementation of any initiative. Also, the framework does not consider assessment of the services provided by third party service providers like internet service providers, even though the services provided might create vulnerabilities which are exploited by cyber criminals. Cyber crime legislation to deal with cyber criminals is not presented either and, finally, funding for any cyber security initiative, be it from insurance agencies or self-funded, is not presented.

5.3. Framework for Assessing Cyber Security Initiatives in Africa

A study on cyber security in Africa has established the need for measures which include standards and policies regarding the technical security measures, accreditation for said systems, legislation to criminalize cybercrime, international cybercrime legislation harmonization, and a national computer emergency and response team to provide these national security systems with analysis of potential vulnerabilities and quick incident response [8]. The security perspectives of these measures depend on their target organizations and systems. Higher education cyber security programs should also be in place to provide increased opportunities for technical jobs and industry.
They also serve as the necessary workforce for all cyber security initiatives across all of the security concerns. Also, cyber security education for the end user helps individuals to protect their private information.

The framework has presented well the need for awareness, cyber security policies and standards, together with cyber legislation. It has also considered the need for a computer emergency response team. However, it has not presented a review of the management structure, although this contributes to implementation of an effective cyber security assessment framework. Also, the paper has not presented whether there is assessment of services provided by third party service providers. Finally, no budget is reviewed to ensure that sufficient funding is available to initiate the cyber security assessment program.

6. Discussion

Ensuring cyber security is a very important aspect both globally and for an organization in particular. Thus much research has been going on to act as a guide to cyber security assessment. Based on the review of the literature concerning the cyber security frameworks, several cyber security issues have been raised. This implies that there is much to be done in order to come up with an overall acceptable cyber security framework.

The cyber security workforce framework needs to include cyber security policies that are to be reviewed frequently. Also, a risk management plan should be put in place and implemented. Cyber crime legislation should be put in place to deal with the cyber criminals. Finally, a budget must be presented stating how much each cyber security initiative should be allocated.

The U.S. GAO cyber security framework has stressed the need for risk management without any consideration of end user education. This makes cyber security measures unsuccessful, because for success to be achieved, all levels of management must participate. Since there is no assessment of services provided by third party service providers, it is certain that some of the services provided are unsecure. Also, cyber criminals can go unpunished because there is no cyber crime legislation. Finally, there is a need to include a budget with sufficient funds.

The framework for assessing cyber security initiatives in Africa does not present the management structure, which implies that effective cyber security is achievable without involving all the levels of management; this cannot be the case. Also, services provided by third party service providers need to be assessed for security. Finally, for any cyber security initiative to be successful, adequate funds must be available to support it.

7. Conclusions

We have looked at the status of cyber security and the challenges encountered during implementation of cyber security programs. We have also looked at the existing cyber security frameworks and their limitations, and discussed the implications of these limitations in the previous section. Since all the frameworks had some limitations, this provides a basis for further research on a cyber security assessment framework that will provide a lasting solution to the ever arising cyber security assessment challenge.

8. References

[1] President's Information Technology Advisory Committee (PITAC). Cyber-Security: A Crisis of Prioritization. 2005, National Coordination Office for Information Technology Research and Development, Arlington, VA.
[2] Billo, C. and Chang, W. "Cyber Warfare: An Analysis of the Means and Motivations of Selected Nation States". 2004, Institute for Security Technology Studies, Dartmouth College.
[3] Blackburn, J. and Waters, G. Optimizing Australia's Response to the Cyber Challenge. Kokoda Foundation. 2011.
[4] United States, General Accounting Office. Technology assessment cybersecurity for critical infrastructure protection. 2004, Washington, D.C. U.S. General Accounting Office.
[5] Fischer, E. A. Creating a National Framework for Cybersecurity: An Analysis of Issues and Options. 2005, Congress Research Service (CRS).
[6] Australian Government. Cyber Security Strategy. 2009, Canberra: Attorney-General's Department; retrieved from http://www.ag.gov.au/www/agd/rwpattach.nsf/vap/%284ca02151f94ffb778adaec2e6ea8653d%29~ag+cyber+Security+Strategy+-+for+website.pdf/$file/ag+cyber+security+strategy+-+for+website.pdf, accessed 14 May 2010.
[7] Gallaher, M. P., Link, N. A. and Rowe, R. B. Cyber Security. 2008, Cheltenham: Edward Elgar Publishing Limited.
[8] Cole, K., Chetty, M., LaRosa, C., Rietta, F., Schmitt, D. and Goodman, S.E. Cybersecurity in Africa: An Assessment. 2008, Sam Nunn School of International Affairs, Georgia Institute of Technology, Atlanta, GA, US.
[9] World Economic Forum. The Global Information Technology Report 2009-2010. 2010. Available at http://www.weforum.org/en/initiatives/gcp/global%20information%20Technology%20Report/index.htm [Accessed 7 March 2011].
[10] Muniandy, L. and Muniandy, B. State of Cyber Security and the Factors Governing its Protection in Malaysia. International Journal of Applied Science and Technology, 2012. 2(4).
[11] Timbuong, J. Cybercrimes continue to rise. 2011. Retrieved November 3, 2011, from http://www.apecdoc.org/site/malaysia/2011/09/26/cybercrimes-continue-to-rise.
[12] Itosno, S. Kenya: Cyber criminals becoming untamable. BiztechAfrica, 2012.

[13] Krebs, B. "Three Worked the Web to Help Terrorists". The Washington Post, 2007.
[14] Sipress, A. "An Indonesian's Prison Memoir Takes Holy War Into Cyberspace". Washington Post, 14 December 2004, from http://www.washingtonpost.com/wp-dyn/articles/a62095-2004dec13.html.
[15] Allison, I. and Strangwick, C. Computer Security, Privacy and Politics: Current Issues, Challenges and Solutions. IRM Press, 2008.
[16] Anderson, R. and Moore, T. "The Economics of Information Security." Science 314, 2006: 610-613.
[17] Bauer, M.J. and van Eeten, G.J. Cyber-Security: Stakeholders incentives, externalities and policy options. Telecommunication Policy. 2009, 33 (10).
[18] Dunn, M. A Comparative Analysis of Cybersecurity Initiatives Worldwide. WSIS Thematic Meeting on Cybersecurity (Geneva: International Telecommunications Union) 2005.
[19] Dunn, M. Threat Frames in the US Cyber-Terror Discourse. British International Studies Association (BISA) conference. Warwick, 2004.
[20] National Institute of Standards and Technology (NIST). Cybersecurity workforce framework issued for public comment. ScienceDaily, 2011. Retrieved July 26, 2012, from http://www.sciencedaily.com/releases/2011/11/111109161347.htm
[21] United States, General Accounting Office. Technology assessment cybersecurity for critical infrastructure protection. Washington, D.C. U.S. General Accounting Office, 2004.