Individual Assignment # 4

May 22, 2017 | Author: Julio Luzquinos | Category: International Security


Table of Contents

Introduction
I. The Merits and Challenges of Cyber Security Standards
II. Cyber Security Legislative Initiatives
III. Cyber Security Challenges
A. Security for Different Situations
1. Odds of a Breach
2. Means for Enforcing Security
IV. Methods and Goals of Security Standards
A. Criteria Standards
B. Technical Standards
V. Proprietary and Open Source Security Products
A. Proprietary Technologies
B. Open Source Technologies
1. Proprietary products
2. Open source products
VI. Securing Critical Infrastructure
VII. Global Standards

Introduction

Today, almost all aspects of modern everyday life, public and private, are conducted over the Internet. Work-related activities and transactions in every industry, including commerce, health care and finance, are conducted electronically over networks connected to the Internet. These activities and transactions consist of digitized data, and the resulting records are kept and stored in electronic databases. Those databases are in turn linked to the Internet, through which new data can be accessed and added.
Before the advent of the Internet, digitized data and digitized databases, things of value were kept secure mainly by physical means. Walls gave way to metal vaults, guards gave way to locks, and locks became more sophisticated as metallurgical technology evolved. Information was transferred mainly on paper. Financial transactions used letters of credit, paper money or bank notes, and stock trades were executed on "physical trading floors" (Updegrove, 2009). Real property was bought and transferred with the support of paper records and recording standards. The records of all of these activities and transactions were physical copies in the custody of the parties involved in them. Today we still protect our assets with physical measures such as keys, locks and walls. But as individuals and organizations, private and public, we are moving our most valuable assets into the realm of electronically stored, digitized data: our personally identifiable information, our health, work, financial and social records, and our preferences and opinions are all becoming digitized data records. As a result, billions of activities and transactions are conducted every day that end up stored electronically in databases linked to the Internet. The nature of the security measures needed to protect these valuable digitized assets has therefore changed, because the nature of our most valuable assets has changed as well. We live in a new paradigm.
The Merits and Challenges of Cyber Security Standards

As the activities and transactions of our new digitized world are conducted over the Internet, "each is potentially vulnerable to exposure in transit", and the "databases at each end of the relationship are potentially exposed as well." As the Internet becomes the "single backbone to which everything connects, everything is therefore potentially vulnerable." Recent cyber-attacks have shown the vulnerabilities of networks, private and public, and the increasing sophistication of attackers. Security methodologies have not kept pace with technological advances and the added dimensions of risk they bring. First came inexpensive and vulnerable wireless products that enabled "drive by" access to unprotected information. Then came mobile devices like "notebooks, smartphones and tablet computers", linked through telecommunications networks and open Wi-Fi, adding nodes that need protection (Updegrove, 2009). Now we have the "cloud", which requires that data be transferred back and forth between the owners of the data and the cloud's remote locations, an environment in which enterprise users must constantly interact with data stored beyond the firewalls directly under their control. Because of this, and because every new technological advance will call for new security techniques and standards, it will at best be difficult to stay ahead in the design and implementation of security standards.
Cyber Security Legislative Initiatives

There have been legislative initiatives in which laws find increasing application to cybersecurity. These include the Sarbanes-Oxley Act of 2002, which addresses financial information, and the Health Insurance Portability and Accountability Act (HIPAA), which protects the privacy of personal health care data or Electronic Health Records (EHR). States have had their own initiatives, enacting laws that mandate the reporting of data breaches to affected persons. Two examples of State legislative initiatives are the State of New York and the State of California. New York law provides "that persons or businesses conducting business in New York must disclose any breaches of computerized data, including private information." Further, section 208 of the State's Technology Law provides that State entities subject to the law that experience breaches of digitized data including private information must notify the State's Attorney General, the State's Division of Consumer Protection, and the Office of Information Technology (Office of Information Technology Services Enterprise Information Security Office Breach Notification, n.d.). California was the first State to adopt a law applicable to cyber security standards, the California Privacy Laws, which have had nationwide implications because they affect any business dealing with California that obtains personal information from California residents. Assembly Bill 1950 requires businesses to have "reasonable security standards" for personal information but does not define those standards. The law instead considers how businesses may perform risk management analysis and emulate the security standards of two federal laws, the Gramm-Leach-Bliley Act and HIPAA (Milewski, 2006).
Governments and industry have been much slower to adopt security measures than they were to adopt connections to the Internet. But complacency has given way to alarm, and there are numerous public and private efforts to contain the risks. These "efforts will rely heavily on standards of many types", including standards for verifying identity, granting or denying access, making data more convenient to use, and other requirements.


Cyber Security Challenges

The benefits the Internet offers are also its greatest security challenges. Access to common information presents its greatest risk and requires complex solutions. The Internet's greatest value is to interconnect as many users as possible, and "to as much information as possible." Business models have been built on this value, driving firms to maximize the number of users that can access valuable data. Here, business decisions are made about who should have access to what data, under what conditions, and for what purposes. Here again, the challenges are not only technical matters of software and hardware design; the resulting system must be fraud proof, so that unauthorized access is prevented or, if a breach occurs, quickly discovered. In the physical realm intrusions are rather easy to detect with a physical inspection, but in the digitized realm data breaches are not easy to prevent and are "hard to discover" (Updegrove, 2009).
Securing information technology and information, that is, cyber security solutions, presents significant challenges to information technology professionals and developers of security standards. Designing, developing and implementing security tools and standards are expensive programs, so how is security improved while keeping the cost of doing business low? How do security solutions make information convenient to access while effectively securing it? What type of use is given priority when designing security measures: the owner's sporadic use of their own information, or that of those who need the information for professional use? Is security more important than ready access? All of these questions and challenges require different solutions and designs to reach the desired level of security. Achieving the desired levels of convenience, cost and security will always be mutually exclusive goals, so compromises will have to be made and accepted to balance them. The costs incurred when security measures fail are borne by the consumers who bought the products and services that were supposed to be provided in a secure environment, and those costs will have to be compensated, when and if they are, through judicial review or regulatory frameworks. Yet in the end those costs will still be borne by consumers, because costs are always passed on to them. To reduce these costs, the owners and operators of IT services and products, hardware or software, systems and networks must take a realistic approach when evaluating threats, so that security and access decisions are made cost-effectively for the sake of both businesses and consumers (Updegrove, 2009).
Security for Different Situations

Odds of a Breach

Different environments require different security measures or solutions. Securing data is a function of the nature of the data, its sensitivity, and its desirability to attackers. Financial data is a more attractive target for theft than electronic health records, although health records contain personally identifiable information such as social security numbers. By realistically considering the level of threat, security and access decisions can be made cost-effectively.
Means for Enforcing Security

Achieving security within a single organization is difficult, and more so across many enterprises. When one considers the private sector's aversion to regulation, which makes holistic security harder to achieve, the hurdles are higher still. One example of a private sector commitment to address cyber security risks and threats across an entire industry is the payment card industry (PCI). It created the Payment Card Industry Security Standards Council (PCI SSC) in 2006, which treats cyber security as an "environmental" threat and takes a holistic approach to addressing it. The council went on to create a complex, global security infrastructure with process standards for those involved in the industry, such as those who collect, store and transmit payment card data, and technical standards for those who manufacture the technology used to conduct electronic payments. It has also developed standards for auditors of compliance with the security requirements, and certifications that serve as proof of compliance.
Methods and Goals of Security Standards

The scope of the standards needed to achieve durable security across all industries and sectors is extensive, to say the least. They include technical and design standards, evaluative and procedural standards with guides, and best practices for documenting aspects of security development, implementation, operation and evaluation. As these security standards are designed, developed, implemented and evaluated, the following criteria must be included:
Criteria Standards

Risk management: risks need to be identified and assessed, and solutions, roles and responsibilities, and remedies must be decided.
Change management: changes can facilitate threats, so change standards protect the "system" as it goes through those changes.
Physical: threats are not limited to IT threats; they can be physical, such as fire, natural disasters, or a physical attack.
Availability: data should be accessible when needed throughout the system.
Architectural: security is best achieved when it is embedded in the design or development of the product, as opposed to added through after-thought patches, which are the most operationally obstructive and expensive to add. External, after-the-fact security solutions also make it more difficult and expensive to integrate components from different suppliers.
Identity and authentication: how does a system know who you are? With components from different suppliers using different identity and authentication standards, costs increase, as does the inconvenience to users.
Non-repudiation: in e-commerce, consumers need to be held to their intended commitment by acknowledging that they are responsible for their transactions as buyers. Digital signatures accepting the terms of a transaction support this requirement.
Access: access to data should be on a need-to-know basis. To achieve this standard, technical as well as non-technical standards must be developed.
Encryption: renders data unreadable and should be implemented not only during transmission but also in storage.
Integrity: those with access to data must have limited ability to add, modify and remove data. Data already archived should not be allowed to change.
Assurance: can the data be trusted to be the original? The greater the security provided, the greater the data assurance.
Auditability: requires that data is kept intact and that breaches can be detected, and that it is possible to determine when they occurred, how, and from where.
Specific standards: many standards have been developed to address specific environments or industries, and many reach across industries. An example of the latter is the ISO/IEC 27000 series, which provides guidance to firms of all types that use IT networks within the concept of an Information Security Management System (ISMS). An example of the former is the Payment Card Industry Data Security Standard (PCI DSS), for those involved in processing credit or debit card payments.
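Four of the criteria above (encryption in storage, integrity, non-repudiation and auditability) are concrete enough to show in code. The following Go program is an added example written for this page, not code from the assignment or from any standard it cites; it uses only the Go standard library, and the key, record, order text and audit entries are constructed sample values. It seals a record with AES-GCM so a single flipped bit in storage is rejected on decryption (encryption plus integrity), has a buyer sign an order with an Ed25519 key only they hold (non-repudiation), and keeps a hash-chained audit log in which editing an archived entry is detected and located (auditability).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtRest seals a record with AES-256-GCM: the stored bytes are unreadable
// without the key, and any change to them is caught on decryption. The nonce is
// prepended so the decryptor can recover it.
func EncryptAtRest(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

// DecryptAtRest fails if the authentication tag does not match, i.e. if the
// sealed record was modified in storage (the integrity criterion).
func DecryptAtRest(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed record too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// SignTransaction and VerifyTransaction give non-repudiation: the buyer signs the
// order with a private key only they hold, so they cannot later deny it.
func SignTransaction(priv ed25519.PrivateKey, order string) []byte { return ed25519.Sign(priv, []byte(order)) }

func VerifyTransaction(pub ed25519.PublicKey, order string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(order), sig)
}

// AuditEntry is one record of a hash-chained audit log: each entry commits to the
// previous entry's hash, so editing an archived entry breaks the chain after it.
type AuditEntry struct {
	Seq                           int
	Actor, Action, PrevHash, Hash string
}

func entryHash(seq int, actor, action, prev string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%s", seq, actor, action, prev)))
	return hex.EncodeToString(sum[:])
}

// AppendAudit adds an entry chained to the current tail of the log.
func AppendAudit(log []AuditEntry, actor, action string) []AuditEntry {
	prev := ""
	if n := len(log); n > 0 {
		prev = log[n-1].Hash
	}
	seq := len(log)
	return append(log, AuditEntry{seq, actor, action, prev, entryHash(seq, actor, action, prev)})
}

// VerifyAudit returns the index of the first entry whose link or hash is wrong, or -1 if intact.
func VerifyAudit(log []AuditEntry) int {
	prev := ""
	for i, e := range log {
		if e.PrevHash != prev || e.Hash != entryHash(e.Seq, e.Actor, e.Action, e.PrevHash) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	key := make([]byte, 32) // constructed demo key; production keys come from a key manager
	rand.Read(key)
	sealed, _ := EncryptAtRest(key, []byte("ssn=000-00-0000")) // constructed sample record
	sealed[len(sealed)-1] ^= 0x01                                // one flipped bit in storage
	_, err := DecryptAtRest(key, sealed)
	fmt.Println("tampered record rejected:", err != nil)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("order signature valid:", VerifyTransaction(pub, "buy 10 units", SignTransaction(priv, "buy 10 units")))
	log := AppendAudit(AppendAudit(nil, "alice", "read record 42"), "bob", "update record 42")
	log[0].Action = "read record 43" // after-the-fact edit of an archived entry
	fmt.Println("first tampered audit entry:", VerifyAudit(log))
}
```

Note that the audit chain only makes tampering detectable; to make it provable to a third party the tail hash would also need to be signed or published, which is where the non-repudiation and auditability criteria meet.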
Technical Standards

At the machine level, several security standards are needed to implement security. Some of them are:
Security Assertion Markup Language (SAML): allows the exchange of authentication and authorization data, enabling single sign-on.
OpenID: a standard that also enables single sign-on and online identity.
Public Key Infrastructure (PKI): a certificate authority provides and certifies public and private authentication and authorization keys through public key certificates.
(Ferrarini, 2003)
The persistence of threats in cyberspace demands that decisions about standards be made and adapted in increasingly short periods of time. As the health care and card payment industries show, complex standards providing effective security have already been developed, so the case can be made that making new decisions about standards for other industries is a matter of adaptability and consensus building. This leads directly to the source from which security technologies and products are chosen or acquired: commercial, proprietary or off-the-shelf products, or open source products.


Proprietary and Open Source Security Products

In her 2003 article in Computer Technology Review, Elizabeth M. Ferrarini states that as organizations become more dependent on the Internet to do business, it is imperative that they be able to lock down the perimeter of their networks from outside networks. Perimeter security, she states, must focus on six areas: "Access Control; Authentication; Secure Remote Access; Content Security; Traffic Encryption; and Alarming or Intrusion Detection." (Ferrarini, 2003)
Proprietary Technologies

Proprietary or commercial technologies, also known as off-the-shelf products, are those specifically designed for an enterprise's particular operations; they are either sold off the shelf or designed and provided through a buyer-supplier relationship (BSR). Proprietary products are tailored to a specific client's or buyer's requirements and in many cases can enable a sustainable competitive advantage by providing a tool that improves productivity, lowers costs and increases quality. They are "inimitable, valuable and non-substitutable." (Yan Jin, 2013)
Open Source Technologies

Open source or generic products are non-proprietary, developed by contributing developers for reasons other than profit, and mostly free to download from a website. The Open Source Software Foundation set up unofficial guidelines for developers who want to contribute to writing and distributing open source software. The most widely used open source product is the Linux operating system, which is seeing increasing use by businesses and government agencies. In her 2003 article, Ferrarini also cites John Pescatore, a security analyst with the Gartner Group, who states that this trend of increased use of the Linux OS has spilled over into more open source security tools, and that there are "hundreds" of open source products for each of the six perimeter security categories mentioned above. (Ferrarini, 2003)
Network administrators securing their perimeters usually focus on hard parameters, such as security features, purchase price, performance and certifications. But soft parameters are just as important: reliability and honesty, ease of setup and update, and all-in-one products. On the last of these, proprietary and open source products differ as follows:
Proprietary products

Not all vendors offer a full line of security products. Developing every security feature into one product is expensive and time consuming, so vendors concentrate on one area of perimeter security.
Open source products

With Linux as the operating system, security products can be downloaded, including ones that cover all areas of perimeter security. A characteristic of open source products that stands out is that they are updated more quickly and more openly than proprietary products. With proprietary products, vendors usually do not fix vulnerabilities unless a significant breach has exposed them.
Securing Critical Infrastructure

Richard Alan Clarke, a security expert from the George H.W. Bush administration, wrote an article on counterterrorism for Bloomberg Businessweek titled "Richard Clarke's Four Steps to Cybersecurity." These steps are: getting serious about espionage, specifically industrial espionage; quarantining information; building, not buying, security, in other words building proprietary security tools; and signing an international treaty that places banking off limits for cyber-attacks. (Clarke, 2010) The point here is that security standards are increasingly central to high-level organizational and institutional governing policy in both the private and public sectors. The urgency to act cannot be overstated. As shown above, there are existing standard practices that other industries can adopt, or emulate and fit to their own specific requirements, so it is a matter of will and budgetary commitment for them to design, adapt and implement security standards. President Obama stated, immediately after his 60-day review of the state of the nation's critical infrastructure information and information technology, that he would not impose regulations on the private sector but would work with it to secure the nation's critical infrastructure.
Global Standards

The Need for a Human-Centric View of Cybersecurity

The speed with which cyberspace has affected our lives, the way societies interact, the way companies bring products and services to market, and how those activities must be governed has become alarmingly embedded in cyberspace, with its risks and threats increasingly affecting national security as well. National critical infrastructures and the global economy are exposed to threats of cyber-espionage and cyber-crime. The attacks on Estonia and Georgia and the deployment of Stuxnet provide evidence of cyberspace's strategic significance for national security. So far, cybersecurity has been approached through a number of disciplines that have contributed to "the debate about the nature of cyber-security." (Liaropoulos, 2015) Because of this, "states have defined cyber-space in their military and security doctrines as a new domain of conflict" (Liaropoulos, 2015), and cybersecurity is conceived as a matter of national security. Large amounts of money are being spent on governmental reports and on creating entities that help manage the risks and threats born in cyberspace, and justifiably so. But Andrew Liaropoulos, at a 2015 conference at the University of Piraeus, Greece, argued that these approaches are not sufficient to combat cyber-threats and cyber-crimes. Liaropoulos proposes that cybersecurity "should not only address the security needs of the state, but also that (if not primarily) of the people." (Liaropoulos, 2015) Cyberspace, says Liaropoulos, is loosely defined, without an explicit and universally agreed definition, and because of this cybersecurity is inconsistently defined as well. When defining cyberspace, Liaropoulos proposes, we should see it not only as a global network of hardware, software and information systems but also of people and the social interactions that take place within these systems.
The plethora of terms used to talk about different aspects of cybersecurity adds to the uncertainty and confusion about the subject. Information security, ICT security and network security are but a few that refer to different types and levels of risk in cyberspace, more so when they are used in different contexts, as in the political field, where cybersecurity is related to national security rather than to technical or legal concerns. National security and national cybersecurity are approached differently by different states, and these approaches depend on needs, priorities and capabilities, including those of their industries and peoples. Approaches may include defending against hackers, terrorists and other states, and may include data and information manipulation. Liaropoulos tells us that the approach, however, should be to provide the state's citizens with a secure cyber environment; the purpose of a national cybersecurity policy should be to provide a secure cyber environment, or in policy terms, the "protection of critical national infrastructures." (Liaropoulos, 2015)
Further, Liaropoulos states that concentrating on the protection of national critical infrastructure neglects the rights of citizens, as cyber-attacks are seen as threats to information infrastructures and not as violations of privacy rights or freedom of speech. In his discussion of classical security, Liaropoulos writes that there is anarchy in the international system, and that the security dilemma has two levels: first, how to interpret the actions of "adversary" states, and second, how to react when those "adversary" states beef up their security; these are known as the interpretation and decision levels. Nations therefore fall into a spiral of security/insecurity. This dilemma manifests itself in cyberspace, and nation states increasingly build their cybersecurity defenses within this security/insecurity spiral. This spiral of insecurity that drives a buildup of defenses manifests itself not only among competing nation states but also within a single state against its own citizens, who become not beneficiaries but victims of cybersecurity policies. Some of the resulting effects are reduced access to Internet sites and surveillance that monitors online activities. These policies have a significant "effect on privacy, anonymity, and security." (Liaropoulos, 2015) The Snowden revelations exposed the "global surveillance" program of the U.S. National Security Agency (NSA), justified by its claim to protect the homeland against terrorism. Should the approach to cybersecurity, then, be different? Should it be centered on people's need for privacy and on their security?
As it has generally been used, the term human security is associated with "organized crime, human rights, arms conflict, genocide, global health and development" (Williams, 2008). Advocates of human security are critical of traditional approaches to international security, which are state-oriented, and want the focus to be on human needs. This does not mean that states do not count their citizens among the subjects of their protection, but rather that their "priorities might deemphasize certain human needs" and that "in the absence of global governance" only the single nation state has the "authority and capability to secure human needs" (Liaropoulos, 2015). Among the many definitions of human security, Liaropoulos writes, it can be "perceived as the policies and practices that safeguard and empower the people to exercise their human rights freely and secure." But this concept is lacking in the cybersecurity debate. The concept of state-centered cybersecurity rests on the belief that states provide security for their citizens. This concept may well have applied before the advent of the Internet. Cyberspace is different in that it is a domain that crosses international borders and in which nations are trying to "exercise their sovereignty."

In an article on Fortune.com in October 2013, Michal Lev-Ram wrote about the push by Huawei, the Chinese manufacturer of telecommunications equipment, for international cooperation in developing global cyber security standards. Huawei has been blocked from doing business in the U.S. market because of alleged ties to the Chinese government, and it has tried without success to bid for contracts in the United States of America. Concerns that its equipment would expose critical infrastructure in the U.S.A. to cyber-espionage are one of the main reasons for the ban. Huawei has therefore engaged in a lobbying and public relations campaign to advocate and prove that its products do not present a threat to U.S. networks. Around the time of the referenced article, "Huawei published a white paper, titled "Cyber Security Perspectives" advocating a wide set of security standards." The white paper "calls for corporations and regulators to work together on setting global cybersecurity standards." To start, Huawei "has shared some of its own best practices." It is not known whether Huawei is serious about playing a leading role in the development of a global cyber security framework. What is clear is that Huawei will show patience in its quest to enter the U.S.A. market. (Lev-Ram, 2013)
Efforts by the U.S.A. Congress and multilateral initiatives aimed at reducing risks and combating cybersecurity threats have obtained limited results, and courts and regulators have been using common law and statutes to hold firms accountable for cyber-attacks. However, these judicial and regulatory actions have been inconsistent, partly because of confusion about what the standards of cybersecurity care are (Scott J. Shackelford, 2015). The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides cybersecurity standards that have the potential to shape standards not only for critical infrastructure but for the general private sector as well.




