Cybersecurity and the Art of Cyberwar
Series: Security, Audit and Leadership Series;
- Publisher's list price: GBP 44.99
- Price: 20 312 Ft (19 345 Ft + 5% VAT). The price is an estimate because the HUF conversion rate that will apply when the book arrives is not known at the time of ordering; if the HUF is weaker the price rises slightly, and if it is stronger the price falls slightly.
- Discount: 10% (approx. 2 031 Ft off)
- Discounted price: 18 281 Ft (17 411 Ft + 5% VAT)
Availability: Not yet published.
Product details:
- Edition number: 1
- Publisher: CRC Press
- Date of publication: 23 June 2026
- ISBN: 9781032993089
- Binding: Paperback
- No. of pages: 256
- Size: 234 x 156 mm
- Language: English
- Illustrations: 8 illustrations, black & white; 7 halftones, black & white; 1 line drawing, black & white
Short description:
“The art of war is of vital importance to the state. It is a matter of life or death. Hence, it is a subject which can on no account be neglected.” Sun Tzu
Why are we calling this war? It’s because the conflict in cyberspace is a matter of national concern, and we are, most assuredly, losing the current struggle.
Long description:
The relevant statistic for this book is that only twenty-nine percent of the annual, overall loss to cyber exploits is attributable to purely electronic attacks. The remaining human and physical exploits account for seventy-one percent. Hence, it is self-evident that effective cyber-protection requires an appropriately tailored and synergistic electronic, human, and physical security control system.
The problem is that the industry doesn't view it that way. Over the past thirty years, cyber protection has been treated as a purely electronic, computer-based problem. That thinking might have made sense before the advent of sophisticated social engineering and other kinds of non-electronic attacks. But now that significant losses can arise from exploits such as insider theft or phishing, any cyber defence that relies solely on an electronic solution is, almost by definition, doomed to failure. That is because the modern adversary is smart.
That is why reconnaissance is the hacker's first principle. Before any attack begins, the aim is to identify the places in the defence that are insufficiently secured or lack appropriate controls. Hence, in practical terms, investing only in intricate electronic solutions is a waste of time, because they merely encourage your adversary to try something else. Saltzer and Schroeder called this phenomenon the "work factor."
In practical terms, the work factor principle means that the hacker will follow the path of least resistance. So it is irrelevant whether the attack is elegant or brute force, as long as it succeeds in breaching the protection. Consequently, if robust electronic elements protect your system, the intruder will simply turn to exploits such as social engineering, subverting an insider, accessing an unattended endpoint, or simply stealing the device.
A proper defence requires all of the fort's walls to be present and properly designed and implemented. So robust human and physical controls must also be integrated into the solution. That requirement, i.e. no apparent gaps in the defence, is the justification for this book.
The book will present the basic principles of holistic security. Holistic security is based on developing a complete architecture of synergistic controls tailored to specifically address the actual concerns of a given protection target. It is a strategic reconnaissance design and implementation process, not a head-down focus on deploying electronic controls.
Table of Contents:
Chapter One - Introduction: Holistic Security
A. The Ongoing Disaster in Cyberspace – this documents the general challenge of securing virtual space
B. Electronic Solutions are not a Solution – this explains why a solely electronic approach is by definition inadequate by itemizing the other legitimate categories of attack and providing a taxonomy of the various legitimate methods of attack.
C. Why We Need a Holistic Approach – this outlines the necessity for a context-based, total solution, as well as the process for building cybersecurity systems
D. The Cybersecurity Process – this presents a unique three-domain meta-process for holistic solutions and explains and justifies why that process has to be followed
Chapter Two – Three Legitimate Attack Surfaces and their Different Challenges
A. Electronic Attack Surface Elements and Controls – characteristics, strengths and weaknesses of the electronic elements of the system and their common mitigations.
B. Human Attack Surface Elements and Controls – characteristics, strengths and weaknesses of the human behavioral elements of the system and their common mitigations.
C. Physical Attack Surface Elements and Controls – characteristics, strengths and weaknesses of the physical elements of the system and their common mitigations.
D. Architecture: Ensuring Synergy Between Attack Surfaces – this describes the process for integrating control solutions for each interface into a single holistic response
Chapter Three – Common Best Practice Standards for Holistic Security
A. What is Best Practice and Why is it Important – description of how best practice for the profession of cybersecurity evolves over time and the resulting standard frameworks
B. Commonly Accepted Best Practice Frameworks – discussion of the standard models for implementing holistic cybersecurity and how they specifically apply in real world practice.
a) ISO 27000 – international specification of the cybersecurity process elements
b) FIPS 200/NIST 800-53 – specification of the U.S. requirements for cybersecurity
c) COBIT – the most commonly adopted commercial standard for cybersecurity
d) ISO 12207 – international specification of the software process elements
Chapter Four - Practical Defence in Depth: Integration of Best Practice into a Holistic Response
A. Explanation of the Strategic Concept of Defence in Depth – What is the purpose of defence in depth? What are the roles of coherent perimeters in defining it?
B. Use of a Standard Model to Implement Specific Protection Needs – the universal process for selection and deployment of best practice control sets
C. Why Top-Down Development is Essential – how an iterative process of top-down refinement can be used to adapt abstract principles to a specific practical solution
D. Integrating Control Sets into a Holistic System – how common control categories can be utilized to validate the correctness of a real world holistic solution
Chapter Five – Creating the Solution: Architectural Concerns and Tailoring
A. Building Real Architecture Out of Tailored Control Sets – how to create a substantive individualized protection system for real world organizational application
B. What is Tailoring and Why is It Necessary – the generally accepted method for adapting a standard’s general best practice recommendations to a given specific instance
C. Ensuring Synergistic Responses – methods for building proper interdependence and interactive synergy into the composition of a tailored architecture.
D. The Tailoring Process: Examples – this provides detailed specific examples of the tailoring process for two common standards (ISO 27000 and FIPS 200/NIST 800-53)
Chapter Six – Maintaining a Holistic Solution: Evaluation and Evolution
A. Practical Control Baselines: How are they Created and Maintained – a practical methodology for building substantive control baselines for a given instance
B. Ensuring Effective Control Performance – examples of common methodologies for validating and verifying control baseline effectiveness.
C. Assessing Control Performance in the Operational Setting – method for ensuring that the status of the control baseline is always known and validated as correct
D. Control Architecture Change Management and Evolution – method for effective operational management of changes to organizational control architectures
Chapter Seven – Practical Considerations for the Board Room: Changing the Culture
A. We Don’t do it That Way: The Problem of Organizational Culture – large scale strategies for overcoming corporate inertia and resistance to change
B. The Role and Accountability of Leadership in Obtaining Practical Results – five large scale governance factors that must be recognized and enforced by corporate leadership
C. The Capable Organization and How You Get There – a staged approach to development of a capable organizational security response
D. Education and Training – a method for implementing education and training programs to ensure the continuing security behaviour of individuals in the corporate environment.