Protecting the Homeland Group 1 Team USA University of Maryland Global Campus

Document Content and Description Below

Protecting the Homeland Group 1 Team USA University of Maryland Global Campus 2 PROTECTING THE HOMELAND Abstract The Cyber Security industry is built upon a collaboration of many individuals w... ith varying degrees of expertise and background. This is no exception to the individuals pursuing a masters in Cyber Security. Members of CYB 670 the Capstone in Cybersecurity began their journey in this course assigned to a nation in the Five Eyes intelligence alliance, comprised of the United States, United Kingdom, Australia, Canada, and New Zealand. As a nation team, members collaborated to represent and defend the cybersecurity policies and postures of their assigned nations. Our team in particular was assigned to the United States team. We were also assigned to the critical infrastructure sector that is known as the United States Government, which we represented in completing the Executive Leadership In Tabletop Exercises (ELITE) activity. This report is comprised of a series of events that transpired before, during, and after a Global Economic Summit (GES) scenario along with ELITE. In this report we used the knowledge of key findings from the GES and ELITE to propose recommendations to mitigate risks and strengthen the United States’ cyber infrastructure. 3 PROTECTING THE HOMELAND Table of Content Abstract..................................................................................................................................2 Table of Content......................................................................................................................3 Introduction............................................................................................................................5 Federal and State Policy Comparison.......................................................................................5 Team Sector Brief....................................................................................................................9 Cybersecurity Enhancement Act of 2014............................................................................9 Federal Information Security Modernization Act (FISMA)............................................11 Education and Training Policies.........................................................................................11 Impact of Policy on Research and Development.......................................................................12 NIST Standards for Cloud Computing......................................................................................14 Essential Characteristics.....................................................................................................14 Service Models.....................................................................................................................14 Deployment Models.............................................................................................................15 Cloud Computing and the US Government......................................................................15 Cost Savings.........................................................................................................................15 Flexibility..............................................................................................................................16 Cloud Computing Security Benefits...................................................................................16 Compilation Report-Out........................................................................................................16 Project 1 - Global Economic Summit........................................................................................17 Determine Bad Actors............................................................................................................17 Policy Matrix Comparison.....................................................................................................18 Network Security...................................................................................................................18 System Security Risk and Vulnerability Assessment............................................................20 Analysis of the Security Baseline of the GES.......................................................................22 International Domain and Regulations Analysis...................................................................23 Key International Initiatives..................................................................................................25 Cybersecurity Policy and Baseline Analysis Report.............................................................25 Project 2 - Nations Behaving Badly..........................................................................................26 Attack Vectors........................................................................................................................26 Vulnerability Assessment Matrix...........................................................................................30 4 PROTECTING THE HOMELAND Best Practices, Countermeasures, and Cybersecurity Risk Assessment................................31 Incident Response..................................................................................................................32 Cyber Defense Information Analysis.....................................................................................36 Data Exfiltration Service-Level Agreement (SLA)...............................................................40 Forensic Report......................................................................................................................42 Deliverable.............................................................................................................................44 Project 3 - Lockdown.................................................................................................................44 Systems Locked Down Ransomware Response....................................................................45 SITREP..................................................................................................................................47 Software Development Life Cycle........................................................................................48 Business Continuity Plan.......................................................................................................50 Intelligence Debriefing..........................................................................................................51 Lessons Learned Video..........................................................................................................51 Next Steps for the Computer Security Incident Response.....................................................52 Deliverable.............................................................................................................................53 Expert Testimony Video.........................................................................................................53 Cyber Sector Risk Profile........................................................................................................58 Risk Profile................................................................................................................................59 Threat Type 1.......................................................................................................................59 Threat Type 2.......................................................................................................................60 Threat Type 3.......................................................................................................................62 Risk Mitigation Strategies...................................................................................................63 Federal Government Sector................................................................................................66 Lessons Learned from ELITE Report........................................................................................67 ELITE Rounds – Events, Decisions and Results.......................................................................68 Round 1.................................................................................................................................68 Round 2.................................................................................................................................72 Round 3.................................................................................................................................75 Lessons Learned........................................................................................................................78 Conclusion.............................................................................................................................82 Appendix...............................................................................................................................84 References...........................................................................................................................142 5 PROTECTING THE HOMELAND Introduction As members of the FVEY, team members prepare to participate in a Global Economic Summit held in the United Kingdom. In preparations for the summit our team first compared federal policies with individual state standards that might exist to see how we can establish a relationship amongst various sectors to ensure profitability, national security, and ensure limited downtime. A team sector brief was then provided to set the tone for what the United States Federal Government expects from a relationship with the Five Eyes (FVEY) Alliance which is also comprised of the United Kingdom, Australia, Canada, and New Zealand. A compile out report is provided to outline tasks and steps taken prior to, during, and after the global economic summit. Following the compile out, our digital forensic investigator will provide an expert testimony on the information and data collected throughout this course. It will be used to evaluate national cybersecurity policies and present well-reasoned conclusions, based. We then detail the United States Federal Government risk profile and make recommendations by implementing the lessons we have learned through our participation of ELITE. Federal and State Policy Comparison In a digital dependent economy, federal and state agencies must develop cybersecurity policies to promote and protect the use and sharing of digital information. The federal government has made great strides in developing cyber policies. However, they are often not tailored to the needs of the individual States. As such, State legislatures have also placed immense focus on improving cybersecurity practices within the state government and increasing resources and training to combat cyberthreats. The Congressional Research Services (2018) has identified several policy issues that are currently affecting the US Federal Government. See Table 1 - Cybersecurity: Selected Issues for the 115th Congress. These issues have forced individual states to develop their own policies to address federal shortcomings. For the purpose 6 PROTECTING THE HOMELAND of this report we will compare Federal and state policies as it relates to Critical Infrastructure (CI), data breaches and data security, and education and training. According to Frederick, Greenberg & Gruwell (2019), in 2019 there were 43 states and Puerto Rico that either introduced or considered close to 300 bills or resolutions that specifically address cybersecurity. The list of legislations includes:  Requiring government agencies or businesses to implement training or specific types of security policies and practices  Creating task forces or commissions  restructuring government for improved security  studying the use of blockchain for cybersecurity  providing for the security of utilities and critical infrastructure  exempting cybersecurity operations information from public records laws  addressing the security of connected devices  regulating cybersecurity within the insurance industry  Providing funding for improved security measures  Addressing cybersecurity threats to elections A main area of concern for the Federal government is critical infrastructure (CI) policy. Due to increased risk of attacks, specific sectors such as the chemical and financial sectors fall under federal regulation. However, regulations of sectors such as the information technology sector remains voluntary (Congressional Research Services, 2018). In 2014 the Cybersecurity Enhancement Act of 2014 was authorized by congress to address CI concerns. According to the Congressional Research Services (2018), the act consisted of 3 factors: 1. A core set of activities and outcomes applicable to all the sectors, organized into five functions (identify, protect, detect, respond, and recover) 7 PROTECTING THE HOMELAND 2. A profile describing an entity’s current and target cybersecurity postures; and 3. implementation tiers that characterize the entity’s current and intended practices. However, the act remains voluntary in nature. In a response to protect critical infrastructures, Virginia along with 12 other states (Indiana, Iowa, Kentucky, Louisiana, Mississippi, Missouri, North Dakota, Oklahoma, South Dakota, Tennessee, Texas, and West Virginia) “have passed laws that either criminalize unlawful entry to critical infrastructure facilities or enhance the penalties associated with those offenses” (Greenberg, 2020). Virginia statute VA S 378 criminalizes and prohibits computer trespass if done through intentionally deceptive means and without authority. VA House Joint Resolution 64 outsources to Information Technology Agencies to study the Commonwealth's susceptibility, preparedness, and ability to respond to ransomware attacks at the state and local levels of government. While federal policy focuses on what needs to be done, the State level legislations allow for deterrence as well as action on the state level to protect critical infrastructures. With organizations moving to a digital data storage posture, data breech and data security must take precedence in order to protect consumers. According to Stevens (2010), “no single federal law or regulation governs the security of all types of sensitive personal information”. It is the responsibility of the entity or sector that collected the information to determine which laws are applicable. For example, the Federal Information Security Management Act (FISMA) grants authority to federal agencies such as the National Institute of Standards and Technology (NIST) and the Office of Management and Budget to research and reduce information technology risks on the federal level. On the state level, 45 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation that mandates business and state government agencies to notify 8 PROTECTING THE HOMELAND affected parties of all security breaches involving personal information. Some states also require affected businesses to offer information security programs to protect the security, confidentiality, and integrity of victims of breaches (Stevens, 2010). Unlike federal law, States such as California, Connecticut, Illinois, Massachusetts, Minnesota, New Jersey, Texas, and Wisconsin are considering legislation to hold retailers financially liable for data breaches. This further encourages retailers to take interest in data security and breach prevention. The ever changing nature digital information processing requires extensive training to ensure usability and breach prevention. As such, the federal government in conjunction with the National Initiative for Cybersecurity Education (NICE), which is the federal coordinating body for cybersecurity education, training, and workforce development, have placed much effort into developing training policies and programs. The federal government has allocated much funding and partnership in developing training programs such as CyberPatriot and the National Collegiate Cyber Defense Competition, CyberCorps, and College of Cyber and the Federal Virtual Training Environment. According to the Congressional Research Services (2018), much of the federal training programs are tailored into attracting and retaining federal, military, and civilian cybersecurity workers. In conjunction with Federal efforts, many States have developed cybersecurity training for the executive branch state employees. Training mandate varies by state. Hawaii does not have a formal training program, while Maryland takes advantage of training provided by the Department of Homeland Security. Many other States have developed their own training programs based off of Federal requirements. Frederick (2017) offers a full list of State policies regarding cyber training and education by States. See Table 3 - Employee Cybersecurity Training by State. 9 PROTECTING THE HOMELAND Team Sector Brief As a member of FVEY the US is dedicated to keeping the popular sentiment in the U.S. high, in relation to matters of cybersecurity. Additionally, the US is dedicated to ensuring the nation’s cybersecurity remains strong. At the Federal level, the US established the Cyber Security Command (CSC), a branch of the Department of Homeland Security (DHS), to unify cybersecurity responses. CSC aims to prepare for, prevent, and respond to cyber emergencies. CSC also supports state and local governments in cybersecurity as well as assist in improving abilities to identify and protect against cyber threats. CSC has three primary focuses:  Prescribe a uniform technical setup for federal agencies across the United States  Define operational cybersecurity policies for federal agencies across the United States  Control the areas of technical advisories, co-operation with the private sector, and funding cybersecurity research. Much of the focus upon cybersecurity policy research and development has both a direct and indirect impact on cybersecurity technology decisions. Below is a brief analysis of recent Federal bills that were introduced specifically for the improvement of cybersecurity systems and technology decisions. Cybersecurity Enhancement Act of 2014 S.1353 - Cybersecurity Enhancement Act of 2014 empowers the National Institute for Standards and Technology (NIST) in continue to develop the voluntary Cybersecurity Framework. The bill focuses on five key areas in which to promote cybersecurity research. First, under the direction of NIST, it instructs the Secretary of Commerce to focus on facilitating and supporting the development of a voluntary, industry-led set of standards and procedures to reduce cyber risks to critical infrastructure within the private/public sector collaboration on cybersecurity. Second, CEA focuses on cybersecurity research and development by first directing 10 PROTECTING THE HOMELAND the National Science and Technology Council (NSTC) and the Networking and Information Technology Research and Development Program (NITRDP) to guide the research and development for improved information technology and networking systems. CEA also directs certain federal agencies and departments to conduct studies to determine how to design and build complex software-intensive systems, how to test and verify that software and hardware is free of security flaws. NIST can also solicit help from both the private industry and academia. Third, CEA focuses on education and workforce development through empowering the Department of Commerce, the National Science Foundation (NSF), and the Secretary of Department of Homeland Security (DHS), in conjunction with the Director of the Office of Management and Budget (OMB) to promote completion in an effort to seek individuals with innovative cybersecurity ideas for infrastructure ideas. Fourth, CEA promotes cybersecurity awareness and preparedness through empowering the director of NIST to continue national cybersecurity awareness and preparedness campaigns that will increase public awareness and understanding of cybersecurity risks. Last, in order to promote advancement of cybersecurity technical standards, CEA instructs NIST to coordinate with federal agencies in the development of international technical standards related to information security. NIST must also work with OMB and other stakeholders, to promote the implementation of cloud computing services on the federal government. CEA also requires NIST to promote and improve interoperability among identity management technologies. Federal Information Security Modernization Act (FISMA) FISMA 2014 was introduced to improve the outdated FISMA 2002. It grants the Department of Homeland Security the “authority to develop and oversee the implementation of binding operational directives to other agencies, in coordination and consistent with OMB policies and practices” (CISA, 2020). FISMA allows DHS the ability to: 11 PROTECTING THE HOMELAND  provide operational and technical assistance to other federal Executive Branch civilian agencies  Deploy DHS technologies to other agencies' networks  Directs OMB to revise policies regarding notification of federal agency data breaches  Mandate immediate reporting of major information security incidents and data breaches to Congress Education and Training Policies There are many Federal policies developed specifically for the promotion and implementation of cybersecurity education and training on the Federal. State, Local, and private sectors. According to CISA (n.d.), “The Department of Homeland Security (DHS) is committed to providing the nation with access to cybersecurity training and workforce development efforts to develop a more resilient and capable cyber nation”. The training covers various aspects such as Continuous Diagnostics and Mitigation (CDM), the Identify Mitigate and Recover (IMR) webinar, and cyber range challenges. Training is conducted utilizing the Federal Virtual training Environment (FedVTE). Participants can engage in certification prep courses to prepare and train for certifications in Ethical Hacker, Cybersecurity Analyst (CySA+), Network +, Security +, Certified Information Security Manager (CISM), and Certified Information Systems Security Professional (CISSP). Impact of Policy on Research and Develop References A Guide to Cyber Attribution. (2018, September 14). Retrieved from https://www.dni.gov/files/CTIIC/documents/ODNI_A_Guide_to_Cyber_Attribution.pdf Ashcroft, J. Daniels, D. J., & Hart, S. V. (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. Office of Justice Programs National Institute of Justice. https://www.ncjrs.gov/pdffiles1/nij/199408.pdf Ashjian, L. (n.d.). Incident Response Team: What are the Roles and Responsibilities? . Retrieved from https://cybersecurity.att.com/resource-center/ebook/insider-guide-to-incidentresponse/arming-your-incident-response-team Bidgoli, H. (2006). Handbook of information security: Threats, vulnerabilities, prevention, detection, and management. http://indexof.es/Hack/Wiley.Handbook.of.Information.Security.Vol.3%20(2006).pdf Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide: Special publication 800-61, Revision 2. National Institute of Standards and Technology. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf CISA. (2020). Federal Information Security Modernization Act. Retrieved from https://www.cisa.gov/federal-information-security-modernization-act Congressional Research Service. (2018, March 09). Cybersecurity: Selected Issues for the 115th Congress. Retrieved from https://www.everycrsreport.com/reports/R45127.html 144 PROTECTING THE HOMELAND EC-Council. (2020, March 17). Phases of an Incident Response Plan: EC-Council Official Blog. Retrieved from https://blog.eccouncil.org/phases-of-an-incident-response-plan/ Federal Rules of Evidence. (n.d.). Rule 702: Testimony by expert witnesses. http://federalevidence.com/rules-of-evidence Frederick, S., Greenberg, P., & Gruwell, A. (2019, November). State and Federal Efforts to Enhance Cybersecurity. Retrieved from https://www.ncsl.org/research/telecommunications-and-information-technology/stateand-federal-efforts-to-enhance-cybersecurity.aspx Frederick, S. P. (2017, October 11). State Cybersecurity Training for State Employees. Retrieved from https://www.ncsl.org/ncsl-in-dc/standing-committees/law-criminal-justice-andpublic-safety/state-cybersecurity-training-for-state-employees.aspx Fruhlinger, J. (2020, February 12). The OPM hack explained: Bad security practices meet China's Captain America. Retrieved from https://www.csoonline.com/article/3318238/the-opm-hack-explained-bad-securitypractices-meet-chinas-captain-america.html GAO. (2019). High Risk: Ensuring the Cybersecurity of the Nation. Retrieved from https://www.gao.gov/highrisk/ensuring_the_security_federal_government_information_systems/why_did_study    Greenberg, P. (2020, September 13). Cybersecurity Legislation 2020. Retrieved from https://www.ncsl.org/research/telecommunications-and-informationtechnology/cybersecurity-legislation-2020.aspx  145 PROTECTING THE HOMELAND Kleijssen, J & Perri, P. (n.d.). Cybercrime, Evidence and Territoriality: Issues and Options. Retrieved from https://rm.coe.int/cybercrime-evidence-and-territoriality-issues-andoptions/168077fa98 Kuhn, D. R., Hu, V. C., Polk, W. T., Chang, S. (2001). Introduction to public key technology and the federal PKI infrastructure. National Institute of Standards and Technology, U.S. Department of Commerce. http://csrc.nist.gov/publications/nistpubs/800-32/sp800-32.pdf Lindsay, J.R. (2015, November 28). Tipping the scales: the attribution problem and the feasibility of deterrence against cyberattack. Retrieved from https://academic.oup.com/cybersecurity/article/1/1/53/2354517 National Institute of Standards and Technology (NIST) (2015). Security and privacy controls for federal information systems and organizations. NIST Special Publication 800-12Revision 4, 1-462. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf Networking and Information Technology Research and Development (NITRD, (December, 2019). Federal Cybersecurity Research and Development Strategic Plan. Retrieved from https://www.nitrd.gov/pubs/Federal-Cybersecurity-RD-Strategic-Plan-2019.pdf Office of the Director of National Intelligence. (2018, September 14). A Guide to Cyber Attribution. Retrieved from https://www.dni.gov/files/CTIIC/documents/ODNI_A_Guide_to_Cyber_Attribution.pdf Pomerleau, M. (2015, August 17). State vs. non-state hackers: Different tactics, equal threat? Defense Systems. Retrieved from https://defensesystems.com/Articles/2015/08/17/Cyberstate-vs-non-state-haclers-tactics.aspx Roadmap Working Group. (2013, July). NIST Cloud Computing Standards Roadmap. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-291r2.pdf S.1353 - 113th Congress (2013-2014): Cybersecurity Enhancement Act of 2014. (2014, December 18). Retrieved from https://www.congress.gov/bill/113th-congress/senatebill/1353/text Schmidlin, K., Clough-Gorr, K. M., Spoerri, A. (2015). Privacy Preserving Probabilistic Record Linkage (P3RL): a novel method for linking existing health-related data. BMC Medical Research Methodology. https://bmcmedresmethodol.biomedcentral.com/articles/10.1186/s12874-015-0038-6 Shea, D. (2020, July 21). State Policy Trend: Protecting Critical Infrastructure and Peoples' Right to Protest. Retrieved from https://www.ncsl.org/research/energy/state-policy-trendprotecting-critical-infrastructure-and-peoples-right-to-protest-magazine2020.aspx Simmons, R. (2017, December). SANS Institute Information Security Reading Room. Retrieved from https://www.sans.org/reading-room/whitepapers/mobile/byod-securityimplementation-small-organizations-38230 Stevens, G. (2010, January 28). Federal Information Security and Data Breach Notification Laws. Retrieved from https://fas.org/sgp/crs/secrecy/RL34120.pdf 147 PROTECTING THE HOMELAND Tecapi.com. (n.d.). List of Attack Vectors. Retrieved from http://www.tecapi.com/public/relativevulnerability-rating-gui.jsp UMGC. (n.d.). Intrusion Motives/Hacker Psychology. Retrieved from https://lti.umuc.edu/contentadaptor/topics/byid/8f23085b-78c1-4e62-a4bf-cf04e45f846b United States Computer Emergency Readiness Team (US-CERT). (2018). Securing Network Infrastructure Devices. Security Tip (ST18-001).Retrieved from https://www.uscert.gov/ncas/tips/ST18-001 United States Computer Emergency Readiness Team (US-CERT). (2018). CISA Cyber Infrastructure. Understanding Denial of Service Attacks. Retrieved July 20, 2019, from https://www.us-cert.gov/ncas/tips/ST04-015 Vermeer, J.D., Woods, D. & Jackson, B.A. (2018). Identifying Law Enforcement Needs for Access to Digital Evidence in Remote Data Centers. Retrieved from https://www.rand.org/content/dam/rand/pubs/research_reports/RR2200/RR2240/RAND_RR2240.pdf    [Show More]

Last updated: 1 year ago

Preview 1 out of 148 pages