Download the book Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time

Book details

Edition:
Authors:
Series:
ISBN: 1260118185, 9781260118186
Publisher: McGraw-Hill Education
Year of publication: 2018
Number of pages: 589
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on user request)
File size: 18 MB

Price (Toman): 81,000



If you need the file of the book Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time converted to PDF, EPUB, AZW3, MOBI or DJVU, you can notify support so that they convert the file for you.

Note that the book Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time is the original-language edition and has not been translated into Persian. The International Library website provides original-language books and does not offer any books translated into or written in Persian.


Description of the book in its original language

Cutting-edge cybersecurity solutions to defend against the most sophisticated attacks
This professional guide shows, step by step, how to design and deploy highly secure systems on time and within budget. The book offers comprehensive examples, objectives, and best practices and shows how to build and maintain powerful, cost-effective cybersecurity systems. Readers will learn to think strategically, identify the highest priority risks, and apply advanced countermeasures that address the entire attack space. Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time showcases 35 years of practical engineering experience from an expert whose persuasive vision has advanced national cybersecurity policy and practices.
Readers of this book will be prepared to navigate the tumultuous and uncertain future of cyberspace and move the cybersecurity discipline forward by adopting timeless engineering principles, including:
- Defining the fundamental nature and full breadth of the cybersecurity problem
- Adopting an essential perspective that considers attacks, failures, and attacker mindsets
- Developing and implementing risk-mitigating, systems-based solutions
- Transforming sound cybersecurity principles into effective architecture and evaluation strategies that holistically address the entire complex attack space



Table of contents

Cover
Title Page
Copyright Page
About the Author
Contents at a Glance
Contents
Foreword
Acknowledgments
Introduction
Part I What Do You Want?
	Chapter 1 What’s the Problem?
		Overview
			Learning Objectives
		1.1 Baking in Trustworthiness: Design-Time
			1.1.1 What Is Trust?
			1.1.2 Trust and Belief
			1.1.3 Engineering
			1.1.4 Why Trust?
		1.2 Operational Perspective: Basic Questions
			1.2.1 Am I Under Attack?
			1.2.2 What Is the Nature of the Attack?
			1.2.3 What Is the Mission Impact So Far?
			1.2.4 What Is the Potential Mission Impact?
			1.2.5 When Did It Start?
			1.2.6 Who Is Attacking?
			1.2.7 What Are They Trying to Do?
			1.2.8 What Is the Attacker’s Next Step?
			1.2.9 What Can I Do About It?
			1.2.10 What Are My Options and How Effective Will Each Option Be?
			1.2.11 How Will My Mitigation Actions Affect Operation?
			1.2.12 How Do I Better Defend Myself in the Future?
		1.3 Asymmetry of Cyberspace Effects
			1.3.1 Dimensionality
			1.3.2 Nonlinearity
			1.3.3 Coupling
			1.3.4 Velocity
			1.3.5 Manifestation
			1.3.6 Detectability
		1.4 The Cybersecurity Solution Landscape
			1.4.1 Information Assurance Science and Engineering
			1.4.2 Defensive Mechanisms
			1.4.3 Cybersensors and Exploitation
			1.4.4 Cyber Situation Understanding
			1.4.5 Cyber Actuation
			1.4.6 Cyber Command and Control
			1.4.7 Cyber Defense Strategy and Tactics
		1.5 Ounces of Prevention and Pounds of Cure
		Conclusion
		Questions
	Chapter 2 Cybersecurity Right-Think
		Overview
			Learning Objectives
		2.1 It’s About Risk
		2.2 The Cybersecurity Trade-off: Performance and Functionality
			2.2.1 User-Friendliness
			2.2.2 Time to Market
			2.2.3 Employee Morale
			2.2.4 Missed Opportunity
			2.2.5 Opportunity Cost
			2.2.6 Quantity of Service or Product
			2.2.7 Quality of Service or Product
			2.2.8 Cost of Service or Product
			2.2.9 Limited Resources
		2.3 Theories of Security Come from Theories of Insecurity
		2.4 They Come at You Through the Weeds
		2.5 Top-Down Meets Bottom-Up
		2.6 Cybersecurity Is a Live Orchestra, Not a Recorded Instrument
		Conclusion
		Questions
	Chapter 3 Value and Mission: Know Thyself
		Overview
			Learning Objectives
		3.1 Focus on Mission and Value
			3.1.1 Avoid Concentrating Value
			3.1.2 Beware the Complacency of Trust
		3.2 Confidentiality: Value of Secrecy from Adversaries
			3.2.1 Acquired-Knowledge Secrets
			3.2.2 Planning Secrets
			3.2.3 Stolen Secrets
			3.2.4 Means-of-Stealing-Secrets Secrets
		3.3 Confidentiality: Beware the Tyranny of Secrecy
			3.3.1 Secrecy Is Tenuous
			3.3.2 Secrecy Is Expensive
			3.3.3 Secrecy Can Be Self-Defeating
			3.3.4 Secrecy Is Self-Breeding
			3.3.5 Secrecy Creates a Form of Corrupting Power and Impediment to Operation
		3.4 Confidentiality: Changing the Value Proposition
			3.4.1 Minimize Secrecy and Dependency on Secrecy
			3.4.2 Minimize Impact of Loss of Secrecy
		3.5 Integrity: The Root of All Trustworthiness Value
		3.6 Availability: An Essential Yet Tenuous Value
		Conclusion
		Questions
	Chapter 4 Harm: Mission in Peril
		Overview
			Learning Objectives
		4.1 Focus on Strategic Risks
			4.1.1 What Is Strategic Risk?
			4.1.2 Expected Harm
			4.1.3 The Range of Risks
			4.1.4 The Meaning of Focus
		4.2 Harm Is About Mission
			4.2.1 Elicitation of Harm
			4.2.2 Aggregating Harm Statements
			4.2.3 Representative Harm Lists
		4.3 Critical Asset Inventory: Data
			4.3.1 Data Asset Types
			4.3.2 Data Value Spectrum
			4.3.3 Criticality Classes
			4.3.4 Criticality Levels
		4.4 A Template for Exploring Mission Harm
		4.5 Harm Is in the Eye of the Beholder
			4.5.1 Gravity of Harm: Consensus
			4.5.2 Drawing Conclusions
		4.6 Sometimes Belief Is More Powerful than Truth
			4.6.1 Destroying Value
			4.6.2 Frustrating to Address: Life Is Unfair
		Conclusion
		Questions
	Chapter 5 Approximating Reality
		Overview
			Learning Objectives
		5.1 The Complexity of State: Why Model?
		5.2 Levels of Abstraction: At What Levels
		5.3 What to Model and Why
			5.3.1 The Target System
			5.3.2 Users
			5.3.3 Adversaries
			5.3.4 Measures/Countermeasures
		5.4 Models Are Always Wrong, Sometimes Useful
			5.4.1 Incompleteness of Essentials
			5.4.2 Inaccuracy
			5.4.3 Non-Timeliness
		5.5 Model Views
			5.5.1 Defender’s View
			5.5.2 Adversary’s View
			5.5.3 Attacking the Views Themselves
		5.6 Defense Models Must Consider Failure Modes
		5.7 Assume Adversaries Know Defender’s System
		5.8 Assume Adversaries Are Inside Defender’s System
		Conclusion
		Questions
Part II What Could Go Wrong?
	Chapter 6 Adversaries: Know Thy Enemy
		Overview
			Learning Objectives
		6.1 Know Your Adversaries
			6.1.1 Intentions
			6.1.2 Capabilities
			6.1.3 Attacker Resources and Defender Resources
			6.1.4 Risk Tolerance
			6.1.5 Strategic Goals
			6.1.6 Tactics
		6.2 Assume Smart Adversaries
		6.3 Assume Adversaries Don’t Play Fair
			6.3.1 Going Around Security Controls
			6.3.2 Going Beneath Security Controls
			6.3.3 Attacking the Weakest Link
			6.3.4 Violating a Design Assumption
			6.3.5 Using Maintenance Modes
			6.3.6 Using Social Engineering
			6.3.7 Using Bribery and Blackmail to Subvert Insiders
			6.3.8 Taking Advantage of Temporary Bypasses
			6.3.9 Taking Advantage of Temporary Connections
			6.3.10 Taking Advantage of Natural System Failure
			6.3.11 Exploiting Bugs You Did Not Even Know You Had
			6.3.12 Compromising External Systems that a System Trusts
		6.4 Anticipate Attack Escalation
		6.5 Red Teams
			6.5.1 Opposing Force
			6.5.2 Red Team Characteristics
			6.5.3 Other Types of Red Teams
		6.6 Cyberspace Exercises
			6.6.1 Red Versus Blue
			6.6.2 Pure Versus Hybrid
			6.6.3 Purple Collaboration
		6.7 Red Team Work Factor: Measuring Difficulty
		Conclusion
		Questions
	Chapter 7 Forests of Attack Trees
		Overview
			Learning Objectives
		7.1 Attack Trees and Forests
			7.1.1 Attack Tree Structure
			7.1.2 Deriving Attack Scenarios
			7.1.3 From Trees to Forests
		7.2 System Failures Predict Cybersecurity Failures
			7.2.1 Inspirational Catastrophes
			7.2.2 The 10x Rule
			7.2.3 Feigning Failure
		7.3 Understanding Failure Is the Key to Success: The Five Whys
			7.3.1 Why Five Whys?
			7.3.2 Projecting Fishbones
		7.4 Forests Should Be Representative, Not Exhaustive
		7.5 Drive Each Attack Tree Layer by Asking How
		7.6 Go as Deep as Needed and No Deeper
		7.7 Beware of External Dependencies
			7.7.1 Just in Time
			7.7.2 Information Dependency
			7.7.3 Creating Redundancy
		Conclusion
		Questions
Part III What Are the Building Blocks of Mitigating Risk?
	Chapter 8 Countermeasures: Security Controls
		Overview
			Learning Objectives
		8.1 Countermeasures: Design to Purpose
		8.2 Ensure Attack-Space Coverage (Defense in Breadth)
		8.3 Defense in Depth and Breadth
		8.4 Multilevel Security, Trusted Code, Security Kernels
			8.4.1 Multilevel Security
			8.4.2 Trusted Code
			8.4.3 Security Kernel and the Reference Monitor
		8.5 Integrity and Type Enforcement
			8.5.1 Multilevel Integrity
			8.5.2 Type Enforcement
		8.6 Cybersecurity Usability
			8.6.1 Invisible
			8.6.2 Transparent
			8.6.3 Clear
			8.6.4 Easy to Understand
			8.6.5 Reliable
			8.6.6 Fast
			8.6.7 Reversible
			8.6.8 Adaptable
			8.6.9 Traceable
			8.6.10 Reviewable
		8.7 Deploy Default Secure
		8.8 Costs
			8.8.1 Cost Always Matters
			8.8.2 Time-to-Deploy Matters
			8.8.3 Impact to Mission Matters
			8.8.4 Pareto Rule: 80/20
			8.8.5 Opportunity Cost Is a Key Part of Cost
			8.8.6 How Much to Invest in Cybersecurity
			8.8.7 Optimizing Zero-Sum Cybersecurity Budgets
		Conclusion
		Questions
	Chapter 9 Trustworthy Hardware: Bedrock
		Overview
			Learning Objectives
		9.1 Foundation of Trust
		9.2 Instruction Set Architectures
		9.3 Supervisors with Rings and Things
		9.4 Controlling Memory: Mapping, Capabilities, and Tagging
			9.4.1 Memory Mapping
			9.4.2 Capabilities
			9.4.3 Tagging
		9.5 Software in Hardware
			9.5.1 Microcode
			9.5.2 Firmware
			9.5.3 Secure Bootstrapping
		9.6 Buses and Controllers
		Conclusion
		Questions
	Chapter 10 Cryptography: A Sharp and Fragile Tool
		Overview
			Learning Objectives
		10.1 What Is Cryptography?
		10.2 Key Space
		10.3 Key Generation
		10.4 Key Distribution
			10.4.1 Transmission to Intended Recipients
			10.4.2 Storage
			10.4.3 Loading
		10.5 Public-Key Cryptography
			10.5.1 The Math
			10.5.2 Certificates and Certificate Authorities
			10.5.3 Performance and Use
			10.5.4 Side Effect of Public-Key Cryptography
		10.6 Integrity
		10.7 Availability
			10.7.1 Positive Effects
			10.7.2 Negative Effects
		10.8 Chinks in the Cryptographic Armor
			10.8.1 Quantum Cryptanalytics: Disruptive Technology
			10.8.2 P=NP
		10.9 Cryptography Is Not a Panacea
		10.10 Beware of Homegrown Cryptography
		Conclusion
		Questions
	Chapter 11 Authentication
		Overview
			Learning Objectives
		11.1 Entity Identification: Phase 1 of Authentication
		11.2 Identity Certification: Phase 2 of Authentication
		11.3 Identity Resolution: Phase 3 of Authentication
		11.4 Identity Assertion and Identity Proving: Phases 4 and 5 of Authentication
		11.5 Identity Decertification: Phase 6 of Authentication
		11.6 Machine-to-Machine Authentication Chaining
		Conclusion
		Questions
	Chapter 12 Authorization
		Overview
			Learning Objectives
		12.1 Access Control
			12.1.1 Discretionary Access Control
			12.1.2 Mandatory Access Control
			12.1.3 Covert Channels
			12.1.4 Identity-Based Access Control
			12.1.5 Attribute-Based Access Control
		12.2 Attribute Management
			12.2.1 User Attributes and Privilege Assignment
			12.2.2 Resource Attribute Assignment
			12.2.3 Attribute Collection and Aggregation
			12.2.4 Attribute Validation
			12.2.5 Attribute Distribution
		12.3 Digital Policy Management
			12.3.1 Policy Specification
			12.3.2 Policy Distribution
			12.3.3 Policy Decision
			12.3.4 Policy Enforcement
		12.4 Authorization Adoption Schemas
			12.4.1 Direct Integration
			12.4.2 Indirect Integration
			12.4.3 Alternative Integration
		Conclusion
		Questions
	Chapter 13 Detection Foundation
		Overview
			Learning Objectives
		13.1 The Role of Detection
		13.2 How Detection Systems Work
		13.3 Feature Selection
			13.3.1 Attack Manifestation in Features
			13.3.2 Manifestation Strength
			13.3.3 Mapping Attacks to Features
			13.3.4 Criteria for Selection
		13.4 Feature Extraction
		13.5 Event Selection
		13.6 Event Detection
		13.7 Attack Detection
		13.8 Attack Classification
		13.9 Attack Alarming
		13.10 Know Operational Performance Characteristics for Sensors
		Conclusion
		Questions
	Chapter 14 Detection Systems
		Overview
			Learning Objectives
		14.1 Types of Detection Systems
			14.1.1 Signature-Based
			14.1.2 Anomaly Detection
		14.2 Detection Performance: False Positives, False Negatives, and ROCs
			14.2.1 Feature Selection
			14.2.2 Feature Extraction
			14.2.3 Event Selection
			14.2.4 Attack Detection
			14.2.5 Attack Classification
			14.2.6 Attack Alarming
		14.3 Drive Detection Requirements from Attacks
		14.4 Detection Failures
			14.4.1 Blind Sensors
			14.4.2 Below Noise Floor
			14.4.3 Below Alert Threshold
			14.4.4 Improper Placement
			14.4.5 Natural Failure
			14.4.6 Successfully Attacked
			14.4.7 Blocked Sensor Input
			14.4.8 Blocked Report Output
		Conclusion
		Questions
	Chapter 15 Detection Strategy
		Overview
			Learning Objectives
		15.1 Detect in Depth and Breadth
			15.1.1 Breadth: Network Expanse
			15.1.2 Depth: Network Expanse
			15.1.3 Breadth: Attack Space
			15.1.4 Depth: Attack Space
		15.2 Herd the Adversary to Defender’s Advantage
		15.3 Attack Epidemiology
		15.4 Detection Honeypots
		15.5 Refining Detection
			15.5.1 Running Alerts to Ground
			15.5.2 Learning More About an Attack
		15.6 Enhancing Attack Signal and Reducing Background Noise
			15.6.1 Reducing the Noise Floor
			15.6.2 Boosting Attack Signal
			15.6.3 Lowering the Alert Threshold
		Conclusion
		Questions
	Chapter 16 Deterrence and Adversarial Risk
		Overview
			Learning Objectives
		16.1 Deterrence Requirements
			16.1.1 Reliable Detection: Risk of Getting Caught
			16.1.2 Reliable Attribution
			16.1.3 Meaningful Consequences
		16.2 All Adversaries Have Risk Thresholds
		16.3 System Design Can Modulate Adversary Risk
			16.3.1 Detection Probability
			16.3.2 Attribution Probability
			16.3.3 Consequence Capability and Probability
			16.3.4 Retaliation Capability and Probability
			16.3.5 Risky Behavior
		16.4 Uncertainty and Deception
			16.4.1 Uncertainty
			16.4.2 Deception
		16.5 When Detection and Deterrence Do Not Work
		Conclusion
		Questions
Part IV How Do You Orchestrate Cybersecurity?
	Chapter 17 Cybersecurity Risk Assessment
		Overview
			Learning Objectives
		17.1 A Case for Quantitative Risk Assessment
		17.2 Risk as a Primary Metric
		17.3 Why Measure?
			17.3.1 Characterize
			17.3.2 Evaluate
			17.3.3 Predict
			17.3.4 Improve
		17.4 Evaluate Defenses from an Attacker’s Value Perspective
		17.5 The Role of Risk Assessment and Metrics in Design
		17.6 Risk Assessment Analysis Elements
			17.6.1 Develop Mission Model
			17.6.2 Develop System Model
			17.6.3 Develop Adversary Models
			17.6.4 Choose Representative Strategic Attack Goals
			17.6.5 Estimate Harm Using Wisdom of Crowds
			17.6.6 Estimate Probability Using Wisdom of Crowds
			17.6.7 Choose Representative Subset
			17.6.8 Develop Deep Attack Trees
			17.6.9 Estimate Leaf Probabilities and Compute Root
			17.6.10 Refine Baseline Expected Harm
			17.6.11 Harvest Attack Sequence Cut Sets => Risk Source
			17.6.12 Infer Attack Mitigation Candidates from Attack Sequences
		17.7 Attacker Cost and Risk of Detection
			17.7.1 Resources
			17.7.2 Risk Tolerance
		Conclusion
		Questions
	Chapter 18 Risk Mitigation and Optimization
		Overview
			Learning Objectives
		18.1 Develop Candidate Mitigation Packages
		18.2 Assess Cost of Mitigation Packages
			18.2.1 Direct Cost
			18.2.2 Mission Impact
		18.3 Re-estimate Leaf Node Probabilities and Compute Root Node Probability
		18.4 Optimize at Various Practical Budget Levels
			18.4.1 Knapsack Algorithm
			18.4.2 Sensitivity Analysis
		18.5 Decide Investment
		18.6 Execute
		Conclusion
		Questions
	Chapter 19 Engineering Fundamentals
		Overview
			Learning Objectives
		19.1 Systems Engineering Principles
			19.1.1 Murphy’s Law
			19.1.2 Margin of Safety
			19.1.3 Conservation of Energy and Risk
			19.1.4 Keep It Simple, Stupid
			19.1.5 Development Process
			19.1.6 Incremental Development and Agility
		19.2 Computer Science Principles
			19.2.1 Modularity and Abstraction
			19.2.2 Layering
			19.2.3 Time and Space Complexity: Understanding Scalability
			19.2.4 Focus on What Matters: Loops and Locality
			19.2.5 Divide and Conquer and Recursion
		Conclusion
		Questions
	Chapter 20 Architecting Cybersecurity
		Overview
			Learning Objectives
		20.1 Reference Monitor Properties
			20.1.1 Functional Correctness
			20.1.2 Non-Bypassable
			20.1.3 Tamperproof
		20.2 Simplicity and Minimality Breed Confidence
		20.3 Separation of Concerns and Evolvability
		20.4 Security Policy Processing
			20.4.1 Policy Specification
			20.4.2 Policy Decision Making
			20.4.3 Policy Enforcement
		20.5 Dependability and Tolerance
			20.5.1 Cybersecurity Requires Fail Safety
			20.5.2 Expect Failure: Confine Damages Using Bulkheads
			20.5.3 Tolerance
			20.5.4 Synergize Prevention, Detect-Response, and Tolerance
		20.6 Cloud Cybersecurity
		Conclusion
		Questions
	Chapter 21 Assuring Cybersecurity: Getting It Right
		Overview
			Learning Objectives
		21.1 Cybersecurity Functionality Without Assurance Is Insecure
		21.2 Treat Cybersecurity Subsystems as Critical Systems
		21.3 Formal Assurance Arguments
			21.3.1 Cybersecurity Requirements
			21.3.2 Formal Security Policy Model
			21.3.3 Formal Top-Level Specification
			21.3.4 Security-Critical Subsystem Implementation
		21.4 Assurance-in-the-Large and Composition
			21.4.1 Composition
			21.4.2 Trustworthiness Dependencies
			21.4.3 Avoiding Dependency Circularity
			21.4.4 Beware of the Inputs, Outputs, and Dependencies
			21.4.5 Violating Unstated Assumptions
		Conclusion
		Questions
	Chapter 22 Cyber Situation Understanding: What’s Going On
		Overview
			Learning Objectives
		22.1 Situation Understanding Interplay with Command and Control
		22.2 Situation-Based Decision Making: The OODA Loop
		22.3 Grasping the Nature of the Attack
			22.3.1 What Vulnerability Is It Exploiting?
			22.3.2 Which Paths Are the Attacks Using?
			22.3.3 Are the Attack Paths Still Open?
			22.3.4 How Can the Infiltration, Exfiltration, and Propagation Paths Be Closed?
		22.4 The Implication to Mission
			22.4.1 Increased Risk
			22.4.2 Contingency Planning
			22.4.3 Nature and Locus Guiding Defense
		22.5 Assessing Attack Damages
		22.6 Threat Assessment
		22.7 The State of Defenses
			22.7.1 Health, Stress, and Duress
			22.7.2 Status
			22.7.3 Configuration Maneuverability
			22.7.4 Progress and Failure
		22.8 Dynamic Defense Effectiveness
		Conclusion
		Questions
	Chapter 23 Command and Control: What to Do About Attacks
		Overview
			Learning Objectives
		23.1 The Nature of Control
			23.1.1 Decision Cycle
			23.1.2 Speed Considerations
			23.1.3 Hybrid Control
		23.2 Strategy: Acquiring Knowledge
			23.2.1 Analogy
			23.2.2 Direct Experience
			23.2.3 Vicarious Experience
			23.2.4 Simulation
		23.3 Playbooks
			23.3.1 Game Theory
			23.3.2 Courses of Action in Advance
			23.3.3 Criteria for Choosing Best Action
			23.3.4 Planning Limitations
		23.4 Autonomic Control
			23.4.1 Control Theory
			23.4.2 Role of Autonomic Control
			23.4.3 Autonomic Action Palette
		23.5 Meta-Strategy
			23.5.1 Don’t Overreact
			23.5.2 Don’t Be Predictable
			23.5.3 Stay Ahead of the Attackers
		Conclusion
		Questions
Part V Moving Cybersecurity Forward
	Chapter 24 Strategic Policy and Investment
		Overview
			Learning Objectives
		24.1 Cyberwar: How Bad Can Bad Get?
			24.1.1 Scenario
			24.1.2 Call to Action
			24.1.3 Barriers to Preparation Action
			24.1.4 Smoking Gun
		24.2 Increasing Dependency, Fragility, and the Internet of Things
			24.2.1 Societal Dependency
			24.2.2 Just-in-Time Everything
			24.2.3 The Internet of Things
			24.2.4 Propagated Weakness
		24.3 Cybersecurity in the Virtual World: Virtual Economy
			24.3.1 Booming Game Economy: Virtual Gold Rush
			24.3.2 Digital Currency Such as Bitcoin
			24.3.3 Virtual High-Value Targets
			24.3.4 Start from Scratch?
		24.4 Disinformation and Influence Operations: Fake News
			24.4.1 What’s New?
			24.4.2 Hacking Wetware
			24.4.3 Polluting the Infosphere
		Conclusion
		Questions
	Chapter 25 Thoughts on the Future of Cybersecurity
		Overview
			Learning Objectives
		25.1 A World Without Secrecy
			25.1.1 Timed Release
			25.1.2 Minimize Generation
			25.1.3 Zero-Secrecy Operations
		25.2 Coevolution of Measures and Countermeasures
		25.3 Cybersecurity Space Race and Sputnik
			25.3.1 Gaining the Ultimate Low Ground
			25.3.2 Stuxnet and the Cyberattack Genie
			25.3.3 Georgia and Hybrid Warfare
			25.3.4 Estonia and Live-Fire Experiments
			25.3.5 Responsibility for Defending Critical Information Infrastructure
		25.4 Cybersecurity Science and Experimentation
			25.4.1 Hypothesis Generation
			25.4.2 Experimental Design
			25.4.3 Experiment Execution
		25.5 The Great Unknown: Research Directions
			25.5.1 Hard Research Problems
			25.5.2 Are Cybersecurity Problems Too Hard?
			25.5.3 Research Impact and the Heilmeier Catechism
			25.5.4 Research Results Dependability
			25.5.5 Research Culture: A Warning
		25.6 Cybersecurity and Artificial Intelligence
		Conclusion
		Questions
Part VI Appendix and Glossary
	Appendix Resources
	Glossary
Index
	A
	B
	C
	D
	E
	F
	G
	H
	I
	J
	K
	L
	M
	N
	O
	P
	Q
	R
	S
	T
	U
	V
	W
	Z



