Aspects and Pillars of Cyber Security

Learning Outcomes

After completing these activities you should be able to:

Cyber Aspects Cyber Pillars

Discussion

What we are Studying in this Course

The cyber domain is a big field that overlaps many disciplines. The August 2009 initial report of the Dean's Cyber Warfare Ad Hoc Committee included the following:

Cyber Warfare is a somewhat unusual topic in that it involves a technical academic core of tightly inter-related subject matter, as well as a wide range of important topics that, while dependent on the technical core for fullest appreciation, are not dependent on each other. Stated another way, cyber warfare is comprised of, first, a foundational component, dealing with a set of interconnected fundamental technical concepts, and, second, a wide range of interdisciplinary topics, touching upon the areas of law, political science, strategy and tactics, policy, ethics, and the study of foreign languages and culture.

SY110 is an introduction to the technical core described in the excerpt. The material we cover is organized into three sections:

  1. Cyber Battlefield

    This portion of the course will teach you about the basic components that constitute what is generally called cyberspace. It starts with digital data, the physical computer, operating systems, and programs, and continues with the Web, the Internet, and both wired and wireless networks.

  2. Cyber Security Tools

    There are some theoretical underpinnings to what it is we are protecting (or attacking) in the cyber domain, and how we make rational decisions about security in the cyber domain (cyber security). Additionally, there are a few broad categories of tools — firewalls, encryption, hashing, policies and procedures — that we combine in different ways to meet different security goals.

  3. Cyber Operations

    In this portion of the course we study digital forensics, cyber reconnaissance, cyber attack, and cyber defense. In the last three labs you and your classmates conduct cyber operations in a controlled environment: mapping out an opponent's network, and performing and defending against cyber attacks.

The Cyber Domain

Aspects of the Cyber Domain

Based on your current understanding, what do you think comprises the cyber domain? You probably agree that your laptop is a part of the cyber domain, and you are correct. But are there other aspects of the cyber domain beyond computers? The answer is yes. The cyber domain is comprised of much more than just computers connected to a network. It also consists of the physical systems connected to those computers, and the location of those systems is a part of the cyber domain as well: is the system of interest on the USNA grounds, elsewhere in the U.S., in Australia, in Turkey, or in China?

There is a human factor to the cyber domain, and it is not just the geopolitical aspect of the cyber domain. We continually see that the human is the weakest link in the cyber domain. Human nature has driven many technological advances, but human nature has also been the initial attack vector in many cyber security incidents.

The cyber domain is comprised of the users (generally humans at this point) [persona], devices and software that users interact with [interface], logic used by devices and software systems [logic], circuits that provide paths for logic to flow [circuit], and location of the circuits, physical systems, and users [geographic].

The cyber domain is founded in technical principles. The cyber domain is a part of our world. We must be able to operate in the cyber domain as individuals, as organizations, and as defenders of nations. As we become more interconnected we become more dependent on the cyber domain.

Persona Aspects

Guccifer 2.0, the subject of a Wired article, is an example of a cyber persona you might have seen.

[Figure: Persona Layer]

Persona Aspects represent users that have a role (persona) in the cyber domain. At different times a single person may have multiple personas in the cyber domain. By virtue of reading and interacting with this website, you are part of the cyber domain.

Interface Aspects

[Figure: Interface Layer]

Interface Aspects represent the hardware devices and software that users interact with to provide input into other components in the cyber domain. Historically, interface devices were keyboards and mice; today touch screens, microphones, and even cameras are commonplace. In the future the interface may be a long-term implant inside our bodies.

Data Aspects

[Figure: Logic Layer]

Data Aspects represent the information held within information systems, i.e. the meaning of the raw data that flow between, or are stored in, systems in the cyber domain.

Network Aspects

[Figure: Circuit Layer]

Network Aspects represent the paths over which data flow between systems, and the systems that store data. Here we mean the raw data itself, in transit or at rest, as opposed to its meaning.

Geographic Aspects

[Figure: Geographic Layer]

Geographic Aspects represent the physical location of the user, system, or data paths. Geographic aspects include natural boundaries and geopolitical boundaries (borders separating human defined regions).

Interaction of Cyber Domain Aspects

[Figure: Cyber Domain Aspect Interaction]

In a standard layer model there are clearly defined interactions between adjacent layers, and typically a layer only interacts with the layer directly above or below it. The cyber domain is more complex than a simple layer model. In the cyber domain entities associated with one aspect can have many simultaneous interactions with adjacent aspects. Additionally, interactions can skip traditional layers and interact with non-adjacent aspects.

Furthermore, the interactions between the aspects are continually changing, both in how many there are and in how they occur. The same interaction that was safe yesterday might not be safe today. Nonetheless, we must operate in the cyber domain.

For example:

  • A user can be connected to the cyber domain via more than one interface.
  • Society (persona aspect) defines the geopolitical boundaries that comprise the geographic aspect, an interaction that skips the aspects in between.
  • A mode of operation may be safe today, but a vulnerability may be discovered overnight that makes the same mode of operation unsafe tomorrow.

In Jan 2015 Mr. Chris Inglis, former Deputy Director of the National Security Agency, gave a guest lecture discussing the cyber domain and its importance to military operations.

The cyber domain is too complex and large to cover all of its areas in a single course, much less all of them in great detail. In this course we will focus on the technical foundations from a cyber security viewpoint, primarily the Persona, Interface, and Data Aspects. There will be times when we discuss Network Aspects and Geographic Aspects, but future courses in your time at the Naval Academy will cover those aspects in greater detail.


[Figure: DoD Cyber Security emblem (formerly Information Assurance)]

The Pillars of Cyber Security

During the course, we will learn about the Cyber Battlefield: digital data, computers, operating systems, programs, networks, the Internet, and systems of programs communicating over networks (with the world wide web as the biggest example). We will see lots of examples of things that can go wrong in the cyber domain, things that we recognize as dangerous, things that we recognize we need to defend against. But what, actually, are we defending?

This is a deeper question than it might first appear. Understanding the answer will help us understand what attacks are, how to defend against them, and even help us understand what we really want when we ask for "security".

  1. We are not interested in just protecting computers. If you really wanted to protect your computer, you'd simply turn it off and stick it in a fireproof/waterproof safe.
  2. We are not interested in just protecting data. If you really wanted to protect some piece of data, you'd disconnect your hard drive, and stick it in a fireproof/waterproof safe.

What then? We have information systems that store, process, and transmit data to different parts of the system in order to provide services; which service depends on the system. For example, Skype is a system that provides video, telephone, and chat services. Security for Skype means the on-going ability to provide that service while maintaining the following key attributes: Confidentiality, Integrity, Availability, Non-repudiation, and Authentication.

[Figure: Ciana (photo: www.flickr.com/photos/jimfischer/4540646854/). She'll be your mnemonic, CIANA, for the five Pillars of Cyber Security.]

These attributes are referred to as the Pillars of Cyber Security (formerly Pillars of Information Assurance). For almost any information system, they describe the fundamental properties that must be maintained. Essentially, these properties are what we want to protect (or attack, if you're on the other side). Information Assurance (IA) is the practice of managing risks while maintaining these properties. Malicious human threats are not the only kind information assurance considers: a hungry squirrel might gnaw through a cable and bring down a server. Protecting against this is information assurance, though not really cyber security. We'll focus on the cyber security related aspects of IA. [More seriously: IA includes concerns like whether extreme weather could take down the Internet.]

A New Unmanned Aerial Surveillance Platform


The MQ-4C "Triton" BAMS UAS, a new unmanned aerial surveillance platform, is finishing development, and initial operational capability is planned for 2018. The MQ-4C BAMS "will enhance battlespace awareness, shortening the sensor-to-shooter kill chain".

[Figure: MQ-4C]

This UAV is clearly a component in a larger information system: not only the system that tells it where to fly, but also this "sensor-to-shooter kill chain". Think about how the five pillars apply to this system. What could an enemy accomplish by attacking the integrity of this system? Its availability? Confidentiality? Authentication?

As with any domain, terms have specific definitions; the following are the definitions for the Pillars of Cyber Security.

  • Confidentiality: Protection of information from disclosure to unauthorized individuals, systems, or entities. Confidentiality is data oriented.
  • Integrity: Protection of information, systems, and services from unauthorized modification or destruction. Integrity is data oriented.
  • Availability: Timely, reliable access to data and information services by authorized users. Availability is service oriented.
  • Non-repudiation: The ability to correlate, with high certainty, a recorded action with its originating individual or entity. Non-repudiation is entity oriented.
  • Authentication: The ability to verify the identity of an individual or entity. Authentication is entity oriented.

There is some overlap between the Pillars of Cyber Security. In many cases a defensive measure will protect more than one pillar. In many cases a particular attack will violate more than one. Often the question of what pillars were violated by an action is somewhat subjective, and depends on the viewpoint from which you are asking.

There is a close relationship between non-repudiation and authentication, but they are separate. Authentication is compromised when an attacker has the ability to pose as another individual or system, often by stealing valid authentication credentials. In contrast, non-repudiation reflects our ability to prove later, after the fact, that an action is associated with a specific individual or entity. Very often, log entries or digital signatures of events (which we will cover later) are used to provide non-repudiation, so a violation occurs when the logging or signature mechanism is compromised. One example is the digital signature you can place on a document, using a private signing key that is associated with you (through a digital certificate, for example). Non-repudiation establishes that, later on, an analysis of the signed document can show, with high certainty, that it must have been signed by someone who possessed that private key.
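The distinction between the two pillars is easiest to see in code. The following is an added example, not part of the course page: it compares a shared-key message authentication code (HMAC), which authenticates a message between two parties, with an Ed25519 digital signature, which additionally provides non-repudiation. The trade order, the account name, the shared secret, and the trader/broker roles are all constructed for this example; both primitives come from the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// A constructed sample event record. The timestamp, account and order
// details are invented for this example; the point is that a broker later
// needs to prove that the trader, not the broker, originated it.
const order = "2024-03-01T14:05:09Z BUY 100 ACME @ 42.00 acct=trader-7 seq=1"

// hmacTag returns an HMAC-SHA256 tag over msg under a key shared by both
// parties. Either party can compute it, so it authenticates the channel
// but cannot prove to a third party which of the two produced the message.
func hmacTag(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// hmacVerify checks a tag in constant time.
func hmacVerify(key []byte, msg string, tag []byte) bool {
	return hmac.Equal(hmacTag(key, msg), tag)
}

// newSigningKeys generates an Ed25519 key pair. The private half is the
// "something associated with you" that a certificate would bind to an identity.
func newSigningKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the system RNG is unavailable
	}
	return pub, priv
}

// signRecord produces a signature that only the private-key holder can create.
func signRecord(priv ed25519.PrivateKey, msg string) []byte {
	return ed25519.Sign(priv, []byte(msg))
}

// verifyRecord checks a signature with the public key. The verifier holds
// no secret, so it can check but never forge: that asymmetry is what turns
// a signed record into non-repudiation evidence.
func verifyRecord(pub ed25519.PublicKey, msg string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(msg), sig)
}

func main() {
	shared := []byte("constructed-shared-secret")
	forged := "2024-03-01T14:05:09Z BUY 1000 ACME @ 42.00 acct=trader-7 seq=1"

	// Authentication with a shared key: the genuine tag verifies...
	tag := hmacTag(shared, order)
	fmt.Println("HMAC verifies genuine order:", hmacVerify(shared, order, tag))
	// ...but the broker, who also holds the key, can mint a valid tag for a
	// record the trader never sent. The trader can therefore repudiate it.
	fmt.Println("HMAC verifies broker-forged order:",
		hmacVerify(shared, forged, hmacTag(shared, forged)))

	// Digital signature: the trader signs, the broker verifies.
	traderPub, traderPriv := newSigningKeys()
	sig := signRecord(traderPriv, order)
	fmt.Println("signature verifies genuine order:", verifyRecord(traderPub, order, sig))
	// The broker cannot produce a valid signature for the forged order under
	// the trader's public key, neither by reusing the old signature nor with
	// a key of its own.
	_, brokerPriv := newSigningKeys()
	fmt.Println("old signature on forged order:", verifyRecord(traderPub, forged, sig))
	fmt.Println("broker's own signature on forged order:",
		verifyRecord(traderPub, forged, signRecord(brokerPriv, forged)))
	fmt.Println("trader signature (prefix):", hex.EncodeToString(sig)[:16]+"...")
}
```

Run it and the two HMAC checks both print true, which is exactly the problem: a valid tag says "someone with the key sent this", and both parties have the key. The signature checks print true, false, false: only the trader's private key can produce a signature that verifies under the trader's public key, so a record that verifies is evidence the trader can't later disown. Stealing that private key (an authentication failure) would of course also destroy the non-repudiation property, which is why the two pillars are so often discussed together.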

Some organizations and publications limit their discussion of Cyber Security pillars to confidentiality, integrity, and availability; other organizations list many more. While the overall number of pillars/attributes that must be maintained in supporting information assurance is debated, the inclusion of confidentiality, integrity, and availability is nearly universal. In this course, we also include non-repudiation and authentication as distinct pillars.

Examples

Understanding something as an attack requires understanding which of the five pillars are violated — which properties are lost. Let's consider some examples.

  • Confidentiality
    • In December 2013, the national retailer Target reported the theft of records for 40 million credit and debit cards used at its stores. Not long after the breach, the card data was being sold in underground forums to thieves. The credit card data was supposed to be confidential, but confidentiality of the data was not preserved.
  • Integrity
    • In 2010, the Stuxnet computer worm was used to infiltrate the computer systems controlling Iran's nuclear enrichment centrifuges. The Stuxnet code modified the programmable logic controller (PLC) software, driving the centrifuges at damaging speeds while feeding the console operators only normal indications. The integrity of the PLC software, and of the readings shown to the operators, was violated in this attack.
  • Availability
    • In 2008, computer systems supporting banks, media, communications, transportation, and other infrastructure in the nation of Georgia experienced a widespread denial-of-service attack originating from Russia. At the time, a dispute had flared up between Georgia and Russia over control of areas along the Georgia-Russia border. The availability of critical systems throughout Georgia, an entire country's connection to the Internet, was greatly diminished.
  • Non-repudiation

    Although there aren't many publicized examples of non-repudiation violations, or 'repudiation attacks,' the following are some general examples:

    • Unauthorized manipulation of e-commerce transaction logs (making it hard or impossible to later prove a company performed an action, such as an equipment purchase or a stock market trade).
    • Unauthorized manipulation of administrator access logs on any computer (making it hard or impossible to later prove who was logged on, and when).
  • Authentication
    • In 2011, a company called RSA, which provides security services, acknowledged that its proprietary SecurID authentication system, which is employed by some defense contractors and other high-security industries, was compromised. As a result, the attackers were also able to log into systems at Lockheed Martin, and other companies, using the stolen credentials of legitimate users.

Review Questions

  1. What term does the course use for the collection of digital data, the physical computer, operating systems, and programs, together with the Web, the Internet, and both wired and wireless networks?
  2. What are the five aspects of the Cyber Domain?
  3. What are the five Pillars of Cyber Security and how do they interact with the five aspects of the Cyber Domain?
  4. How do the Pillars of Cyber Security correlate with Information Assurance in the Cyber Domain?
  5. Define Cyber Warfare using the terms Cyber Battlefield, Cyber Security Tools, and Cyber Operations.

References

Dean's Cyber Warfare Ad Hoc Committee. 2009. Initial Report of the Dean's Cyber Warfare Ad Hoc Committee. Annapolis: August 21, 2009.

Committee on National Security Systems. 2015. Committee on National Security Systems (CNSS) Glossary. Ft. Meade, MD: April 6, 2015.

Department of Defense. 2014. DoDI 8500.01: Cybersecurity. Washington: March 14, 2014.

Fruhlinger, Josh. 2017. "What Is Stuxnet, Who Created It and How Does It Work?" CSO Online, August 22, 2017.
https://www.csoonline.com/article/3218104/what-is-stuxnet-who-created-it-and-how-does-it-work.html

Krebs, Brian. 2013. "Cards Stolen in Target Breach Flood Underground Markets." Krebs on Security, December 20, 2013.
https://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/

Krebs, Brian. 2013. "Sources: Target Investigating Data Breach." Krebs on Security, December 18, 2013.
https://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/

Joint Force Development. 2018. Joint Publication 3-12: Cyberspace Operations. June 8, 2018.

Markoff, John. 2008. "Before the Gunfire, Cyberattacks" New York Times, August 12, 2008.
https://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=0&mtrref=undefined&gwh=5BD96825979E1BE8F3EB2B4052BF4378&gwt=pay

Richmond, Riva. 2011. "The RSA Hack: How They Did It" New York Times, April 2, 2011.
https://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/?mtrref=undefined&gwh=D96240BD4AE2D9E4FC8888A25D4D9286&gwt=pay

U.S. Code. 2012. Title 44 - Public Printing and Documents Section 3542. Washington: Government Printing Office, January 3, 2012.