IT Discussion 6, Siemens, computer science homework help

  

1.) Siemens (2009) identified five categories of impediments to the effective management of technology (see Challenges on pages 3-4). Choose one of the impediments or pitfalls and then discuss how it could prevent companies from finding, evaluating, and adopting new cybersecurity technologies required to protect the firm’s intellectual property. Post your analysis as a 250+ word response to this message. Include APA format citations and references as appropriate to the information used and the sources from which you obtained that information.

Reference
Siemens. (2009). Research, development and technology management: A best practice brief. Retrieved from https://web.archive.org/web/20140621145227/https://www.plm.automation.siemens.com/pt_br/Images/7915_tcm882-4603.pdf

2.) The RAND document provides a foundation for identifying vulnerabilities in systems. What are common issues that need to be considered as a security baseline?
RAND document: RAND Document.pdf
Post your analysis as a 250+ word response to this message. Include APA format citations and references as appropriate to the information used and the sources from which you obtained that information.

3.) People are factors that contribute to vulnerabilities and threats. What behaviors do you need to be aware of in security awareness? Name three and discuss. Post your analysis as a 250+ word response to this message. Include APA format citations and references as appropriate to the information used and the sources from which you obtained that information.
rand_document.pdf


Finding and Fixing Vulnerabilities in Information Systems
The Vulnerability Assessment & Mitigation Methodology
Philip S. Antón
Robert H. Anderson
Richard Mesic
Michael Scheiern
Prepared for the Defense Advanced Research Projects Agency
National Defense Research Institute
Approved for public release; distribution unlimited
The research described in this report was sponsored by the Defense Advanced
Research Projects Agency. The research was conducted in RAND’s National Defense
Research Institute, a federally funded research and development center supported
by the Office of the Secretary of Defense, the Joint Staff, the unified commands, and
the defense agencies under Contract DASW01-01-C-0004.
Library of Congress Cataloging-in-Publication Data
Finding and fixing vulnerabilities in information systems : the vulnerability assessment and
mitigation methodology / Philip S. Anton … [et al.].
p. cm.
“MR-1601.”
ISBN 0-8330-3434-0 (pbk.)
1. Computer security. 2. Data protection. 3. Risk assessment. I. Anton, Philip S.
QA76.9.A25F525 2003
005.8—dc21
2003012342
RAND is a nonprofit institution that helps improve policy and decisionmaking
through research and analysis. RAND ® is a registered trademark. RAND’s publications do not necessarily reflect the opinions or policies of its research sponsors.
Cover design by Barbara Angell Caslon
© Copyright 2003 RAND
All rights reserved. No part of this book may be reproduced in any form by any
electronic or mechanical means (including photocopying, recording, or information
storage and retrieval) without permission in writing from RAND.
Published 2003 by RAND
1700 Main Street, P.O. Box 2138, Santa Monica, CA 90407-2138
1200 South Hayes Street, Arlington, VA 22202-5050
201 North Craig Street, Suite 202, Pittsburgh, PA 15213-1516
RAND URL: http://www.rand.org/
To order RAND documents or to obtain additional information, contact Distribution
Services: Telephone: (310) 451-7002; Fax: (310) 451-6915; Email: order@rand.org
PREFACE
Vulnerability assessment methodologies for information systems have been weakest
in their ability to guide the evaluator through a determination of the critical vulnerabilities and to identify appropriate security mitigation techniques to consider for
these vulnerabilities. The Vulnerability Assessment and Mitigation (VAM) methodology attempts to fill this gap, building on and expanding the earlier RAND methodology used to secure a system’s minimum essential information infrastructure (MEII).
The VAM methodology uses a relatively comprehensive taxonomy of top-down
attributes that lead to vulnerabilities, and it maps these vulnerability attributes to a
relatively comprehensive list of mitigation approaches. The breadth of mitigation
techniques includes not only the common and direct approaches normally thought
of (which may not be under one’s purview) but also the range of indirect approaches
that can reduce risk. This approach helps the evaluator to think beyond known vulnerabilities and develop a list of current and potential concerns to head off surprise
attacks.
This report should be of interest to individuals or teams (either independent of or
within the organization under study) involved in assessing and mitigating the risks
and vulnerabilities of information systems critical to an organization’s functions—
including the discovery of vulnerabilities that have not yet been exploited or encountered. The report may also be of interest to persons involved in other aspects of
information operations, including exploitation and attack.
This report refers to, in multiple places, a prototype spreadsheet that implements the
methodology using Microsoft Excel 2000. Readers may obtain a copy of this spreadsheet online at www.rand.org/publications/MR/MR1601/.
Unpublished RAND research by the authors of this report explored the issues in
applying VAM methodology to military tactical information systems. This research
may be available to authorized government individuals by contacting Philip Antón
(anton@rand.org) or Robert Anderson (anderson@rand.org).
This study was sponsored by the Information Technology Office (ITO) of the Defense
Advanced Research Projects Agency (DARPA). It was conducted in the Acquisition
and Technology Policy Center of RAND’s National Defense Research Institute, a federally funded research and development center (FFRDC) sponsored by the Office of
the Secretary of Defense, the Joint Staff, the unified commands, and the defense
agencies.
CONTENTS
Preface … iii
Figures … ix
Tables … xi
Summary … xv
Acknowledgments … xxiii
Acronyms … xxv
Chapter One
  INTRODUCTION … 1
    Who Should Use the VAM Methodology? … 1
    Previous Research … 2
    Structure of This Report … 3
Chapter Two
  CONCEPTS AND DEFINITIONS … 5
    Security … 5
    Information Systems … 5
    System Object Types … 5
      On the Use of the “Object” Concept … 6
    Attributes as Sources of Vulnerabilities … 6
    Security Techniques … 7
Chapter Three
  VAM METHODOLOGY AND OTHER DoD PRACTICES IN RISK ASSESSMENT … 9
    Overview of the VAM Methodology … 9
      Step 1. Identify Essential Information Functions … 10
      Step 2. Identify Essential Information Systems … 11
      Step 3. Identify System Vulnerabilities … 12
      Step 4. Identify Pertinent Security Techniques from Candidates Given by the VAM Methodology … 15
      Step 5. Select and Apply Security Techniques … 16
      Step 6. Test for Robustness Under Threat … 17
    Other DoD Vulnerability Assessment Methodologies … 18
      OCTAVE … 19
      ISO/IEC 15408: Common Criteria … 19
      ISO/IEC 17799: Code of Practice for Information Security Management … 20
      Operations Security … 21
      Operational Risk Management … 22
      Integrated Vulnerability Assessments … 22
    The VAM Methodology Techniques Fill Critical Needs in Other Methodologies … 23
Chapter Four
  VULNERABILITY ATTRIBUTES OF SYSTEM OBJECTS … 25
    Vulnerability Attribute Categories … 25
    A Vulnerability Checklist and Example … 25
      Insider Threat … 25
      Inability to Handle Distributed Denial-of-Service Attacks … 26
      IP Spoofing … 26
      Inability to Detect Changes to IP Net, Making IP Masking Possible … 29
      Centralized Network Operations Centers … 29
      Common Commercial Software and Hardware Are Well Known and Predictable … 29
      Standardized Software … 29
      Weaknesses in Router or Desktop Applications Software … 30
      Electronic Environmental Tolerances … 30
    Description of Vulnerability Attributes … 30
      Design and Architecture Attributes … 30
      Behavioral Attributes … 32
      General Attributes … 32
    How Vulnerability Properties Combine in Common Threats … 33
Chapter Five
  DIRECT AND INDIRECT SECURITY TECHNIQUES … 37
    Security Technique Categories and Examples … 37
      Resilience and Robustness … 37
      Intelligence, Surveillance, Reconnaissance, and Self-Awareness … 42
      Counterintelligence; Denial of ISR and Target Acquisition … 43
      Deterrence and Punishment … 43
    How Security Techniques Combine in Common Security Approaches … 44
Chapter Six
  GENERATING SECURITY OPTIONS FOR VULNERABILITIES … 49
    Mapping Vulnerabilities to Security Techniques … 49
      Security Techniques That Address Vulnerabilities … 49
      Security Techniques That Incur Vulnerabilities … 51
      Vulnerability Properties Can Sometimes Facilitate Security Techniques … 52
      Striking a Balance … 52
      Design and Usage Considerations … 53
    Refining the Security Suggestions … 53
      Evaluator Job Roles … 54
      Attack Components … 56
      Attack Stage Relevance by Evaluator Job Role … 57
    Example Security Options Arising from the Use of the Methodology … 59
      Insider Threat … 59
      Inability to Handle Distributed Denial-of-Service Attacks … 61
      IP Spoofing … 62
      Inability to Detect Changes to IP Net, Making IP Masking Possible … 63
      Centralized Network Operations Centers … 63
      Common Commercial Software and Hardware Are Well Known and Predictable … 64
      Standardized Software … 65
      Weaknesses in Router or Desktop Applications Software … 65
      Electronic Environmental Tolerances … 66
Chapter Seven
  AUTOMATING AND EXECUTING THE METHODOLOGY: A SPREADSHEET TOOL … 69
    Initial Steps Performed Manually … 69
    Vulnerabilities Guided by and Recorded on a Form … 70
    The Risk Assessment and Mitigation Selection Spreadsheet … 70
      Specifying the User Type and Vulnerability to Be Analyzed … 70
      Evaluating the Risks for Each Attack Component … 73
      Considering and Selecting Mitigations … 75
      Rating Costs and the Mitigated Risks … 76
Chapter Eight
  NEXT STEPS AND DISCUSSION … 79
    Future Challenges and Opportunities … 79
      Guiding the Evaluation of Critical Functions and Systems … 79
      Additional Guidance and Automation: Spreadsheet and Web-Based Implementations … 79
      Prioritizing Security Options … 80
      Quantitative Assessments of Threats, Risks, and Mitigations … 80
      Integrating VAM Functions into Other Assessment Methodologies … 80
      Using VAM to Guide Information Attacks … 81
      Applications of VAM Beyond Information Systems … 81
    What Vulnerability Will Fail or Be Attacked Next? … 81
    Usability Issues … 81
    Why Perform Security Assessments? … 82
Chapter Nine
  SUMMARY AND CONCLUSIONS … 83
Appendix
  VULNERABILITY TO MITIGATION MAP VALUES … 85
Bibliography … 115
FIGURES
S.1. Security Mitigation Techniques … xviii
S.2. The Concept of Mapping Vulnerabilities to Security Mitigation Techniques … xix
S.3. Values Relating Vulnerabilities to Security Techniques … xix
S.4. User and Attack Component Filtering in the VAM Tool … xx
3.1. Example Functional Decomposition of JFACC Information Functions … 11
3.2. Example Information Systems Supporting the JFACC Information Functions … 12
3.3. Identifying Which Vulnerabilities Apply to the Critical System … 15
3.4. The Concept of Mapping Vulnerabilities to Security Mitigation Techniques … 16
3.5. Identifying Security Techniques to Consider … 17
3.6. Test the Revised System Against (Simulated) Threats … 18
3.7. The Core of the VAM Methodology Can Be Used in Other Traditional Methodologies … 23
4.1. Properties Leading to Vulnerabilities … 26
4.2. Vulnerabilities Enabling Distributed Denial of Service … 34
4.3. Vulnerabilities Enabling Firewall Penetrations … 34
4.4. Vulnerabilities Enabling Network Mapping … 35
4.5. Vulnerabilities Enabling Trojan Horse Attacks … 36
5.1. Categories of Security Mitigation Techniques … 38
5.2. Security Techniques Supporting INFOCONs … 45
5.3. Security Techniques Supporting I&W … 45
5.4. Security Techniques Supporting CERTs … 46
5.5. Security Techniques Used in Firewalls … 47
5.6. Security Technique Incorporating Encryption and PKIs … 47
5.7. Security Technique Incorporating Isolation of Systems … 48
6.1. Values Relating Vulnerabilities to Security Techniques … 51
7.1. The VAM Methodology Spreadsheet Tool … 71
7.2. Specifying the User Type and Vulnerability to Be Analyzed … 72
7.3. Evaluating the Risks for Each Attack Component … 73
7.4. Considering and Selecting Mitigations … 75
7.5. Rating Costs and the Mitigated Risks … 76
TABLES
S.1. The Vulnerability Matrix … xvii
3.1. Vulnerability Matrix: Attributes of Information System Objects … 13
4.1. Matrix of Vulnerability Attributes and System Object Types … 27
4.2. Example Completed Vulnerability Checklist … 28
6.1. The Vulnerability to Security Technique Matrix … 50
6.2. Resilience and Robustness Techniques for Evaluator Job Roles and Attack Components … 55
6.3. ISR, CI, and Deterrence Techniques for Evaluator Job Roles and Attack Components … 56
6.4. Methods for Accomplishing Each Component of an Attack … 58
6.5. Vulnerability Exploitation by Attack Component … 60
A.1. Mitigation Techniques That Address Singularity … 86
A.2. Mitigation Techniques That Address Uniqueness … 87
A.3. Mitigation Techniques That Address or Are Facilitated by Centrality … 88
A.4. Mitigation Techniques That Address or Are Facilitated by Homogeneity … 89
A.5. Mitigation Techniques That Address or Are Facilitated by Separability … 90
A.6. Mitigation Techniques That Address Logic or Implementation Errors, Fallibility … 91
A.7. Mitigation Techniques That Address or Are Facilitated by Design Sensitivity, Fragility, Limits, or Finiteness … 92
A.8. Mitigation Techniques That Address Unrecoverability … 93
A.9. Mitigation Techniques That Address Behavioral Sensitivity or Fragility … 94
A.10. Mitigation Techniques That Address Malevolence … 95
A.11. Mitigation Techniques That Address Rigidity … 96
A.12. Mitigation Techniques That Address Malleability … 97
A.13. Mitigation Techniques That Address Gullibility, Deceivability, or Naiveté … 98
A.14. Mitigation Techniques That Address Complacency … 99
A.15. Mitigation Techniques That Address Corruptibility or Controllability … 100
A.16. Mitigation Techniques That Address Accessible, Detectable, Identifiable, Transparent, or Interceptable … 101
A.17. Mitigation Techniques That Address Hard to Manage or Control
A.18. Mitigation Techniques That Address Self-Unawareness or Unpredictability
A.19. Mitigation Techniques That Address or Are Facilitated by Predictability
A.20. Vulnerabilities That Can Be Incurred from Heterogeneity
A.21. Vulnerabilities That Can Be Incurred from Redundancy
A.22. Vulnerabilities That Can Be Incurred from Centralization
A.23. Vulnerabilities That Can Be Incurred from Decentralization
A.24. Vulnerabilities That Can Be Incurred from VV&A, Software/Hardware Engineering, Evaluations, Testing
A.25. Vulnerabilities That Can Be Incurred from Control of Exposure, Access, and Output
A.26. Vulnerabilities That Can Be Incurred from Trust Learning and Enforcement Systems
A.27. Vulnerabilities That Can Be Incurred from Non-Repudiation
A.28. Vulnerabilities That Can Be Incurred from Hardening
A.29. Vulnerabilities That Can Be Incurred from Fault, Uncertainty, Validity, and Quality Tolerance and Graceful Degradation
A.30. Vulnerabilities That Can Be Incurred from Static Resource Allocation
A.31. Vulnerabilities That Can Be Incurred from Dynamic Resource Allocation
A.32. Vulnerabilities That Can Be Incurred from General Management
A.33. Vulnerabilities That Can Be Incurred from Threat Response Structures and Plans
A.34. Vulnerabilities That Can Be Incurred from Rapid Reconstitution and Recovery
A.35. Vulnerabilities That Can Be Incurred from Adaptability and Learning
A.36. Vulnerabilities That Can Be Incurred from Immunological Defense Systems
A.37. Vulnerabilities That Can Be Incurred from Vaccination
A.38. Vulnerabilities That Can Be Incurred from Intelligence Operations
A.39. Vulnerabilities That Can Be Incurred from Self-Awareness, Monitoring, and Assessments
A.40. Vulnerabilities That Can Be Incurred from Deception for ISR
A.41. Vulnerabilities That Can Be Incurred from Attack Detection, Recognition, Damage Assessment, and Forensics (Self and Foe)
A.42. Vulnerabilities That Can Be Incurred from General Counterintelligence
A.43. Vulnerabilities That Can Be Incurred from Unpredictable to Adversary
A.44. Vulnerabilities That Can Be Incurred from Deception for CI
A.45. Vulnerabilities That Can Be Incurred from Deterrence
