


Question

1. Give a specific example of a defense in depth strategy listing specific components and what their security functionality would be as well as the deficiency of each layer?

2. What are the 10 most common terms in cybersecurity? Provide, in your own words, simple definitions.

3. Discuss the implications in 3 sentences or less of the difference between the definitions of "privacy" in the U.S. and EU laws. Are the U.S. laws more or less encompassing than the EU laws on privacy?

4. Discuss the implications in 3 sentences or less of the difference between the definition of “critical infrastructure” in the U.S. and EU (European Union) laws. Are the U.S. laws more or less encompassing than the EU laws on what constitutes critical infrastructure?

Explanation / Answer

(1) Security controls


Security controls are technical or administrative safeguards or countermeasures to avoid, counteract or minimize loss or unavailability due to threats acting on their matching vulnerability, i.e., security risk. Controls are referenced all the time in security, but they are rarely defined. The purpose of this section is to define technical, administrative/personnel, preventative, detective, corrective, and compensating controls, as well as general controls.

According to the GAO, "The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; and the way management assigns authority and organizes and develops its people."

From this we can derive that some controls are the actions that people take; we call these administrative controls. Administrative controls are the process of developing and ensuring compliance with policy and procedures. They tend to be things that employees may do, or must always do, or cannot do. Another class of controls in security is carried out or managed by computer systems; these are technical controls.

Activity phase controls can be either technical or administrative and are classified as follows:

• Preventative controls exist to prevent the threat from coming in contact with the weakness.
• Detective controls exist to identify that the threat has landed in our systems.
• Corrective controls exist to mitigate or lessen the effects of the threat being manifested.

These correspond to the life cycle phases of a security program. Firewalls are primarily preventative controls. An IPS could be configured to be both preventative and detective. An IDS is purely detective. Reloading an operating system suspected of having malware from the gold standard is a corrective control. These are all examples of technical controls. Forensics and incident response are examples of administrative or personnel corrective controls.

Compensating controls are alternate controls designed to accomplish the intent of the original controls as closely as possible, when the originally designed controls cannot be used due to limitations of the environment. These are generally required when our activity phase controls are not available or when they fail. According to Element Payment Services, "Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls."

There is also probably a near infinite number of functional control categories. NIST lists 18. Many security experts feel the phase controls (protective, detective, reactive) make more sense in the real world. NIST lists the three primary categories as Administrative, Technical and Physical:

Administrative     Technical          Physical
- Preventive       - Preventive       - Preventive
- Detective        - Detective        - Detective
- Corrective       - Corrective       - Corrective

We are not going to make an attempt to list all of the functional controls, but a few are listed for consideration:

(2) CYBER CRIME/HACKER TERMINOLOGY

This glossary was made to help take some of the confusion out of the terms often used when referring to cyber crime. When dealing with crackers, black hats and hackers, what you don’t know can hurt you, so please take a moment to familiarize yourself with these terms and tools of their trade. And remember, the Global Digital Forensics team has dealt with all of this before, so please don’t hesitate to call if you have already become a victim of cyber crime, or just don’t want to be the next.

Adware – Adware is software designed to force pre-chosen ads to display on your system. Some adware is designed to be malicious and will pop up ads with such speed and frequency that they seem to be taking over everything, slowing down your system and tying up all of your system resources. When adware is coupled with spyware, it can be a frustrating ride, to say the least.

Back Door – A back door is a point of entry that circumvents normal security and can be used by a cracker to access a network or computer system. Usually back doors are created by system developers as shortcuts to speed access through security during the development stage and then are overlooked and never properly removed during final implementation. Sometimes crackers will create their own back door to a system by using a virus or a Trojan to set it up, thereby allowing them future access at their leisure.

Black Hat – Just like in the old westerns, these are the bad guys. A black hat is a cracker. To add insult to injury, black hats may also share information about the “break in” with other black hat crackers so they can exploit the same vulnerabilities before the victim becomes aware and takes appropriate measures… like calling Global Digital Forensics!

Bot – A bot is a software “robot” that performs an extensive set of automated tasks on its own. Search engines like Google use bots, also known as spiders, to crawl through websites in order to scan through all of your pages. In these cases bots are not meant to interfere with a user, but are employed in an effort to index sites for the purpose of ranking them accordingly for appropriate returns on search queries. But when black hats use a bot, they can perform an extensive set of destructive tasks, as well as introduce many forms of malware to your system or network. They can also be used by black hats to coordinate attacks by controlling botnets.

Botnet – A botnet is a network of zombie drones under the control of a black hat. When black hats are launching a Distributed Denial of Service attack for instance, they will use a botnet under their control to accomplish it. Most often, the users of the systems will not even know they are involved or that their system resources are being used to carry out DDOS attacks or for spamming. It not only helps cover the black hat’s tracks, but increases the ferocity of the attack by using the resources of many computer systems in a coordinated effort.

Cookies – A cookie is a small packet of information from a visited webserver stored on your system by your computer’s browser. It is designed to store personalized information in order to customize your next visit. For instance, if you visit a site with forms to fill out on each visit, that information can be stored on your system as a cookie so you don’t have to go through the process of filling out the forms each time you visit.

Cracker – When you hear the word hacker today, in reality it is normally referring to a cracker, but the two have become synonymous. With its origin derived from "safe-cracker" as a way to differentiate from the various uses of "hacker" in the cyber world, a cracker is someone who breaks into a computer system or network without authorization and with the intention of doing damage. A cracker may destroy files, steal personal information like credit card numbers or client data, infect the system with a virus, or undertake many other things that cause harm. This glossary will give you an idea of what they can do and some of the means they use to achieve their malicious objectives. These are the black hats.

Denial of Service Attack (DOS) – A Denial of Service attack is an attack designed to overwhelm a targeted website to the point of crashing it or making it inaccessible. Along with sheer numbers and frequency, sometimes the data packets that are sent are malformed to further stress the system trying to process the server requests. A successful Denial of Service attack can cripple any entity that relies on its online presence by rendering their website virtually useless.

Distributed Denial of Service Attack (DDOS) – A Distributed Denial of Service attack is done with the help of zombie drones (also known as a botnet) under the control of black hats using a master program to command them to send information and data packets to the targeted webserver from the multiple systems under their control. This obviously makes the Distributed Denial of Service attack even more devastating than a Denial of Service attack launched from a single system, flooding the target server with a speed and volume that is exponentially magnified. As is normally the case with zombie drones and botnets, this is often done without the user of the controlled system even knowing they were involved.

Dumpster Diving – The act of rummaging through the trash of an individual or business to gather information that could be useful for a cyber criminal to gain access to a system or attain personal information to aid them in identity theft or system intrusion. One person’s garbage can indeed be a cyber criminal’s treasure.

Easter Egg – A non-malicious surprise contained in a program or on a circuit board installed by the developer. It could be as simple as a text greeting, a signature, or an image embedded on a circuit board, or comprise a more complex routine, like a video or a small program. The criteria that must be met to be considered an Easter Egg are that it be undocumented, non-malicious, reproducible to anyone with the same device or software, not be obvious, and above all – it should be entertaining!

Firewall – A firewall is a security barrier designed to keep unwanted intruders “outside” a computer system or network while allowing safe communication between systems and users on the “inside” of the firewall. Firewalls can be physical devices or software-based, or a combination of the two. A well designed and implemented firewall is a must to ensure safe communications and network access and should be regularly checked and updated to ensure continued function. Black hats learn new tricks and exploit new techniques all the time, and what worked to keep them out yesterday may need to be adjusted or replaced over time.

Gray Hat – A gray hat, as you would imagine, is a bit of a white hat/black hat hybrid. Thankfully, like white hats, their mission is not to do damage to a system or network, but to expose flaws in system security. The black hat part of the mix is that they may very well use illegal means to gain access to the targeted system or network, but not for the purpose of damaging or destroying data: they want to expose the security weaknesses of a particular system and then notify the "victim" of their success. Often this is done with the intent of then selling their services to help correct the security failure so black hats cannot gain entry and/or access for more devious and harmful purposes.

Hacker – This is the trickiest definition of the group and controversy has followed its use for decades. Originally, the term hacker had a positive connotation and it actually had nothing to do with computer systems. In 1946, the Tech Model Railroad Club of MIT coined the term to mean someone who applies ingenuity to achieve a clever result. Then, when computers came along, "hacker" took on the meaning of someone who would "hack" away on a program through the night to make it better. But in the 80s everything changed, and Hollywood was the catalyst. When the personal computer onslaught started invading our daily lives, it didn't take long for clever screen-writers to bring the black hat villains of the cyber world to the forefront of our collective consciousness, and they haven't looked back since. They associated our deepest fears with the word hacker, making them the ones that unraveled our privacy, put our safety in jeopardy, and had the power to take everything from us, from our material possessions to our very identities. And they could do it all anonymously, by hacking away in a dark room by the dim light of a computer monitor's glow. Needless to say, right or wrong, it stuck! Even many professionals in the computing field today have finally, albeit grudgingly, given in to the mainstream meaning of the word. "Hacker" has thus become the catch-all term used when in fact it should be "cracker."

(3) Law is a system of rules that are enforced through social institutions to govern behavior. Laws can be made by a collective legislature or by a single legislator, resulting in statutes, by the executive through decrees and regulations, or by judges through binding precedent, normally in common law jurisdictions. Private individuals can create legally binding contracts, including arbitration agreements that may elect to accept alternative arbitration to the normal court process. The formation of laws themselves may be influenced by a constitution, written or tacit, and the rights encoded therein. The law shapes politics, economics, history and society in various ways and serves as a mediator of relations between people.

A general distinction can be made between (a) civil law jurisdictions (including Catholic canon law and socialist law), in which the legislature or other central body codifies and consolidates their laws, and (b) common law systems, where judge-made precedent is accepted as binding law. Historically, religious laws played a significant role even in settling of secular matters, which is still the case in some religious communities, particularly Jewish, and some countries, particularly Islamic. Islamic Sharia law is the world's most widely used religious law.

The adjudication of the law is generally divided into two main areas referred to as (i) Criminal law and (ii) Civil law. Criminal law deals with conduct that is considered harmful to social order and in which the guilty party may be imprisoned or fined. Civil law (not to be confused with civil law jurisdictions above) deals with the resolution of lawsuits (disputes) between individuals or organizations. These resolutions seek to provide a legal remedy (often monetary damages) to the winning litigant. Under civil law, the following specialties, among others, exist: Contract law regulates everything from buying a bus ticket to trading on derivatives markets. Property law regulates the transfer and title of personal property and real property. Trust law applies to assets held for investment and financial security. Tort law allows claims for compensation if a person's property is harmed. Constitutional law provides a framework for the creation of law, the protection of human rights and the election of political representatives. Administrative law governs what executive branch agencies may and may not do, procedures that they must follow to do it, and judicial review when a member of the public is harmed by an agency action. International law governs affairs between sovereign states in activities ranging from trade to military action. To implement and enforce the law and provide services to the public by public servants, a government's bureaucracy, military, and police are vital. While all these organs of the state are creatures created and bound by law, an independent legal profession and a vibrant civil society inform and support their progress.

Law provides a rich source of scholarly inquiry into legal history, philosophy, economic analysis and sociology. Law also raises important and complex issues concerning equality, fairness, and justice. There is an old saying that 'all are equal before the law', although Jonathan Swift argued that 'Laws are like cobwebs, which may catch small flies, but let wasps and hornets break through.' In 1894, the author Anatole France said sarcastically, "In its majestic equality, the law forbids rich and poor alike to sleep under bridges, beg in the streets, and steal loaves of bread." Writing in 350 BC, the Greek philosopher Aristotle declared, "The rule of law is better than the rule of any individual." Mikhail Bakunin said: "All law has for its object to confirm and exalt into a system the exploitation of the workers by a ruling class." Cicero said "more law, less justice". Marxist doctrine asserts that law will not be required once the state has withered away.

Mainstream definitions

Numerous definitions of law have been put forward over the centuries. The Third New International Dictionary from Merriam-Webster defines law as: "Law is a binding custom or practice of a community; a rule or mode of conduct or action that is prescribed or formally recognized as binding by a supreme controlling authority or is made obligatory by a sanction (as an edict, decree, rescript, order, ordinance, statute, resolution, rule, judicial decision, or usage) made, recognized, or enforced by the controlling authority."

The Dictionary of the History of Ideas published by Scribner's in 1973 defined the concept of law accordingly as: "A legal system is the most explicit, institutionalized, and complex mode of regulating human conduct. At the same time it plays only one part in the congeries of rules which influence behavior, for social and moral rules of a less institutionalized kind are also of great importance."

Whether it is possible or desirable to define law

There have been many attempts to produce "a universally acceptable definition of law". In 1972, one source indicated that no such definition could be produced. Glanville Williams said that the meaning of the word "law" depends on the context in which that word is used. He said that, for example, "early customary law" and "municipal law" were contexts where the word "law" had two different and irreconcilable meanings. Thurman Arnold said that it is obvious that it is impossible to define the word "law" and that it is also equally obvious that the struggle to define that word should not ever be abandoned. It is possible to take the view that there is no need to define the word "law" (e.g. "let's forget about generalities and get down to cases").

(4) Critical infrastructure is a term used by governments to describe assets that are essential for the functioning of a society and economy - the infrastructure. Most commonly associated with the term are facilities for:

Regional critical-infrastructure protection programmes

European Union

The European Programme for Critical Infrastructure Protection (EPCIP) has been laid out in EU Directives by the Commission (EU COM(2006) 786 final). It has proposed a list of European critical infrastructures based upon inputs by its Member States.

Each designated European Critical Infrastructures (ECI) will have to have an Operator Security Plan (OSP) covering the identification of important assets, a risk analysis based on major threat scenarios and the vulnerability of each asset, and the identification, selection and prioritisation of counter-measures and procedures.

United Kingdom

In the UK, the Centre for the Protection of National Infrastructure provides information, personnel and physical security advice to the businesses and organisations which make up the UK's national infrastructure, helping to reduce its vulnerability to terrorism and other threats. It can call on resources from other government departments and agencies, including MI5, the Communications-Electronics Security Group and other government departments responsible for national infrastructure sectors.

United States

The USA has had a wide-reaching Critical Infrastructure Protection Program in place since 1996. Its Patriot Act of 2001 defined critical infrastructure as those "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

These have identified a number of critical infrastructures and responsible agencies:

The National Infrastructure Protection Plan (NIPP) defines the critical infrastructure sectors in the US. Presidential Policy Directive 21 (PPD-21), issued in February 2013 and entitled Critical Infrastructure Security and Resilience, mandated an update to the NIPP. This revision of the plan established the following 16 critical infrastructure sectors:
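A worked illustration of the layered controls described in part (1) of the answer above, tying in the DoS, DDoS and botnet entries from the glossary in part (2). This is an added example and is not part of the original answer: the log format, the IP addresses, the port allowlist, the rate thresholds and the one-second window are all constructed assumptions chosen to make each layer's deficiency visible in the result.

```python
"""Defense in depth as a request pipeline: a preventative, a detective and a
corrective layer run over a constructed connection log, with each layer's
deficiency visible in the result."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# All thresholds below are assumptions chosen for the example, not from the page.
ALLOWED_PORTS = {80, 443}   # preventative layer: only web ports are permitted in
PER_SOURCE_LIMIT = 5        # detective layer: more than 5 hits/window from one IP
AGGREGATE_LIMIT = 20        # detective layer: more than 20 hits/window in total
RATE_CAP = 2                # corrective layer: compensating cap per IP per window


@dataclass(frozen=True)
class Event:
    ts: int    # seconds since start of capture
    src: str   # source IP address
    port: int  # destination port


def build_sample_log() -> str:
    """Constructed log, one 'ts src_ip dst_port' record per line (not real traffic)."""
    lines = [f"{ts} 10.0.0.{ts + 1} 443" for ts in range(3)]  # 3 benign clients
    lines.append("4 198.51.100.9 23")                         # telnet probe
    lines += ["5 203.0.113.5 443"] * 12                       # single-source DoS
    for bot in range(10):                                     # 10-bot DDoS, 3 hits each
        lines += [f"6 192.0.2.{bot + 10} 80"] * 3
    return "\n".join(lines)


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        ts, src, port = line.split()
        events.append(Event(int(ts), src, int(port)))
    return events


def firewall(events: List[Event]) -> List[Event]:
    """Preventative layer: port allowlist.
    Deficiency: a flood on an allowed port looks exactly like legitimate traffic here."""
    return [e for e in events if e.port in ALLOWED_PORTS]


def ids(events: List[Event], window: int = 1) -> List[Dict]:
    """Detective layer: rate thresholds per `window` seconds. It only reports.
    Per-source counting catches a single-host DoS. A botnet whose members each
    stay under PER_SOURCE_LIMIT shows up only in the aggregate count, and that
    alert cannot name an offender (the deficiency a DDoS exploits)."""
    per_window: Dict[int, Counter] = defaultdict(Counter)
    for e in events:
        per_window[e.ts // window][e.src] += 1
    alerts: List[Dict] = []
    for w, counts in sorted(per_window.items()):
        for src, n in counts.items():
            if n > PER_SOURCE_LIMIT:
                alerts.append({"kind": "per_source", "window": w, "src": src, "count": n})
        total = sum(counts.values())
        if total > AGGREGATE_LIMIT:
            alerts.append({"kind": "aggregate", "window": w, "count": total,
                           "sources": len(counts)})
    return alerts


def corrective(events: List[Event], alerts: List[Dict], window: int = 1) -> List[Event]:
    """Corrective layer: drop sources named in per-source alerts; for aggregate
    alerts fall back to a compensating per-source cap inside that window.
    Deficiency: the cap also throttles benign clients caught in the same window."""
    blocked: Set[str] = {a["src"] for a in alerts if a["kind"] == "per_source"}
    capped_windows = {a["window"] for a in alerts if a["kind"] == "aggregate"}
    seen: Counter = Counter()
    delivered = []
    for e in events:
        if e.src in blocked:
            continue
        w = e.ts // window
        if w in capped_windows:
            seen[(w, e.src)] += 1
            if seen[(w, e.src)] > RATE_CAP:
                continue
        delivered.append(e)
    return delivered


def run_pipeline(log_text: str) -> Dict:
    events = parse_log(log_text)
    passed = firewall(events)
    alerts = ids(passed)
    delivered = corrective(passed, alerts)
    return {
        "parsed": len(events),
        "firewall_dropped": len(events) - len(passed),
        "alerts": alerts,
        "blocked": sorted({a["src"] for a in alerts if a["kind"] == "per_source"}),
        "delivered": len(delivered),
    }


if __name__ == "__main__":
    for key, value in run_pipeline(build_sample_log()).items():
        print(key, value)
```

Running it on the constructed log shows the three layers and their gaps side by side: the firewall drops only the telnet probe and passes both floods because they use allowed ports; the IDS names the single-source flood but can only report a window total for the ten-bot flood, because no bot exceeds the per-source threshold on its own; the corrective layer blocks the named source outright and falls back to a per-source cap for the distributed one, which is a compensating control in the sense of the answer: it mitigates the risk, but it throttles every client in that window and still lets the botnet through at the capped rate.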