anticipate, defend, monitor, and respond. The following sections elaborate on each
phase in this cycle.
13.7.1 Anticipate
The IA operations cycle phase anticipate gives advance thought to business risk,
threat space, asset space, vulnerabilities, and what they mean for organizational
effectiveness, operations, and continued viability. Anticipation includes thought
experiments, study of vicarious experiences (e.g., industry reports), and empirical
evidence from the organizational environment. For example, a thought experiment
is a device of the imagination, a purely hypothetical set of circumstances. A
thought experiment may include using the threat taxonomies in this topic to
speculate on potential and probable threats to your organization, what impact
those threats may have on your organization, and then considering how best to
address those threats. Thought experiment details may come from the real
experiences of others in magazine articles or Internet postings; again, consider
how the threats may impact your organization and how you already address them,
how current IA projects will address them, or the need for new IA projects.
System or network penetration attempts are inevitable in a high-profile
organization (e.g., U.S. military, Swiss bank). If monitoring detects no potential
incidents, check the robustness of monitoring services and mechanisms. In the
event of penetration, an analysis of this penetration is wise and should include
how it was discovered, symptoms experienced, how it was reported, the triage
steps to identify potential severity, and how it was escalated, investigated, and
treated. Having
resolved the issue at hand, root cause analysis (RCA) verifies that the resolution
addressed the real cause, not just symptoms.
“Successful penetrations are typically the result of successive compromises,
where two or more vulnerabilities are combined by the attacker to gain greater
than authorized access. A lot of systems still assume that an attacker will not get
to a certain point, and so they do not defend that point”; anticipate the need for
defense-in-depth.
Malware is a contraction of malicious software and includes virus, worm, Trojan
horse, denial of service (DoS), distributed denial of service (DDoS), spyware,
and many variations on a theme, including macro viruses, remote access Trojans
(RATs), and spam. Malware may enter an organization via e-mail, Internet
downloads, sneaker-net floppies and other removable/portable storage media, mobile
code, and bugs in the operating system and application software.
Anticipated malware plus malware discovered through vulnerability analysis
provide input to a defense-in-depth design. IA² includes defense-in-depth by
defining a series of operational boundaries and trust relationships between
boundaries.
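As an added illustration that is not from the book, the "successive compromises" quoted above and the boundary-based defense-in-depth of this paragraph can be run as a small thought experiment: a constructed model of intruder positions, the weaknesses that let an intruder move between them, and the operational boundary each move crosses, with a check that no single defended boundary's failure alone re-opens a chain to the asset. The position names, boundary names and weakness list are constructed assumptions, not taken from the text.

```python
from collections import deque

# Constructed thought-experiment model (not from the text): positions an intruder
# can hold, and weaknesses that let an intruder move between positions. Each
# weakness crosses a named operational boundary; a boundary listed as defended
# has a control that stops that move.
WEAKNESSES = [
    ("internet", "web_server", "perimeter"),       # e.g. exposed web application flaw
    ("internet", "vpn_gateway", "perimeter"),      # e.g. weak remote-access credential
    ("web_server", "app_server", "dmz_internal"),  # often undefended: "nobody gets here"
    ("vpn_gateway", "app_server", "remote_access"),
    ("app_server", "database", "data_tier"),
]

def attack_chains(start, goal, weaknesses=WEAKNESSES, defended=frozenset()):
    """Breadth-first search for every chain of successive compromises from
    start to goal that crosses only undefended boundaries. Each chain is the
    list of boundaries crossed; an empty result means goal is unreachable."""
    moves = {}
    for src, dst, boundary in weaknesses:
        moves.setdefault(src, []).append((dst, boundary))
    chains = []
    queue = deque([(start, (start,), [])])
    while queue:
        node, visited, crossed = queue.popleft()
        if node == goal:
            chains.append(crossed)
            continue
        for dst, boundary in moves.get(node, []):
            if boundary in defended or dst in visited:
                continue  # control stops the move, or we would loop
            queue.append((dst, visited + (dst,), crossed + [boundary]))
    return chains

def depth_gaps(start, goal, weaknesses=WEAKNESSES, defended=frozenset()):
    """Defense-in-depth check: which defended boundaries, if their control alone
    fails, re-open a chain to goal? A non-empty result means the design rests
    on a single control rather than on depth."""
    return sorted(b for b in defended
                  if attack_chains(start, goal, weaknesses, set(defended) - {b}))

if __name__ == "__main__":
    print(attack_chains("internet", "database"))
    print(depth_gaps("internet", "database", defended={"perimeter"}))
    print(depth_gaps("internet", "database", defended={"perimeter", "dmz_internal"}))
    print(depth_gaps("internet", "database", defended={"perimeter", "data_tier"}))
```

Defending only the perimeter, or the perimeter plus the DMZ-to-internal boundary, leaves the design resting on the perimeter control alone because the remote-access route bypasses the DMZ; adding a control at the data tier is what removes the gap.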
Cobb, Stephen, Notes on System Penetration.