book

Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time

Name: Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time
Author: O. Sami Saydjari
ISBN: 9781260118186

by O. Sami Saydjari

August 2018

Intermediate to advanced

512 pages

17h 18m

English

McGraw-Hill

Read now

Unlock full access

Cover
Title Page
Copyright Page
Dedication
Contents
Foreword
Acknowledgments
Introduction
Part I What Do You Want?
Chapter 1 What’s the Problem?
OverviewLearning Objectives1.1 Baking in Trustworthiness: Design-Time1.1.1 What Is Trust?1.1.2 Trust and Belief1.1.3 Engineering1.1.4 Why Trust?1.2 Operational Perspective: Basic Questions1.2.1 Am I Under Attack?1.2.2 What Is the Nature of the Attack?1.2.3 What Is the Mission Impact So Far?1.2.4 What Is the Potential Mission Impact?1.2.5 When Did It Start?1.2.6 Who Is Attacking?1.2.7 What Are They Trying to Do?1.2.8 What Is the Attacker’s Next Step?1.2.9 What Can I Do About It?1.2.10 What Are My Options and How Effective Will Each Option Be?1.2.11 How Will My Mitigation Actions Affect Operation?1.2.12 How Do I Better Defend Myself in the Future?1.3 Asymmetry of Cyberspace Effects1.3.1 Dimensionality1.3.2 Nonlinearity1.3.3 Coupling1.3.4 Velocity1.3.5 Manifestation1.3.6 Detectability1.4 The Cybersecurity Solution Landscape1.4.1 Information Assurance Science and Engineering1.4.2 Defensive Mechanisms1.4.3 Cybersensors and Exploitation1.4.4 Cyber Situation Understanding1.4.5 Cyber Actuation1.4.6 Cyber Command and Control1.4.7 Cyber Defense Strategy and Tactics1.5 Ounces of Prevention and Pounds of CureConclusionQuestions

Chapter 2 Cybersecurity Right-Think
OverviewLearning Objectives2.1 It’s About Risk2.2 The Cybersecurity Trade-off: Performance and Functionality2.2.1 User-Friendliness2.2.2 Time to Market2.2.3 Employee Morale2.2.4 Missed Opportunity2.2.5 Opportunity Cost2.2.6 Quantity of Service or Product2.2.7 Quality of Service or Product2.2.8 Cost of Service or Product2.2.9 Limited Resources2.3 Theories of Security Come from Theories of Insecurity2.4 They Come at You Through the Weeds2.5 Top-Down Meets Bottom-Up2.6 Cybersecurity Is a Live Orchestra, Not a Recorded InstrumentConclusionQuestions
Chapter 3 Value and Mission: Know Thyself
OverviewLearning Objectives3.1 Focus on Mission and Value3.1.1 Avoid Concentrating Value3.1.2 Beware the Complacency of Trust3.2 Confidentiality: Value of Secrecy from Adversaries3.2.1 Acquired-Knowledge Secrets3.2.2 Planning Secrets3.2.3 Stolen Secrets3.2.4 Means-of-Stealing-Secrets Secrets3.3 Confidentiality: Beware the Tyranny of Secrecy3.3.1 Secrecy Is Tenuous3.3.2 Secrecy Is Expensive3.3.3 Secrecy Can Be Self-Defeating3.3.4 Secrecy Is Self-Breeding3.3.5 Secrecy Creates a Form of Corrupting Power and Impediment to Operation3.4 Confidentiality: Changing the Value Proposition3.4.1 Minimize Secrecy and Dependency on Secrecy3.4.2 Minimize Impact of Loss of Secrecy3.5 Integrity: The Root of All Trustworthiness Value3.6 Availability: An Essential Yet Tenuous ValueConclusionQuestions
Chapter 4 Harm: Mission in Peril
OverviewLearning Objectives4.1 Focus on Strategic Risks4.1.1 What Is Strategic Risk?4.1.2 Expected Harm4.1.3 The Range of Risks4.1.4 The Meaning of Focus4.2 Harm Is About Mission4.2.1 Elicitation of Harm4.2.2 Aggregating Harm Statements4.2.3 Representative Harm Lists4.3 Critical Asset Inventory: Data4.3.1 Data Asset Types4.3.2 Data Value Spectrum4.3.3 Criticality Classes4.3.4 Criticality Levels4.4 A Template for Exploring Mission Harm4.5 Harm Is in the Eye of the Beholder4.5.1 Gravity of Harm: Consensus4.5.2 Drawing Conclusions4.6 Sometimes Belief Is More Powerful than Truth4.6.1 Destroying Value4.6.2 Frustrating to Address: Life Is UnfairConclusionQuestions
Chapter 5 Approximating Reality
OverviewLearning Objectives5.1 The Complexity of State: Why Model?5.2 Levels of Abstraction: At What Levels5.3 What to Model and Why5.3.1 The Target System5.3.2 Users5.3.3 Adversaries5.3.4 Measures/Countermeasures5.4 Models Are Always Wrong, Sometimes Useful5.4.1 Incompleteness of Essentials5.4.2 Inaccuracy5.4.3 Non-Timeliness5.5 Model Views5.5.1 Defender’s View5.5.2 Adversary’s View5.5.3 Attacking the Views Themselves5.6 Defense Models Must Consider Failure Modes5.7 Assume Adversaries Know Defender’s System5.8 Assume Adversaries Are Inside Defender’s SystemConclusionQuestions
Part II What Could Go Wrong?
Chapter 6 Adversaries: Know Thy Enemy
OverviewLearning Objectives6.1 Know Your Adversaries6.1.1 Intentions6.1.2 Capabilities6.1.3 Attacker Resources and Defender Resources6.1.4 Risk Tolerance6.1.5 Strategic Goals6.1.6 Tactics6.2 Assume Smart Adversaries6.3 Assume Adversaries Don’t Play Fair6.3.1 Going Around Security Controls6.3.2 Going Beneath Security Controls6.3.3 Attacking the Weakest Link6.3.4 Violating a Design Assumption6.3.5 Using Maintenance Modes6.3.6 Using Social Engineering6.3.7 Using Bribery and Blackmail to Subvert Insiders6.3.8 Taking Advantage of Temporary Bypasses6.3.9 Taking Advantage of Temporary Connections6.3.10 Taking Advantage of Natural System Failure6.3.11 Exploiting Bugs You Did Not Even Know You Had6.3.12 Compromising External Systems that a System Trusts6.4 Anticipate Attack Escalation6.5 Red Teams6.5.1 Opposing Force6.5.2 Red Team Characteristics6.5.3 Other Types of Red Teams6.6 Cyberspace Exercises6.6.1 Red Versus Blue6.6.2 Pure Versus Hybrid6.6.3 Purple Collaboration6.7 Red Team Work Factor: Measuring DifficultyConclusionQuestions
Chapter 7 Forests of Attack Trees
OverviewLearning Objectives7.1 Attack Trees and Forests7.1.1 Attack Tree Structure7.1.2 Deriving Attack Scenarios7.1.3 From Trees to Forests7.2 System Failures Predict Cybersecurity Failures7.2.1 Inspirational Catastrophes7.2.2 The 10x Rule7.2.3 Feigning Failure7.3 Understanding Failure Is the Key to Success: The Five Whys7.3.1 Why Five Whys?7.3.2 Projecting Fishbones7.4 Forests Should Be Representative, Not Exhaustive7.5 Drive Each Attack Tree Layer by Asking How7.6 Go as Deep as Needed and No Deeper7.7 Beware of External Dependencies7.7.1 Just in Time7.7.2 Information Dependency7.7.3 Creating RedundancyConclusionQuestions
Part III What Are the Building Blocks of Mitigating Risk?
Chapter 8 Countermeasures: Security Controls
OverviewLearning Objectives8.1 Countermeasures: Design to Purpose8.2 Ensure Attack-Space Coverage (Defense in Breadth)8.3 Defense in Depth and Breadth8.4 Multilevel Security, Trusted Code, Security Kernels8.4.1 Multilevel Security8.4.2 Trusted Code8.4.3 Security Kernel and the Reference Monitor8.5 Integrity and Type Enforcement8.5.1 Multilevel Integrity8.5.2 Type Enforcement8.6 Cybersecurity Usability8.6.1 Invisible8.6.2 Transparent8.6.3 Clear8.6.4 Easy to Understand8.6.5 Reliable8.6.6 Fast8.6.7 Reversible8.6.8 Adaptable8.6.9 Traceable8.6.10 Reviewable8.7 Deploy Default Secure8.8 Costs8.8.1 Cost Always Matters8.8.2 Time-to-Deploy Matters8.8.3 Impact to Mission Matters8.8.4 Pareto Rule: 80/208.8.5 Opportunity Cost Is a Key Part of Cost8.8.6 How Much to Invest in Cybersecurity8.8.7 Optimizing Zero-Sum Cybersecurity BudgetsConclusionQuestions
Chapter 9 Trustworthy Hardware: Bedrock
OverviewLearning Objectives9.1 Foundation of Trust9.2 Instruction Set Architectures9.3 Supervisors with Rings and Things9.4 Controlling Memory: Mapping, Capabilities, and Tagging9.4.1 Memory Mapping9.4.2 Capabilities9.4.3 Tagging9.5 Software in Hardware9.5.1 Microcode9.5.2 Firmware9.5.3 Secure Bootstrapping9.6 Buses and ControllersConclusionQuestions
Chapter 10 Cryptography: A Sharp and Fragile Tool
OverviewLearning Objectives10.1 What Is Cryptography?10.2 Key Space10.3 Key Generation10.4 Key Distribution10.4.1 Transmission to Intended Recipients10.4.2 Storage10.4.3 Loading10.5 Public-Key Cryptography10.5.1 The Math10.5.2 Certificates and Certificate Authorities10.5.3 Performance and Use10.5.4 Side Effect of Public-Key Cryptography10.6 Integrity10.7 Availability10.7.1 Positive Effects10.7.2 Negative Effects10.8 Chinks in the Cryptographic Armor10.8.1 Quantum Cryptanalytics: Disruptive Technology10.8.2 P=NP 18510.9 Cryptography Is Not a Panacea10.10 Beware of Homegrown CryptographyConclusionQuestions
Chapter 11 Authentication
OverviewLearning Objectives11.1 Entity Identification: Phase 1 of Authentication11.2 Identity Certification: Phase 2 of Authentication11.3 Identity Resolution: Phase 3 of Authentication11.4 Identity Assertion and Identity Proving: Phases 4 and 5 of Authentication11.5 Identity Decertification: Phase 6 of Authentication11.6 Machine-to-Machine Authentication ChainingConclusionQuestions
Chapter 12 Authorization
OverviewLearning Objectives12.1 Access Control12.1.1 Discretionary Access Control12.1.2 Mandatory Access Control12.1.3 Covert Channels12.1.4 Identity-Based Access Control12.1.5 Attribute-Based Access Control12.2 Attribute Management12.2.1 User Attributes and Privilege Assignment12.2.2 Resource Attribute Assignment12.2.3 Attribute Collection and Aggregation12.2.4 Attribute Validation12.2.5 Attribute Distribution12.3 Digital Policy Management12.3.1 Policy Specification12.3.2 Policy Distribution12.3.3 Policy Decision12.3.4 Policy Enforcement12.4 Authorization Adoption Schemas12.4.1 Direct Integration12.4.2 Indirect Integration12.4.3 Alternative IntegrationConclusionQuestions
Chapter 13 Detection Foundation
OverviewLearning Objectives13.1 The Role of Detection13.2 How Detection Systems Work13.3 Feature Selection13.3.1 Attack Manifestation in Features13.3.2 Manifestation Strength13.3.3 Mapping Attacks to Features13.3.4 Criteria for Selection13.4 Feature Extraction13.5 Event Selection13.6 Event Detection13.7 Attack Detection13.8 Attack Classification13.9 Attack Alarming13.10 Know Operational Performance Characteristics for SensorsConclusionQuestions
Chapter 14 Detection Systems
OverviewLearning Objectives14.1 Types of Detection Systems14.1.1 Signature-Based14.1.2 Anomaly Detection14.2 Detection Performance: False Positives, False Negatives, and ROCs14.2.1 Feature Selection14.2.2 Feature Extraction14.2.3 Event Selection14.2.4 Attack Detection14.2.5 Attack Classification14.2.6 Attack Alarming14.3 Drive Detection Requirements from Attacks14.4 Detection Failures14.4.1 Blind Sensors14.4.2 Below Noise Floor14.4.3 Below Alert Threshold14.4.4 Improper Placement14.4.5 Natural Failure14.4.6 Successfully Attacked14.4.7 Blocked Sensor Input14.4.8 Blocked Report OutputConclusionQuestions
Chapter 15 Detection Strategy
OverviewLearning Objectives15.1 Detect in Depth and Breadth15.1.1 Breadth: Network Expanse15.1.2 Depth: Network Expanse15.1.3 Breadth: Attack Space15.1.4 Depth: Attack Space15.2 Herd the Adversary to Defender’s Advantage15.3 Attack Epidemiology15.4 Detection Honeypots15.5 Refining Detection15.5.1 Running Alerts to Ground15.5.2 Learning More About an Attack15.6 Enhancing Attack Signal and Reducing Background Noise15.6.1 Reducing the Noise Floor15.6.2 Boosting Attack Signal15.6.3 Lowering the Alert ThresholdConclusionQuestions
Chapter 16 Deterrence and Adversarial Risk
OverviewLearning Objectives16.1 Deterrence Requirements16.1.1 Reliable Detection: Risk of Getting Caught16.1.2 Reliable Attribution16.1.3 Meaningful Consequences16.2 All Adversaries Have Risk Thresholds16.3 System Design Can Modulate Adversary Risk16.3.1 Detection Probability16.3.2 Attribution Probability16.3.3 Consequence Capability and Probability16.3.4 Retaliation Capability and Probability16.3.5 Risky Behavior16.4 Uncertainty and Deception16.4.1 Uncertainty16.4.2 Deception16.5 When Detection and Deterrence Do Not WorkConclusionQuestions
Part IV How Do You Orchestrate Cybersecurity?
Chapter 17 Cybersecurity Risk Assessment
OverviewLearning Objectives17.1 A Case for Quantitative Risk Assessment17.2 Risk as a Primary Metric17.3 Why Measure?17.3.1 Characterize17.3.2 Evaluate17.3.3 Predict17.3.4 Improve17.4 Evaluate Defenses from an Attacker’s Value Perspective17.5 The Role of Risk Assessment and Metrics in Design17.6 Risk Assessment Analysis Elements17.6.1 Develop Mission Model17.6.2 Develop System Model17.6.3 Develop Adversary Models17.6.4 Choose Representative Strategic Attack Goals17.6.5 Estimate Harm Using Wisdom of Crowds17.6.6 Estimate Probability Using Wisdom of Crowds17.6.7 Choose Representative Subset17.6.8 Develop Deep Attack Trees17.6.9 Estimate Leaf Probabilities and Compute Root17.6.10 Refine Baseline Expected Harm17.6.11 Harvest Attack Sequence Cut Sets => Risk Source17.6.12 Infer Attack Mitigation Candidates from Attack Sequences17.7 Attacker Cost and Risk of Detection17.7.1 Resources17.7.2 Risk ToleranceConclusionQuestions
Chapter 18 Risk Mitigation and Optimization
OverviewLearning Objectives18.1 Develop Candidate Mitigation Packages18.2 Assess Cost of Mitigation Packages18.2.1 Direct Cost18.2.2 Mission Impact18.3 Re-estimate Leaf Node Probabilities and Compute Root Node Probability18.4 Optimize at Various Practical Budget Levels18.4.1 Knapsack Algorithm18.4.2 Sensitivity Analysis18.5 Decide Investment18.6 ExecuteConclusionQuestions
Chapter 19 Engineering Fundamentals
OverviewLearning Objectives19.1 Systems Engineering Principles19.1.1 Murphy’s Law19.1.2 Margin of Safety19.1.3 Conservation of Energy and Risk19.1.4 Keep It Simple, Stupid19.1.5 Development Process19.1.6 Incremental Development and Agility19.2 Computer Science Principles19.2.1 Modularity and Abstraction19.2.2 Layering19.2.3 Time and Space Complexity: Understanding Scalability19.2.4 Focus on What Matters: Loops and Locality19.2.5 Divide and Conquer and RecursionConclusionQuestions
Chapter 20 Architecting Cybersecurity
OverviewLearning Objectives20.1 Reference Monitor Properties20.1.1 Functional Correctness20.1.2 Non-Bypassable20.1.3 Tamperproof20.2 Simplicity and Minimality Breed Confidence20.3 Separation of Concerns and Evolvability20.4 Security Policy Processing20.4.1 Policy Specification20.4.2 Policy Decision Making20.4.3 Policy Enforcement20.5 Dependability and Tolerance20.5.1 Cybersecurity Requires Fail Safety20.5.2 Expect Failure: Confine Damages Using Bulkheads20.5.3 Tolerance20.5.4 Synergize Prevention, Detect-Response, and Tolerance20.6 Cloud CybersecurityConclusionQuestions
Chapter 21 Assuring Cybersecurity: Getting It Right
OverviewLearning Objectives21.1 Cybersecurity Functionality Without Assurance Is Insecure21.2 Treat Cybersecurity Subsystems as Critical Systems21.3 Formal Assurance Arguments21.3.1 Cybersecurity Requirements21.3.2 Formal Security Policy Model21.3.3 Formal Top-Level Specification21.3.4 Security-Critical Subsystem Implementation21.4 Assurance-in-the-Large and Composition21.4.1 Composition21.4.2 Trustworthiness Dependencies21.4.3 Avoiding Dependency Circularity21.4.4 Beware of the Inputs, Outputs, and Dependencies21.4.5 Violating Unstated AssumptionsConclusionQuestions
Chapter 22 Cyber Situation Understanding: What’s Going On
OverviewLearning Objectives22.1 Situation Understanding Interplay with Command and Control22.2 Situation-Based Decision Making: The OODA Loop22.3 Grasping the Nature of the Attack22.3.1 What Vulnerability Is It Exploiting?22.3.2 Which Paths Are the Attacks Using?22.3.3 Are the Attack Paths Still Open?22.3.4 How Can the Infiltration, Exfiltration, and Propagation Paths Be Closed?22.4 The Implication to Mission22.4.1 Increased Risk22.4.2 Contingency Planning22.4.3 Nature and Locus Guiding Defense22.5 Assessing Attack Damages22.6 Threat Assessment22.7 The State of Defenses22.7.1 Health, Stress, and Duress22.7.2 Status22.7.3 Configuration Maneuverability22.7.4 Progress and Failure22.8 Dynamic Defense EffectivenessConclusionQuestions
Chapter 23 Command and Control: What to Do About Attacks
OverviewLearning Objectives23.1 The Nature of Control23.1.1 Decision Cycle23.1.2 Speed Considerations23.1.3 Hybrid Control23.2 Strategy: Acquiring Knowledge23.2.1 Analogy23.2.2 Direct Experience23.2.3 Vicarious Experience23.2.4 Simulation23.3 Playbooks23.3.1 Game Theory23.3.2 Courses of Action in Advance23.3.3 Criteria for Choosing Best Action23.3.4 Planning Limitations23.4 Autonomic Control23.4.1 Control Theory23.4.2 Role of Autonomic Control23.4.3 Autonomic Action Palette23.5 Meta-Strategy23.5.1 Don’t Overreact23.5.2 Don’t Be Predictable23.5.3 Stay Ahead of the AttackersConclusionQuestions
Part V Moving Cybersecurity Forward
Chapter 24 Strategic Policy and Investment
OverviewLearning Objectives24.1 Cyberwar: How Bad Can Bad Get?24.1.1 Scenario24.1.2 Call to Action24.1.3 Barriers to Preparation Action24.1.4 Smoking Gun24.2 Increasing Dependency, Fragility, and the Internet of Things24.2.1 Societal Dependency24.2.2 Just-in-Time Everything24.2.3 The Internet of Things24.2.4 Propagated Weakness24.3 Cybersecurity in the Virtual World: Virtual Economy24.3.1 Booming Game Economy: Virtual Gold Rush24.3.2 Digital Currency Such as Bitcoin24.3.3 Virtual High-Value Targets24.3.4 Start from Scratch?24.4 Disinformation and Influence Operations: Fake News24.4.1 What’s New?24.4.2 Hacking Wetware24.4.3 Polluting the InfosphereConclusionQuestions
Chapter 25 Thoughts on the Future of Cybersecurity
OverviewLearning Objectives25.1 A World Without Secrecy25.1.1 Timed Release25.1.2 Minimize Generation25.1.3 Zero-Secrecy Operations25.2 Coevolution of Measures and Countermeasures25.3 Cybersecurity Space Race and Sputnik25.3.1 Gaining the Ultimate Low Ground25.3.2 Stuxnet and the Cyberattack Genie25.3.3 Georgia and Hybrid Warfare25.3.4 Estonia and Live-Fire Experiments25.3.5 Responsibility for Defending Critical Information Infrastructure25.4 Cybersecurity Science and Experimentation25.4.1 Hypothesis Generation25.4.2 Experimental Design25.4.3 Experiment Execution25.5 The Great Unknown: Research Directions25.5.1 Hard Research Problems25.5.2 Are Cybersecurity Problems Too Hard?25.5.3 Research Impact and the Heilmeier Catechism25.5.4 Research Results Dependability25.5.5 Research Culture: A Warning25.6 Cybersecurity and Artificial IntelligenceConclusionQuestions
Part VI Appendix and Glossary
Appendix Resources
Glossary
Index

Content preview from Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time

Glossary

*-property A multilevel security policy that prohibits processes operating on behalf of users from writing any data below the level of their clearance.

abstraction The act of representing essential features while hiding the details to reduce complexity.

access control list (ACL) A data structure that enumerates the access rights for all active entities (e.g., users) within a system.

access control matrix A two-dimensional matrix with active accessing entities (e.g., processes) on one dimension and resources (e.g., files) with access types (e.g., read, write, and execute) entries in the intersecting cells, indicating the access the active entity has to the corresponding resource.

access rights The privileges that an activity ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781260118186

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time

by O. Sami Saydjari

Glossary

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.