Fluent Essays

Much like a real battle against cyber criminals, the pace of ELITE is rapid, automated, and completely unforgiving of missed deadlines. As a team, you will review the security defense strategies you have determined for your sector. Conduct independent research on your assigned sector and share your findings with your team. After studying the supporting information of your sector, your team will determine and report the noted risks to your sector and your organization in the form of a two-page Risk Profile. Use the document attached and instructions to create a 2-page risk profile. Please let me know if you have any questions. As a team, think about security controls for your sector and use the team's group Discussion area to confer with your team regarding control selection. Your team should support your strategy by providing risk management techniques through the selection of security controls. These security controls will inform your risk profile and might also be used in ELITE. From previous projects that dealt in the international domain, include nation state actors that have been deemed threats to your team sector. You can use different sources of threat intelligence to gain deeper understanding of your sector and its methods for critical infrastructure protection. Many sectors are remotely monitored using industrial control systems (SCADA) and if this is found to be true in your team sector, this description should be included in the risk profile. Also, include an analysis of possible sources and situations of insider threats and if at any time your sector was exploited by an insider threat. Include how this was detected and what means were used to recover from that type of exploitation. These measures and countermeasures could be part of a security plan and may be incorporated in your selection of security controls in ELITE. When you have completed the Risk Profile, a designated team member should submit it for feedback. Attachments area Team Sector Brief Table of Contents 1. Table of Contents………………………………………………………………......Page. 1 3. Introduction……………………………………………………………..………… Page. 2 4. I. II. III. IV. a. i. 1. Introduction The Five Eyes intelligence alliance is composed of the United States, New Zealand, Canada, Australia and United Kingdom. The assigned critical infrastructures could be targeted by adversaries during the next summit. So, each nation, during the Executive Leadership in Tabletop Exercise (ELITE) will protect a business sector. The allied nations agreed to combine efforts and protect these sectors during the next Summit. During this exercise, the teams will engage with cyberattacks to learn risks and threats within the assigned sectors. Then, share new strategies from lessons learned. The nation/sector assignments are as follows (UMUC, 2013): FVEY Nation Assigned Sector Name of Organization Australia Power DTL Power Canada Telecommunications Avisitel New Zealand Defense Contractor Hytema United Kingdom Financial Services Mistral Bank United States Federal Government Federal Government Hytema Team 4 (New Zealand) was assigned Hytema, which is an American global aerospace, security and defense company with global interests. The headquarters is in Atlanta, Georgia. Hytema is one of the largest defense contractors with over 11,000 employees located, globally. Hytema CCS Framework (UMUC, 2013): · “Last year, 83 percent of Hytema's revenues came from military sales. It received 5.1 percent of the Department of Defense's expenditures. The company operates in four business segments. These include, with respective percentages of $55.4 billion in last year's total net sales, Aeronautics (27 percent), Electronic Systems (37 percent), Information Systems and Global Solutions (22 percent), and Space Systems (14 percent).” · “Last year's contracts with the U.S. government accounted for $37.4 billion (68 percent), foreign government contracts $1.8 billion (3 percent), and commercial and other contracts $16.2 billion (29 percent). The company has received the Collier Trophy twice, most recently receiving it 6 years ago for leading the team that developed the F-45 Raider fighter jet.” The following are assigned Team 4 roles for this exercise: · Greg: Chief Network Engineer · Peter: Chief Privacy Officer · Loic: Cyber Security Policy Analyst · Elaine: Chief Information Security Officer · Godson: Chief Technology Officer Federal and State Policy Comparison Unlike the U.S. with its federal and state governments construct, New Zealand is divided into eleven regions with a Head of State as the top governance. The State is very active in cyber security activities. It takes the lead and develops and publishes cybersecurity related strategies and policies. The New Zealand regions utilize the State’s efforts and incorporate them into their local policies. The New Zealand State Department published a Cyber Security Strategy in 2011 and updated the strategy in 2019. “The strategy emphasizes that the government needs to work with individuals, businesses, community organizations and the private sector, in order to minimize harm and disruption, and make the most of technological advances.” (Zealand, 2019) the strategy outlines the challenges to maintaining cyber security, and means to enabling New Zealand to thrive online. Its guiding principles are: 1. Builds and maintains trust 2. Be people-centric, respectful, and inclusive 3. Balances risk with being agile and adaptive 4. Use our collective strengths to deliver better results and outcomes 5. Be open and accountable. The strategy states that partnerships are crucial to effective cyber security. “Close partnerships are required with the private sector, non-government organizations and the international community.” (Cabinet, 2019) The document spells out the five priority areas within cyber security that New Zealand wants to to improve. Figure 1. (Five Areas to Improve) Figure 1. (Five Area to Improve) The New Zealand State Department released the New Zealand Information Security Manual (NZISM) in December of 2017. “The manual is intended for use by New Zealand Government departments, agencies and organizations. Crown entities, local government and private sector organizations are also encouraged to use this manual.” (Bureau, 2017). The document contains information about security within the government, along with their roles and responsibilites. It informs on system certification and accreditation, as well as security documentation, security monitoring, and how to handle information security incidents. It spells out means of physical and personnel security andinstructs on ways to secure infrastructure and systems and devices. The State Department employs a information and communications technology (ICT) Security and Related Services Panel (SRS Panel) which is a group of industry profesionals contracted to provide government agencies with ICT services and advice on a range of security and privacy practices. “Agency requirements for other types of security for example, physical, personnel, or intelligence-based, are not included in this panel.” (Manager, 2020)  Services available include: •InfoSec risk management and assessment •InfoSec security governance and strategy •InfoSec Assurance •source code, application review and technical testing •ICT forensics, investigation and security incident response. New Zealand State Department operates the National Cyber Security Centre (NCSC). It is part of the Government Communications Security Bureau. Its responsibility is to advise New Zealand’s most inportant public and private sector organisations on how to defend their information systems from advanced cyber-borne threats and to help mitigate incidents that have a serious impact on the commonwealth. Cloud Computing Cloud computing is used in both the civilian sector and within the DOD. The utilization of cloud computing is both cost effective and improves services. National Institute of Standards and Technology (NIST) standards and policies outlines the use of cloud computing. The cloud is a network accessible storage device. According to NIST (2011, September), the “cloud is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Analyze Key Elements of NIST Standards for Cloud Computing This cloud model is composed of three service models, five essential characteristics, and four deployment models. According to NIST, key elements for cloud computing include: · On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider. · Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations); · Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth; · Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time; · Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability1 at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service (2011, September). Service Models (NIST, 2011, September): · Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. · Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. · Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls). Deployment Models: · Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. · Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. · Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. · Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). · Is cloud computing a good "fit" for your industry? Cloud computing has many benefits to industry that help with cost effectiveness. Businesses don`t have to pay for their own power servers, employees, maintenance, and data centers. A cloud computer company will provide network security and be responsible for protecting stored data information. However, data protection and storage capabilities need to be addressed, since there are regulatory restrictions. Additionally, the internet can be slow for some businesses and this can impede production, along with cloud use. How does it benefit a cybersecurity solution? Most cloud companies have multi-factor authentication, which most businesses don`t have the resources or skills to implement a higher secure capability other than a login and a password. Multi user factor authentication verifies identity with an additional step, which can be a fingerprint or a token. The cloud company has a significant IT team to cover the costs of extra security to the systems, to include physical security and employing individuals with certifications, whom are qualified and experienced in keeping data safe. Experienced and trained employees do their best with the data within the cloud to be secure. Should it apply across all industries? Although most cloud companies offer the best services, that is cost effective, internet downtime with cloud use can be a real problem. Also, the cloud can be hacked and any sensitive item can be subjected to theft or destruction. Every item on the internet is subject to attack or breach. Also, the cloud is entirely controlled by the service provider. Conclusion References National Institutes of Standards and Technology (NIST). (2013). Security and privacy controls for federal information systems. NIST special publication 800 51 rev. 4. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800 National Institutes of Standards and Technology (NIST). (2011, September). The nist definition of cloud computing. NIST Publication 800-145. Retrieved from: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf UMUC. (2013). Cybersecurity capstone simulation: Student manual. Retrieved from University of Maryland University College: http://www.umgc.edu 10