Cybersecurity and the Art of Cyberwar

Dan Shoemaker has 15 prior books with McGraw Hill, Cengage and T&F – Distinguished Visitor of the IEEE and Member of the Editorial Board of Computers and Security. National Chair of Workforce Training and Education for the Software Assurance Initiative at the Department of Homeland Security (DHS).Professor and Director of the National Security Agency Center of Academic Excellence in Cyber Defence Education (CAE/CDE) Graduate Program at The University of Detroit Mercy. 50 years of experience in the profession.

• Chapter One - Introduction: Holistic Security A. The Ongoing Disaster in Cyberspace – this documents the general challenge of securing virtual space B. Electronic Solutions are not a Solution – this explains why a solely electronic approach is by definition inadequate by itemizing the other legitimate categories of attack and providing a taxonomy of the various legitimate methods of attack. C. Why We Need a Holistic Approach – this outlines the necessity for a context-based, total solution, and as well as the process for building cybersecurity systems D. The Cybersecurity Process – this presents a unique three-domain, meta-process for holistic solutions and explains/justifies the logic behind why that process has to be followed Chapter Two – Three Legitimate Attack Surfaces and their Different Challenges A. Electronic Attack Surface Elements and Controls – characteristics, strengths and weaknesses of the electronic elements of the system and their common mitigations. B. Human Attack Surface Elements and Controls – characteristics, strengths and weaknesses of the human behavioral elements of the system and their common mitigations. C. Physical Attack Surface Elements and Controls - characteristics, strengths and weaknesses of the physical elements of the system and their common mitigations. D. Architecture: Ensuring Synergy Between Attack Surfaces – this describes the process for integrating control solutions for each interface into a single holistic response Chapter Three – Common Best Practice Standards for Holistic Security A. What is Best Practice and Why is it Important – description of how best practice for the profession of cybersecurity evolves over time and the resulting standard frameworks B. Commonly Accepted Best Practice Frameworks – discussion of the standard models for implementing holistic cybersecurity and how they specifically apply in real world practice. a) ISO 27000 – international specification of the cybersecurity process elements b) FIPS 200/NIST 800-53 – specification of the U.S. requirements for cybersecurity c) COBIT – the most commonly adopted commercial standard l for cybersecurity d) ISO 12207 – international specification of the software process elements Chapter Four - Practical Defence in Depth: Integration of Best Practice into a Holistic Response A. Explanation of the Strategic Concept of Defence in Depth – What is the purpose of defence in depth? What are the roles of coherent perimeters in defining it B. Use of a Standard Model to Implement Specific Protection Needs – the universal process for selection and deployment of best practice control sets C. Why Top Down Development is Essential? – how an iterative process of top down refinement can be used to adapt abstract principles to a specific practical solution D. Integrating Control Sets into a Holistic System – how common control categories can be utilized to validate the correctness of a real world holistic solution Chapter Five – Creating the Solution: Architectural Concerns and Tailoring A. Building Real Architecture Out of Tailored Control Sets – how to create a substantive individualized protection system for real world organizational application B. What is Tailoring and Why is It Necessary – the generally accepted method for adapting a standard’s general best practice recommendations to a given specific instance C. Ensuring Synergistic Responses – methods for building proper interdependence and interactive synergy into the composition of a tailored architecture. D. The Tailoring Process: Examples – this provides detailed specific examples of the tailoring process for two common standards (ISO 27000 and FIPS 200/NIST 800-53) Chapter Six – Maintaining a Holistic Solution: Evaluation and Evolution A. Practical Control Baselines: How are they Created and Maintained - a practical methodology for building substantive control baselines for a given instance B. Ensuring Effective Control Performance – examples of common methodologies for validating and verifying control baseline effectiveness. C. Assessing Control Performance in the Operational Setting – method for ensuring that the status of the control baseline is always known and validated as correct D. Control Architecture Change Management and Evolution – method for effective operational management of changes to organizational control architectures Chapter Seven – Practical Considerations for the Board Room: Changing the Culture A. We Don’t do it That Way: The Problem of Organizational Culture – large scale strategies for overcoming corporate inertia and resistance to change B. The Role and Accountability of Leadership in Obtaining Practical Results – five large scale governance factors that must be recognized and enforced by corporate leadership C. The Capable Organization and How You Get There – a staged approach to development of a capable organizational security response D. Education and Training – a method for implementing education and training programs to ensure the continuing security behaviour of individuals in the corporate environment.