**10. Implementing security**

A likely question at this stage is: what can be done? How can we realistically and affordably protect our information under this continuous barrage of attacks? Often in these circumstances, managers may find themselves responsible for choosing among a large number of different technology-based solutions. This can quickly become overwhelming and can actually create more problems than it solves. In order to implement effective security controls, we must first understand the risks posed by different threats to our business model.

There is no shortage of security frameworks for analyzing risk and implementing security controls, and there are plenty of excellent books on this topic for a variety of audiences. For the purposes of this chapter, we shall present security implementation using a greatly simplified model that should enable an organization to prepare for and respond to security threats effectively.

The Cyber Security space can be broken down into three areas, or domains. These are:



The continual application of these three domains cannot be emphasized enough. External consultants who are experienced, certified security professionals can be invaluable resources in maintaining an effective cyber-security posture and ensuring our businesses remain unhindered by an attack they were unprepared to handle.

**11. Current research**

Historically the attackers have also had the advantage that the majority of home PC owners and many businesses have been lax in applying fixes and upgrading their platform software. Thus attackers can have years to find and exploit vulnerable machines. Buffer overflow and other code injection attacks often depend on the static layout of the code and data in memory for their effectiveness. Historically network risks were mitigated by building a fortress around systems. This approach led to network architectures with components with names like DMZ (Demilitarized Zone), a boundary location that has both public and private addresses so that "bastion hosts" could be hardened to live in the DMZ while normal systems would be deployed behind the "firewall". This provides a static environment that allows an attacker almost unlimited time to search for a vulnerability in the attack surface. The advent of APT attackers that patiently probe for years against a target of particular interest makes these fortress designs vulnerable. Just as WEP-based wireless networking was vulnerable to attack because it used static encryption keys, static networks that can be mapped over time are more vulnerable than more dynamic designs.

In order to defeat these threats in a slowly evolving infrastructure, some new products and research results demonstrate that significant gains in security can be achieved by adding random dynamic behavior to systems. Starting with Windows Vista and improved in Windows 7 and Server 2008 SP1, the operating system loads the parts of the operating system into different random locations every time it boots (Microsoft, 2011). Microsoft does not claim that this eliminates the threat of attacks - it just makes it significantly more difficult.

Vendors have begun to sell network appliances that randomize the footprint of the network by using Network Address Translation (NAT) technology and randomizing outbound connections over a set of IP addresses, as well as other dynamic behavior (Masking Networks, 2011).

The military is looking at many similar approaches to improve the security of its networks, especially combat control systems (Baker et al., 2011; Jones, 2011; Okhravi et al., 2011; Wright, 2011). In November 2011, the Defense Advanced Research Projects Agency (DARPA) announced plans to increase cyber-security research by 50% (Hoover, 2011).

The next generation of networks may be significantly more robust, as could hardware and software systems. This will probably be accomplished by introducing more and more random behavior into the operational characteristics of systems, which will overcome many of the disadvantages of our current environment, in which the majority of systems run identical platform software deployed on identical hardware connected in static networks.
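An added example, not from the original chapter: by default Windows applies the load-address randomization described in this section only to images whose PE header opts in, so a defender can audit binaries for that opt-in. The flag values come from the PE/COFF specification rather than this page, and the sample images, file names and helper names are constructed for the demonstration.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification (not named on the page).
DYNAMIC_BASE = 0x0040     # image may be loaded at a randomized base (ASLR opt-in)
HIGH_ENTROPY_VA = 0x0020  # 64-bit image accepts high-entropy randomization
NX_COMPAT = 0x0100        # image is compatible with DEP

def aslr_flags(image: bytes) -> dict:
    """Report the load-randomization opt-in flags of a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)   # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = pe_off + 24                 # 4-byte signature + 20-byte COFF header
    if len(image) < opt + 72:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "pe32_plus": magic == 0x20B,
        "dynamic_base": bool(chars & DYNAMIC_BASE),
        "high_entropy_va": bool(chars & HIGH_ENTROPY_VA),
        "nx_compat": bool(chars & NX_COMPAT),
    }

def build_sample(magic: int, chars: int) -> bytes:
    """Constructed, header-only PE stub for the demo (not a loadable binary)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = bytes(20)
    optional = struct.pack("<H", magic) + bytes(68) + struct.pack("<H", chars)
    return dos + b"PE\0\0" + coff + optional

def audit(images: dict) -> list:
    """Return the names of images that do not opt in to randomized loading."""
    return sorted(name for name, data in images.items()
                  if not aslr_flags(data)["dynamic_base"])

if __name__ == "__main__":
    samples = {  # constructed names and contents
        "hardened.dll": build_sample(0x20B, DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT),
        "legacy.dll": build_sample(0x10B, NX_COMPAT),
    }
    for name, data in samples.items():
        print(name, aslr_flags(data))
    print("no ASLR opt-in:", audit(samples))
```

To check real files, pass the bytes read from each binary to `aslr_flags`; the first kilobyte of the file is enough for the header fields it inspects.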
