
CYBERSECURITY VULNERABILITIES FACING IT MANAGERS TODAY


Cybersecurity Vulnerabilities Facing IT Managers Today

Darin Swan

University of Maryland University College


Two factors increase the stakes of the cyber struggle. Tactically and operationally, the increasing dependence of modern technologically advanced forces (especially U.S. forces) on networks and information systems create new kinds of exploitable vulnerabilities. Second, as modern societies including the militaries that mirror them have continued to evolve, they have become ever more dependent on a series of interconnected, increasingly vulnerable "critical infrastructures" for their effective functioning. These infrastructures not only have significantly increased the day-to-day efficiency of almost every part of our society, but they have also introduced new kinds of vulnerabilities.
- Robert A. Miller and Daniel T. Kuehl

Connectivity in the Modern World

Today, computers connect us to our finances through online banking, mutual fund management, stock trading services, and a variety of other online applications that provide access to accounts twenty four hours a day. Beyond financial services, we have the ability to connect to a wide variety of information, including social media content such as Facebook, YouTube, and Twitter, as well as magazines, video games, and other Web 2.0 content. The interconnectivity of such systems has not only provided individuals with access to a wide variety of data, but now businesses have the ability to leverage the Internet as a part of their day-to-day operations. Whether it be human resources management, email and coordinated calendar systems, or sales tracking systems, the cloud offers opportunity to businesses for quicker, streamlined processes and potential cost savings. Furthermore, the government uses interconnected computer systems to manage public services such as energy systems, coordinate public transportation logistics, synchronize emergency services, run water treatment facilities, and leverage technology for a variety of services benefitting the public.

However, personal, business, and government use of computer systems, because of their inter-connectedness, opens these systems up to a variety of activities that they were never intended for. Instead of a person gaining access to his financial data, a third party could be intercepting such communication and using it to bilk someone of their entire savings. Similarly, businesses could be storing their trade secrets on their internal file servers and a hacker could be downloading their information with the intent of selling it to one of their foreign competitors. And with respect to government services, a state-sponsored attack could occur from a foreign country to either deny certain services, steal information, or to take control and exploit command and control systems unbeknownst to leadership.

Martin C. Libicki, a noted authority on information warfare at the RAND policy institute, has written Cyberdeterrence and Cyberwar (2009), a notable work covering the current and future challenges associated with the connected world. Among the concepts within his book, Libicki discusses security vulnerabilities associated with cyberspace.

...In theory, all computer mischief is ultimately the fault of the system's owner—if not because of misuse or misconfiguration, then because of using a system with security bugs in the first place. In practice, all computer systems are susceptible to errors. The divergence between design and code is a consequence of the complexity of software systems and the potential for human error. The more complex the system—and they do get continually more complex—the more places there are in which errors can hide. (p. 18)

Connectedness and Vulnerability

What Libicki is referring to is vulnerability within a system which a hacker could use to "gain access to a system or to get it to accept rogue instructions [which] is called an exploit" (p. 18). A variety of vulnerabilities occur within cyberspace because of humans, hardware, software, and connection points that provide access to such systems. The United States Computer Emergency Readiness Team (US-CERT) has provided a "high level overview" of cyber vulnerabilities for control systems. Within this overview, US-CERT includes the following vulnerabilities: wireless access points, network access points, unsecured SQL databases, poorly configured firewalls, interconnected peer networks with weak security, and several others.

Similarly, the National Institute of Standards and Technology (NIST) has published the "Risk Management Guide for Information Technology Systems" (2002). This guide establishes a multi-step system analysis which IT managers can use to assess their network vulnerabilities, measure the potential of each vulnerability occurring with respect to the threat's source, motivation, and actions, whilst developing recommendations and documentation to counteract the vulnerabilities found within the assessment. The NIST guide views vulnerabilities from the perspective of the potential consequence(s) of an exploited vulnerability.

Following the US-CERT overview and NIST guide can be helpful from an IT management perspective, as both provide enterprise-level guidance on structuring network systems with respect to vulnerabilities and both apply a system level view of analyzing vulnerability. However, both are lacking specificity, from the sense of how an external threat can tactically exploit a system.

Cybersecurity and Exploitation: Examples

Prabhaker Mateti, in the chapter "TCP/IP Suite" from the Handbook of Information Security (2006), provides over fifteen types of security exploits related to the TCP/IP suite that hackers use to attack systems, including: sniffing, fingerprinting, Internet Protocol (IP) address spoofing, and buffer overflows (pp. 25-29). Stuart McClure, Joel Scambray and George Kurtz have provided both strategy and tactics for implementing Mateti's notable exploitations, amongst many others, in their seminal work Hacking Exposed, now in its sixth edition. It is where hardware, software, and the human element meet within a system that hackers try to take control and security specialists patch vulnerabilities to deny unauthorized access and the cycle appears to be never-ending.

Sniffing, Fingerprinting and Footprinting

From the tactical viewpoint, within the pages of Hacking Exposed the authors provide recipes for exploiting vulnerabilities, as well as instructions on countering exploitations. With regard to sniffing, the text covers a variety of security weaknesses and recommends several software applications that can be used to find a network's Achilles heel. Cain and KerbSniff are two tools in particular that can be used for eavesdropping on a network password exchange in the Windows environment (McClure et al., 2009, pp. 169-170). Furthermore, network sniffing can be accomplished by using applications such as tcpdump, Snort, and Wireshark, which allow anyone with the means to view traffic across a network. This can be helpful for trying to debug network problems, but in the wrong hands it can prove to be invaluable in footprinting a system (pp. 273-274).

With regard to terminology, Mateti uses the term fingerprinting in his text, whereas McClure et al. refer to this technique as footprinting. Though similarities exist and some confuse the two terms, Michael Gregg provides clarity in his text Certified Ethical Hacker Exam Prep: Understanding Footprinting and Scanning (2006). He defines footprinting as, "The process of accumulating data regarding a specific network environment, usually for the purpose of finding ways to intrude into the environment" (p. 89). Fingerprinting, by contrast, can be either active or passive in nature. "Passive fingerprinting is the act of identifying systems without injecting traffic or packets into the network" and active fingerprinting is the act of using tools to "inject strangely crafted packets into the network to measure how systems respond" (Gregg, 2006, p. 89). [Note: McClure et al. use the general term of scanning versus fingerprinting (pp. 44-77).]

Essentially, both fingerprinting and footprinting are used to map accessible hardware and software services within a network. The information gleaned from such endeavors provides actionable intelligence on what hardware or services are susceptible to common hacking attempts. By determining the easiest way to gain access and exploit a system while minimizing risk of detection, the hacker can ascertain which vector of attack is worthy of his time by using a simple cost-benefit analysis (Kshetri, 2006, pp. 36-38). Microsoft provides general guidance on countering this threat through their online education documentation within their development network. Microsoft's guidance includes "filter[ing] incoming packets that appear to come from an internal IP address" and "filter[ing] outgoing packets that appear to originate from an invalid local IP address" (Meier, Mackman, Dunner, Vasireddy, Escamilla, & Murukan, 2003).

IP Spoofing

With regard to the other Mateti referenced security exploits, he points out that "IP spoofing is an integral part of many attacks" (p. 26). Matthew Tanase provides a primer on IP spoofing at Symantec's website where he goes into the history of the technique and how the structure of the TCP/IP protocol suite and packet exchanges permit this particular exploitation to occur (2003). Tanase notes that there are several variations of IP spoofing, however they all have a common denominator – "an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by 'spoofing' the IP address of that machine."

Computer World's Jonathan Hassell has provided an authoritative view on what common attacks are used through IP spoofing and what can be done to patch them in his article "The top five ways to prevent IP spoofing" (2006). The common attacks provided by Hassell include Blind Spoofing, Nonblind spoofing, Denial-of-service (DoS) attack, and the Man-in-the-middle attack. Blind spoofing consists of a hacker outside of the network perimeter who is "blind to how transmissions take place on this network", so he must receive sequence numbers from the target device and then falsify who he is by "injecting data into the stream of packets without having to authenticate himself when the connection was first established" (Hassell, 2006). Nonblind spoofing occurs when the hacker is inside of the subnet and can sniff out existing transmission and hijack sessions without being blind to the sequence numbers. Denial-of-service attack is when "multiple hosts are sending constant streams of packet [sic] to the DoS target" (Hassell). This is essentially a flood of data that overwhelms a system to the point its use is unavailable or inoperable. Finally, the man-in-the-middle attack is an interception of packets between machines where the packets are read by an unauthorized user and sent onward unbeknownst to either of the parties communicating. Particularly troubling is the fact that neither the originating sender nor the intended receiver is aware that information was intercepted during transit and therefore if secure information was gathered, no one, except the eavesdropper, knows that data was compromised (Hassell).

Buffer Overflows

"Historically, buffer overflows have been the most common type of vulnerability. They have been popular because buffer overflow exploits can often be carried out remotely and lead to complete compromise of a target" (Chen & Walsh, 2009, pp. 54-55). Since many system services susceptible to buffer overflow are running at the highest level of administration privileges it is appropriately attributed as the "coup de grace of hacking" (McClure et al., 2009, pp. 550-551). Essentially the hacker sends packets to the target service knowing that more data is being transmitted than is expected by the target during communication. This extra information is dealt with differently by different services and can either be ignored, crash the service or system, or, if the target is susceptible to this type of vulnerability, the service may use the extra packet data, if constructed correctly by the hacker, to run administrator-level code and allow the hacker to control some or all of the target system (Mateti, 2006, p. 558). Even though the buffer overflow vulnerability was documented as a theoretical exploit in 1995 and fully substantiated in 1996, unpatched servers continue to populate the Internet that are still susceptible to this weakness (McClure et al., 2009, pp. 550-551).

The Human Element

Overlooked as a security concern by Mateti in his essay on "TCP/IP Suite" vulnerabilities is the human element. It is, after all, the human that manages cyberspace and provides physical access to the terminals and systems that are interconnected. It is the human that sets up the Internet protocols used during web communications, sets the security procedures to be adhered to, codes the back-end server integration, creates the temporary passwords to access sensitive information, holds resentment against employers, forgets to patch a known weakness in sendmail, and desires to find confidential, financial information to sell to the highest bidder. It is the human element that matters, perhaps more so than any hardware, software, or network connection when it comes to securing a system.

To many, the hacker who has taken over a system and stolen a database of financial information for monetary gain is normally conceptualized as a social pariah, living in his mother's basement, staring at a monitor all day and night, sipping caffeinated beverages, maintaining poor hygiene and exhibiting antisocial behavior. However, "A modern-day computer criminal could be a disgruntled, middle-aged, white-collar worker sitting at a nice desk on the fourteenth floor of the headquarters building of a billion-dollar software manufacturer" (Valacich & Schneider, 2012, p. 403). Congressional testimony by Joseph Ansanelli, a cybersecurity expert, to the United States House of Representatives Committee on Financial Services (2003) cited a Harris Interactive survey given to workers and managers that handle sensitive customer information at work. In this report, surprisingly, "66% say their co-workers, not hackers, pose the greatest risk to consumer privacy [and] only 10% said hackers were the greatest threat" (p. 5). According to Valacich and Schneider (2012), commonalities in computer criminals have been revealed through studies and these tend to be people that are current or former employees, people with technical knowledge who use their skills illegally for personal gain, career criminals, and crackers who commit intrusions with no particular purpose, but are merely snooping through a system (p. 405).

Ultimately, humans are susceptible to deception and can provide access to systems by disclosing sensitive information to hackers without realizing their actions bring about terrible consequences.

Widely Publicized Vulnerabilities

Widely publicized hacking within the last decade has included aggressive attacks against military members during the 2011 Christmas holiday (Montalbano, 2011), hackers using stolen RSA information to breach Lockheed-Martin's networks (Mick, 2011), secret U.S. Department of State cables exposed through WikiLeaks that were provided by a disgruntled Army private (Knickerbocker, 2012), the cyber attack against Iran's nuclear processing facilities through a unique piece of malware called STUXNET (Milevski, 2011), the 2008 compromise of the military's classified and unclassified network which occurred due to malicious code from a flash drive (Lynn, 2010), and China's hacking of Google Mail that targeted the personal accounts of high ranking U.S. government officials (Efrati & Gorman, 2011).

The referenced attacks were known to the public not long after each compromise occurred and have become case studies for many within the information technology sector. The reality is that more security breach information in the public domain is good for the security professional as it allows him to update systems or prevent future threats based on understanding emerging attack vectors. However, many businesses and government entities shy away from reporting intrusions for fear of exposure to public scrutiny and because revealed exploitations may cause clients to flee, impact potential new sales and damage their stock price. Both perspectives are valid, but the truth is that organizations simply aren't reporting security breaches.

In the aptly titled article, "Security trumps secrecy in cyber fight-prosecutor", published by Reuters in January of 2012, it was reported that "cyber security experts say that corporations rarely acknowledge breaches, and often keep them secret from law enforcement...". However, there is now a fear of prosecution by those companies that refuse to publicly disclose security compromises impacting sensitive personal and financial data. The system of disclosure is challenging for businesses, as there is no incentive within the market to offer full disclosure; there is only disincentive to come clean about breaches. However, with more disclosure prosecutions, the culture of revealing compromises may change over time. One company's disclosure could prevent hundreds of future attacks. By sharing information it becomes a part of open source collective intelligence, providing IT administrators with the information necessary to close holes within their systems that they may never have been privy to without full disclosure.

Common Countermeasures

With reference to common attacks through the TCP/IP suite and through effective social engineering, security professionals need to constantly maintain vigilance. Common countermeasures are put in place and then are constantly evolving as new threats are revealed. Some common countermeasures include, but are not limited to, using strong authentication, avoiding storing sensitive data or passwords as plaintext, using tamper-resistant protocols, creating secure audit trails, using strong authorization, validating and filtering network inputs, using the principle of least privileges, updating software and firmware as patches become available, using strong physical security for sensitive devices and system access points, using secure protocols during sessions, educating users on appropriate security protocols, disabling unnecessary services, and properly installing and configuring network access points, hardware, and software (Meier, Mackman, Dunner, Vasireddy, Escamilla, and Murukan, 2003). [Note: See Appendices A and B, which are tables provided by Microsoft, that illustrate threats and countermeasures for a variety of known exploitations.]

Ultimately, the security professional must determine, based on time, budget, and other variables, where efforts should be placed in implementing countermeasures in protecting computer systems. As mentioned prior, NIST has provided a framework for the computer professional to consider when securing systems based on vulnerability, threat-source, threat action, threat likelihood, and risk level (Stoneburner, Goguen, and Alexis, 2002). The IT professional faces a cost-benefit analysis conundrum similar to the one that faces the hacker, although the various variables and incentives differ.

Most Important Security Vulnerability Today

The debate of what is the single greatest threat to cyberspace is an oft-discussed topic online and offline. Perspectives differ by person, business and government security expert. One must take into consideration the vulnerability, threat source, and possible outcome. For a person with a home business, his perspective of a DoS attack on his home computer network differs greatly from a company focusing solely on ecommerce. Additionally, the Pentagon's concerns differ from that of the ecommerce company. However, from an enterprise level perspective, the biggest threat facing IT security experts today is ensuring that hardware devices and software are properly updated and patched. Security protocols should include routine research to ensure systems are up-to-date with the most recent service packs.

This perspective was echoed during a recent interview with Commander Cliff Neve, the Chief of Staff of the United States Coast Guard Cyber Command. "The answer [to 'What is the biggest IT security challenge today?'] is... unpatched systems. I very, very highly recommend checking" out the Australian Defence Signals Directorate's article "Strategies to Mitigate Targeted Cyber Intrusions" (Cdr. C. Neve, USCG Cyber Command, personal communication, January 31, 2012).

Many known vectors of attack are well documented. If an IT manager has thousands of computers to monitor and patch because they are not up-to-date, his systems are at risk from the first time a new vulnerability makes it to the public. However, most common attack vectors have been known for years (e.g. buffer overflow, IP spoofing, sniffing, fingerprinting, footprinting, etc.). It is the old software and hardware that has been deprecated, and is no longer supported, that puts a network at risk.

However, there are some solutions to part of this issue. There is an entire industry of security professionals that provide software services to ensure that newly discovered viruses are public knowledge as soon as possible; McAfee, Kaspersky, and Symantec are well known software providers in this industry. New libraries and patches are provided on a routine basis through service level agreements, and for particularly well-publicized outbreaks or security exploitations, instant updates are sometimes available. If a hacker becomes aware of a new attack vector, after educating himself, in a few hours he can be fingerprinting and footprinting systems to find this newly disclosed vulnerability, and perhaps be inside of a system causing harm within a matter of 24 hours. If someone has installed a virus protection system, but does not continue to update the library of potential threats, they will become vulnerable to any new virus that is not already in their library.

Additionally, service packs (SP) are routinely released for operating systems, enterprise-level software, servers, and standard home software. These SPs are normally released as an update fixing program issues that might cause it to crash. Additionally, they can fix complaints about the user experience, user interface or possibly add new feature sets as a benefit to the owner before an entirely new version of the software is released to the public. However, many service packs are distributed to patch a known vulnerability within the software. If an IT professional delays or never installs a service pack, the software will continue to hold the vulnerabilities built into it. And as each day passes and more hackers are aware of the vulnerability affecting unpatched systems (e.g. software without the service pack installed), the more likely that software is to be exploited.

Beyond software, many older hardware devices have firmware on them that provides configuration settings and software features built into them. For example, if a router made in 2004 is still on a network in 2012, the device is now 8 years old and may be susceptible to an exploit because it hasn't been patched since the initial firmware was placed on the device. Sometimes network device configuration settings contribute to a hacker's attempt at fingerprinting and footprinting, responding to external requests and providing information that is no longer a part of network best practice due to security risk. Firmware updates normally patch known vulnerabilities in a device and sometimes allow the device to perform more efficiently.

Although the single largest vulnerability to IT professionals may be keeping hardware and software up-to-date to ensure emerging vulnerabilities are removed, simply patching everything on a daily basis may be too much for an enterprise level network to take on. However, through a cost-benefit analysis, taking into consideration a variety of variables, an IT professional can create security protocols to handle the required updates that patch vulnerabilities that hackers may exploit. By not patching known vulnerabilities, a network is open to common attacks that may cause grave damage to a person, business or government institution.
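One way to turn the cost-benefit analysis described above into a patch queue is to score each system with the risk-level matrix from the NIST guide the essay cites (likelihood 0.1/0.5/1.0 times impact 10/50/100). This is an added example, not part of the original essay or of the NIST guide; the inventory is constructed, and the rule that maps patch age, exposure and vendor support to a likelihood rating is an assumed policy.

```python
from dataclasses import dataclass
from datetime import date

# Ratings and thresholds of the NIST SP 800-30 (2002) risk-level matrix.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass
class Asset:
    name: str
    last_patched: date      # last installed patch, service pack or firmware
    vendor_supported: bool  # False once the product is no longer supported
    exposed: bool           # answers requests from outside the perimeter
    impact: str             # "low" | "medium" | "high" if compromised


def likelihood(asset, today):
    """Assumed policy: patch age, exposure and support status drive likelihood."""
    age_days = (today - asset.last_patched).days
    if not asset.vendor_supported:
        return "high"  # no fix will arrive for newly disclosed flaws
    if age_days > 90:
        return "high" if asset.exposed else "medium"
    if age_days > 30:
        return "medium" if asset.exposed else "low"
    return "low"


def risk_level(asset, today):
    """Return (score, level): High is >50 to 100, Medium >10 to 50, Low 1 to 10."""
    score = round(LIKELIHOOD[likelihood(asset, today)] * IMPACT[asset.impact], 2)
    if score > 50:
        return score, "high"
    if score > 10:
        return score, "medium"
    return score, "low"


def patch_queue(assets, today):
    """Return (name, score, level) tuples, highest risk first."""
    rows = [(a.name, *risk_level(a, today)) for a in assets]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed inventory; the router mirrors the essay's 2004 device still in use in 2012.
INVENTORY = [
    Asset("edge-router-2004", date(2004, 6, 1), False, True, "high"),
    Asset("mail-server", date(2011, 9, 15), True, True, "high"),
    Asset("file-server", date(2011, 8, 1), True, False, "medium"),
    Asset("hr-database", date(2011, 11, 20), True, False, "high"),
    Asset("kiosk-pc", date(2012, 1, 20), True, True, "low"),
]

if __name__ == "__main__":
    for name, score, level in patch_queue(INVENTORY, date(2012, 1, 31)):
        print(f"{name:18} {score:6.1f}  {level}")
```

The unsupported router rates high regardless of its patch date, which matches the essay's point that deprecated hardware is what puts a network at risk.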
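The two filtering rules quoted from Microsoft's guidance in the footprinting discussion (drop incoming packets that claim an internal source, drop outgoing packets whose source is not a valid local address) can be expressed as a perimeter decision function. This is an added example, not code from the essay or from Microsoft; the internal prefixes and the sample packets are constructed.

```python
import ipaddress

# Constructed addressing plan (assumption): prefixes used inside the perimeter.
INTERNAL = [ipaddress.ip_network("10.20.0.0/16"),
            ipaddress.ip_network("172.16.8.0/24")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def never_valid_source(addr):
    """Sources that no legitimate host on either side should send from."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_loopback or ip.is_multicast or ip.is_unspecified
            or ip.is_reserved or ip.is_link_local)


def filter_packet(direction, src):
    """Return (action, reason) for a packet crossing the perimeter.

    direction "in"  = arriving on the external interface
    direction "out" = leaving through the external interface
    """
    if never_valid_source(src):
        return "drop", "source can never be a legitimate sender"
    if direction == "in" and is_internal(src):
        return "drop", "incoming packet claims an internal source"
    if direction == "out" and not is_internal(src):
        return "drop", "outgoing packet has a non-local source"
    return "pass", "source consistent with interface"


def review(packets):
    """Apply the filter to (direction, src) pairs and keep the verdicts."""
    return [(d, s) + filter_packet(d, s) for d, s in packets]


# Constructed sample traffic (documentation and private address ranges only).
SAMPLE = [
    ("in", "203.0.113.7"),     # ordinary external sender
    ("in", "10.20.5.9"),       # external packet spoofing an internal host
    ("out", "10.20.5.9"),      # ordinary internal sender
    ("out", "198.51.100.23"),  # internal host forging a foreign source
    ("in", "127.0.0.1"),       # loopback source arriving from outside
]

if __name__ == "__main__":
    for direction, src, action, reason in review(SAMPLE):
        print(f"{direction:3} {src:15} {action:4} {reason}")
```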

Appendix A: Table 1 Microsoft's STRIDE Threats and Countermeasures

Source: Microsoft Developer Network, Improving Web Application Security, Chapter 2: Threats and Countermeasures, http://msdn.microsoft.com/en-us/library/ff648641.aspx

Note: STRIDE is an acronym used by Microsoft for the following vulnerabilities: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of service, Elevation of privilege.

Appendix B: Table 2 Microsoft's Threats by Application Vulnerability Category

Source: Microsoft Developer Network, Improving Web Application Security, Chapter 2: Threats and Countermeasures, http://msdn.microsoft.com/en-us/library/ff648641.aspx

References

2011 state of security survey. (2011, August 31). Symantec. Retrieved from http://www.symantec.com/connect/blogs/2011-state-security-survey
Ashford, W. (2012, January 13). Public sector sees cybercrime as rising threat. Computer Weekly. http://www.computerweekly.com/news/2240113782/Public-sector-sees-cybercrime-as-rising-threat
Ansanelli, J. (2003, June 24). Testimony of Joseph Ansanelli, chairman and CEO of Vontu, Inc. The Committee on Financial Services, United States House of Representatives. Retrieved from http://financialservices.house.gov/media/pdf/062403ja.pdf
Carr, J., & Shepherd, L. (2010). Inside cyber warfare. Sebastopol, Calif: O'Reilly Media, Inc.
Chen, T. & Walsh, P. J. (2009). Guarding Against Network Intrusions. In J. R. Vacca, Computer and Information Security Handbook. Amsterdam: Elsevier.
Cliff, A. (2001, July 3). Intrusion detection systems terminology, part one: A – H. Symantec. Retrieved from http://www.symantec.com/connect/articles/intrusion-detection-systems-terminology-part-one-h
Coleman, K. (2011, July 7). Digital Conflict. Defense Systems. Retrieved from http://defensesystems.com/blogs/cyber-report/2011/07/human-vulnerability-computer-systems.aspx
The Comprehensive National Cybersecurity Initiative. (n.d.). The White House, President Barack Obama. Retrieved from http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative
Dhamankar, R., et al. (2009, September). The top cyber security risks. SANS. Retrieved from http://www.sans.org/top-cyber-security-risks
Efrati, A. and Gorman, S. (2011, June 2). Google mail hack blamed on China. Wall Street Journal. Retrieved from http://online.wsj.com/article/SB10001424052702303657404576359770243517568.html
FBI says hackers hit key services in three US cities. (2011, December 2011). BBC. Retrieved from http://www.bbc.co.uk/news/technology-16157883
Gottlieb, B. F. B., CDR. (2010). Cyberspace vs. cyber strategy. American Intelligence Journal, 28 (2), 18-25.
Granger, S. (2001, December 18). Social engineering fundamentals, part 1: Hacker tactics. Symantec. Retrieved from http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics
Gregg, M. (2006, June 9). Certified Ethical Hacker Exam Prep: Understanding Footprinting and Scanning. Pearson IT Certification.
Hadnagy, C. (2010). Social Engineering: The Art of Human Hacking. Indianapolis, Indiana: John Wiley and Sons.
Hassell, J. (2006, June 8). The top five ways to prevent IP spoofing. Computer World. Retrieved from http://www.computerworld.com/s/article/9001021/The_top_five_ways_to_prevent_IP_spoofing
Hess, M. (2011, December 19). Security tips from a legendary hacker. CBS News. Retrieved from http://www.cbsnews.com/8301-505143_162-57344282/security-tips-from-a-legendary-hacker/
Ispitzner. (2011, February 7). Book review – Social engineering. SANS (Securing the Human). Retrieved from http://www.securingthehuman.org/blog/2011/02/07/book-review-social-engineering-2
Jackson, D. (2011, May 12). Obama team unveils cybersecurity plan. USA Today. Retrieved from http://content.usatoday.com/communities/theoval/post/2011/05/obama-team-unveils-new-cybersecurity-plan/1
Kim, J. (2012, January 19). Many security breaches go unreported. Fierce Compliance IT. Retrieved from http://www.fiercecomplianceit.com/story/many-security-breaches-go-unreported/2012-01-19
Knickerbocker, B. (2012, January 13). Bradley Manning: How alleged intelligence leaker will defend himself. Christian Science Monitor. Retrieved from http://www.csmonitor.com/USA/Justice/2012/0113/Bradley-Manning-How-alleged-intelligence-leaker-will-defend-himself
Kshetri, Nir (2006). The Simple economics of cybercrimes. IEEE Security and Privacy, January/February, 33-39. Retrieved from http://see.xidian.edu.cn/hujianwei/papers/098-The%20Simple%20Economics%20of%20Cybercrimes.pdf
Kroll announces top ten cyber security trends for 2012. (2011, December 14). Kroll – Cyber Security and Information Assurance. Retrieved from http://www.krollfraudsolutions.com/about-us/press-releases/kroll-announces-top-ten-cyber-security-trends-for-2012.aspx
Lohrmann, D. (2012, January 4). 2012 Cybersecurity trends to watch in government. Government Technology. Retrieved from http://www.govtech.com/blogs/lohrmann-on-cybersecurity/2012-Cybersecurity-Trends-to-010412.html
Libicki, M. C. (2009). Cyberdeterrence and cyberwar. Retrieved from http://www.rand.org/content/dam/rand/pubs/monographs/2009/RAND_MG877.pdf
Libicki, M. C. (2009). The information environment. In America's Security Role in a Changing World: Global Strategic Assessment 2009, 53-55.
Lynn, III, W. J. (2010, September/October). Defending a new domain: The Pentagon's cyberstrategy. Foreign Affairs. Retrieved from http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain
Mallery, J. (2009). Building a secure organization. In Vacca, J.R. (Ed.), Computer and Information Security Handbook (pp. 3-22). Burlington, MA: Elsevier.
Mateti, P. (2006). TCP/IP Suite. In Bidgoli, H. (Ed.), Handbook of Information Security. Bakersfield, California: John Wiley & Sons, Inc.
Meier, J.D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R. and Anandha Murukan. (2003, June). Improving Web Application Security, Chapter 2: Threats and Countermeasures. Microsoft Developer Network. Retrieved from http://msdn.microsoft.com/en-us/library/ff648641.aspx
Mick, J. (2011, June 19). Reports: Hackers use stolen RSA information to hack Lockheed Martin. Daily Tech. Retrieved from http://www.dailytech.com/Reports+Hackers+Use+Stolen+RSA+Information+to+Hack+Lockheed+Martin/article21757.htm
Milevski, L. (2011, October). Stuxnet and strategy: A space operation in cyberspace. Joint Force Quarterly (63). Retrieved from http://www.ndu.edu/press/stuxnet-and-strategy.html
Miller, R. A. and Kuehl, D.T. (2009, September). Cyberspace and the "First Battle" in 21st-century war. Defense Horizons (68). Center for Technology and National Security Policy. Retrieved from http://www.ndu.edu/press/lib/pdf/defense-horizons/DH-68.pdf
Mills, E. (2008, July 21). Kevin Mitnick: Social engineering 101. ZDNet. http://www.zdnet.com.au/kevin-mitnick-social-engineering-101-339290739.htm
McClure, S., Scambray, J., & Kurtz, G. (2009). Hacking exposed 6: Network security secrets & solutions. New York: McGraw-Hill.
Meier, J.D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R. & Murukan, A. (2003, June). Threats and countermeasures. Microsoft. Retrieved from http://msdn.microsoft.com/en-us/library/ff648641.aspx
Montalbano, E. (2011, December 28). Aggressive phishing attack targets military personnel. Information Week. Retrieved from http://www.informationweek.com/news/government/security/232301104
Moore, R. (2005). Cybercrime: Investigating High Technology Computer Crime. Matthew Bender & Company.
Overview of cyber vulnerabilities. (n.d.). US-CERT (United States Computer Emergency Readiness Team). Retrieved from http://www.us-cert.gov/control_systems/csvuls.html
Perera, D. (2011, May 9). Application vulnerabilities chief among federal cybersecurity concerns. Fierce Government IT. Retrieved from http://www.fiercegovernmentit.com/story/application-vulnerabilities-chief-among-federal-cybersecurity-concerns/2011-05-09
Security trumps secrecy in cyber fight-prosecutor. (2012, January 12). Reuters. Retrieved from http://newsandinsight.thomsonreuters.com/Legal/News/2012/01_-_January/Security_trumps_secrecy_in_cyber_fight-prosecutor/
Sternstein, A. (2012, January 23). Hackers manipulated railway computers, TSA memo says. NextGov. Retrieved from http://www.nextgov.com/nextgov/ng_20120123_3491.php?oref=topstory
Stoneburner, G., Goguen, A. and Alexis Feringa. (2002, July). Risk management guide for information technology systems. National Institute of Standards and Technology (NIST). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Strategies to mitigate targeted cyber intrusions. (n.d.). Australian Government, Department of Defence, Intelligence and Security. Retrieved from http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm
Tanase, M. (2003, March 11). IP spoofing: An introduction. Symantec. Retrieved from http://www.symantec.com/connect/articles/ip-spoofing-introduction
Editor Vacca, J. R. (2009). Computer and Information Security Handbook. Amsterdam: Elsevier.
Valacich, J. & Schneider, C. (2012). Information Systems Today: Managing in the Digital World. Boston: Prentice Hall.
Velasco, V. (2000, November 21). Introduction to IP spoofing. SANS (SysAdmin, Audit, Network, Security) Institute. Retrieved from http://www.sans.org/reading_room/whitepapers/threats/introduction-ip-spoofing_959
