Information Security Science
Measuring the Vulnerability to Data Compromises
Carl S. Young
Managing Director and Chief Security Officer, Stroz Friedberg LLC
Table of Contents
Copyright
Syngress is an imprint of Elsevier
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States
Copyright 2016 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library
ISBN: 978-0-12-809643-7
For information on all Syngress publications visit our website at https://www.elsevier.com/
Publisher: Joe Hayton
Acquisition Editor: Brian Romer
Editorial Project Manager: Anna Valutkevich
Production Project Manager: Mohana Natarajan
Designer: Mark Rogers
Typeset by Thomson Digital
Dedication
To my remarkable sisters, Diane Uniman and Nancy Young
Biography
Carl S. Young is an expert in information and physical security risk management. He is currently a Managing Director and the Chief Security Officer at Stroz Friedberg, an international security risk consulting firm. He is the former Global Head of Physical Security Technology at Goldman Sachs as well as a former Senior Executive and Supervisory Special Agent at the FBI. He was also a consultant to the JASON Defense Advisory Group. Mr. Young is the author of Metrics and Methods for Security Risk Management (Syngress, 2010) and The Science and Technology of Counterterrorism (Butterworth-Heinemann, 2014), as well as numerous journal publications. In 1997 he was awarded the President's Foreign Intelligence Advisory Board (PFIAB) James R. Killian Award by the White House for significant individual contributions to US national security. Mr. Young received undergraduate and graduate degrees in mathematics and physics from the Massachusetts Institute of Technology.
Foreword
All new innovations bring positive and negative consequences for users and society at large. This has been true of the development and broad deployment of alternating current a century ago, and mass vehicular and air transportation, right through to the nuclear age. We enjoy the benefits of these platforms for economic productivity and advancement as well as social interaction, but at the same time in the hands of bad actors, all these represent existential threats to society.
The Internet and electronic communication have come into the public consciousness only over the past 20 years. And perhaps they represent a new frontier in providing benefits to society, by reducing what economists call search and transaction costs. They also bring about the ability to reach and improve the lives of many people in developing economies.
At the same time, the extreme networking and electronic interconnection that underpins our day-to-day lives has provided for an extraordinary amount of vulnerability: whether it be through data breaches of corporate networks or the compromise of wireless communication means, cyber threats seem potentially limitless when the tools are put in malicious hands. These threats are also limitless because they are very scalable and rely on the weak underbelly of our basic market economy, which competes on the basis of convenience and speed, often sacrificing security.
This book examines in the most comprehensive fashion how to think about vulnerabilities in a scientific way, the only approach that fully and objectively can determine how to go about identifying, understanding, and rooting out vulnerabilities. It is both wide ranging and looks at each potential vulnerability with a strict scientific mindset to help all readers determine how best to maximize the benefits of interconnection in the Internet age, while at the same time minimizing the downside so as to gain the benefits all societies have come to expect.
Michael Patsalos-Fox
CEO, Stroz Friedberg, Former Chairman of the Americas, McKinsey & Co.
Preface
Despite its name, the commercial success of the computer derives from its effectiveness as a communications tool rather than as a machine that computes. Humans are arguably obsessed with communication, so any device that enables the exchange of information is likely to be popular.
To be sure, information technologies such as the telephone, the television, and the computer cum Internet have had transformational effects on society. People who were previously isolated suddenly had unprecedented access to individuals outside their immediate surroundings. In addition, they were now almost immediately aware of events that occurred beyond their immediate environment. Notwithstanding possible correlations between social media and bad grammar, the positive effects of communication technologies cannot be disputed.
Yet not all communications are meant for public consumption. Unauthorized access to information is a problem when the whole point of these technologies is to facilitate the seamless exchange of data. To complicate matters, we are a species that also craves convenience, and convenience and security are often incompatible. In fact, the need for convenience drives much of the information security risk within organizations today.
Although attacks on networks are the focus of typical security strategies, other modes of attack on information assets deserve attention. For example, unauthorized access to visual and audible information is commonplace in many business settings, with the potential for significant losses. In addition, electronic devices radiate compromising energy that can be remotely detected under the right conditions. State-sponsored adversaries have both the incentive and the resources to conduct such attacks, thereby obviating the need to intrude on the network and largely eliminating a concern for detection.