Introduction

John R. Vacca

Editor-in-Chief

This Cyber Security And IT Infrastructure Protection derivative book serves as a security practitioner’s guide to today’s most crucial issues in cyber security and IT infrastructure protection. It offers in-depth coverage of theory, technology, and practice as they relate to established technologies as well as recent advancements in the field. It explores practical solutions to a wide range of cyber-physical and IT infrastructure protection issues, with individual chapters authored by leading experts in the field addressing the immediate and long-term challenges in the authors’ respective areas of expertise.

Furthermore, this comprehensive book serves as a professional reference that provides the most complete and concise view of how to manage cyber attacks on critical IT infrastructure computer networks, attacks aimed at significantly disrupting or permanently wiping out the functioning of government and business alike. Such cyber attacks would produce cascading effects far beyond the targeted sector and the physical location of the incident. Thus, this book provides a very detailed, comprehensive, step-by-step guide to defending the communications and information technology infrastructure, designed to improve resilience against attacks and to reduce the overall cyber threat.

The book also provides vital, detailed information for practitioners and IT professionals who are taking IT infrastructure protection to a new level and are creating the latest tools, techniques and solutions for protecting resources from internal and external cyber terrorism. The book is therefore useful to any manager who is currently developing risk management practices. In addition, in this book, you will also learn how to:

1. Develop a new level of technical expertise in the field of theory and practice of cyber security and IT infrastructure protection

2. Remain current and fully informed from multiple viewpoints by comprehensive and up-to-date coverage of cyber security issues

3. Grasp the material, in order to implement practical solutions, and present methods of analysis and problem-solving techniques

4. Provide a consultative process to assess the cyber security-related risks to organizational missions and business functions

5. Provide a menu of management, operational, and technical security controls, including policies and processes, available to address a range of threats and protect privacy

6. Provide a consultative process to identify the security controls that would adequately address risks that have been assessed and to protect data and information being processed, stored, and transmitted by organizational information systems

7. Provide metrics, methods, and procedures that can be used to assess and monitor, on an ongoing or continuous basis, the effectiveness of security controls that are selected and deployed in organizational information systems and environments in which those systems operate and available processes that can be used to facilitate continuous improvement in such controls

8. Provide a comprehensive risk management approach that provides the ability to assess, respond to, and monitor information security-related risks and provide senior leaders/executives with the kinds of necessary information sets that help them to make ongoing risk-based decisions

9. Provide a menu of privacy controls necessary to protect privacy

You will also learn the latest strategies and initiatives for protecting the IT infrastructure against cyber attacks. You will learn what the latest threats are and how the threat environment is evolving.

Cyber security must address not only deliberate attacks, such as those from disgruntled employees, industrial espionage, and terrorists, but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters. You will also acquire knowledge of how organizations assess risk; how cyber security factors into that risk assessment; the current usage of existing cyber security frameworks, standards, and guidelines; and other management practices related to cyber security.

In addition, an understanding of whether particular frameworks, standards, guidelines, and/or best practices are mandated by legal or regulatory requirements and the challenges organizations perceive in meeting such requirements is vital. This will assist in developing a framework that includes and identifies common practices across sectors.

National and economic security depends on the reliable functioning of the critical infrastructure, which has become increasingly dependent on information technology. Recent trends demonstrate the need for improved capabilities for defending against malicious cyber activity. Such activity is increasing, and its consequences can range from theft through disruption to destruction. Steps must be taken to enhance existing efforts to increase the protection and resilience of this IT infrastructure, while maintaining a cyber environment that encourages efficiency, innovation, and economic prosperity and that protects privacy. Throughout this book, you will gain practical skills through the adoption of the following practices as they pertain to critical IT infrastructure components:

1. Separation of business from operational systems

2. Use of encryption and key management

3. Identification and authorization of users accessing systems

4. Asset identification and management

5. Monitoring and incident detection tools and capabilities

6. Incident handling policies and procedures

7. Mission/system resiliency practices

8. Security engineering practices

9. Privacy protection

Finally, this book is valuable for information security practitioners at the managerial, operational and technical levels. Job titles include IT Manager, Information Security Officer, IT Security Analyst, Security Auditor, etc. This book will also be of value to students in upper-level courses in information security management. The reader should have general familiarity with, and knowledge of, the following areas:

• Disaster recovery

• Biometrics

• Homeland security

• Cyber warfare

• Cyber security

• National infrastructure security

• Access controls

• Vulnerability assessments and audits

• Cryptography

• Operational and organizational security

The preceding compilation is ideally suited as a standalone product in this high-growth subject area.

Organization of this Book

The book is composed of 15 contributed chapters by leading experts in their fields. It is formatted to include methods of analysis and problem-solving techniques through hands-on exercises, worked examples, and case studies. The format includes the following elements:

• Checklists throughout each chapter to gauge understanding

• Chapter Summaries/Review Questions/Exercises/Case Studies

Contributors Ravi Jhawar, Vincenzo Piuri and Marco Santambrogio (Chapter 1, “Fault Tolerance and Resilience in Cloud Computing Environments”) focus on characterizing the recurrent failures in a typical Cloud computing environment, analyzing the effects of failures on user’s applications, and surveying fault tolerance solutions corresponding to each class of failures.

The increasing demand for flexibility and scalability in dynamically obtaining and releasing computing resources in a cost-effective and device-independent manner, and the ease of hosting applications without the burden of installation and maintenance, have resulted in wide adoption of the cloud computing paradigm. While the benefits are immense, this computing paradigm is still vulnerable to a large number of system failures; as a consequence, users have become increasingly concerned about the reliability and availability of cloud computing services.

Finally, fault tolerance and resilience serve as an effective means to address users’ reliability and availability concerns. In this chapter, the focus is on characterizing the recurrent failures in a typical cloud computing environment, analyzing the effects of failures on users’ applications and surveying fault tolerance solutions corresponding to each class of failures. The authors also discuss the perspective of offering fault tolerance as a service to users’ applications as one of the effective means of addressing users’ reliability and availability concerns.

Next, contributors Bhushan Kapoor and Pramod Pandya (Chapter 2, “Data Encryption”) discuss the role played by cryptographic technology in data security. The Internet evolved over the years as a means for users to access information and exchange emails. Later, once the bandwidth became available, businesses exploited the Internet’s popularity to reach customers online. In the past few years it has been reported that organizations that store and maintain customers’ private and confidential records were compromised on many occasions by hackers breaking into the data networks and stealing the records from storage media. More recently we have come across headline-grabbing security breaches regarding laptops with sensitive data being lost or stolen, and most recently the Feds have encrypted around 1 million laptops with encryption software loaded to secure data such as names and Social Security numbers.

Finally, this chapter is about security and the role played by cryptographic technology in data security. Securing data from unauthorized access while it is in storage or in transit is a critical function of information technology. All forms of ecommerce activities, such as online credit card processing, purchasing stocks, and banking data processing, would, if compromised, lead to businesses losing billions of dollars in revenue, as well as the loss of customer confidence in ecommerce.

Then, contributor Terence Spies (Chapter 3, “Public Key Infrastructure”) explains the cryptographic background that forms the foundation of PKI systems; the mechanics of the X.509 PKI system (as elaborated by the Internet Engineering Task Force); the practical issues surrounding the implementation of PKI systems; a number of alternative PKI standards; and alternative cryptographic strategies for solving the problem of secure public key distribution. PKI systems are complex objects that have proven to be difficult to implement properly. This chapter aims to survey the basic architecture of PKI systems, and some of the mechanisms used to implement them.

Finally, this chapter does not aim to be a comprehensive guide to all PKI standards or to contain sufficient technical detail to allow implementation of a PKI system. These systems are continually evolving, and the reader interested in building or operating a PKI is advised to consult the current work of standards bodies referenced in this chapter.

Contributor William Stallings (Chapter 4, “Physical Security Essentials”) is concerned with physical security and some overlapping areas of premises security. He also looks at physical security threats and then considers physical security prevention measures.

Most people think about locks, bars, alarms, and uniformed guards when they think about security. While these countermeasures are by no means the only precautions that need to be considered when trying to secure an information system, they are a perfectly logical place to begin.

This chapter discusses physical security and some overlapping areas of premises security. Physical security is a vital part of any security plan and is fundamental to all security efforts; without it, cyber security, software security, user access security, and network security are considerably more difficult, if not impossible, to initiate.

Finally, physical security refers to the protection of building sites and equipment (and all information and software contained therein) from theft, vandalism, natural disaster, man-made catastrophes, and accidental damage (from electrical surges, extreme temperatures, and spilled coffee). It requires solid building construction, suitable emergency preparedness, reliable power supplies, adequate climate control, and appropriate protection from intruders.

Next, contributors Lauren Collins and Scott R. Ellis (Chapter 5, “Disaster Recovery”) provide insight into the job of DR, and provide a framework of what is necessary to achieve a successful Disaster Recovery plan. Since the environment in an organization is ever changing, the disaster recovery (DR) environment must also be continuously replicated and tested at a pace determined by the team who works on the DR plan. It must be periodically audited. Roles must be revised and reassigned as needed.

Finally, the science of a DR plan, the exact nuts and bolts of the many technologies used and approaches to take, is beyond the scope of this chapter. For example, just the DR options for SQL server applications represent a very large body of work. Failover technologies, software for IP and phone rerouting, and other data synchronization technologies do exist.

Then, contributor Luther Martin (Chapter 6, “Biometrics”) discusses the different types of biometrics technology and verification systems and how the following work: biometrics eye analysis technology; biometrics facial recognition technology; facial thermal imaging; biometrics finger-scanning analysis technology; biometrics geometry analysis technology; biometrics verification technology; and privacy-enhanced, biometrics-based verification/authentication as well as biometrics solutions and future directions. This chapter explains why designing biometric systems is actually a very difficult problem. The problem has been made to look easier than it actually is by the way that the technology has been portrayed in movies and on television.

Finally, biometric systems are typically depicted as being easy to use and secure, whereas encryption that would actually take billions of years of supercomputer time to defeat is often depicted as being easily bypassed with minimal effort. This portrayal of biometric systems may have increased expectations well past what current technologies can actually deliver, and it is important to understand the limitations of existing biometric technologies and to have realistic expectations of the security that such systems can provide in the real world.

Then, contributor Rahul Bhaskar (Chapter 7, “Homeland Security”) describes some principal provisions of U.S. homeland security-related laws and Presidential directives. He describes the organizational changes that were initiated to support homeland security in the United States.

The chapter highlights the 9/11 Commission’s account of the circumstances surrounding the 2001 terrorist attacks and its recommendations for corrective measures that could be taken to prevent future acts of terrorism. The author also details the Intelligence Reform and Terrorism Prevention Act of 2004 and the Implementation of the 9/11 Commission Recommendations Act of 2007.

The September 11, 2001, terrorist attacks permanently changed the way the United States and the world’s other most developed countries perceived the threat from terrorism. Massive amounts of resources were mobilized in a very short time to counter the perceived and actual threats from terrorists and terrorist organizations. In the United States, this refocus was pushed as a necessity for what was called homeland security. Homeland security threats were anticipated for the IT infrastructure as well.

It was expected that not only was the IT at the federal level vulnerable to disruptions due to terrorism-related attacks but, due to the ubiquity of the availability of IT, any organization was vulnerable. Soon after the terrorist attacks, the U.S. Congress passed various new laws and enhanced some existing ones that introduced sweeping changes to homeland security provisions and to the existing security organizations.

The executive branch of the government also issued a series of Homeland Security Presidential Directives to maintain domestic security. These laws and directives are comprehensive and contain detailed provisions to make the U.S. secure from its vulnerabilities.

Later in the chapter, the author describes some principal provisions of these homeland security-related laws and presidential directives. Next, he discusses the organizational changes that were initiated to support homeland security in the United States.

Finally, he highlights the 9/11 Commission that Congress chartered to provide a full account of the circumstances surrounding the attacks and to develop recommendations for corrective measures that could be taken to prevent future acts of terrorism. The author also details the Intelligence Reform and Terrorism Prevention Act of 2004 and the Implementation of the 9/11 Commission Recommendations Act of 2007. He then summarizes the chapter’s discussion.

Next, contributors Anna Granova and Marco Slaviero (Chapter 8, “Cyber Warfare”) define cyber warfare (CW) and discuss its most common tactics, weapons, and tools; they also compare CW terrorism with conventional warfare and address the issues of liability and the available legal remedies under international law. The times we live in are called the Information Age for very good reasons: Today information is probably worth much more than any other commodity.

Globalization, the other important phenomenon of the times we live in, has taken the value of information to new heights. On one hand, citizens of a country may now feel entitled to know exactly what is happening in other countries around the globe. On the other, the same people can use the Internet to mobilize forces to overthrow the government in their own country. To this end, the capabilities of the Internet have been put to use and people have become accustomed to receiving information about everyone and everything as soon as it becomes available.

Finally, the purpose of this chapter is to define the concept of cyber warfare (CW), discuss its most common tactics, weapons, and tools, compare CW terrorism with conventional warfare, and address the issues of liability and the available legal remedies under international law. To have this discussion, a proper model and definition of CW first needs to be established.

Then, contributor Lauren Collins (Chapter 9, “System Security”) shows you how to protect your information from harm, and also ways to make your data readily available for access to an intended audience of users. Computer security is one division of technology; it is often referred to as information security and is applied to the systems we work on as well as the networks that transmit the data.

The term computer security often necessitates cooperative procedures and appliances by which sensitive and confidential information and services are secured from attack by unauthorized activities, usually carried out by treacherous individuals. Hackers plan events to take place on systems unexpectedly, and usually aim at an audience or a data set that was well thought out and carefully selected in advance.

Finally, this chapter’s objectives include familiarizing you with how to protect your information from harm, and also presenting ways to make your data readily available for access to an intended audience of users. The author believes a real-world perspective of hardware security is crucial to building secure systems in practice, but it has not been sufficiently addressed in the security research community. Many of the sections in this chapter strive to cover this gap.

In addition, contributor Lauren Collins (Chapter 10, “Securing the Infrastructure”) focuses on how security is presented to protect the infrastructure. Smart grid cyber security, as treated in this chapter, addresses not only deliberate attacks, such as those from disgruntled employees, industrial espionage, and terrorists, but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters.

Collectively, an infrastructure consists of circuits, cabinets, cages, cabling, power, cooling, hardware, data, and traffic. Devices are placed meticulously to transmit data, to secure data, and to allow an organization to conduct business efficiently and effectively.

Finally, security is presented to protect the infrastructure, especially critical applications, and custom rules strive to restrict the susceptibilities of such structures and systems. Incidental occurrences may severely impact the business, and potentially the economy, which is the prime reason engineers architect an infrastructure to manage information securely. The nature of the business that is conducted should be considered when designing the layout of an infrastructure, where speed, rather than security, may be the top priority.

Furthermore, contributor Lauren Collins (Chapter 11, “Access Controls”) endeavors to inform the reader about the different types of access controls that are being used, and describes the pros and cons they might have. The application of security policies to computers, their systems, and their procedures leads into the mechanism of access control.

The fundamental goal of any access control instrument is to provide a verifiable system for assuring the protection of information from unauthorized or inappropriate access, as outlined in one or more security policies. Generally, this translation from security policy to access control implementation is dependent on the nature of the policy and involves the inclusion of confidentiality and integrity.

Finally, systems are responsible for verifying the authenticity of an individual to gain access to a space, or to detect and exclude a computer program failing a spoof test as an access control. Two-factor authentication occurs when elements representing two factors are required for identification. The ways in which someone may be authenticated fall into three categories, based on what are known as the factors of authentication: something the user knows, something the user has, and something the user is.
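The distinction drawn above between the three factors of authentication matters in practice: two credentials from the same category (a password plus a PIN, for instance) are both "something the user knows" and do not add up to two-factor authentication. The following added example, which is not code from the book or its contributors, makes that check explicit. It tags every verifier with the factor it represents, verifies a password (via PBKDF2) and a time-based one-time code (RFC 6238 TOTP over HMAC-SHA1, standing in for "something the user has"), and reports whether two distinct factors actually passed. All secrets, the PIN, and the verifier names are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo secrets; in a real system these live in a credential store
# and on the user's device, never in source.
PASSWORD_SALT = b"constructed-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000)
TOTP_SECRET = b"constructed-shared-secret"  # shared between server and authenticator device
DEMO_PIN = "4242"                            # constructed; same factor category as the password


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step, HMAC-SHA1, dynamic truncation."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_password(candidate: str, now: int) -> bool:
    """'Something the user knows': constant-time comparison of the derived hash."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(digest, PASSWORD_HASH)


def check_pin(candidate: str, now: int) -> bool:
    """Also 'something the user knows', so it never counts as a second factor."""
    return hmac.compare_digest(candidate, DEMO_PIN)


def check_totp(code: str, now: int) -> bool:
    """'Something the user has': accept the current and previous step for clock skew."""
    return any(hmac.compare_digest(code, totp(TOTP_SECRET, now - d)) for d in (0, 30))


# Each verifier is tagged with the authentication factor it represents.
VERIFIERS = {
    "password": ("knows", check_password),
    "pin":      ("knows", check_pin),
    "totp":     ("has",   check_totp),
}


def authenticate(presented: dict, now: int) -> dict:
    """Verify each presented credential; two-factor means two *distinct* factors passed."""
    passed_factors = set()
    for name, value in presented.items():
        factor, verify = VERIFIERS[name]
        if verify(value, now):
            passed_factors.add(factor)
    return {"factors": passed_factors, "two_factor": len(passed_factors) >= 2}


if __name__ == "__main__":
    now = 1_700_000_000  # fixed timestamp so the run is reproducible
    print(authenticate({"password": "correct horse", "totp": totp(TOTP_SECRET, now)}, now))
    print(authenticate({"password": "correct horse", "pin": DEMO_PIN}, now))
```

The `authenticate` result for password plus TOTP reports two factors, while password plus PIN reports only `{"knows"}`, even though both credentials are correct: the count is over factor categories, not over credentials.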

Contributor Lauren Collins (Chapter 12, “Assessments and Audits”) continues by presenting the basic technical aspects of conducting information security assessments and audits. She presents technical testing and examination methods and techniques that an organization might use as part of an assessment and audit, and offers insights to assessors on their execution and the potential impact they may have on systems and networks.

Risk Management is a discipline that exists in every professional environment. Having the ability to gauge and measure exposure within an environment effectively prepares the organization to proactively implement workflows and assessments.

Defining security holes in an organization is the delineation of risk that may exist. It is necessary to architect a framework to analyze exclusive incidents, potential outcomes that may arise from such incidents, and the impending consequences.

Managing vulnerability where a team can identify, classify, remediate, and mitigate potential situations is critical to keeping a business up and running. Additionally, tools can be utilized to identify and classify possible vulnerabilities.

Information security needs to be in line with the business objectives, and decisions must be made based on metrics and indicators of vulnerabilities. Regularly combining assessments and audits offers executives a clear, prioritized, and comprehensive view of risks and vulnerabilities, while integrating IT assets, resources, environment and processes into a single platform.

Finally, just as IP addresses had to advance from IPv4 to IPv6, password lengths will have to increase, as will their complexity. Standardization and open collaboration benefit both vendors and consumers, and advance the industry as a whole. Security professionals benefit from the portability and ease of customization of assessment content, as well as from assessing the impact of the latest vulnerability.

Contributor Scott R. Ellis (Chapter 13, “Fundamentals of Cryptography”) discusses how information security is the discipline that provides protection of information from intrusion and accidental or incidental loss. He also provides a framework for the protection of information from unauthorized use, copying, distribution, or destruction of data.

Finally, cryptography plays a key role in supporting the protection of captured data from prying eyes. It does nothing to actually protect the encrypted data from being intercepted.

Next, contributor Jeffrey S. Bardin (Chapter 14, “Satellite Cyber Attack Search and Destroy”) discusses satellite cyber attacks with regard to hacking, interference and jamming. For the last several years, we have been notified that sunspot activity could disrupt Earth’s communications. In fact, there have been numerous cell phone outages due to sunspots. This disruption has a significant impact on the daily life of humans on this planet. Nearly all disruptions we have experienced have been the result of natural acts.

Finally, imagine if someone had the capability to hack a satellite. This type of activity appears in movies: Hackers release malware installed on a system that modifies the geographic positioning system of oceangoing oil tankers. Although this potentiality may be unrealistic, the effect should it occur would be extremely high. Whether environmental disaster, or total disruption of command-and-control of a military operation, or massive outages during the Super Bowl of satellite connectivity, the impacts would be significant relative to sunspots.

Finally, contributor Pramod Pandya (Chapter 15, “Advanced Data Encryption”) explores advanced data encryption algorithms. Every engineered system has a flaw, and it is only a matter of time before someone compromises it, thus demanding new innovations that explore applications of algebraic structures such as groups and rings, elliptic curves, hyperelliptic curves, lattice-based constructions, and quantum physics.

Over the last 20 years, we have witnessed the evolution of classical cryptography into quantum cryptography, a branch of quantum information theory. Quantum cryptography is based on the framework of quantum physics, and it is meant to solve the problem of key distribution, which is an essential component of cryptography that enables securing the data.

A key allows the data to be coded so that, to decode the data, one would need to know the key that was used to code it. Coding the given data using the key is known as encryption, and decoding the encrypted data, which is the reverse step-by-step process, is known as decryption. Data encryption prevents data from being exposed to unauthorized access and makes it unusable to anyone without the key.
