The Twelve Principles of Safe Places

  • Ganna Pogrebna
  • Mark Skilton
Chapter

Abstract

In this chapter, we systematize the best cyberdefense practices that emerged from our discussions with expert researchers and practitioners. These practices are partitioned into twelve principles of safe places. We discuss the potential benefits of applying each principle to business cybersecurity systems.


Copyright information

© The Author(s) 2019

Authors and Affiliations

  1. University of Birmingham, Birmingham, UK
  2. The Alan Turing Institute, London, UK
  3. Warwick Business School, University of Warwick, Coventry, UK