As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in cybersecurity risks, software assurance, advanced persistent threat, international insider threat, Wireless Emergency Alerts Service, security and survivability, and acquisition.

This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website.

A Taxonomy of Operational Cyber Security Risks Version 2
By James J. Cebula, Mary Popeck, and Lisa R. Young

This report presents a taxonomy of operational cybersecurity risks that attempts to identify and organize the sources of operational cybersecurity risk into four classes: (1) actions of people, (2) systems and technology failures, (3) failed internal processes, and (4) external events. Each class is broken down into subclasses, which are described by their elements. This report discusses the harmonization of the taxonomy with other risk and security activities, particularly those described by the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST) Special Publications, and the CERT Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) method.
Download the PDF

Data-Driven Software Assurance: A Research Study
By Michael D. Konrad, Art Manion, Andrew P. Moore, Julia L. Mullaney, William Nichols, Michael F. Orlando, and Erin Harper

Software vulnerabilities are defects or weaknesses in a software system that if exploited can lead to compromise of the control of a system or the information it contains. The problem of vulnerabilities in fielded software is pervasive and serious. In 2012, SEI researchers began investigating vulnerabilities reported to the SEI's CERT Division and determined that a large number of significant and pernicious software vulnerabilities likely had their origins early in the software development life cycle, in the requirements and design phases. A research project was launched to investigate design-related vulnerabilities and quantify their effects. The Data-Driven Software Assurance project examined the origins of design vulnerabilities, their mitigations, and the resulting economic implications. Stage 1 of the project included three phases: 1) conduct of a mapping study and literature review, 2) conduct of detailed vulnerability analyses, and 3) development of an initial economic model. The results of Stage 1 indicate that a broader initial focus on secure design yields substantial benefits to both the developer and operational communities and point to ways to intervene in the software development life cycle (or operations) to mitigate vulnerabilities and their impacts. This report describes Stage 1 activities and outlines plans for follow-on work in Stage 2.
Download the PDF

Investigating Advanced Persistent Threat 1 (APT1)
By Deana Shick and Angela Horneman

This report analyzes unclassified data sets in an attempt to understand APT1's middle infrastructure.

In February 2013, Mandiant uncovered Advanced Persistent Threat 1 (APT1)--one of China's alleged cyber espionage groups--and provided a detailed report of APT1 operations, along with 3,000 indicators of the group's activity since 2006. This report analyzes unclassified data sets in an attempt to understand APT1's middle infrastructure: the system of hops, distribution points or relays, and the command and control (C2) servers that sit between APT1's victims and main C2 servers located overseas. To build that infrastructure, APT1 chose and exploited particular organizations to obfuscate communications while remaining in plain sight.

This analysis, based on data from IP addresses known to be associated with APT1 and domain names provided by Mandiant, was conducted using a combination of System for Internet Level Knowledge (SiLK) tools, Microsoft Excel, and custom Python scripts. The study detailed in this report can be replicated easily using available sources and tools. By combining key unclassified information, the authors successfully described a large, malicious network used to steal important information.
Download the PDF

International Implementation of Best Practices for Mitigating Insider Threat: Analyses for India and Germany
By Lori Flynn, Carly L. Huth, Palma Buttles-Valdez, Michael C. Theis, George Silowash, Tracy Cassidy, Travis Wright (Carnegie Mellon University, Master of Science in Information Security Policy and Management Program), and Randall F. Trzeciak

This report analyzes insider threat mitigation in India and Germany, using the new framework for international cybersecurity analysis described in the paper titled "Best Practices Against Insider Threats in All Nations," applying the framework to specific countries for the first time. Using that framework, the authors considered cybersecurity standards with respect to analysis that takes into account a country's technologies, relevant laws, law enforcement, corruption, and prevalent culture and subcultures. This report provides a detailed profile for each of these factors for each country and considers five best practices for mitigating insider threats recommended in the Common Sense Guide to Mitigating Insider Threats.

This report is intended to help organizations implement cybersecurity best practices internationally. In part, this analysis is meant to help readers understand challenges in India and Germany, plus mitigations for the challenges that are particularly useful in those countries. These insights can be used by organizations that outsource to, offshore to, or have supply chains that include these countries. Furthermore, this report's findings may be helpful on a wide scale for implementing general cybersecurity best practices in countries that share similarities with India or Germany, with regard to the factors studied. Technical, physical, and administrative controls that are helpful for implementing best practices in India and Germany may be helpful for similar countries. Likewise, particular controls may be ineffective (and require substitution controls) in similar countries. This is an initial, exploratory effort that is not exhaustive.
Download the PDF

Commercial Mobile Alert Service (CMAS) Alerting Pipeline Taxonomy
By The WEA Project Team

This report presents the Commercial Mobile Alert Service (CMAS) Alerting Pipeline Taxonomy, a hierarchical classification that encompasses four elements of the alerting pipeline, to help stakeholders understand and reason about required CMAS operations.

This report presents a taxonomy developed for the Commercial Mobile Alert Service (CMAS). The CMAS Alerting Pipeline Taxonomy is a hierarchical classification that encompasses four elements of the alerting pipeline: alert originator, Integrated Public Alert and Warning System aggregator, commercial mobile service provider infrastructure, and recipients. The taxonomy treats the alert-originator element in the most detail, identifying key features of alert-originator organizations and systems. It also identifies a limited number of features for the other three elements. The purpose of the CMAS taxonomy is to help stakeholders understand and reason about required operations. To this end, the report provides a representative scenario to ensure that the taxonomy defines the elements used in CMAS operations. The CMAS Alerting Pipeline Taxonomy will simplify some actions related to an organization's effort to integrate into CMAS. The taxonomy will simplify analysis by decomposing the CMAS Alerting Pipeline into features so that the interactions among pieces will be simpler to understand. And the taxonomy will simplify guidance by representing the domain in a manageable form for explaining a variety of situations.
Download the PDF

An Evaluation of A-SQUARE for COTS Acquisition
By Sidhartha Mani and Nancy R. Mead

Developed by the SEI, Software Quality Requirements Engineering for Acquisition (A-SQUARE) is a methodology used for eliciting and prioritizing security requirements as part of the acquisition process. In the project described in this paper, we evaluated the effectiveness of the A-SQUARE method by applying it to a COTS product for the advanced metering infrastructure of a smart grid.

We evaluated the ability of the A-SQUARE method to

• identify security requirements for the COTS product;
• identify candidate COTS products;
• elicit, categorize, and prioritize security requirements; and
• prioritize COTS products; and select a COTS product.

We also evaluated the usability of the A-SQUARE tool using qualitative evaluation criteria.
Download the PDF

Potential Use of Agile Methods in Selected DoD Acquisitions: Requirements Development and Management
By Kenneth Nidiffer, Suzanne Miller, and David J. Carney

This report explores issues that practitioners in the field who are actively adopting Agile methods have identified in our interviews about their experience in defining and managing requirements.

Adoption of methodologies that generally come under the umbrella of Agile in the software development community includes consideration of how those adopting Agile methods interface with elements of the acquisition community who provide the requirements and other constraints that govern how the software part of a system will be developed. Several Agile methods have expectations about how requirements are handled that are different from the typical approach used in government acquisition settings. This qualitative research study from the SEI explores issues that practitioners in the field who are actively adopting Agile methods have identified in our interviews about their experience in defining and managing requirements.
Download the PDF

Additional Resources

For the latest SEI technical reports and notes, please visit
http://resources.sei.cmu.edu/library/.