• An attacker’s priority target is the cybersecurity system {19.17}.
Description. Closely following from the primacy-of-integrity principle {03.06} is the criticality of the cybersecurity subsystem. To attack the mission, the adversary must first disable any security controls that effectively defend against its attack path, including the controls that defend the security subsystem itself. Great care must therefore be taken to protect and monitor the cybersecurity subsystem {23.12}.
Rationale. The security subsystem protects the mission system. Attempted attacks on the cybersecurity subsystem are therefore harbingers of attacks on the mission system itself {22.08}. The cybersecurity system is a prime target of the adversary because it is the key to attacking the mission system, so its protection is paramount {21.03}. For example, the integrity of the cybersecurity audit log matters because attackers attempt to alter the log to hide evidence of their activities.
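The audit-log point can be made concrete. The following is an added example, not code from the original article: an append-only log in which each record carries an HMAC over the record and the previous record's tag, so that editing or deleting an earlier record invalidates every tag that follows. The key, the record layout and the sample events are constructed for this example, and the key is assumed to be held off the logged host (a separate log collector or HSM), so an attacker who can edit the log file cannot recompute the tags.

```python
"""Tamper-evident audit log (added example, constructed data).

Each record's tag = HMAC-SHA256(key, previous_tag || record). Altering or
deleting an earlier record changes the input to every later tag, so the
chain no longer verifies.
"""
import hashlib
import hmac
import json

# Assumption: this key lives outside the logged system. If the attacker
# who edits the log also holds the key, the chain proves nothing.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS = b"\x00" * 32  # tag "before" the first record


def _payload(record):
    # Canonical encoding so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True).encode()


def append_record(log, record, key=LOG_KEY):
    """Append a record to log (a list of (record, tag) pairs); return its tag."""
    prev_tag = log[-1][1] if log else GENESIS
    tag = hmac.new(key, prev_tag + _payload(record), hashlib.sha256).digest()
    log.append((record, tag))
    return tag


def verify_log(log, key=LOG_KEY, expected_last=None):
    """Return (ok, index).

    ok is True when every tag chains correctly; index is the position of the
    first bad record. expected_last is the most recent tag as recorded
    somewhere the attacker cannot reach; without it, silent truncation of
    the tail is the one edit the chain alone cannot reveal.
    """
    prev_tag = GENESIS
    for i, (record, tag) in enumerate(log):
        expected = hmac.new(key, prev_tag + _payload(record), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, i
        prev_tag = tag
    if expected_last is not None and not hmac.compare_digest(prev_tag, expected_last):
        return False, len(log)  # tail was removed
    return True, None


def build_sample_log():
    """Constructed sample events (not real log data)."""
    log = []
    for rec in [
        {"ts": "2024-01-01T00:00:01Z", "event": "login", "user": "admin", "src": "10.0.0.5"},
        {"ts": "2024-01-01T00:00:09Z", "event": "config_change", "user": "admin", "target": "ids.rules"},
        {"ts": "2024-01-01T00:00:12Z", "event": "logout", "user": "admin"},
    ]:
        append_record(log, rec)
    return log


def tamper_delete(log, index):
    """Attacker removes one record to hide activity; returns a modified copy."""
    return log[:index] + log[index + 1:]


def tamper_edit(log, index, **changes):
    """Attacker rewrites fields of one record; returns a modified copy."""
    log = list(log)
    record = dict(log[index][0])
    record.update(changes)
    log[index] = (record, log[index][1])
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_log(log))
    print("record deleted:", verify_log(tamper_delete(log, 1)))
    print("record edited:", verify_log(tamper_edit(log, 1, target="nothing")))
    print("tail truncated, no anchor:", verify_log(log[:-1]))
    print("tail truncated, anchored:", verify_log(log[:-1], expected_last=log[-1][1]))
```

The anchored check is the part that matters for the article's argument: the log cannot protect itself, so the latest tag (or the key) has to be kept by a component the attacker who reaches the log cannot also reach.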
Implications. The cybersecurity system must be carefully designed to itself be secure. The security of the cybersecurity system cannot depend on any other, less secure system; doing so creates an indirect avenue for attack. For example, if identification and authentication for the maintenance ports used to update the cybersecurity system rely on simple passwords over remotely accessible network ports, those ports become the weakest link of the entire system. In addition, cybersecurity engineers cannot simply reuse the mechanisms the cybersecurity system provides to protect the mission systems in order to protect the cybersecurity system itself. In other words, the cybersecurity system cannot use itself to protect itself; that creates a circular dependency that will almost certainly produce an exploitable flaw. Lastly, cybersecurity mechanisms are usually hosted on operating systems and underlying hardware, which become the underbelly of the cybersecurity system. That underbelly must be secured using different cybersecurity mechanisms, and it is best if those mechanisms are as simple as possible. Complexity is the
to create virtual bulkheads in the system and to detect and thwart attacks propagating from one part of the system (where the attacker may have a toehold) to the next. This is a wise approach because many sophisticated attacks, such as worms, propagate within the system once they find their way in (for example, through a phishing email whose malicious link an unsuspecting user clicked).
• Without integrity, no other cybersecurity properties matter {03.06}.
Description. Cybersecurity is sometimes characterized as having three pillars, using the mnemonic C-I-A: preserving the confidentiality of data, ensuring the integrity of both the data and the system, and ensuring the availability of the system to provide the services for which it was designed. Sometimes cybersecurity engineers become hyperfocused on one pillar to the exclusion of adequate attention to the others. This is particularly true of cybersecurity engineers who have their roots in U.S. Department of Defense (DoD) cybersecurity, because confidentiality of classified data is a high-priority concern in the DoD. The reality is that all other system properties depend on system integrity, which therefore has primacy.
Rationale. System integrity is the single most important property because, without it, no other system properties are possible. No matter what properties a system may possess when deployed, they can be immediately subverted by an attacker altering the system to undo those properties and replace them with properties desirable to the attacker. This gives rise to the fundamental concept of the reference monitor {20.02}, which requires that the security-critical subsystem be correct (perform the required security functions), non-bypassable (so that the attacker cannot circumvent the controls to access protected resources), and tamperproof (so that the subsystem cannot be altered without authorization).
Implications. This primacy-of-integrity principle means that cybersecurity engineers must focus attention on access control to the system as a first priority, including heavy monitoring of the system for any unauthorized changes. This priority extends to the earlier stages of the system life cycle, such as up-
The effectiveness of depth could be measured by how miserable it makes an attacker’s life.
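As an added example of the "monitoring of the system for any unauthorized changes" called for under the integrity principle's Implications (not code from the original article), the following builds a SHA-256 baseline of a directory tree and reports which files were modified, added or removed. The directory layout, the file contents and the simulated attack are constructed for this example; in practice the trusted baseline is taken from a known-good image and kept off the monitored host, for the same reason the article gives that the cybersecurity system cannot use itself to protect itself.

```python
"""File-integrity baseline and change detection (added example, constructed data).

build_baseline() hashes every regular file under a root; diff_baseline()
compares a trusted baseline against a fresh one. The trusted baseline must
be stored where an attacker with write access to the tree cannot edit it.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped: following them would let an attacker point the
    scanner at a file outside the tree and hash that instead.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def diff_baseline(trusted, current):
    """Classify differences between the trusted and the current baseline."""
    return {
        "modified": sorted(k for k in trusted if k in current and trusted[k] != current[k]),
        "added": sorted(set(current) - set(trusted)),
        "removed": sorted(set(trusted) - set(current)),
    }


def make_demo_tree():
    """Constructed stand-in for a security subsystem's install (not real files)."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    (root / "bin").mkdir()
    (root / "etc").mkdir()
    (root / "bin" / "monitor").write_bytes(b"\x7fELF constructed binary\n")
    (root / "etc" / "policy.conf").write_text("deny_by_default = true\n")
    (root / "etc" / "rules.txt").write_text("alert on ssh brute force\n")
    return root


def simulate_attack(root):
    """Attacker neuters a rule, drops an implant and deletes the policy."""
    root = Path(root)
    (root / "etc" / "rules.txt").write_text("# rules disabled\n")
    (root / "bin" / "backdoor").write_bytes(b"\x7fELF constructed implant\n")
    (root / "etc" / "policy.conf").unlink()


def demo():
    """Baseline a clean tree, tamper with it, and return what the scan reports."""
    root = make_demo_tree()
    trusted = build_baseline(root)  # would be stored off-host in a real deployment
    simulate_attack(root)
    return diff_baseline(trusted, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A scan like this only has value if it runs on a schedule the attacker cannot disable and if its own binary and baseline sit outside the tree it checks; otherwise the monitor becomes one more thing the attacker edits first.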