31 research outputs found

    Developing and verifying a set of principles for the cyber security of the critical infrastructures of Turkey

    Critical infrastructures are vital assets for countries as a harm given to critical infrastructures may affect public order, economic welfare and/or national security. Today, cyber systems are extensively used to control and monitor critical infrastructures. Therefore, cyber threats have the potential to adversely affect the order of societies and countries. In this PhD study, the root causes of the susceptibility of the critical infrastructures of Turkey to the cyber threats are identified by analyzing the qualitative data with the grounded theory method. The extracted root causes are verified by two experts. The set of principles for the cyber security of the critical infrastructures are determined by introducing the root causes to six experts in a five-phased Delphi survey. A state-level cyber security maturity model to measure the readiness level of the critical infrastructure protection efforts is developed by using the set of principles. Because maturity criteria are grounded on the root causes of the susceptibility to cyber threats, the maturity model is named Vulnerability Driven National Cyber Security Maturity Model. The readiness level of the critical infrastructure protection efforts of Turkey is measured by the participation of ten former/current government officials in the maturity survey. The root causes, the set of principles, and the results of the maturity survey are compared with the relevant studies of the academia, non-profit organizations and governments

    An Hierarchical Asset Valuation Method for Information Security Risk Analysis

    The widespread use of information technology transforms businesses continuously and rapidly. Information technology introduces new threats to organizations as well. Risk analysis is an important tool in order to make correct decisions and to deal with cyber threats. Identification and valuation of assets is a crucial process that must be performed in risk analyses. Without properly identified and valued assets, the results of risk analyses lead to wrong decisions. Wrong decisions on information security may directly affect corresponding business processes. There are some finished and applied methods in literature for asset identification and valuation; however these methods are complicated and are not suitable for practical information security management projects. In this paper, a hierarchy based asset valuation method is proposed. Our method is intended to minimize the common mistakes that were done during Information Security Management Projects. The application of the method has not been performed yet; however it is thought that it can ease the processes and reduce the number of errors

    Securing Networks of Information Age

    Internet and IT devices are being used for business and entertainment more frequently. Internet has been becoming a vital part of social fabric. Threats to Internet and other complex commercial networks are solid and growing. Globalization and the need for interoperability complicates security of IT Networks and Internet. Cyber threats have an important potential damage capacity. Proactive security methodologies are needed to protect valuable information. According to the situation described above, the purpose of this paper is to examine the current trends in network security, and to propose a roadmap for protecting information from cyber threats

    ISRAM: information security risk analysis method

    Continuously changing nature of technological environment has been enforcing to revise the process of information security risk analysis accordingly. A number of quantitative and qualitative risk analysis methods have been proposed by researchers and vendors. The purpose of these methods is to analyze today's information security risks properly. Some of these methods are supported by a software package. In this study, a survey based quantitative approach is proposed to analyze security risks of information technologies by taking current necessities into consideration. The new method is named as Information Security Risk Analysis Method (ISRAM). Case study has shown that ISRAM yields consistent results in a reasonable time period by allowing the participation of the manager and staff of the organization

    Zero Trust and Advanced Persistent Threats: Who Will Win the War?

    Advanced Persistent Threats (APTs) are state-sponsored actors who break into computer networks for political or industrial espionage. Because of the nature of cyberspace and ever-changing sophisticated attack techniques, it is challenging to prevent and detect APT attacks. 2020 United States Federal Government data breach once again showed how difficult it is to protect networks from targeted attacks. Among many other solutions and techniques, zero trust is a promising security architecture that might effectively prevent the intrusion attempts of APT actors. In the zero trust model, no process inside or outside the network is trusted by default. Zero trust is also called perimeterless security to indicate that it changes the focus from network devices to assets. All processes are required to verify themselves to access the resources. In this paper, we focused on APT prevention. We sought an answer to the question: could the 2020 United States Federal Government data breach have been prevented if the attacked networks used zero trust architecture? To answer this question, we used MITRE's ATT&CK® framework to extract how the APT29 threat group techniques could be mitigated to prevent initial access to federal networks. Secondly, we listed basic constructs of the zero trust model using NIST Special Publication 800-207 and several other academic and industry resources. Finally, we analyzed how zero trust can prevent malicious APT activities. We found that zero trust has a strong potential of preventing APT attacks or mitigating them significantly. We also suggested that vulnerability scanning, application developer guidance, and training should not be neglected in zero trust implementations as they are not explicitly or strongly mentioned in NIST SP 800-207 and are among the mostly referred controls in academic and industry publications

    A quantitative method for ISO 17799 gap analysis

    ISO/IEC 17799:2005 is one of the leading standards of information security. It is the code of practice including 133 controls in 11 different domains. There are a number of tools and software that are used by organizations to check whether they comply with this standard. The task of checking compliance helps organizations to determine their conformity to the controls listed in the standard and deliver useful outputs to the certification process. In this paper, a quantitative survey method is proposed for evaluating ISO 17799 compliance. Our case study has shown that the survey method gives accurate compliance results in a short time with minimized cost

    From the National Cyber Maturity to the Cyber Resilience: The Lessons Learnt from the Efforts of Turkey

    In this paper, the details of critical infrastructure protection program of United States of America are shared by taking the cyber resilience into account. The academic and institutional studies on the concepts of cyber maturity, critical infrastructure protection program and cyber resilience are explained in detail. By the help of these studies and national efforts, the relations among these concepts are proposed. The key components of a cyber security strategy and action plan for a cyber resilient society are proposed by taking these three concepts into account. As the final step, the recent cyber security efforts of Turkey are shared with the reader and assessed according to the determined key components

    Critical infrastructure protection status and action items of Turkey

    Critical infrastructures are the physical and virtual systems essential to the minimum operations of the economy and the government. Critical Infrastructure Protection (CIP) is a critical agenda item for governments in the developed countries. In these countries, policies and procedures on CIP are already in place and required laws are in action as well. In Turkey, some official introductory studies have been performed in 2009. However, there are a number of steps that Turkey still has to take. In this study, key definitions are provided firstly. After the definitions, the efforts of USA, EU, OECD and NATO are summarized. The last two sections of the paper are dedicated to the steps taken by Turkey and the challenges still ahead of Turkey

    A Novel Approach to Information Security Risk Analysis

    A number of risk analysis methods became obsolete because of the profound changes in information technologies. Revolutionary changes in information technologies have converted many risk analysis methods into inconsistent, long lasting and expensive instruments. Therefore, risk analysis methods should be adaptively modified or redesigned according to the changes in information technologies, so that they meet the information security requirements of the organizations. By taking these requirements into consideration, a survey based approach is proposed for analyzing the risks of information technologies. This new method is named as Risk Analysis Method for Information Security (RAMIS). A case study is conducted to show the steps of RAMIS in detail and to obtain the risk results. To verify the results of the case study, simulation is performed based on the real statistical data. The results of simulation showed that RAMIS yields consistent results in a reasonable time period by allowing the participation of the manager and staff of the organization

    A Collaborative Process Based Risk Analysis for Information Security Management Systems

    Today, many organizations quote intent for ISO/IEC 27001:2005 certification. Also, some organizations are en route to certification or already certified. Certification process requires performing a risk analysis in the specified scope. Risk analysis is a challenging process especially when the topic is information security. Today, a number of methods and tools are available for information security risk analysis. The hard task is to use the best fit for the certification. In this work we have proposed a process based risk analysis method which is suitable for ISO/IEC 27001:2005 certifications. Our risk analysis method allows the participation of staff to the determination of the scope and provides a good fit for the certification process. The proposed method has been conducted for an organization and the results of the applications are shared with the audience. The proposed collaborative risk analysis method allows for the participation of staff and managers while still being manageable in a timely manner to uncover crucial information security risks