
Information Insecurity

Information Insecurity. Part I: The Problem. Cyber-attacks are different. Many network operators and countries may be involved. Easy to learn techniques and acquire tools. Small investment can cause massive economic damage. No need for physical contact with the victims.

Gabriel

Presentation Transcript


  1. Information Insecurity Part I: The Problem

  2. Cyber-attacks are different
     • Many network operators and countries may be involved
     • Easy to learn techniques and acquire tools
     • Small investment can cause massive economic damage
     • No need for physical contact with the victims
     • When done subtly it leaves few or no traces
     • Easy for the players to hide
     • Inadequate cyberspace legislation

  3. Today’s Seven major threats
     • State sanctioned information warfare
     • Information counter-intelligence
     • Cyber-terrorism
     • Cyber-organized crime
     • Information sabotage
     • Cyber-crime
     • Cyber-hooliganism

  4. Cyberterror and Cyberwar: not IF but WHEN
     • Question 1: What constitutes an act of war in Cyberspace?
     • Question 2: What is cyber-terrorism?
     • Lack of definitions
     • Electromagnetic pulse
     • Attack on military networks/computers
     • Attack on critical civilian infrastructure (electricity, water, transport, hospitals)
     • Disruption of civil systems (tax, social security, banking)
     • Disinformation

  5. Cybercriminals
     • Financial fraud
     • Theft of intellectual property
     • Money laundering
     • Unlicensed gambling
     • Pornography
     • Identity theft
     • Industrial (& other) espionage
     • Extortion
     • and many other…

  6. Cyberhooligans
     • Spam
     • Synchronised DOS attack
     • Hijacking a computer
     • Disseminating virus/worm (without destructive payload)
     • Redirecting website traffic
     • Website Spoofing
     • Website defacement
     • Activating intrusion detection

  7. It all started with the invention of writing and the need to keep secrets
     • Accounting document in which the pictures represent goods and the notches quantities
     • Mesopotamia ± 6,000 years ago
     • Musée du Louvre, Paris
     • Bronze Age cuneiform writing on clay tablet

  8. Growing ease of copying (copyright issues)
     Followed by more inventions making increasing use of binary digits (bits)
     • Paper
     • Printing
     • Books
     • Libraries
     • Photography
     • Phonograph
     • Photocopier
     • Scanner
     • Digital everything

  9. Cyberspace: the world of bits
     • World Wide Web: 400 million “users” and growing
     • Deep Web
     • Intranets
     • Extranets
     • Satellite communications
     • Military communications
     • Railroad communications
     • Air traffic control
     • Nuclear utilities
     • OECD’s “OLIS”
     • Business to Business procurement (B2B)
     • Computer aided design done jointly by several companies
     • Networks not using Internet technologies

  10. What do we do in cyberspace? Transaction E-commerce Treasury, funds transfer Stock Exchanges Airline reservations Procurement Messaging ever expanding lists of possibilities Usually Mission Critical Some may be Mission Critical Some may not be Mission Critical Analysis Statistics Data mining Credit rating Actuarial analysis Business Intelligence Situation Analysis Process support Factory automation Air traffic control Utilities Logistics and tracking Accounting and payroll Knowledge management Office automation Increasingly Mission Critical Wire services e-publishing Interactive databases Publishing Publication

  11. The world of bits and atoms (1)
     • Scheduling: timetable
     • Scheduling: aircraft/trains, etc
     • Scheduling: maintenance
     • Scheduling: staff and crews
     • Calculating fuel requirements
     • Traffic Control
     • Ticketing, fares and yield management
     • Passenger information systems
     • Modeling and traffic rerouting
     • etc.

  12. The world of bits and atoms (2)
     • Robotic systems
     • Computer assisted manufacturing
     • Mass customization
     • Just in time logistics
     • Assembly line monitoring
     • Quality assurance and controls
     • etc.

  13. The world of bits and atoms (3)
     • Electricity generation
     • Water treatment
     • 7 days a week, 24 hours a day operations
     • Safety monitoring and controls
     • Environmental controls (for discharges)
     • Quality assurance and controls
     • Distribution management
     • etc.

  14. And more: vital services
     • Hospitals
     • Education
     • Emergency services
     • Skills and knowledge intensive
     • I.T. is becoming a component in all of them

  15. Crime and punishment
     • Humans are tool makers. Tools have always been used creatively in crime and war
     • Codes of conduct and law recorded since the invention of writing
     • Legislation develops less fast than technology and new forms of crime
     • Law enforcement is not a 100% answer
     • Code of Hammurabi contains 282 proclamations (laws)
     • Mesopotamia ~ 3300 years ago
     • Musée du Louvre, Paris
     • particularly in cyberspace

  16. Types of cyber-attack
     • Computers and communications as a target
     • Computers and communications as tools
     • Fraud
     • Extortion
     • Disruption
     • Espionage
     • Breaking passwords
     • Decryption
     • Interception
     • Computers and communications as weapons
     • Malicious code
     • Disinformation
     • Sabotage
     • Smart weapons

  17. Everyone a target
     • Every system a challenge
     • No need for physical contact
     • Few, if any, traces left
     • Inadequate or non-existent legislation
     • Many players
     • Many forms of attack

  18. Attack trends: malicious code
     • [Chart] Vulnerabilities reported to CERT
     • [Chart] Number of incidents reported to CERT
     • Source: CERT, Computer Emergency Response Team at Carnegie Mellon University, April 2002, www.cert.org

  19. Economic Impact (1)
     • Average bank holdup: $ 14,000 dollars
     • Average computer theft: $ 2,000,000 dollars
     • Source: Association of Certified Fraud Examiners (U.S.A.), 2000

  20. Economic Impact (2)
     • CODE RED (a worm) infected 360,000 web servers in the first 14 hours
     • It then spread around the world in 48 hours
     • The bad news: CODE RED and NIMDA had no destructive payload and are seen as “proof of concept” for future designs
     • Source: Computer Economics Inc, 2000

  21. Economic Impact (3)
     Estimated cost of virus and worm infections in 2001 – 17 billion US dollars to
     • clean malicious software from all equipment
     • restore lost and damaged data
     • help end users and clients
     • test and return systems to normal operations
     • loss of productivity as a result of downtime
     Assumes 1 person-minute = 1 $

  22. The Players – by organization
     • National government and legislation
     • Critical Infrastructures
     • International Organizations
     • Individual users
     • Small businesses
     • Vendors and service providers
     • Higher education
     • Large enterprises and organizations

  23. Critical infrastructures
     • Emergency services
     • Power generation and distribution
     • IXPs
     • Water purification and distribution
     • Banking and financial services
     • Public transport
     • Fixed and mobile telecommunications
     • Oil refineries and distribution depots, pipelines
     • Airlines and air traffic control

  24. Public domain information Some of these Exchanges are not secure facilities

  25. www.turnofftheinternet.com so far, just fun

  26. Special responsibilities: CRITICAL INFRASTRUCTURES
     • Ensure computing is highly secure
     • Monitor and deal with vulnerabilities continually
     • Maintain effective boundaries with the Internet
     • Employ qualified and trained I.T. security personnel
     • Manage interdependencies with other critical infrastructures
     • Share information with other critical infrastructures
     • Have ready disaster recovery and crisis management plans
     • Seek, obtain and maintain security certification

  27. Special responsibilities: NATIONAL GOVERNMENT AND LEGISLATION
     • Implement national security programs
     • Promote standards and best practices
     • Ensure clear definition of accountability and oversight
     • Conduct security audits of government agencies
     • Provide adequate funding for information security
     • Recruit, train and retain qualified I.T. security personnel
     • Conduct awareness programs for government employees
     • Make arrangements for reporting security incidents
     • Have warning, analysis, incident response and recovery procedures

  28. Special responsibilities: INTERNATIONAL ORGANIZATIONS
     • Encourage international standards for information security
     • Develop mechanisms for international cooperation
     • Develop appropriate governance of cyberspace
     • Create effective mechanisms for sharing information

  29. Special responsibilities: VENDORS AND SERVICE PROVIDERS
     • Balance “time to market” against product vulnerabilities
     • Protect the interests of customers by providing alerts, patches, fixes and upgrades, perform more functions for them
     • Liaise with User Groups and others to reduce vulnerabilities
     • Develop fair terms and conditions of software licences that do not absolve vendors from responsibility and liability
     • Collaborate in the pursuit of cyber-attackers by providing access to records, logs and data

  30. Special responsibilities: LARGE ENTERPRISES AND ORGANIZATIONS
     • Establish clear responsibility for information security and appropriate reporting lines
     • The CEO, the Board and the Auditors should know about standards, best practices and self-evaluation
     • Establish enterprise-wide security policies including what should be disclosed to the Board, stakeholders, auditors, etc
     • Implement employee awareness programs
     • Manage insider threats (and balance risk vs. employee privacy)
     • Have appropriate risk management and insurance cover
     • Have working arrangements to report security incidents

  31. Special responsibilities: HIGHER EDUCATION
     • Take steps to prevent attacks originating within Institutions
     • Protect critical information from external and internal attack
     • Organize for security as a shared concern with other Institutions worldwide

  32. Special responsibilities: SMALL BUSINESSES AND INDIVIDUALS
     • Be aware of cyber-security issues and of how to deal with vulnerabilities and incidents
     • Awareness of the security issues of new technologies such as ADSL, wireless connectivity, etc
     • Require vendors to disclose risks
     • Need for Internet Service Providers to perform more cyber-security functions for home users?

  33. The Players – by nature
     BAD GUYS
     • Malicious insiders
     • Script kiddies
     • Hackers, crackers, phreakers
     • Hacktivists
     • Spies (industrial and other)
     • Organised crime
     • Cyber-terrorists
     GOOD GUYS
     • Responsible end-users
     • Security administrators
     • Security managers
     • Internal auditors
     • Security coordinators
     • Providers of security alerts
     • Ethical hackers
     • and many more
     VERY SPECIAL GUYS
     • Vendors
     • Security auditors
     • Security consultants
     • Legislators

  34. The Bad Guys
     • Malicious insiders
     • Script kiddies
     • Hackers, crackers, phreakers
     • Hacktivists
     • Spies (industrial and other)
     • Organised crime
     • Cyber-terrorists
     Access, Knowledge, Motivation

  35. ACCESS mechanisms
     OFFICIAL
     • Authorized insiders
     • Rights of former personnel (should have been removed)
     UNOFFICIAL
     • Disclosure by insiders
     • Abuse of insider knowledge
     • Abuse of presence as visitor
     • Theft of ID and password
     • Newly discovered vulnerabilities
     • Hacker club disclosures
     • Forced entry (password breaker)

  36. Knowledge sources
     • Privileged insider knowledge
     • Obtained by following public discussions on product vulnerabilities
     • Buying commercially available hacking tools
     • Shared through hacker groups and conferences
     • Virus, worm and other malicious code design

  37. nuisances What motivates the Bad Guys (1) Script Kiddies Hacktivists Cyber-hooligans Emulate the “big boys” ego-trip Deny service (sit-in) Make themselves heard Cause embarrassment Malice Gain publicity Individual copyright violators Ethical Hackers Show how smart they are Identify vulnerabilities = fun Defy authority Safely break the law Minor financial gain Many become security consultants

  38. Industrial+ spies Business copyright violators Virus and worm designers Non-ethical Hackers (crackers) What motivates the Bad Guys (2) almost always MONEY “Just because it’s there” Test new ways to spread malicious code Cause loss or corruption of data Steal IDs and passwords Impersonation and spoofing Steal credit card and similar data Sabotage, etc Low risk of detection and punishment

  39. What motivates the Bad Guys (3)
     Malicious insider
     • Strong personal animosity towards a person
     • Grudge against employer
     • Criminal intent: fraud, extortion, theft, corruption of data, sabotage, etc
     • Low risk of detection and punishment
     Organized crime
     • New areas of opportunity - globally
     • Ease of hiding in cyberspace
     • Ease of establishing global networks
     • Lack of legislation and jurisdiction
     • Interpol, Europol, FBI, Chambers of Commerce and many others organizing to fight it

  40. What motivates the Bad Guys (4)
     Cyber-terrorists
     • Driven by ideology
     • Richness of opportunity
     • Availability and low cost of resources needed
     • Impact of successful attacks
     • Visibility
     • Ease of establishing global networks
     • Ability to hide in cyberspace
     • Lack of legislation and jurisdiction

  41. Hiding in cyber-space (1)
     Source: Dorothy Denning and William Baugh, Information, Communication and Society, 1999
     • Voice, fax and data communications
     • E-mail
     • Stored data
     • In public postings
     • Encryption
     • Digital compression
     • Steganography: message bits are mixed with the bits defining the image

  42. Hiding in cyber-space (2): Anonymity
     • Use of passwords
     • Hiding information in remote servers
     • Disabling audit logs in servers
     • Anonymous remailers
     • Anonymous digital cash
     • Computer penetration and looping
     • Cellphone cloning
     • Cellphone pre-paid cards
     • Nobody knows who you are
     • Nobody knows where you are

  43. Offences – forms of attack
     CATEGORIES
     • Network-related: Interference; Sabotage; Anonymity
     • Data-related: Interception; Modification; Theft
     • Access-related: Hacking; Malicious code distribution
     • Computer-related: Aiding and abetting cyber-criminals; Fraud, embezzlement; Forgery

  44. Network-related offences Physical disconnection or damage Corruption of Domain Name Servers Attack on an Internet Exchange Point (IXP) Attack of a critical infrastructure Interference Sabotage Denial of service Control of a server or network devices Using a trusted network to access another network “Sniffing” traffic Hoaxes Anonymity Stolen and cloned cellphones Hijacking the ID and password of a legitimate network user

  45. Data-related offences Interception Voice and fax e-mail Data transfers (fixed and mobile) Defacement of a website e-mail spoofing and impersonation Database and document contents Commercial transactions 10010101001 Modification Intellectual property Personal data User IDs and passwords Non-public domain information Theft

  46. Access-related offences Hacking Unauthorized access to networks and computer systems Use of electronic services without payment Deleting and/or destroying data Disclosure of security weaknesses found and how to overcome them Invasion of privacy To launch a distributed denial of service attack To slow down/close down a network (worm) To corrupt servers and data (virus and/or worm) To gain control of a server or device (trojan horse, back door) To extort payment (logical bomb) Distribution of malicious code

  47. Computer-related offences Aiding and abetting cyber-crime Providing (knowingly or not) technical, financial and legal facilities for conducting and/or hiding cyber-crime Falsification of financial transactions Misuse of credit card and personal data Unlicensed financial services, gambling Fraud Messaging and documents Digital I.D. Copyrighted data (software, music, e-book) Forgery

  48. Impact of various offences Most pervasive Most expensive Insider fraud, sabotage Theft of proprietary information Virus, worm, trojan horse Most publicised Most frequent Attacks on e-business - theft of credit card data - Denial of Service Developers’ mistakes Network misconfiguration Poor system administration
