Information Insecurity. Part I: The Problem. Cyber-attacks are different. Many network operators and countries may be involved. Easy to learn techniques and acquire tools. Small investment can cause massive economic damage. No need for physical contact with the victims.

PowerPoint Slideshow about 'Information Insecurity' - Gabriel



Information Insecurity

Part I: The Problem

Cyber-attacks are different

Many network operators and countries may be involved

Easy to learn techniques and acquire tools

Small investment can cause massive economic damage

No need for physical contact with the victims

When done subtly it leaves few or no traces

Easy for the players to hide

Inadequate cyberspace legislation

Today’s Seven major threats
  • State sanctioned information warfare
  • Information counter-intelligence
  • Cyber-terrorism
  • Cyber-organized crime
  • Information sabotage
  • Cyber-crime
  • Cyber-hooliganism
Cyberterror and Cyberwar

not IF but WHEN

Question 1 What constitutes an act of war in Cyberspace?

Question 2 What is cyber-terrorism?

Lack of definitions

Electromagnetic pulse

Attack on military networks/computers

Attack on critical civilian infrastructure (electricity, water, transport, hospitals)

Disruption of civil systems (tax, social security, banking)

Disinformation

Cybercriminals

Financial fraud

Theft of intellectual property

Money laundering

Unlicensed gambling

Pornography

Identity theft

Industrial (& other) espionage

Extortion

and many others…

Cyberhooligans

Spam

Synchronised DOS attack

Hijacking a computer

Disseminating virus/worm (without destructive payload)

Redirecting website traffic

Website Spoofing

Website defacement

Activating intrusion detection

It all started with the invention of writing and the need to keep secrets

Accounting document in which the pictures represent goods and the notches quantities

Mesopotamia ± 6,000 years ago

Musée du Louvre, Paris

Bronze Age cuneiform writing on clay tablet

Followed by more inventions making increasing use of binary digits (bits)

Growing ease of copying (copyright issues)

Paper

Printing

Books

Libraries

Photography

Phonograph

Photocopier

Scanner

Digital everything

Cyberspace: the world of bits

World Wide Web

400 million “users” and growing

Deep Web

Intranets

Extranets

Satellite communications

Military communications

Railroad communications

Air traffic control

Nuclear utilities

OECD’s “OLIS”

Business to Business procurement (B2B)

Computer aided design done jointly by several companies

Networks not using Internet technologies

What do we do in cyberspace?

Transaction

E-commerce

Treasury, funds transfer

Stock Exchanges

Airline reservations

Procurement

Messaging

ever expanding lists of possibilities

Usually Mission Critical

Some may be Mission Critical

Some may not be Mission Critical

Analysis

Statistics

Data mining

Credit rating

Actuarial analysis

Business Intelligence

Situation Analysis

Process support

Factory automation

Air traffic control

Utilities

Logistics and tracking

Accounting and payroll

Knowledge management

Office automation

Increasingly Mission Critical

Wire services

e-publishing

Interactive databases

Publishing

Publication

The world of bits and atoms (1)

Scheduling: timetable

Scheduling: aircraft/ trains, etc

Scheduling: maintenance

Scheduling: staff and crews

Calculating fuel requirements

Traffic Control

Ticketing, fares and yield management

Passenger information systems

Modeling and traffic rerouting

etc.

The world of bits and atoms (2)

Robotic systems

Computer assisted manufacturing

Mass customization

Just in time logistics

Assembly line monitoring

Quality assurance and controls

etc.

The world of bits and atoms (3)

Electricity generation

Water treatment

7 days a week, 24 hours a day operations

Safety monitoring and controls

Environmental controls (for discharges)

Quality assurance and controls

Distribution management

etc.

And more: vital services

Hospitals

Education

Emergency services

Skills and knowledge intensive

I.T. is becoming a component in all of them

Crime and punishment

Humans are tool makers.

Tools have always been used creatively in crime and war

Codes of conduct and law recorded since the invention of writing

Legislation develops less fast than technology and new forms of crime

Law enforcement is not a 100% answer

Code of Hammurabi contains 282 proclamations (laws)

Mesopotamia ~ 3300 years ago

Musée du Louvre, Paris

particularly in cyberspace

Types of cyber-attack

Computers and communications as a target

Computers and communications as tools

Fraud

Extortion

Disruption

Espionage

Breaking passwords

Decryption

Interception

Computers and communications as weapons

Malicious code

dis-information

sabotage

smart weapons


Everyone a target

Every system a challenge

No need for physical contact

Few, if any, traces left

Inadequate or non-existent legislation

Many players

101101010…

Many forms of attack

Attack trends: malicious code

Vulnerabilities reported to CERT

Number of incidents reported to CERT

Source: CERT, Computer Emergency Response Team at Carnegie Mellon University, www.cert.org (April 2002)

Economic Impact (1)

Average bank holdup: $14,000

Average computer theft: $2,000,000

Source: Association of Certified Fraud Examiners (U.S.A.), 2000

Economic Impact (2)

CODE RED (a worm) infected 360,000 web servers in the first 14 hours

It then spread around the world in 48 hours

The bad news: CODE RED and NIMDA had no destructive payload and are seen as “proof of concept” for future designs

Source: Computer Economics Inc, 2000

Economic Impact (3)

Estimated cost of virus and worm infections in 2001 – 17 billion US dollars to

  • clean malicious software from all equipment
  • restore lost and damaged data
  • help end users and clients
  • test and return systems to normal operations
  • loss of productivity as a result of downtime

Assumes 1 person-minute = 1 $

The Players – by organization

National government and legislation

Critical Infrastructures

International Organizations

Individual users

Small businesses

Vendors and service providers

Higher education

Large enterprises and organizations

Critical infrastructures

Emergency services

Power generation and distribution

IXPs

Water purification and distribution

Banking and financial services

Public transport

Fixed and mobile telecommunications

Oil refineries and distribution depots

pipelines

Airlines and air traffic control

Public domain information

Some of these Exchanges are not secure facilities

Special responsibilities

CRITICAL INFRASTRUCTURES

  • Ensure computing is highly secure
  • Monitor and deal with vulnerabilities continually
  • Maintain effective boundaries with the Internet
  • Employ qualified and trained I.T. security personnel
  • Manage interdependencies with other critical infrastructures
  • Share information with other critical infrastructures
  • Have ready disaster recovery and crisis management plans
  • Seek, obtain and maintain security certification
Special responsibilities

NATIONAL GOVERNMENT AND LEGISLATION

  • Implement national security programs
  • Promote standards and best practices
  • Ensure clear definition of accountability and oversight
  • Conduct security audits of government agencies
  • Provide adequate funding for information security
  • Recruit, train and retain qualified I.T. security personnel
  • Conduct awareness programs for government employees
  • Make arrangements for reporting security incidents
  • Have warning, analysis, incident response and recovery procedures

Special responsibilities

INTERNATIONAL ORGANIZATIONS

  • Encourage international standards for information security
  • Develop mechanisms for international cooperation
  • Develop appropriate governance of cyberspace
  • Create effective mechanisms for sharing information

Special responsibilities

VENDORS AND SERVICE PROVIDERS

  • Balance “time to market” against product vulnerabilities
  • Protect the interests of customers by providing alerts, patches, fixes and upgrades, perform more functions for them
  • Liaise with User Groups and others to reduce vulnerabilities
  • Develop fair terms and conditions of software licences that do not absolve vendors from responsibility and liability
  • Collaborate in the pursuit of cyber-attackers by providing access to records, logs and data

Special responsibilities

LARGE ENTERPRISES AND ORGANIZATIONS

  • Establish clear responsibility for information security and appropriate reporting lines
  • The CEO, the Board and the Auditors should know about standards, best practices and self-evaluation
  • Establish enterprise-wide security policies including what should be disclosed to the Board, stakeholders, auditors, etc
  • Implement employee awareness programs
  • Manage insider threats (and balance risk vs. employee privacy)
  • Have appropriate risk management and insurance cover
  • Have working arrangements to report security incidents

Special responsibilities

HIGHER EDUCATION

Take steps to prevent attacks originating within Institutions

Protect critical information from external and internal attack

Organize for security as a shared concern with other Institutions worldwide

Special responsibilities

SMALL BUSINESSES AND INDIVIDUALS

Be aware of cyber-security issues and of how to deal with vulnerabilities and incidents

Awareness of the security issues of new technologies such as ADSL, wireless connectivity, etc

Require vendors to disclose risks

Need for Internet Service Providers to perform more cyber-security functions for home users?

The Players – by nature

Malicious insiders

Script kiddies

Hackers, crackers, phreakers

Hacktivists

Spies (industrial and other)

Organised crime

Cyber-terrorists

BAD GUYS

GOOD GUYS

Responsible end-users

Security administrators

Security managers

Internal auditors

Security coordinators

Providers of security alerts

Ethical hackers

and many more

VERY SPECIAL GUYS

Vendors

Security auditors

Security consultants

Legislators


Malicious insiders

Script kiddies

Hackers, crackers, phreakers

Hacktivists

Spies (industrial and other)

Organised crime

Cyber-terrorists

The Bad Guys

Access

Knowledge

Motivation

ACCESS mechanisms

Authorized insiders

Rights of former personnel (should have been removed)

OFFICIAL

Disclosure by insiders

Abuse of insider knowledge

Abuse of presence as visitor

Theft of ID and password

Newly discovered vulnerabilities

Hacker club disclosures

Forced entry (password breaker)

UNOFFICIAL

Knowledge sources

Privileged insider knowledge

Obtained by following public discussions on product vulnerabilities

Buying commercially available hacking tools

Shared through hacker groups and conferences

Virus, worm and other malicious code design

What motivates the Bad Guys (1)

nuisances

Script Kiddies

Hacktivists

Cyber-hooligans

Emulate the “big boys”

ego-trip

Deny service (sit-in)

Make themselves heard

Cause embarrassment

Malice

Gain publicity

Individual copyright violators

Ethical Hackers

Show how smart they are

Identify vulnerabilities = fun

Defy authority

Safely break the law

Minor financial gain

Many become security consultants

What motivates the Bad Guys (2)

Industrial+ spies

Business copyright violators

Virus and worm designers

Non-ethical Hackers (crackers)

almost always

MONEY

“Just because it’s there”

Test new ways to spread malicious code

Cause loss or corruption of data

Steal IDs and passwords

Impersonation and spoofing

Steal credit card and similar data

Sabotage, etc

Low risk of detection and punishment

What motivates the Bad Guys (3)

Strong personal animosity towards a person

Grudge against employer

Criminal intent: fraud, extortion, theft, corruption of data, sabotage, etc

Low risk of detection and punishment

Malicious insider

New areas of opportunity - globally

Ease of hiding in cyberspace

Ease of establishing global networks

Lack of legislation and jurisdiction

Interpol, Europol, FBI, Chambers of Commerce and many others organizing to fight it

Organized crime

What motivates the Bad Guys (4)

Cyber-terrorists

Driven by ideology

Richness of opportunity

Availability and low cost of resources needed

Impact of successful attacks

Visibility

Ease of establishing global networks

Ability to hide in cyberspace

Lack of legislation and jurisdiction

Hiding in cyber-space (1)

XWR2T P5%WZ $E#GT

LLVWLSHVBNRMVDFRMTHTXT

Dorothy Denning and William Baugh

Information, Communication and Society, 1999

Voice, fax and data communications

E-mail

Stored data

In public postings

Encryption

Digital compression

Steganography

Message bits are mixed with the bits defining the image

Hiding in cyber-space (2)

Anonymity

Use of passwords

Hiding information in remote servers

Disabling audit logs in servers

Anonymous remailers

Anonymous digital cash

Computer penetration and looping

Cellphone cloning

Cellphone pre-paid cards

Nobody knows who you are

Nobody knows where you are

Offences – forms of attack

CATEGORIES

Network-related

Data-related

Interference

Sabotage

Anonymity

Interception

Modification

Theft

Access-related

Computer-related

Hacking

Malicious code distribution

Aiding and abetting cyber-criminals

Fraud, embezzlement

Forgery

Network-related offences

Physical disconnection or damage

Corruption of Domain Name Servers

Attack on an Internet Exchange Point (IXP)

Attack of a critical infrastructure

Interference

Sabotage

Denial of service

Control of a server or network devices

Using a trusted network to access another network

“Sniffing” traffic

Hoaxes

Anonymity

Stolen and cloned cellphones

Hijacking the ID and password of a legitimate network user

Data-related offences

Interception

Voice and fax

e-mail

Data transfers (fixed and mobile)

Defacement of a website

e-mail spoofing and impersonation

Database and document contents

Commercial transactions

10010101001

Modification

Intellectual property

Personal data

User IDs and passwords

Non-public domain information

Theft

Access-related offences

Hacking

Unauthorized access to networks and computer systems

Use of electronic services without payment

Deleting and/or destroying data

Disclosure of security weaknesses found and how to overcome them

Invasion of privacy

To launch a distributed denial of service attack

To slow down/close down a network (worm)

To corrupt servers and data (virus and/or worm)

To gain control of a server or device (trojan horse, back door)

To extort payment (logical bomb)

Distribution of malicious code

Computer-related offences

Aiding and abetting cyber-crime

Providing (knowingly or not) technical, financial and legal facilities for conducting and/or hiding cyber-crime

Falsification of financial transactions

Misuse of credit card and personal data

Unlicensed financial services, gambling

Fraud

Messaging and documents

Digital I.D.

Copyrighted data (software, music, e-book)

Forgery

Impact of various offences

Most pervasive

Most expensive

Insider fraud, sabotage

Theft of proprietary information

Virus, worm, trojan horse

Most publicised

Most frequent

Attacks on e-business

- theft of credit card data

- Denial of Service

Developers’ mistakes

Network misconfiguration

Poor system administration