Information Systems 365/765 Lecture 2 Commercial and Government Cyberwarfare
Page 1: Commercial and government cyberwarfare

Information Systems 365/765 Lecture 2

Commercial and Government Cyberwarfare

Page 2: Commercial and government cyberwarfare

Today – Cyber-warfare

• Discuss “How to Sell Information Security” article

• Introduction to Cyberwar

• Discuss technical vs. administrative controls

• Watch Frontline video

• Discuss written assignment

#1

Page 3: Commercial and government cyberwarfare

Prospect Theory

• People react differently to risk and guaranteed outcomes based on whether those outcomes are positive or negative. This is known as the Prospect Theory S-Curve.

Page 4: Commercial and government cyberwarfare

Prospect Theory

• If someone offers you a guaranteed $500 or a 50% chance at winning $1000, studies show that people tend to pick the guaranteed $500

Page 5: Commercial and government cyberwarfare

Prospect Theory

• If someone told you that you had to surrender $500 or take a 50% chance of surrendering $1000, most people would tend to take the risk of losing $1000 rather than the fixed $500 loss

Page 6: Commercial and government cyberwarfare

Prospect Theory

• When it comes to gain, people are risk averse

• When it comes to loss, people embrace risk

• What does this mean for IT security, which is almost always sold based on potential to avoid loss?

Page 7: Commercial and government cyberwarfare

How to Sell Information Security

Prospect Theory in relation to information systems security, the battle of cost, risk and features.

The constant battle of proving ROI

The challenges of layering security on after the sale: cost, complexity of administration and true usefulness.

Page 8: Commercial and government cyberwarfare

How to Sell Information Security (DISCUSSION)

• What has your personal experience been with security add-on products?

• How do you feel about paying for virus scanning, when you already paid for the Operating System?

• If you were selling a system which required a security add-on component, what approach would you take?

• As an IS security decision maker, what approach would you take with your vendors?

Page 9: Commercial and government cyberwarfare

Security Technologies are Exciting, But…

In this class you will get hands-on experience with powerful military grade encryption technology, you will use automated Rainbow Tables to crack top level Administrator Passwords and you will learn how to sniff network traffic!

But, we have to start at the beginning, by gaining an understanding of the threats.

Page 10: Commercial and government cyberwarfare

Cyberwar

• Cyber-warfare (also known as cybernetic war, or cyberwar) is the use of computers and the Internet in conducting warfare in cyberspace.

Page 11: Commercial and government cyberwarfare

Types of Attacks

Cyber Espionage

The act or practice of obtaining secrets (sensitive, proprietary or classified information) from individuals, competitors, rivals, groups, governments and enemies for military, political, or economic advantage using illegal exploitation methods via the internet, networks, software and/or computers.

Page 12: Commercial and government cyberwarfare

Web Vandalism – The Weapon of Mass Irritation

• Attacks that deface web pages, or denial-of-service attacks. This is normally swiftly contained and of little harm.

• Distributed Denial-of-Service Attacks: Large numbers of computers in one country launch a DoS attack against systems in another country.

Page 13: Commercial and government cyberwarfare

Gathering Sensitive or Proprietary Information

• Classified information that is not handled securely can be intercepted and even modified, making espionage possible from the other side of the world. See Titan Rain and Moonlight Maze.

• Encryption!

Page 14: Commercial and government cyberwarfare

Equipment Disruption

• Military and commercial activities that use computers and satellites for co-ordination are at risk from this type of attack. Orders and communications can be intercepted or replaced, putting soldiers at risk

Page 15: Commercial and government cyberwarfare

Attacking Critical Infrastructure

• Power, water, fuel, communications, commercial and transportation are all vulnerable to a cyber attack

Page 16: Commercial and government cyberwarfare

Information Security Controls

• Two types of controls in all information systems

• Technical controls

• Administrative controls

• Most good systems contain a combination of both types of controls

Page 17: Commercial and government cyberwarfare

Technical Controls

• A direct, continuous and unavoidable control on the use and distribution of data which allows, also for the purposes of possible audits, the following:

• The direct identification of each user in auditable form

• Keeping track, with auditable evidence, of the accesses which have occurred in the relevant period

• The prevention and exclusion of any utilization of data and systems by subjects who are not authorized

Page 18: Commercial and government cyberwarfare

Technical Controls - Examples

• Can you think of any technical controls?

• Username/Password

• Building access card

• ATM card, with PIN (dual factor)

Page 19: Commercial and government cyberwarfare

Benefits of Technical Controls

• Strong and consistent, treat everyone equally

• Can be audited with real assurance of the truthfulness of the data

Page 20: Commercial and government cyberwarfare

Drawbacks of Technical Controls

• Costly

• Complex and time consuming

• When they break, they either fail open or fail closed, neither of which may be desirable
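An added example, not part of the original slides: a minimal technical control in Python that shows the three properties listed on the Technical Controls slide (an identified user, an auditable record of each access, denial of unauthorized use) and what fail open versus fail closed means when the control breaks. The user names, resources, `POLICY` table and all function names are constructed for illustration.

```python
import hashlib
import json
# Constructed sample policy: user -> resources that user may access.
POLICY = {"alice": {"payroll.db"}, "bob": {"wiki"}}

class PolicyUnavailable(Exception): pass  # the control itself has broken

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""
    def __init__(self):
        self.entries = []
    def record(self, user, resource, decision, reason):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "user": user, "resource": resource,
                "decision": decision, "reason": reason, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})
    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

def check_access(user, resource, log, lookup, fail_open=False):
    """Decide, then always write an audit entry that names the user."""
    try:
        allowed, reason = resource in lookup(user), "policy"
    except PolicyUnavailable:
        allowed, reason = fail_open, "fail-open" if fail_open else "fail-closed"
    log.record(user, resource, "allow" if allowed else "deny", reason)
    return allowed

def lookup_ok(user):
    return POLICY.get(user, set())
def lookup_down(user):
    raise PolicyUnavailable("policy store unreachable")

def demo():
    log = AuditLog()
    results = [check_access("alice", "payroll.db", log, lookup_ok),
               check_access("bob", "payroll.db", log, lookup_ok),
               check_access("alice", "payroll.db", log, lookup_down),
               check_access("bob", "payroll.db", log, lookup_down, fail_open=True)]
    intact = log.verify()
    log.entries[1]["decision"] = "allow"  # simulate tampering with a record
    return results, intact, log.verify()
```

With the policy store down, fail closed locks out the authorized user and fail open admits the unauthorized one, which is the trade-off the slide describes; the hash chain is what lets an auditor notice the edited record.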

Page 21: Commercial and government cyberwarfare

Administrative Controls

• Using policies, procedures, safety signs, training or supervision, or a combination of these, to control risk.

Page 22: Commercial and government cyberwarfare

Administrative Controls Examples

• Can you think of any examples of administrative controls?

• Signing out a key

• Policy requiring the shredding of documents

• Filling out a check in sheet when you enter and leave a secure area

Page 23: Commercial and government cyberwarfare

Benefits of Administrative Controls

• Usually inexpensive

• Easy to implement

• Very flexible

Page 24: Commercial and government cyberwarfare

Drawbacks of Administrative Controls

• Difficult to enforce

• Difficult to audit

• Impossible to verify

• Easy to evade by a dedicated individual

Page 25: Commercial and government cyberwarfare

Controls - Summary and Conclusions

• Both technical controls and administrative controls have benefits and drawbacks

• Technical controls are often used in highly sensitive systems

• Administrative controls are used in lower priority situations

• Hybrid solutions are the most common, placing technical controls at the front door and administrative controls behind them. Example: Server Platform

Page 26: Commercial and government cyberwarfare

Cyberwar Video

• When watching this video, think about the following:

• How real is the threat of Cyberwar?

• How does the application of Prospect Theory relate to the threat of Cyberwar?

• What types of technical and administrative controls might help mitigate the risks posed by cyber attack?

Page 27: Commercial and government cyberwarfare

Readings on Cybersecurity

• Might give you some things to think about when writing Assignment #1

• Cyberwar – Myth or Reality

• Make Vendors Liable for Bugs

• The Truth About Chinese Hackers