Who is out there? Securing your system from future security threats
Presented by: Dr. Craig S Wright GSE LLM, Exec VP Strategy
Jan 15, 2015
Craig S Wright, School of Computing and Mathematics
Charles Sturt University, NSW 2678
Who is out there?
Securing your system from future security threats
Melbourne
Outline
• We look at the economics associated with botnets.
• This research can be used to calculate territorial sizes for online criminal networks.
• We look at the decision to be territorial or not from the perspective of the criminal bot-herder.
• This is extended to an analysis of territorial size.
• The criminal running a botnet seeks to maximize profit.
SCADA Vulnerabilities
• As we know…
• Supervisory Control And Data Acquisition (SCADA) systems are the computers that monitor and regulate the operations of most critical infrastructure industries.
Background
• Criminals defend territories in cyberspace.
• Several different territorial strategies exist for criminal groups running botnets. Each of these strategies has different benefits and costs associated with it, and several of them are independent of the others.
  – Some involve high-value targets (including the exfiltration of data),
  – whereas others involve the use of large numbers of systems to amplify low-value transactions (including SPAM transmission and DDoS attacks).
A cost-benefit analysis of criminal territory in cyber compromises
The costs of acquiring resources
The first cost aspect of creating a criminal territory results from the initial acquisition cost:
• Research,
• Reconnaissance,
• Scanning,
• Exploitation,
• Maintaining access, and
• Covering tracks.
The costs of defending resources
Once a system has been acquired it needs to be defended and exploited by the cyber-criminal.
• Any system that is not adequately defended by the attacker will eventually become a lost resource.
• The behavior of cyber-criminals may be influenced by the need to maintain access to compromised systems, scan for new systems, defend territories, defend C&C servers, and so on.
A model of territorial cybercrime
The necessity of defending a territory requires time and resources.
• The economic viability of each of these platforms varies from large collections of low-value hosts through to targeted high-value platforms.
• The advantages of a particular model will vary based on the ability of the attacker to maintain that system once it has been acquired.
Superterritories
The notion of superterritories (Verner, 1977) can be used in modelling criminal behaviour in the creation of large-scale botnets.
The overall size of criminal territory results from a compromise between the following factors:
– Acquisition needs,
– Resource maintenance needs,
– Defence costs,
– Predation pressure.
Each of these factors comes with an economic cost.
Criminal territories can be modeled as different ecosystems.
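The trade-off between these four factors can be made concrete with a small profit model. The following is an added example, not Wright's or Verner's model and not code from the presentation: the functional forms (linear revenue and upkeep per host, defence cost growing with the square of territory size, lost hosts re-acquired at a rate set by "predation" from defenders and rivals) and all figures are constructed assumptions, chosen only to show how an optimal territory size emerges and how predation pressure shrinks it or makes the territory unviable.

```python
"""Toy territorial-size model for a profit-maximising bot-herder.

Added illustration; functional forms and figures are assumptions, not measured data.
A territory of n hosts earns value per host per period, costs money to acquire,
maintain and defend, and loses a fraction of hosts each period to 'predation'
(defender clean-up, rival takeover) that must be re-acquired to keep the size.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Strategy:
    name: str
    value_per_host: float   # revenue one held host produces per period
    acquire_cost: float     # research/recon/scan/exploit cost to take one host
    maintain_cost: float    # per-host cost of keeping access, per period
    defence_base: float     # fixed per-period cost of C&C and territory defence
    defence_growth: float   # defence cost term that scales with n**2 (assumption)
    predation_rate: float   # fraction of hosts lost per period (assumption)


def profit(s: Strategy, n: int, periods: int = 10) -> float:
    """Profit from holding n hosts for `periods`, replacing hosts lost to predation."""
    if n <= 0:
        return 0.0
    revenue = s.value_per_host * n * periods
    acquisition = s.acquire_cost * n                                  # initial compromise
    replacement = s.acquire_cost * n * s.predation_rate * periods     # re-acquiring lost hosts
    maintenance = s.maintain_cost * n * periods
    defence = (s.defence_base + s.defence_growth * n * n) * periods   # grows faster than revenue
    return revenue - acquisition - replacement - maintenance - defence


def optimal_size(s: Strategy, max_n: int = 100_000, periods: int = 10) -> tuple[int, float]:
    """Territory size that maximises profit (exhaustive search); (0, 0.0) if never profitable."""
    best_n, best_p = 0, 0.0
    for n in range(1, max_n + 1):
        p = profit(s, n, periods)
        if p > best_p:
            best_n, best_p = n, p
    return best_n, best_p


def predation_sweep(s: Strategy, rates) -> dict[float, int]:
    """Optimal territory size for each predation rate, holding everything else fixed."""
    return {r: optimal_size(replace(s, predation_rate=r))[0] for r in rates}


# Constructed strategies mirroring the two kinds named in the talk (sample figures only).
SPAM_AMPLIFICATION = Strategy("many low-value hosts", value_per_host=1.0, acquire_cost=2.0,
                              maintain_cost=0.1, defence_base=50.0, defence_growth=0.00015,
                              predation_rate=0.2)
TARGETED_EXFIL = Strategy("few high-value hosts", value_per_host=500.0, acquire_cost=1500.0,
                          maintain_cost=50.0, defence_base=50.0, defence_growth=15.0,
                          predation_rate=0.1)

if __name__ == "__main__":
    for s in (SPAM_AMPLIFICATION, TARGETED_EXFIL):
        n, p = optimal_size(s)
        print(f"{s.name}: optimal territory {n} hosts, profit {p:.0f}")
    print("spam territory size vs predation rate:",
          predation_sweep(SPAM_AMPLIFICATION, (0.1, 0.2, 0.3)))
```

With these figures the low-value strategy settles at about a thousand hosts and the high-value one at a handful; raising the predation rate on the low-value strategy from 0.2 to 0.3 drives the optimum to zero, which is the defender-side reading of "predation pressure": faster clean-up of compromised hosts removes the economic case for holding the territory at all.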
Assessing cyber security risks through conducting vulnerability analysis
• Information security is a risk function.
• Knowing the risk means coming to understand both the threat agents and the systems we are defending.
Economic issues that arise from risk
• Economic issues arise due to an inability to assign risk correctly.
• Externalities restrict the development of secure software
• The failure of the end user to apply controls makes it less probable that a software vendor will enforce stricter programming controls
What is the real cost of ignoring the cyber risks?
• Cyber-criminals are rational.
• They go where the profit is greatest.
• If you ignore the risk, others will not.
Developing and implementing mitigation strategies to strengthen highest data security
• Security never goes away.
• More and more, we are going online.
• Each day, more information will be transmitted.
• More critical data will be stored in the “cloud”.
Rational Choice Theory
• Rationally opting for the insecure alternative:
• Negative externalities and the selection of security controls
• Relative computer security can be measured using six factors:
1. What is the importance of the information or resource being protected?
2. What is the potential impact, if the security is breached?
3. Who is the attacker likely to be?
4. What are the skills and resources available to an attacker?
5. What constraints are imposed by legitimate usage?
6. What resources are available to implement security?
No Absolutes
• Security is a risk function.
• It is a game of cat and mouse.
• There is not, and cannot be, perfect security.
Continual monitoring and updating hardware resources to safeguard your system
• Your systems are far from the only source of data
  – Think accountants
  – Think lawyers
  – Think partners
What are your Assets worth?
• If you are to engage in any risk exercise, you need to start thinking about what your assets are
• This includes data, business process and more
Economics rules in security
• This generates a measure of relative system security in place of the unachievable absolute security paradigm that necessarily results in a misallocation of resources.
Three areas to be concerned with
• The three concerns that make us vulnerable are:
  – Human
  – Design
  – Software
• Only when we address each of these will we make headway
It is about good practice
• I will never know all the consequences of what I do or don’t do.
• Maybe you will be lucky, but the chances are increasing that you will be compromised
Zero risk is not practical
• Risk cannot be completely removed
• You have to accept some risk
Don't spend a $million to protect a cent
• Always consider the value of the assets that you are defending
• Look at the number of attacks (you are measuring this, aren’t you?)
• Know your threats
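The "don't spend a million to protect a cent" rule becomes a checkable calculation once asset value, incident rate and control cost are on the same footing. The following is an added example, not code from the presentation: it uses the standard annualised loss expectancy (single loss expectancy times annual rate of occurrence) and accepts a control only when the loss it prevents exceeds what it costs. The asset values, exposure factors, incident rates and control costs are constructed sample figures; the incident rate is exactly the number the slide asks whether you are measuring.

```python
"""Asset-value-driven control selection (ALE / return on security investment).

Added illustration with constructed figures. ALE = value * exposure factor * incidents
per year; a control is worth buying only if the ALE it removes exceeds its annual cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float               # business cost of a total loss of the asset
    exposure_factor: float     # fraction of value lost in a typical incident (0..1)
    incidents_per_year: float  # observed attack rate: measure it, do not guess it


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    incident_reduction: float  # fraction of incidents the control prevents (0..1)


def single_loss_expectancy(asset: Asset) -> float:
    return asset.value * asset.exposure_factor


def annual_loss_expectancy(asset: Asset, incident_reduction: float = 0.0) -> float:
    """Expected yearly loss, optionally after a control that removes a share of incidents."""
    return single_loss_expectancy(asset) * asset.incidents_per_year * (1.0 - incident_reduction)


def rosi(asset: Asset, control: Control) -> float:
    """Return on security investment per year: loss avoided minus control cost."""
    avoided = annual_loss_expectancy(asset) - annual_loss_expectancy(asset, control.incident_reduction)
    return avoided - control.annual_cost


def choose_controls(asset: Asset, candidates) -> list[tuple[Control, float]]:
    """Controls that pay for themselves on this asset (positive ROSI), best first."""
    scored = [(c, rosi(asset, c)) for c in candidates]
    return sorted([(c, r) for c, r in scored if r > 0], key=lambda cr: -cr[1])


# Constructed sample assets and candidate controls (illustrative figures only).
CUSTOMER_DB = Asset("customer database", value=2_000_000, exposure_factor=0.25, incidents_per_year=0.5)
BROCHURE_SITE = Asset("public brochure site", value=5_000, exposure_factor=1.0, incidents_per_year=4.0)

DB_CANDIDATES = (Control("encryption at rest", annual_cost=40_000, incident_reduction=0.6),
                 Control("MFA for admin access", annual_cost=15_000, incident_reduction=0.4))
SITE_CANDIDATES = (Control("managed WAF", annual_cost=30_000, incident_reduction=0.9),
                   Control("patch cadence", annual_cost=2_000, incident_reduction=0.5))

if __name__ == "__main__":
    for asset, candidates in ((CUSTOMER_DB, DB_CANDIDATES), (BROCHURE_SITE, SITE_CANDIDATES)):
        print(f"{asset.name}: ALE {annual_loss_expectancy(asset):,.0f}/yr")
        for control, value in choose_controls(asset, candidates):
            print(f"  buy {control.name}: ROSI {value:,.0f}/yr")
        rejected = [c.name for c in candidates if rosi(asset, c) <= 0]
        print(f"  not worth it here: {rejected}")
```

On these figures the managed WAF is rejected for the brochure site even though it is the most effective control on offer: it would prevent eighteen thousand in expected loss at a cost of thirty thousand, which is the cent-and-a-million case in miniature. The same control could well pass on the database; the decision belongs to the asset, not the product.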
Outliers can be predicted
• Some systems are well configured and patched.
• Others are terrible.
• It all depends on what is audited.
Better managed systems survive
• The plot on this slide shows survival time for automated processes (green) overlaid with that for manual processes (red).
• Before we invest our valuable resources into protecting the information assets it is vital to address concerns such as the importance of information or the resource being protected, the potential impact if the security is breached, the skills and resources of the attacker and the controls available to implement the security.
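The survival plot itself is not reproduced in these notes, so the following added example shows how such a comparison is computed. It is not the presentation's data or code: it implements the Kaplan-Meier estimator over two constructed sets of observations, one for systems under automated patching and one for manually managed systems, where each system is followed until it is compromised (an event) or the observation window ends without compromise (censored). The estimator handles censoring correctly, which a naive "mean days to compromise" over only the compromised systems does not.

```python
"""Kaplan-Meier survival curves for compromise time under two management regimes.

Added illustration with constructed observations. Each observation is (days, event):
event=True means the system was compromised on that day, event=False means it was
still clean when observation stopped (censored) and is only known to have survived
that long.
"""


def kaplan_meier(observations):
    """Return the survival step function as [(t, S(t))] at each event time."""
    obs = sorted(observations)            # (t, False) sorts before (t, True) at ties
    at_risk = len(obs)
    survival = 1.0
    curve = []
    i = 0
    while i < len(obs):
        t = obs[i][0]
        events = tied = 0
        while i < len(obs) and obs[i][0] == t:   # gather every observation tied at t
            tied += 1
            events += int(obs[i][1])
            i += 1
        if events:                               # censored-only times leave S unchanged
            survival *= 1.0 - events / at_risk
            curve.append((t, survival))
        at_risk -= tied                          # censored and compromised both leave the risk set
    return curve


def survival_at(curve, t):
    """Probability of still being uncompromised at day t (step function lookup)."""
    s = 1.0
    for day, value in curve:
        if day <= t:
            s = value
        else:
            break
    return s


def median_survival(curve):
    """First day on which the survival estimate drops to 0.5 or below, or None if it never does."""
    for day, value in curve:
        if value <= 0.5:
            return day
    return None


# Constructed observations (days until compromise, or days observed without compromise).
AUTOMATED = [(30, True), (45, False), (60, True), (90, False),
             (90, False), (120, True), (180, False), (180, False)]
MANUAL = [(5, True), (12, True), (20, True), (20, False),
          (35, True), (50, True), (75, False), (90, True)]

if __name__ == "__main__":
    for label, data in (("automated (green)", AUTOMATED), ("manual (red)", MANUAL)):
        curve = kaplan_meier(data)
        print(f"{label}: median survival {median_survival(curve)} days, "
              f"S(100) = {survival_at(curve, 100):.3f}")
        for day, value in curve:
            print(f"  day {day:>3}: S = {value:.3f}")
```

The two curves answer the slide's question directly: at day 100 roughly three quarters of the automated fleet is still clean while the whole manual sample has been compromised by day 90, and the medians differ by a factor of several. In practice the observation window is the audit period, which is why "it all depends on what is audited": unaudited systems are never observed at all and so never appear in either curve.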
Conclusion
The overall size of criminal territory results from a compromise between the following factors:
• Acquisition needs,
• Resource maintenance needs,
• Defence costs,
• Predation pressure.
An afterthought
• Information Security cannot be an afterthought
• Only in building security into the system from the start can we maintain it effectively
Thank you