Cyber Security and Cyber Crime – Different sides of the same coin? The Integritas System to enforce Integrity in Academic Environments. Prof Basie von Solms, Mr Jaco du Toit. Prof Basie von Solms, Director: Center for Cyber Security, Academy for Computer Science and Software Engineering, University of Johannesburg, basievs@uj.ac.za
What is Cyber Security? ‘Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized’ http://whatis.techtarget.com/definition/cybersecurity ‘A major part of Cyber Security is to fix broken software’
What is Cyber Crime? ‘Cyber crime encompasses any criminal act dealing with computers and networks (called hacking). Additionally, cyber crime also includes traditional crimes conducted through the Internet.’ http://www.webopedia.com/TERM/C/cyber_crime.html ‘A major attack vector of Cyber Crime is to exploit broken software’
‘A major part of Cyber Security is to fix broken software’ ‘A major attack vector of Cyber Crime is to exploit broken software’ Common factor: broken software
Let us investigate two aspects related to creating software:
• Creating (and selling) broken software
• Creating (and selling) massive, untestable big software systems
‘Software security vulnerabilities are caused by defective specification, design, and implementation. Unfortunately, common development practices leave software with many vulnerabilities. To have a secure US cyber infrastructure, the supporting software must contain few, if any, vulnerabilities.’ http://www.cigital.com/papers/download/secure_software_process.pdf ‘Public companies face material cyber security risks from weaknesses in the software applications they use to run their businesses.’ http://www.veracode.com/images/pdf/software-related-cybersecurity-risks-public-companies.pdf?mkt_tok=3RkMMJWWfF9wsRonuqTLZKXonjHpfsX87u0uUK6g38431UFwdcjKPmjr1YIASMd0dvycMRAVFZl5nRpdCOGWc4RF
‘More and more hackers are targeting the same application vulnerabilities on Macs and Windows PCs as a way to reap the financial benefits of writing cross-platform malware. The trend involves exploiting vulnerabilities that go as far back as 2009 in Office documents. Other cross-platform, third-party technologies favored by hackers include Java, Adobe PDF and Adobe Flash … Microsoft security researcher Ferrer said.’ http://www.csoonline.com/article/712640/hackers-increasingly-aim-for-cross-platform-vulnerabilities
‘Although targeted vulnerabilities may have already been patched by vendors, hackers bank on user negligence when it comes to installing software updates. As an example, people are notoriously slow in installing Java patches to Windows PCs and Macs. As much as 60 percent of Java installations are never updated.’ ‘All these un-updated applications on the desktop, whatever they may be, are low-hanging fruit. These are the easiest things to attack.’ http://www.csoonline.com/article/712640/hackers-increasingly-aim-for-cross-platform-vulnerabilities
Let’s investigate a few examples:
• If a new application system is rolled out and customers suffer losses, in whatever form, because the system was not properly tested and inherent vulnerabilities were exploited by cyber criminals, have the developers and company officials committed cybercrime?
• Is the process of rolling out systems software, like operating systems, browser software etc., in which vulnerabilities appear that are exploited to the detriment of some user, an act of cybercrime?
• Therefore, can the whole process of rolling out patches to existing software, i.e. repairing what was originally done wrong or badly, be seen as an act of cybercrime?
• All 3 cases above resulted from bad software design (engineering).
• In all 3 cases Cyber Security must come to the rescue!
‘I believe that cyber security policy must focus instead on solving the software security problem – fixing the broken stuff from the beginning (or not creating broken stuff) instead of simply watching the broken stuff and reporting when it is attacked. We must refocus our energy on fixing the glass house we find ourselves in. We must begin to solve the software security problem’ ‘Frankly the target-rich environment filled with broken software makes it far too easy and tempting to misbehave criminally. In the end, someone must pay for broken software and someone must be rewarded for good software’ http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems
VS Conclusion 1: Creating (and selling) broken software is a cyber crime!
• Creating (and selling) broken software is a cyber crime
• Creating (and selling) massive, untestable big software systems is a cyber crime
Let’s investigate: how is cyber crime advanced by the complexity of software systems consisting of millions of lines of code, too big to test comprehensively?
‘It is tempting to believe that the only solution is to redouble our efforts to control complexity. True enough, we should continue to construct better engineering solutions to each problem: reduce complexity, create more perfect firewalls, and better structure the interactions between all computers under our control. But we must also understand that such measures are at best stopgaps. As Tahar Elgamal points out, “The hard truth of network security is that while many approaches are good, no individual effort makes the network completely safe. Implement enough fixes, and you only succeed at making your network more complex and, hence, more ungovernable, with solutions that wind up acting at cross-purposes.” The same can be said for each of the other specialized tasks in managing complex computing systems. To successfully improve the security of our computing systems, we will need to modify our systems at an architectural level.’ http://www.evolutionofcomputing.org/Multicellular/OutOfControlComplexity.html
‘Cybercriminals use the Web to serve malicious content capable of compromising users' computers and running arbitrary code on them. This has been made possible largely by the increased complexity of Web browsers and the resulting vulnerabilities that come with complex software.’ http://queue.acm.org/detail.cfm?id=1517412
Analogy: ‘The Strategic Defense Initiative (SDI), commonly called Star Wars after the popular science fiction series, was a system proposed by U.S. President Ronald Reagan on March 23, 1983 to use space-based systems to protect the United States from attack by strategic nuclear missiles. It was never implemented and research in the field tailed off after the end of the Cold War.’
Analogy: Prof David Parnas, one of the pioneers in the development of Computer Science and Software Engineering, was at that time a consultant to the Office of Naval Research in Washington, and was one of nine scientists asked by the Strategic Defense Initiative Office to serve on the “panel on computing in support of battle management”.
Analogy: Parnas resigned from this advisory panel on antimissile defense, asserting that it would never be possible to program a vast complex of battle management computers reliably or to assume they would work when confronted with a salvo of nuclear missiles.
Analogy: In his letter of resignation he said that it would never be possible to test realistically the large array of computers that would link and control a system of sensors, antimissile weapons, guidance and aiming devices, and battle management stations. Nor, he protested, would it be possible to follow orthodox computer program-writing practices in which errors and bugs are detected and eliminated in prolonged everyday use.
Analogy: “I believe,” Professor Parnas said, “that it is our duty, as scientists and engineers, to reply that we have no technological magic that will accomplish that. The President and the public should know that.”
Analogy: In 1984 (a year later) the ACM Council passed and published an important resolution. It begins: ‘Contrary to the myth that computer systems are infallible, in fact computer systems can and do fail. Consequently, the reliability of computer-based systems cannot be taken for granted. This reality applies to all computer-based systems, but it is especially critical for systems whose failure would result in extreme risk to the public. Increasingly, human lives depend upon the reliable operation of systems such as air traffic and high-speed ground transportation control systems, military weapons delivery and defense systems, and health care delivery and diagnostic systems.’
VS Conclusion 2: Creating (and selling) massive, untestable big software systems is a cyber crime
VS Conclusion 3:
• Cyber Security will be massively improved if there is less broken software
• Cyber Crime will be massively reduced if there is less broken software
VS Graph – two sides of the same coin (figure: Cyber Security against Cyber Crime). Decrease in broken software = Increase in good software
The Coin: Broken/Complex Software. Cyber Security: one side of the coin. Cyber Crime: the other side of the coin.
‘I believe that Government can and should play a role in building more secure systems. The US Government should develop incentives for vendors to build security in (to software) and break the endless loop. Perhaps the government should even grant tax credits for creating better more secure software.’ http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems
We must penalize broken software and reward good software. That will decrease Cyber Crime and increase Cyber Security!
Thanks. basievs@uj.ac.za adam.uj.ac.za/csi