
CMPS 5363 Cybersecurity Principles & Management




  1. CMPS 5363 Cybersecurity Principles & Management Dr. Ranette Halverson MSU – Dept. of Computer Science

  2. Cybersecurity & Cyberwar: What Everyone Needs to Know, by P.W. Singer & Allan Friedman • Required book

  3. Introduction

  4. Why? • Ubiquity • 1971 – first email • 1991 – first web site • 2013 • 40 trillion emails per year • 30 trillion web pages • 8.7 billion devices on internet

  5. What? • 97% of Fortune 500 companies – hacked • 3% – just don’t know it yet • 100 governments planning • Scandals • WikiLeaks – Julian Assange • NSA – Edward Snowden • 2016 US Presidential election – Russia

  6. How? • Ignore – oblivious to threats • Cyberanxiety • Cybersecurity – fastest growing industry in world

  7. Who? • Leaders – older generation (digital immigrants) • Youth – games & use (digital natives) • College degrees – general • GAPS • Knowledge • Understanding • Skill • Policy • Threat • Technology developed too fast No substantive cybersecurity legislation passed in US between 2002 & 2012.

  8. Study? What we all need to know! • How does it work? • Why does it matter? • What can we do? • What will YOU do?

  9. What Matters? (p. 9) • Knowledge • People • Incentives • The Crowd • States • Cats

  10. Part 1: How it all works

  11. 1. What is Cyberspace? • Realm of computer networks in which information is stored, shared, & communicated online (the authors’ definition) • Global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the internet, telecommunications networks, computer systems, and embedded processors & controllers (DoD, 2008)

  12. Features & Components • Virtual: Digitized Data – created, stored, shared • Physical - computers, systems, infrastructure (intranets, cellular, cables, space-based communication) • People – users, society • Cognitive – perceptions, ownerships, names, expectations Constantly Changing

  13. Internet vs. Cyberspace • What is the difference? • Is there a difference? • What has changed? • DISCUSS!

  14. 2. Short history of the internet • ARPANET – 1969 – first link: UCLA to the Stanford Research Institute (SRI) • Packet switching vs. circuit switching • Need for reliable communication, sharing, use of idle computer time • Problem: incompatible technologies • 1973 – Protocol – Vint Cerf, Robert Kahn • Established “hand-shake” & expectations • Layers for communication • TCP – Transmission Control Protocol • IP – Internet Protocol

  15. And Next… • Networks of networks (made possible by the common protocol) • 1971 – Email – Ray Tomlinson • App to compose, read, send messages • Modems – allowed everyone entry • Data → sound waves over phone lines • NSFNET – connected supercomputers around the US • Backbone emerges – management architecture

  16. And finally… • 1980s – Commercialization • Government plan – very slow • 1989 – Senator Al Gore • legislation to speed up privatization • 1994 – NSF turned over control to private interests • 1990 – Tim Berners-Lee – CERN • HTTP protocol + URLs → WWW • Mosaic web browser – U. of Illinois

  17. 3. How does the internet work? • 2008 – Pakistan – YouTube situation: Pakistan Telecom announced YouTube’s address block to block the site at home; the announcement leaked to the rest of the internet and took YouTube offline worldwide for around two hours • IP address – numeric address for a device • Top-level domains – .country, .com, .edu • ICANN – Internet Corporation for Assigned Names & Numbers • Registrars: coordinate so that names under a top-level domain are unique • Domains manage their own subdomains, e.g. cs.mwsu.edu

  18. A few more details… • ISP – internet service provider • Autonomous Systems (AS) – ~40K AS nodes • AS → AS • Router – looks at the message, determines the next hop • Routing table – dynamic, shared information • Decentralized • Trust – routers believe what neighbouring networks announce
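Slides 17 and 18 together explain why the YouTube incident worked: a router forwards on the most specific matching prefix, and it trusts whatever its neighbours announce. The script below is an added example (not from the slides or the book) that reproduces that rule on a constructed routing table, then applies the check operators now use against it, RPKI route origin validation (RFC 6811). The prefixes and AS numbers are the real ones from the 2008 incident (YouTube AS36561 announcing 208.65.152.0/22, Pakistan Telecom AS17557 announcing 208.65.153.0/24); the default route, the upstream AS64512 and the ROA are constructed for the example.

```python
"""Longest-prefix-match forwarding and the 2008 YouTube hijack, in miniature."""
import ipaddress


def lookup(table, dst):
    """Return (prefix, next_hop_as) for the most specific route covering dst.

    Routers pick the longest matching prefix, not the route announced first
    or by the 'rightful' owner; that rule is what made the hijack work.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


# Constructed routing table: the legitimate /22 learned from YouTube's AS.
TABLE_BEFORE = [
    ("208.65.152.0/22", 36561),  # YouTube
    ("0.0.0.0/0", 64512),        # default route via a hypothetical upstream
]

# The same table after the more specific /24 leaks in from AS17557.
TABLE_AFTER = TABLE_BEFORE + [("208.65.153.0/24", 17557)]


def hijacked_hosts(table, hosts):
    """Hosts whose traffic the table now sends towards AS17557."""
    return [h for h in hosts if lookup(table, h)[1] == 17557]


# Constructed ROA: only AS36561 may originate 208.65.152.0/22, no longer than /22.
ROAS = [("208.65.152.0/22", 22, 36561)]


def roa_validate(prefix, origin_as, roas=ROAS):
    """'valid', 'invalid' or 'unknown', following the RFC 6811 origin-validation rules."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        if net.subnet_of(ipaddress.ip_network(roa_prefix)):
            covered = True
            if roa_as == origin_as and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "unknown"


def drop_invalid(table):
    """What a validating router installs: everything except 'invalid' routes."""
    return [r for r in table if roa_validate(r[0], r[1]) != "invalid"]


if __name__ == "__main__":
    host = "208.65.153.238"  # constructed address inside the hijacked /24
    print("before leak:", lookup(TABLE_BEFORE, host))
    print("after leak: ", lookup(TABLE_AFTER, host))
    print("with RPKI:  ", lookup(drop_invalid(TABLE_AFTER), host))
```

The /24 wins on the unfiltered table even though the /22 is still present; only the ROA check, which marks a /24 from AS17557 as `invalid`, keeps the original route in use. Real deployments also need the ROA to be signed and distributed, which this example does not model.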

  19. 4. Who runs it? Internet governance • 1998 – Jon Postel – “coup” • 8 emails – re-pointed 8 of the 12 DNS root servers (2/3 of them) to his own machine • The internet is the first thing humanity has built that humanity doesn’t understand, the largest experiment in anarchy that we have ever had. ~ Eric Schmidt (then CEO of Novell, later CEO of Google), in 1997 • Interoperability • Actors follow rules → Standards

  20. Who are these “people”? • Internet Engineering Task Force (IETF) • Develops & modifies internet standards • Working Groups – specialized open forums, consensus • “Security Considerations”- for every standard • IESG – oversight & guidance • Internet Architecture Board (IAB) – further oversight & guidance

  21. More people… Internet Society (ISOC) – 1992 • International organization • Open to individuals, organization ($ fee) • Offer a formal & legal means to safeguard independent & open standards processes • Elect Trustees to IAB

  22. More people… • Internet Assigned Numbers Authority (IANA) • US Govt. + researchers • Growth → relinquish control • 1998 – ICANN (Internet Corp. for Assigned Names & Numbers) • Now several regional authorities • Numerous conflicts over names • US Dept. of Commerce – held control (until the IANA stewardship transition completed in Oct. 2016)

  23. 5. Identity & Authentication • Identification • Act of mapping entity to information about the entity • Authentication • Proof of identification • Something you know, you have, or you are • Authorization • What you can do • Access All are hackable!
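The three steps on slide 23 are easy to blur in code, and most real breaches of them come from treating one as the other. The script below is an added example (not from the slides or the book) that keeps them separate: identification is a lookup, authentication combines “something you know” (a PBKDF2 password hash) with “something you have” (an RFC 6238 TOTP code), and authorization is a role check on an already authenticated identity. The user record, salt, password, roles and the TOTP secret are constructed; the secret is the RFC 4226/6238 test-vector key so the codes can be checked against the published values.

```python
"""Identification, authentication and authorization as three separate steps."""
import hashlib
import hmac
import struct
import time

PBKDF2_ROUNDS = 100_000          # low for the demo; tune upwards in production
_SALT = b"constructed-salt-16"   # per-user random salt in a real system

# Constructed user store (normally a database).
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, PBKDF2_ROUNDS),
        "totp_secret": b"12345678901234567890",   # RFC 4226 test-vector key
        "roles": {"analyst"},
    },
}
PERMISSIONS = {"analyst": {"read_report"}, "admin": {"read_report", "delete_report"}}


def identify(username):
    """Identification: map a claimed name to the stored entity (or None)."""
    return USERS.get(username)


def totp(secret, t=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the counter floor(t / step)."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def authenticate(username, password, code, now=None):
    """Authentication: prove the claimed identity with two factors.

    Both factors are always evaluated and compared in constant time, so a
    failed login does not reveal which factor was wrong or whether the user exists.
    """
    user = identify(username) or {"pw_hash": b"\0" * 32, "totp_secret": b"\0" * 20}
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, PBKDF2_ROUNDS),
        user["pw_hash"],
    )
    t = time.time() if now is None else now
    # Accept one 30 s step of clock skew on either side.
    otp_ok = any(hmac.compare_digest(totp(user["totp_secret"], t + d), code)
                 for d in (-30, 0, 30))
    return pw_ok and otp_ok and username in USERS


def authorize(username, action):
    """Authorization: what an already authenticated identity may do."""
    user = identify(username)
    if user is None:
        return False
    return any(action in PERMISSIONS.get(role, set()) for role in user["roles"])


if __name__ == "__main__":
    code = totp(USERS["alice"]["totp_secret"])          # what alice's phone shows now
    print("login:", authenticate("alice", "correct horse", code))
    print("may read:", authorize("alice", "read_report"))
    print("may delete:", authorize("alice", "delete_report"))
```

At `t = 59` the counter is 1 and the code is `287082`, the RFC 4226 value for count 1. The dummy record for an unknown user keeps the timing of a failed lookup close to that of a wrong password; the slide’s point that “all are hackable” applies to each step independently, so a bug in any one of the three functions undermines the others.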

  24. IP Address & Identity • Static vs. Dynamic • Computer, not person • Geographic • Digital Identity • Privacy vs. Authentication • Can we vs. Should we

  25. 6. What is “Security”? • Former Faculty in U.S. Air Force • Secure a computer? Unplug it! • Today ~ Most devices “are connected”

  26. Security • Freedom from danger - (not enough) • Not just SW errors or power outages • Associated with adversary • To gain something – steal information, undermine system, prevent system use • Example • SW glitch that shuts down airports vs. • Hacker into air traffic control

  27. CIA Triad • Confidentiality • Keeping data private; data has value • Integrity • Data & system are not improperly altered or changed w/o authorization • Confidence system & data are correct • How can we be sure? Stuxnet • Availability • Ability to use system as expected • Lack of access can be threat

  28. More… Resilience • Ability of a system to withstand a security threat w/o failing • ACCEPT ~ threats will occur • Other issues: • Organizational, legal, social, economic • Security trade-off • Cost, time, convenience, capabilities • No possibility of absolute security

  29. 7. What are the threats? • Red Team • Lack of understanding by public • SO MANY different types of threats • Legislation & Law makers • E.G. Bill during Bill Clinton Presidency • Vulnerability vs. Threat • V: “opening” for a breach • T: actor + consequences

  30. Actors (Adversary) • Person exploits the vulnerability to “get” something – but WHAT? • Money, business secrets, disrupt a process • Actors within • Bradley Manning – WikiLeaks • Edward Snowden – NSA • Targeted vs. automated attack • Cost vs. return • Only 3 computer violations • Steal data, misuse credentials, hijack resources ~~ All can be very bad! How??

  31. 8. What are vulnerabilities? • 2011 ~ London ~ 300 new BMWs stolen • Jammed locking signal ~ plugged in device to get car ID ~ programmed key ~ drove off in car • FIX: Police left flyers on BMWs • Pwned – to “own” a system • Complex systems can create vulnerabilities

  32. Social Engineering • Manipulate people to reveal information • Phishing – “official looking” email requests information from recipient; may send to a fake web site – sent “in bulk” • Spear Phishing – target individuals with personal information • Taken from social media, other online sources • Watch URLs
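“Watch URLs” is the practical advice on slide 32, and the tricks phishing links use are mechanical enough to check in code. The function below is an added example (not from the slides or the book) that takes a link apart the way a mail client should and reports the common lures: a trusted name hidden in the userinfo part before an `@`, a trusted name used as a subdomain of an attacker’s domain, a non-ASCII look-alike host, a bare IP address, and plain http. The trusted domain `bank.example`, the attacker domain `evil.test` and all sample links are constructed. The two-label “registrable domain” rule is a simplification; production code should use the Public Suffix List so that names such as `example.co.uk` are handled.

```python
"""Taking phishing URLs apart: where does this link really go?"""
from urllib.parse import urlsplit

TRUSTED = {"bank.example"}   # constructed: the domain the user believes they are visiting


def registrable_domain(host):
    """Last two DNS labels (simplified; a real check uses the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_url(url):
    """Return a dict of red flags for a link, plus the host it actually resolves."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Non-ASCII labels (e.g. a Cyrillic 'a' in 'bank') become xn-- punycode labels.
    ascii_host = host.encode("idna").decode("ascii")
    flags = {
        # 'https://bank.example@evil.test/': everything before '@' is userinfo, not the host
        "userinfo_trick": bool(parts.username or parts.password),
        # 'bank.example.evil.test': the trusted name is a subdomain of someone else's domain
        "trusted_name_as_subdomain": any(
            t in host and registrable_domain(host) != t for t in TRUSTED),
        "non_ascii_host": ascii_host != host,
        "raw_ip_host": host.replace(".", "").isdigit(),
        "not_https": parts.scheme != "https",
    }
    flags["host"] = ascii_host
    flags["registrable_domain"] = registrable_domain(ascii_host)
    flags["trusted"] = (
        flags["registrable_domain"] in TRUSTED
        and not flags["userinfo_trick"]
        and not flags["non_ascii_host"]
    )
    return flags


if __name__ == "__main__":
    for link in [
        "https://bank.example/login",
        "https://bank.example@evil.test/login",
        "http://bank.example.evil.test/login",
        "https://b\u0430nk.example/login",     # Cyrillic 'а' (U+0430)
        "http://203.0.113.5/login",
    ]:
        f = inspect_url(link)
        print(f"{link:45} -> host={f['host']} trusted={f['trusted']}")
```

The `hostname` property already strips the userinfo part, which is exactly what a reader skimming the link text does not do; the IDNA step makes the look-alike host visible as `xn--...` instead of a string that renders identically to the real one.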

  33. Ignored Precautions • Use of default passwords (e.g. routers) • Same & obvious passwords – or no password • Misconfigured systems • Software vulnerabilities (MS patches) • Zero day – previously unknown • Data vs. code issue: input meant as data gets interpreted as code • SQL injection, buffer overflow
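The “data vs. code” item on slide 33 is the whole of SQL injection: a login form’s input is supposed to be data, but string concatenation hands it to the database as part of the query. The script below is an added example (not from the slides or the book) that shows the vulnerable and the fixed version side by side on a constructed in-memory SQLite table, so it runs offline; the user name and password are constructed.

```python
"""SQL injection: user input as code (vulnerable) vs. as data (parameterised)."""
import sqlite3


def make_db():
    """Constructed credential table; real systems store hashes, not passwords."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'hunter2')")
    return db


def login_vulnerable(db, name, password):
    """The query text is built from the input, so quotes and '--' in the input become SQL."""
    query = (f"SELECT name FROM users "
             f"WHERE name = '{name}' AND password = '{password}'")
    return db.execute(query).fetchone() is not None


def login_fixed(db, name, password):
    """Parameterised query: the driver passes the values separately; they can only be data."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchone() is not None


def demo():
    """Return (vulnerable result, fixed result) for the classic comment-out payload."""
    db = make_db()
    payload = "alice' --"          # closes the string, then comments out the password check
    return login_vulnerable(db, payload, "anything"), login_fixed(db, payload, "anything")


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable login with payload:", vuln)   # True: password check never runs
    print("fixed login with payload:     ", fixed)  # False: no user named "alice' --"
```

With the payload, the concatenated query reads `WHERE name = 'alice' --' AND password = 'anything'`, and SQLite drops everything after `--`. The parameterised version asks for a user literally named `alice' --` and finds none. A buffer overflow is the same confusion one layer down: bytes meant as data overwrite memory the CPU then treats as code or control flow.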

  34. “Evil” Software • Early Viruses • Malware– Prepackaged exploitation of a vulnerability • Worm – replicates over network • Virus – malicious software, usually reproduces itself • Drive-by Attack: from web site (browser) • Watering Hole: site where users come to the actor ~ Where do you browse? Similarities? Differences?

  35. Botnets • Network of private computers infected with malware & controlled w/o the users’ knowledge • Zombie computers: members of a botnet • DDoS – distributed denial of service • MANY computers access a site to overwhelm it • Threats, diversion, political protest All systems have vulnerabilities. Threats continue to evolve & change.

  36. 9. How do we trust cyberspace? • How can we know if it is trustworthy? • 2010: Voting machine hack (reprogrammed to play Pac-Man) • Online voting for primaries • Hack site & leave message w/o damage • Target: SW on credit card machines • Cryptography: practice of securing communications in the presence of adversaries (very old)

  37. Encryption • Converting information into a code to prevent unauthorized access • Public key encryption (p. 47) • Symmetric – same key encrypts and decrypts • Public key – 1 open (public), 1 secret (private) • Built on prime numbers: the public modulus is a semi-prime, the product of two large primes • Certificate Authority – trusted 3rd party vouching that a public key belongs to a site • https, tiny lock • The private key can’t be derived from the public key in reasonable time (factoring the semi-prime is infeasible at real key sizes)
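Slide 37 compresses RSA into “prime numbers, semi-prime numbers, can’t determine key in reasonable time”. The script below is an added example (not from the slides or the book) that makes each of those phrases concrete at toy size: a key pair built from two primes, encryption with the public half, decryption with the private half, and the attacker’s route of factoring the public modulus back into its primes. The primes `10007` and `10009` are chosen for the example only; trial division recovers the private key in milliseconds here and would not finish for the 2048-bit moduli behind the “tiny lock”. This is textbook RSA without padding, shown for the arithmetic, not something to use on real data.

```python
"""Public-key encryption from two primes, and why small semi-primes are not safe."""
import math


def keygen(p, q, e=65537):
    """Public key (n, e) and private key (n, d) with d = e^-1 mod phi(n)."""
    n = p * q                       # the semi-prime that is published
    phi = (p - 1) * (q - 1)         # Euler's totient; needs p and q, which stay secret
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))


def encrypt(pub, m):
    """c = m^e mod n, computable by anyone holding the public key."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(priv, c):
    """m = c^d mod n, computable only with the private exponent."""
    n, d = priv
    return pow(c, d, n)


def factor(n):
    """Trial division: the attacker's path from public n to secret (p, q).

    Fine for the ~27-bit n below; hopeless for a 2048-bit modulus.
    """
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    return None


def recover_private_key(pub):
    """Given only the public key, factor n and rebuild d exactly as keygen did."""
    n, e = pub
    p, q = factor(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = keygen(10007, 10009)          # toy primes; real keys use ~1024-bit primes
    c = encrypt(pub, 42)
    print("ciphertext:", c, "-> decrypts to", decrypt(priv, c))
    print("attacker recovers private key:", recover_private_key(pub) == priv)
```

`pow(e, -1, phi)` is Python 3.8+. The symmetric half of the slide is what https actually uses for the bulk data: the public key only protects the exchange of a per-session symmetric key, and the certificate authority’s signature is what ties that public key to the site name in the address bar.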

  38. Access Control & Policy • Who can access what? How enforced? • People/Trust issue • Not just computers, facilities • Overentitlement – Underentitlement • 2010 - Bradley Manning & WikiLeaks • 2013 – Edward Snowden & NSA • Examples of lack access control

  39. 10. WikiLeaks?? 2006 – Julian Assange (Australia) • “Expose corruption & abuse around the world” ~ Site for activists to share information • 2008: Pentagon: “Threat to US Army” • Know this from WikiLeaks • Bradley Manning – Army Pfc – pub. 2010 • Managed data for analysts • Copied on CDs • Sentenced 35 Yrs. – Obama reduced to 7 served • Ecuador’s Embassy in London

  40. 11. What is APT?Advanced Persistent Threat • Team, Extensive planning • Organization, intelligence, complexity, patience – “Important” targets - common • Specific target ~ Target development • Observe, google, social media – details • Intrusion Team – not the main objective • Malware – “trial run” (e.g. credit cards) • Branch out & control network

  41. Advanced Persistent Threat • Exfiltration Team– go after information • May leave malware behind or alter files • “Phone Home” – removal of files – alters NW traffic & may be detected • Clean Up – months… • Which machines, what files, malware remnants • E.G. thermostat & printer sending messages to China • Seldom know perpetrators

  42. 12. Basic Computer DefenseKeeping bad guys out • McAfee Malware Zoo • 110 M “species” • 2013 – discovering every second • Evolutionary Game • Signatures – many, old, camouflage • Heuristics – suspicious

  43. Firewalls, etc. • Filter that only allows “valid” activity on the network • Intrusion detection: watches for abnormal activity ~ alerts the administrator • Costs $, slows down traffic • SW patch: from the vendor • Air gap: physical separation between the network & critical systems • Good idea but not always practical, nor will it solve the problem
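Slides 41 to 43 describe two different ways of catching the APT’s “phone home” traffic: a signature (exact match against something already seen, which camouflage defeats) and a heuristic (behaviour that looks wrong, such as a printer contacting the same outside address every minute). The script below is an added example (not from the slides or the book) that runs both over a constructed connection log. The hosts, addresses, timestamps, file contents and the “known-bad” hash list are all constructed.

```python
"""Signature vs. heuristic detection over a constructed connection log."""
import hashlib
import statistics
from collections import defaultdict

# Constructed log: seconds, source host, destination, bytes out.
# printer-3 beacons to one address roughly every 60 s; ws-12 is a user browsing.
LOG = """\
0 printer-3 203.0.113.9 512
10 ws-12 198.51.100.4 1200
61 printer-3 203.0.113.9 520
118 ws-12 198.51.100.7 9000
119 printer-3 203.0.113.9 510
180 printer-3 203.0.113.9 515
242 printer-3 203.0.113.9 512
300 printer-3 203.0.113.9 518
377 ws-12 198.51.100.4 300
"""

# Constructed signature list: SHA-256 of one known malware sample.
BAD_HASHES = {hashlib.sha256(b"EVIL-SAMPLE-V1").hexdigest()}


def signature_hit(contents):
    """Exact hash match: catches the known sample, misses a one-byte variant."""
    return hashlib.sha256(contents).hexdigest() in BAD_HASHES


def beacons(log, min_events=5, max_jitter=0.1):
    """(src, dst) pairs whose inter-connection gaps are nearly constant.

    max_jitter bounds std-dev / mean of the gaps.  A person's browsing has
    irregular gaps; a command-and-control beacon on a timer does not.
    """
    times = defaultdict(list)
    for line in log.strip().splitlines():
        ts, src, dst, _ = line.split()
        times[(src, dst)].append(int(ts))
    hits = []
    for key, ts in times.items():
        if len(ts) < min_events:
            continue                      # too few samples to judge regularity
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append(key)
    return hits


if __name__ == "__main__":
    print("signature, original sample:", signature_hit(b"EVIL-SAMPLE-V1"))
    print("signature, recompiled sample:", signature_hit(b"EVIL-SAMPLE-V2"))
    print("beaconing pairs:", beacons(LOG))
```

The signature is precise and cheap but brittle: any change to the sample gives a new hash. The heuristic has no list to go stale, which is why it finds the printer, but `max_jitter` and `min_events` are tuning knobs; set too loose, a software updater on a timer trips it, which is the false-positive cost slide 43 calls “cost $, slows down traffic”.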

  44. Hackback Retaliation • Probably not legal • Not very effective • There’s always another hacker

  45. 13. Who/What is the weakest link? Human factors Buckshot Yankee – 2008 • Largest breach in US military history • Candy drop – infected USB flash drive left at a US base in the Middle East (foreign intelligence) and plugged into a military laptop • Agent.btz – worm: scanned computers for data, created backdoors, linked to remote servers • Pentagon: 14 months to “clean up”

  46. Other Examples • CD drop in men’s room – IT Co. • Fake emails – internal • Music file sharing – Oops! Other files, too • Don’t be the next example!
