CMPS 5363 Cybersecurity Principles & Management • Dr. Ranette Halverson • MSU – Dept. of Computer Science
Cybersecurity & Cyberwar What everyone needs to know By P.W. Singer & Allan Friedman • Required book
Why? • Ubiquity • 1971 – first email • 1991 – first web site • 2013 • 40 trillion emails per year • 30 trillion web pages • 8.7 billion devices on internet
What? • 97% Fortune 500 companies –hacked • 3% - Just don’t know it yet • 100 governments planning • Scandals • WikiLeaks – Julian Assange • NSA - Edward Snowden • 2016 US Presidential election - Russia
How? • Ignore – oblivious to threats • Cyberanxiety • Cybersecurity – fastest growing industry in world
Who? • Leaders – older generation (digital immigrants) • Youth – games & use (digital natives) • College degrees – general • GAPS • Knowledge • Understanding • Skill • Policy • Threat • Technology developed too fast No substantive cybersecurity legislation passed in US between 2002 & 2012.
Study? What we all need to know! • How does it work? • Why does it matter? • What can we do? • What will YOU do?
What Matters? (p. 9) • Knowledge • People • Incentives • The Crowd • States • Cats
1. What is Cyberspace? • Realm of computer networks in which information is stored, shared, & communicated online (authors) • Global domain in the information environment consisting of interdependent networks of information technology infrastructures, including internet, telecom networks, computer systems, embedded processors & controllers (DOD 2008)
Features & Components • Virtual: Digitized Data – created, stored, shared • Physical - computers, systems, infrastructure (intranets, cellular, cables, space-based communication) • People – users, society • Cognitive – perceptions, ownerships, names, expectations Constantly Changing
Internet vs. Cyberspace • What is the difference? • Is there a difference? • What has changed? • DISCUSS!
2. Short history of the internet • ARPANET – 1969 – UCLA to Stanford • Packet switching vs. Circuit switching • Need for reliable communication, sharing, unused computer time • Problem: Various technologies • 1973 – Protocol – Vint Cerf, Robert Kahn • Established “hand-shake” & expectations • Layers for communication • TCP – Transmission Control Protocol • IP – Internet Protocol
And Next… • Networks of Networks (due to protocol) • 1972 – Email – Ray Tomlinson • App to compose, read, send messages • Modems – allowed everyone entry • Data → sound waves over phone lines • NSFNet – supercomputers around US • Backbone emerges – management architecture
And finally… • 1980 – Commercialization • Government Plan – very slow • 1989 – Senator Al Gore • legislation to speed up privatization • 1994 – NSF turned over control to private interests • 1990 – Tim Berners-Lee – CERN • HTTP protocol + URLs → WWW • Mosaic web browser – U. of Ill.
3. How does the internet work? • 2008 – Pakistan – YouTube situation • IP address – numeric address for device • Domain – .country, .com, .edu • ICANN – Internet Corporation for Assigned Names & Numbers • Registrars: coordinate for unique top-level domain names • Domains manage own subdomains (e.g. CS.MWSU.EDU)
Few more details… • ISP – internet service provider • Autonomous Systems (AS) – 40K AS nodes • AS ↔ AS • Router – looks at message, determines next step • Routing Table – dynamic, shared info. • Decentralized • Trust
4. Who runs it? Internet governance • 1998 – Jon Postel – “coup” • 8 emails – 2/3 of routers to him • The internet is the first thing humanity has built that humanity doesn’t understand, the largest experiment in anarchy that we have ever had. ~ Eric Schmidt, CEO Google, in 1997 • Interoperability • Actors follow rules → Standards
Who are these “people”? • Internet Engineering Task Force (IETF) • Develops & modifies internet standards • Working Groups – specialized open forums, consensus • “Security Considerations”- for every standard • IESG – oversight & guidance • Internet Architecture Board (IAB) – further oversight & guidance
More people… Internet Society (ISOC) – 1992 • International organization • Open to individuals, organization ($ fee) • Offer a formal & legal means to safeguard independent & open standards processes • Elect Trustees to IAB
More people… • Internet Assigned Numbers Authority • US Govt. + Researchers • Growth → relinquish control • 1998 – ICANN (Internet Corp. for Assigned Names & Numbers) • Now several regional authorities • Numerous conflicts over names • US Dept. of Commerce – holds control
5. Identity & Authentication • Identification • Act of mapping entity to information about the entity • Authentication • Proof of identification • Something you know, you have, or you are • Authorization • What you can do • Access ~ All are hackable!
IP Address & Identity • Static vs. Dynamic • Computer, not person • Geographic • Digital Identity • Privacy vs. Authentication • Can we vs. Should we
6. What is “Security”? • Former Faculty in U.S. Air Force • Secure a computer? Unplug it! • Today ~ Most devices “are connected”
Security • Freedom from danger - (not enough) • Not just SW errors or power outages • Associated with adversary • To gain something – steal information, undermine system, prevent system use • Example • SW glitch that shuts down airports vs. • Hacker into air traffic control
CIA Triad • Confidentiality • Keeping data private; data has value • Integrity • Data & system are not improperly altered or changed w/o authorization • Confidence system & data are correct • How can we be sure? Stuxnet • Availability • Ability to use system as expected • Lack of access can be threat
More… Resilience • Ability of system to withstand security threat w/o failing • ACCEPT ~ threats will occur • Other issues: • Organizational, legal, social, economic • Security Trade-off • Cost, time, convenience, capabilities • No possibility of Absolute Security
7. What are the threats? • Red Team • Lack of understanding by public • SO MANY different types of threats • Legislation & Law makers • E.G. Bill during Bill Clinton Presidency • Vulnerability vs. Threat • V: “opening” for a breach • T: actor + consequences
Actors (Adversary) • Person exploits the vulnerability to “get” something – but WHAT? • Money, business secrets, disrupt process • Actors within • Bradley Manning – WikiLeaks • Edward Snowden – NSA • Targeted vs. Automated Attack • Cost vs. Return • Only 3 Computer Violations • Steal data, Misuse Credentials, Hijack resources ~~ All can be very bad! How??
8. What are vulnerabilities? • 2011 ~ London ~ 300 new BMWs stolen • Jammed locking signal ~ plugged in device to get car ID ~ programmed key ~ drove off in car • FIX: Police left flyers on BMWs • Pwned – “own” a system • Complex systems can create vulnerabilities
Social Engineering • Manipulate people to reveal information • Phishing – “official looking” email requests information from recipient; may send to a fake web site – sent “in bulk” • Spear Phishing – target individuals with personal information • Taken from social media, other online sources • Watch URLs
Ignored Precautions • Use default passwords (e.g. routers) • Same & obvious passwords – No password • Misconfigured systems • Software vulnerabilities (MS Patches) • Zero Day – previously unknown • Data vs. Code issue • SQL, Buffer Overflow
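The “Data vs. Code” bullet is the root of SQL injection: user data pasted into a query string gets parsed as SQL. This added example (not from the slides or the book) uses an in-memory SQLite table of constructed sample rows to show the vulnerable lookup beside the parameterized fix.

```python
import sqlite3


def make_db():
    # Constructed sample data: two users in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn


def lookup_vulnerable(conn, name):
    # BAD: the input is spliced into the statement, so the database
    # parses it as code. Input containing a quote changes the query.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # GOOD: a bound parameter is always treated as a value, never as
    # SQL, whatever characters it contains.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    conn = make_db()
    crafted = "' OR '1'='1"          # data that reads as code
    return {
        "normal": lookup_safe(conn, "alice"),
        "vulnerable": lookup_vulnerable(conn, crafted),  # leaks every row
        "safe": lookup_safe(conn, crafted),              # matches nothing
    }


if __name__ == "__main__":
    print(demo())
```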
“Evil” Software • Early Viruses • Malware – Prepackaged exploitation of a vulnerability • Worm – replicates over network • Virus – malicious software, usually reproduces itself • Drive-by Attack: from web site (browser) • Watering Hole: site where users come to the actor ~ Where do you browse? Similarities? Differences?
Botnets • Network of private computers w/ malware & controlled w/o users’ knowledge • Zombie Computers: members of botnet • DDoS – Distributed denial of service • MANY computers access site to overwhelm • Threats, Diversion, Political Protest ~ All systems have vulnerabilities; threats continue to evolve & change.
9. How do we trust cyberspace? • How can we know if trustworthy? • 2008: Voting machine hack (PacMan) • Online voting for primaries • Hack site & leave message w/o damage • Target: SW on credit card machines • Cryptography: practice of securing communications in presence of adversaries (very old)
Encryption • Converting information into a code to prevent unauthorized access • Public Key Encryption (p47) • Symmetric – same key • Public Key – 1 open, 1 secret • Prime numbers, Semi-prime numbers • Certificate Authority – trusted 3rd party • https, tiny lock • Can’t determine key in reasonable time
Access Control & Policy • Who can access what? How enforced? • People/Trust issue • Not just computers, facilities • Overentitlement – Underentitlement • 2010 - Bradley Manning & WikiLeaks • 2013 – Edward Snowden & NSA • Examples of lack access control
10. WikiLeaks?? • 2006 – Julian Assange (Australia) • “Expose corruption & abuse around the world” ~ Site for activists to share information • 2008: Pentagon: “Threat to US Army” • Know this from WikiLeaks • Bradley Manning – Army Pfc – pub. 2010 • Managed data for analysts • Copied on CDs • Sentenced 35 Yrs. – Obama reduced to 7 served • Ecuador’s Embassy in London
11. What is APT? Advanced Persistent Threat • Team, Extensive planning • Organization, intelligence, complexity, patience – “Important” targets – common • Specific target ~ Target development • Observe, google, social media – details • Intrusion Team – not the main objective • Malware – “trial run” (e.g. credit cards) • Branch out & control network
Advanced Persistent Threat • Exfiltration Team – go after information • May leave malware behind or alter files • “Phone Home” – removal of files – alters network traffic & may be detected • Clean Up – months… • Which machines, what files, malware remnants • E.G. thermostat & printer sending messages to China • Seldom know perpetrators
12. Basic Computer Defense: Keeping bad guys out • McAfee Malware Zoo • 110 M “species” • 2013 – discovering every second • Evolutionary Game • Signatures – many, old, camouflage • Heuristics – suspicious
Firewalls, etc. • Filter only allows “valid” activity on network • Intrusion Detection: watches for abnormal activity ~ Alerts administrator • Cost $, Slows down traffic • SW Patch: from vendor • Air Gap: physical separation between network & critical systems • Good idea but not always practical, nor will it solve the problem
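Added example (not from the slides or the book) tying the Botnets/DDoS slide to the “Intrusion Detection: watches for abnormal activity” bullet: a detector that walks constructed web-server log lines, counts requests in a sliding time window, and raises an alert that also says whether the burst came from one source or many (the botnet case). The log format, window size and threshold are assumptions chosen for the demo.

```python
from collections import Counter, deque
from datetime import datetime

# Constructed sample access log (timestamp, source IP, method, path);
# addresses are from the documentation ranges, not real hosts.
LOG = """\
2024-01-01T10:00:00 203.0.113.5 GET /
2024-01-01T10:00:03 203.0.113.6 GET /login
2024-01-01T10:00:07 203.0.113.5 GET /news
2024-01-01T10:00:10 198.51.100.1 GET /
2024-01-01T10:00:10 198.51.100.2 GET /
2024-01-01T10:00:10 198.51.100.3 GET /
2024-01-01T10:00:11 198.51.100.4 GET /
2024-01-01T10:00:11 198.51.100.5 GET /
"""


def parse(line):
    ts, ip, _method, path = line.split()
    return datetime.fromisoformat(ts), ip, path


def detect_floods(lines, window_s=2, threshold=4):
    """Alert when more than `threshold` requests land inside any
    `window_s`-second window; report how many distinct sources were
    involved so a single noisy client and a botnet look different."""
    events = sorted(parse(l) for l in lines if l.strip())
    window = deque()            # (timestamp, ip) pairs inside the window
    alerts = []
    for ts, ip, _path in events:
        window.append((ts, ip))
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()    # drop requests that aged out
        if len(window) > threshold:
            sources = Counter(ip for _, ip in window)
            alerts.append({
                "at": ts.isoformat(),
                "requests": len(window),
                "sources": len(sources),
                "kind": "distributed" if len(sources) > 1 else "single-source",
            })
            window.clear()      # one alert per burst, not one per request
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(LOG.splitlines()):
        print("ALERT", alert)   # what the administrator would be paged with
```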
Hackback Retaliation • Probably not legal • Not very effective • There’s always another hacker
13. Who/What is the weakest link? Human factors • Buckshot Yankee – 2008 • Largest breach – US Military history • Candy Drop – foreign intelligence at a military base • Agent.btz – worm: scanned computers for data, created backdoors, linked to servers • Pentagon: 14 months to “clean-up”
Other Examples • CD drop in men’s room – IT Co. • Fake emails – internal • Music file sharing – Oops! Other files, too • Don’t be the next example!