Cybercrime, Cybersecurity, Security Policy: The Triangle Effect
Jaishri Mehta, Mt. San Antonio College
Introduction
• Do cybercrimes drive security policy, or does cybersecurity drive security policy?
• Unfortunately, cybercrime does
• Reasons: the Bork case
• Policy can be broken into two categories:
  • System vulnerability: cybersecurity
  • Human intervention (ethics): cybercrime
Policies
• Cannot stop cybercrime
• Help deter cybercrime
• Help in prosecuting offenders
• Cybersecurity vulnerabilities help to find where crime can be committed
• They also help hackers to find vulnerabilities
• Cybercrime, cybersecurity and security policy cannot function without each other
Cybersecurity
• Definition:
  • Security of the data
  • Application of the data
  • Processes of the data and user intervention with the data
  • Security of the actual software
  • Security against the ability to upload software or input malicious data that interferes with the existing data
How do these vulnerabilities exist?
• Inherent?
• Not carefully planned?
• Human factor?
• Not tested properly?
Behavior of Software
• Figure from How to Break Software Security by James A. Whittaker and Herbert H. Thompson
Security Fault Model
• The software does not work according to specification: traditional bugs (the purple part)
• The overlap is where the software works according to specification
• The gray part is where the software does more than it is intended to do
Problem
• Traditional bugs are tested for, and the product is created (sold)
• Security bugs are not tested for and therefore pose a security threat to the user of the software
• Example: a media player plays audio and video but writes to unencrypted temporary storage, which software pirates are ready to exploit
• Finding security bugs shows a direct correlation to cybercrime and the need for policy
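The media-player example above is the "gray part" of the fault model: the program meets its specification and also does something nobody asked for. The following is an added example, not code from the slides or from Whittaker and Thompson's book. It models a toy player (the XOR "decryption", the `play_track` name and the scratch directory are all assumptions for the demo) and shows why a traditional functional test passes on both the leaky and the fixed version while a side-effect test catches the leak.

```python
"""Added example: functional tests check the specification; a security test
checks that the software does not do MORE than the specification."""
import os
import tempfile


def decode_track(encrypted_bytes, key):
    # Toy "decryption" (XOR with a one-byte key); an assumption for the demo.
    # XOR is its own inverse, so the same call also produces the sample input.
    return bytes(b ^ key for b in encrypted_bytes)


def play_track(encrypted_bytes, key, scratch_dir):
    """Spec: return the decoded audio bytes. Also does something unintended."""
    pcm = decode_track(encrypted_bytes, key)
    # The gray part: the decoded audio is cached as a plaintext temp file,
    # which is exactly the kind of side effect pirates look for.
    with open(os.path.join(scratch_dir, "cache.pcm"), "wb") as f:
        f.write(pcm)
    return pcm


def play_track_fixed(encrypted_bytes, key, scratch_dir):
    """Same spec, no side effect: decoded audio only lives in memory."""
    return decode_track(encrypted_bytes, key)


KEY = 0x5A
SAMPLE_CIPHERTEXT = decode_track(b"hello audio", KEY)  # constructed sample input


def functional_test(player):
    # Traditional bug test: does the output match the specification?
    scratch = tempfile.mkdtemp()
    return player(SAMPLE_CIPHERTEXT, KEY, scratch) == b"hello audio"


def side_effect_test(player):
    # Security test: snapshot the environment, run the player, verify that
    # nothing was written that the specification did not call for.
    scratch = tempfile.mkdtemp()
    before = set(os.listdir(scratch))
    player(SAMPLE_CIPHERTEXT, KEY, scratch)
    return set(os.listdir(scratch)) == before


if __name__ == "__main__":
    for name, player in (("leaky", play_track), ("fixed", play_track_fixed)):
        print(name, "functional:", functional_test(player),
              "no side effects:", side_effect_test(player))
```

Both players pass the functional test, so a test plan built only from the specification ships the leak; only the side-effect test separates them.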
Breakdown of the fault model
• Security and the user interface
• Security and the file system user
• Security and the operating system user
• Security and the software user
• Security inside the software
Security and User Interface
• Access to software is through the user interface (input data)
• The input data can also come from another program
• Threats:
  • Access control
  • Malicious input
  • Unauthorized access or sabotage
Threats
• Access controls:
  • The user is authorized to enter, but how much authority does he have?
  • He may read files, but does that stop him from copy/paste, print screen, etc.?
• Malicious input:
  • A buffer overflow occurs when the software fails to properly constrain input length
  • Input that is interpreted as code
  • SQL injection
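Both malicious-input threats above have the same root: the software does not constrain what the input is or how long it is, so the input ends up interpreted as code. As an added example (not from the slides), the following lookup is written twice over a constructed in-memory SQLite table: once by splicing the input into the SQL text, and once with a length check plus a bound parameter. The table, the rows, the `MAX_USERNAME_LEN` limit and the function names are all assumptions for the demo.

```python
"""Added example: input interpreted as code (SQL injection) beside the
constrained, parameterized version of the same query."""
import sqlite3

MAX_USERNAME_LEN = 32  # assumed limit: the point is that input length is bounded


def make_db():
    # Constructed sample data in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, username):
    # The input is spliced into the statement text, so the database parses
    # whatever the user typed as part of the SQL.
    sql = f"SELECT name, role FROM users WHERE name = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    # 1. Constrain type and length before doing anything with the value.
    if not isinstance(username, str) or not 0 < len(username) <= MAX_USERNAME_LEN:
        raise ValueError("username rejected: bad type or length")
    # 2. Pass the value as a bound parameter; it is data, never SQL text.
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (username,)).fetchall()


def demo():
    conn = make_db()
    # Constructed input that closes the quoted string and appends a tautology.
    tainted = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, tainted),  # every row comes back
        "hardened": lookup_hardened(conn, tainted),      # no user has that name
        "legit": lookup_hardened(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The hardened version still rejects an over-long value outright, which is the same "constrain input length" rule the buffer-overflow bullet states, applied before the database ever sees the input.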
Examples
• The infamous Code Red II
• Example of a buffer overflow in sendmail
• What did it do?
  • Exploited the buffer overflow vulnerability in Microsoft's Internet Information Server and infected the computers
• Policies also help the malicious user
Security and File System Users
• Files store sensitive data such as passwords, licenses, etc.
• The file must be tested for how it is retrieved, stored or encrypted, and managed
• Threats:
  • Access to passwords
  • Sensitive data
  • Piracy
Threats
• Access to sensitive data is basically handing over the keys to the safe
• Location of the file and how it is retrieved
• Examples:
  • Passwords stolen
  • Denial of service
  • Pirated licenses
• Policy for your users who have knowledge
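The two slides above say a password file must be tested for how it is stored, retrieved and managed. As an added example (not from the slides), the following writes a small password file the way the test should expect to find it: records hold a salted PBKDF2 hash rather than the password, the file is created with owner-only permissions before any record is written, and verification uses a constant-time comparison. The file name, the record layout, the iteration count and the sample user are assumptions for the demo.

```python
"""Added example: a password file that does not hand over the keys to the safe.
Stores salted hashes, creates the file with restrictive permissions, and
checks logins without ever keeping plaintext passwords on disk."""
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

ITERATIONS = 200_000  # assumed PBKDF2 work factor for the demo


def hash_password(password, salt=None):
    # Salt per user so equal passwords do not produce equal records.
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, record):
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    # Constant-time comparison: timing must not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def write_password_file(path, users):
    # Create with mode 0600 *before* writing, so no window exists in which
    # other users could read the file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for name, password in users.items():
            f.write(f"{name}:{hash_password(password)}\n")


def check_login(path, name, password):
    with open(path) as f:
        for line in f:
            user, record = line.rstrip("\n").split(":", 1)
            if user == name:
                return verify_password(password, record)
    return False  # unknown user; same answer as a wrong password


def file_is_private(path):
    # True when neither group nor others have any permission bits (POSIX).
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo():
    path = os.path.join(tempfile.mkdtemp(), "passwd")
    write_password_file(path, {"alice": "correct horse"})  # constructed sample
    with open(path) as f:
        raw = f.read()
    return {
        "plaintext_absent": "correct horse" not in raw,
        "good_login": check_login(path, "alice", "correct horse"),
        "bad_login": check_login(path, "alice", "wrong"),
        "unknown_user": check_login(path, "mallory", "correct horse"),
        "file_private": file_is_private(path),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A test of "how the file is stored" then reduces to assertions on `demo()`: the plaintext never appears in the file, only the right password verifies, and the file is not readable by other accounts.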
Security and the Operating-System User
• Any interaction with an application must pass through memory at some time
• Information that passes through memory encrypted is fine, but it has to be unencrypted at some point
• Where it is unencrypted and how the process takes place is important
• The where and the how have to be protected
Threats
• Denial of service (DoS)
• The application may crash and leave the information (data) in an inconsistent state
• Buffer attacks
• Source routing attack
• Spoofing
Examples
• The fifteen-year-old Canadian boy whose alias was "MafiaBoy" issued a series of DoS attacks on e-commerce sites such as eBay and CNN.
• Some of the sites were not functional for up to 24 hours, resulting in a loss of millions of dollars
Security and the Software User
• Every software component depends on another software component
• This brings on another set of vulnerabilities
• Look at the dependencies that naturally exist between the two software components
• Components that depend on other software can fail, crash, or be compromised, which can affect your own security
Examples
• Ill-formed packets
• Blocked access to libraries
• Manipulated application registry values
• Replaced files that the application creates, reads, writes or executes
• Forcing the application to work with low memory or disk space
Security Inside the Software
• It is the software itself that has to be protected, as it is that particular technology that gives a company its advantage over other companies
• Such as algorithms or optimizations
• Where this software is compiled, and who can access it, is of concern
Threats
• Access to the proprietary software and its inner workings
• Using tools to reverse the compiled code
Security Policies
• We looked at system vulnerabilities that can be caused by software or users
• Can all of the bugs be found and fixed?
• So policies are written to cover the company
• Looking at the fault model: five categories
• Ask whether the different kinds of testing have been done
• Cybercrime – Cybersecurity – Security Policy
Security Policies cont.
• Write policies to cover the different areas that are not tested or are unknown
• The language should be generic so as not to give out information about vulnerabilities
• Do not post your system security policies on the web for everyone to look at
• That is handing over the research to conduct an attack
Security Policies cont.
• Ensure that the language is consistent with legal language
• Make sure that the language is also consistent with the law of your state
Ethics (Human Intervention)
• The weakest link in the "cyber world" is the human
• Why look at ethics?
• What is ethical to one may not be ethical to another in the "cyber world"
• Ethics are important so everyone understands what is considered right or wrong
Existence of Codes of Ethics
• ACM (Association for Computing Machinery) and IEEE-CS (Institute of Electrical and Electronics Engineers Computer Society) established a joint code of ethics for software engineers
• It consists of eight core principles
• One of them deals with the integrity of your work
Whistle-Blowing
• Norman Bowie defines it as "the act of an employee informing the public on the immoral behavior of an employee or supervisor"
• According to Sissela Bok, the whistle-blower "makes revelations meant to call attention to negligence, abuses, or dangers that threaten the public interest"
• Both instances talk about wrongdoing by a company and protecting the public
• Security for the public, not the company
Whistle-Blowing cont.
• Case illustration:
  • In the early '70s, BART (Bay Area Rapid Transit) was developing a new, computerized mass transit system.
  • It was over budget, behind schedule, and considered unsafe.
  • Three engineers went to their supervisors with their concerns.
  • They received no satisfaction, so they went to the board and received no support.
  • Frustrated, they went to the press with their concerns.
  • They were fired.
• This prompted the federal Whistleblower Protection Act of 1989 (many states have their own laws as well)
• It is still considered very risky to "whistle-blow" publicly
Whistle-Blowing
• This time the "cyber crime" is committed by the company, and the individual(s) are trying to bring awareness.
• Is there a policy in place to protect them?
• Cybercrime, Cybersecurity and Policy: The Triangle Effect
Privacy affects the Triangle Effect
• Let us take an example:
• Michael Scanlan describes how an independent computer consultant purchased data from Oregon's Department of Motor Vehicles for a fee
• Then he took the data and put it on the web in electronic form.
• For a fee, anyone could enter a license plate and find the name and address of the owner registered to the vehicle
Privacy affects the Triangle Effect cont.
• You can see the security of the individuals was in jeopardy.
• As a result of this information, crime could be committed (cyber-related crime)
• There was no policy in effect to protect these individuals.
Cybercrime
• Cybercrime is not defined concretely
• Forester and Morrison's definition suggests that cybercrime is "a criminal act in which a computer is used as a principal tool"
• Tavani divides cybercrime into three categories
Tavani's definition
• Cybercrimes, cyberspecific: Cyberpiracy, Cybertrespass, Cybervandalism
• Cyberrelated crimes, cyberexacerbated: Cyberstalking, Internet pedophilia, Internet pornography
• Cyberrelated crimes, cyberassisted: Income tax, Physical assault, Property damage
Cybercrimes cont.
• Cyberrelated crimes do not affect the other two apexes of the triangle effect; they affect one of the apexes
• Cybercrime supports the triangle effect
• Examples:
  • Leon steals a computer: cyberrelated
  • Leon files a fraudulent tax return electronically
  • Curador and identity theft: cybercrime
  • Dimitri and Microsoft Corporation: cybercrime
Intellectual Property Rights
• Case illustration:
  • Dimitri Sklyarov's decryption program
  • The program could decrypt the code for e-reading developed by Adobe
  • He was handcuffed on arriving in the US for a conference because of what he had in his briefcase
  • It sparked the "Free Sklyarov" movement on the principle of "fair use"
  • Adobe dropped the charges
  • The principles involved in this case will be challenged again
Intellectual Property
• In the case of Sklyarov:
  • His program can be used to commit cybercrime
  • His program demonstrates a vulnerability in cybersecurity
  • Is there any policy in effect? No
  • Did Sklyarov commit the crime?
Intellectual property and domain
• If a "hacker" enters a system and discovers vulnerabilities in the system,
• tells the company they have vulnerabilities, and
• will show the vulnerabilities for a fee:
• Has a cybercrime been committed?
• Has cybersecurity been violated?
• Is there anything to protect the company?
Intellectual property and domain cont.
• He has certainly trespassed but not stolen anything
• Asking for a fee for his findings: is it bribery or a service?
• The kinks still have not been worked out.
• Companies do pay some of these people
Risk Analysis
• Is cybersecurity an ongoing process or a product?
• This process is the basis of risk analysis and risk management
• Five categories: assets, threats, vulnerabilities, impact, and safeguards
• The Triangle Effect
Risk Analysis cont.
• In order for us to sell cybersecurity, we need to consider risk analysis
• If we can show or determine cybersecurity in terms of dollars and cents, we can convince them to fund it
• Just as insurance companies determine insurance through risk analysis, we should do the same
• The Triangle Effect is one road map
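The two risk-analysis slides above name the five categories (assets, threats, vulnerabilities, impact, safeguards) and ask for cybersecurity expressed in dollars and cents, the way an insurer prices a policy. As an added example (not from the slides), the following carries that through with the standard annualized-loss model: single loss expectancy = asset value x exposure factor, annualized loss expectancy = single loss x expected incidents per year, and a safeguard is worth buying when the expected loss it removes exceeds what it costs. The model choice, the class names and every dollar figure and rate are assumptions constructed for the demo.

```python
"""Added example: quantitative risk analysis over the five categories,
producing the dollars-and-cents figure used to justify a safeguard."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    asset_value: float      # dollar value of the asset
    exposure_factor: float  # impact: fraction of asset value lost per incident (0..1)
    annual_rate: float      # expected incidents per year

    def single_loss(self):
        # SLE: what one incident is expected to cost
        return self.asset_value * self.exposure_factor

    def annual_loss(self):
        # ALE: expected yearly loss, the figure an insurer would price against
        return self.single_loss() * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    rate_reduction: float   # fraction by which the safeguard cuts annual_rate (0..1)


def residual_risk(risk, safeguard):
    # The same risk after the safeguard is in place.
    return replace(risk, annual_rate=risk.annual_rate * (1.0 - safeguard.rate_reduction))


def safeguard_net_value(risk, safeguard):
    # Expected loss avoided minus what the safeguard costs per year.
    # Positive: the safeguard pays for itself. Negative: cheaper to carry the risk.
    avoided = risk.annual_loss() - residual_risk(risk, safeguard).annual_loss()
    return avoided - safeguard.annual_cost


def rank_safeguards(risk, safeguards):
    # Best net value first; the "do nothing" baseline scores exactly zero.
    return sorted(safeguards, key=lambda s: safeguard_net_value(risk, s), reverse=True)


# Constructed sample: one asset/threat/vulnerability triple and three candidate safeguards.
SAMPLE_RISK = Risk(
    asset="customer database",
    threat="SQL injection through the web form",
    vulnerability="unvalidated input",
    asset_value=500_000, exposure_factor=0.4, annual_rate=0.2,
)
SAMPLE_SAFEGUARDS = [
    Safeguard("input validation and parameterized queries", annual_cost=15_000, rate_reduction=0.75),
    Safeguard("web application firewall subscription", annual_cost=50_000, rate_reduction=0.90),
    Safeguard("do nothing", annual_cost=0, rate_reduction=0.0),
]


if __name__ == "__main__":
    print(f"SLE ${SAMPLE_RISK.single_loss():,.0f}  ALE ${SAMPLE_RISK.annual_loss():,.0f}")
    for sg in rank_safeguards(SAMPLE_RISK, SAMPLE_SAFEGUARDS):
        print(f"{sg.name}: net ${safeguard_net_value(SAMPLE_RISK, sg):,.0f}/year")
```

With these constructed numbers the database carries an expected loss of $40,000 a year; the cheap control removes $30,000 of it for $15,000 and ranks first, while the expensive one removes $36,000 for $50,000 and ranks below doing nothing. That ordering, not the raw incident count, is the argument the slide says funding decisions respond to.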
Conclusion
• The Triangle Effect demonstrates that the components are not independent when looking at a community in general
• When cybercrime, cybersecurity and policies are looked at together, we can forge policies that will help not only corporations but individuals and the community as a whole.
Conclusion cont.
• When cybersecurity and cybercrime are understood along with ethics, this will pave the way to an understanding of what is right and wrong in "cyberspace"
• Policies can be forged as guidelines
• Hence the Triangle Effect
Important facts
• http://rissc.mtsac.edu
• Books referenced:
  • How to Break Software Security – James A. Whittaker and Herbert H. Thompson
  • Ethics and Technology – Tavani
• Contact: Jaishri Mehta, Mount San Antonio College, jmehta@mtsac.edu