Information Systems 365/765
Lecture 2
Commercial and Government Cyberwarfare
Today – Cyber-warfare

• Discuss “How to Sell
   Information Security” article
• Introduction to Cyberwar
• Discuss technical vs.
   administrative controls
• Watch Frontline video
• Discuss written assignment
  #1
Prospect Theory
• People react
  differently to risk
  and guaranteed
  outcomes based
  on whether those
  outcomes are
  positive or
  negative. Known
  as the Prospect
  Theory S-Curve
Prospect Theory

• If someone offers you a
  guaranteed $500 or a 50%
  chance at winning $1000,
  studies show that people tend
  to pick the guaranteed $500
Prospect Theory

• If someone told you that you
  had to surrender $500 or take
  a 50% chance of surrendering
  $1000, most people would
  tend to take the risk of losing
  $1000 rather than the fixed
  $500 loss
Prospect Theory
• When it comes to gain, people
  are risk averse
• When it comes to loss, people
  embrace risk

• What does this mean for IT
  security, which is almost
  always sold based on potential
  to avoid loss?
How to Sell Information Security
Prospect Theory in
relation to information
systems security, the
battle of cost, risk and
features.

The constant battle
of proving ROI

The challenges of
layering security on
after the sale:
cost, complexity of
administration and
true usefulness.
How to Sell Information Security (DISCUSSION)
• What has your personal experience
  been with security add on
  products?
• How do you feel about paying for
  virus scanning, when you already
  paid for the Operating System?
• If you were selling a system which
  required a security add on
  component, what approach would
  you take?
• As an IS security decision maker,
  what approach would you take
  with your vendors?
Security Technologies are Exciting, But…
In this class you will get hands-on
experience with powerful
military grade encryption
technology, you will
use automated Rainbow Tables
to crack top level Administrator
passwords, and you will learn
how to sniff network traffic!

But, we have to start at the beginning, by
gaining an understanding of the threats.
Cyberwar

• Cyber-warfare (also known as
  cybernetic war, or cyberwar)
  is the use of computers and
  the Internet in conducting
  warfare in cyberspace.
Types of Attacks: Cyber Espionage
The act or practice of obtaining secrets
(sensitive, proprietary or classified
information) from individuals,
competitors, rivals, groups,
governments and enemies for
military, political, or economic
advantage using illegal exploitation
methods via the internet, networks,
software and/or computers.
Web Vandalism – The Weapon of Mass Irritation
• Attacks that deface web
  pages, or denial-of-service
  attacks. This is normally
  swiftly contained and of little
  harm.
• Distributed Denial-of-Service
  Attacks: Large numbers of
  computers in one country
  launch a DoS attack against
  systems in another country.
Gathering Sensitive or Proprietary Information
• Classified information that is
  not handled securely can be
  intercepted and even
  modified, making espionage
  possible from the other side of
  the world. See Titan Rain and
  Moonlight Maze.

• Encryption!
Equipment Disruption

• Military and commercial
  activities that use computers
  and satellites for co-ordination
  are at risk from this type of
  attack. Orders and
  communications can be
  intercepted or replaced,
  putting soldiers at risk
Attacking Critical Infrastructure

• Power, water, fuel,
  communications, commercial
  and transportation are all
  vulnerable to a cyber attack
Information Security Controls

• Two types of controls in all
  information systems
• Technical controls
• Administrative controls
• Most good systems contain a
  combination of both types of
  controls
Technical Controls
• A direct, continuous and
  unavoidable control on the use
  and distribution of data, which
  provides the following, including
  for the purposes of possible audits:
• The direct identification of each
  user in auditable form
• Keeping track, with auditable
  evidence, of the accesses which
  have occurred in the relevant
  period
• The prevention and exclusion of
  any utilization of data and systems
  by subjects who are not authorized
Technical Controls - Examples

• Can you think of any technical
  controls?
• Username/Password
• Building access card
• ATM card, with PIN (dual
  factor)
Benefits of Technical Controls

• Strong and consistent, treat
  everyone equally
• Can be audited with real
  assurance of the truthfulness
  of the data
Drawbacks of Technical Controls

• Costly
• Complex and time consuming
• When they break, they either
  fail open or fail closed, neither
  of which may be desirable
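
An added sketch, not part of the original lecture, of the three properties listed for technical controls (identify each user, record every access as auditable evidence, exclude unauthorized subjects) and of the fail-open versus fail-closed choice when the control breaks. The user names, credentials and resource are constructed sample data, and the hash-chained log is one assumed way to make the access record auditable.

```python
import hashlib
import hmac
import json

# Constructed sample data (assumptions, not from the lecture).
USERS = {"alice": "badge-1001", "bob": "badge-1002"}   # user -> credential
ACL = {"alice": {"payroll.db"}, "bob": set()}          # user -> allowed resources


class PolicyStoreDown(Exception):
    """The permission lookup itself is unavailable (the control 'broke')."""


class AuditLog:
    """Append-only log. Each entry stores the hash of the previous entry, so
    an edit to an earlier entry is detected by verify(). The newest hash must
    also be kept somewhere the log writer cannot rewrite, otherwise the whole
    chain could be recomputed."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user, resource, decision, reason):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "user": user, "resource": resource,
                "decision": decision, "reason": reason, "prev": prev}
        self.entries.append({**body, "hash": self._digest(body)})

    def verify(self):
        prev = self.GENESIS
        for seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["seq"] != seq or entry["prev"] != prev
                    or entry["hash"] != self._digest(body)):
                return False
            prev = entry["hash"]
        return True


def lookup_permissions(user, store_available=True):
    """Stand-in for a directory or policy server that can be unreachable."""
    if not store_available:
        raise PolicyStoreDown("permission store unreachable")
    return ACL.get(user, set())


def request_access(log, user, credential, resource,
                   store_available=True, fail_open=False):
    """Return True if access is granted. Every decision is logged."""
    # 1. Direct identification of the user.
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected, credential):
        log.append(user, resource, "deny", "unidentified")
        return False
    # 2. Exclusion of subjects who are not authorized.
    try:
        allowed = resource in lookup_permissions(user, store_available)
        reason = "acl"
    except PolicyStoreDown:
        # The broken control must pick a side: deny everyone (fail closed)
        # or admit everyone who identified themselves (fail open).
        allowed = fail_open
        reason = "fail-open" if fail_open else "fail-closed"
    # 3. Auditable evidence of the access, granted or not.
    log.append(user, resource, "allow" if allowed else "deny", reason)
    return allowed


def demo():
    log = AuditLog()
    target = "payroll.db"
    results = [
        request_access(log, "alice", "badge-1001", target),
        request_access(log, "bob", "badge-1002", target),
        request_access(log, "mallory", "guess", target),
        request_access(log, "alice", "badge-1001", target, store_available=False),
        request_access(log, "bob", "badge-1002", target,
                       store_available=False, fail_open=True),
    ]
    return results, log


if __name__ == "__main__":
    results, log = demo()
    for entry in log.entries:
        print(entry["seq"], entry["user"], entry["decision"], entry["reason"])
    print("log intact:", log.verify())
```

The last two requests show why neither failure mode may be desirable: failing closed locks out an authorized user, while failing open admits a user the access list would have refused.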
Administrative Controls

• Using policies, procedures,
  safety signs, training or
  supervision, or a combination
  of these, to control risk.
Administrative Controls - Examples
• Can you think of any
  examples of administrative
  controls?
• Signing out a key
• Policy requiring the shredding
  of documents
• Filling out a check in sheet
  when you enter and leave a
  secure area
Benefits of Administrative Controls

• Usually inexpensive
• Easy to implement
• Very flexible
Drawbacks of Administrative Controls

• Difficult to enforce
• Difficult to audit
• Impossible to verify
• Easy to evade by a dedicated
  individual
Controls - Summary and Conclusions
• Both technical controls and
  administrative controls have
  benefits and drawbacks
• Technical controls are often used
  in highly sensitive systems
• Administrative controls are used in
  lower priority situations
• Hybrid solutions are the most
  common, placing technical controls
  at the front door and
  administrative controls behind
  them. Example: Server Platform
Cyberwar Video

• When watching this video, think
  about the following:
• How real is the threat of
  Cyberwar?
• How does the application of
  Prospect Theory relate to the
  threat of Cyberwar?
• What types of technical and
  administrative controls might help
  mitigate the risks posed by cyber
  attack?
Readings on Cybersecurity

• Might give you some things to
  think about when writing
  Assignment #1
• Cyberwar – Myth or Reality
• Make Vendors Liable for Bugs
• The Truth About Chinese
  Hackers
