Francesca Bosco, Le nuove sfide della cyber security
Le nuove sfide della cybersecurity: Internet for peace...o for war? Ms. Francesca Bosco Project Officer Interregional Crime and Justice Research Institute (UNICRI) 01 Aprile 2011 Università degli Studi di Milano Bicocca
Vulnerability:root causes• A highly interconnected system of general purpose computers, not designed with security in mind – vulnerable software provides “launch pads” for easy propagation of attacks – erosion of the traditional perimeter (access systems and data “anytime, anywhere”)• Shift from“attacks against networks” to “attacks against (web) applications” and “attacks against users and data”• Insufficient security awareness of (some) application developers and end users
Example: How Vulnerable are UN Systems ?-which system? – publicly accessible websites – central internal applications (IMIS, email, etc.) – end user systems (desktops, laptops, BB, etc.)-which threat? – denial of service – “defacement” – abuse / threat to third parties – “APT” type attacks
State of PlayUN systems are frequently attacked – defacements (political, “commercial”) – abuse of web sites to disseminate “malware” – abuse of email systems to send spam/fraudulent email – forging of UN email addresses to commit fraudSeveral known examples of “APT” type attacks – very credible email messages – attachments deemed safe by Anti-Virus software – successful compromise of a single computer leads to further compromises on internal networks
Current situation:general• All systems are “compromisable”; perfect security is unattainable• Objective is to continue safe operation in a compromised environment, to have systems that are defensible, rather than perfectly secure• Cybersecurity is an adversarial science
Evolution of the threat landscape Mobile threats – voracious malware targeting mobiledevices and the proliferation of mobile banking. (More) Web 2.0 malware – Attackers leveraging SocialNetworks. Attackers exploiting the erosion of network boundariesafter the adoption of cloud computing. Highly-motivated attackers with strong logistic orfinancial support.
Top 5 security threats for 20111) Traditional malwareTraditional malware will remain the primary mechanism of distributing software to computers on theinternet. Recent numbers indicate roughly 55,000 new malware pieces identified every day, whichcontinues the exponential growth pattern into 2010. This trend will only continue.2) Shift to advanced persistent threat (APT)Attacks will be more advanced, targeted at a specific institution with a goal to acquire specific data.Often described as Advanced Persistent Threat (APT), these attacks are designed to infiltrate anorganisation, hop the firewall and acquire a target. Once the software gets behind the firewall, it hopsaround the organisation investigating and gathering information about the internal system. It then usesthis information to gain privileged access to critical information (e.g., transactions processing,customer lists or HR records) and begins stealing sensitive data. Without proper monitoring in place, itcan be weeks or months before an organisation detects that it is under attack.3) Focus on finance, hospitality and retailFinancial services, hospitality and retail industries will face an increased number of threats. As datafrom the 2010 data breach report issued by the Verizon RISK team and the U.S. Secret Serviceshows, these three industries combined currently represent 71% of all data breaches.4) Mobile devices increase vulnerabilitiesSeven out of ten companies still don’t have explicit policies outlining which devices can be logged onto the network or on working in public places. As more people work and access information remotely,the threat levels from existing vulnerabilities will increase and new ones will appear.5) Hactivism as a new type of threatThe most visible example of hactivism were the recent attacks by Anonymous, a group that targetedMasterCard, Visa and PayPal after those companies cut off financial services to WikiLeaks. We maysee more of these types of attack by groups representing political and environmental organisations.
What is Cyber Security?Cyber security refers to measures for protecting computer systems, networks, andinformation systems from disruption or unauthorized access, use, disclosure,modification, or destruction.The basic objectives of Cyber Security are to ensure the Confidentiality, Integrity,and Availability of data.
What is Cyber Security?Confidentiality has been defined by the International Organization for Standardization (ISO) as "ensuring that information is accessible only to those authorized to have access" and is one of the cornerstones of information security. Confidentiality is one of the design goals for many cryptosystems, made possible in practice by the techniques of modern cryptography.Integrity of the information implies that the data in question has not been tampered with through accidental or malicious activity. Source integrity also plays into this - ensuring that any piece of data actually came from the source claimed and not a "man-in-the-middle" or third party.Availability means that the information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning correctly when the information is needed = timely, reliable access to data and information services for authorized users.
Information security incidents• Information Security Incident: – an attempted or successful unauthorized access, use, disclosure, modification or destruction of information; – interference with the operation of ICT resources; or – violation of explicit or implied acceptable usage policy (as defined in ST/SGB/2004/15)• Classification by common observable elements: § - Agent (internal/external)- Action § - Asset - Attribute• does not include “motive” or “attributable source”
Cybersecurity as a Balancing ActInvestigative readiness vs. PrivacyAvailability vs. SecurityRegulation vs. InnovationEnterprise vs. ProtectionHow can we make the Internet and our “Cyber -Assets” safer without sacrificing simplicity, privacy or availability?
Why do we need to talk about it?Government agencies constantly face cyber attacksBusinesses are losing revenue to cybercriminalsUsers are being targeted for their Personal Identifiable Information (PII)Cybersecurity is a global issue, which can only be solved with global solutions Need for increased cooperation and coordination at the global level International community must work together to ensure a coordinated response.
Information technology...for war?• Military history scholars argue that warfare has shifted towards a Fourth Generation of Warfare• Technology not only enables asymmetry in power relations, but can also be used to overcome it, undermining the enemy from within• Information Age, military operations have been impacted and transformed. Likewise no civil society sector has remained immune from the information revolution. The ―national information infrastructure- (NII) is defined as the set of information systems and networks on which a nation depends to function• In net-wars the confrontation takes place between “states and non- state actors, non-state actors that use states as arenas, or states that use non-state actors as their proxies”
What’s cyberwarThe United Nations Institute of Training and Research defines cyberwar as:―The deliberate use of information warfare by a state, using weapons such as electro-magnetic pulse waves, viruses, worms, Trojan horses, etc., which target the electronic devices and networks of an enemy state-Richard Clarke, a U.S. government security expert, defines cyberwar as:―Actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.
Cyber Warfare & Cyber TerrorismCyber Warfare and Terrorism is one of the fifteenmodalities of UnRestricted Warfare (URW) alsocalled asymmetric warfare.Cyber Warfare & Terrorism “The premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives. Or to intimidate any person in furtherance of such objectives.” Source: U.S. Army Cyber Operations and Cyber Terrorism Handbook 1.02
CyberterrorismCyberterrorism is a phrase used to describe theuse of Internet based attacks in terrorist activities,including acts of deliberate, large-scale disruptionof computer networks, especially of personalcomputers attached to the Internet, by the meansof tools such as computer viruses.Cyber terrorism is generally understood as the crossing over ofterrorism and cyberspace. This leads to unlawful attacks and threats ofattacks against computer, networks and the info stored therein.
What’s cyberterrorismControversial term !!!!!First we need to clarify: Terrorist use of the Internet v Cyber Terrorism
Focus THE INTERNET: AN ATTRACTIVE ARENA FOR TERRORIST PUBLICITYThe internet is an ‘informational weapon’ for terrorists, as it provides: Easy access A decentralised structure Little or no regulation, censorship, or other forms of government control Potentially huge audiences spread throughout the world Anonymity of communication Fast flow of information Inexpensive development and maintenance of web presence A multimedia environment (the ability to combine text, graphics, audio, video, and allow users to download films, songs, books, posters etc) The ability to shape coverage in the traditional mass media Source: “www.terror.net: How Modern Terrorism Uses the Internet” by Prof. Gabriel Weimann
FocusTERRORIST PURPOSES IN USING THE INTERNET Data Mining (using the internet to collect intelligence) Training Fundraising Networking Recruitment and Radicalisation The internet is an important source for discovering and grooming potential jihadists Publicity
FocusMAIN AREAS OF CYBER PRESENCEMass mediaOfficial ‘jihadist’ websites A well-designed and well-maintained Web site gives a group an aura of legitimacy and increasingly attracts attention from the mass media in and of itselfUnofficial websites Forums and blogsDistributor sitesVideo sites Youtube and liveleak
Focus OBJECTIVES OF ONLINE TERRORIST PUBLICITY 1. To wage psychological warfare (through terror) and advance a causeTerrorist use internet publicity to:• amplify panic• spread fear• facilitate economic loss (eg. scaring awayinvestment and tourism)• make populations loose faith in theirgovernments ability to protect them• trigger government and popular overreaction tospecific incidents and the overall threat ofterrorism
Focus OBJECTIVES OF ONLINE PUBLICITY2. To gain sympathy and support of their cause The Internet has significantly increased the opportunities for terrorists to secure publicity for their ideological causes and spread propaganda. The Internet has become a virtual library of terrorist material, granting easy access to everything from political, ideological and theological literature, via fatwas and khutbas, to videos of assaults and attacks, and even video games.
When does a computer attack become an act of terrorism or of war? Information warfare, in information technology, is that series of actions aimed at exploiting, corrupting, wasting or destroying the information or informationresources of the enemy in order to achieve a significant advantage, using the same weapon.
Modern Weapons EconomicsWhat does a stealth bomber cost? $1.5 to $2 billionWhat does a stealth fighter cost? $80 to $120 millionWhat does a cruise missile cost? $1 to $2 millionWhat does a cyber weapon cost? $300 to $50,000
Interesting QuoteNATOs cyber defense chief has warned thatcomputer-based terrorism poses the same threatto national security as a missile attack. He went onto say that “Cyber war can become a veryeffective global problem because it is low-risk,low-cost, highly effective and easily globallydeployable. It is almost an ideal weapon thatnobody can ignore.“Using this as a framework, we can put into contextthe evolving architecture for cyber weapons.
How to build a cyber weapon: Cyber Weapons Design-1Cyber Weapon – Delivery Vehicle There are numerous methods of delivering cyber weapons to their targets. Emails with malicious code embedded or attached is one mechanism of delivery. Another delivery vehicle is web sites that can have malicious links and downloads. Hacking is a manually delivery vehicle that allows a cyber soldier to place the malicious payload on a target computer, system or network. Counterfeit hardware, software and electronic components can also be used as delivery vehicles for cyber weapons.
Cyber Weapons Design-2Cyber Weapon – Delivery Vehicle Just as a navigation system guides a missile, it allows the malicious payload to reach a specific point inside a computer, system or network. System vulnerabilities are the primary navigation systems used in cyber weapons. Vulnerabilities in software and computer system configurations provide entry points for the payload of a cyber weapon. These security exposures in operating systems or other software or applications allow for exploitation and compromise. Exploitation of these vulnerabilities may allow unauthorized remote access and control over the system.
Cyber Weapons Design-3Cyber Weapon – Delivery Vehicle The payload of a missile is sometimes called a warhead and is packed with some type of explosive. In a cyber weapon the payload could be a program that copies information off of the computer and sends it to an external source. It can also be a program that begins to ease or alter information stored on the system. Finally, it can allow remote access so that the computer can be controlled or directed over the internet. A “bot” (a component of a botnet) is a great example of a payload that allows remote use of the computer by an unauthorized individual or organization.
Cyber Weapons Design-4Cyber Weapon – Architecture This three element architecture demonstrates how advanced and sophisticated cyber weapons are becoming. The architecture creates reusability and reconfiguration of all three components. As one software or system vulnerability is discovered, reported and patched, that component can be removed and replaced while the other two components are still viable. This not only creates flexibility but also significantly increase the productivity of the cyber weapons developers.
Recent events discussed on the media• Cyber Attack on Estonia [April 2007] – sometimes referred to as “Web War 1” – sophisticated and large set of denial of service (DoS) attacks on Estonian parliament, banks, ministries, newspapers, other web sites – severe effect on above institutions for approximately three weeks• Cyber Attack against Georgia [August 2008] – denial of service against gov’t web sites – concurrent with armed conflict• Advanced Persistent Threat (APT) [December 2009] – (a.k.a. “Google war”) – “deep infiltration” of several technology providers• Stuxnet [June 2010] – technically highly sophisticated “malware” that appears to target Iranian nuclear facilities
Estonia depended largely on the Nearly every bank in the United The U.S. isinternet because of the countrys States runs its operations on an increasingly"paperless government" and web- internal network that connects to dependent on "...based banking. If these services are the Internet the unimpededmade slower, we of course lose Sandeep Junnarkar and secure flow CNET News, 2002 of technology.“economically Mihkel Tammet, head of CIA Report IT security at the Hackers are intensifying Cyber Threats and Estonian defence ministry, 2007 the US Economy, their efforts to 2007 compromise social- networking sites using unsecure Web 2.0 With global attacks on data networks Jon Swartz increasing at an alarming rate, in a more USA TODAY, 2008 organized and sophisticated manner, and….repercussions go beyond the loss of often originating from state-sponsoredpersonal data, security experts say. As sources, there is precious little time to lose.more consumers are victimized, it could Tim Bennett, president of theundercut their confidence in legitimate Cyber Security Industry Alliance, 2008websites Billy Hoffman, manager of Hewlett-Packard Security Labs Several nations, including China and Russia, “have the technical capabilities to target and disrupt elements of the U.S. information infrastructure and for intelligence…regarding counter-terrorism must be pursued collection.”“Information sharing with our allies and Mike McConnell, Director of National Intelligencepartners to support counter-terrorist operations during the Senate Intelligence Committeeoverseas”; The National Security Strategy of the United Kingdom - Security in an interdependent world
Stuxnet Iran was prime target of SCADA worm July 23 2010 http://www.computerworld.com/s/article/9179618/Iran_was_prime_target_of_SCADA_worm The First Cyber Attack Specifically Targeting Control Systems According to antivirus company Symantec Corp., Stuxnet looks for industrial control systems and thenchanges the code in them to allow the attackers to usurp controls of industrial equipment such as sensors, actuators, pumps, and valves without the operators knowing. “Stuxnet searches for industrial control systems, often generically (but incorrectly) known as SCADA systems, and if it finds these systems on the compromised computer, it attempts to steal code and design projects,” Symantec explained. “It may also take advantage of the programming software interface to also upload its own code to the Programmable Logic Controllers (PLC), which are ‘mini-computers’, in an industrial control system that is typically monitored by SCADA systems.” Very complex Windows-specific computer worm that infects computers and connected industrial controlequipment (PLCs) First known worm to attack industrial infrastructure Spreads through USB thumb drives as well as network connections Utilizes four “zero-day” exploits Uses stolen valid security certificates Initial high rate of infection in Iran, specifically found at nuclear facilities May be government (Israel, US, UK?) attempt to damage Iranian nuclear facilities Unclear if delay or damage actually occurred Worm has spread to many other countries (including large infection of Chinese systems)
Focus SCADA: Why do I care?SCADA systems are essentially the arteries of national infrastructure, the behind-the-scenes devices that make our day to day life convenient and safe. Any disruption couldlead to major inconvenience, or even loss of life…The dangers inherent in obscure or rustic SCADA architectures are very real, and novendor or governmental body responsible for NCIs can afford to let a lack ofcommunication be an excuse for passivity…
FocusSCADA • Supervisory Control And Data AcquisitionNCI • National Critical InfrastructureOther terms: • ICS – Industrial Control Systems • PCS – Process Control System - Also known as Distributed Control System (DCS)SCADA Generations and Evolution: 1. Monolithic – Mainframe computing, limited to no connectivity. 2. Distributed – Proprietary networking technology led to increased efficiency and redundancy due to real-time information sharing and specialization of tasks. 3. Networked – Transition to modern, °open° networking standards such as IP (Internet Protocol) and the deployment of “thin clients” and web applications to facilitate operations.
Focus NCI ExamplesModern NCIs can be resumed as: Food Agricultural and processing industry Food safety Food distribution Water Drinking water treatment Wastewater management Transportation Air Land (rail, roads) Marine
Focus NCI ExamplesModern NCIs can be resumed as: Safety Chemical, biological, radiological and nuclear safety Hazardous materials Emergency services (police, fire, amublance, etc) Manufacturing Chemical industry Defense industrial base
Cybersecurity: What we’re doing wrong1) We tend to seek a “centralized” solution to what is a very multi-dimensional problem with hidden interdependencies.2) Opacity – We are not enforcing enough transparency nor regulating the disclosure of data breaches.3) We aren’t moving away from a purely technical view towards a global shared approach with Political Vision, Strategy, Policies and Standards.
Cybersecurity: What we’re doing right1) Public – Private Partnerships2) Developing technical solutions.3) Information exchange and awareness raising at various levels.
Why cybersecurity partnership matters• Public and private sectors need to share more information--more parties must be included and new platforms used.• They must pay more attention to defending against attacks that threaten critical IT infrastructure and even damage physical facilities• Much of the activity revolves around information sharing in key industries.• Their collaboration must be ratcheted up to the next level--real-time identification and response as threats occur and, more to the point, "moving security practices from a reactionary posture to one thats proactive and pre-emptive"
ExampleCritical Infrastucture Protection in the US (1996-2010)
Example Critical Infrastucture Protection in Italy (2010)• Information security is an integral part of the e-government 2010 plan• 2010-A Technical group was established, under the Presidency of the Council of Ministers, to “foster coordination at the national and international level with regard to critical infrastuctures and its protection from cyberattacks”• June 2009-Centro nazionale anticrimine informatico per la protezione delle infrastrutture critiche (CNAIPIC)• In 2007, the Bank of Italy approved a set of guidelines to ensure continuity for the main financial actors, in case of cyberattack.
Creating a culture of security Despite our best efforts over the years, we need a new,comprehensive doctrine and perspective to face the innovative threats.
1.Towards a new Policy FrameworkRecognise the Internet as a key infrastructure in addressing mainstream policy challenges (e.g. ageing, health, environment, globalisation…)Reaffirm fundamental principles (e.g. privacy, security, policies to promote broadband access on fair terms and competitive prices…)Recognise the Internet as an agent of change and foster an enabling environment so that it can make positive contributions
2. Building ConfidenceThe Internet reflects the real world – shapes it and is shaped by it – and has a darkside. Confidence and trust in the Internet and about its vulnerability to events,both accidental and malicious.Issues: Multilateral efforts to ensure the security and integrity of the Internet have been limited We need to embed privacy protection in the design of applications and devices (social networking sites; profiling and advertising; geolocation; sensors and RFID) We need to identify and enforce the rights and obligations to protect digital identity Security Considerations: (i) technical – diffusion of traffic rather than optimisation of traffic for DoS; security of connection (SSL) vs. authentication of content; use of virtual machines (ii) social -- Co-operation to protect availability, integrity, confidentiality (security) Protect and inform consumers, redress and enforcement of consumer protection measures, including across jurisdictional borders Rising concerns regarding “cybersecurity”.
3.Public-Private Partnerships (PPP)To emphasize: Both the private sector and thepublic sector have crucial roles to play. Theprivate sector leads, the government enables. It is important that both agree and are aware of their respective roles.
International cooperation The European Convention on cybercrime• The Council’s of Europe Convention on Cybercrime was opened for signatures on the 23rd of November 2001.• In January 2003, an additional Protocol was adopted, concerning the criminalization of acts of racism and xenophobia committed through computer systems. This protocol has not been signed by several states and has not yet entered into force.• At the present time, 46 States among Member and non-Member States of the Council of Europe signed the Convention• Italian ratification: 2008
Why Council of Europe Convention on cybercrime? The only multilateral treaty dealing with cybercrime matters already implemented in many countries while others are taking into consideration to become Party A guideline for drafting the legislation on cybercrime Provides important tools for law enforcement to investigate cybercrime Ensure adequate protection of human rights and liberties according to the relevant international documents Flexible mechanisms to avoid conflicts with national legislations and proceedingsCC provides for countries: Coherent national approach to legislation on cybercrime Harmonisation of criminal law provisions on cybercrime with those of other countries Legal and institutional basis for international LE and judicial cooperation with other parties Participation in the Consultations of the Parties The treaty as a platform facilitating public-private cooperationSource:COE Convention provides global standards and a framework for an effective fast international cooperation October, 2008
Legal What needs to be done next• Develop international law to accommodate cyber warfare offensive and defensive activities, thus making it operative for the cyber age.• In that regard, elaborate on the UN Charter in the direction of topical interpretations: Define Article 2 armed attack and Article 51 limits of self-defense, define the concept of cyber weapon, define operational modes for Chapter VII action in case of cyber attack, develop and analyze scenarios of cyber war and cyber terrorism with a view to their legal consequences.• Drawing upon NATO’s Strasbourg/Kehl Summit Declaration, and previous NATO work in analyzing gaps in the international legal framework with respect to collective response, develop proposed amendments to NATO Treaty definitions of armed attack and territorial integrity and clarification of collective responses to accommodate collective cyber activities, self defence actions, and communication requirements.• Encourage the ratification of the Council of Europe Convention on Cybercrime (“Convention”) and internal implementation by signatory states, and, where this does not obtain, encourage the harmonization of cybercrime laws (substantively and procedurally) around the globe consistent with the Convention and the cybercrime laws enacted in developed nations.
What needs to be done nextTechnical• Develop enterprise level security metrics so security progress can be measured• Enable time-critical system availability and resiliency across distributed systems.• Improve the ability to track and trace cyber communications to enable source identification (accountability) and use of digital assets by technical means• Improve transparency of network operations to enable visibility of activities, knowledge of status of operations, and identification of issues as a diagnostic tool to enhance security.• Develop digital identification mechanisms to protect and advance the interconnection of devices, information, and networks.• Address the security challenges of mobile/wireless systems. The widespread and exponential deployment of such devices and systems presents security challenges in and of themselves and the risks they present to interconnected systems and devices.
It’s a Collective Effort: ExampleShared datasetsRed TeamingSystem stress testsShared common problem to tackle… Academia ecosystem Industry GovernmentNew models of engagementSustained investment modelsLightweight submission and reporting…
“The pursuit of peace and progress cannot end in a few years in either victory or defeat. The pursuit of peace and progress, with its trials and its errors, its successes and its setbacks, can never be relaxed and never abandoned.”Dag Hammarskjold, UN Secretary-General, 1953 - 1961 58
Q&A Only by joining forces and bringing together ourstrategic capabilities will we be able to address current and emerging cyberthreats !
Ms. Francesca BoscoProject officer on CybercrimeEmerging Crimes UnitE-mail: bosco@UNICRI.it Thank youwww.unicri.it for your attention.http://www.unicri.it/wwd/cyber_crime/index.php