commercial and government cyberwarfare
TRANSCRIPT
![Page 1: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/1.jpg)
Information Systems 365/765Lecture 2
Commercial and Government Cyberwarfare
![Page 2: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/2.jpg)
Today – Cyber-warfare
• Discuss “How to Sell Information Security” article• Introduction to Cyberwar• Discuss technical vs. administrative controls• Watch Frontline video• Discuss written assignment #1
![Page 3: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/3.jpg)
Prospect Theory
• People react differently to risk and guaranteed outcomes based on whether those outcomes are positive or negative. Known as the Prospect Theory S-Curve
![Page 4: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/4.jpg)
Prospect Theory
• If someone offers you a guaranteed $500 or a 50% chance at winning $1000, studies show that people tend to pick the guaranteed $500
![Page 5: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/5.jpg)
Prospect Theory
• If someone told you that you had to surrender $500 or take a 50% chance of surrendering $1000, most people would tend to take the risk of losing $1000 rather than the fixed $500 loss
![Page 6: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/6.jpg)
Prospect Theory
• When it comes to gain, people are risk averse
• When it comes to loss, people embrace risk
• What does this mean for IT security, which is almost always sold based on potential to avoid loss?
![Page 7: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/7.jpg)
How to Sell Information Security
Prospect Theory inrelation to informationsystems security, thebattle of cost, risk andfeatures.
The constant of battleof proving ROI
The challenges ofLayering security onafter the sale:cost, complexity ofadministration andtrue usefulness.
![Page 8: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/8.jpg)
How to Sell Information Security (DISCUSSION)
• What has your personal experience been with security add on products?
• How do you feel about paying for virus scanning, when you already paid for the Operating System?
• If you were selling a system which required a security add on component, what approach would you take?
• As an IS security decision maker, what approach would you take with your vendors?
![Page 9: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/9.jpg)
Security Technologies are Exciting, But…
In this class you will get handson experience with powerfulmilitary grade encryptiontechnology, you willuse automated Rainbow Tablesto crack top level AdministratorPasswords and you will learnhow to sniff network traffic!
But, we have to start at the beginning, bygaining an understanding of the threats.
![Page 10: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/10.jpg)
Cyberwar
• Cyber-warfare (also known as cybernetic war, or cyberwar) is the use of computers and the Internet in conducting warfare in cyberspace.
![Page 11: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/11.jpg)
Types of AttacksCyber Espionage
The act or practice of obtaining secrets(sensitive, proprietary of classifiedinformation) from individuals,competitors, rivals, groups,governments and enemies formilitary, political, or economicadvantage using illegal exploitationmethods via the internet, networks,software and or computers.
![Page 12: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/12.jpg)
Web Vandalism – The Weapon of Mass Irritation
• Attacks that deface web pages, or denial-of-service attacks. This is normally swiftly contained and of little harm.
• Distributed Denial-of-Service Attacks: Large numbers of computers in one country launch a DoS attack against systems in another country.
![Page 13: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/13.jpg)
Gathering Sensitive or Proprietary Information
• Classified information that is not handled securely can be intercepted and even modified, making espionage possible from the other side of the world. See Titan Rain and Moonlight Maze.
• Encryption!
![Page 14: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/14.jpg)
Equipment Disruption
• Military and commercial activities that use computers and satellites for co-ordination are at risk from this type of attack. Orders and communications can be intercepted or replaced, putting soldiers at risk
![Page 15: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/15.jpg)
Attacking Critical Infrastructure
• Power, water, fuel, communications, commercial and transportation are all vulnerable to a cyber attack
![Page 16: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/16.jpg)
Information Security Controls
• Two types of controls in all information systems
• Technical controls• Administrative controls• Most good systems contain a
combination of both types of controls
![Page 17: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/17.jpg)
Technical Controls• A direct, continuous and
unavoidable control on the use and distribution of data which allows, also for the purposes of possible audits, the following:
• The direct identification of each user in auditable form
• Keeping track, with auditable evidence, of the accesses which have occurred in the relevant period
• The prevention and exclusion of any utilization of data and systems by subjects who are not authorized
![Page 18: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/18.jpg)
Technical Controls - Examples
• Can you think of any technical controls?
• Username/Password• Building access card• ATM card, with PIN (dual
factor)
![Page 19: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/19.jpg)
Benefits of Technical Controls
• Strong and consistent, treat everyone equally
• Can be audited with real assurance of the truthfulness of the data
![Page 20: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/20.jpg)
Drawbacks of Technical Controls
• Costly• Complex and time consuming• When they break, they either
fail open or fail closed, neither of which may be desirable
![Page 21: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/21.jpg)
Administrative Controls
• Using policies, procedures, safety signs, training or supervision, or a combination of these, to control risk.
![Page 22: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/22.jpg)
Administrative Controls Examples
• Can you think of any examples of administrative controls?
• Signing out a key• Policy requiring the shredding
of documents• Filling out a check in sheet
when you enter and leave a secure area
![Page 23: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/23.jpg)
Benefits of Administrative Controls
• Usually inexpensive• Easy to implement• Very flexible
![Page 24: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/24.jpg)
Drawbacks of Administrative Controls
• Difficult to enforce• Difficult to audit• Impossible to verify• Easy to evade by a dedicated
individual
![Page 25: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/25.jpg)
Controls - Summary and Conclusions
• Both technical controls and administrative controls have benefits and drawbacks
• Technical controls are often used in highly sensitive systems
• Administrative controls are used in lower priority situations
• Hybrid solutions are the most common, placing technical controls at the front door and administrative controls behind them. Example: Server Platform
![Page 26: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/26.jpg)
Cyberwar Video
• When watching this video, think about the following:
• How real is the threat of Cyberwar?• How does the application of
Prospect Theory relate to the threat of Cyberwar?
• What types of technical and administrative controls might help mitigate the risks posed by cyber attack?
![Page 27: Commercial And Government Cyberwarfare](https://reader036.vdocument.in/reader036/viewer/2022062418/556412a5d8b42a0d0c8b534d/html5/thumbnails/27.jpg)
Readings on Cybersecurity
• Might give you some things to think about when writing Assignment #1
• Cyberwar – Myth or Reality• Make Vendors Liable for Bugs• The Truth About Chinese
Hackers