Cyber Security Gustav Lindstrom 10 May 2012

Upload: richard-richards

Post on 23-Dec-2015


Cyber Security

Gustav Lindstrom

10 May 2012


Structure of the presentation

1. Why should we care about cyber security?

2. What is the scope of the threat?

• Micro level
• Macro level

3. What are we doing about it?

4. What are outstanding issues?


Why should we care about cyber security?

• A growing number of individuals use the Internet
– 361 million users in 2000, about 2.27 billion today (www.internetworldstats.com/stats.htm)

• The number of applications is increasing
– Video, voice, and e-services (commerce, banking, government)

• A growing reliance on computer networks magnifies vulnerabilities to individuals and society
– Risks of “cascading effects” across critical infrastructures

• Malicious cyber activities are becoming more sophisticated and easier to execute


Who may threaten cyber security?

| Group | Motivation | Type of attack |
| --- | --- | --- |
| Script kiddies | Curiosity / Reputation | Readily available software |
| Hackers | Challenge of breaking new defences; Financial gain | Use of automated tools; potential for co-ordinated attacks |
| Insiders | Revenge / extortion | Multiple possibilities |
| Hacktivists | Propaganda (pol, soc, econ, relig) | Same as script kiddies / hackers |
| Criminal groups | Financial gain | Phishing, pharming, spam |
| Spyware/malware authors | Mainly financial gain | Same as criminal groups |
| Bot-net operators | Financial gain; Cause disruption / damage | Use of remotely controlled systems |
| Terrorists | Propaganda (pol, soc, econ, relig.); Cause disruption / damage | Multiple possibilities, including attacks on critical infrastructures |
| Nation-states | Cause disruption / damage; Espionage / gather intelligence | Multiple possibilities |

Sources: Baldi, Gelbstein, and Kurbalija. Hacktivism, Cyber-Terrorism, and Cyberwar, 2003 and GAO Report “Cyberspace”, GAO-10-606, July 2010.


Micro / “personal” level challenges


What are examples of malware and associated attack techniques?

Examples of malware (malicious software)

• Virus – attached to programmes or files and requires human action to spread from computer to computer
• Worm – can replicate itself, and is thereby able to spread without human interaction
• Trojan horse – a programme that hides harmful code – it is often made to look like a useful programme
• Logic bomb – code that causes a program to perform an action after a triggering event
• “Blended threats” – may combine aspects of a virus, worm, Trojan horse, or other malicious code

Examples of attack techniques

• Distributed Denial of Service attack
• Phishing and Pharming
• Sniffing and “war driving”


What are trends in new malicious code signatures?

Source: Symantec Global Internet Security Threat Report, April 2010.

[Figure: bar chart. x-axis: Year (2002–2009); y-axis: Number of new threats (0 to 3,500,000). Values shown: 2002: 20,254; 2003: 19,159; 2004: 74,981; 2005: 113,081; 2006: 167,069; 2007: 708,742; 2008: 1,691,323; 2009: 2,895,802]


What were some of the main threat trends in 2009?

• An average of 46,541 active bot-infected computers per day in 2009 (38% decrease from 2008)

• Most bot-infected computers were located in the United States, accounting for 11% of the worldwide total

• Of the top 10 new malicious code families detected in 2009, six were Trojans, two were worms with back door components, one was a worm, and one was a virus

• 59,526 phishing website hosts were detected, an increase of 7% from 2008

[Symantec Global Internet Security Threat Report, April 2010]


In 2009, what was the country breakdown of malicious activity?

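The five right-hand columns give each country's 2009 activity rank per category.

| Overall rank ‘09 | Overall rank ‘08 | Country | Malicious code | Spam zombies | Phishing hosts | Bots | Attack origin |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | 1 | United States | 1 | 6 | 1 | 1 | 1 |
| 2 | 2 | China | 3 | 8 | 6 | 2 | 2 |
| 3 | 5 | Brazil | 5 | 1 | 12 | 3 | 6 |
| 4 | 3 | Germany | 21 | 7 | 2 | 5 | 3 |
| 5 | 11 | India | 2 | 3 | 21 | 20 | 18 |
| 6 | 4 | UK | 4 | 19 | 7 | 14 | 4 |
| 7 | 12 | Russia | 12 | 2 | 5 | 19 | 10 |
| 8 | 10 | Poland | 23 | 4 | 8 | 8 | 17 |
| 9 | 7 | Italy | 16 | 9 | 18 | 6 | 8 |
| 10 | 6 | Spain | 14 | 11 | 11 | 7 | 9 |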

Source: Symantec Global Internet Security Threat Report, April 2010.


What are examples of risks at the “personal” level?

• Use of unprotected networks in the home or office

• Use of unprotected systems (cyber café, hotels, etc.)

• Provision of sensitive information via social networks

– Example of geotags

• Use of suspicious hardware (e.g. USB flash drive)

• Risks associated with the disposal of hardware


How are “old” threats evolving? (I)

-----Original Message-----
From: [email protected]
Sent: 13 August 2010 05:30
To: undisclosed-recipients
Subject: Reference

Dear Partner,

This is an urgent issue which may get your attention to know, The Thai Criminal Court has issued an arrest warrant for Thaksin Shinawatra on terrorism charges for allegedly involving in the red protests in Bangkok. I am sending you this email base on the instructions giving to me by my client Thaksin Shinawatra to kindly urge you to cooperate with my client as he urgently needs your assistance in move/transferring part of his fund under your custody for safe keeping or further business investment…

View More Of The Story Here:http://news.bbc.co.uk/2/hi/asia-pacific/1108114.stm

He instructed me as his Britain counsels to carry out this investment/safe keeping plan which involve $15Million USD under your custody from one of his offshore private security account

Finally, be mindful that nobody here knows that I contacted you for this business deal. To this effect you should please keep this letter confidential whether you are interested or not and also note that you have noting to worry about on this project as everything is kept safe and legal.

Yours Sincerely,

Mr. YYYYY YYYYYY
Address line 1
Address line 2
Address line 3

Tel: +44 792 458 1639 [email protected]


How are “old” threats evolving? (II)

From: xxx xxxx [[email protected]]
Sent: Wednesday, May 09, 2012 1:13 PM
To: xxx [email protected]
Subject: urgent

please take this email serious. i need help, am stuck in London for now because i was mugged and i lost my credit card and my phone and since then i have been without money, I was thinking of asking you to lend me some funds 2550 British pound sterling or any amount you can lend me that I can refund you back as soon as I return back home. 


Macro / strategic level challenges


What are the national security implications of cyber threats?

Several countries targeted over the past few years

• Estonia (April-May 2007)
• Lithuania (June-July 2008)
• Georgia (August 2008)
• South Korea (July 2009)
• United States (July 2009)
• Iran (July 2010)
• Internal censuring – e.g. China, Iran, Syria, Egypt

Effects vary according to the size and scope of the attack

• May have implications for critical infrastructures. The 2007 attacks in Estonia affected key services such as banking and e-government.
• May impact information and communication services
• May result in the loss of classified or protected information


What are other potential challenges to national security?

• Targeting of critical infrastructures / combined attacks

• Rise of offensive cyber capabilities - from jamming capacity to denial of Internet access for national security reasons

• Presence of tampered hardware - e.g. computer chips

• “New” vulnerabilities to C4I systems

– UAV video feeds
– Computer systems (GhostNet)
– Tampering with the physical backbone of the Internet – e.g. submarine cables


What is being done to address cyber threats?

Technical Level

Preventive Measures
• Awareness raising (e.g. http://howsecureismypassword.net/)
• Installation of protective software
• Use of black and white lists
• Use of open source software
• Introduction of IPv6

Consequence Management
• Increasing bandwidth
• Filtering incoming traffic
• Blocking access
• Shifting server usage

Institutional Level

Preventive Measures
• Establishment of CERTs
• Creation of specialised agencies (e.g. ENISA)
• Use of exercises (e.g. Cyber Storm)
• Introduction of legislation and conventions
• Public – private co-operation

Consequence Management
• Use of CERTs / CSIRTs
• National and international co-operation – including information sharing
• Application of legislation
• Co-operation across national and international organisations


What are examples of outstanding challenges?

1. Raising awareness about cyber security threats (government, business sector, individual users)

2. Creating international norms & standards and discussions about applicability of international law

3. Strengthening attribution capabilities, which may help identify perpetrator(s)

4. Identifying the impact of new technologies on cyber security

5. Exploring governance models for the Internet - should it be centralised or kept open?

6. Improving the measurement / understanding of cyber crime