dr craig s wright global institute for cyber security: how cyber terror and cyber espionage will...
DESCRIPTION
Dr Craig S Wright, Vice President, Australia – Asia Pacific, Global Institute for Cybersecurity & Research delivered this presentation at the 2013 Corporate Cyber Security Summit. The event examined cyber threats to Australia’s private sector and focussed on solutions and counter cyber-attacks. For more information about the event, please visit the conference website http://www.informa.com.au/cybersecurityconference
TRANSCRIPT
![Page 1: Dr Craig S Wright Global Institute for Cyber Security: How cyber terror and cyber espionage will change the face of SCADA in the coming decade](https://reader033.vdocument.in/reader033/viewer/2022050701/54b70e3f4a79594a478b47db/html5/thumbnails/1.jpg)
Who is out there?
Securing your system from future security threats
Presented by: Dr. Craig S Wright GSE LLM
Exec VP Strategy
Craig S Wright
School of Computing and Mathematics
Charles Sturt University, NSW 2678
Who is out there?
Securing your system from future security threats
Melbourne
Outline
• We look at the economics associated with botnets.
• This research can be used to calculate territorial sizes for online criminal networks.
• We look at the decision to be territorial or not from the perspective of the criminal bot-herder.
• This is extended to an analysis of territorial size.
• The criminal running a botnet seeks to maximize profit.
SCADA Vulnerabilities
• As we know…
• Supervisory Control And Data Acquisition (SCADA) systems are the computers that monitor and regulate the operations of most critical infrastructure industries.
Background
• Criminals defend territories in cyberspace.
• Several different territorial strategies exist for criminal groups running botnets. Each of these strategies has different benefits and costs associated with them and several of them are independent of the others.
– high-value targets (including the exfiltration of data)
– whereas others involve the use of large numbers of systems to amplify low value transactions (including SPAM transmission and DDOS attacks)
A cost-benefit analysis of criminal territory in cyber compromises
The costs of acquiring resources
The first cost aspect of creating a criminal territory results from the initial acquisition cost:
• Research,
• Reconnaissance,
• Scanning,
• Exploitation,
• Maintaining access, and
• Covering tracks.
The costs of defending resources
Once a system has been acquired it needs to be defended and exploited by the cyber-criminal.
• Any system that is not adequately defended by the attacker will eventually become a lost resource.
• Behavior of cyber-criminals may be influenced by the need to maintain access to compromised systems, scan for new systems, defend territories, defend C&C servers, and so on.
A model of territorial cybercrime
The necessity of defending a territory requires time and resources.
• The economic viability of each of these platforms varies from large collections of low-value hosts through to targeted high-value platforms.
• The advantages of a particular model will vary based on the ability of the attacker to maintain that system once it has been acquired.
Superterritories
The notion of superterritories (Verner, 1977) can be used in modelling criminal behaviour in the creation of large-scale botnets.
The overall size of criminal territory results from a compromise between the following factors:
– Acquisition needs,
– Resource maintenance needs,
– Defence costs,
– Predation pressure.
Each of these factors comes with an economic cost.
Criminal territories can be modeled as different ecosystems.
Assessing cyber security risks through conducting vulnerability analysis
• Information security is a risk function.
• Knowing the risk means coming to understand both the threat agents as well as the systems we are defending
Economic issues that arise from risk
• Economic issues that arise due to an inability to assign risk correctly.
• Externalities restrict the development of secure software
• The failure of the end user to apply controls makes it less probable that a software vendor will enforce stricter programming controls
What is the real cost of ignoring the cyber risks?
• Cyber-Criminals are Rational
• They go where the profit is greatest
• If you ignore the risk, others will not
Developing and implementing mitigation strategies to strengthen highest data security
• Security never goes away
• More and more, we are going online
• Each day, more information will be transmitted
• More critical data will be stored in the “cloud”
Rational Choice Theory
• Rationally opting for the insecure alternative:
• Negative externalities and the selection of security controls
• Relative computer security can be measured using six factors
1. What is the importance of the information or resource being protected?
2. What is the potential impact, if the security is breached?
3. Who is the attacker likely to be?
4. What are the skills and resources available to an attacker?
5. What constraints are imposed by legitimate usage?
6. What resources are available to implement security?
No Absolutes
• Security is a risk function.
• It is a game of cat and mouse
• There is not, and cannot be, perfect security
Continual monitoring and updating hardware resources to safeguard your system
• Your systems are far from the only source of data
– Think accountants
– Think lawyers
– Think partners
What are your Assets worth?
• If you are to engage in any risk exercise, you need to start thinking about what your assets are
• This includes data, business process and more
Economics rules in security
• This generates a measure of relative system security in place of the unachievable absolute security paradigm that necessarily results in a misallocation of resources.
Three areas to be concerned with
• The three concerns that make us vulnerable are:
– Human
– Design
– Software
• Only when we address each of these will we make headway
It is about good practice
• I will never know all the consequences of what I do or don’t do.
• Maybe you will be lucky, but the chances are increasing that you will be compromised
Zero risk is not practical
• Risk cannot be completely removed
• You have to accept some risk
Don't spend a $million to protect a cent
• Always consider the value of the assets that you are defending
• Look at the number of attacks (you are measuring this aren’t you?)
• Know your threats
Outliers can be predicted
• Some systems are well configured and patched.
• Others are terrible
• It all depends on what is audited
Better managed systems survive
• Displayed above we have a plot of the survival time against automated processes (green) overlaid with that of manual processes (red).
Conclusion
• Before we invest our valuable resources into protecting the information assets it is vital to address concerns such as the importance of information or the resource being protected, the potential impact if the security is breached, the skills and resources of the attacker and the controls available to implement the security.
Conclusion
The overall size of criminal territory results from a compromise between the following factors:
• Acquisition needs,
• Resource maintenance needs,
• Defence costs,
• Predation pressure
An afterthought
• Information Security cannot be an afterthought
• Only in building security into the system from the start can we maintain it effectively
Thank you