1 The Economic Impact of Cyber Attacks The Global Picture Chapter 9.


NEW: Final Project deadline: December 7, 2013, 2:00 am

Risk Assessment

(Figure) RISK, shown with its three components: Threats, Vulnerabilities, Consequences

Risk Management Framework (Business Context)

- Understand business context
- Identify business and technical risks
- Synthesize and rank risks
- Define risk mitigation strategy
- Carry out fixes and validate
- Measurement and reporting

Allocating Resources

- Limited resources
- Acceptable level of risk
- Tie technical risk to business risk

Making a Business Case

- Description of the problem
- List of possible solutions
- Constraints on solving the problem
- List of underlying assumptions
- Analysis of each alternative, including risks, costs, and benefits
- Summary of why the proposed investment is good

Influences on Cyber Security Investment Strategy

- Regulatory requirements
- Network history or IT staff knowledge
- Client requirements
- Results of internal or external audit
- Response to current events
- Response to compromised internal security
- Reaction to external mandate or request

Determining Economic Value

- Many different ways to determine value: internal rate of return (IRR), return on investment (ROI), net present value (NPV)
- Investment analysis: the best way to allocate capital and human resources
- Accounting measures are inappropriate for evaluating information security investments
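The risk-ranking step of the framework above ("synthesize and rank risks", "tie technical risk to business risk") and the three valuation measures named on this slide can be carried through numerically. The following is an added example written for this transcript; it is not code from the lecture or from Pfleeger. Everything in it is an assumption for illustration: the risk register entries and dollar figures are constructed, and the model that scores a risk as threat likelihood times vulnerability likelihood times consequence is one common reading of the three-component figure, not a formula the slides state. The lecture's own caution stands: these accounting measures are inputs to a business case, not a complete evaluation of a security investment.

```python
"""Added example: rank risks by expected annual loss, then evaluate a
mitigating control with NPV, ROI and IRR.  All names, figures and the
multiplicative risk model are constructed for illustration, not taken
from the lecture."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    """One entry in a risk register (constructed model)."""
    name: str
    threat: float         # annual probability the threat is attempted (0..1)
    vulnerability: float  # probability an attempt succeeds, given it occurs (0..1)
    consequence: float    # business loss per successful attack, in dollars

    def expected_loss(self) -> float:
        """Annual expected loss = threat x vulnerability x consequence (assumption)."""
        return self.threat * self.vulnerability * self.consequence


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """'Synthesize and rank risks': highest expected annual loss first."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def npv(rate: float, cash_flows: List[float]) -> float:
    """Net present value; cash_flows[t] occurs at the end of year t (t=0 is today)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def roi(total_gain: float, cost: float) -> float:
    """Return on investment as a fraction of the initial cost."""
    return (total_gain - cost) / cost


def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9) -> Optional[float]:
    """Internal rate of return: the rate at which NPV is zero, found by bisection.
    Returns None when NPV does not change sign on [lo, hi] (no IRR exists there)."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def evaluate_control(risk: Risk, cost: float, residual_vulnerability: float,
                     years: int, discount_rate: float) -> dict:
    """Tie a technical control to business figures: the control costs `cost`
    up front and lowers the risk's vulnerability to `residual_vulnerability`
    for `years` years.  The avoided expected loss is the yearly benefit."""
    mitigated = replace(risk, vulnerability=residual_vulnerability)
    avoided = risk.expected_loss() - mitigated.expected_loss()
    flows = [-cost] + [avoided] * years
    return {
        "annual_avoided_loss": avoided,
        "npv": npv(discount_rate, flows),
        "roi": roi(avoided * years, cost),
        "irr": irr(flows),
    }


# Constructed sample register (hypothetical figures, not from the lecture).
SAMPLE_RISKS = [
    Risk("phishing leading to credential theft", threat=0.9, vulnerability=0.2, consequence=50_000),
    Risk("ransomware on the file server", threat=0.5, vulnerability=0.4, consequence=200_000),
    Risk("web application SQL injection", threat=0.7, vulnerability=0.1, consequence=120_000),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.name:45s} expected annual loss ${r.expected_loss():>10,.0f}")
    # Hypothetical control: tested offline backups plus patching, $50k up front,
    # cuts ransomware vulnerability from 0.4 to 0.1, judged over 3 years at 10%.
    result = evaluate_control(SAMPLE_RISKS[1], cost=50_000,
                              residual_vulnerability=0.1, years=3, discount_rate=0.10)
    for key, value in result.items():
        print(f"{key:20s} {value:,.3f}")
```

With the constructed figures the ransomware entry ranks first (expected annual loss $40,000), and the hypothetical control avoids $30,000 a year, giving a positive NPV of about $24,606 at a 10% discount rate, an ROI of 0.8 over three years, and an IRR near 36%. The bisection in `irr` deliberately reports `None` rather than a number when the cash flows never change sign, which is the case for a control that has costs but no measurable avoided loss.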

Quantifying Security

- Difficult problem, not fully understood
- Limited historical data to estimate likelihood
- Attacks that are possible but haven't happened
- Threat estimation uses:
  - Number and types of assets needing protection
  - Number and types of vulnerabilities that exist in a system
  - Number and types of likely threats to a system

Data to be Protected

- National and global data
- Enterprise data
- Technology data
- Social vulnerability

Real Cost of Cyber Attack

- Damage to the target may not reflect the real amount of damage
- Other services may rely on the attacked service, causing cascading and escalating damage
- Need: support for decision makers to evaluate the risk and consequences of cyber attacks, and support for methods to prevent, deter, and mitigate the consequences of attacks

Legal and Ethical Issues in Computer Security

CSCE 522 - Farkas

Reading: Pfleeger, Chapter 11

Law and Computer Security

- International, national, state, and city laws affect privacy and secrecy
- Laws regulate the use, development, and ownership of data and programs
- Laws affect the actions that can be taken to protect the secrecy, integrity, and availability of computing resources

Lack of Legislation

- Reactive procedures
- Improper acts not addressed
- Lack of technical expertise among legal personnel

Protection of Computer Systems

- Protecting computing systems against criminals
- Protecting code and data
- Protecting programmers' and employers' rights
- Protecting users of programs

Protecting Programs and Data

- Copyright
- Patents
- Trade secrets
- Protection for computer objects

Copyrights

- Protect the expression of ideas
- 1978: U.S. copyright law
- Updated in 1998: Digital Millennium Copyright Act (DMCA), which deals with computers and other electronic media
- Gives the copyright holder the exclusive right to make copies of the expression and sell them to the public
- Simple procedure to register a copyright
- U.S. copyright expires 70 years beyond the death of the last surviving holder

Intellectual Property

- Copyright does not cover the idea being expressed
- Applies to original work, and the work must be in some tangible medium of expression
- Originality of work!

Fair Use

- The purchaser has the right to use the product in the manner for which it was intended and in a way that does not interfere with the author's rights.
- Piracy
- First sale
- Copyright infringement

Copyright for Digital Objects

- Digital Millennium Copyright Act
- Digital objects can be copyrighted
- It is a crime to circumvent or disable anti-piracy functionality
- It is a crime to manufacture, sell, or distribute devices that disable anti-piracy functionality or that copy digital objects
- Exempt: when used for educational and research purposes
- It is legal to make a backup to protect against loss
- Libraries can make three backups

Patent

What can be patented?

http://www.freepatentsonline.com/crazy.html

https://patentimages.storage.googleapis.com/pages/US4344424-1.png

Patents

- Protect inventions: results of science, technology, and engineering
- Requirement of novelty: truly novel and unique; only one patent for a given invention
- Non-obvious
- U.S. Patent and Trademark Office: registers patents
- Patent attorney: verifies that the invention has not been patented and identifies similar inventions

Patent Infringement

- Copyright: the holder can decide which violations to prosecute
- Patent: all violations must be prosecuted or the patent can be lost
- Suing for patent infringement may cause the patent owner to lose the patent. The infringer may argue that:
  - This isn't infringement (different inventions)
  - The patent is invalid (a prior infringement was not opposed)
  - The invention is not novel
  - The infringer invented the object first

Trade Secret

- Information that gives one company a competitive edge over the others
- Must always be kept secret
- If someone obtains it improperly, the owner can recover: profits, damages, lost revenues, legal costs
- Reverse engineering!

Protection of Computer Objects

- Look at Table 11-1 on page 660 to compare copyright, patent, and trade secret
- Protecting hardware, firmware, object code software, source code software, documentation, web content, domain names, etc.

Computer Crime

- Least clear area of law in computing
- Separate category for computer crime
- No access to the physical object: is it a serious crime?
- Rules of evidence: how to prove authenticity?
- Threats to integrity and confidentiality: how to measure loss of privacy?
- Value of data: how to measure it?

Why Is Computer Crime Hard to Prosecute?

- Lack of understanding
- Lack of physical evidence
- Lack of recognition of assets
- Lack of political impact
- Complexity of case
- Age of defendant

Laws for Computer Crime

- U.S. Computer Fraud and Abuse Act
- U.S. Economic Espionage Act
- U.S. Electronic Fund Transfer Act
- U.S. Freedom of Information Act
- U.S. Privacy Act
- U.S. Electronic Communications Privacy Act
- HIPAA
- USA PATRIOT Act
- CAN-SPAM Act

Ethical Issues

- Ethic: objectively defined standard of right and wrong
- Ultimately, each person is responsible for deciding what to do in a specific situation
- Ethical positions can and often do come into conflict

Ethics vs. Law

Law                                 Ethics
----------------------------------  --------------------------------------------------------
Formal, written document            Unwritten principles
Interpreted by courts               Interpreted by each individual
Established by legislatures         Presented by philosophers, religious, professional groups
Applicable to everyone              Personal choice
Priority decided by court           Priority determined by individual
Court makes final decision          No external decision maker
Enforceable by police and courts    Limited enforcement

It is a Risky World

Reading List

Pfleeger: Chapter 8

Vulnerabilities

- Security objectives: prevent attacks, detect attacks, recover from attacks
- Attacks are directed against weaknesses in information systems
- Need: find the weaknesses

Identifying and Eliminating Weaknesses

I. Vulnerability monitoring
II. Secure system development
III. User training and awareness
IV. Avoiding single points of failure

I. Keeping up with Security Publications

- Legal publications: how to remove vulnerabilities (CERT advisories, SANS Security Digest)
- Hacker publications: "how to" exploit known vulnerabilities
- Security mailing lists

II. Building Secure Systems

- 1960s: US Department of Defense (DoD) recognizes the risk of unsecured information systems
- 1981: National Computer Security Center (NCSC) at the NSA
- DoD Trusted Computer System Evaluation Criteria (TCSEC) == Orange Book

II. Orange Book

- Orange Book objectives:
  - Guidance on what security features to build into new products
  - Provide a measure for evaluating the security of systems
  - Basis for specifying security requirements
- Security features and assurances
- Trusted Computing Base (TCB): the security components of the system

II. Orange Book Levels

Highest security:
- A1 Verified Protection
- B3 Security Domains
- B2 Structured Protection
- B1 Labeled Security Protection
- C2 Controlled Access Protection
- C1 Discretionary Security Protection
- D Minimal Protection
No security

II. Orange Book Classes

- C1, C2: simple enhancement of existing systems. Does not break applications.
- B1: relatively simple enhancement of existing systems. May break some applications.
- B2: major enhancement of existing systems. Will break many applications.
- B3: failed A1
- A1: top-down design and implementation of a new system from scratch.

(from the lecture notes of Jajodia, http://www.ise.gmu.edu)

II. NCSC Rainbow Series

- Orange: Trusted Computer System Evaluation Criteria
- Yellow: Guidance for applying the Orange Book
- Red: Trusted Network Interpretation
- Lavender: Trusted Database Interpretation

II. European Criteria

- German Information Security Agency: German Green Book (1988)
- British Department of Trade and Industry and Ministry of Defence: several volumes of criteria
- Canada, Australia, France: work on evaluation criteria
- 1991: Information Technology Security Evaluation Criteria (ITSEC)
  - For the European Community
  - Decoupled features from assurance
  - Introduced new functionality requirement classes
  - Accommodated commercial security requirements

II. United States

- January 1996: Common Criteria
- Joint work with Canada and Europe
- Separates functionality from assurance
- Nine classes of functionality: audit, communications, user data protection, identification and authentication, privacy, protection of trusted functions, resource utilization, establishing user sessions, and trusted path.
- Seven classes of assurance: configuration management, delivery and operation, development, guidance documents, life cycle support, tests, and vulnerability assessment.

II. Common Criteria

Evaluation Assurance Levels (EAL):
- EAL1: functionally tested
- EAL2: structurally tested
- EAL3: methodologically tested and checked
- EAL4: methodologically designed, tested and reviewed
- EAL5: semi-formally designed and tested
- EAL6: semi-formally verified and tested
- EAL7: formally verified design and tested

II. National Information Assurance Partnership (NIAP)

- 1997: National Institute of Standards and Technology (NIST), National Security Agency (NSA), and industry
- Aims to improve the efficiency of evaluation
- Transfer methodologies and techniques to private-sector laboratories
- Functions: developing tests, test methods, and tools for evaluating and improving security products; developing protection profiles and associated tests; establishing a formal and international schema for CC.

Next Class

- Current issues and future trends
- Class discussion