Contemporary Black Hat, White Hat Research in Information Security: Where are the Gaps? Detmar...



Contemporary Black Hat, White Hat Research in Information Security: Where are the Gaps?

Detmar Straub
Georgia State University
& Editor-in-Chief, MIS Quarterly

Indiana University
January 2011

Agenda

1. Who or what are black hats? Who or what are white hats?
2. The big picture
3. Types of white hat and black hat studies
4. Most interesting causes & effects
5. Theory bases are not the problem…
6. Research methods are not the problem…
7. The problem: data collection
8. Where do we go from here?

Presentation is available for downloading at: detmarstraub.com


1. Who or what are black hats? Who or what are white hats?


Black hats are, loosely speaking, the bad guys, the anti-socials and hackers.

Occasionally criminals and terrorists. It also includes the unwashed employees, those who develop dirty hands and switch sides.

White hats are those who want to protect information resources from unintended and illicit use.


A grey hat, in the hacking community, refers to a skilled hacker who sometimes acts illegally, sometimes in good will, and sometimes not. They are a hybrid between white and black hat hackers. They usually do not hack for personal gain or have malicious intentions, but may or may not occasionally commit crimes during the course of their technological exploits.


2. The big picture

Let’s first abstract to the highest level and try to avoid theory, methods, & data-collection issues and just focus on the basic relationships in the phenomenon of interest.

What is the phenomenon of interest? Information in organizations (and society) and how to protect it as a resource. It could be at the level of the individual, group, profit-making firm, nonprofit organizations, governments, or society as a whole.

The players? Computer systems that produce, firewall, store, and retrieve data/information/knowledge/wisdom plus white and black hats.


3. Types of white hat-black hat studies


Note: The hats are people. Computer systems that are used in transmitting and storing information are the points of interaction.

Note: The only communication between the black hats and white hats directly is through social disciplinary actions.


Orlikowski’s sociomateriality of people and systems: a philosophical view that people using computers create a new phenomenological entity of interest.


Basic terms such as deterrence and deterrents, prevention and preventives, detection and recovery/remedies are assumed.

[Diagram, based on Nance and Straub (1988): Deterrence → Prevention → Detection → Remedies, with a Feedback loop. Objective: maximize Deterred Abuse and Prevented Abuse; minimize Undetected Abuse and Unpunished Abuse.]


4. Most interesting causes & effects

Actions of black hats create response from white hats. Studies in how effectively white hats ratchet up security when black hats are attacking more frequently or via new or certain types of strategies.

Diagram: (Direct actions of black hats [typically by type of attack and as measured by white hats]) → (Success of attacks against white hats [as measured by white hats])


Choice and Chance: A Conceptual Model of Paths to Information Security Compromise. Sam Ransbotham, Sabyasachi Mitra. Information Systems Research. Mar 2009 (20, 1), 121-141.

No longer the exclusive domain of technology experts, information security is now a management issue. Through a grounded approach using interviews, observations, and secondary data, we advance a model of the information security compromise process from the perspective of the attacked organization. We distinguish between deliberate and opportunistic paths of compromise through the Internet, labeled choice and chance, and include the role of countermeasures, the Internet presence of the firm, and the attractiveness of the firm for information security compromise. Further, using one year of alert data from intrusion detection devices, we find empirical support for the key contributions of the model. We discuss the implications of the model for the emerging research stream on information security in the information systems literature.

Diagram: (Direct actions of black hats) → (Success of attacks against white hats)


A test of interventions for security threats from social engineering, Michael Workman. Information Management & Computer Security. 2008, (16, 5), 463ff.

Recently, the role of human behavior has become a focal point in the study of information security countermeasures. However, few empirical studies have been conducted to test social engineering theory and the reasons why people may or may not fall victim, and even fewer have tested recommended treatments. Building on theory using threat control factors, the purpose of this paper is to compare the efficacy of recommended treatment protocols. A confirmatory factor analysis of a threat control model was conducted, followed by a randomized assessment of treatment effects using the model. The data were gathered using a questionnaire containing antecedent factors, and samples of social engineering security behaviors were observed. It was found that threat assessment, commitment, trust, and obedience to authority were strong indicators of social engineering threat success, and that treatment efficacy depends on which factors are most prominent. This empirical study provides evidence for certain posited theoretical factors, but also shows that treatment efficacy for social engineering depends on targeting the appropriate factor. Researchers should investigate methods for factor assessment, and practitioners must develop interventions accordingly.

Diagram: (Direct actions of black hats) → (Success of attacks against white hats)


Information Security Threats: A Comparative Analysis of Impact, Probability, and Preparedness. Mary Sumner. Information Systems Management. Winter 2009, (26, 1), 2ff.

The objectives are: (1) to determine the risk assessment of information security threats, based upon the perceived impact and the perceived probability of occurrence of these threats; (2) to determine the extent of risk mitigation, based upon the perceived level of preparedness for each of these information security threats; and (3) to determine the extent to which the occurrence and the impact of information security threats relate to the level of preparedness.

Diagram: (Direct actions of black hats) → (Success of attacks against white hats)


Actions of black hats create a protective response from white hats. Some attacks succeed and some fail. Studies in why this occurs and what works and what doesn’t.

Detective actions by white hats are similar, but differ in that they require the abuse by the black hat to fill out a pattern that cannot be tested in real time.

If it could be determined in real time, it would simply be prevented.

Diagram labels: (Actions of black hats), (Preventive actions against black hats), (Thwarted), (Success of attacks against white hats)


Actions of white hats lead to changing tactics of black hats. Studies in how black hats alter their behaviors after the white hats change their strategies.

Few studies like this. Anecdotal or narratives like The Cuckoo’s Egg by Cliff Stoll.

Diagram: (Changing strategies of white hats) → (Changing behaviors of black hats)


Network characteristics of black hats create response from white hats. Adaptability of black hats to more effectively attack white hats.

[Data collection option: Invade hacker user groups and study how the hackers plan attacks and what their motives are.]


Network characteristics of white hats create response from black hats. Adaptability of white hats to more effectively defend against black hats.

[Data collection option: Study best practices for defense and whether they are, in fact, best practices. User groups perhaps. Sharing of information among white hats via a trusted network like TQN (more later).]


White hats institute policies to protect systems. White hats punish offenders and this deters black hats.

Diagram labels: (Preventive actions against black hats), (Actions of black hats), (Thwarted), (Success of policies, training influencing attacks against white hats)


Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Tejaswini Herath, H. R. Rao. Decision Support Systems. May 2009, 47, 2; 154ff.

Secure management of information systems is crucially important in information intensive organizations. Although most organizations have long been using security technologies, it is well known that technology tools alone are not sufficient. Thus, the area of end-user security behaviors in organizations has gained an increased attention. In information security observing end-user security behaviors is challenging. Moreover, recent studies have shown that the end users have divergent security views. The inability to monitor employee IT security behaviors and divergent views regarding security policies, in our view, provide a setting where the principal agent paradigm applies. In this paper, we develop and test a theoretical model of the incentive effects of penalties, pressures and perceived effectiveness of employee actions that enhances our understanding of employee compliance to information security policies. Based on 312 employee responses from 77 organizations, we empirically validate and test the model. Our findings suggest that security behaviors can be influenced by both intrinsic and extrinsic motivators. Pressures exerted by subjective norms and peer behaviors influence employee information security behaviors. Intrinsic motivation of employee perceived effectiveness of their actions was also found to play an important role in security policy compliance intentions. In analyzing the penalties, certainty of detection was found to be significant while surprisingly, severity of punishment was found to have a negative effect on security behavior intentions.


5. Theory/ethics is not the problem….

Theories need to deal with:
1. Why do black hats do what they do and what cuts down their effectiveness?
2. Why do white hats do what they do and what cuts down their effectiveness?

But dubious symmetry in our interests in the phenomenon! Science cannot be neutral when survival is at stake.


We need to believe that there is a social and moral good here in order to muster our scholarly efforts on behalf of the white hats.

Was Kevin Mitnick merely a misunderstood, free spirit?!


• Social critical theory? (Not sure how this would play out.)
• Are the black hats truly the bad guys or only because they are opposing the establishment, who are the white hats?
• Maybe they are disillusioned and disempowered workers in some cases and the firms’ top management are to blame.
  o Not an entirely unreasonable argument after the financial crisis of 2008-2009


6. Research methods are not the problem…..

• Ethnographic approaches and interpretivist understanding of what black hats-white hats and their actions might mean
• Orlikowski’s sociomateriality, where we have the computer embedded in the hats
• Process and interactions rather than causality
• Action research?
• Participant observation?
• Experimentation?
• Simulations?


7. The problem: data collection

The low-hanging fruit problem


Black hat data: a major problem when you ask students to put themselves into the position of malefactors. Need to get directly at malefactors. Become lurkers at hacker sites. Actually be upfront with the hacker community and try to understand them and their motives. Simulate them based on what we do know about them.

Students pretending to be malefactors is questionable science. Burton-Jones’ distance bias (MISQ, 2009). Why do we do it? Low-hanging fruit. Easier to get access to white hats or white hats pretending to be black hats (sometimes they actually may be black hats, but generally and under most social conditions, likely not).


Special Issue on Information Systems Security in a Digital Economy (forthcoming in 2010)

1. “Neutralization: New Insight into the Problem of Employee Information Systems Security Policy Violations” by Mikko Siponen and Anthony Vance (preprints available)

2. “Fear Appeals and Information Security Behaviors: An Empirical Study” by Allen C. Johnston and Merrill Warkentin (preprints available)

3. “Circuits of Power: A Study of Mandated Compliance to an Information Systems Security De Jure Standard in a Government Organization” by Stephen Smith, Donald Winchester, Deborah Bunker, and Rodger Jamieson (preprints available)

4. “User Participation in Information Systems Security Risk Management” by Janine L. Spears and Henri Barki (preprints available)

5. “Detecting Fake Websites: The Contribution of Statistical Learning Theory” by Ahmed Abbasi, Zhu Zhang, David Zimbra, Hsinchun Chen, and Jay F. Nunamaker, Jr. (preprints available)

6. “Market Value of Voluntary Disclosures Concerning Information Security” by Lawrence A. Gordon, Martin P. Loeb, and Tashfeen Sohail

7. “Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness” by Burcu Bulgurcu, Hasan Cavusoglu, and Izak Benbasat

8. “Practicing Safe Computing: A Multi-Method Empirical Examination of Home Computer User Security Behavioral Intentions” by Catherine L. Anderson and Ritu Agarwal


White hat data about real losses from black hats: in a word, the problem is “access.” Most organizations are wary of sharing sensitive data about their losses from computer abuse (Straub and Hoffer, SMR, 1989; Straub and Nance, MISQ, 1992).

TQN is one solution. There are likely others.


[Graphic from: Sainsbury, 2009. Based on “Trusted Query Network (TQN)” (Vaishnavi et al. 2006)]


Organizations need experience information to accurately estimate risk of events (information security breaches, infection rates, etc.), but in many cases these industry-wide data are not available.

Why? Sharing sensitive information heightens disclosure risk. Organizations do not want to share their information, sometimes even within their own organization. Privacy concerns.


Requirements of such a complete inter-organizational infrastructure?
• Guaranteed anonymity
• Total control of data
• Flexible and rich configuration for participation automation
• Support common queries to obtain useful industry-wide information
• Secure and scalable


Trusted Query Network “Simulation”

[Animated slide: five participants hold secret values 7, 11, 7, 10 and 25. As the query is passed from participant to participant, the intermediate frames show only running Count/Value pairs (e.g. Count: 24, Value: 93; Count: 23, Value: 82; Count: 22, Value: 75). The final result is Count: 5, Value: 60, Average: 12, i.e. the average of the five secret values without any individual value being disclosed.]
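The aggregation idea behind the simulation, as an added illustration that is not the slide’s or the TQN project’s own code: a ring-style pass in which the initiator masks Count and Value with random offsets, each organization adds its secret and forwards, and only the initiator removes the masks. The participant names, the masking scheme, the minimum-participant check and the neighbour-collusion caveat are my assumptions; the five secret values are the constructed ones from the slide.

```python
import random
from dataclasses import dataclass, field

# Constructed sample: the five secret values shown on the slide.
SLIDE_SECRETS = {"Org A": 7, "Org B": 11, "Org C": 7, "Org D": 10, "Org E": 25}


@dataclass
class Participant:
    name: str
    secret: int                                   # e.g. incidents last year; never sent in the clear
    received: list = field(default_factory=list)  # (count, value) pairs this node saw on the wire

    def contribute(self, count, value):
        """Record what arrived, add own contribution and forward the running totals."""
        self.received.append((count, value))
        return count + 1, value + self.secret


def run_query(participants, rng=None, mask_bits=32):
    """Initiator-driven pass around the ring. Returns (count, total, average).

    The initiator seeds Count and Value with random masks (assumed scheme), so
    what any participant receives looks like noise without the masks, which only
    the initiator holds.
    """
    if len(participants) < 3:
        # With two participants, total minus own secret is the other's secret.
        raise ValueError("anonymous aggregation needs at least three participants")
    rng = rng or random.SystemRandom()
    count_mask = rng.randrange(1 << mask_bits)
    value_mask = rng.randrange(1 << mask_bits)
    count, value = count_mask, value_mask
    for p in participants:
        count, value = p.contribute(count, value)
    total_count = count - count_mask
    total_value = value - value_mask
    return total_count, total_value, total_value / total_count


def neighbours_recover_secret(participants, i):
    """Caveat: if the predecessor and successor of participant i compare notes,
    the difference between what i sent and what i received is i's secret.
    (For the last participant the initiator plays the successor role.)"""
    if not 0 <= i < len(participants) - 1:
        raise IndexError("participant must have a successor in the recorded ring")
    _, value_in = participants[i].received[-1]        # what i got from i-1
    _, value_out = participants[i + 1].received[-1]   # what i+1 got, i.e. what i sent
    return value_out - value_in


def demo():
    orgs = [Participant(n, s) for n, s in SLIDE_SECRETS.items()]
    count, total, avg = run_query(orgs)
    print(f"Count: {count}  Value: {total}  Average: {avg:g}")   # Count: 5  Value: 60  Average: 12
    for o in orgs:
        print(f"{o.name} saw {o.received[-1]} on the wire")
    print("Org B's neighbours, colluding, recover:", neighbours_recover_secret(orgs, 1))
    return count, total, avg


if __name__ == "__main__":
    demo()
```

The collusion check is the practical limit of this simple scheme: anonymity holds against any single curious participant, but not against two that bracket a third.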

• Patent applied for in August 2007
• Prototype functions expanded and enhanced
• Evaluating filing of second patent application
• Market potential initially assessed for go/no go decision: “Technically significant, novel, commercially important”
• Target National Health Information Network and other Health and Human Services applications
• Thus far, two interested parties identified
• Next steps: For licensed test, use VeriSign or CDC? Update IP disclosure & extend patent application. Continue marketing. Expand prototype.


8. Where do we go from here?

Think outside the current boxes. Start with new sources of data.

Established theories and methods are readily available (albeit new theories would also be welcome).

Without better data, the enterprise is doomed. Even simulated data can help.
  o Data can be generated according to the ranges of what we know and tests conducted on these samples.
  o Similar conceptually to bootstrapping, which assumes that the sample you have is sufficiently representative of the population and samples from this sample for the rest of its tests.


Gather reported abuse data. Reported abuse is no doubt systematically biased, but we can work with the ranges of that data to assume characteristics of the unobserved population (Cronbach’s U*).

Assume that the black hats easily caught are the dumbest.

Assume that those who elude detection and arrest are the smartest.
  o When they are caught, use them to generate similar data about the under-represented smart set.
  o Simulate larger proportions of smarter abusers and check the sensitivity of current policies against this evolving population.


Go inside the hacker communities and the white hat user communities. This could also be seen as research on social networking and this is as hot as security right now.


Thank you! Any Questions?
