Risk Assessment. InfoSec and Legal Aspects Risk assessment Laws governing InfoSec Privacy.
Protecting critical activities from cybercrime and cyber ... · Organized crime\ Cyber-warriors and...
Transcript of Protecting critical activities from cybercrime and cyber ... · Organized crime\ Cyber-warriors and...
Beyond hackers, viruses and worms
Protecting critical activities fromcybercrime and cyber-terrorism
Information workshop at OECDParis, October 2004
1
Externalattacks
Virus, worm, trojan horse writers,Script kiddies & other hackers, Zombies in DDOS mode,Hactivists and spoof sitesOrganized crime\Cyber-warriors and cyber-terrorists… and more…
The Infosec theatre of warInternal headaches
Unaware users,Malicious insiders,Weak identity managementBack doors,Logical bombs,Undocumented functions… and more…
Generalvulnerabilities
Attack and responsedynamics
Information workshop at OECDParis, October 2004
2
Types of attack1010010101101010010010
Physical attacks
Syntactic attacks
Semantic attacks
Corrupt data in “trusted” systems Make computers perform
unexpected functions
Information workshop at OECDParis, October 2004
3
Stage 1: Policies, monitoring and compliance
Stage 2: Building protection features into systems
Stage 3: Operational administration and monitoring
Stage 4: Investigations and digital forensics
Protection against insider threats
Information workshop at OECDParis, October 2004
4
Malicious insider
opportunityknowledge
motivation
Queensland (AUS) Sunshine Coast, April 2001
Just one example
Disgruntled employee hacks into computerised sewage control system.Released one million litres of raw sewage.
Found guilty on 46 counts countsof computer hacking
Sentenced to two years in jail
What if he and others like himhad been suborned by terrorists
or a foreign government?
Information workshop at OECDParis, October 2004
5
Stage 1: Policies and compliance
Appropriate use of ICT resourcesAuthentication and identity managementAccess rights “need to know” or unrestrictedIrresponsibility, impropriety and fraudComputer crime and audit strategiesMonitoringWorker* references and credentials
* employee, temporary staff, contractors, consultants, interns,visitors, maintenance personnel, cleaners, etc.
Information workshop at OECDParis, October 2004
6
Stage 2: Building features
System design safeguards and controlsBack doors and logical bombsPartition of data in support of “need to know”Authentication systemsStorage safeguardsControls – qui custodiat custodies?Review and validation (no Easter Eggs, no undocumented functionality,
no unknown superusers, etc)
Information workshop at OECDParis, October 2004
7
Stage 3: Operational matters
Identity management and MACsSuperuser rights managementData rights (C, U, R)Disclosures and social engineeringMonitoring tools, privacy and ethicsControls – qui custodiat custodies?
Sys Admin
MAC = moves, additions and changesCUR = create, update, read only
Information workshop at OECDParis, October 2004
8
Investigation and digital forensics
Determining point of access and containmentSetting up trapsEvidence preservation and custody chainEvidence analysis and forensic toolsCollaboration between HR, Internal Audit and I.T.
Information workshop at OECDParis, October 2004
9
Organization’s metabolic rateAbility to recruit and trainCareer progress criteria
Background vetting/clearancesFlexible remuneration
Fast procurement processesBudgetary room to breathe
Culture of openness
Assumption: many critical infrastructures are managed with a slow metabolic rate
NOSlow Fast
YES
Information workshop at OECDParis, October 2004
10
From cybercrime to cyberterrorismSame skills, same tools, different intent
Achieve media coverageImpact economic systemsDestabilise civilian lifeAsymmetric warfare against law enforcementHurt trust in governments’ ability to protect citizensUse “successes” to gain more support for their cause
GunsExplosivesChemical weaponsBacteriological weapons
AND/OR
Information workshop at OECDParis, October 2004
11
Planning for defensive success
Are traditional infrastructure operations, audits, etcstill good enough
How do we learn how bad guys think and operate
What can we learn from the “bad guys”
How do we incorporate this culture into our defences
How many attended DEFCON or similar