Cyber Security Challenges
Prof.dr.ir. Jan van den Berg (email: [email protected])
Cyber Security Chair TUDelft/Leiden University/Cyber Security Academy
Natuurkundig Gezelschap Middelburg, 23-03-2018
Agenda
▪ Why cyber security?
▪ Conceptualization of Cyberspace
▪ Cyber Security Challenges
▪ Dealing with the challenges
▪ Case study: privacy-security dilemma
▪ Conclusions
The world we are living in:
Cyber Incidents
Example cyber incidents
credit/debit card fraud
cyber stalking
identity theft
DDOS attacks, KPN hack
NSA espionage
Citizenfour: E. Snowden
Cybercrime ex.
▪ Case of silk-road (started by Ross Ulbricht alias Dread Pirate Roberts):
• “Silk Road was an online black market and the first modern darknet market, best
known as a platform for selling illegal drugs”
• “Was operated as a Tor hidden service, such that online users were able to browse it
anonymously and securely without potential traffic monitoring”
• Ulbricht was sentenced to “two for life imprisonment” (sic!)
• More recent cases: AlphaBay and Hansa
Energy blackout: Ukraine, 23-12-2015
• 225,000 customers affected [source]
• VPN networks and administrative tools at OS level were used for
intruding into the energy ICS systems (malware delivered via spear-phishing emails)
Swift hack
▪ Feb. 2016: perpetrators attempted to steal $951 million from the
Bangladesh central bank's account [source], based on stolen user data
Googling for videos: a few wake-up calls
▪ click here for several examples of Privacy Breaches
▪ click here for a Cyber Warfare video (on drones/UAVs)
▪ click here for general background of the Deep Web
▪ click here for top 10 disturbing discoveries on the Dark Web
▪ click here for a video on Wikileaks, a type of Cyber Protesting
▪ click here for an example of ICS vulnerabilities
▪ click here for a video on the Cyber Warfare incident Stuxnet
▪ click here for an Information Security Breach in Healthcare
▪ click here for more background info on PRISM (NSA activities)
▪ click here for an example of remotely hacking a car
Cyber incidents, con’t.
• Ashley Madison, a site enabling extramarital affairs
(“Life is short. Have an affair.”), was
hacked by “The Impact Team” (July 2015)
• Actually, a continuous, endless list of incidents!
• Another conclusion (from the many incidents):
any targeted attack can be successful (sic!),
provided enough motivation, means, and time are (made) available…
State(-sponsored) cyber attacks
• Stuxnet (see above)
• NSA e-espionage (see above)
• Cyber attacks on elections: information warfare to harm
democratic candidate Hillary Clinton
• Will this become common practice??
One of the biggest DDOS attacks
• IoT will be the future?:
“a botnet of millions of infected devices was used to launch the
biggest DDoS attack known to date (Sept. 2016), with peaks of
over 1 Tbps of traffic”
• IoT devices strongly enhance the ‘attack surface’
Other Cyber(space) Incidents 1
▪ Heartbleed: ‘worst vulnerability ever’ (2014; in OpenSSL)
▪ Great Bank Robbery (Carbanak): ‘biggest ever cybercrime’ (1 billion dollars, 2015, global)
▪ IS TV4 attack: ‘TV5Monde went black’ (2015)
▪ Wikileaks Revelations: ‘secret hacking tools: IoT’ (democratic control?, 2017)
Other Cyber(space) Incidents 2
▪ WannaCry (2017; map: initially affected countries): within a day 230,000 Microsoft
computers were infected in 150 countries
(ransom to be paid in bitcoin cryptocurrency;
the exploit was discovered by the NSA and used for cyber weapons;
Microsoft also discovered it and released a patch, which was often not
installed → wide spread of the worm)
▪ Compare Petya (2016/17): the container terminal of Maersk in the
port of Rotterdam went down: 300M loss (worldwide impact!!!!)
NCSC Cyber Security Report 2017
Key findings:
1. Professional criminals and state actors continue to be the most significant threat and inflict most damage
2. Digital attacks are being used to influence democratic processes
3. The vulnerability of the Internet of Things has resulted in disruptive attacks that endorse the need to enhance digital resilience
4. Many organisations are dependent on a limited number of foreign digital infrastructure service providers which means that the social impact of disruption is large
5. The resilience of individuals and organisations is lagging behind the increasing threat
Quotes from Dick Schoof (NCSC) on recent DDOS attacks [source]
▪ “DDOS attacks are more advanced than before”
▪ About attackers: “Het kan een land zijn, maar ook een crimineel of
een groepje whizzkids”
(“It can be a state, but also a criminal or a group of whizzkids”) → attribution problem
▪ Current attacks have low risks: Finance Minister Hoekstra
stressed today (29/1) that the “DDoS attacks pose no danger
to payment traffic / the personal data of customers.”
▪ “The financial sector is one of the vital sectors within
Dutch society and therefore has our full attention”,
this minister also said → But what does this really mean?
Discussion
▪ What are the (possible) high-impact cyber incident types
▪ at home?
▪ in your organization?
▪ in society?
Agenda
▪ Why cyber security?
▪ Conceptualization of Cyberspace
▪ Cyber Security Challenges
▪ Dealing with the challenges
▪ Case study: privacy-security dilemma
▪ Conclusions
Two (relatively) recent definitions
▪ ISO27032 (guidelines for cybersecurity, 2012):
▪ Cyberspace = ‘the complex environment resulting from the interaction
of people, software and services on the Internet, supported by
worldwide distributed physical information and communications
technology (ICT) devices and connected networks’
(→ italics of ‘complex environment’ by me… but still rather vague!)
▪ Cybersecurity = ‘the preservation of confidentiality, integrity and
availability of information in the cyberspace’
(→ missed opportunity!)
Vision: Cyberspace = 5th domain
▪ Cyberspace is the complex, manmade system at global scale, deeply
embedded in the four physical domains of land, water, air and space,
that enables cyber activities = IT-enabled activities (key assets!)
▪ Characteristics:
▪ high speed global connectivity ( individual organizations)
▪ huge distributed data processing power (including millions of intelligent
systems that take decisions autonomously, not merely passive information)
▪ huge data storage capabilities: we now talk about big & open data
▪ with almost 3 billion human actors in different roles worldwide
▪ with > 14 billion (intelligent) devices and systems connected
Basic cyber activities (= IT-enabled activities)
▪ Communication: sms, email, chat, whatsapp, skype, voip, twittering, …
▪ Information retrieval: news, weather forecast, public transportation, crises, …
▪ Watching: movies, sporting events, television, youtube, …
▪ Listening: radio, music, spotify, …
More advanced cyber activities
▪ ‘Searching’: google searching, wikipedia, route planning, translating, …
▪ (Automatic) transacting: e-shopping, e-trading, e-payments, e-procurement, holiday
planning, tax returns, e-marketplaces, e-voting, crowd sourcing/funding, …
▪ Social gathering: Facebook, LinkedIn, e-dating, 2nd love, sexting, gambling, …
▪ Rating & Ranking: top web-sites, universities, hotels, services, …
Cyber activities of all kind…
Cyber activities of all kind, con’t.
More advanced cyber activities, cont.
▪ Educating: MOOCs, e-learning, e-coaching …
▪ Monitoring and surveillance activities: sensoring, detecting, using drones, …
▪ Controlling critical infrastructures: energy & water supply, transport, chemical
processing, flood defence, …
▪ Cyber protesting: activism including fundraising, community building, lobbying, organizing
Less favourable cyber activities
▪ Cyber crime (dark markets): financial fraud, theft, hacking, child pornography, e-
espionage, cyber bullying, sale of drugs/guns/…, illegal downloads, …
▪ Cyber warfare: intelligence, defense, attack ~ Cyber Operations: NSA, drones,
hacking, attacking, cracking, information warfare …
Note: cyber activities provide semantics to data processing (!!!)
Discussion
▪ What are the key cyber activities (‘crown jewels’) in your
organization/personal environment/society?
Decomposing cyberspace in layers
Technical layer:
▪ IT services ~ information security ~ CIA(A)
Socio-tech layer:
▪ cyber activities ~ cyber security ~ personal/business/societal goals
Governance layer:
▪ governance & management ~ rules & regulations (for other layers) ~
cyber risk appetite, ethics & compliance
- Cyber sub-domains: examples in figure!
- Stakeholder groups: end-users, organisations, sectors, states, continents
Agenda
▪ Why cyber security?
▪ Conceptualization of Cyberspace and Cyber Security, revisited
▪ Cyber Security Challenges
▪ Dealing with the challenges (with examples)
▪ Case study: privacy-security dilemma
▪ Conclusions
Basic challenge
As actors in the (new 5th) domain of cyberspace,
we have to learn how to behave ‘competently’
Cyber security struggling
• As end-user
▪ How to protect my PC?
▪ How to educate (my) children?
• As (board) member of a company
▪ Which specialists, how to organize them?
▪ Should we start a SOC?
• As decision maker about critical infrastructures
▪ How far can we develop the smart grid?
▪ What about the cyber security of automated car control?
▪ Is distant-control for gas supply/flood defense acceptable?
Cyber security struggling, cont’d
• As crisis manager
▪ What to do? Who should I contact?
▪ Which information to make public?
• As police officer
▪ What happens in the dark web?
▪ Which tools to use for catching the unknown
attacker/criminal?
• As politician
▪ Which rules & regulations to put in place?
▪ Which institutions, which responsibilities?
Risk mgt:
1. Risk assessment of cyber activity breaches
2. Reduction of cyber risks to ‘acceptable levels’
3. Taking a set of adequate security measures
Balancing preventive and repressive measures in different layers
▪ Technical layer: …
▪ Socio-tech layer:
▪ Governance layer:
aligned over all cyber sub-domains
• …
• …
together securing cyberspace = securing the cyber activities of all actors
Ex. 1: Preventing identity fraud during login
Focus: secure authentication
1. Technical layer: technically (logically) enforce the use of strong passwords only
2. Cyber Activity (behavior) layer: use only strong passwords yourself
3. Governance layer: recommend strong / forbid weak passwords
Ex. 2: Preventing/Detecting infection by USB sticks
Focus: malware infection
1. Technical layer:
▪ disable the use of USB sticks
▪ check for malware injected via USB sticks
2. Cyber Activity (behavior) layer: stop using USB sticks
3. Governance layer: forbid the use of USB sticks
Modern conceptualization of (Cyber) Risk
▪ Next to the possibility/likelihood of negative impact, risks might
also be interpreted in a positive sense:
▪ “Risk is the potential of gaining or losing something of value”
▪ So,
▪ aligning business opportunities and cyber risks
▪ i.e., security by design
are key issues → this also invites more cyber security funding
Cyber Risk Management Cycle
▪ Repeat ‘forever’ (in all ‘relevant’ cyber sub-domains: wow!)
▪ Identify the critical cyber activities
▪ Identify & assess their cyber risks (= potential gains & losses)
▪ Define acceptable cyber risk levels
▪ Decide way(s) of dealing with the risks
▪ Design & Implement cyber risk measures
▪ Monitor effectiveness.
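As an added example (not from the slides), one iteration of this cycle carried through in code: risk is modelled, as the previous slide suggests, as expected gain and expected loss per cyber activity, a risk appetite fixes the acceptable level, the decision is accept/mitigate/avoid, and the effect of a measure is re-assessed as the monitoring step. All activities, figures and measure effects are constructed; the function and parameter names are this example's own.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class CyberActivity:
    """Step 1: a critical cyber activity with constructed yearly estimates."""
    name: str
    loss_likelihood: float  # chance per year of a damaging breach
    loss_impact: float      # cost in EUR if that breach happens
    gain_likelihood: float  # chance per year the activity delivers its value
    gain_impact: float      # value in EUR when it does

def expected_loss(a: CyberActivity) -> float:  # step 2, loss side
    return a.loss_likelihood * a.loss_impact

def expected_gain(a: CyberActivity) -> float:  # step 2, gain side
    return a.gain_likelihood * a.gain_impact

def decide(a: CyberActivity, appetite: float) -> str:
    """Steps 3-4: appetite is the maximum expected yearly loss accepted."""
    if expected_loss(a) <= appetite:
        return "accept"
    if expected_gain(a) > expected_loss(a):
        return "mitigate"  # worth keeping, so reduce the risk
    return "avoid"         # losses outweigh gains, so stop the activity

def mitigate(a: CyberActivity, likelihood_cut: float, yearly_cost: float) -> CyberActivity:
    """Step 5: a measure cuts breach likelihood by a fraction; its cost
    comes out of the activity's gain (hypothetical effect sizes)."""
    return replace(a, loss_likelihood=a.loss_likelihood * (1 - likelihood_cut),
                   gain_impact=a.gain_impact - yearly_cost)

def run_cycle(activities, appetite, measures):
    """One iteration of the cycle; returns {activity name: final decision}.
    measures maps an activity name to (likelihood_cut, yearly_cost)."""
    outcome = {}
    for a in activities:
        decision = decide(a, appetite)
        if decision == "mitigate" and a.name in measures:
            treated = mitigate(a, *measures[a.name])
            # Step 6: monitor effectiveness, i.e. re-assess after the measure
            decision = decide(treated, appetite)
        outcome[a.name] = decision
    return outcome

# Constructed figures, only to illustrate the cycle
ACTIVITIES = [
    CyberActivity("e-payments", 0.30, 200_000, 0.95, 500_000),
    CyberActivity("remote control of flood gate", 0.20, 1_000_000, 0.50, 60_000),
    CyberActivity("public news page", 0.10, 10_000, 0.90, 20_000),
]
MEASURES = {"e-payments": (0.70, 40_000)}  # hypothetical: MFA plus monitoring
APPETITE = 25_000.0  # accept at most 25k EUR expected loss per activity per year
```

With these constructed numbers e-payments is first flagged for mitigation and then accepted once the measure brings its expected loss under the appetite, the flood-gate control is avoided because its expected loss dwarfs its gain, and the news page is accepted outright.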
Discussion
▪ To what extent is the cyber risk management cycle implemented in
your organization/country?
Conditio-sine-qua-non for adequate risk management
▪ Creating Cyber Situational Awareness in
▪ socio-technical layer (cyber activities by people & intelligent systems)
▪ technical layer (in terms of IT-processes and -communication)
▪ Includes
▪ attackers
▪ cyber crime (dark web)
▪ in short: cyber attacks
▪ Creates
▪ privacy-security dilemma
▪ security-compliance dilemma
Agenda
▪ Why cyber security?
▪ Conceptualization of Cyberspace and Cyber Security, revisited
▪ Cyber Security Challenges
▪ Dealing with the challenges
▪ Case study: privacy-security dilemma
▪ Conclusions
Possibilities at technical layer (always cyber-risk related!)
▪ Prevention (security by design): secure hardware & software at all ICT
layers (secure architecture, secure software engineering, backups, pentesting,
certification, …) including for IoT, autonomous cars, smart electricity grid,
smart flood defense, healthcare, …, critical infrastructures, etc.
(also includes secure behavior enforcement, in layer 2, e.g. by training)
▪ Repression (since no 100% security by design possible):
▪ Monitoring & detection in IT-systems: scanning the dark web/social
network sites, anti-virus software, anomaly detection (e.g. in financial
transactions), SOCs, malware detection (e.g. via reverse engineering, data analytics), …
▪ Recovery from incidents: by returning to previous safe states, crisis management
Possibilities at the governance layer (cyber-risk related!)
▪ It is about influencing
▪ cyber behavior (socio-technical layer 2) and IT (technical layer 1)
▪ Lessig’s four modalities of regulation [source]
1. laws, rules, policies, regulations in organizations, states,
countries, … (relates to education, awareness raising, compliance, alignment
of national cyber strategies, rules & regulations (PhD-research), …: layer 2)
2. informal societal rules (different per culture: layer 2)
3. economic incentives (competition, transparency, externalities: layer 2)
4. architecture (physical, IT functionality: layer 1)
Discussion point
▪ How can diplomats play a role in aligning international cyber
security challenges, e.g., related to
▪ Dealing with the Global Cyber Security Risks
(related to state-sponsored attacks, information/cyber warfare, mafia in the
dark-web, critical infrastructures, …)
▪ Combatting the power of the “big five”
(Facebook, Google, Amazon, Microsoft, Apple)?
▪ Inspiration/Compare: global efforts to deal with nuclear threats/risks
Cyber Security: are we making progress?
▪ Q: are we making progress in society to deal with cyber security?
▪ What’s different from a few years ago?
▪ First recent illustrative example:
▪ HANSA case (compare the earlier SILK ROAD marketplace case):
▪ THTC took over the website (by making a copy running in The Netherlands) and
installed monitoring software (very different from the classical SILK ROAD take-down)
▪ Many malicious actors (e.g. drug sellers) could be identified → high impact
▪ Close cooperation with law enforcement in other countries
▪ Analyze the information on the webpage yourself (e.g., w.r.t. legality):
https://www.wired.com/story/hansa-dutch-police-sting-operation/
Cyber Security: are we making progress?, con’t.
▪ Second recent illustrative example: SCR/SCC advice on IoT
▪ IoT: “Network of smart devices, sensors and other objects that collect data
from their environment, exchange them and take actions effecting their
environment”
▪ Opportunities are manifold
▪ Threats relate to “security and privacy”: e.g. DDOS attack of Mirai botnet
▪ Main challenges: to deal with
▪ insufficient security of IoT devices → network security problem
▪ huge data collection capabilities → privacy-related problems, a.o.
▪ liabilities (in different national legal regimes) are far from clear
Agenda
▪ Why cyber security?
▪ Conceptualization of Cyberspace and Cyber Security, revisited
▪ Cyber Security Challenges
▪ Dealing with the challenges (with examples)
▪ Case study: privacy-security dilemma
▪ Conclusions
Case Study: (Cyber) Security versus Privacy
▪ Fundamental Right of Privacy
versus
▪ Governmental ability/responsibility to secure society including
cyberspace
▪ Privacy: “ability of an individual or group to seclude themselves, or
information about themselves …” [1]
▪ Social Contract: “the legitimacy of the authority of the state over the
individual” [2]
Theory of Social Contract
• “Individuals have consented, either explicitly or tacitly, to surrender
some of their freedoms and submit to the authority of the ruler or
magistrate (or to the decision of a majority), in exchange for
protection of their remaining rights” [2]
• Examples in the physical world
▪ paying taxes in exchange for …
▪ decision-making rights in exchange for …
▪ right to use violence in exchange for …
▪ privacy-breaching actions by police (e.g. “huiszoeking”, a house search) in exchange for …
• Condition: Ruler/Magistrate/Government should act “properly”
Application (in Cyberspace) and Discussion
▪ What privacy in cyberspace are you willing to give up in exchange for
protection by “government” by analyzing the risks (!) related to
▪ availability of child pornography (at the WWW)
▪ selling of illegal goods, hard drugs, guns, malware, … (at the dark web)
▪ detection of possible terroristic attacks
▪ cyber stalking, cyber bullying
▪ proper energy supply, water supply, flood defense, and other CIs
▪ cyber espionage & cyber warfare by other countries
▪ How should the government behave in terms of
▪ transparency of their activities
▪ effective use of resources
▪ cooperation with private partners (ISPs, Google, Facebook, …)
Agenda
▪ Why cyber security?
▪ Conceptualization of Cyberspace and Cyber Security, revisited
▪ Cyber Security Challenges
▪ Dealing with the challenges (with examples)
▪ Case study: privacy-security dilemma
▪ Conclusions
Conclusions (Agree?)
▪ Cyberspace = space of cyber activities = IT-enabled activities
▪ Cyber security (= Securing Cyberspace) is a societal problem having
technical/legal/economic/institutional/international relations/ethical, …
perspectives: it concerns both behavior- and IT-related approaches!
▪ Goal of cyber security: reducing cyber risks to acceptable levels, in alignment
with business/societal/organisational/personal interests
▪ Starts with identifying all relevant cyber activity opportunities and risks
▪ Level of cyber risks and chosen cyber risk appetite determine what measures
are appropriate
▪ Everyone can and has to contribute!
Summary
▪ Please, watch our new CSA-video:
https://www.youtube.com/watch?v=baPyGS7yGkU
Interested in a MSc Cyber Security??
▪ 4TU MSc program (2 years full-time) for regular students:
▪ link to MSc theses
▪ CSA MSc program (2 years part-time) for executive professionals:
▪ link to MSc theses
▪ program set-up on next slide
▪ New MSc program Cyber Security Engineering (2 years part-time)
for technical professionals (starting Sept. 2018)