Cyber Security and Risk Analysis

Introduction & Rationale for Cyber-Security

Security of information technologies is critical for modern organizations
- Safeguards are needed to protect
- Confidential business data
- Private customer & employee data
- Objectives
- Prevent malicious theft, disruption, vandalism, sabotage
- Maintain a balance with other business needs (cost, usability, productivity)
Core drivers of growing risk
- $\textbf{Increasing\;complexity}$ of hardware, software & networks ➜ more vulnerabilities, more entry points (cloud, virtualization)
- $\textbf{Higher\;user\;expectations}$ ➜ pressure on help desks, lax ID verification, password sharing
- $\textbf{Expanding / changing\;systems}$ in the “network era” ➜ PCs connect to millions of others; organizations struggle to keep pace with technology
- $\textbf{Reliance\;on\;commercial\;software}$ with known vulnerabilities➜ attackers exploit before users apply patches

Defining Computer / Cyber Security

Garfinkel & Spafford (1996)
- A computer is secure “if you can depend on it and its software behaves as you expect.”
- Requires
1. Dependability (reliability & availability)
2. Correct, predictable software behavior
Joseph Kizza (2003): Three-element model
- $\textit{Confidentiality}$ – protect against unauthorized disclosure
- $\textit{Integrity}$ – prevent unauthorized modification
- $\textit{Availability}$ – ensure timely access by authorized users
Peter Neumann (2004)
- Security’s broader purpose: prevent misuse, accidents, malfunctions
- Warns security is a “double-edged sword” (can protect privacy but also restrict access)
Power (2000) definition of $\textbf{Countermeasure}$ : an action / device / procedure that reduces the vulnerability of a threat

Three Inter-related Aspects of Cyber-Security

$\textbf{Data\;Security}$
- Focus: unauthorized access to data at rest or in transit
- Affects confidentiality, integrity, availability (CIA triad)
- Spinello (2000): proprietary / sensitive information must remain confidential, unaltered in transit, and reliably accessible
$\textbf{System\;Security}$
- Protects system resources: hardware, OS, applications
- Concerned with malicious code (viruses, worms, trojans, logic bombs)
$\textbf{Network\;Security}$
- Secures LANs, WANs & Internet infrastructure against attacks (e.g., DDoS, protocol exploits)
- Internet’s protocol stack itself has been repeatedly attacked (e.g., 1988 Internet Worm)

Hacking & the Evolution of the Term

$1960\text{–}1970$ : “Hacker” = creative programmer producing clever code (positive)
$1970\text{–}1990$ : term becomes negative; unauthorized system access & early computer crimes (business & government targets)
Mid- $1990$ s onward: web era increases criminal opportunity; attackers with minimal skills release malware written by others
Notable incidents & figures
- Robert Tappan Morris (1988 Internet Worm) infected $\approx 6,000$ UNIX hosts
- Kevin Mitnick (spanning $\approx 20$ years) penetrated NORAD, DEC, Shimomura’s PC
- Clifford Stoll’s chase ("The Cuckoo’s Egg") of West-German military hackers
- International exploits: Russian $\$400{,}000$ Citicorp theft, English teen Rafael Grey stealing thousands of credit-card numbers, etc.

“Hacker Ethic” – Steven Levy (1984)

Unlimited & total access to computers
All information should be free
Mistrust authority & promote decentralization
Judge hackers by hacking skill alone
Computers can create art & beauty
Computers can make life better

Three commonly cited justifications for hacking
1. Information wants to be free
2. Hackers perform a public service by exposing flaws
3. Cyberspace is virtual → no real harm
Critiques (Spafford, Moor)
- Privacy impossible if all info is free; integrity cannot be guaranteed
- “Thanking burglars” analogy shows fallacy of unsolicited security testing
- “Virtuality Fallacy”: harms inflicted online (defamation, child pornography, virtual rape) are real

Malware Taxonomy & Characteristics

$\textbf{Virus}$
- Attaches to executable or document; replicates when host runs; moderate spread; goal: corrupt / delete info
- Requires human action (opening file) to propagate
$\textbf{Worm}$
- Standalone; self-replicates via network vulnerabilities; can be remotely controlled; fast spread; overloads resources
$\textbf{Trojan\;Horse}$
- Disguised as legitimate software; no self-replication; often installs backdoor / steals data; spread via phishing, pirated downloads
$\textbf{Logic\;Bomb}$
- Code that executes on specific trigger (date, event)
$\textbf{Remote\;Access\;Trojan\;(RAT)}$ – specialized trojan providing attacker full control (e.g., Back Orifice, SubSeven)

Famous Viruses & Worms

$\textit{Internet\;Worm}$ (1988) – Robert Morris; first major Internet outage
$\textit{Melissa.A}$ (1999) – macro virus emailing to top $50$ contacts; >\$80\text{ million} damages
$\textit{ILOVEYOU}$ (2000) – mass-mailing VBScript virus
$\textit{Code\;Red}$ (2001) – $3{,}569$ -byte worm exploiting Microsoft IIS buffer overflow; runs in RAM, massive network congestion
$\textit{Slammer/Sapphire}$ (2003); $\textit{Blaster}$ (2004); $\textit{Sasser}$ (2004)
$\textit{Stuxnet}$ (2010) – state-sponsored cyber-weapon; destroyed ~ $\frac{1}{5}$ of Iran’s centrifuges; $\approx 60\%$ of infections in Iran

Impacts of Worm Attacks

Data/program loss, system crashes, network congestion, productivity decline, overtime for IT staff

Network-Level Attacks & Denial-of-Service (DoS)

$\textbf{DoS}$ goal: render resource unavailable to legitimate users
- $\approx 4{,}000$ websites attacked weekly
- Asymmetric attack attractive to terrorists
Techniques
- $\textit{SYN\;Flood}$ – incomplete TCP handshakes exhaust server
- $\textit{Smurf}$ – spoofed broadcast ICMP pings flood victim
- Email bombing, disk-filling, DDoS from botnets of hijacked PCs (forged IPs)
$\textbf{Physical\;Security}$ also essential: UPS, cooling, off-site backups, disabled amplifier features on routers

Ethical & Legal Dimensions

Cyber-security intersects with
- Individual autonomy, privacy, anonymity
- Criminal law: most security violations are crimes, yet some crimes (software piracy, child pornography) are not security breaches
U.S. federal penalties
- Unauthorized access, transmission of malware, password trafficking, interception of communications, identity fraud ➜ up to $20$ years prison + $\$250{,}000$ fine
Law enforcement challenges
- Jurisdiction, identification of suspects, extradition, global legal variation, rapid tech change, low public legal literacy

Computer Forensics & Investigation

Combines law & computer science to collect, preserve, analyze digital evidence so it’s admissible
Tools & methods
- Undercover agents, honeypots, message-board archives, data recovery utilities
- Requires extensive training & certification; must follow evidence-handling laws

Countermeasures & Best Practices

Security Policy

Defines organizational security requirements, user responsibilities, controls & sanctions
Specifies what must be done (e.g., “Passwords must change every $30$ days; no executable email attachments”)
Trade-off: ease of use vs. security; must address email, wireless, VPN, address encryption

Technical Controls

$\textbf{Patching}$ – timely OS & application updates
$\textbf{Anti-malware}$ – scan, quarantine, delete infected files; repair sectors; auto-update definitions
$\textbf{Firewalls}$ – perimeter & host-based; enforce inbound/outbound traffic rules
- Popular PC firewalls: ZoneAlarm Pro, F-Secure Internet Security, Panda Global Protection, NeT Firewall, ESET Smart Security
$\textbf{Intrusion\;Detection\;Systems\;(IDS)}$
- Knowledge-based (signature) & behavior-based (anomaly) monitoring; alert on external intrusions or internal misuse
$\textbf{Honeypots}$ – decoy servers that log attacker behavior & supply false data while isolating production network
$\textbf{Encryption / Cryptography}$
- Converts plaintext to ciphertext; protects data at rest & in transit; supports authentication, digital cash, IP protection
- Symmetric (single key) vs. Public-Key (public/private pair) systems; secure key exchange critical

Administrative Measures

User education: guard passwords, no sharing, report anomalies, protect portable devices
Insider threat mitigation: immediate account deletion for leavers, role separation, job rotation, audit trails
Periodic IT security audits & benchmark checks; disk quotas; disable unused services

Evaluating the Morris Worm – Ethical Frameworks

Kantian: unauthorized access → treating others merely as means
Social-contract: violated organizational property rights
Utilitarian: minor long-term benefits (exposed flaws) outweighed by widespread immediate harms (downtime, labor, penalties)
Conclusion: unleashing the worm was unethical

Current & Emerging Challenges

$\textbf{Globalization}$ – laws, jurisdiction, culture vary; cross-border content access complicates enforcement
$\textbf{Enforcement}$ – anonymous offenders, overseas suspects, costly extradition
$\textbf{Technology}$ – rapid evolution, proliferation of media channels, careless users, lagging self-protection, low legal literacy
$\textbf{Cyber-criminal\;innovation}$ – continual search for new infiltration avenues; ethical dilemmas (e.g., whistle-blowing, privacy vs. security)

Conclusion & Recommendations

Cultivate $\textbf{Responsible\;Net\;Citizens}$ through sustained education & awareness
Foster cooperation among government, industry, academia & international partners
Maintain dynamic legal & regulatory frameworks; regularly review statutes, penalties & investigative capabilities
Embed security into systems from inception rather than rely solely on add-on countermeasures
Balance robust security with preservation of user autonomy, privacy & open access