Cyber security and countermeasure

From Wikipedia, the free encyclopedia

Cybercrime (or computer crime) refers to any crime that involves a computer and a network.[1] In general, a countermeasure is a measure or action taken to counter or offset another one. In computer security a countermeasure is defined as an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.[2][3] An alternate meaning of countermeasure from the InfosecToday glossary[4] is:

The deployment of a set of security services to protect against a security threat.

Threats

Although different types of threats (e.g., earthquakes, floods, electrical breakdown) can cause an incident, or may harm a system or an organisation,[5] only intentional threats will be considered here.
According to Microsoft's classification there are six categories of threats:[6]

  • Spoofing of user identity: describes a situation in which one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage.
  • Tampering: describes an intentional modification of products in a way that would make them harmful to the consumer.
  • Repudiation: describes a situation where the authenticity of a signature is being challenged.
  • Information Disclosure (Privacy breach or Data leak): describes a situation where information thought to be secure is released into an untrusted environment.
  • Denial of Service (DoS): describes a situation where a technological resource (computer, network, ...) becomes unavailable to its intended users.
  • Elevation of Privilege: describes a situation where a person or a program gains elevated privileges or access to resources that are normally restricted to them.

This model is named after the initials of the threats, STRIDE, and is now widely used. Nevertheless, other models do exist; for instance DREAD: Damage, Reproducibility, Exploitability, Affected users, Discoverability.
To exploit those vulnerabilities, perpetrators (individual hackers or criminal organizations) most commonly use malware (malicious software), worms, viruses and targeted attacks.
To assess the risk of an attack, different scales exist. In the United States, authorities use the Information Operations Condition (INFOCON) system. This system is scaled from 5 to 1 (INFOCON 5 being a harmless situation and INFOCON 1 representing the most critical threats).

Besides human factors, a system's own flaws are also a threat; a system can sometimes make wrong judgements. A famous historical example of such a flaw is the Year 2000 problem, also called the "2000 virus", the "millennium bug" or the "millennium virus", and abbreviated "Y2K". In general, the "millennium bug" also covers the following two aspects. First, some computer systems could not correctly compute and identify the leap year 2000: February 29, 2000 did not exist in the system's calendar, and the date moved directly from February 28, 2000 to March 1, 2000. Second, some older computer systems used the digit string 99 (or 99/99, etc.) in their programs to mean end of file, permanently expired, delete, or some other special automatic operation; when such a system processed file dates on September 9, 1999 (or on April 9, 1999, the 99th day of 1999), it would encounter 99 or 99/99 and similar digit sequences, mistakenly treat the document as expired or delete the wrong file, and cause confusion, system crashes and other failures.
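The two Year 2000 failure modes described above, as an added example that is not part of the article: a legacy two-digit-year leap test that skips February 29, 2000, and a date value overloaded as a "delete this record" sentinel, each shown beside the corrected handling. The record set and the sentinel string are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed example: some legacy programs overloaded a date value made of 9s
# as "expired / delete this record" (the article's "99" / "99/99" special value).
LEGACY_EXPIRED_SENTINEL = "9/9/99"


def legacy_is_leap(yy: int) -> bool:
    """Flawed legacy test: the two-digit year is expanded as 1900 + yy,
    so year 00 becomes 1900, which is not a leap year (divisible by 100, not 400)."""
    year = 1900 + yy
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def legacy_next_day(yy: int, mm: int, dd: int) -> tuple:
    """Advance one calendar day with two-digit years and the flawed leap test.
    Returns (yy, mm, dd); on 28 Feb 00 it jumps straight to 1 Mar 00."""
    month_days = [31, 29 if legacy_is_leap(yy) else 28, 31, 30, 31, 30,
                  31, 31, 30, 31, 30, 31]
    if dd < month_days[mm - 1]:
        return yy, mm, dd + 1
    if mm < 12:
        return yy, mm + 1, 1
    return (yy + 1) % 100, 1, 1      # year wraps from 99 to 00


def correct_next_day(yyyy: int, mm: int, dd: int) -> tuple:
    """Corrected handling: a four-digit year lets the standard library apply
    the full Gregorian rule, so 2000 is correctly treated as a leap year."""
    nxt = date(yyyy, mm, dd) + timedelta(days=1)
    return nxt.year, nxt.month, nxt.day


# Constructed records: one real document genuinely dated 9 Sept 1999, one
# scratch record that the legacy convention marked for deletion via the sentinel.
RECORDS = [
    {"name": "invoice-1", "date": "9/9/99", "expired": False},
    {"name": "temp-file", "date": "9/9/99", "expired": True},
    {"name": "invoice-2", "date": "8/1/99", "expired": False},
]


def legacy_cleanup(records: list) -> list:
    """Legacy cleanup: any record whose date equals the sentinel is deleted.
    Once real dates reach 9/9/99, legitimate records are deleted as well."""
    return [r for r in records if r["date"] != LEGACY_EXPIRED_SENTINEL]


def correct_cleanup(records: list) -> list:
    """Corrected cleanup: expiry is an explicit flag, never encoded in the date."""
    return [r for r in records if not r["expired"]]
```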

Past attacks: the need for policy

Over the past 10 to 15 years, multiple cyber attacks occurred targeting both governmental agencies and private companies.

  • In 2000, several commercial websites including Yahoo.com, Amazon.com, eBay.com, Buy.com, CNN.com and ZDNet.com were hit by massive DoS attacks. The FBI estimated that the attack caused $1.7 billion in damage.
  • In 2003, the Slammer worm infected 90% of vulnerable computers within 10 minutes. This caused interference with elections, airline flight cancellations, the failure of Seattle's 911 emergency system and the failure of over 13,000 Bank of America ATMs. The loss in productivity was estimated at around $1 billion.
  • Since 2003, a series of coordinated attacks on American computer systems occurred. The US government designated those attacks as Titan Rain. Titan Rain hackers gained access to many U.S. computer networks, including those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA.

A global problem

"As a fundamental principle, cyberspace is a vital asset to the nation and the United States should protect it"[7] is the opening statement of the Cybersecurity Act of 2010.
Most countries do not possess a digital infrastructure that can be qualified as "secure". The United States is no different: "Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations".[7]
As more than 85% of the digital infrastructure in the United States is owned and operated by the private sector,[7] it is crucial that the public and private sectors, in addition to acting on their own, cooperate on finding a global solution.

Government

The role of the government is to make regulations that force companies and organizations to protect their systems, infrastructure and information from cyber attacks, and also to protect its own national infrastructure such as the national power grid.

The question of whether or not the government should intervene in the regulation of cyberspace is a very contentious one. Indeed, for as long as it has existed and by definition, cyberspace has been a virtual space free of any government intervention. While everyone agrees that an improvement in cybersecurity is more than vital, is the government the best actor to solve this issue? Many government officials and experts think that the government should step in and that there is a crucial need for regulation, mainly due to the failure of the private sector to solve the cybersecurity problem efficiently. During a panel discussion at the RSA Security Conference in San Francisco, R. Clarke said that he believes the "industry only responds when you threaten regulation. If industry doesn't respond (to the threat), you have to follow through."[8] On the other hand, executives from the private sector agree that improvements are necessary but think that government intervention would affect their ability to innovate efficiently.

Public–private cooperation

The Cybersecurity Act of 2010 establishes the creation of an advisory panel; each member of this panel will be appointed by the President of the United States. The members must represent the private sector, the academic sector, the public sector and non-profit organisations.[7] The purpose of the panel is to advise the government as well as help improve strategies.

InfraGard is an example of a public-private organization.

Actions and teams in the US

Cyber Security Act of 2010

The "Cybersecurity Act of 2010 - S. 773" (full text) was introduced first in the Senate on April 1, 2009 by Senator Jay Rockefeller (D-WV), Senator Evan Bayh (D-IN), Senator Barbara Mikulski (D-MD), Senator Bill Nelson (D-FL), and Senator Olympia Snowe (R-ME). The revised version was approved on March 24, 2009.
The main objective of the bill is to increase collaboration between the public and the private sector on the issue of cybersecurity, but also

"to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes."[7]

The act also seeks to institute new, higher standards, processes, technologies and protocols to ensure the security of the "critical infrastructure".

Government initiatives

The government has put together several websites to inform, share and analyze information. Those websites are targeted at different audiences. Here are a few examples:

  • http://www.msisac.org/ : the Multi-State Information Sharing and Analysis Center. The mission of the MS-ISAC is to improve the overall cyber security posture of state, local, territorial and tribal governments.
  • http://www.onguardonline.gov/ : The mission of this website is to provide practical tips from the federal government and the technology industry to help the end user be on guard against internet fraud, secure their computers, and protect their private personal information.
  • http://csrc.nist.gov/ : The Computer Security Division (Computer Security Resource Center) of the National Institute of Standards and Technology. Its mission is to provide assistance, guidelines, specifications, minimum information security requirements...

Military agencies

Homeland Security

The Department of Homeland Security has a dedicated division, called the National Cyber Security Division, responsible for the response system, risk management program and requirements for cyber security in the United States.[9][10] The division is home to US-CERT operations and the National Cyber Alert System. The goals of these teams are to:

  • help government and end-users to transition to new cyber security capabilities
  • R&D[10]

In October 2009, the Department of Homeland Security opened the National Cybersecurity and Communications Integration Center. The center brings together government organizations responsible for protecting computer networks and networked infrastructure.[11]

FBI

The third priority of the Federal Bureau of Investigation (FBI) is to:

Protect the United States against cyber-based attacks and high-technology crimes[12]

According to the 2010 Internet Crime Report, 303,809 complaints were received via the IC3 website. The Internet Crime Complaint Center, also known as IC3, is a multi-agency task force made up by the FBI, the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).[13]
According to the same report,[14] here are the top 10 reported offenses in the United States only:

  1. Non-delivery Payment/Merchandise 14.4%
  2. FBI-Related Scams 13.2%
  3. Identity Theft 9.8%
  4. Computer Crimes 9.1%
  5. Miscellaneous Fraud 8.6%
  6. Advance Fee Fraud 7.6%
  7. Spam 6.9%
  8. Auction Fraud 5.9%
  9. Credit Card Fraud 5.3%
  10. Overpayment Fraud 5.3%

In addition to its own duties, the FBI participates in non-profit organizations such as InfraGard. InfraGard is a private non-profit organization serving as a public-private partnership between U.S. businesses and the FBI. The organization describes itself as an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members.[15] InfraGard states that it is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States.[16]

Department of Justice

The Criminal Division of the United States Department of Justice operates a section called the Computer Crime and Intellectual Property Section (CCIPS). The CCIPS is in charge of investigating computer crime and intellectual property crime and specializes in the search and seizure of digital evidence in computers and networks.
As stated on their website:

"The Computer Crime and Intellectual Property Section (CCIPS) is responsible for implementing the Department's national strategies in combating computer and intellectual property crimes worldwide. The Computer Crime Initiative is a comprehensive program designed to combat electronic penetrations, data thefts, and cyberattacks on critical information systems. CCIPS prevents, investigates, and prosecutes computer crimes by working with other government agencies, the private sector, academic institutions, and foreign counterparts."[17]

USCYBERCOM

The United States Strategic Command (USSTRATCOM) is one of the nine Unified Combatant Commands of the United States Department of Defense (DoD). The Command, including components, employs more than 2,700 people, representing all four services, including DoD civilians and contractors, who oversee the command's operationally focused global strategic mission. The United States Cyber Command, also known as USCYBERCOM, is a sub-unified command subordinate to USSTRATCOM. Its mission is "to plan, coordinate, integrate, synchronize and conduct activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries."[18]

FCC

The U.S. Federal Communications Commission's role in cyber security is to strengthen the protection of critical communications infrastructure, to assist in maintaining the reliability of networks during disasters, to aid in swift recovery after, and to ensure that first responders have access to effective communications services.[19]

Computer Emergency Readiness Team

Computer Emergency Response Team is a name given to expert groups that handle computer security incidents. In the US, two distinct organizations exist, although they do work closely together.

International actions and teams

International actions

Many different teams and organisations exist, mixing private and public members. Here are some examples:

  • The Council of Europe helps protect societies worldwide from the threat of cybercrime through the Convention on Cybercrime and its Protocol on Xenophobia and Racism, the Cybercrime Convention Committee (T-CY) and the Project on Cybercrime.[23]
  • The purpose of the Messaging Anti-Abuse Working Group (MAAWG) is to bring the messaging industry together to work collaboratively and to successfully address the various forms of messaging abuse, such as spam, viruses, denial-of-service attacks and other messaging exploitations. To accomplish this, MAAWG develops initiatives in the three areas necessary to resolve the messaging abuse problem: industry collaboration, technology, and public policy.[24] France Telecom, Facebook, AT&T, Apple, Cisco, Sprint are some of the members of the MAAWG.[24]

The objective of ENISA is to improve network and information security in the European Union. The agency has to contribute to the development of a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, and consequently will contribute to the smooth functioning of the EU Internal Market.

National teams

Here are the main computer emergency response teams around the world. Every country has its own team to protect network security. On February 27, 2014, the Chinese network security and information technology leadership team was established. The leadership team will focus on national security and long-term development, coordinate major issues related to network security and information technology in the economic, political, cultural, social, military and other fields, develop a national strategy, plan and major policies for network security and information technology, promote national network security and information technology law, and constantly enhance security capabilities.

Europe

CSIRTs in Europe collaborate in the TERENA task force TF-CSIRT. TERENA's Trusted Introducer service provides an accreditation and certification scheme for CSIRTs in Europe. A full list of known CSIRTs in Europe is available from the Trusted Introducer website.[1]

Other countries

References

  1. ^ Moore, R. (2005) "Cybercrime: Investigating High-Technology Computer Crime," Cleveland, Mississippi: Anderson Publishing.
  2. ^ RFC 2828 Internet Security Glossary
  3. ^ CNSS Instruction No. 4009 dated 26 April 2010
  4. ^ InfosecToday Glossary
  5. ^ ISO/IEC, "Information technology -- Security techniques -- Information security risk management" ISO/IEC FIDIS 27005:2008
  6. ^ http://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
  7. ^ a b c d e Cybersecurity Act of 2010 - http://www.opencongress.org/bill/111-s773/text
  8. ^ Kirby, Carrie (June 24, 2011). "Former White House aide backs some Net regulation / Clarke says government, industry deserve 'F' in cybersecurity". The San Francisco Chronicle. 
  9. ^ "National Cyber Security Division". U.S. Department of Homeland Security. Retrieved June 14, 2008. 
  10. ^ a b "FAQ: Cyber Security R&D Center". U.S. Department of Homeland Security S&T Directorate. Retrieved June 14, 2008. 
  11. ^ AFP-JiJi, "U.S. boots up cybersecurity center", October 31, 2009.
  12. ^ "Federal Bureau of Investigation - Priorities". Federal Bureau of Investigation. 
  13. ^ Internet Crime Complaint Center
  14. ^ "2010 Annual Report - Internet Crime Complaint Center". IC3. 
  15. ^ "Robert S. Mueller, III -- InfraGard Interview at the 2005 InfraGard Conference". Infragard (Official Site) -- "Media Room". Retrieved 9 December 2009. 
  16. ^ "Infragard, Official Site". Infragard. Retrieved 10 September 2010. 
  17. ^ "CCIPS". 
  18. ^ U.S. Department of Defense, Cyber Command Fact Sheet, May 21, 2010 http://www.stratcom.mil/factsheets/Cyber_Command/
  19. ^ "FCC Cyber Security". FCC. 
  20. ^ Verton, Dan (January 28, 2004). "DHS launches national cyber alert system". Computerworld (IDG). Retrieved 2008-06-15. 
  21. ^ "FIRST website". 
  22. ^ "First members". 
  23. ^ "European council". 
  24. ^ a b "MAAWG".