Posted: 29-Dec-2015 | Category: Documents | Uploaded by: georgina-cameron
Contemporary Black Hat, White Hat Research in Information Security: Where are the Gaps?
Detmar Straub
Georgia State University
& Editor-in-Chief, MIS Quarterly
Indiana University
January 2011
Agenda
1. Who or what are black hats? Who or what are white hats?
2. The big picture
3. Types of white hat and black hat studies
4. Most interesting causes & effects
5. Theory bases are not the problem…
6. Research methods are not the problem…
7. The problem: data collection
8. Where do we go from here?
Presentation is available for downloading at: detmarstraub.com
1. Who or what are black hats? Who or what are white hats?
Black hats are, loosely speaking, the bad guys, the anti-socials and hackers. Occasionally criminals and terrorists. The category also includes the unwashed employees, those who develop dirty hands and switch sides.
White hats are those who want to protect information resources from unintended and illicit use.
A grey hat, in the hacking community, refers to a skilled hacker who sometimes acts illegally, sometimes in good will, and sometimes not. They are a hybrid between white and black hat hackers. They usually do not hack for personal gain or have malicious intentions, but may or may not occasionally commit crimes during the course of their technological exploits.
2. The big picture
Let’s first abstract to the highest level and try to avoid theory, methods, & data-collection issues and just focus on the basic relationships in the phenomenon of interest.
What is the phenomenon of interest? Information in organizations (and society) and how to protect it as a resource. It could be at the level of the individual, group, profit-making firm, nonprofit organizations, governments, or society as a whole.
The players? Computer systems that produce, firewall, store, and retrieve data/information/knowledge/wisdom plus white and black hats.
3. Types of white hat-black hat studies
Note: The hats are people. Computer systems that are used in transmitting and storing information are the points of interaction.
Note: The only direct communication between the black hats and white hats is through social disciplinary actions.
Orlikowski’s sociomateriality of people and systems: a philosophical view that people using computers create a new phenomenological entity of interest.
Basic terms such as deterrence and deterrents, prevention and preventives, detection and recovery/remedies are assumed.
[Figure: security action cycle, based on Nance and Straub (1988). Stages: Deterrence, Prevention, Detection, Remedies, with Feedback. Objective: maximize Deterred Abuse and Prevented Abuse; minimize Undetected Abuse and Unpunished Abuse.]
4. Most interesting causes & effects
Actions of black hats create a response from white hats. Studies in how effectively white hats ratchet up security when black hats are attacking more frequently or via new or certain types of strategies.
[Diagram: Direct actions of black hats (typically by type of attack and as measured by white hats); Success of attacks against white hats (as measured by white hats)]
Choice and Chance: A Conceptual Model of Paths to Information Security Compromise. Sam Ransbotham, Sabyasachi Mitra. Information Systems Research, Mar 2009 (20, 1), 121-141.
No longer the exclusive domain of technology experts, information security is now a management issue. Through a grounded approach using interviews, observations, and secondary data, we advance a model of the information security compromise process from the perspective of the attacked organization. We distinguish between deliberate and opportunistic paths of compromise through the Internet, labeled choice and chance, and include the role of countermeasures, the Internet presence of the firm, and the attractiveness of the firm for information security compromise. Further, using one year of alert data from intrusion detection devices, we find empirical support for the key contributions of the model. We discuss the implications of the model for the emerging research stream on information security in the information systems literature.
[Diagram: Direct actions of black hats; Success of attacks against white hats]
A test of interventions for security threats from social engineering. Michael Workman. Information Management & Computer Security, 2008 (16, 5), 463ff.
Recently, the role of human behavior has become a focal point in the study of information security countermeasures. However, few empirical studies have been conducted to test social engineering theory and the reasons why people may or may not fall victim, and even fewer have tested recommended treatments. Building on theory using threat control factors, the purpose of this paper is to compare the efficacy of recommended treatment protocols. A confirmatory factor analysis of a threat control model was conducted, followed by a randomized assessment of treatment effects using the model. The data were gathered using a questionnaire containing antecedent factors, and samples of social engineering security behaviors were observed. It was found that threat assessment, commitment, trust, and obedience to authority were strong indicators of social engineering threat success, and that treatment efficacy depends on which factors are most prominent. This empirical study provides evidence for certain posited theoretical factors, but also shows that treatment efficacy for social engineering depends on targeting the appropriate factor. Researchers should investigate methods for factor assessment, and practitioners must develop interventions accordingly.
[Diagram: Direct actions of black hats; Success of attacks against white hats]
Information Security Threats: A Comparative Analysis of Impact, Probability, and Preparedness. Mary Sumner. Information Systems Management, Winter 2009 (26, 1), 2ff.
The objectives are: (1) to determine the risk assessment of information security threats, based upon the perceived impact and the perceived probability of occurrence of these threats; (2) to determine the extent of risk mitigation, based upon the perceived level of preparedness for each of these information security threats; and (3) to determine the extent to which the occurrence and the impact of information security threats relate to the level of preparedness.
[Diagram: Direct actions of black hats; Success of attacks against white hats]
Actions of black hats create a protective response from white hats. Some attacks succeed and some fail. Studies in why this occurs and what works and what doesn’t.
Detective actions by white hats are similar, but differ in that they require the abuse by the black hat to fill out a pattern that cannot be tested in real time.
If it could be determined in real time, it would simply be prevented.
[Diagram: Actions of black hats; Preventive actions against black hats; Thwarted; Success of attacks against white hats]
Actions of white hats lead to changing tactics of black hats. Studies in how black hats alter their behaviors after the white hats change their strategies.
Few studies like this. Anecdotal or narratives like The Cuckoo’s Egg by Cliff Stoll.
[Diagram: Changing strategies of white hats; Changing behaviors of black hats]
Network characteristics of black hats create a response from white hats. Adaptability of black hats to more effectively attack white hats.
[Data collection option: Invade hacker user groups and study how the hackers plan attacks and what their motives are.]
Network characteristics of white hats create a response from black hats. Adaptability of white hats to more effectively defend against black hats.
[Data collection option: Study best practices for defense and whether they are, in fact, best practices. User groups perhaps. Sharing of information among white hats via a trusted network like TQN (more later).]
White hats institute policies to protect systems. White hats punish offenders and this deters black hats.
[Diagram: Preventive actions against black hats; Actions of black hats; Thwarted; Success of policies and training influencing attacks against white hats]
Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Tejaswini Herath, H. R. Rao. Decision Support Systems, May 2009 (47, 2), 154ff. Abstract (Summary):
Secure management of information systems is crucially important in information intensive organizations. Although most organizations have long been using security technologies, it is well known that technology tools alone are not sufficient. Thus, the area of end-user security behaviors in organizations has gained an increased attention. In information security observing end-user security behaviors is challenging. Moreover, recent studies have shown that the end users have divergent security views. The inability to monitor employee IT security behaviors and divergent views regarding security policies, in our view, provide a setting where the principal agent paradigm applies. In this paper, we develop and test a theoretical model of the incentive effects of penalties, pressures and perceived effectiveness of employee actions that enhances our understanding of employee compliance to information security policies. Based on 312 employee responses from 77 organizations, we empirically validate and test the model. Our findings suggest that security behaviors can be influenced by both intrinsic and extrinsic motivators. Pressures exerted by subjective norms and peer behaviors influence employee information security behaviors. Intrinsic motivation of employee perceived effectiveness of their actions was also found to play an important role in security policy compliance intentions. In analyzing the penalties, certainty of detection was found to be significant while surprisingly, severity of punishment was found to have a negative effect on security behavior intentions.
[Diagram: Preventive actions against black hats; Actions of black hats; Thwarted; Success of policies and training influencing attacks against white hats]
5. Theory/ethics is not the problem…
Theories need to deal with:
1. Why do black hats do what they do and what cuts down their effectiveness?
2. Why do white hats do what they do and what cuts down their effectiveness?
But dubious symmetry in our interests in the phenomenon! Science cannot be neutral when survival is at stake.
We need to believe that there is a social and moral good here in order to muster our scholarly efforts on behalf of the white hats.
Was Kevin Mitnick merely a misunderstood, free spirit?!
• Social critical theory? (Not sure how this would play out.)
• Are the black hats truly the bad guys, or only because they are opposing the establishment, who are the white hats?
• Maybe they are disillusioned and disempowered workers in some cases and the firms’ top management are to blame.
  o Not an entirely unreasonable argument after the financial crisis of 2008-2009
6. Research methods are not the problem…
• Ethnographic approaches and interpretivist understanding of what black hats-white hats and their actions might mean
• Orlikowski’s sociomateriality, where we have the computer embedded in the hats
• Process and interactions rather than causality
• Action research?
• Participant observation?
• Experimentation?
• Simulations?
7. The problem: data collection
Black hat data: a major problem when you ask students to put themselves into the position of malefactors. Need to get directly at malefactors. Become lurkers at hacker sites. Actually be upfront with the hacker community and try to understand them and their motives. Simulate them based on what we do know about them.
Students pretending to be malefactors is questionable science. Burton-Jones’ distance bias (MISQ, 2009). Why do we do it? Low hanging fruit. Easier to get access to white hats or white hats pretending to be black hats (sometimes they actually may be black hats, but generally and under most social conditions, likely not).
Special Issue on Information Systems Security in a Digital Economy (forthcoming in 2010)
1. “Neutralization: New Insight into the Problem of Employee Information Systems Security Policy Violations” by Mikko Siponen and Anthony Vance (preprints available)
2. “Fear Appeals and Information Security Behaviors: An Empirical Study” by Allen C. Johnston and Merrill Warkentin (preprints available)
3. “Circuits of Power: A Study of Mandated Compliance to an Information Systems Security De Jure Standard in a Government Organization” by Stephen Smith, Donald Winchester, Deborah Bunker, and Rodger Jamieson (preprints available)
4. “User Participation in Information Systems Security Risk Management” by Janine L. Spears and Henri Barki (preprints available)
5. “Detecting Fake Websites: The Contribution of Statistical Learning Theory” by Ahmed Abbasi, Zhu Zhang, David Zimbra, Hsinchun Chen, and Jay F. Nunamaker, Jr. (preprints available)
6. “Market Value of Voluntary Disclosures Concerning Information Security” by Lawrence A. Gordon, Martin P. Loeb, and Tashfeen Sohail
7. “Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness” by Burcu Bulgurcu, Hasan Cavusoglu, and Izak Benbasat
8. “Practicing Safe Computing: A Multi-Method Empirical Examination of Home Computer User Security Behavioral Intentions” by Catherine L. Anderson and Ritu Agarwal
White hat data about real losses from black hats: in a word, the problem is “access.” Most organizations are wary of sharing sensitive data about their losses from computer abuse (Straub and Hoffer, SMR, 1989; Straub and Nance, MISQ, 1992).
TQN is one solution. There are likely others.
[Graphic from Sainsbury, 2009, based on “Trusted Query Network (TQN)” (Vaishnavi et al. 2006)]
Organizations need experience information to accurately estimate risk of events (information security breaches, infection rates, etc.), but in many cases these industry-wide data are not available.
Why? Sharing sensitive information heightens disclosure risk. Organizations do not want to share their information, sometimes even within their own organization. Privacy concerns.
Requirements of such a complete inter-organizational infrastructure?
• Guaranteed anonymity
• Total control of data
• Flexible and rich configuration for participation automation
• Support common queries to obtain useful industry-wide information
• Secure and scalable
[Figure: Trusted Query Network “Simulation” (animated slide, “Click mouse to advance”): participating nodes each labelled with a Secret Value, running Count and Value totals shown at each step, and a final Average.]
• Patent applied for in August 2007
• Prototype functions expanded and enhanced
• Evaluating filing of second patent application
• Market potential initially assessed for go/no go decision: “Technically significant, novel, commercially important”
• Target National Health Information Network and other Health and Human Services applications
• Thus far, two interested parties identified
• Next steps: For licensed test, use VeriSign or CDC? Update IP disclosure & extend patent application. Continue marketing. Expand prototype.
8. Where do we go from here?
Think outside the current boxes. Start with new sources of data.
Established theories and methods are readily available (albeit new theories would also be welcome).
Without better data, the enterprise is doomed. Even simulated data can help.
  o Data can be generated according to the ranges of what we know and tests conducted on these samples.
  o Similar conceptually to bootstrapping, which assumes that the sample you have is sufficiently representative of the population and samples from this sample for the rest of its tests.
Gather reported abuse data. Reported abuse is no doubt systematically biased, but we can work with the ranges of that data to assume characteristics of the unobserved population (Cronbach’s U*).
Assume that the black hats easily caught are the dumbest.
Assume that those who elude detection and arrest are the smartest.
  o When they are caught, use them to generate similar data about the under-represented smart set.
  o Simulate larger proportions of smarter abusers and check the sensitivity of current policies against this evolving population.
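The simulated-data and "smarter abusers" proposals above, worked through as an added Python illustration (not code from the slides or from any paper they cite): a bootstrap over a constructed sample of reported abuse incidents, then a resampled population with a growing share of hard-to-detect abusers to see how a hypothetical 30-day detection policy degrades. Every incident value, the 30-day threshold and the policy metric are constructed assumptions.

```python
import random
from statistics import fmean

# Constructed sample of reported abuse incidents (hypothetical values, not a
# real dataset): loss in thousands of USD and days until the abuse was detected.
REPORTED_INCIDENTS = [
    {"loss": 12, "days_to_detect": 3},
    {"loss": 5, "days_to_detect": 1},
    {"loss": 40, "days_to_detect": 45},
    {"loss": 8, "days_to_detect": 7},
    {"loss": 150, "days_to_detect": 120},
    {"loss": 22, "days_to_detect": 10},
    {"loss": 3, "days_to_detect": 2},
    {"loss": 65, "days_to_detect": 60},
    {"loss": 9, "days_to_detect": 5},
    {"loss": 18, "days_to_detect": 14},
    {"loss": 300, "days_to_detect": 200},
    {"loss": 14, "days_to_detect": 9},
]


def bootstrap_mean(values, n_resamples=2000, seed=1):
    """Resample `values` with replacement, collect the resampled means and
    return (point estimate, 2.5th percentile, 97.5th percentile): the
    'sample from the sample' idea the slides compare simulation to."""
    if not values:
        raise ValueError("need at least one observation")
    rng = random.Random(seed)
    n = len(values)
    means = sorted(
        fmean([values[rng.randrange(n)] for _ in range(n)])
        for _ in range(n_resamples)
    )
    lo = means[int(0.025 * n_resamples)]
    hi = means[int(0.975 * n_resamples) - 1]
    return fmean(values), lo, hi


def detection_rate(incidents, max_days):
    """Share of incidents a (hypothetical) policy catches within `max_days`."""
    caught = sum(1 for inc in incidents if inc["days_to_detect"] <= max_days)
    return caught / len(incidents)


def simulate_population(incidents, smart_share, smart_after_days, n, seed):
    """Draw n incidents where a fraction `smart_share` comes from the 'smart'
    abusers (evaded detection for more than `smart_after_days`) and the
    rest from the easily caught ones, as the slides propose."""
    smart = [i for i in incidents if i["days_to_detect"] > smart_after_days]
    dumb = [i for i in incidents if i["days_to_detect"] <= smart_after_days]
    if not smart or not dumb:
        raise ValueError("threshold must split the sample into both groups")
    rng = random.Random(seed)
    return [rng.choice(smart if rng.random() < smart_share else dumb)
            for _ in range(n)]


def policy_sensitivity(incidents, max_days, shares, smart_after_days=30,
                       n=1000, seed=7):
    """Detection rate of a `max_days` policy for each assumed smart share."""
    return {share: detection_rate(
                simulate_population(incidents, share, smart_after_days, n, seed),
                max_days)
            for share in shares}


if __name__ == "__main__":
    losses = [i["loss"] for i in REPORTED_INCIDENTS]
    print("mean loss and 95% bootstrap interval:", bootstrap_mean(losses))
    print("detection rate in reported data:", detection_rate(REPORTED_INCIDENTS, 30))
    print("detection rate as the smart share rises:",
          policy_sensitivity(REPORTED_INCIDENTS, 30, [0.0, 0.25, 0.5, 0.75, 1.0]))
```

The bootstrap interval shows how wide the plausible range of mean loss is given only the reported sample; the sensitivity table shows a policy that looks fine on reported data failing as the assumed share of undetected abusers grows.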
Go inside the hacker communities and the white hat user communities. This could also be seen as research on social networking, and this is as hot as security right now.