Dr Craig S Wright Global Institute for Cyber Security: How cyber terror and cyber espionage will...

Date post: 15-Jan-2015
Dr Craig S Wright, Vice President, Australia – Asia Pacific, Global Institute for Cybersecurity & Research delivered this presentation at the 2013 Corporate Cyber Security Summit. The event examined cyber threats to Australia’s private sector and focussed on solutions and counter cyber-attacks. For more information about the event, please visit the conference website http://www.informa.com.au/cybersecurityconference
1. Who is out there? Securing your system from future security threats? Presented by: Dr. Craig S Wright GSE LLM, Exec VP Strategy

2. Who is out there? Securing your system from future security threats
Craig S Wright, School of Computing and Mathematics, Charles Sturt University, NSW 2678
Craig.Wright@itmasters.edu.au
Melbourne

3. Outline
  • We look at the economics associated with botnets.
  • This research can be used to calculate territorial sizes for online criminal networks.
  • We look at the decision to be territorial or not from the perspective of the criminal bot-herder.
  • This is extended to an analysis of territorial size.
  • The criminal running a botnet seeks to maximize profit.

4. SCADA Vulnerabilities
  • As we know
  • Supervisory Control And Data Acquisition (SCADA) systems are the computers that monitor and regulate the operations of most critical infrastructure industries.

5. Background
  • Criminals defend territories in cyberspace.
  • Several different territorial strategies exist for criminal groups running botnets.
  • Each of these strategies has different benefits and costs associated with them and several of them are independent of the others.
  • high-value targets (including the exfiltration of data) whereas others involve the use of large numbers of systems to amplify low value transactions (including SPAM transmission and DDOS attacks)

6. A cost-benefit analysis of criminal territory in cyber compromises

7. The costs of acquiring resources
The first cost aspect of creating a criminal territory results from the initial acquisition cost: Research, Reconnaissance, Scanning, Exploitation, Maintaining access, and Covering tracks.

8. The costs of defending resources
Once a system has been acquired it needs to be defended and exploited by the cyber-criminal.
  • Any system that is not adequately defended by the attacker will eventually become a lost resource
  • Behavior of cyber-criminals may be influenced by need to maintain access to compromised systems, scan for new systems, defend territories, defend C&C servers, and so on.

9. A model of territorial cybercrime
The necessity of defending a territory requires time and resources.
  • The economic viability of each of these platforms varies from large collections of low-value hosts through to targeted high-value platforms
  • The advantages of a particular model will vary based on the ability of the attacker to maintain that system once it has been acquired.

10. Superterritories
The notion of superterritories (Verner, 1977) can be used in modelling criminal behaviour in the creation of large-scale botnets.

11. Criminal territories can be modeled as different ecosystems.
The overall size of criminal territory results from a compromise between the following factors: Acquisition needs, Resource maintenance needs, Defence costs, Predation pressure. Each of these factors comes with an economic cost.

12. Assessing cyber security risks through conducting vulnerability analysis
  • Information security is a risk function.
  • Knowing the risk means coming to understand both the threat agents as well as the systems we are defending

13. Economic issues that arise from risk
  • Economic issues that arise due to an inability to assign risk correctly.
  • Externalities restrict the development of secure software
  • The failure of the end user to apply controls makes it less probable that a software vendor will enforce stricter programming controls

14. What is the real cost of ignoring the cyber risks?
  • Cyber-criminals are rational
  • They go where the profit is greatest
  • If you ignore the risk, others will not

15. Developing and implementing mitigation strategies to strengthen highest data security
  • Security never goes away
  • More and more, we are going online
  • Each day, more information will be transmitted
  • More critical data will be stored in the cloud

16. Rational Choice Theory
Rationally opting for the insecure alternative: Negative externalities and the selection of security controls
Relative computer security can be measured using six factors:
  1. What is the importance of the information or resource being protected?
  2. What is the potential impact, if the security is breached?
  3. Who is the attacker likely to be?
  4. What are the skills and resources available to an attacker?
  5. What constraints are imposed by legitimate usage?
  6. What resources are available to implement security?

17. No Absolutes
  • Security is a risk function.
  • It is a game of cat and mouse
  • There is not and cannot be perfect security

18. Continual monitoring and updating hardware resources to safeguard your system
  • Your systems are far from the only source of data
  • Think accountants
  • Think lawyers
  • Think partners

19. What are your Assets worth?
  • If you are to engage in any risk exercise, you need to start thinking about what your assets are
  • This includes data, business process and more

20. Economics rules in security
This generates a measure of relative system security in place of the unachievable absolute security paradigm that necessarily results in a misallocation of resources.

21. Three areas to be concerned with
The three concerns that make us vulnerable are:
  • Human
  • Design
  • Software
Only when we address each of these will we make headway

22. It is about good practice
  • I will never know all the consequences of what I do or don't do.
  • Maybe you will be lucky, but the chances are increasing that you will be compromised

23. Zero risk is not practical
  • Risk cannot be completely removed
  • You have to accept some risk

24. Don't spend a $million to protect a cent
  • Always consider the value of the assets that you are defending
  • Look at the number of attacks (you are measuring this aren't you?)
  • Know your threats

25. Outliers can be predicted
  • Some systems are well configured and patched.
  • Others are terrible
  • It all depends on what is audited

26. Better managed systems survive
Displayed above we have a plot of the survival time against automated processes (green) overlaid with that of manual processes (red).

27. Conclusion
Before we invest our valuable resources into protecting the information assets it is vital to address concerns such as the importance of information or the resource being protected, the potential impact if the security is breached, the skills and resources of the attacker and the controls available to implement the security.

28. Conclusion
The overall size of criminal territory results from a compromise between the following factors:
  • Acquisition needs,
  • Resource maintenance needs,
  • Defence costs,
  • Predation pressure

29. An afterthought
  • Information Security cannot be an afterthought
  • Only in building security into the system from the start can we maintain it effectively

30. Thank you
