Francesca Bosco, The new challenges of cyber security

Date post: 08-May-2015
Upload: andrea-rossetti
The new challenges of cybersecurity: Internet for peace... or for war? Ms. Francesca Bosco, Project Officer, Interregional Crime and Justice Research Institute (UNICRI). 1 April 2011, Università degli Studi di Milano Bicocca
Transcript
Page 1: Francesca Bosco, The new challenges of cyber security

The new challenges of cybersecurity: Internet for peace... or for war?

Ms. Francesca Bosco
Project Officer
Interregional Crime and Justice Research Institute (UNICRI)

1 April 2011
Università degli Studi di Milano Bicocca

Page 2

Yesterday news…30/03/2011

Page 3

Yesterday news…30/03/2011 tbc

Page 4

Technological expected trends up to 2030

Page 5

Vulnerability: root causes

• A highly interconnected system of general purpose computers, not designed with security in mind
  – vulnerable software provides “launch pads” for easy propagation of attacks
  – erosion of the traditional perimeter (access systems and data “anytime, anywhere”)
• Shift from “attacks against networks” to “attacks against (web) applications” and “attacks against users and data”
• Insufficient security awareness of (some) application developers and end users

Page 6

Example: How Vulnerable are UN Systems?

Which system?
– publicly accessible websites
– central internal applications (IMIS, email, etc.)
– end user systems (desktops, laptops, BB, etc.)

Which threat?
– denial of service
– “defacement”
– abuse / threat to third parties
– “APT” type attacks

Page 7

State of Play

UN systems are frequently attacked
– defacements (political, “commercial”)
– abuse of web sites to disseminate “malware”
– abuse of email systems to send spam/fraudulent email
– forging of UN email addresses to commit fraud

Several known examples of “APT” type attacks
– very credible email messages
– attachments deemed safe by Anti-Virus software
– successful compromise of a single computer leads to further compromises on internal networks

Page 8

Current situation: general

• All systems are “compromisable”; perfect security is unattainable
• Objective is to continue safe operation in a compromised environment, to have systems that are defensible, rather than perfectly secure
• Cybersecurity is an adversarial science

Page 9

Evolution of the threat landscape

Mobile threats – voracious malware targeting mobile devices and the proliferation of mobile banking.

(More) Web 2.0 malware – Attackers leveraging Social Networks.

Attackers exploiting the erosion of network boundaries after the adoption of cloud computing.

Highly-motivated attackers with strong logistic or financial support.

Page 10

VIDEO

Predicting 2011...

Page 11

Top 5 security threats for 2011

1) Traditional malware
Traditional malware will remain the primary mechanism of distributing software to computers on the internet. Recent numbers indicate roughly 55,000 new malware pieces identified every day, which continues the exponential growth pattern into 2010. This trend will only continue.

2) Shift to advanced persistent threat (APT)
Attacks will be more advanced, targeted at a specific institution with a goal to acquire specific data. Often described as Advanced Persistent Threat (APT), these attacks are designed to infiltrate an organisation, hop the firewall and acquire a target. Once the software gets behind the firewall, it hops around the organisation investigating and gathering information about the internal system. It then uses this information to gain privileged access to critical information (e.g., transactions processing, customer lists or HR records) and begins stealing sensitive data. Without proper monitoring in place, it can be weeks or months before an organisation detects that it is under attack.

3) Focus on finance, hospitality and retail
Financial services, hospitality and retail industries will face an increased number of threats. As data from the 2010 data breach report issued by the Verizon RISK team and the U.S. Secret Service shows, these three industries combined currently represent 71% of all data breaches.

4) Mobile devices increase vulnerabilities
Seven out of ten companies still don’t have explicit policies outlining which devices can be logged onto the network, or on working in public places. As more people work and access information remotely, the threat levels from existing vulnerabilities will increase and new ones will appear.

5) Hacktivism as a new type of threat
The most visible example of hacktivism was the recent attacks by Anonymous, a group that targeted MasterCard, Visa and PayPal after those companies cut off financial services to WikiLeaks. We may see more of these types of attack by groups representing political and environmental organisations.

Page 12

What is Cyber Security?

Cyber security refers to measures for protecting computer systems, networks, and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction.

The basic objectives of Cyber Security are to ensure the Confidentiality, Integrity, and Availability of data.

Page 13

What is Cyber Security?

Confidentiality has been defined by the International Organization for Standardization (ISO) as "ensuring that information is accessible only to those authorized to have access" and is one of the cornerstones of information security. Confidentiality is one of the design goals for many cryptosystems, made possible in practice by the techniques of modern cryptography.

Integrity of the information implies that the data in question has not been tampered with through accidental or malicious activity. Source integrity also plays into this - ensuring that any piece of data actually came from the source claimed and not a "man-in-the-middle" or third party.

Availability means that the information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning correctly when the information is needed, that is, timely, reliable access to data and information services for authorized users.

Page 14

Information security incidents

• Information Security Incident:
  – an attempted or successful unauthorized access, use, disclosure, modification or destruction of information;
  – interference with the operation of ICT resources; or
  – violation of explicit or implied acceptable usage policy (as defined in ST/SGB/2004/15)
• Classification by common observable elements:
  – Agent (internal/external)
  – Action
  – Asset
  – Attribute
• does not include “motive” or “attributable source”

Page 15

Cybersecurity as a Balancing Act

Investigative readiness vs. Privacy
Availability vs. Security
Regulation vs. Innovation
Enterprise vs. Protection

How can we make the Internet and our “Cyber-Assets” safer without sacrificing simplicity, privacy or availability?

Page 16

Why do we need to talk about it?

• Government agencies constantly face cyber attacks
• Businesses are losing revenue to cybercriminals
• Users are being targeted for their Personal Identifiable Information (PII)
• Cybersecurity is a global issue, which can only be solved with global solutions
• Need for increased cooperation and coordination at the global level
• International community must work together to ensure a coordinated response.

Page 17

HOW MANY CYBER- DO YOU KNOW?

Page 18

Information technology...for war?

• Military history scholars argue that warfare has shifted towards a Fourth Generation of Warfare
• Technology not only enables asymmetry in power relations, but can also be used to overcome it, undermining the enemy from within
• In the Information Age, military operations have been impacted and transformed. Likewise no civil society sector has remained immune from the information revolution. The “national information infrastructure” (NII) is defined as the set of information systems and networks on which a nation depends to function
• In net-wars the confrontation takes place between “states and non-state actors, non-state actors that use states as arenas, or states that use non-state actors as their proxies”

Page 19

What’s cyberwar

The United Nations Institute of Training and Research defines cyberwar as:
“The deliberate use of information warfare by a state, using weapons such as electro-magnetic pulse waves, viruses, worms, Trojan horses, etc., which target the electronic devices and networks of an enemy state”

Richard Clarke, a U.S. government security expert, defines cyberwar as:
“Actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.”

Page 20

Cyber Warfare & Cyber Terrorism

Cyber Warfare and Terrorism is one of the fifteen modalities of UnRestricted Warfare (URW) also called asymmetric warfare.

Cyber Warfare & Terrorism
“The premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives. Or to intimidate any person in furtherance of such objectives.”

Source: U.S. Army Cyber Operations and Cyber Terrorism Handbook 1.02

Page 21

Cyberterrorism

Cyberterrorism is a phrase used to describe the use of Internet based attacks in terrorist activities, including acts of deliberate, large-scale disruption of computer networks, especially of personal computers attached to the Internet, by the means of tools such as computer viruses.

Cyber terrorism is generally understood as the crossing over of terrorism and cyberspace. This leads to unlawful attacks and threats of attacks against computers, networks and the info stored therein.

Page 22

What’s cyberterrorism

Controversial term!

First we need to clarify:

Terrorist use of the Internet v Cyber Terrorism

Page 23

Focus

THE INTERNET: AN ATTRACTIVE ARENA FOR TERRORIST PUBLICITY

The internet is an ‘informational weapon’ for terrorists, as it provides:
• Easy access
• A decentralised structure
• Little or no regulation, censorship, or other forms of government control
• Potentially huge audiences spread throughout the world
• Anonymity of communication
• Fast flow of information
• Inexpensive development and maintenance of web presence
• A multimedia environment (the ability to combine text, graphics, audio, video, and allow users to download films, songs, books, posters etc)
• The ability to shape coverage in the traditional mass media

Source: “www.terror.net: How Modern Terrorism Uses the Internet” by Prof. Gabriel Weimann

Page 24

Focus

TERRORIST PURPOSES IN USING THE INTERNET

• Data Mining (using the internet to collect intelligence)
• Training
• Fundraising
• Networking
• Recruitment and Radicalisation
  – The internet is an important source for discovering and grooming potential jihadists
• Publicity

Page 25

Focus

MAIN AREAS OF CYBER PRESENCE

• Mass media
• Official ‘jihadist’ websites
  – A well-designed and well-maintained Web site gives a group an aura of legitimacy and increasingly attracts attention from the mass media in and of itself
• Unofficial websites
• Forums and blogs
• Distributor sites
• Video sites
  – Youtube and liveleak

Page 26

Focus

OBJECTIVES OF ONLINE TERRORIST PUBLICITY

1. To wage psychological warfare (through terror) and advance a cause

Terrorists use internet publicity to:

• amplify panic
• spread fear
• facilitate economic loss (e.g. scaring away investment and tourism)
• make populations lose faith in their governments' ability to protect them
• trigger government and popular overreaction to specific incidents and the overall threat of terrorism

Page 27

Focus

OBJECTIVES OF ONLINE PUBLICITY

2. To gain sympathy and support of their cause

The Internet has significantly increased the opportunities for terrorists to secure publicity for their ideological causes and spread propaganda.

The Internet has become a virtual library of terrorist material, granting easy access to everything from political, ideological and theological literature, via fatwas and khutbas, to videos of assaults and attacks, and even video games.

Page 28

When does a computer attack become an act of terrorism or of war?

Information warfare, in information technology, is that series of actions aimed at exploiting, corrupting, wasting or destroying the information or information resources of the enemy in order to achieve a significant advantage, using the same weapon.

Page 29

Modern Weapons Economics

What does a stealth bomber cost? $1.5 to $2 billion

What does a stealth fighter cost? $80 to $120 million

What does a cruise missile cost? $1 to $2 million

What does a cyber weapon cost? $300 to $50,000

Page 30

Interesting Quote

NATO's cyber defense chief has warned that computer-based terrorism poses the same threat to national security as a missile attack. He went on to say that “Cyber war can become a very effective global problem because it is low-risk, low-cost, highly effective and easily globally deployable. It is almost an ideal weapon that nobody can ignore.”

Using this as a framework, we can put into context the evolving architecture for cyber weapons.

Page 31

How to build a cyber weapon: Cyber Weapons Design-1

Cyber Weapon – Delivery Vehicle

There are numerous methods of delivering cyber weapons to their targets. Emails with malicious code embedded or attached are one mechanism of delivery. Another delivery vehicle is web sites that can have malicious links and downloads. Hacking is a manual delivery vehicle that allows a cyber soldier to place the malicious payload on a target computer, system or network. Counterfeit hardware, software and electronic components can also be used as delivery vehicles for cyber weapons.

Page 32

Cyber Weapons Design-2

Cyber Weapon – Delivery Vehicle

Just as a navigation system guides a missile, it allows the malicious payload to reach a specific point inside a computer, system or network. System vulnerabilities are the primary navigation systems used in cyber weapons. Vulnerabilities in software and computer system configurations provide entry points for the payload of a cyber weapon. These security exposures in operating systems or other software or applications allow for exploitation and compromise. Exploitation of these vulnerabilities may allow unauthorized remote access and control over the system.

Page 33

Cyber Weapons Design-3

Cyber Weapon – Delivery Vehicle

The payload of a missile is sometimes called a warhead and is packed with some type of explosive. In a cyber weapon the payload could be a program that copies information off of the computer and sends it to an external source. It can also be a program that begins to erase or alter information stored on the system. Finally, it can allow remote access so that the computer can be controlled or directed over the internet. A “bot” (a component of a botnet) is a great example of a payload that allows remote use of the computer by an unauthorized individual or organization.

Page 34

Cyber Weapons Design-4

Cyber Weapon – Architecture

This three-element architecture demonstrates how advanced and sophisticated cyber weapons are becoming. The architecture creates reusability and reconfiguration of all three components. As one software or system vulnerability is discovered, reported and patched, that component can be removed and replaced while the other two components are still viable. This not only creates flexibility but also significantly increases the productivity of the cyber weapons developers.

Page 35

Recent events discussed in the media

• Cyber Attack on Estonia [April 2007]
  – sometimes referred to as “Web War 1”
  – sophisticated and large set of denial of service (DoS) attacks on Estonian parliament, banks, ministries, newspapers, other web sites
  – severe effect on above institutions for approximately three weeks
• Cyber Attack against Georgia [August 2008]
  – denial of service against gov’t web sites
  – concurrent with armed conflict
• Advanced Persistent Threat (APT) [December 2009]
  – (a.k.a. “Google war”)
  – “deep infiltration” of several technology providers
• Stuxnet [June 2010]
  – technically highly sophisticated “malware” that appears to target Iranian nuclear facilities

Page 36

Nearly every bank in the United States runs its operations on an internal network that connects to the Internet
Sandeep Junnarkar, CNET News, 2002

Estonia depended largely on the internet because of the country's "paperless government" and web-based banking. If these services are made slower, we of course lose economically
Mihkel Tammet, head of IT security at the Estonian defence ministry, 2007

The U.S. is increasingly dependent on "... the unimpeded and secure flow of technology.”
CIA Report, Cyber Threats and the US Economy, 2007

Hackers are intensifying their efforts to compromise social-networking sites using unsecure Web 2.0
Jon Swartz, USA TODAY, 2008

….repercussions go beyond the loss of personal data, security experts say. As more consumers are victimized, it could undercut their confidence in legitimate websites
Billy Hoffman, manager of Hewlett-Packard Security Labs

With global attacks on data networks increasing at an alarming rate, in a more organized and sophisticated manner, and often originating from state-sponsored sources, there is precious little time to lose.
Tim Bennett, president of the Cyber Security Industry Alliance, 2008

Several nations, including China and Russia, “have the technical capabilities to target and disrupt elements of the U.S. information infrastructure and for intelligence collection.”
Mike McConnell, Director of National Intelligence, during the Senate Intelligence Committee

…regarding counter-terrorism must be pursued “Information sharing with our allies and partners to support counter-terrorist operations overseas”;
The National Security Strategy of the United Kingdom - Security in an interdependent world

Page 37

“Cyber War” In Estonia, 2007

Page 38

Stuxnet

July 23 2010

The First Cyber Attack Specifically Targeting Control Systems

According to antivirus company Symantec Corp., Stuxnet looks for industrial control systems and then changes the code in them to allow the attackers to usurp controls of industrial equipment such as sensors, actuators, pumps, and valves without the operators knowing.

“Stuxnet searches for industrial control systems, often generically (but incorrectly) known as SCADA systems, and if it finds these systems on the compromised computer, it attempts to steal code and design projects,” Symantec explained. “It may also take advantage of the programming software interface to also upload its own code to the Programmable Logic Controllers (PLC), which are ‘mini-computers’, in an industrial control system that is typically monitored by SCADA systems.”

Very complex Windows-specific computer worm that infects computers and connected industrial control equipment (PLCs)

• First known worm to attack industrial infrastructure
• Spreads through USB thumb drives as well as network connections
• Utilizes four “zero-day” exploits
• Uses stolen valid security certificates
• Initial high rate of infection in Iran, specifically found at nuclear facilities

May be government (Israel, US, UK?) attempt to damage Iranian nuclear facilities

• Unclear if delay or damage actually occurred
• Worm has spread to many other countries (including large infection of Chinese systems)

Iran was prime target of SCADA worm
http://www.computerworld.com/s/article/9179618/Iran_was_prime_target_of_SCADA_worm

Page 39

Focus

SCADA: Why do I care?

SCADA systems are essentially the arteries of national infrastructure, the behind-the-scenes devices that make our day to day life convenient and safe. Any disruption could lead to major inconvenience, or even loss of life…

The dangers inherent in obscure or rustic SCADA architectures are very real, and no vendor or governmental body responsible for NCIs can afford to let a lack of communication be an excuse for passivity…

Page 40

VIDEO

Suki

Page 41

Focus

SCADA
• Supervisory Control And Data Acquisition

NCI
• National Critical Infrastructure

Other terms:
• ICS – Industrial Control Systems
• PCS – Process Control System - Also known as Distributed Control System (DCS)

SCADA Generations and Evolution:

1. Monolithic – Mainframe computing, limited to no connectivity.
2. Distributed – Proprietary networking technology led to increased efficiency and redundancy due to real-time information sharing and specialization of tasks.
3. Networked – Transition to modern, “open” networking standards such as IP (Internet Protocol) and the deployment of “thin clients” and web applications to facilitate operations.

Page 42

Focus

NCI Examples

Modern NCIs can be summarised as:

Food
• Agricultural and processing industry
• Food safety
• Food distribution

Water
• Drinking water treatment
• Wastewater management

Transportation
• Air
• Land (rail, roads)
• Marine

Page 43

Focus

NCI Examples

Modern NCIs can be summarised as:

Safety
• Chemical, biological, radiological and nuclear safety
• Hazardous materials
• Emergency services (police, fire, ambulance, etc)

Manufacturing
• Chemical industry
• Defense industrial base

Page 44

Cybersecurity: What we’re doing wrong

1) We tend to seek a “centralized” solution to what is a very multi-dimensional problem with hidden interdependencies.

2) Opacity – We are not enforcing enough transparency nor regulating the disclosure of data breaches.

3) We aren’t moving away from a purely technical view towards a global shared approach with Political Vision, Strategy, Policies and Standards.

Page 45

Cybersecurity: What we’re doing right

1) Public – Private Partnerships
2) Developing technical solutions.
3) Information exchange and awareness raising at various levels.

Page 46

Why cybersecurity partnership matters

• Public and private sectors need to share more information--more parties must be included and new platforms used.

• They must pay more attention to defending against attacks that threaten critical IT infrastructure and even damage physical facilities

• Much of the activity revolves around information sharing in key industries.

• Their collaboration must be ratcheted up to the next level--real-time identification and response as threats occur and, more to the point, "moving security practices from a reactionary posture to one that's proactive and pre-emptive"

Page 47

Example

Critical Infrastructure Protection in the US (1996-2010)

Page 48

Example

Critical Infrastructure Protection in Italy (2010)

• Information security is an integral part of the e-government 2010 plan

• 2010 - A Technical group was established, under the Presidency of the Council of Ministers, to “foster coordination at the national and international level with regard to critical infrastructures and its protection from cyberattacks”

• June 2009 - Centro nazionale anticrimine informatico per la protezione delle infrastrutture critiche (CNAIPIC)

• In 2007, the Bank of Italy approved a set of guidelines to ensure continuity for the main financial actors, in case of cyberattack.

Page 49

Creating a culture of security

Despite our best efforts over the years, we need a new, comprehensive doctrine and perspective to face the innovative threats.

Page 50

1. Towards a new Policy Framework

Recognise the Internet as a key infrastructure in addressing mainstream policy challenges (e.g. ageing, health, environment, globalisation…)

Reaffirm fundamental principles (e.g. privacy, security, policies to promote broadband access on fair terms and competitive prices…)

Recognise the Internet as an agent of change and foster an enabling environment so that it can make positive contributions

Page 51

2. Building Confidence

The Internet reflects the real world – shapes it and is shaped by it – and has a dark side. Confidence and trust in the Internet and about its vulnerability to events, both accidental and malicious.

Issues:
• Multilateral efforts to ensure the security and integrity of the Internet have been limited
• We need to embed privacy protection in the design of applications and devices (social networking sites; profiling and advertising; geolocation; sensors and RFID)
• We need to identify and enforce the rights and obligations to protect digital identity

Security Considerations: (i) technical – diffusion of traffic rather than optimisation of traffic for DoS; security of connection (SSL) vs. authentication of content; use of virtual machines (ii) social – co-operation to protect availability, integrity, confidentiality (security)

Protect and inform consumers, redress and enforcement of consumer protection measures, including across jurisdictional borders

Rising concerns regarding “cybersecurity”.

Page 52

3. Public-Private Partnerships (PPP)

To emphasize: Both the private sector and the public sector have crucial roles to play. The private sector leads, the government enables.

It is important that both agree and are aware of their respective roles.

Page 53

International cooperation

The European Convention on cybercrime

• The Council of Europe’s Convention on Cybercrime was opened for signatures on the 23rd of November 2001.

• In January 2003, an additional Protocol was adopted, concerning the criminalization of acts of racism and xenophobia committed through computer systems. This protocol has not been signed by several states and has not yet entered into force.

• At the present time, 46 States among Member and non-Member States of the Council of Europe have signed the Convention

• Italian ratification: 2008

Page 54

October 2008

Why Council of Europe Convention on cybercrime?
• The only multilateral treaty dealing with cybercrime matters already implemented in many countries while others are taking into consideration to become Party
• A guideline for drafting the legislation on cybercrime
• Provides important tools for law enforcement to investigate cybercrime
• Ensure adequate protection of human rights and liberties according to the relevant international documents
• Flexible mechanisms to avoid conflicts with national legislations and proceedings

CC provides for countries:
• Coherent national approach to legislation on cybercrime
• Harmonisation of criminal law provisions on cybercrime with those of other countries
• Legal and institutional basis for international LE and judicial cooperation with other parties
• Participation in the Consultations of the Parties
• The treaty as a platform facilitating public-private cooperation

Convention provides global standards and a framework for an effective fast international cooperation

Source: COE

Page 55

What needs to be done next: Legal

• Develop international law to accommodate cyber warfare offensive and defensive activities, thus making it operative for the cyber age.

• In that regard, elaborate on the UN Charter in the direction of topical interpretations: Define Article 2 armed attack and Article 51 limits of self-defense, define the concept of cyber weapon, define operational modes for Chapter VII action in case of cyber attack, develop and analyze scenarios of cyber war and cyber terrorism with a view to their legal consequences.

• Drawing upon NATO’s Strasbourg/Kehl Summit Declaration, and previous NATO work in analyzing gaps in the international legal framework with respect to collective response, develop proposed amendments to NATO Treaty definitions of armed attack and territorial integrity and clarification of collective responses to accommodate collective cyber activities, self defence actions, and communication requirements.

• Encourage the ratification of the Council of Europe Convention on Cybercrime (“Convention”) and internal implementation by signatory states, and, where this does not obtain, encourage the harmonization of cybercrime laws (substantively and procedurally) around the globe consistent with the Convention and the cybercrime laws enacted in developed nations.

Page 56

What needs to be done next: Technical

• Develop enterprise level security metrics so security progress can be measured

• Enable time-critical system availability and resiliency across distributed systems.

• Improve the ability to track and trace cyber communications to enable source identification (accountability) and use of digital assets by technical means

• Improve transparency of network operations to enable visibility of activities, knowledge of status of operations, and identification of issues as a diagnostic tool to enhance security.

• Develop digital identification mechanisms to protect and advance the interconnection of devices, information, and networks.

• Address the security challenges of mobile/wireless systems. The widespread and exponential deployment of such devices and systems presents security challenges in and of themselves and the risks they present to interconnected systems and devices.

Page 57

It’s a Collective Effort: Example

• Shared datasets
• Red Teaming
• System stress tests
• Shared common problem to tackle…

• New models of engagement
• Sustained investment models
• Lightweight submission and reporting…

[Diagram: ecosystem of Academia, Industry and Government]

Page 58

“The pursuit of peace and progress cannot end in a few years in either victory or defeat. The pursuit of peace and progress, with its trials and its errors, its successes and its setbacks, can never be relaxed and never abandoned.”

Dag Hammarskjold, UN Secretary-General, 1953 - 1961

Page 59

Q&A

Only by joining forces and bringing together our strategic capabilities will we be able to address current and emerging cyberthreats!

