Transcript
Page 1: Dr Craig S Wright Global Institute for Cyber Security: How cyber terror and cyber espionage will change the face of SCADA in the coming decade

Who is out there? Securing your system from future security threats

Presented by: Dr. Craig S Wright GSE LLM, Exec VP Strategy

Page 2

Craig S Wright School of Computing and Mathematics

Charles Sturt University, NSW 2678

Who is out there?

Securing your system from future security threats

Melbourne

Page 3

Outline

•  We look at the economics associated with botnets.
•  This research can be used to calculate territorial sizes for online criminal networks.
•  We look at the decision to be territorial or not from the perspective of the criminal bot-herder.
•  This is extended to an analysis of territorial size.
•  The criminal running a botnet seeks to maximize profit.

Page 4

SCADA Vulnerabilities

•  As we know…
•  Supervisory Control And Data Acquisition (SCADA) systems are the computers that monitor and regulate the operations of most critical infrastructure industries.

Page 5

Background

•  Criminals defend territories in cyberspace.
•  Several different territorial strategies exist for criminal groups running botnets. Each of these strategies has different benefits and costs associated with them and several of them are independent of the others.
   – high-value targets (including the exfiltration of data)
   – whereas others involve the use of large numbers of systems to amplify low value transactions (including SPAM transmission and DDOS attacks)

Page 6

A cost-benefit analysis of criminal territory in cyber compromises

Page 7

The costs of acquiring resources

The first cost aspect of creating a criminal territory results from the initial acquisition cost:

•  Research,
•  Reconnaissance,
•  Scanning,
•  Exploitation,
•  Maintaining access, and
•  Covering tracks.

Page 8

The costs of defending resources

Once a system has been acquired it needs to be defended and exploited by the cyber-criminal.

•  Any system that is not adequately defended by the attacker will eventually become a lost resource
•  Behavior of cyber-criminals may be influenced by need to maintain access to compromised systems, scan for new systems, defend territories, defend C&C servers, and so on.

Page 9

A model of territorial cybercrime

The necessity of defending a territory requires time and resources.

•  The economic viability of each of these platforms varies from large collections of low-value hosts through to targeted high-value platforms
•  The advantages of a particular model will vary based on the ability of the attacker to maintain that system once it has been acquired.

Page 10

Superterritories

The notion of superterritories (Verner, 1977) can be used in modelling criminal behaviour in the creation of large-scale botnets.

Page 11

The overall size of criminal territory results from a compromise between the following factors:

– Acquisition needs,
– Resource maintenance needs,
– Defence costs,
– Predation pressure.

Each of these factors comes with an economic cost.

Criminal territories can be modeled as different ecosystems.

Page 12

Assessing cyber security risks through conducting vulnerability analysis

•  Information security is a risk function.
•  Knowing the risk means coming to understand both the threat agents as well as the systems we are defending

Page 13

Economic issues that arise from risk

•  Economic issues that arise due to an inability to assign risk correctly.

•  Externalities restrict the development of secure software

•  The failure of the end user to apply controls makes it less probable that a software vendor will enforce stricter programming controls

Page 14

What is the real cost of ignoring the cyber risks?

•  Cyber-criminals are rational
•  They go where the profit is greatest
•  If you ignore the risk, others will not

Page 15

Developing and implementing mitigation strategies to strengthen highest data security

•  Security never goes away
•  More and more, we are going online
•  Each day, more information will be transmitted
•  More critical data will be stored in the “cloud”

Page 16

Rational Choice Theory

•  Rationally opting for the insecure alternative:

•  Negative externalities and the selection of security controls

•  Relative computer security can be measured using six factors

1. What is the importance of the information or resource being protected?

2. What is the potential impact, if the security is breached?

3. Who is the attacker likely to be?

4. What are the skills and resources available to an attacker?

5. What constraints are imposed by legitimate usage?

6. What resources are available to implement security?

Page 17

No Absolutes

•  Security is a risk function.
•  It is a game of cat and mouse
•  There is not, and cannot be, perfect security

Page 18

Continual monitoring and updating hardware resources to safeguard your system

•  Your systems are far from the only source of data
   – Think accountants
   – Think lawyers
   – Think partners

Page 19

What are your Assets worth?

•  If you are to engage in any risk exercise, you need to start thinking about what your assets are

•  This includes data, business process and more

Page 20

Economics rules in security

•  This generates a measure of relative system security in place of the unachievable absolute security paradigm that necessarily results in a misallocation of resources.

Page 21

Three areas to be concerned with

•  The three concerns that make us vulnerable are:
   – Human
   – Design
   – Software

• Only when we address each of these will we make headway

Page 22

It is about good practice

•  I will never know all the consequences of what I do or don’t do.

• Maybe you will be lucky, but the chances are increasing that you will be compromised

Page 23

Zero risk is not practical

•  Risk cannot be completely removed
•  You have to accept some risk

Page 24

Don't spend a $million to protect a cent

•  Always consider the value of the assets that you are defending
•  Look at the number of attacks (you are measuring this, aren’t you?)
•  Know your threats

Page 25

Outliers can be predicted

•  Some systems are well configured and patched.
•  Others are terrible
•  It all depends on what is audited

Page 26

Better managed systems survive

•  Displayed above we have a plot of the survival time against automated processes (green) overlaid with that of manual processes (red).

Page 27

Conclusion

•  Before we invest our valuable resources into protecting the information assets it is vital to address concerns such as the importance of information or the resource being protected, the potential impact if the security is breached, the skills and resources of the attacker and the controls available to implement the security.

Page 28

Conclusion

The overall size of criminal territory results from a compromise between the following factors:

•  Acquisition needs,
•  Resource maintenance needs,
•  Defence costs,
•  Predation pressure

Page 29

An afterthought

•  Information Security cannot be an afterthought

• Only in building security into the system from the start can we maintain it effectively

Page 30

Thank you

