3 On the Nature of Cybersecurity
Pages 29-52



From page 29...
... 3.1  ON THE TERMINOLOGY FOR DISCUSSIONS OF CYBERSECURITY AND PUBLIC POLICY In developing this report, the committee was faced with an unfortunate lexical reality -- there is no consistent or uniform vocabulary (never mind the conceptual basis) for discussions about cybersecurity and public policy.
From page 30...
... that action is intended to cause damage to or destruction of information stored in or transiting through that system or network and is effected primarily through the direct use of information technology. (This definition rules out the use of sledgehammers against a computer or backhoes against fiber-optic cables, although of course such actions can seriously disrupt services provided by the attacked computer or cables.)
From page 31...
... 3.2.1  Cyber Exploitation A cyber exploitation is an action intended to exfiltrate digitally stored information from parties that are not authorized to have access to it. To date, the vast majority -- nearly all -- of actual cyber incidents have been exploitations, and sensitive digitally stored information such as Social Security numbers, medical records, blueprints and other intellectual property, classified information, contract and bid information, and software source code have all been obtained by unauthorized parties.
From page 32...
... 3 Saabira Chaudhuri, "Cost of Replacing Credit Cards After Target Breach Estimated at $200 Million," Wall Street Journal, February 19, 2014, available at http://online.wsj.com/news/articles/SB10001424052702304675504579391080333769014. 4 Nate Anderson, "Webcam Spying Goes Mainstream as Miss Teen USA Describes Hack," Ars Technica, April 16, 2013, available at http://arstechnica.com/tech-policy/2013/08/webcam-spying-goes-mainstream-as-miss-teen-usa-describes-hack/.
From page 33...
... attacks began on a range of Estonian government Web sites, media sites, and online banking services.5 Attacks were largely conducted using botnets to create network traffic, with the botnets being composed of compromised computers from the United States, Europe, Canada, Brazil, Vietnam, and other countries around the world. The duration and intensity of attacks varied across the Web sites attacked; most attacks lasted 1 minute to 1 hour, and a few lasted up to 10 hours.6 Attacks were stopped when the attackers ceased their efforts rather than being stopped by Estonian defensive measures.7 The Estonian government was quick to claim links between those conducting the attacks and the Russian government,8 although Russian officials denied any involvement.9

A damaging or destructive attack can alter a computer's programming in such a way that the computer does not later behave as it should.
From page 34...
... Although botnets are known to be well suited to distributed denial-of-service attacks, it is safe to say that their full range of utility for adversarial operations in cyberspace has not yet been examined. 1 Mark Landler and John Markoff, "Digital Fears Emerge After Data Siege in Estonia," New York Times, May 29, 2007, available at http://www.nytimes.com/2007/05/29/technology/29estonia.
From page 35...
... 3.3  INHERENT VULNERABILITIES OF INFORMATION TECHNOLOGY Designing a completely secure, totally unhackable computer is easy -- put the computer into a sealed metal box, with no holes in the box for wires and no way to pass information (recognizing that computer programs are also a form of information) outside the box, and the computer system is entirely secure (see the left side of Figure 3.1)
From page 36...
... This fact underscores a basic point about most adversarial cyber operations -- the key role played by deception. Box 3.2 provides a simple example.
From page 37...
... as depicted in the top of Figure 3.2, and the proper Web page appears in a second or two as depicted at the bottom of Figure 3.2. In addition, the user also wants the display of the Web page to be the only thing that happens in response to his request -- exfiltrating the user's credit card numbers to a cyber criminal or destroying the files on the computer's hard disk are things that the user does not want to happen.
From page 38...
... , the corresponding page appears and can be read (bottom)
From page 39...
... [Figure 3.3 is a flowchart of the steps behind viewing a Web page. The user path runs: select ISP, boot computer, access ISP, run DHCP, select and install browser, obtain URL, extract DNS name, convert DNS name to IP, retrieve certificate, verify certificate, retrieve page, retrieve embedded elements, render page, view retrieved page. The provider path runs: design Web page, select hosting and VPN provider, DNS registrar and DNS provider, elect to use SSL, obtain merchant certificate, elect to use a CDN, set up secure page, Web page available. The ovals are the entities involved at each step: provider of hardware, provider of O/S, provider of browser, DNS registrar and DNS provider, certificate authority, CDN provider, server software and system operator, VPN provider, and all ISPs along the path.] FIGURE 3.3  Viewing a Web page, behind the scenes. SOURCE: David Clark, "Control Point Analysis," ECIR Working Paper, 2012, Telecommunications Policy Research Conference, available at http://ecir.mit.edu/index.php/research/working-papers/278control-point-analysis.
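The "retrieve certificate / verify certificate" step in Figure 3.3 is one of the control points at which the deception discussed in Section 3.3 can take place: a site that resolves and serves a page correctly can still be impersonated if the browser accepts a certificate that does not chain to a trusted authority, or one issued for a different name. The following Go program is an added example, not code from the report or from Clark's paper. It builds a toy trust store holding a single CA, issues a genuine certificate for www.example.com (an assumed host name), and shows how Go's standard x509 verifier rejects (a) a certificate for the same name issued by a CA the browser does not trust and (b) the genuine certificate when presented for a different host. All keys and certificates are generated in memory; nothing on the network is contacted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl under parent with parentKey and returns the parsed
// certificate plus the new subject key. A nil parent makes tmpl a
// self-signed root CA signed by its own freshly generated key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // example code: key generation failing is unrecoverable here
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate describes a root CA that is allowed to sign other certificates.
func caTemplate(name string, serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// leafTemplate describes a server certificate bound to one DNS name.
func leafTemplate(host string, serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// VerifyForHost is the browser-side check from Figure 3.3: does leaf chain to
// a root in the trust store, and is it valid for the host the user typed?
func VerifyForHost(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// IsUnknownAuthority reports whether err is the "no trusted issuer" failure.
func IsUnknownAuthority(err error) bool {
	var e x509.UnknownAuthorityError
	return errors.As(err, &e)
}

// IsHostnameMismatch reports whether err is the "wrong name" failure.
func IsHostnameMismatch(err error) bool {
	var e x509.HostnameError
	return errors.As(err, &e)
}

// Scenario holds the three outcomes: the genuine certificate, a look-alike
// issued by a CA the browser does not trust, and the genuine certificate
// presented for a host it was not issued for.
type Scenario struct{ Genuine, Rogue, WrongHost error }

const siteHost = "www.example.com" // assumed site name, not from the report

func RunScenario() Scenario {
	trustedCA, trustedKey := issue(caTemplate("Trusted Root CA", 1), nil, nil)
	genuine, _ := issue(leafTemplate(siteHost, 2), trustedCA, trustedKey)
	rogueCA, rogueKey := issue(caTemplate("Rogue CA", 3), nil, nil)
	rogue, _ := issue(leafTemplate(siteHost, 4), rogueCA, rogueKey)

	roots := x509.NewCertPool()
	roots.AddCert(trustedCA) // the browser's trust store holds only the trusted CA
	return Scenario{
		Genuine:   VerifyForHost(genuine, roots, siteHost),
		Rogue:     VerifyForHost(rogue, roots, siteHost),
		WrongHost: VerifyForHost(genuine, roots, "bank.example.com"),
	}
}

func main() {
	s := RunScenario()
	fmt.Println("genuine:   ", s.Genuine)
	fmt.Println("rogue CA:  ", s.Rogue)
	fmt.Println("wrong host:", s.WrongHost)
}
```

The rogue case is the one that matters for the deception point: the rogue certificate is well-formed, unexpired, and carries the right DNS name, so it looks identical to the genuine one at every step of the figure except the "verify certificate" step, where the chain fails to reach a root the browser trusts. If a compromised or coerced CA that the browser does trust had issued it, this check would pass, which is why the certificate authority is itself a control point.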
From page 40...
... 3.4  THE ANATOMY OF ADVERSARIAL ACTIVITIES IN CYBERSPACE Adversarial operations in cyberspace against a system or network usually require penetration of the system or network's security to deliver a payload that takes action in accordance with the intruder's wishes against the target of interest (e.g., against any of the entities shown in ovals in Figure 3.3)
From page 41...
... The canonical example of remote access is that of an adversary computer attacked through the access path provided by the Internet, but other examples might include accessing an adversary computer through a dial-up modem attached to it or through penetration of the wireless network to which it is connected. Malevolent actors are constantly searching for new computers on the Internet.
From page 42...
... One example of a supply chain attack occurred in 2008. According to The Telegraph, criminal gangs in China gained access to the supply chain for a certain line of chip-and-pin credit card readers.15 The gangs modified these readers to surreptitiously relay customer account information (including the security personal identification numbers)
From page 43...
... • An adversary intercepts a set of USB flash drives ordered by the victim for distribution at a conference and substitutes a different doctored set for actual delivery to the victims. In addition to the conference proceedings, the adversary places hostile software on the flash drives that the victims install when they plug in the drives.
From page 44...
... Social engineering can be combined with close access techniques in other ways as well. For example, users can sometimes be tricked or persuaded into inserting hostile USB flash drives into the USB ports of their computers.
From page 45...
... The red team scattered USB drives in parking lots, smoking areas, and other areas of high traffic. A program on the USB drive would run if the drive was inserted, and the result was that 75 percent of the USB drives distributed were inserted into a computer.17

Vulnerability

Access is only one aspect of a penetration, which also requires the intruder to take advantage of a vulnerability in the target system or network.
From page 46...
... National governments as well as nongovernment entities such as organized crime participate in markets to acquire zero-day vulnerabilities for future use. Last, both cyber exploitations and cyberattacks make use of the same penetration approaches and techniques, and thus may look quite similar to the victim, at least until the nature of the malware involved is ascertained.
From page 47...
... However, at the right moment, the program activates itself and proceeds to (for example) destroy or corrupt data, disable system defenses, or introduce false message traffic.
From page 48...
... For example, an intruder might use a particular access path and take advantage of a certain vulnerability to give himself remote access to the target computer such that the intruder has all of the privileges and capabilities that he might have if he were sitting at the keyboard of that computer. He is then in a position to issue commands of his own choosing to the computer, and such commands may well have a harmful effect on the target computer.
From page 49...
... 3.5  CHARACTERIZING THREATS TO CYBERSECURITY Malevolent actors in cyberspace span a very broad spectrum, ranging from lone individuals at one extreme to those associated with major nation-states at the other; all pose cybersecurity threats. Organized crime (e.g., drug cartels or extortion rings)
From page 50...
... High-end adversaries -- and especially major nation-state adversaries -- are also likely to have the resources that allow them to obtain detailed information about the target system, such as knowledge gained by having access to the source code of the software running on the target or the schematics of the target device, or through reverse engineering. Success in obtaining such information is not guaranteed, of

BOX 3.4 The Advanced Persistent Threat

Discussions of high-end cybersecurity threats often make reference to the "advanced persistent threat (APT)
From page 51...
... To support this broad range of malevolent actors, there is a thriving and robust underground marketplace for hacking tools and services. Those wishing to conduct an adversarial operation in cyberspace can often purchase the service with nothing more than a credit card (probably a stolen one)
From page 52...
... A threat assessment sheds light on adversary capabilities and intentions. ("Adversary" in this context can refer to more than one potentially hostile party.)

