fragile web
Post on 08-Apr-2018
8/7/2019 fragile web
http://slidepdf.com/reader/full/fragile-web 1/5
68 comms SECURITY
Fragile web
As society becomes reliant on the Internet, the need to secure it has grown urgent. But the vulnerability of cyberspace may be intrinsic, writes David Sandham
Communications networks underpin modern society like the nervous system of a living organism. The public switched telephone network, the Internet, VoIP, cable television, submarine cables, and satellite communications form the major information pathways that keep society functioning.
This system is under daily attack. Viruses, unauthorised access, security breaches, spam, phishing, illicit electronic surveillance, denial of service attacks and cyber terrorism are on the increase. The very interconnectedness that the modern world depends upon has become one of its major weaknesses. Recent events illustrate the threat to commercial and government networks, and the information that flows over them.
“I’m not sure that most law-abiding citizens understand the magnitude of the threat from cyber-criminals,” says Colonel Gary A McAlum, formerly Chief of Staff, Joint Task Force for Global Network Operations at the US Strategic Command, who recently joined Deloitte Touche Tohmatsu, a global financial services company. “There is a thriving cyber-crime market for personal and financial information.”
In March, thieves stole 4.2 million credit and debit card numbers from Hannaford and Sweetbay, supermarket chains in north east US and Florida, respectively. The cyber-criminals put software on computers to capture credit-card informa-
and led to about 1,800 frauds. Ironically, on the day it was discovered, Hannaford received a certificate saying it was fully compliant with the Payment Card Industry standard, which obliges retailers to encrypt data sent over publicly accessible networks, but not over private lines. Both supermarket chains thought they were safe. But the cyber-criminals intercepted unencrypted credit-card data as it travelled from shop tills to corporate servers, from where it would have been encrypted and routed to credit-card company servers for authorisation.
The extent of the problem is hard to measure, because reporting is largely voluntary. Victims of cyber-crime don’t like to discuss it, because hacked systems damage reputations and cost customers. The US Treasury Department has estimated the annual profits from cyber-crime at $105bn. “I believe that is on the low end,” says McAlum.
WAR
In addition to organised crime, there are other murky presences lurking in cyberspace: spies. Intelligence agencies, the shadowy groupings that assist them, and the military of several nations, are all interested in mining information from the networks of target countries.
“A significant amount of data [has been taken] from federal networks over the past few years. I don’t think we will ever know the true extent of how
is also a significant concern about the level of access obtained in some cases that would allow a potential adversary to become disruptive at a time and place of their choosing. This is a huge concern.”
Cyber skirmishes have already begun. In 1998 the Internet Black Tigers, a guerrilla organisation, flooded Sri Lankan embassies with 800 emails a day for two weeks.
The first cyber war between nations may have occurred last year, when the digital infrastructure of public institutions in Estonia, including the parliament, ministries, banks, newspapers, broadcasters and telecommunications companies, was attacked. Estonian networks were blasted with up to 90Mbit of traffic a second for up to ten hours. Most of the traffic was part of a distributed denial of service (DDoS) attack, in which a network of computers, perhaps one million strong, was hijacked and used to flood the Estonian networks with requests for services such as web-page transfers. The attacks happened after Estonia offended Russia by relocating a Russian Second World War memorial. The attacks originated from computers allegedly traced to Russia, but the Russian government has denied any involvement.
This year’s conflict between Russia and Georgia had a cyber-war component. DDoS attacks disrupted access to many Georgian websites
ENGINEERING’S GRAND CHALLENGE SECURE CYBERSPACE
‘There is concern about the level of access obtained that would allow an adversary to become disruptive at a time and place of their choosing’
‘We cannot secure cyberspace any more than we can completely secure the oceans or the airspace’
Colonel Gary A McAlum, Deloitte Touche Tohmatsu
The United States is also under continual attack. In a recent statement to Congress, Jim Lewis, of the Center for Strategic and International Studies, said: “Cybersecurity is now one of the most important national security challenges facing the US...this is not some hypothetical catastrophe. We are under attack and taking damage.”
More than 30 nations are now believed to have information warfare programmes. And individuals with technical expertise have found their power to disrupt their enemies transformed in cyberspace. In March 2000, a disgruntled Australian employee used the Internet to release one million litres of raw sewage into the river and coastal waters of Queensland. The same year, a university student in the Philippines created the ‘Love Bug’ virus, which caused damage estimated at up to $15bn world-wide – or about as much as a major hurricane disaster.
The problem is growing fast. Mikko Hyppönen, chief researcher at antivirus software company F-Secure Corporation, says: “We are now seeing tens of thousands of unique malware samples each
SOLUTIONS
The US National Academy of Engineering has recognised the importance of securing cyberspace by declaring it one of 14 Grand Challenges for Engineering, alongside issues such as providing energy from fusion, preventing nuclear terror and making clean water accessible to all. It is right to focus on the problem, especially because it cannot be overcome by a single approach. It’s just not that simple.
As Hyppönen says: “The power and growth of cyberspace is due to it being an open system. ‘Open’ doesn’t always equal ‘secure’. How can you secure cyberspace? Close it – but then you might also end up killing it.”
Complete solutions, even if they could be built, could have unwanted consequences. In today’s open cyberspace, anyone or anything can connect to the Internet. It might be possible to introduce controls that guarantee that all the endpoints in the network are known to be ‘safe’. But that would destroy the Internet as it is today, reducing it to a closed system.
The US government has proposed another solution using ‘key escrow’, in which information is handled under the same kind of public-key cryptography
spare key that they can use to decrypt any message they want. It’s the kind of ‘solution’ that holds the seeds of its own destruction – it wouldn’t be used by those it seeks to expose, and also raises tremendous civil liberties issues.
“Cyberspace cannot be secured 100 per cent without radical and fundamental changes in the architecture and implementation of governance models that would never fly,” says McAlum. “We cannot secure cyberspace any more than we can completely secure the oceans or the airspace.”
Toralv Dirro, security analyst at McAfee, says: “Because of its nature, cyberspace is very difficult, maybe even impossible, to secure. There is no real central instance controlling it, each country has different laws that apply, and it is growing at a rapid pace. The best hope is to make some vital parts as safe as possible, to allow business to be done in a reasonably secure manner, and to protect the users as well as possible.”
Dr Guy Bunker, chief scientist of security software and services company Symantec Corporation, says: “Cyberspace as we know it is, in some places, very insecure. So it is relatively simple for fraudulent behaviour to occur. We could secure it very rapidly, but that would shut it down for most people.”
ARMS RACE
Most experts agree that there is no single answer to securing cyberspace. Instead, think evolution. Think arms race. Progress will come by incremental improvements to many technologies.
The traditional model of cyber-security is to use a perimeter defence, the classic firewall. But perimeters often have holes. Today, a perimeter defence is seen as just one component of a multi-layered defence: it will not keep out a determined adversary, but reduces minor threats so that effort can be concentrated on more sophisticated exploits or insider threats
prevention systems run on a remote desktop or mobile laptop, protecting the machine wherever it goes. Instead of hiding behind the castle walls, and only being safe there, individual machines are given their own armour.
Cyberspace security has also become an active, rather than passive, discipline. Instead of a guard patrolling a perimeter fence, think of a roving investigator seeking out threats before they cause damage. Hackers are lured out of hiding by tempting them with ‘honeypots’ and ‘honey-clients’, apparently unprotected machines that can be used to detect threats. However, it takes two to make an arms race. Advanced viruses fight back by constantly changing their attributes to outwit security technology. Clever hackers learn to side-step honeypots.
Malicious software (malware) is becoming so prevalent that it is beginning to outnumber legitimate software. At that point, it is easier to create ‘white lists’ of legitimate software than to maintain the blacklists of malware. Hyppönen recommends a blend of whitelists and blacklists for best effect.
INTELLIGENCE
Fighting a war demands a good map of the battlefield. Symantec runs a Global Intelligence Network that has more than 40,000 sensors around the world and more than two million dummy email accounts – all of which are monitored all day, every day. Hundreds of millions of users contribute statistics on malware.
“This means that outbreaks can be readily spotted and contained,” says Bunker. “It also means that new virus or malware definitions can be quickly and effectively written and rolled out to prevent the infection spreading.”
McAlum would like to see more than just lots of sensors. “There are sensors all over the place and most feed back to a
The Russia/Georgia conflict was waged in cyberspace as well as in the streets
derivation of such a system,” he says. “What I’d like to see is more effort placed on capabilities that provide a holistic picture of the enterprise that is more than just an integration of existing views and [which] helps develop the risk picture based on current threats, vulnerabilities, and anomalous activities. And I think there needs to be a ‘cause-effect’ aspect that helps leadership understand the impact of actions they may take, for example blocking a port or disabling a service.”
Cyberspace will get more secure as software learns more about how we behave. Suppose an employee, who typically uses a company database to access individual customer records, suddenly looks at the top 1,000 customers: software could be written to highlight this anomaly. Or suppose an Internet user goes to a website he or she has not visited before: software could warn them that they may have misspelled the address, helping counter malware infections caused by downloads from web pages masquerading as popular sites. Dirro believes that behaviour-based technology is “very important, the next big thing”.
TRUST – BUT VERIFY
Companies today tend to rely on implicit trust to control access to their networks: employees are given a username and password and then expected to do the right thing. This will change. Companies will keep closer tabs on what their employees are doing and how they are doing it. Behaviour-based technology “can look at things such as typing speed or style as an additional means of authentication,” says Bunker.
Advanced reputation services may also help secure cyberspace. “Reputation-based technology helps people browse the Internet safely and engenders trust between consumers and businesses as well as
reputations can be inflated. Take an online auction seller who sells and promptly delivers 100 pencils at £1 each, gaining a great reputation. They then offer a car for £100,000, and abscond with the payment. The reputation system was perverted to abet the crime.
Systems will get smarter. “Neural networks and other artificial intelligence technologies have a place in learning what is good, bad or indifferent about networks and systems to help administrators make intelligent decisions to enable them to fix problems,” Bunker says.
But let’s not get carried away. A lot of progress can be made by getting on with the drudge work of implementing current security techniques. The Hannaford supermarket chain says that it has started encrypting customer credit-card data as soon as the card is swiped.
Other low-technology activity, such as creating information-sharing mechanisms between affected groups such as banks, who are notoriously shy about revealing their cyber-crime losses, could also help. Just locking equipment up can help a lot: laptop computers and PDAs are increasingly a target for thieves who want them as much for the value of the data they may carry as for what they might get by selling the hardware down the pub.
“In many cases, particularly when it comes to industrial espionage, employees of particular companies may be targeted for the opportunity to snatch a laptop,” warns McAlum. As the UK civil service is learning, you shouldn’t leave laptops on a train or put
chink in cyberspace’s armour – ordinary people and their ordinary working practices.
According to a study by Compuware, only 1 per cent of recent corporate data losses were due to hackers. The biggest culprits were negligent employees, with outsourcing and malicious employees being among the other causes of significant breaches. Worryingly, of the 1,112 practitioners surveyed, 79 per cent said their organisation had experienced at least one data breach.
Dirro of McAfee thinks that what’s needed to secure cyberspace for the long run is progress on many fronts, including technology, awareness, legal redress and human behaviour.
Given the complexity of the issue, is there any sign that we are winning the cyber-security war yet?
EXPLOITING WEB 2.0
Facebook is becoming increasingly popular as a target for virus attacks. Some Facebook users are currently receiving a message that appears to be from a ‘friend’. Upon clicking the link, they are redirected to an enticing video. The video will not play, and they are told they need to update Adobe Flash. It’s a virus.
If you lose your laptop, you could lose a lot more than just the hardware