cyber attack

Week2.ppt


Copyright © 2012, Elsevier Inc. All Rights Reserved

Chapter 1

Introduction

Cyber Attacks

Protecting National Infrastructure, 1st ed.


The University of Adelaide, School of Computer Science


Chapter 2 — Instructions: Language of the Computer


Chapter 1 – Introduction

Introduction

  • National infrastructure
    • Refers to the complex, underlying delivery and support systems for all large-scale services considered absolutely essential to a nation
  • The conventional approach to cyber security is not enough
  • A new approach is needed
    • Combining the best elements of existing security techniques with the challenges that face complex, large-scale national services

Fig. 1.1 – National infrastructure cyber and physical attacks

Fig. 1.2 – Differences between small- and large-scale cyber security

National Cyber Threats, Vulnerabilities, and Attacks

  • Three types of malicious adversaries:
    • External adversary
    • Internal adversary
    • Supplier adversary

Fig. 1.3 – Adversaries and exploitation points in national infrastructure

National Cyber Threats, Vulnerabilities, and Attacks

  • Three exploitation points:
    • Remote access
    • System administration and normal usage
    • Supply chain

National Cyber Threats, Vulnerabilities, and Attacks

  • Infrastructure is threatened by the most common security concerns:
    • Confidentiality
    • Integrity
    • Availability
    • Theft

Botnet Threat

  • What is a botnet attack?
    • A remote collection of compromised end-user machines (usually broadband-connected PCs) is used to attack a target.
    • Sources of attack are scattered and difficult to identify
  • Five entities comprise a botnet attack: botnet operator, botnet controller, collection of bots, botnet software drop, botnet target

Botnet Threat

  • Five entities that comprise a botnet attack:
    • Botnet operator
    • Botnet controller
    • Collection of bots
    • Botnet software drop
    • Botnet target
  • Distributed denial of service (DDoS) attack: bots create a “cyber traffic jam”

Fig. 1.4 – Sample DDOS attack from a botnet

National Cyber Security Methodology Components

  • Ten basic design and operation principles:
    • Deception
    • Separation
    • Diversity
    • Commonality
    • Depth
    • Discretion
    • Collection
    • Correlation
    • Awareness
    • Response

Deception

  • Deliberately introducing misleading functionality or misinformation for the purpose of tricking an adversary
  • Computer scientists call this functionality a honeypot
  • Deception enables forensic analysis of intruder activity
  • The acknowledged use of deception may be a deterrent to intruders (every vulnerability may actually be a trap)

Fig. 1.5 – Components of an interface with deception

Separation

  • Separation involves enforced access policy restrictions on users and resources in a computing environment
  • Most companies use enterprise firewalls, which are complemented by the following:
    • Authentication and identity management
    • Logical access controls
    • LAN controls
    • Firewalls

Fig. 1.6 – Firewall enhancements for national infrastructure

Diversity

  • Diversity is the principle of using technology and systems that are intentionally different in substantive ways.
  • Diversity is hard to implement:
    • A single software vendor tends to dominate the PC operating system business landscape
    • Diversity conflicts with organizational goals of simplifying supplier and vendor relationships

Fig. 1.7 – Introducing diversity to national infrastructure

Commonality

  • Commonality (consistency) involves uniform attention to security best practices across national infrastructure components
  • The greatest challenge involves auditing
  • A national standard is needed

Depth

  • Depth involves using multiple security layers to protect national infrastructure assets
  • Defense layers are maximized by using a combination of functional and procedural controls

Fig. 1.8 – National infrastructure security through defense in depth

Discretion

  • Discretion involves individuals and groups making good decisions to obscure sensitive information about national infrastructure
  • This is not the same as “security through obscurity”

Collection

  • Collection involves automated gathering of system-related information about national infrastructure to enable security analysis
  • Data is processed by a security information management system.
  • Operational challenges:
    • What type of information should be collected?
    • How much information should be collected?

Fig. 1.9 – Collecting national infrastructure-related security information

Correlation

  • Correlation involves a specific type of analysis that can be performed on factors related to national infrastructure protection
  • This type of comparison-oriented analysis is indispensable
  • Past initiatives included real-time correlation of data at a fusion center
  • This is difficult to implement

Fig. 1.10 – National infrastructure high-level correlation approach

Awareness

  • Awareness involves an organization understanding the differences between observed and normal status in national infrastructure
  • Most agree on the need for awareness, but how can awareness be achieved?

Fig. 1.11 – Real-time situation awareness process flow

Response

  • Response involves the assurance that processes are in place to react to any security-related indicator
  • Indicators should flow from the awareness layer
  • The current practice in smaller corporate environments of reducing “false positives” by waiting to confirm disaster is not acceptable for national infrastructure

Fig. 1.12 – National infrastructure security response approach
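Added example (not from the slides or the book): a toy Python pipeline that strings together the Collection, Correlation, Awareness and Response principles above and applies them to the botnet DDoS pattern from the Botnet Threat slide, a traffic jam at one target from many scattered sources. The log format, target names, and the rate and source-count thresholds are assumptions.

```python
from collections import defaultdict
# Constructed sample log lines (not real data): "<minute> <source_ip> <target>" from several sensors.
BASELINE_LOG = """\
1 10.0.0.5 portal
1 10.0.0.6 portal
2 10.0.0.5 portal
2 10.0.0.7 billing
3 10.0.0.6 portal
3 10.0.0.8 billing
"""
OBSERVED_LOG = """\
9 203.0.113.1 portal
9 203.0.113.2 portal
9 203.0.113.3 portal
9 203.0.113.4 portal
9 203.0.113.5 portal
9 203.0.113.6 portal
9 10.0.0.7 billing
"""
def collect(log):
    """Collection: parse raw lines into (minute, source, target) records."""
    return [(int(m), s, t) for m, s, t in (ln.split() for ln in log.splitlines())]

def correlate(records):
    """Correlation: per target, requests per active minute and distinct sources."""
    stats = defaultdict(lambda: {"hits": 0, "minutes": set(), "sources": set()})
    for minute, src, dst in records:
        stats[dst]["hits"] += 1
        stats[dst]["minutes"].add(minute)
        stats[dst]["sources"].add(src)
    return {dst: (s["hits"] / len(s["minutes"]), len(s["sources"])) for dst, s in stats.items()}

def awareness(baseline, observed, rate_factor=3.0, min_sources=5):
    """Awareness: compare observed status with normal; the thresholds are assumptions."""
    indicators = []
    for dst, (rate, sources) in observed.items():
        base_rate = baseline.get(dst, (0.0, 0))[0]
        # Many scattered sources jamming one target is the botnet DDoS pattern.
        if rate >= rate_factor * max(base_rate, 1.0) and sources >= min_sources:
            indicators.append({"target": dst, "rate": rate, "base": base_rate, "sources": sources})
    return indicators

def respond(indicators):
    """Response: act on every indicator at once instead of waiting to confirm damage."""
    return [f"rate-limit {i['target']}: {i['rate']:.0f}/min vs baseline {i['base']:.1f}, "
            f"{i['sources']} sources" for i in indicators]
if __name__ == "__main__":
    actions = respond(awareness(correlate(collect(BASELINE_LOG)), correlate(collect(OBSERVED_LOG))))
    print("\n".join(actions) or "no indicators")
```

Running the block reports the portal target (6 requests in one minute from 6 sources against a baseline near 1.3 per minute) while the billing target, whose observed traffic matches its baseline, produces no indicator.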

Implementing the Principles Nationally

  • Commissions and groups
  • Information sharing
  • International cooperation
  • Technical and operational costs