
Friday, March 23, 2018

cybersecurity notes

Conquest libicki
“The real impetus is that the more cyberspace is critical to a nation’s economy and defense, the more attractive to enemies is the prospect of crippling either or both via attacks on or through it.” 1
The term cyberspace was coined in William Gibson’s classic 1984 novel Neuromancer 5
4 tenets of cyberspace
  1. Cyberspace is a replicable construct
  2. There has to be a master set of rules for any given space
  3. Some mechanisms and systems across different forms of cyberspace are persistent
  4. There are three layers to cyberspace, and the conquest of each has vastly different meaning
    1. Physical - Only as effective as infrastructure is difficult to replicate 8*
    2. Syntactic layer - If my knowledge of rules is greater than yours, I may be able to get machines to do what I want even if you physically control them
    3. Semantic layer - information critical to humans or connected devices. Control of this layer may allow me to change the way you perceive reality
“Since the 1990s, … actions in [cyberspace] have been considered part of a broader topic, information warfare.” 11
Five types of information warfare are currently in use, and two are hypothetical:
  1. Command and control warfare
  2. Intelligence-based warfare
  3. Electronic warfare
  4. Psychological operations
  5. Hacker warfare
  6. Economic and information warfare
  7. Cyberwarfare
16-17

Shift from warfare to operations in terminology to describe activities that could occur during peacetime within the military adopted in 1996
The anglo-saxon clarity of warfare should not be mistaken as lost in the change of terminology 17

“In the early 1990s, victims of most computer viruses acquired them by booting them up from an infected floppy disk”
Three waves followed: macro viruses, worms, and viruses specific to PDAs and digital telephones 18

Information can be destroyed or degraded. Duplication can avoid destruction, while a proclivity for misleading information can degrade the value of stealing information 20-1

Information used to manage information can have value, such as protocols, programs, or files on system management. Attacks on information and on information systems are distinct entities: content and management 22

Unlike physical operations, cyber operations are much more likely to result in a stalled or non-operating system than in an operating system under false commands, because computers are very effective at recognizing false information 27 -- this is where syntactic control is important

The intent and legal treatment of computer network attacks (hacking) and exploitation are different, though the mechanisms and skills required for each are similar. “Destruction of information is more likely than eavesdropping to be perceived as an act of war” 29

To compare a nuclear threat to a cyberthreat is like comparing a firestorm to a snowstorm: different cities have different resiliencies to snowstorms but not to firestorms; snowstorm costs are greater but distributed; and the negative effects of a snowstorm are for the most part temporary, while firestorms leave permanent damage. 39
One major break in this analysis is that nuclear warfare is real and has happened, while a large-scale cyberattack has not yet been experienced in wartime 41

Information Warfare against Command and Control


Assessing War
Assessing cybersecurity
  1. Cyber damage assessment in battle
  2. Relative Strength of our own cyberforces as advantage

Vulnerabilities: in the context of pre-existing conditions, systems, architectures and definitions
Impacts: effects on cybersystems and on those dependent on them
Likelihoods: chances that an attack is initiated × chances that an attack is realized once initiated
267


Effects of cybersecurity breach
Operational effects
Monetary losses
Reputational effects
270

A risk estimate may be prepared as a vector of scores 274

Law of Armed Conflict (LOAC)
Civilian cyber targets in a conflict zone may be OK; some opponents may not follow LOAC 278
Russian partisans in Georgia
Aggressive cyber attacks
Defaced websites
Interruption of internet connection
-- LOAC prohibits participation of partisans in warfare without direct state control

UN Charter and LOAC apply to cyberspace 281
>> Tallinn Manual

McAfee detected 100k new malware samples per day in 2012 282

Surviving cyber War
Victoria’s Secret DDoS

Don’s Best Sports: private defense against DoS:
  1. Robust Servers
  2. High levels of Bandwidth
63

Spurious BGP as DoS attacks: Youtube in Pakistan 70


@War
“Reachback” -> synthesis of tactical and strategic intelligence, developed after the “Prophet” intelligence machinery, designed for Korea, proved ineffective against a decentralized enemy such as those found in the Middle East.

Monday, August 28, 2017

Collective Cyber Defence

Collective Cyber Defence - A State and Industry Perspective.

Notes on Professor Dr. Marco Gercke, Director of the CyberCrime Research Institute
by Paul Fischer

under international criminal law
Misconception no prosecution occurs
Critical standpoint against int. Law
e.g. drone attacks
Currently unprotected, they will be. /
Is a cyber attack an act of war?
The cyber world has changed dramatically
No longer the sole domain of the military and other government organizations
It will be prosecuted as a matter of criminality
We are creating our own weapons as governments which will not be able to be once they retire or leave gov. Service
NATO independent states, instead of working on our own in the cyber world we work together, this can be difficult, there is an idea we can learn from.
Now it is time to think like a criminal
They are sharing knowledge free of charge, about cybersecurity attacks
Tools are also being distributed free of charge. Only the developers need to be smart, many criminals simply hit a button.
What is shared among states and industries is very limited.
CIO in an example refused to share information about another company at first even when one was contracted by both companies.
Distribution, or otherwise for virus distribution, is a serious crime, but no company reports this. The state is unable to do anything about it, and it may harm the image of the company if made public
This changed two years ago, and big companies began to stand up and say, we have a problem, we have been hacked.
States still do not engage in this behavior.
We are blind until you don’t report it, forcing people, to report, is coming up in Brussels and in Washington, under the Obama administration.
2 ways, report analysis and big data
The question arises about what to do with big data.
The state still does not have the power to protect, so the big data would need to shared with industries powerful enough to offer protection.
Necessity to discuss and to exchange information in the same way the criminals currently are.
Discussion of realtime exchange about attacks.
Prioritization of data sharing, this could be real.
The next step is making sure the companies work together in the defensive
Not every company could build the cyber machine for defense, opinion that cloud computing creates a big problem. The Patriot Act as an example that gives certain government agencies access to the data on your servers where otherwise it would not have that data.
In the industry there is a discussion to reduce the military expenditure but to pool resources more effectively
Let’s apply this to the states as well. Borders and infrastructure may be protectable by states, but the people cannot be protected in cyberspace by the state alone.
Change is the only constant we have, but more cooperation is expected.
Transparency can be tough…
… governments are realizing that information will anyway leak, but it is better to have a straightforward process by which that information is disseminated.
Beyond NATO more states are more concerned about sharing standards and technology. States are not yet ready to talk the same language in strategies. We need to carefully move in this direction.

German membership to a convention changed the meaning of the international convention entirely. Translation issues and technological obsoletion created negative outcomes.

We should not stop. The development of the 3D printer is a beautiful thing, but it has been used to print guns and other things. That does not mean development should have been impeded.

Thursday, July 20, 2017

Notes on Eric Fischer: Federal Legislation of Cybersecurity

Necessity to change the current legislative framework for cybersecurity
Role of the federal government complex.
sector specific responsibilities
individual federal agency demands pertaining to various systems

Currently 50 statutes in place but no overarching framework
infrastructure, private
sharing of CI among private and gov
DHS authorities for federal systems
workforce
R and D
cybercrime law, data breach notification and defense related cybersecurity

Several attempts to enact comprehensive legislation have failed.

Passage in the house but not the senate led to reform FISMA and DHS workforce and information sharing inadequacies

The continuing evolution of technology and threat environments has created a scenario in which legislative reform is necessitated

Enacted statutes currently only allow federal involvement in securing federal and non-federal systems in specific statutes, but without an overarching framework mentioned above.
Counterfeit Access Device and Computer Fraud and Abuse Act of 1984
electronic comm privacy act of 1986
the computer security act of 1987
paperwork reduction act of 1995
Clinger-Cohen Act of 1996 - CIO and responsibility burdens placed in the hierarchy for information security, mandatory standards
the homeland security act of 2002 
cybersecurity research and development act
the e-government act of 2002 - primary legislative vehicle for federal IT management and initiatives to make information and services available online
the federal security management act of 2002 clarification and amplification, federal incident center, redistribution of responsibilities

40 other laws include provisions relating to cybersecurity

Executive branch actions
NIST in the department of commerce > cybersecurity standards promulgated by OMB and prosecuted/enforced by DOJ
US Cyber Command > responsibility for military cyberspace operations
Comprehensive National Cybersecurity Initiative (2008)
12 subinitiatives declassified in 2010: consolidation of external access points to federal systems, deploying intrusion detection and prevention systems, research coordination, info sharing, and education… mitigation of risks from the global supply chain for info tech

“cyber czar” - created in 2009 to orchestrate federal cybersecurity activity, no direct control over budgets, NSA is argued to pre-empt

FISMA gives OMB authority to automate continuous monitoring of federal info systems by agencies in April 2010, delegated a few months later to the DHS
Within 2 years an interagency program called FedRAMP was established for cloud-computing cybersecurity

Protection of cyber infrastructure
Information sharing, coordination
Responsibilities and authority
Reform of FISMA
research and Dev.
Cybersecurity workforce
Data breaches resulting in theft or exposure of personal data such as financial information
Cybercrime offenses and penalties
National cybersecurity strategy
International efforts


Discussion of proposed revisions
Posse Comitatus Act of 1879
Ch 263 20 stat. 152
18 U.S.C. §1385
Restricts use of military forces in civilian law enforcement unless it is within a federal government facility
Violations of the act include direct active use of military investigators, use of the military that pervades the activities of civilian officials, or use of the military so as to subject civilians to military power that is regulatory, prescriptive or compulsory in nature.

There are difficulties identifying when a cyberattack involves national defense
Some argue that defense of US information systems must be the purview of civilian agencies such as DHS and FBI due to privacy and civil liberty concerns unique to cybersecurity, even if the other option is more feasibly implemented

Anti trust laws
Sherman Antitrust Act
Wilson Tariff Act
Clayton Act
Section 5 of the Federal Trade Commission Act - prohibits unfair and deceptive trade practices

These are relevant to cyber law reform because any sharing of information will give companies an edge to compete unfairly with one another.

National Institute of Standards and Technology Act

Federal Power Act
Authority over interstate sale and Transmission of electric power
Must change in light of the development of smart-grid systems

Communications act of 1934
FCC - all wired and wireless communications
Presidential authority to control all stations capable of emitting EM radiation
To close such facilities as well.
This could be considered an internet kill switch interpreted directly (section 706), there has been considerable debate about whether such an authority exists, or whether further authority needs to be meted through legislation to clarify and delimit

National security act of 1947
Created NSC CIA and Sec. of Def.
Procedures for access to classified information

US information and educational exchange act of 1948 (Smith-Mundt Act)
Domestic dissemination provision originally applied to the now defunct USIA

Restrictive to USIA, claimed to be a Cold War Relic to protect Americans from being propagandized by their own federal agencies.
State Department Basic Authorities Act of 1956
DoS org counterterrorism and HIV response efforts
Three exemptions in the act about withholding information pertain to cybersecurity:
Information properly classified for national defense or foreign policy purposes as secret, as established by an executive order
Data specifically exempted from disclosure by a statute, if that statute meets criteria laid out in FOIA
Trade secrets and commercial or financial information obtained from a person that is privileged or confidential

Omnibus Crime Control and Safe Streets Act of 1968
Federal grant programs and other forms of assistance to state and local law enforcement
Comprehensive and electronic eavesdropping statute outlawed both activities in general terms but permitted federal and state use of them under strict limitations

Racketeer Influenced and Corrupt Organizations Act (RICO)
Enlarges civil and criminal consequences of organized crime
Repeated recommendation to include computer fraud within the definition of racketeering.

Federal Advisory Committee Act 

Specifies the circumstances under which a federal advisory committee can be established and its responsibilities and limitations; requires that such meetings be open to the public and that records be available for public inspection

Privacy act of 1974
Limits disclosure
Requires transparency in cases pertaining to an individual
Code of fair information practices for collection management and dissemination of records by agencies including requirements for security and confidentiality of records

Counterfeit Access Device and Computer Fraud and Abuse Act of 1984
First incident of criminal penalties including asset forfeiture for unauthorized access and wrongful use of computers and networks of the federal government or financial institutions or in interstate or foreign commerce or communication
Criminalized electronic trespassing on and exceeding authorized access to federal government computers
Statutory exemption for intelligence and law enforcement activities


Electronic communications privacy act of 1986
Balance between the fundamental privacy rights of citizens and the needs of law enforcement
Internet was much smaller at the time of passage
Prohibition of the interception of wire oral or electronic communications unless an exception to the general rule applies
Prohibition of wiretapping or electronic eavesdropping
Disclosure of information secured through court-ordered wiretapping

Terrorism Risk Insurance Act of 2002
Risk provided for concrete losses during an act of terror, such as oil fields
Does not currently apply to cybersecurity, and modification may be appropriate

E-government act of 2002

Serves as the primary legislative vehicle to guide federal IT management and initiatives to make information and services available online

Friday, November 11, 2016

Steps to Secure and Map a Network

Paul Fischer
10/30/2016 revised: 11/11/2016
Kathleen Hyde


Jerry’s … Locked
Jerrys.media … Locked
MyCharterWiFi13-2G … Locked
MyCharterWiFiaa-2G … Locked and Inconsistent
MyCharterWiFiaa-5G … Locked
MyCharterWificb-2G … Locked
NETGEAR07 … Locked
NETGEAR47 … Locked
NETGEAR83 … Locked
NETGEAR83-5G … Locked



These networks are all locked. They have been mapped in this manner pursuant to a legal ruling by the Supreme Court of the United States of America in 2014 which allowed the Google Fi program to map all wireless networks in the country. It is apparent that several are standardized while at least two appear to be commercial and bear the name of a local establishment. The groupings of similar names may be part of family contracts with wireless companies, which often allow multiple modems or devices concurrent with and component to the original registered device.
There do not appear to be any communications between these networks, but evidence is not provided as to the nature of the networks. There may be a reference to the data communication extant in the devices, and to the speed and coverage of the networks which have been connected. The average speed of the networks surveyed came to 3G, while the average speed of constant (not fluctuating) networks was found to be 3.5G; these calculations also exclude the commercial connection.
To double check the results of this report, a search of the local region using Google Fi reveals that the connection guaranteed for wireless devices is 4G. One may speculate that another high speed device exists without detection, or that the sample is not large enough to provide a random group of devices or to determine the connection type possibilities of other local devices.


Steps a Security Firm Can Take to Protect Businesses From Cyber Attack

Security firms can be asked to help businesses with a number of different programs. Methods that can be used to fight cybercrime in the financial sector include the use of honeynets, defensive programs, or other structural changes to systems. A list of such programs (Montcalm, 6) follows, along with a comprehensive step-by-step guide to preventing a botnet program from entering a system.

Airmagnet
SnifferWireless
AiroPeek
The Wireless Security Auditor
Netstumbler
Kismet


Methods of Intrusion

In order to understand the needs of security it is first necessary to outline the means of infection (Gibbs, 3-4). Firstly, wormlike replication indicates an evasion of intrusion detection systems by scanning a subnet using bots; malware can then be selectively inserted and replicated into unprotected networks while avoiding those with protection. Secondly, infected media such as thumb drives and CDs/DVDs can be used in the event of a physical breach. Finally, watering holes are used to instigate drive-by downloads, in which undeclared downloads containing malware can insert code into a system.
While the first two are exceptionally useful against systems vulnerable to a physical breach or direct access, the last would be a concern only in companies with a high number of employees active on such “watering holes”, which might allow a critical mass of localized traffic to obtain objective information either through a general attempt or in conjunction with wormlike replication software. It is important to remember that none of the three main methods of infection are mutually exclusive, and the presence of one likely indicates that various forms of the others are either en route or have already been attempted.


IDPS systems of prevention

IDPS systems of prevention are recommended by the government and will be outlined in the following section (Scarfone, 23-26). In the same way that infection techniques can build upon one another, nearly all protection services recommended by the government guide to intrusion detection and prevention systems are sensors. There are multiple typical components to be aware of, which include appliance, software-only, inline, and passive sensor systems.
Ironically enough, passive sensor systems are indeed the most effective of the systems in protection against a botnet intrusion. As was mentioned earlier, one way that aggressive attacks can get through system protection services is by use of a reconnaissance program. Detection of these programs can be seen to be of paramount importance. An effective honeynet will use information from mining techniques that has been collected into a cross-plane correlation report, which allows both the types of machines and the types of activities, such as “spamming or scanning”, to be used in creating the architecture of a honeynet with individualized pots to catch the onflow of attacking programs (Gibbs, 17-24).

Steps which can be recommended to secure a wireless network in a business setting:
Detection: set up multiple forms of detection, not just one
- Mining-based detection
- C-plane monitoring
- DNS-based detection
- Anomaly-based detection approaches
- Network-based signatures

This final list indicates that the defense mechanisms outlined thus far are limited to reacting to a detected scanning or spamming attempt to reach command and control servers, which can pose a serious threat to computer resources. There is an intrinsic flow between a botnet and its vulnerable targets which must also be addressed to deactivate an attacker, and even after some command and control servers have been accessed, it may be necessary to include logging systems that can point toward the one-way flow of code which indicates the presence of a botnet master. Chasing these attempts against vulnerable targets across a number of systems does no good and only spreads company information and security resources thin, so signature-based approaches, with their low rates of false positives, decrease the chances that an alert or protective service will tip off intruders.
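The list above recommends layering several detection families rather than relying on one. The following is an added example, not code from the paper or from any of its references, of how three of those families (a network-based signature, DNS-based detection and an anomaly-based fan-out check) can be run together over a few constructed log lines; every indicator, threshold, address and domain in it is an assumption chosen for illustration.

```python
import math
from collections import defaultdict

# Constructed sample log lines (not real traffic):
#   "dns <host> <qname> <rcode>"  and  "flow <host> <dst_ip> <dst_port>"
SAMPLE_LOGS = """
dns 10.0.0.5 www.example.com NOERROR
dns 10.0.0.9 xk3qzpv7lwn2.com NXDOMAIN
dns 10.0.0.9 q8tz1mvbr4yp.net NXDOMAIN
dns 10.0.0.9 lp0wz5xq9rkt.org NXDOMAIN
dns 10.0.0.9 c2.bad-domain.invalid NOERROR
flow 10.0.0.9 198.51.100.1 445
flow 10.0.0.9 198.51.100.2 445
flow 10.0.0.9 198.51.100.3 445
flow 10.0.0.9 198.51.100.4 445
flow 10.0.0.9 198.51.100.5 445
flow 10.0.0.5 203.0.113.10 443
flow 10.0.0.7 203.0.113.20 6667
"""

# Constructed indicators and thresholds (placeholders, not threat intelligence).
SIGNATURE_DOMAINS = {"c2.bad-domain.invalid"}   # network-based signature
SIGNATURE_PORTS = {6667}                        # IRC, classic C&C channel
NXDOMAIN_MIN = 3        # DNS-based: failed lookups with DGA-like names per host
ENTROPY_MIN = 3.0       # DNS-based: bits per character of the first label
FANOUT_MIN = 5          # anomaly-based: distinct destinations on one port

def shannon_entropy(text):
    """Bits per character; random-looking algorithmically generated labels score high."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def detect(log_text):
    """Return {host: sorted detection reasons} for every host that trips a rule."""
    dga_hits = defaultdict(int)        # host -> NXDOMAIN answers for high-entropy names
    fanout = defaultdict(set)          # (host, port) -> distinct destination IPs
    reasons = defaultdict(set)
    for line in log_text.strip().splitlines():
        kind, host, target, extra = line.split()
        if kind == "dns":
            if target in SIGNATURE_DOMAINS:
                reasons[host].add("signature: known C&C domain")
            if extra == "NXDOMAIN" and shannon_entropy(target.split(".")[0]) >= ENTROPY_MIN:
                dga_hits[host] += 1
        elif kind == "flow":
            port = int(extra)
            if port in SIGNATURE_PORTS:
                reasons[host].add(f"signature: C&C port {port}")
            fanout[(host, port)].add(target)
    for host, n in dga_hits.items():
        if n >= NXDOMAIN_MIN:
            reasons[host].add("dns: NXDOMAIN burst with DGA-like names")
    for (host, port), dsts in fanout.items():
        if len(dsts) >= FANOUT_MIN:
            reasons[host].add(f"anomaly: scan-like fan-out on port {port}")
    return {h: sorted(r) for h, r in reasons.items()}

if __name__ == "__main__":
    for host, why in detect(SAMPLE_LOGS).items():
        print(host, why)
```

The host that trips all three rules is the one worth a logging and honeynet follow-up; a single rule firing (as for 10.0.0.7) is the kind of low-false-positive signature hit the paper prefers for alerting.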

References:

Gibbs, Peter (2014). Botnet Tracking Tools. https://www.sans.org/reading-room/whitepapers/detection/botnet-tracking-tools-35347

Montcalm, Erik (2003). How to Avoid Ethical and Legal Issues in Wireless Network Discovery. https://www.sans.org/reading-room/whitepapers/wireless/avoid-legal-issues-wireless-network-discovery-176

Scarfone, Peter (2012). Guide to Intrusion Detection and Prevention Systems. http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf