REGIONAL DEPARTMENT OF DEFENSE RESOURCES MANAGEMENT STUDIES

THE 8th EXPLORATORY WORKSHOP "INFORMATION SECURITY MANAGEMENT - IN THE 21ST CENTURY"

ISSN: 2286 - 2765 ISSN-L: 2286 - 2765

COORDINATOR: Professor Habil Ph.D. eng. CEZAR VASILESCU

National Defense University “Carol I” Publishing House Bucharest 2015

THE 8th EXPLORATORY WORKSHOP "INFORMATION SECURITY MANAGEMENT - IN THE 21ST CENTURY"

11 June 2015

Proceedings of the workshop unfolded during the

Information Security Management Course

Conducted by the Regional Department of Defense Resources Management Studies

25 May – 19 June 2015

Braşov ROMÂNIA


CONTENTS

1. LEGAL AND ETHICAL ASPECTS OF INFORMATION SECURITY AND PRIVACY - Carmen FLOREA (Romania)

2. ASPECTS CONCERNING TOR NETWORK IMPLICATIONS IN NATIONAL SECURITY - Marius GHEORGHEVICI (Romania)

3. SECURITY OVER PUBLIC INTERNET CHANNELS - Artem BAKUTA (Ukraine)

4. DIOFANTUS METHOD FOR DETERMINING THE PROBABILITY OF OCCURRENCE OF DAMAGE FOR BOUNDARY RISKS OF INFORMATION SECURITY - Vitalii BEZSHTANKO (Ukraine)

5. CYBERWAR-MYTH OR REALITY - Mircea TONCEANU (Romania)

6. HANDLING DESTRUCTIVE MALWARE - Denis-Nicolae FLORESCU (Romania)

7. INFORMATION SECURITY IN SWITZERLAND’S BANKS - Laura Maria SABOSLAI FOTIN (Romania)

8. STUDY ON THE PROTECTION MECHANISM TO SECURE INFORMATION EXCHANGE AND E-MAIL WITHIN AN INTRANET BASED ON PKI AND INFORMATION TECHNOLOGIES - Oleg CHIRILENCO (R. of Moldova)

9. OVERVIEW OF SECURITY IMPLICATIONS OF INTERNET OF THINGS IN MILITARY ORGANIZATIONS - Ștefan-Ciprian ARSENI (Romania)

10. SECURITY POLICIES AND AWARENESS IN THE SCHOOL ESTABLISHMENT - Sadraoui ROSTOM (Jordan)

11. SECURITY ISSUES AND KEY MANAGEMENT IN MANETs - Marin DUMITRANA (Romania)

12. ANATOMY OF A HACK - Suren OHANOV (Armenia)

13. INFORMATION SECURITY MANAGEMENT IN AN E-GOVERNMENT ENVIRONMENT - Lotfi HACHANA (Tunisia)

14. THE MANAGEMENT OF INFORMATION SECURITY - Irakli GIGILASHVILI (Georgia)

15. CRIMINAL IMPLICATIONS OF SOCIAL ENGINEERING - Liviu DOBRITOIU (Romania)

16. DARKNET - SECURITY ASPECTS - Bebe Răducu IONAŞCU (Romania)

17. NETWORK SECURITY FUNDAMENTALS - Parnaoz SHALVASHVILI (Georgia)

18. FRAMEWORK OF PERSONNEL TRAINING MAJORING IN UKRAINE - Oleksandr BAKALYNSKYI (Ukraine)

19. CYBER WAR GAMING AT NATO - Aamra NAQVI (Pakistan)

20. COMPUTER SECURITY INCIDENT HANDLING - Alzoubi FERAS (Jordan)

21. THE IMPORTANCE OF INFORMATION SECURITY AWARENESS TRAINING FOR THE EMPLOYEES OF THE ROMANIAN PRISON SYSTEM - Andreea NETEDU (Romania)

22. ANALYSIS METHODS OF PENETRATION TESTING - ZHYLIN A.V. (Ukraine)

LEGAL AND ETHICAL ASPECTS OF INFORMATION SECURITY AND PRIVACY

Carmen FLOREA

Introduction

We are currently living in the so-called information age, which can be described as an era where economic activities are mainly information based. This is due to the development and use of technology. The main characteristics of this era can be summarized as a rise in the number of knowledge workers and a world that has become more open, in the sense of communication and internationalization. This paradigm shift brings new ethical and juridical problems, which are mainly related to issues such as the right of access to information, the right to privacy, which is threatened by the emphasis on the free flow of information, and the protection of the economic interests of the owners of intellectual property. In this paper the ethical questions related to the right to privacy of the individual, which is threatened by the use of technology, will be discussed. Personal information is confidential, and it is a person's right not to reveal information about themselves. However, as computer technology advances, it is getting harder and harder to keep personal data from being tracked. Many people are worried about losing their right to privacy and losing control of the personal information being collected by others.

1. Law and ethics in information security

Ethics refers to the principles of right and wrong that individuals, acting as free moral agents, use to make choices to guide their behavior. Information systems raise new ethical questions for both individuals and societies because they create opportunities for intense social change, and thus threaten existing distributions of power, money, rights, and obligations. Like other technologies, such as steam engines, electricity, the telephone, and the radio, information technology can be used to achieve social progress, but it can also be used to commit crimes and threaten cherished social values. The development of information technology will produce benefits for many and costs for others. Ethical issues in information systems have been given new urgency by the rise of the Internet and electronic commerce. Internet and digital firm technologies make it easier than ever to assemble, integrate, and distribute information, unleashing new concerns about the appropriate use of customer information, the protection of personal privacy, and the protection of intellectual property. Insiders with special knowledge can "fool" information systems by submitting phony records and diverting cash, on a scale unimaginable in the pre-computer era. Other pressing ethical issues raised by information systems include establishing accountability for the consequences of information systems, setting standards to safeguard system quality that protect the safety of the individual and society, and preserving values and institutions considered essential to the quality of life in an information society [1]. Laws are rules adopted and enforced by governments to codify expected behavior in modern society. The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not. Ethics are based on cultural mores: relatively fixed moral attitudes or customs of a societal group. Many organizations collect, trade, and sell personal information as a commodity, and many individuals are becoming aware of these practices and looking to governments to protect their privacy. In the past it was not possible to create databases that contained personal information collected from multiple sources.

1.1 Cyberlaw and crime

Cyberlaw is still in its formative stages and has not kept up with the rapid progress of technology. This poses problems for law enforcement and the court systems. One of the complexities of investigating computer crimes is jurisdiction. If an attacker in New York bounces his traffic through three other countries and attacks a merchant in California, which law enforcement agency needs to be involved? We have moved from traditional physical crimes to intangible crimes that are not restricted by state or country boundaries. Some countries are beginning to understand the global economic ramifications of widespread computer crime and are beginning to cooperate in investigations, but many are not [2]. The framework for cybercrime prosecution of any kind depends on the proper investigation and collection of evidence. Therefore, CISSP-certified security professionals are expected to be fully knowledgeable of corporate security and privacy policies, and to understand what is considered acceptable behavior for employees. They should be aware of pertinent laws and regulations at the state and national level, understand incident handling procedures, know what constitutes computer abuse in their protection domain, and know how to gather, identify and control evidence. This is important not only for successful prosecution of the perpetrator, but it also shows due care and due diligence on the part of the organization in properly protecting the assets of the corporation on behalf of the owners or stockholders. The CISSP exam covers these items in depth, including a list of actions that prove due care. If such steps are not taken, the company could be charged with negligence. The differences between civil, criminal and administrative law must be properly understood by a security professional because of the law's continually increasing importance in the industry. Many civil cases pertain to intellectual property law, which includes trade secrets, copyright, trademarks and patents, because most often the value of a corporation is embodied in these. Each has a value, which should be classified to ensure that the proper level of security is applied in its protection. Many types of laws are covered in the CISSP exam, including the implications of import and export laws and transborder information flow; privacy laws including the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Federal Privacy Act and the European Union Principles on Privacy; and general computer security laws including the Computer Fraud and Abuse Act and the Computer Security Act of 1989. The United States began to get serious about computer security in the 1990s with the passage of the Federal Sentencing Guidelines, which encompass computer crimes related to fraud, antitrust and other white collar crimes, and with the passage of the Economic Espionage Act, which provided the framework that allows the FBI to investigate corporate and industrial espionage.

1 http://www.prenhall.com/behindthebook/0132304619/pdf/laudon%20MIS10_CH-04%20FINAL.pdf
2 http://searchsecurity.techtarget.com/feature/Spotlight-article-Domain-8-Laws-Investigations-and-Ethics

1.2 Romanian data protection laws

Even though Romania has only been a member of the European Union since 1 January 2007, the EU Data Protection Directive 95/46/EC was implemented into national legislation in November 2001 through Law no. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data ("Data Protection Law"). Under the Data Protection Law, the following categories of data are deemed sensitive personal data (data presenting special risks): (i) data regarding racial or ethnic origin; (ii) political, religious, philosophical or other similar beliefs; (iii) affiliation to certain unions; (iv) physical or mental health condition; (v) sexual life; (vi) criminal or administrative offences. Moreover, according to the template notification form issued by the National Supervisory Authority for Personal Data Processing, genetic and biometric data, the national identification number, and the series and number of identification documents are also qualified as sensitive personal data [3].

Since 1 February 2014, Romania has a new Criminal Code, which places criminal justice on a new basis. The new code integrates into a single text all the offences and crimes related to computer systems, computer data, electronic payment methods and more that were either spread across various laws or did not exist until now. For reference, the main titles and provision numbers in the new Romanian Criminal Code regarding computer crimes are listed briefly below.

- Definitions: Provisions 181 and 182 define the meaning of the terms computer system, computer data and electronic payment instrument.
- Title I - Offenses against the person, Chapter VI - Offenses against the freedom of persons (Art. 208 - Harassment).
- Title II - Offenses against property, Chapter I - Theft (Art. 230 - Stealing with the purpose of using); Chapter IV - Fraud committed through computer systems and electronic payment instruments (Art. 249 - Computer fraud; Art. 250 - Fraudulent financial transactions; Art. 251 - Accepting fraudulent transactions; Art. 252 - Sanctions for attempt).
- Title V - Offenses regarding corruption and service, Chapter II - Service offenses (Art. 302 - Violation of correspondence).
- Title VI - Forgery, Chapter I - Counterfeiting coins, stamps or other values (Art. 311 - Forgery of debt securities or payment instruments; Art. 313 - Circulation of counterfeit securities; Art. 314 - Possession of instruments for counterfeiting values); Chapter III - Forgery regarding documents (Art. 325 - Forgery related to computer data).
- Title VII, Chapter VI - Offenses against the safety and integrity of computer systems and computer data (Art. 360 - Illegal access to a computer system; Art. 361 - Illegal interception of computer data transmissions; Art. 362 - Altering the integrity of computer data; Art. 363 - Disruption of the operation of computer systems; Art. 364 - Unauthorized transfer of data; Art. 365 - Illegal operations with devices or software; Art. 366 - Sanctions for attempt).
- Title VIII - Offenses regarding social life, Chapter I - Offenses against public order (Art. 374 - Child pornography).
- Title IX - Vote-related offenses (Art. 388 - Electronic vote fraud; Art. 391 - Forgery of vote-related records and documents) [4].

3 https://files.dlapiper.com/files/Uploads/Documents/Data_Protection_Laws_of_the_World_2013.pdf

2. The concept of privacy

Information privacy is the privacy of personal information and usually relates to personal data stored on computer systems. The need to maintain information privacy applies to collected personal information, such as medical records, financial data, criminal records, political records, business related information or website data [5]. Information privacy is considered an important aspect of information sharing. With the advancement of the digital age, personal information vulnerabilities have increased. Information privacy may be applied in numerous ways, including encryption, authentication and data masking, each attempting to ensure that information is available only to those with authorized access. These protective measures are geared toward preventing data mining and the unauthorized use of personal information, which are illegal in many parts of the world. Information privacy relates to different data types, including:

- Internet privacy: All personal data shared over the Internet is subject to privacy issues. Most websites publish a privacy policy that details the website's intended use of the online and offline data it collects.
- Financial privacy: Financial information is particularly sensitive, as it may easily be used to commit online and offline fraud.
- Medical privacy: All medical records are subject to stringent laws that address user access privileges. By law, security and authentication systems are often required for individuals that process and store medical records.

4 http://www.en.criminalitate.info/2014/02/updated-romanian-computer-crime-laws.html
5 http://www.techopedia.com/definition/10380/information-privacy

2.1 Different categories of private information

Based on the juridical definition of privacy, two important aspects which are of specific relevance for the information profession must be emphasized. The first is the fact that privacy as a concept is closely related to information: in terms of Neethling's definition, privacy refers to the entirety of facts and information which is applicable to a person in a state of isolation. The fact that privacy is expressed by means of information implies that it is possible to distinguish different categories of privacy, namely private communications, information which relates to the privacy of a person's body, other personal information, and information with regard to a person's possessions. Each of these categories will be briefly dealt with.

- Private communications. This category of privacy concerns all forms of personal communication which a person wishes to keep private. The information exchanged during a reference interview between the user and the information professional can be seen as an example.
- Privacy of the body. This normally refers to medical information and enjoys separate legal protection. According to this legislation a person has the right to be informed about the nature of an illness as well as the implications thereof. Such a person further has the right to privacy about the nature of the illness and cannot be forced to make it known to others. The only exception is when the health, and possibly the lives, of others may be endangered by the specific illness, as may be the case where a person is HIV positive and the chance exists that other people may contract the virus. This category of information is of specific importance for an information professional working in a medical library.
- Personal information. Personal information refers to those categories of information which refer only to that specific person, for example biographical (name, address) and financial information. This type of information is of relevance to all categories of information professionals.
- Information about one's possessions. This information is closely related to property rights. According to this, a person does have control over the information which relates to personal possessions in certain instances. For example, a person may keep private the information about the place where a wallet is kept [6].

6 http://web.simmons.edu/~chen/nit/NIT%2796/96-025-Britz.html

2.2 Differences between security and privacy

Security and privacy are closely linked, and both are part of the emerging debate on new technologies. However, security and privacy are two different sides of how the use of data and modern devices affects us.

Security is an overarching principle in IT. As more new technologies become connected by networks such as global IP and wireless telecom networks, there is more attention paid to how to control data and how to make it secure. Security architectures can include very different components, from endpoint security practices that control the display of data on smartphones and tablets, to "data in use" network security practices that protect network data and infrastructure from hacking or cyberattacks. Privacy is a bit of a different issue having to do with an individual's right to own the data generated by his or her life and activities, and to restrict the outward flow of that data. It’s true that in many cases, security and privacy are tandem operational goals. In other words, the same safeguards that offer data security offer privacy for users. But in another sense, privacy is something that may not be built into security efforts, or seen as a necessary objective by big companies or government agencies. The debate around the mining of personal data by the government, corporations and other agencies shows the difference between security and privacy. Most major organizations see digital security as paramount, while ignoring the digital privacy of users and others. For example, government agencies may help to ensure that private businesses don’t get access to some kinds of personal information regarding citizens, but at the same time, that same agency may be looking to get their hands on the information for other objectives. Many of these issues will continue to come up as different parties struggle to acquire, control and safeguard data.

3. Privacy impacts and ethical issues raised by technology

The impact of the use of technology on the privacy of people manifests itself in a variety of areas. These areas include the following:

- The electronic monitoring of people in the workplace. This relates to personal information as discussed earlier. It is done by so-called electronic eyes. The justification given by companies for the use of such technology is to increase productivity.
- The interception and reading of e-mail messages. This poses an ethical problem which relates to the private communication of an individual. It is technically possible to intercept e-mail messages, and reading them is normally justified by companies because, firstly, they see the technology infrastructure (e-mail) as a resource belonging to the company and not the individual, and secondly, messages are intercepted to check whether people use the facility for private reasons or to do their job.
- The merging of databases which contain personal information. This is also known as databanking, meaning the integration of personal information from a variety of databases into one central database. The problem here does not in the first place arise from the integration of the information as such. The main problems include the fact that the individual is not aware of personal information being integrated into a central database, that the individual does not know the purpose for which the integration is effected, or by whom or for whose benefit the new database is constructed, and whether the information is accurate.
- Closely related to the merging of files is the increasing use of buying cards ("frequent-shopper cards") by retail stores. Inside such a card a computer chip is buried that records every item purchased along with a variety of personal information about the buyer. The information obtained from the card enables marketing companies to target specific individuals, because the buying habits as well as other personal information of people are known.
- Another major threat to privacy is the rise of so-called hackers and crackers who break into computer systems [7].

3.1 Privacy issues of social networking sites

Although the issue of online privacy has been a problem for the general public for a long time, it has started to grow rapidly due to technology, more precisely sharing services and smartphones that enable anyone to create content and share it with one click of a button. Due to the high penetration of smartphones with photo and video creation and sharing capabilities, the amount of personal content available online has been increasing rapidly in recent years. Posting content such as pictures and video raises new privacy concerns, because the content reveals details about the physical and social context of the subject. The growing amount of online personal content exposes users to a new set of privacy concerns. Digital cameras and, lately, a new class of camera phone applications that can upload photos or video content directly to the web make publishing of personal content increasingly easy. Privacy concerns are especially acute in the case of multimedia collections, as they could reveal much of the user's personal and social environment. Commonly users do not think about, or are not even aware of, the risks when they share something online. Based on the Das and Sahoo (2011) survey, the decision about sharing something is often "made on the moment"; however, in today's networked world, the next day the content you have shared is accessible to parents, teachers, employers, spouse, criminals or a marketing company. Far too many users believe that their postings on the Internet are private between them and the recipient. The reality, however, is that once the statement is typed, it can be copied, saved and forwarded. In addition, the user no longer owns all the information posted to social networks. So anyone who uses Gmail, Yahoo Mail, Flickr or YouTube, or belongs to Facebook, gives up complete control of his personal information. Certain pictures or videos shared online have cost a number of people their jobs or ruined their job opportunities. Das and Sahoo (2009) claim that for many employers, looking up material about prospective employees online is an essential part of the hiring process. To illustrate the situation they bring an example from Moorey (2009): the president of a consulting company in Chicago decided to check one of the candidates' Facebook pages, and found descriptions of marijuana, shooting people and obsessive sex. In the end the candidate was rejected for this. To conclude, the question of privacy in terms of social sharing networks is still an issue that needs to be solved.

However, the solution will not be an easy one, as it does not only regard the privacy of content creators, who themselves, due to rising awareness of privacy threats online, could post less revealing content about themselves; what also needs to be solved is how to protect individuals who happen to be the subjects of content posted without their own permission.

7 http://web.simmons.edu/~chen/nit/NIT%2796/96-025-Britz.html


Conclusion

Laws are rules that mandate or prohibit certain behavior; they are drawn from ethics, which define socially acceptable behaviors. The key difference between laws and ethics is that laws carry the authority of a governing body, and ethics do not. Ethics in turn are based on cultural mores: the fixed moral attitudes or customs of a particular group. Some ethical standards are universal. For example, murder, theft, assault, and arson are actions that deviate from ethical and legal codes throughout the world. It can be concluded that the use of technology in the processing of information poses important questions with regard to a person's right to privacy. This right is directly linked to the right to freedom and human autonomy. These new developments require ethical reflection, even before their consequences become visible. Digital convergence and globalization in the emerging knowledge society have raised complex ethical, legal and societal issues. We are faced with complex and difficult questions regarding the freedom of expression, access to information, the right to privacy, intellectual property rights and cultural diversity. Like other technologies, such as steam engines, electricity, the telephone, and the radio, information technology can be used to achieve social progress, but it can also be used to commit crimes and threaten cherished social values. The legal system is an integral part of society. We have seen that it has its limitations, but nevertheless it plays a vital part in upholding a secure computing infrastructure. It is important that security administrators understand the support they have from the legal system in order to adequately protect their computer systems. At the same time, it is important that companies develop healthy computer ethics to minimize intrusions from within. It is a well-known fact that most instances of computer crime occur from the inside, and thus creating a culture of ethical computer behavior is a vital deterrent to underhand computer related activities [8].

References

1 http://www.prenhall.com/behindthebook/0132304619/pdf/laudon%20MIS10_CH04%20FINAL.pdf
2 http://searchsecurity.techtarget.com/feature/Spotlight-article-Domain-8-Laws-Investigations-and-Ethics
3 https://files.dlapiper.com/files/Uploads/Documents/Data_Protection_Laws_of_the_World_2013.pdf
4 http://www.en.criminalitate.info/2014/02/updated-romanian-computer-crime-laws.html
5 http://www.techopedia.com/definition/10380/information-privacy
6 http://web.simmons.edu/~chen/nit/NIT%2796/96-025-Britz.html
7 http://www.sans.org/reading-room/whitepapers/legal/legal-system-ethics-information-security-54
8 http://www.sans.org/reading-room/whitepapers/legal/legal-system-ethics-information-security-54

ASPECTS CONCERNING TOR NETWORK IMPLICATIONS IN NATIONAL SECURITY

Marius GHEORGHEVICI

INTRODUCTION

The Internet was not designed with anonymity in mind; in fact, one of the original design goals was accountability: every packet sent by established protocols identifies both parties [1]. However, most users expect that their Internet communications are, and should remain, anonymous. Tor, short for "the onion router," is a decentralized virtual network that provides today's closest thing to anonymity on the Internet. The Tor network disguises the user's identity by moving his traffic across different Tor relays and encrypting that traffic so it cannot be traced back to the user. The Tor network runs through the computer servers of thousands of volunteers spread throughout the world, and anyone who tries to locate the source would see traffic coming from different nodes on the Tor network rather than the real IP of the source. One of the disadvantages of using Tor is that its bandwidth is considerably lower than that of the open Internet. Because it is a decentralized network built from volunteers' computers, the infrastructure bandwidth is limited by the users that are sharing their network resources, and it grows continuously as more and more users contribute to the network. Tor was initially a worldwide network of servers developed with the U.S. Navy that enabled people to browse the Internet anonymously. The U.S. Naval Research Laboratory sponsored the development of onion routing in the 1990s, and Tor itself was developed by Navy and independent researchers in 2002. The Tor protocol is open source, meaning anyone can view the code and incorporate it into their software. The Tor client is software that permits users to relay their Internet traffic through the Tor network; it was developed to be as user friendly as possible and to support multiple operating system platforms like Windows, MacOS, Android or Raspberry Pi.

Tor was developed mainly to ensure users' privacy and to provide a way for people to get around censorship restrictions in their country. Tor is used every day for a wide variety of purposes by normal people, the military, journalists, law enforcement officers, activists, and many others. Not only does Tor have the ability to protect users' privacy on the Internet; the network can also hide the identity and location of different kinds of services like HTTP, FTP or IRC, making it the best known and most used DarkNet/DeepWeb. Tor has a reputation for being a virtual refuge for people who have something to hide. Some of the concerns regarding the use of Tor for illegal activities include spreading pornography and images of child abuse, as well as selling drugs, weapons and credit card information, organized hacking and so on. The paper is structured into three chapters. The first chapter focuses on presenting the Tor network infrastructure and how Tor functions on the Internet. The second chapter presents the statistical usage of Tor and some analysis of the evolution of the infrastructure. The last chapter covers the aspects regarding how the unethical and illegal use of Tor can impact national security.

1 Clark D. Design Philosophy of the DARPA Internet Protocols. In Proceedings of the ACM Special Interest Group on Data Communications, 1988, pp. 106–114.

I. HOW DOES TOR WORK

I.1. The onion routing

Tor helps to reduce the risks of both simple and sophisticated traffic analysis by distributing your transactions over several places on the Internet, so no single point can link you to your destination. The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you, and then periodically erasing your footprints. Instead of taking a direct route from source to destination, data packets on the Tor network take a random pathway through several relays that cover your tracks, so no observer at any single point can tell where the data came from or where it's going [2]. To create a private network pathway with Tor, the user's software or client incrementally builds a circuit of encrypted connections through relays on the network. The circuit is extended one hop at a time, and each relay along the way knows only which relay gave it data and which relay it is giving data to. No individual relay ever knows the complete path that a data packet has taken. The client negotiates a separate set of encryption keys for each hop along the circuit to ensure that each hop can't trace these connections as they pass through.

2 https://www.torproject.org/about/overview

Figure 1. Tor circuit (copyright: https://www.torproject.org)

Once a circuit has been established, many kinds of data can be exchanged and several different sorts of software applications can be deployed over the Tor network. Because each relay sees no more than one hop in the circuit, neither an eavesdropper nor a compromised relay can use traffic analysis to link the connection's source and destination. Tor only works for TCP streams and can be used by any application with SOCKS support. For efficiency, the Tor software uses the same circuit for connections that happen within the same ten minutes or so. Later requests are given a new circuit, to keep people from linking your earlier actions to the new ones. Tor tries hard to achieve low traffic latency to provide a good user experience, thus sacrificing some anonymity for performance. To keep latency low and network throughput high, Tor relays do not delay incoming messages and do not use padding [3]. This makes Tor susceptible to traffic confirmation attacks: if an attacker is able to sniff both ends of the communication, she is able to confirm that a user communicated with the server. If the first hop of a circuit were chosen at random, then the probability that a malicious node is chosen as the first hop (and thus learns the IP address of the user) converges to one with the number of circuits. Due to this, each user has a set of three [4] Guard nodes. When a user builds a circuit, the first hop is chosen from the set of trusted Guard nodes. The list of all Tor relays is assembled and distributed in the so called "consensus" document by nine trusted Tor authorities. For the purpose of traffic balancing, the bandwidth of each relay is measured and reported. A user chooses relays for circuits proportionally to their consensus bandwidth. Each relay in the consensus is identified by its fingerprint (or ID), which is the SHA-1 hash of its public key.

3 Biryukov, Alex, Ivan Pustogarov, and Ralf-Philipp Weinmann, TorScan: Tracing long-lived connections and differential scanning attacks, Computer Security – ESORICS 2012. Springer Berlin Heidelberg, 2012. 469-486.

I.2. Tor hidden services
Tor makes it possible for users to hide their locations while offering various kinds of services, such as web publishing or an instant messaging server. Using Tor "rendezvous points", other Tor users can connect to these hidden services, each without knowing the other's network identity. This section describes the technical details of how this rendezvous protocol works. A hidden service needs to advertise its existence in the Tor network before clients will be able to contact it. Therefore, the service randomly picks some relays, builds circuits to them, and asks them to act as introduction points by telling them its public key. Note that in the following figures the green links are circuits rather than direct connections. By using a full Tor circuit, it is hard for anyone to associate an introduction point with the hidden server's IP address. While the introduction points and others are told the hidden service's identity (its public key), we do not want them to learn the hidden server's location (its IP address) [4]. The hidden service assembles a hidden service descriptor, containing its public key and a summary of each introduction point, and signs this descriptor with its private key. It uploads that descriptor to a distributed hash table. The descriptor will be found by clients requesting XYZ.onion, where XYZ is a 16-character name derived from the service's public key (the first 80 bits of the SHA-1 hash of the key, base32-encoded). After this step, the hidden service is set up. Although it might seem impractical to use an automatically generated service name, it serves an important goal: everyone, including the introduction points, the distributed hash table directory and of course the clients, can verify that they are talking to the right hidden service [5]. A client that wants to contact a hidden service needs to learn its onion address first. After that, the client can initiate connection establishment by downloading the descriptor from the distributed hash table.

If there is a descriptor for XYZ.onion (the hidden service could also be offline or have left long ago, or there could be a typo in the onion address), the client now knows the set of introduction points and the right public key to use. Around this time, the client also creates a circuit to another randomly picked relay and asks it to act as "rendezvous point" by telling it a one-time secret.
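The binding between the onion address and the service's public key is what lets every party "verify that they are talking to the right hidden service". The following is an added example, not code from the paper or from Tor: it implements the v2 address derivation (base32 of the first 80 bits of SHA-1 over the DER-encoded public key), a directory lookup keyed by address (real v2 descriptor IDs are time-dependent hashes, simplified here), and the client-side check that the key inside a returned descriptor actually hashes to the address that was asked for. The key bytes are a constructed stand-in shaped like a DER RSAPublicKey, not a real key, and the RSA signature over the descriptor is named but not modelled. Tor has since replaced this scheme with 56-character v3 addresses derived from ed25519 keys, but the principle of a self-authenticating name is the same.

```python
"""v2 onion address derivation and the descriptor-to-address check a client performs."""
import base64
import hashlib

# Constructed stand-in for a DER-encoded RSAPublicKey (SEQUENCE { INTEGER n, INTEGER e }).
# Syntactically shaped like one, but NOT a real key; only its bytes matter for the hash.
CONSTRUCTED_KEY_DER = (
    b"\x30\x81\x89" + b"\x02\x81\x81\x00" + bytes(range(1, 130)) + b"\x02\x03\x01\x00\x01"
)


def onion_address_v2(public_key_der: bytes) -> str:
    """base32(SHA-1(DER public key)[:10]) gives 16 lowercase characters; add ".onion"."""
    digest = hashlib.sha1(public_key_der).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


def publish(hsdir: dict, public_key_der: bytes, intro_points: list) -> str:
    """Service side: assemble the descriptor (key + introduction points) and store it.
    The store is keyed by address for readability; the binding checked below is the
    same one the real directory protocol relies on."""
    address = onion_address_v2(public_key_der)
    hsdir[address] = {
        "public_key": public_key_der,
        "intro_points": list(intro_points),
        "signature": "<RSA signature over the descriptor, not modelled here>",
    }
    return address


def fetch_descriptor(hsdir: dict, address: str):
    """Client side. None when nothing is stored under the address (service offline,
    long gone, or a typo). A descriptor whose key does not hash to the requested
    address is refused: a directory that swapped the key could otherwise send the
    client to an impostor's introduction points. Verifying the signature with the
    matched key is the step that follows and is not modelled here."""
    address = address.lower()
    descriptor = hsdir.get(address)
    if descriptor is None:
        return None
    if onion_address_v2(descriptor["public_key"]) != address:
        raise ValueError("descriptor public key does not match the onion address")
    return descriptor


def rejects(hsdir: dict, address: str) -> bool:
    """True when the lookup raises because of a key/address mismatch."""
    try:
        fetch_descriptor(hsdir, address)
        return False
    except ValueError:
        return True


def typo(address: str) -> str:
    """Flip the last base32 character to simulate a mistyped address."""
    last = "x" if address[15] != "x" else "y"
    return address[:15] + last + ".onion"


if __name__ == "__main__":
    hsdir = {}
    addr = publish(hsdir, CONSTRUCTED_KEY_DER, ["relay-A", "relay-B", "relay-C"])
    print(addr, fetch_descriptor(hsdir, addr)["intro_points"])
    print("typo ->", fetch_descriptor(hsdir, typo(addr)))
```

Because the address is a hash of the key, a mistyped address simply finds nothing, while a directory that tried to substitute its own key would be caught before any introduction point is contacted.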

[4] https://www.torproject.org/about/overview
[5] Hsu, D. F., Marinucci, D., Advances in Cyber Security: Technology, Operation, and Experiences, Fordham University Press, 2013


Figure 2. Copyright: https://www.torproject.org

When the descriptor is present and the rendezvous point is ready, the client assembles an "introduce" message (encrypted to the hidden service's public key) including the address of the rendezvous point and the one-time secret. The client sends this message to one of the introduction points, requesting that it be delivered to the hidden service. Again, communication takes place via a Tor circuit: nobody can relate the sending of the introduce message to the client's IP address, so the client remains anonymous. The hidden service decrypts the client's introduce message and finds in it the address of the rendezvous point and the one-time secret. The service creates a circuit to the rendezvous point and sends the one-time secret to it in a rendezvous message. At this point it is of special importance that the hidden service sticks to the same set of entry guards when creating new circuits. Otherwise an attacker could run his own relay and force the hidden service to create an arbitrary number of circuits, in the hope that the corrupt relay is picked as entry node and he learns the hidden server's IP address via timing analysis. In the last step, the rendezvous point notifies the client about successful connection establishment. After that, both client and hidden service can use their circuits to the rendezvous point for communicating with each other. The rendezvous point simply relays (end-to-end encrypted) messages from client to service and vice versa [6]. One of the reasons for not using the introduction circuit for the actual communication is that no single relay should appear to be responsible for a given hidden service. This is also why the rendezvous point never learns the hidden service's identity.

[6] https://www.torproject.org/docs/hidden-services.html.en


In general, the complete connection between client and hidden service consists of 6 relays: 3 of them picked by the client, the third being the rendezvous point, and the other 3 picked by the hidden service.

II. TOR USERS AND INFRASTRUCTURE

II.1. Using Tor as a privacy tool
Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, instant messaging services or the like when these are blocked by their local Internet providers. Tor's hidden services let users publish web sites and other services without needing to reveal the location of the site. Individuals also use Tor for socially sensitive communication: chat rooms and web forums for rape and abuse survivors, or for people with illnesses. Journalists use Tor to communicate more safely with whistleblowers and dissidents. Non-governmental organizations (NGOs) use Tor to allow their workers to connect to their home website while they are in a foreign country, without notifying everybody nearby that they are working with that organization. Activist groups like the Electronic Frontier Foundation (EFF) are funding further Tor development to help maintain civil liberties online. Corporations are investigating Tor as a safe way to conduct competitive analysis, and are considering using Tor to test new experimental projects without associating their names with these projects. A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. The Tor protocol is one of the leading choices for the anonymizing layer in the European Union's PRIME directive to help maintain privacy in Europe. The AN.ON project in Germany has integrated an independent implementation of the Tor protocol into its popular Java Anon Proxy anonymizing client. This wide variety of interests helps maintain both the stability and the security of the network [7]. An increasing number of users are using the Tor software less for its anonymity properties than for its censorship resistance properties: if they use Tor to access Internet sites like Wikipedia and Blogspot, they are no longer affected by local censorship and firewall rules [8].

The Tor anonymity network was and is subject to blocking by China's Great Firewall.

[7] Dingledine, R., Mathewson, N., Tor: An anonymous Internet communication system, Proc. Workshop on Vanishing Anonymity, 15th Conf. on Computers, Freedom, and Privacy, 2005
[8] Dingledine, R., Mathewson, N., The Tor Project, Technical Report, 2006


The Tor website is blocked when accessed over HTTP but reachable over HTTPS, so it is possible for users to download the Tor Browser Bundle. The Tor network maintains a public list of approximately 3000 relays, which are almost all blocked. In addition to the public relays, Tor maintains so-called bridges, which are non-public relays; their purpose is to help censored users reach the Tor network [9]. The variety of people who use Tor is actually part of what makes it so secure. Tor hides you among the other users on the network, so the more populous and diverse the user base for Tor is, the more your anonymity will be protected.

II.2. Tor infrastructure
The Tor Project, the organization that manages the Tor network, has the ability to anonymously collect information about the Tor network and its users. The information is made public and can be accessed online by any Internet user. Since its release, Tor's infrastructure has continually grown as more users and organizations have contributed their own resources to the network infrastructure, and the statistics published by the Tor Project clearly indicate a growing trend for the Tor network. This section presents some statistics regarding the number of relays within the Tor network, the number of users and also the data transport capacity of the network, all within the period 1 January 2013 to 28 January 2015. In the last two years the Tor infrastructure has more than doubled, from almost 3000 running relays at the start of 2013 to approximately 7000 at the start of 2015, as shown in Figure 3. Of those relays, only approximately 1000 are configured to be potential exit nodes. Today nearly 84% of the relays run on Linux-type operating systems, and almost 11% on Windows (Figure 4).

Figure 3 / Figure 4

[9] http://en.wikipedia.org/wiki/Internet_censorship_in_China


Figure 5 / Figure 6

As the number of relays increased, so did the total relay bandwidth that the Tor infrastructure can manage. Figure 5 shows the evolution of the advertised [10] bandwidth and the consumed [11] bandwidth of all relays in the network. We can notice that today the Tor network is capable of handling approx. 117 Gbit/s, which is practically four times more than in January 2013. But the maximum bandwidth that users can use to communicate anonymously on the Internet is set by the bottleneck, and in the case of Tor that is the exit nodes. Figure 6 presents the progress of bandwidth for the different types of Tor nodes. Clearly the total bandwidth supported by the exit nodes did not follow the same evolution as that of the other nodes, and it has become the bottleneck of the network as the number of users continually increases. The number of Internet users choosing Tor for different reasons has also increased in the last two years. Today there are almost 2.2 million daily connected users from around the world (Figure 8). Millions of machines were spotted in August 2013 running Win32/Sefnit installer programs, leading to 4 million Sefnit-based Tor clients appearing on the anonymizing network within a two-week period. The spike in Tor traffic at that time was initially thought to be a result of privacy concerns after the Snowden revelations about the NSA's spying operations, but security researchers later identified it as a botnet with Russian-speaking connections. Concerning Romania, there are almost 20000 daily users of the Tor network. Computers from Romania were also affected by the Sefnit and Skynet botnets in August 2013, as shown in Figure 6.

[10] The volume of traffic, both incoming and outgoing, that a relay is willing to sustain, as configured by the operator and claimed to be observed from recent data transfers.
[11] The volume of incoming and/or outgoing traffic that a relay claims to have handled on behalf of clients.


Figure 5 / Figure 6

III. POSSIBLE IMPACTS OF TOR BAD USE ON NATIONAL SECURITY

The capability to remain anonymous on the Internet is desired not only by people who are concerned about their privacy, but also by those who want to conduct illegal activities. Tor has a reputation for being a virtual refuge for people who have something to hide. Some of the concerns about the use of Tor for illegal activities involve the spreading of pornography and images of child abuse, as well as the selling of drugs, weapons and credit card information, organized hacking and so on. From March until September 2014, a research group from Portsmouth University ran 40 "relay" computers in the Tor network, the collection of thousands of volunteer machines that bounce users' encrypted traffic through hops around the world to obscure its origin and destination. These relays allowed them to assemble an unprecedented collection of data about the total number of Tor hidden services online (about 45,000 at any given time) and how much traffic flowed to them. They then used a custom web-crawling program to visit each of the sites they had found and classify them by content. The researchers found that the majority of Tor hidden service traffic (the traffic to the 40 most visited sites, in fact) actually consisted of communications from "botnet" computers infected with malware seeking instructions from a hacker-controlled server running Tor. Most of those malware control servers were offline, remnants of defunct malware schemes like the Skynet botnet. But take out that automated malware traffic, and 83% of the remaining visits to Tor hidden service websites sought sites that were classified as related to child abuse. Despite their popularity on the Tor network, child abuse sites represent only about 2 percent of Tor hidden service websites: just a small number of paedophilia sites account for the majority of Dark Web HTTP traffic, according to the study. Drug-related sites and markets like the now-defunct Silk Road 2.0, Agora or Evolution represented a total of about 24 percent of the sites measured in the study, by contrast. But visits to those sites accounted for only about 5 percent of site requests on the Tor network, by the researchers' count [12].

III.1. Tor and the online drug markets
Silk Road was an online anonymous marketplace that started its operations in February 2011. Silk Road was not itself a shop. Instead, it provided infrastructure for sellers and buyers to conduct transactions in an online environment. While Tor ensures communication anonymity, Silk Road also needed to preserve payment anonymity. To that effect, Silk Road only supported Bitcoin (BTC) as a trading currency. Bitcoin is a peer-to-peer, distributed payment system that supports verifiable transactions without the need for a central third party [13]. When the Silk Road website was busted in October 2013, the closure took out 13,648 different drug deals and the FBI initially seized 26,000 BTC, worth approximately $3.6 million at the time, from accounts on Silk Road. Later in October 2013 the FBI reported that it had seized 144,000 BTC, worth $28.5 million, and that the bitcoins belonged to Ross Ulbricht, the supposed owner of Silk Road [14]. But after Silk Road was brought down, many other sites took its place to respond to the demand for illegal products. On 6 November 2014, law enforcement and judicial agencies around the globe undertook a joint action against dark markets running as hidden services on the Tor network. 16 European countries, alongside counterparts from the United States, brought down several marketplaces as part of a unified international action coordinated from Europol's operational coordination centre in The Hague. The action aimed to stop the sale, distribution and promotion of illegal and harmful items, including weapons and drugs, which were being sold on online "dark" marketplaces. Operation Onymous, coordinated by Europol's European Cybercrime Centre (EC3), the FBI, the U.S. Immigration and Customs Enforcement's (ICE) Homeland Security Investigations (HSI) and Eurojust, resulted in 17 arrests of vendors and administrators running these online marketplaces and more than 410 hidden services being taken down. In addition, bitcoins worth approximately USD 1 million, EUR 180,000 in cash, drugs, gold and silver were seized. The dark market Silk Road 2.0 was taken down by the FBI and U.S. ICE HSI, and its operator was arrested [15].

[12] http://www.wired.com/2014/12/80-percent-dark-web-visits-relate-pedophilia-study-finds/
[13] Christin, N., Traveling the Silk Road: A measurement analysis of a large anonymous online marketplace, Proceedings of the 22nd International World Wide Web Conference, 2013
[14] http://en.wikipedia.org/wiki/Silk_Road_%28marketplace%29


III.2. Tor and organized terrorism
Concerning national security, Tor's hidden services can be used to organize terrorist attacks. One of the websites the FBI seized was titled "Fund the Islamic Struggle Anonymously". The website had a short message for visitors asking for donations towards setting up "a new Islamic front in the USA and around the world", and saying that visitors could send these donations "without leaving a trace" [16]. Also, drugs are not the only illegal products that can be bought via the markets on the Darknet. Many of these sites give the opportunity to buy weapons anonymously. These include AK-47s, Bushmaster military rifles and even grenades, all of which could be sold, bought, sent and delivered on the Armory, a hidden website that functioned as an online black market for illegal firearms. Once payment in BTC was received, the weapons were sent using a deviously clever shipping method: instead of delivering the order in one big crate, and hence tipping off security officials, each weapon was taken apart and sent piece by piece until the buyer had enough parts to assemble it. Though obviously not the most efficient way to buy a gun, the fact that the entire process is replete with measures to conceal the identity, whereabouts, motives and actions of everyone involved made the Armory one of the most effective underground marketplaces. The existence of such portals is alarming in that they can not only arm a single deranged individual with enough firepower to carry out a massacre, but also supply a group of terrorists with enough weaponry to lay siege to embassies and government offices [17].

III.3. Malware also uses Tor
Common botnets generally host their Command & Control (C&C) infrastructure on hacked, bought or rented servers, possibly registering domains that resolve to the IP addresses of their servers. This approach exposes the botnet to being taken down or hijacked. The security industry generally tries to take the C&C servers offline and/or to take over the associated domains by making them point to a different host, in cooperation with hosting providers and domain registrars (a practice commonly known as "sinkholing"), effectively disrupting the botnet's operations. In some cases these efforts are nullified when the botnet operators buy services from a particular type of hosting provider that guarantees it will not respond to abuse complaints nor cooperate with takedown requests. These providers are commonly known as "bulletproof hosting" and are widely used in the cybercrime ecosystem. However, their services are typically more expensive and they might not be 100% reliable. Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and banking capabilities. The core code base is a very simple Tor-enabled IRC bot which incorporates DDoS and a few other capabilities. The malware comes along with four additional embedded resources: a ZeuS bot, the Tor client for Windows, the CGMiner bitcoin mining tool and a copy of OpenCL.dll, used by CGMiner for GPU hashing. What the Skynet botnet creator realized is that he could build a much stronger infrastructure at no cost just by using Tor as the internal communication protocol, and by using the hidden services functionality that Tor provides. Skynet runs all its C&C servers as hidden services, and all compromised computers are configured to be part of the Tor network as well. The advantage of this approach is that the botnet traffic is encrypted, which helps prevent detection by network monitors. Also, by running as a hidden service, the origin, location and nature of the C&C are concealed and therefore not exposed to possible takedowns. In addition, since hidden services do not rely on public-facing IP addresses, they can be hosted behind firewalls or NAT-enabled devices such as home computers [18].

[15] https://www.europol.europa.eu/content/global-action-against-dark-markets-tor-network
[16] https://www.nikcub.com/posts/fbi-seizes-fake-tor-hosted-jihad-funding-website-as-part-of-operation-onymous-leaves-up-real-site/
[17] http://www.smartplanet.com/blog/thinking-tech/inside-the-secret-online-marketplace-for-illegal-weapons/
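A bot that bundles its own Tor client, as Skynet did, still leaves two network traces on the infected host: a process talking to the local SOCKS port, and the bundled client itself connecting to relays whose addresses are public in the consensus. The detector below is an added example, not code from the paper or from the Rapid7 analysis it cites. The consensus lines follow the real "r nickname identity digest date time IP ORPort DirPort" shape but carry constructed values (TEST-NET addresses), the connection log format and host names are invented, and the list of processes that are allowed to use Tor is an assumption about the monitored network.

```python
"""Flag hosts whose connections look like an embedded Tor client talking to C&C."""
from collections import defaultdict

# Constructed consensus excerpt: 'r' lines name relay IP (field 6) and ORPort (field 7).
# Addresses are RFC 5737 documentation ranges, not real relays.
CONSENSUS_SNIPPET = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2015-01-28 10:00:00 192.0.2.10 9001 9030
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2015-01-28 10:00:00 198.51.100.7 443 0
"""

# Constructed endpoint connection log: one line per outbound TCP connection.
LOG_LINES = [
    "2015-01-28T10:01:02Z host=ws-17 proc=svchost.exe src=10.0.0.17:50123 dst=127.0.0.1:9050",
    "2015-01-28T10:01:03Z host=ws-17 proc=svchost.exe src=10.0.0.17:50124 dst=192.0.2.10:9001",
    "2015-01-28T10:02:10Z host=ws-42 proc=firefox.exe src=10.0.0.42:50200 dst=127.0.0.1:9150",
    "2015-01-28T10:02:11Z host=ws-42 proc=tor.exe src=10.0.0.42:50201 dst=198.51.100.7:443",
    "2015-01-28T10:03:00Z host=ws-08 proc=outlook.exe src=10.0.0.8:50300 dst=203.0.113.5:443",
]

SOCKS_PORTS = {9050, 9150}                    # default tor / Tor Browser SOCKS ports
EXPECTED_TOR_PROCS = {"tor.exe", "firefox.exe"}  # assumption: Tor Browser is permitted here


def relay_endpoints(consensus_text: str) -> set:
    """Set of (ip, orport) for every 'r' line of a consensus document."""
    endpoints = set()
    for line in consensus_text.splitlines():
        fields = line.split()
        if len(fields) >= 8 and fields[0] == "r":
            endpoints.add((fields[6], int(fields[7])))
    return endpoints


def parse_log_line(line: str):
    """Return (host, process, destination ip, destination port) from one log line."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    ip, port = fields["dst"].rsplit(":", 1)
    return fields["host"], fields["proc"], ip, int(port)


def detect(log_lines, consensus_text: str) -> dict:
    """Map host -> set of findings. Relay contact or local SOCKS use by a process
    that is not an expected Tor client escalates to 'suspect-embedded-tor-client'."""
    relays = relay_endpoints(consensus_text)
    findings = defaultdict(set)
    for line in log_lines:
        host, proc, ip, port = parse_log_line(line)
        hit = False
        if ip == "127.0.0.1" and port in SOCKS_PORTS:
            findings[host].add("local-socks-proxy-use")
            hit = True
        if (ip, port) in relays:
            findings[host].add("tor-relay-connection")
            hit = True
        if hit and proc not in EXPECTED_TOR_PROCS:
            findings[host].add("suspect-embedded-tor-client")
    return dict(findings)


if __name__ == "__main__":
    for host, tags in sorted(detect(LOG_LINES, CONSENSUS_SNIPPET).items()):
        print(host, sorted(tags))
```

Two caveats apply in practice: a bot that reaches Tor through a bridge or a pluggable transport never touches a consensus-listed ORPort, so the relay-list rule only catches the direct case; and process names are weak evidence, since a bundled tor.exe can be renamed or, as in the sample, a system process name can be abused, so the escalation should be confirmed with the binary's hash and the parent process.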

CONCLUSIONS

The Tor network is the best known and most used privacy tool, and at the same time it represents a possible threat when it comes to illegal activities hosted within its infrastructure. Probably, the accelerated growth of the network is due to its increasing use for illegal activities. In order for law enforcement to keep pace with these new online illegal activities, it must first recognise that Tor is out there and is a part of the Internet. Secondly, to be able to identify the sites and the servers hosting them, worldwide cooperation between governmental agencies is necessary, similar to Operation Onymous presented in Chapter III. Tor's design and internal mechanics make it an attractive protocol for botnets: in the Skynet case, all critical communications of the bots with their C&C servers are tunnelled through a Tor SOCKS proxy running locally on the compromised computers.

[18] Guarnieri, C., Skynet, a Tor-powered botnet straight from Reddit, Rapid7, 2012, https://community.rapid7.com/community/infosec/blog/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit


REFERENCES

1. Biryukov, A., Pustogarov, I., Weinmann, R.-P., TorScan: Tracing long-lived connections and differential scanning attacks, Computer Security - ESORICS 2012, Springer Berlin Heidelberg, 2012, pp. 469-486.
2. Christin, N., Traveling the Silk Road: A measurement analysis of a large anonymous online marketplace, Proceedings of the 22nd International World Wide Web Conference, 2013.
3. Clark, D., The Design Philosophy of the DARPA Internet Protocols, Proceedings of the ACM Special Interest Group on Data Communications (SIGCOMM), 1988, pp. 106-114.
4. Guarnieri, C., Skynet, a Tor-powered botnet straight from Reddit, Rapid7, 2012, https://community.rapid7.com/community/infosec/blog/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit
5. Hsu, D. F., Marinucci, D., Advances in Cyber Security: Technology, Operation, and Experiences, Fordham University Press, 2013.
6. Dingledine, R., Mathewson, N., The Tor Project, Technical Report, 2006.
7. Dingledine, R., Mathewson, N., Tor: An anonymous Internet communication system, Proc. Workshop on Vanishing Anonymity, 15th Conf. on Computers, Freedom, and Privacy, 2005.
8. http://en.wikipedia.org/wiki/Internet_censorship_in_China
9. http://en.wikipedia.org/wiki/Silk_Road_%28marketplace%29
10. http://www.smartplanet.com/blog/thinking-tech/inside-the-secret-online-marketplace-for-illegal-weapons/
11. http://www.wired.com/2014/12/80-percent-dark-web-visits-relate-pedophilia-study-finds/
12. https://www.europol.europa.eu/content/global-action-against-dark-markets-tor-network
13. https://www.nikcub.com/posts/fbi-seizes-fake-tor-hosted-jihad-funding-website-as-part-of-operation-onymous-leaves-up-real-site/
14. https://www.torproject.org/about/overview
15. https://www.torproject.org/docs/hidden-services.html.en


SECURITY OVER PUBLIC INTERNET CHANNELS
Artem BAKUTA

Introduction

The use of advanced information technology and the scientific achievements of technological progress have given people considerable opportunities for communication. Today there are technologies that allow a person to contact the other end of the globe in a few seconds. But besides their usability, they hide many dangers for the average user. This paper discusses the communication services that claim to provide security for their clients, and whether that security is reliable. A social network is a structure based on human relations or mutual interests. An online social network service can be viewed as a platform through which people communicate with each other and group themselves by specific interests. The task of the service is to provide users with all possible ways to interact with each other: video, chat, pictures, music, blogs and more. Research by the Russian journal «rlan.ru» in 2011 produced statistics on the use of different social networks all over the world (Pic. 1); measured by number of users, the most popular were Facebook, Qzone, Vkontakte, Odnoklassniki, etc.

Picture 1. Statistics from «rlan.ru» about the most popular social networks.

The other aspect to cover is the privacy of social communication messengers (instant messaging chat). Instant messaging services (IMS), online consultant programs (OnlineSaler) and client software (instant messengers, IM) exchange messages in real time over the Internet. They can send text messages, tones, images and video, and support actions such as sharing or drawing games. Many of these client programs can be used to organise group text chat or video conferencing. Some of them are Telegram, WhatsApp, Viber, etc. This article is about the principles and methods by which the communication systems mentioned above provide privacy and security for each client, and it analyses which system is the most reliable. A week ago Markiyan Lubkivsky, adviser to the head of the Security Service of Ukraine, said that Russian security services are monitoring information from Zello (an IMS that allows voice messages to be transmitted over the Internet in a radio-like mode). After this statement the publication LIGA surveyed four Ukrainian specialists in the field of cyber security to find out which messengers are best protected from eavesdropping and theft of user data, and combined their answers into a rating. All the experts agreed that the safest way to communicate is via the instant messengers RedPhone, WhatsApp and Telegram. Data in Skype and Facebook Messenger is a little less protected. Viber and Zello close the security rating. Eugene Gnutko, co-author of the anti-spam application NumBuster, described in detail how a "mobile radio" and any other mobile communication application "sees" and "analyses" the contents of the user's contact list by default: "No matter what it is: WhatsApp, Viber, the Facebook client, the VKontakte client, Zello, etc., they all have access to your contacts, names and phone numbers," writes Gnutko. "All of the above can at any time, from the admin panel, draw the geographical and social coverage of any segment of their audience. Especially if it is not just a one-off task but is set up systematically." Thus the secret services, having access to the "admin" side (that is, to the control equipment or software on the side of the service), can extract a full profile of a user, including information about his contacts, devices, online activity history and a map of his movements. According to Gnutko, a number of services that are considered 100% "Western" are in fact not: their support team, developers or servers are located in Russia.
So, what security does each of those systems use?

I. Privacy of Web Clients

1. HTTPS Overview

HTTPS (Hypertext Transfer Protocol Secure) is an extension of HTTP that supports encryption. Data transmitted over HTTP is «packaged» in the cryptographic protocol SSL or TLS. Unlike HTTP, HTTPS uses TCP port 443 by default. The main purpose of the TLS protocol is privacy and data integrity between two interacting parties (application programs); the objectives and the description of the protocol from version 1.0 to 1.2 are given in [1, 2, 3]. The protocol consists of two levels, as shown in Picture 2 (Pic. 2): the record level (Record) and the handshake level (Handshake, Alert, Change Cipher Spec). The hierarchy of the protocols is as follows: the handshake protocol establishes all the necessary parameters between the client and the server; the record protocol provides secure transmission of data using the parameters established during the handshake. At the lowest level, TLS Record runs on top of a reliable transport protocol (e.g. TCP).

2. TLS Record Protocol

The TLS Record Protocol provides a secure connection that has the following properties:
• Connection privacy. Symmetric encryption is used to encrypt the data (e.g. AES, RC4, etc.). The keys for symmetric encryption are generated uniquely for each connection on the basis of another protocol (e.g. the TLS Handshake protocol). TLS Record can also be used without encryption.
• Connection reliability. Each message includes a message integrity check using a keyed message authentication code (MAC) built on a secure hash function (e.g. SHA-1, etc.). The Record Protocol can operate without a MAC, but this mode is normally used only while another protocol is using the Record Protocol as a transport for negotiating security parameters.

Picture 2 – Scheme of protocol structure SSL/TLS (application layer: HTTP, FTP, Telnet, other; SSL/TLS: Handshake, Change Cipher Spec and Alert on top of Record; transport layer: TCP/IP)

An implementation of the protocol must support integrity checking of certificates and must check for revoked certificates. Certificates should always be checked to ensure a proper signature from a trusted certificate authority (CA). Besides, the choice of trusted certificate authorities should be made very carefully, and users should be able to view information about the certificate and the root certification authority. The IETF document RFC 5246 describes TLS 1.2, released in 2008 and the latest version of the protocol at the time of writing [4]. It should also be noted that an important aspect of ensuring the security of the TLS protocol is the certificate system. Deficiencies in this system prevent the protocol from protecting against man-in-the-middle attacks.
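The two-level structure in Pic. 2 is visible on the wire: every TLS record starts with a five-byte header (content type, protocol version, length), and handshake, alert and change-cipher-spec messages are just the bodies of such records. The parser below is an added example, not code from the paper or from any TLS library; the sample byte stream is constructed (the hello bodies are stubs, not real ClientHello/ServerHello structures) and only the record and handshake-type headers are interpreted. It also shows two details worth knowing when reading captures: the record-layer version on a ClientHello is often 3.1 (TLS 1.0) for compatibility regardless of what gets negotiated, and nothing after ChangeCipherSpec can be read without the session keys.

```python
"""Walk a stream of TLS records and name what each one carries."""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_records(stream: bytes) -> list:
    """Each record: content type (1 byte), version (2), body length (2, big-endian),
    then the body. Handshake bodies start with a message type byte and a 3-byte
    length. Once a ChangeCipherSpec has been seen, later bodies are ciphertext."""
    records, pos, encrypted = [], 0, False
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header at offset %d" % pos)
        ctype, major, minor, length = struct.unpack("!BBBH", stream[pos:pos + 5])
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % pos)
        record = {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
                  "version": VERSIONS.get((major, minor), "%d.%d" % (major, minor)),
                  "length": length, "encrypted": encrypted}
        if ctype == 22 and not encrypted and length >= 4:
            record["handshake"] = HANDSHAKE_TYPES.get(body[0], "unknown(%d)" % body[0])
        if ctype == 20:
            encrypted = True          # keys from the handshake are in use from here on
        records.append(record)
        pos += 5 + length
    return records


def is_well_formed(stream: bytes) -> bool:
    """True when the stream splits cleanly into whole records."""
    try:
        parse_records(stream)
        return True
    except ValueError:
        return False


# Constructed sample exchange, header-level only (hello bodies are stubs).
SAMPLE_STREAM = (
    b"\x16\x03\x01\x00\x06" + b"\x01\x00\x00\x02\x03\x03"    # handshake: ClientHello, record version TLS 1.0
    + b"\x16\x03\x03\x00\x06" + b"\x02\x00\x00\x02\x03\x03"  # handshake: ServerHello, TLS 1.2
    + b"\x14\x03\x03\x00\x01" + b"\x01"                      # ChangeCipherSpec
    + b"\x16\x03\x03\x00\x04" + b"\xde\xad\xbe\xef"          # handshake: Finished (encrypted)
    + b"\x17\x03\x03\x00\x03" + b"\xaa\xbb\xcc"              # application data (encrypted)
)

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_STREAM):
        print(rec)
```

A truncated capture fails the `is_well_formed` check rather than yielding a half-read record, which is the behaviour to want from anything that sits in front of a TLS parser.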

II. Instant Messenger Security

Today it is difficult to find someone who does not use instant messengers. WhatsApp alone is installed on hundreds of millions of devices around the world and passes a total of tens of billions of messages per day. And there are still Skype, Viber, ICQ and a dozen other more or less popular instant messengers, including the services built into Facebook, «VKontakte», etc. However, with the increasing popularity of messaging services, the issue of confidentiality of correspondence is raised more and more often. Of course, this concern is somewhat absurd (considering how much information about ourselves we leave on the web every day, albeit voluntarily), but sometimes we find ourselves in a situation where we need to talk with someone really privately, without even a hint of possible voluntary or involuntary witnesses. Is it possible to communicate on the Internet so that nobody, not even the kind of agency Snowden described, can pry into it? Every messenger provides its own security inside its system; to find the most reliable one for ourselves we need to examine all of them. Here we will cover just some of the most popular.

1. Security of Telegram Instant Messenger

Telegram is a messenger for smartphones that positions itself as secure, protecting not only against intruders but also against state agencies like the NSA. To achieve this security Telegram uses its own development, the cryptographic protocol MTProto, whose reliability many view sceptically. Here only the most important security aspects are covered, and one of them is how the cipher key is created. Telegram's published key exchange for secret chats (as documented at the time) computes the key as:

key = (pow(g_b, a) mod dh_prime) xor nonce

This is the Diffie-Hellman (DH) key agreement, almost. Let me remind you that the original DH algorithm has the form:

key = pow(g_b, a) mod dh_prime

Variables in the expressions: key is the secret key used to encrypt the traffic; g_b is the public key of the interlocutor; a is your private key; dh_prime is a public prime number; nonce is a "random" sequence received from the Telegram server for the calculation of the key. Question: why such a modification of the algorithm? If the nonce is the same sequence for both clients, it simply flips bits of the key without making it any safer. But if it is different, the Telegram server may choose a nonce such that the users' keys match even under a MITM attack, and no one will know that they are being listened to. And even if the nonce is the same for two clients today, there is no guarantee that it will be the same tomorrow, when the office of Digital Fortress is visited by the NSA, the FSB or another organisation. To make this clear, let us turn to Alice and Bob. The attack can take place as follows (Pic. 3):
1. Alice begins a secret chat with Bob and tells the Telegram server about it. The server gives Alice a public prime (p) and a primitive root modulo p (g). Alice generates a private key (a) and, on the basis of it, a public key (A), which she sends to the server.
2. The server generates its own keys (t and T) and sends T to Bob in the guise of Alice's public key. Together with T it passes g, p and a random sequence (b_nonce).
3. Bob similarly generates his keys (b, B) and calculates a secret key (s). He returns his public key (B) to the server.
4. The server computes s and, based on it, a not-so-random sequence (a_nonce). It passes T to Alice in the guise of Bob's public key and a_nonce in the guise of a random sequence.
5. Alice computes a secret key, which is the same as Bob's key and the server's key.
6. Bob looks at the visualisation of the key on Alice's phone, sees the same key as his own and, without suspicion, enjoys the service.

Meanwhile Telegram keeps the logs without any obstacle.

Picture 3. Scheme of Telegram key exchange.

Is it of any use? If you just need a quick chat, Telegram is a great app. If you are paranoid, you should not rely on it alone. Because even if this research is mistaken and all of it is complete heresy, Telegram knows everything about you, including your phone number, contacts, SMS messages, location, and with whom you are communicating. Pay attention to the list of permissions of the application. We can say that Telegram is fast and convenient, but not a private chat.

2. Basic principles of VoIP telephony

IP telephony refers to voice that is carried over data networks, in particular IP-based networks (IP, Internet Protocol). To date, IP telephony is increasingly replacing traditional telephone networks due to ease of deployment, low call cost, ease of configuration, high-quality communication and the comparative safety of the connection. This presentation follows the principles of the OSI Reference Model (Open Systems Interconnection basic reference model) and treats the subject "bottom-up", starting with the physical and link layers and ending with the data levels. When a call is made, the voice is converted into compressed data packets; these packets are then transmitted over packet networks, in particular IP networks. Upon reaching the destination, the packets are decoded into the original voice signals. These processes are possible thanks to a large number of ancillary protocols, some of which will be considered later. In this context, a data transfer protocol is a language that allows two subscribers to understand each other and provides high-quality data transfer between two points (Pic. 4).

Picture 4. Basic VoIP LAN scheme with access to the Internet

3. Security of VoIP connection

Many consumers implementing IP telephony do not support cryptographic encryption, despite the fact that a secure telephone connection is much easier to implement with IP technology than on conventional telephone lines. As a result, with the help of a sniffer it is relatively easy to set up eavesdropping on IP calls, and with some tricks even to change their content. Anyone who connects a network sniffer has the ability to intercept IP calls if the user is not inside a protected virtual private network (VPN). This vulnerability could lead to denial-of-service attacks against the user or against anyone whose number is on the same network. Such a denial of service can completely disable the telephone network, loading it with garbage traffic, creating a constant "busy" signal and increasing the number of subscriber disconnections. However, this problem also applies to traditional telephony, since absolutely protected means of communication do not exist. Consumers can protect their network by limiting VLAN access and hiding the voice-data network from users. If the consumer maintains a secure and properly configured gateway with controlled access, it will protect itself from the majority of hacker attacks. Free software such as Wireshark facilitates the analysis of IP-call traffic. Some vendors use compression so that intercepting the information becomes more difficult. It is believed that present-day network security requires complete cryptographic encryption and cryptographic authentication. However, in some respects IP telephony outperforms traditional telephony in security. The existing security standard SRTP and the new ZRTP protocol are available on some models of IP phones (Cisco, Yealink, SNOM, etc.), analog telephone adapters (ATAs), gateways, as well as various softphones. IPsec can be used to ensure the safety of P2P VoIP through the use of opportunistic encryption. Skype does not use SRTP, but it uses an encryption system that is transparent to the Skype provider. A Voice VPN solution (a combination of VoIP and VPN) makes it possible to create a secure voice connection to VoIP networks within a company by applying IPsec encryption to the digitized voice data stream. It is also possible to apply multi-level encryption and anonymize the entire VoIP traffic (voice, video, service information, etc.), but just imagine how complicated that would be for every messenger. So every messenger that uses a VoIP service has a vulnerability inside.

CONCLUSIONS

Ideally, all transmitted information, including links, files, chats, audio and video, must be encrypted using strong cryptographic algorithms. The encryption key that is used must be accessible only to you and your companion. The provider and the company providing the service to protect the transmitted information should not have access to the data encryption keys. In addition, the application code must be made available for independent audit. The result of the research shows that each of the most popular communication services has had precedents with the discovery of large "holes" in security. At the same time, the application architecture most resistant to cracking, according to experts, is RedPhone. However, this messenger is only available for the Android platform and is not as easy to use as the mass-market Skype or Viber. Do not forget the main principle of information protection: even the most resistant architecture or encryption algorithm does not protect against a fool or a traitor. It is often much easier and cheaper to recruit an informant than to break the communication system.


DIOFANTUS METHOD FOR DETERMINING THE PROBABILITY OF OCCURRENCE OF DAMAGE FOR BOUNDARY RISKS OF INFORMATION SECURITY

Vitalii BEZSHTANKO

INTRODUCTION

One of the promising approaches to ensuring the confidentiality, integrity and availability of information resources is the implementation of information security management systems. Such an approach involves risk assessments for deciding whether the risks need to be treated and, as a consequence, for choosing the appropriate tools and activities. To do this, management chooses a method of determining the risk assessment and sets an acceptable value for it [7, 8]. In most cases, the risk assessment can be expressed qualitatively or quantitatively as a combination of the probability of damage from the realization of a threat and its absolute value. As a rule, the choice of a method for determining risk assessments eventually boils down to the choice of a method for determining the probability [9]. However, the use of probabilistic, statistical and expert approaches to this problem is limited by the complexity of the following conditions [4, 10]:

a) stationary observation of the realization of threats in order to accumulate statistics of damage;

b) the use of borrowed statistics of the probability of damage due to the realization of threats, namely:
- the objects to which the statistics are expected to apply and the objects on which they were collected are equivalent (requirement of equivalence of objects);
- the conditions under which the statistics are intended to apply and the conditions of their collection are equivalent (requirement of equivalence of conditions);
- the sample sizes of the statistics are sufficient, the processing methods correct, and the data sources credible (requirement of persuasiveness).

Consequently, the corresponding probability characteristics are obtained on the basis of statistics of inadequate volume, under conditions of uncertainty. Given the above, the goal of this work is to create a method for determining the probability of damage due to the realization of information security threats for a model of risk assessment under uncertainty.

1. THE MAIN IDEA

Any threat affects one of the security properties of information: confidentiality, integrity, availability. This action leads to partial or complete loss of one of the properties of information security and consequently to damage to the information asset. Accordingly, the risk of an information asset can be defined as the state in which it is influenced by the source of the threat. Analytically, this risk can be represented by the relation $r = a \cdot x$, where $a$ is a coefficient of the restoration costs of the information asset and $x$ is a quantity characterizing the degree of influence of a threat (hereinafter, the probability). Then the organization's risk $R$ is some combination of the risks of its assets. If this combination of risks is additive, then the risk is quantified by the relation $R = \sum_{i=1}^{n} r_i$, where $i = 1, \dots, n$ is the index of the asset's risk and $n$ is the number of risks. Then the organization's risk space for three information assets is the set of all ordered triples $(r_1; r_2; r_3)$ of asset risks, and any three risks $(r_1; r_2; r_3)$ form a point of the three-dimensional risk space of the organization. The values $r_1, r_2, r_3$ are called the coordinates of the point. Graphically the risk space is shown in Figure 1, where the coordinate axes are the asset risks $r_1, r_2, r_3$.

Fig. 1. Risk space of the organization.

Then the plane of boundary risks is the infinite set of risk points that lie in the plane described by the equation

$$a_1 x_1 + a_2 x_2 + a_3 x_3 = r_b,$$

bounded by the segments connecting the points with coordinates $(0; 0; r_b/a_3)$, $(0; r_b/a_2; 0)$, $(r_b/a_1; 0; 0)$, where $r_b$ is the value of the boundary of acceptable risk of the organization (hereinafter, the acceptable risk $r_{as}$, with $r_b = r_{as}$). A graphical representation of such a plane is shown in Figure 2.

Fig. 2 Plane of boundary risks.

The plane of boundary risks divides the risk space into two subspaces. The subspace in which the coordinates of all points satisfy the condition $a_1 x_1 + a_2 x_2 + a_3 x_3 > r_{as}$ is called the subspace of unacceptable risks (Figure 2), and the other subspace, in which the coordinates of all points satisfy $a_1 x_1 + a_2 x_2 + a_3 x_3 \le r_{as}$, is the subspace of acceptable risks. Consequently, to divide the risk space into subspaces one needs to solve the equation $a_1 x_1 + a_2 x_2 + a_3 x_3 = r_{as}$ with respect to $x_1, x_2, x_3$.

2. SOLUTION OF THE PROBLEM

2.1. Restrictions

In the equation $a_1 x_1 + a_2 x_2 + a_3 x_3 = r_{as}$, the nature and proportion of the recovery costs of the information assets $a_1, a_2, a_3$ and the value of the organization's acceptable risk $r_{as}$ are determined in conditional units, ranked according to the organization's scale (e.g. 1 to 10), and can be represented by rational numbers. In the equation $a_1 x_1 + a_2 x_2 + a_3 x_3 = r_{as}$ the variables represent estimates of the probability of damage and must be less than or equal to one: $x_1, x_2, x_3 \le 1$. Note that solving the equation $a_1 x_1 + a_2 x_2 + a_3 x_3 = r_{as}$ with respect to $x_1, x_2, x_3$ yields an infinite number of solutions, which cannot be put into practice. Recall that the probability of damage is defined as the ratio of the number of successful realizations of threats to the total number of threats. This form of presenting the probabilities $x_1, x_2, x_3$ allows us to consider their values as rational numbers.

Therefore, it can be assumed that the probabilities of occurrence of damage $x_1, x_2, x_3$ can be measured in integers, for example as percentages. To do this, the probability values $x_1, x_2, x_3$ and the acceptable risk $r_{as}$ in the equation $a_1 x_1 + a_2 x_2 + a_3 x_3 = r_{as}$ are multiplied by 100.

2.2. Common Solution

To achieve this goal we assume [2, 3] that an acceptable risk value $r_{as}$ of the organization has been established. This value is an assessment of the possibilities of providing the required level of information security and of the goals of the organization's activities [1, 8]. Then the sum of the permissible risk values of the information assets must be less than or equal to $r_{as}$, so:

$$r_1 + r_2 + \dots + r_j + \dots + r_n \le r_{as}, \quad j = 1, \dots, n. \qquad (1)$$

Based on this assumption, $r_j$ is expressed as the product of the damage $a_j$ and its probability $x_j$ [2, 5]:

$$r_j = a_j x_j, \qquad (2)$$

where $a_j \in Z$, $x_j \in Z$, $r_j \in Z$, and $Z$ is the set of positive integers. By substituting (2) into (1) we obtain

$$a_1 x_1 + a_2 x_2 + \dots + a_j x_j + \dots + a_n x_n \le r_{as}. \qquad (3)$$

Consequently, the ultimate form of (3) can be interpreted as a linear inhomogeneous Diophantine equation with respect to $x_j$ in positive integers:

$$a_1 x_1 + a_2 x_2 + \dots + a_j x_j + \dots + a_n x_n = r_{as}. \qquad (4)$$

In general, (4) has an infinite number of solutions. Therefore, to reduce their exhaustive search it is expedient to impose additional constraints that take into account the features of the methods for solving (4) [3]. Finding the probabilities $x_j$ of damage in positive integers then includes a number of stages:

1. Determination of the acceptable value of risk $r_{as}$ in the organization, which must not exceed the mean square deviation $\sigma_{A_{md}}$ of the damage from the mean damage $A_{md}$ over the period of time considered (e.g. month, year) [1]:

$$r_{as} \le \sigma_{A_{md}}, \qquad (5)$$

$$\sigma_{A_{md}} = \sqrt{\frac{\sum_{i=1}^{m} (A_i - A_{md})^2}{m}},$$

where $A_i$ is the value of the damage for the period under consideration, $A_i = P_{pl,i} - P_{ob,i}$, $P_{pl,i} \ge P_{ob,i}$; $P_{pl,i}$ is the planned value of the organization's profit; $P_{ob,i}$ is the value of the profit obtained by the organization; $i = 1, \dots, m$ is the number of the period in question; $m$ is the number of periods under review.

2. Determination of the values $a_j$ of the damage resulting from the realization of threats for the $n$ information assets of the organization, subject to the following conditions [2]:

a) the sum of the damage values $a_j$ for the $n$ information assets is less than or equal to the value of acceptable risk $r_{as}$:

$$a_1 + a_2 + \dots + a_j + \dots + a_n \le r_{as}; \qquad (6)$$

b) there is a greatest common divisor $d \ge 1$ of the values $a_1, \dots, a_j, \dots, a_n$;

c) the acceptable risk value $r_{as}$ is divisible without remainder by the greatest common divisor $d$ of the damage values $a_1, \dots, a_j, \dots, a_n$.

If necessary, the fulfillment of these conditions is achieved by the owner of the information or the asset management of the organization changing the values $a_j$ and $r_{as}$, taking into account (5) and (6).

3. Formation of a linear inhomogeneous Diophantine equation in positive integers for the $n$ information assets.

4. Solution of the linear inhomogeneous Diophantine equation with respect to $x_j$ in positive integers by selecting the appropriate method and the limitations characteristic of it [2, 3]. Suppose that, as a result of stages 1 and 2 for three information assets, the acceptable risk value $r_{as}$ and the damage values $a_1, a_2, a_3$ are defined. Then the linear inhomogeneous Diophantine equation can be written in the form

$$a_1 x_1 + a_2 x_2 + a_3 x_3 = r_{as}. \qquad (7)$$

To determine the probabilities $x_1, x_2, x_3$ of damage, a combination of the methods described in [3, 6] is used. Their application involves choosing the smallest coefficient in equation (7) among $a_1, a_2, a_3$. Let it be $a_1$ [6]. Therefore the following inequality is valid: $a_1 \le \min\{a_2, a_3\}$.

Divide the coefficients $a_2$ and $a_3$ by $a_1$; as a result we obtain

$$a_2 = q_2 a_1 + w_1, \quad a_3 = q_3 a_1 + w_2, \qquad (8)$$

where $q_2$ and $q_3$ are the integer quotients of the division of $a_2$ and $a_3$ by $a_1$; $w_1$ and $w_2$ are the integer remainders of the division of $a_2$ and $a_3$ by $a_1$, $0 \le w_1 < a_1$ and $0 \le w_2 < a_1$. Substituting

(8) into (7) we write $a_1 x_1 + (q_2 a_1 + w_1) x_2 + (q_3 a_1 + w_2) x_3 = r_{as}$. Expanding the brackets in this expression,

$$a_1 (x_1 + q_2 x_2 + q_3 x_3) + w_1 x_2 + w_2 x_3 = r_{as}, \qquad (9)$$

and making the change of variables

$$y_1 = x_1 + q_2 x_2 + q_3 x_3, \quad y_2 = x_2, \quad y_3 = x_3, \qquad (10)$$

we rewrite (9) taking (10) into account:

$$a_1 y_1 + w_1 y_2 + w_2 y_3 = r_{as}, \qquad (11)$$

and set the coefficient $w_2$ of $y_3$ to zero:

$$a_1 y_1 + w_1 y_2 = r_{as}. \qquad (12)$$

To solve the resulting equation (12), we assume [3] that a particular solution $\{y_1', y_2'\}$ is known. Then

$$a_1 y_1' + w_1 y_2' = r_{as}. \qquad (13)$$

Subtracting (13) from (12) we obtain

$$a_1 (y_1 - y_1') + w_1 (y_2 - y_2') = 0. \qquad (14)$$

From (14) we express $(y_1 - y_1')$: $a_1 (y_1 - y_1') = -w_1 (y_2 - y_2')$,

$$y_1 - y_1' = -\frac{w_1 (y_2 - y_2')}{a_1}. \qquad (15)$$

As a consequence, the integrality condition for (15) is the absence of a remainder in the division of $w_1 (y_2 - y_2')$ by $a_1$, that is

$$\frac{y_2 - y_2'}{a_1} = t,$$

where $t$ is the integer result of the division, $t \in Z$.

Then all solutions $\{y_1, y_2\}$ of equation (12) in positive integers can be written in the form

$$y_1 = y_1' - w_1 t, \quad y_2 = y_2' + a_1 t, \qquad (16)$$

i.e. $\{y_1' - w_1 t,\; y_2' + a_1 t\}$.

Taking into account (10) and (16), from (7) we obtain an expression for $x_3$:

$$x_3 = \frac{r_{as} - a_1 x_1 - a_2 x_2}{a_3}.$$

2.3. Example of Solution of the Problem for Three Information Assets

Consider the use of the proposed Diophantine method on the example of determining the probabilities $x_1, x_2, x_3$ for three information assets. Let the acceptable value of risk be $r_{as} = 54$ and the identified amounts of damage be $a_1, a_2, a_3 = 2, 3, 4$. These values satisfy conditions (a)-(c):

a) the sum of the damage values $a_1, a_2, a_3 = 2, 3, 4$ is less than or equal to the value of acceptable risk $r_{as} = 54$: $(2 + 3 + 4) \le 54$;

b) there is a greatest common divisor $d = 1$ of the values $a_1, a_2, a_3 = 2, 3, 4$;

c) the acceptable risk value $r_{as} = 54$ is divisible without remainder by the greatest common divisor $d$ of the damage values $a_1, a_2, a_3 = 2, 3, 4$.

Since the greatest common divisor is $d = 1$, the linear inhomogeneous Diophantine equation

$$2 x_1 + 3 x_2 + 4 x_3 = 54 \qquad (17)$$

is solvable in the set $Z$ of positive integers. Divide the coefficients 3 and 4 by 2; as a consequence we can write

$$3 = 1 \cdot 2 + 1, \quad 4 = 2 \cdot 2 + 0. \qquad (18)$$

Substituting (18) into (17) we obtain $2 x_1 + (1 \cdot 2 + 1) x_2 + (2 \cdot 2 + 0) x_3 = 54$. Expanding the brackets in this equation,

$$2 (x_1 + x_2 + 2 x_3) + x_2 = 54, \qquad (19)$$

and making the change of variables

$$y_1 = x_1 + x_2 + 2 x_3, \quad y_2 = x_2, \qquad (20)$$

we rewrite (19) taking (20) into account:

$$2 y_1 + y_2 = 54. \qquad (21)$$

A particular solution of equation (21) is the pair of positive integers $\{y_1', y_2'\} = \{26, 2\}$, which we use to determine the probabilities $x_1$ and $x_3$ of damage on the basis of (20): $y_1' = x_1 + y_2' + 2 x_3$,

$26 = x_1 + 2 + 2 x_3$,

$$x_1 + 2 x_3 = 24. \qquad (22)$$

A particular solution of equation (22) is the pair of numbers $\{x_1', x_3'\} = \{10, 7\}$. Then

$$x_1' + 2 x_3' = 24. \qquad (23)$$

Subtracting (23) from (22) we obtain

$$(x_1 - 10) + 2 (x_3 - 7) = 0. \qquad (24)$$

From (24) we express $(x_1 - 10)$:

$$x_1 - 10 = -2 (x_3 - 7). \qquad (25)$$

As a consequence, the integrality condition for equation (25) is the integrality of the expression $(x_3 - 7)$, that is

$$x_3 - 7 = t, \quad t \in Z.$$

Then all integer solutions $\{x_1, x_3\}$ of equation (22) can be written in the form

$$x_1 = 10 - 2t, \quad x_3 = 7 + t, \qquad (26)$$

$$-7 < t < 5. \qquad (27)$$

By changing the value of the variable $t$ in (26), taking into account condition (27), we find the values $x_1, x_3$ and, by substituting them into equation (17), we solve it with respect to the variable $x_2$:

$$x_2 = \frac{54 - 2 x_1 - 4 x_3}{3}.$$

Then the particular solutions of (17) are the probabilities for the three information assets shown in Table 1.

Table 1. The probabilities of damage, in %

  t   -6  -5  -4  -3  -2  -1   0   1   2   3   4
 x1   22  20  18  16  14  12  10   8   6   4   2
 x2    2   2   2   2   2   2   2   2   2   2   2
 x3    1   2   3   4   5   6   7   8   9  10  11
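The procedure of Sections 2.2 and 2.3 in runnable form, as an added example that is not part of the paper: it implements the reduction (8)-(12) for three assets in the case the paper assumes (a1 the smallest coefficient and a3 divisible by a1, so w2 = 0), generates the family (26)-(27) from the chosen particular solutions, and checks it against complete enumeration. The function names and the particular solutions passed as arguments are this example's own assumptions.

```python
"""Diophantine method for damage probabilities of three information assets.

Added worked example (not the paper's code). Solves
    a1*x1 + a2*x2 + a3*x3 = r_as                                   (7)
in positive integers by the reduction of Section 2.2 and reproduces
Table 1 for a = (2, 3, 4), r_as = 54 (all values in %).
"""
from functools import reduce
from math import gcd


def check_conditions(a, r_as):
    """Stage 2 conditions (a)-(c): sum of damages <= r_as, d = gcd(a_j) >= 1, d | r_as."""
    d = reduce(gcd, a)
    return sum(a) <= r_as and d >= 1 and r_as % d == 0


def diophantine_family(a, r_as, y_particular, x_particular):
    """Family of positive-integer solutions of (7) obtained by the paper's reduction.

    Assumes a1 is the smallest coefficient and a3 is divisible by a1 (w2 = 0).
    y_particular = (y1', y2'): particular solution of a1*y1 + w1*y2 = r_as   (12)
    x_particular = (x1', x3'): particular solution of x1 + q3*x3 = y1' - q2*y2'  (22)
    Returns [(t, x1, x2, x3), ...] for every admissible integer t, cf. (26), (27).
    """
    a1, a2, a3 = a
    if not check_conditions(a, r_as):
        raise ValueError("conditions (a)-(c) of stage 2 are not satisfied")
    if a1 > min(a2, a3):
        raise ValueError("a1 must be the smallest coefficient")
    q2, w1 = divmod(a2, a1)  # a2 = q2*a1 + w1   (8)
    q3, w2 = divmod(a3, a1)  # a3 = q3*a1 + w2   (8)
    if w2 != 0:
        raise ValueError("the reduction as described needs w2 = 0")
    y1p, y2p = y_particular
    if a1 * y1p + w1 * y2p != r_as:  # (13)
        raise ValueError("y_particular does not solve the reduced equation (12)")
    # Substitution (10) with y2 = x2 = y2' fixed turns y1 = x1 + q2*x2 + q3*x3
    # into the two-variable equation x1 + q3*x3 = y1' - q2*y2'   (22).
    rhs = y1p - q2 * y2p
    x1p, x3p = x_particular
    if x1p + q3 * x3p != rhs:  # (23)
        raise ValueError("x_particular does not solve x1 + q3*x3 = rhs")
    # General solution (26): x1 = x1' - q3*t, x3 = x3' + t; positivity gives (27).
    t_min = 1 - x3p              # x3 = x3' + t > 0
    t_max = (x1p - 1) // q3      # x1 = x1' - q3*t > 0
    family = []
    for t in range(t_min, t_max + 1):
        x1 = x1p - q3 * t
        x3 = x3p + t
        x2, rem = divmod(r_as - a1 * x1 - a3 * x3, a2)  # x2 back-substituted into (7)
        assert rem == 0 and x2 == y2p  # by construction x2 equals the fixed y2'
        family.append((t, x1, x2, x3))
    return family


def complete_enumeration(a, r_as):
    """Exhaustive search in positive integers, the baseline of Section 3."""
    a1, a2, a3 = a
    sols = []
    for x1 in range(1, r_as // a1 + 1):
        for x2 in range(1, (r_as - a1 * x1) // a2 + 1):
            rem = r_as - a1 * x1 - a2 * x2
            if rem > 0 and rem % a3 == 0:
                sols.append((x1, x2, rem // a3))
    return sols


if __name__ == "__main__":
    # The paper's example: a = (2, 3, 4), r_as = 54, with the particular solutions
    # y' = (26, 2) of 2*y1 + y2 = 54 and x' = (10, 7) of x1 + 2*x3 = 24.
    table1 = diophantine_family((2, 3, 4), 54, (26, 2), (10, 7))
    print(" t  x1  x2  x3")
    for row in table1:
        print("%2d  %2d  %2d  %2d" % row)
    print("complete enumeration finds", len(complete_enumeration((2, 3, 4), 54)),
          "solutions of (17); the Diophantine family is the subset with x2 = 2")
```

Note that the family produced by the method is the subset of all solutions of (17) with x2 fixed at the chosen y2' = 2; other particular solutions of (21) give the other subsets.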

3. EXPERIMENTAL EVALUATION OF THE METHOD

For the example considered, the effectiveness of the proposed method relative to complete enumeration has been evaluated by the number of multiplications/divisions and additions/subtractions, using the coefficients (Table 2)

$$h_u = \frac{K_{pu} - K_{du}}{K_{pu}} \cdot 100\%, \quad h_s = \frac{K_{ps} - K_{ds}}{K_{ps}} \cdot 100\%,$$

where $h_u$ and $h_s$ are the efficiency coefficients of the proposed method by the number of multiplications/divisions and additions/subtractions; $K_{du}$ and $K_{pu}$ are the numbers of multiplications/divisions for the Diophantine method and for complete enumeration; $K_{ds}$ and $K_{ps}$ are the numbers of additions/subtractions for the Diophantine method and for complete enumeration.

Table 2. Results of evaluating the effectiveness of the Diophantine method

 r_as   Diophantine method      Complete enumeration      h_u, %   h_s, %
        K_du     K_ds           K_pu        K_ps
  18        83      132             165         165       49,69    20,00
  36       269     1042            3470        3470       92,24    69,97
  54       650     4286           15560       15560       95,82    72,45
 129      3431    61774          272011      272011       98,73    77,28
 183      6803   177182          800890      800890       99,15    77,87
 237     11327   385902         1365388     1365388       99,17    78,23
 291     17003   715582         3355675     3355675       99,49    78,67
 345     23831  1193870         5686204     5686204       99,58    79,00
 399     31811  1848414         8746061     8746061       99,63    78,86
 453     40943  2706862        13033386    13033386       99,68    79,23
 507     51227  3796862        18276127    18276127       99,71    79,22
 561     62663  5146062        24943621    24943621       99,74    79,37

The number of operations was counted using prototype programs written for the Diophantine and exhaustive-search methods (Figures 3 and 4).

Fig. 3, Fig. 4. Screenshots 1 and 2: searching the probabilities by complete enumeration and by the Diophantine method.

A graphical representation of the results of evaluating the effectiveness of the Diophantine method relative to complete enumeration for different values of acceptable risk is shown in Figure 5.

Fig. 5. Dependence of the efficiency of the Diophantine method relative to complete enumeration.

CONCLUSIONS

Thus, in this work a new method has been developed for determining the probability of occurrence of damage for boundary risks of information security, based on a linear inhomogeneous Diophantine equation in positive integers. To reduce the complete enumeration of the solution set of the equation, additional constraints are used that allow the number of multiplications/divisions and additions/subtractions to be reduced. This is evidenced by the results of evaluating the effectiveness of the proposed method for the example considered. Ultimately, by adjusting the allowable values of the damage and the acceptable level of risk, the Diophantine method makes it possible to obtain guaranteed solutions as a model of risk assessment in the face of uncertainty. This enables decision making on the need to treat the risks in the information security management system. The restrictions applied, which are necessary to achieve solvability and are used in the process of solving the Diophantine equation, make it possible to avoid solving search problems and to obtain a finite number of estimates of the probabilities.

REFERENCES

[1] Bezshtanko V. M. Determining an Acceptable Level of Risk for the Organization's Information Assets / V. M. Bezshtanko // Collection of Scientific Papers of Pukhov Institute for Modeling in Energy Engineering, National Academy of Sciences of Ukraine. – K.: Pukhov Institute for Modeling in Energy Engineering, National Academy of Sciences of Ukraine, 2013. – Issue 67. – P. 15–19.

[2] Bezshtanko V. M. Analysis of the Conditions of the Solvability of the Positive Inhomogeneous Diophantine Equation for Modeling Information Security Risks / V. M. Bezshtanko // Simulations and IT. – K.: Pukhov Institute for Modeling in Energy Engineering, National Academy of Sciences of Ukraine, 2012. – Issue 66. – P. 92–96.

[3] Bezshtanko V. M. Analysis of the Methods of Solutions of Inhomogeneous Positive Diophantine Equations in the Context of Risk Modeling / V. M. Bezshtanko // Information Technology and Security. Institute of Special Communication and Information Security, National Technical University of Ukraine "Kyiv Polytechnic Institute". – 2012. – Issue 2. – P. 96–106.

[4] Vishnyakov Y. D. General Theory of Risks: Manual for the Students at Higher Education Institutions / Y. D. Vishnyakov, N. N. Radaev. – M.: Publishing Center "The Academy", 2007. – 368 p.

[5] Kachynskiy A. B. Security of Threats and Risk: Scientific Concepts and Mathematical Models / A. B. Kachynskiy. – K., 2003. – 472 p.

[6] Kolesnikov P. S. Number Theory [electronic resource] / P. S. Kolesnikov. – Access mode: http://math.nsc.ru/LBRT/a1/pavelsk/Num_Theory.pdf. – Date of access: January 2015. – The screen title.

[7] Methods of Protection in Banking. Information Security Management System. Requirements: (ISO/IEC 27002:2005, MOD): N Bank JMA 65.1 ISMS 2.0:2010. – Valid from 2010-10-28. – Kyiv: National Bank of Ukraine, 2010. – 195 p. – (Organization standard of Ukraine).

[8] Methods of Protection in Banking. Code of Rules for Information Security Management: (ISO/IEC 27002:2005, MOD): N Bank JMA 65.1 ISMS 2.0:2010. – Valid from 2010-10-28. – Kyiv: National Bank of Ukraine, 2010. – 195 p. – (Organization standard of Ukraine).

[9] The Methods and Means to Ensure Security. Information Security Risk Management [electronic resource]: (ISO/IEC 27005:2008, IDT): GOST R ISO/IEC 27005-2010. – Valid from 2010-11-30. – Moscow: Standartinform, 2011. – Access mode: http://docs.cntd.ru/document/1200084141. – Date of access: January 2015. – The screen title.

[10] Mokhor V. Building a Risk Assessment of Information Security Based on a Dynamic Set of Actual Threats / V. Mokhor, A. Bogdanov, O. Cruk, V. Tsurkan // Collection of Scientific Papers of Pukhov Institute for Modeling in Energetics, National Academy of Sciences of Ukraine. – K.: Pukhov Institute for Modeling in Energy Engineering, National Academy of Sciences of Ukraine, 2010. – Issue 56. – P. 87–99.

CYBERWAR - MYTH OR REALITY

Mircea TONCEANU

INTRODUCTION

This paper's aim is to analyze the concept of war from a philosophical and theoretical point of view and then to compare it with the relatively recently arrived term of cyber war, in order to find out whether the latter meets all the necessary prerequisites to qualify under a widely accepted definition of war. The fundamental idea behind all the logic I base my paper on is that it is not the concept of war that should ultimately be taken into consideration, but the concept of conflict. One party has an interest that is opposed to the other party's interest. The former may enforce its interest by means of negotiations, political actions, economic strategy, manipulation, corruption or war. There might be other means not counted here. If all "peaceful" means fail, then the first party will start a war against the second party, which differs clearly from the previous means by its nature: a destructive and offensive attack meant to destroy or deplete the opponent's resources until it accepts the first party's conditions or interests. The question is whether cyber war should be added to the "peaceful" part of that list, whether it is included in the concept of war, or whether it is a new means of destructive and offensive attack capable of defeating an enemy just as a conventional war does. One thing we know for sure: cyber war is offensive and destructive, but it is still not very clear to what extent, and how big the impact of a cyber attack is at the state level. This paper will try to clarify this issue by looking at some theoretical works and at examples of well-known cyber attacks in history.

I. THEORETICAL BACKGROUND

I.1. Classical war

The most accepted definition of war is the one offered by Carl von Clausewitz in his book "On War", written in 1832. A war has to have three main elements. Any aggressive or defensive action that aspires to be a stand-alone act of war, or may be interpreted as such, has to meet all three criteria. The first element is the violent character of war. "War is an act of force to compel the enemy to do our will", wrote Carl von Clausewitz. If an act is not potentially violent, it is not an act of war. A real act of war is always potentially or actually lethal, at least for some participants on at least one side. Both parties would attempt to escalate violence to the extreme if any other peaceful means fail.

The second element highlighted by Clausewitz is war's instrumental character. An act of war is always instrumental. To be instrumental, there has to be a means and an end. Physical violence or the threat of force is the means. The end is to force the enemy to accept the offender's will. To achieve the end of war, one opponent has to be rendered defenseless. The instrumental use of means takes place on the tactical, operational, strategic and political levels. The higher the order of the desired goal, the more difficult it is to achieve. As Clausewitz said: "The purpose is a political intention, the means is war; never can the means be understood without the purpose". This leads to the third main element of war. The third element that Clausewitz identified is war's political nature. An act of war is always political. The objective of battle, to "throw" the enemy and to make him defenseless, may temporarily blind commanders and even strategists to the larger purpose of war. War is never an isolated act. War is never only one decision. In the real world, war's larger purpose is always a political purpose. It transcends the use of force. This insight was captured by Clausewitz's most famous phrase, "War is a mere continuation of politics by other means." To be political, a political entity or a representative of a political entity, whatever its constitutional form, has to have an intention, a will. That intention has to be articulated. And one side's will has to be transmitted to the adversary at some point during the confrontation (it does not have to be publicly communicated). Any violent act and its larger political intention also have to be attributed to one side at some point during the confrontation. History does not know acts of war without eventual attribution. Seen from a military point of view, a war will more than probably lead to mass disruption of life and much physical damage. The parties to the war will always be clearly defined, and one of them must be defeated by exhausting its resources or options to defend itself. The beginning and the end of the war are both relatively clearly defined.

I.2. Cyber war

A definition of cyber war is not easy. I will start with a simple definition of cyber or cyberspace. Cyberspace is the environment in which digitized information is communicated over computer networks. It consists of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. Within cyberspace, electronics and the electromagnetic spectrum are used to store, modify and exchange data via networked systems.

A cyber war would mean the use of cyberspace to disrupt the activities of a state or organization, especially the deliberate attacking of communication systems by another state or organization. The determining elements of when an attack in cyberspace becomes an act of war are directness and measurability. There must be some direct and intended link between cause and effect. If the cause is the conflict, it is not always clear what the intended effect of the aggressor is; or, vice versa, the desired effect may not lead to a capitulation of the victim, which eludes the win/lose character of a classical war. A cyber attack is offensive and potentially destructive, but it is not violent. The beginning of the attack is mostly unknown to the victim.

II. CYBER WARFARE

In this chapter an anatomy of a cyber attack will be attempted by looking at the main components an attack consists of. I will look at what or who the targets are, what the weapons are and who the warriors are.

II. 1 The targets

Two kinds of targets can be distinguished in a cyber attack: military targets and civilian ones. Both of them need to represent some critical infrastructure in order for the attack to be effective. In the military, today's critical infrastructure networks are key targets for cyber attack because they have grown to the point where they run the command and control systems, manage the logistics, enable staff planning and operations, and are the backbone of the intelligence capabilities. More importantly, today most command and control systems, as well as the weapon systems themselves, are connected to the Global Information Grid (GIG) or have embedded computer chips. Airplanes have become flying routers, receiving and sending targeting information constantly. Air defense and artillery are guided by computer systems, and they shoot smart munitions that adjust their flight based on Global Positioning System (GPS) updates to guide themselves to the target. The Intelligence, Surveillance and Reconnaissance (ISR) systems gather so much information that the challenge is sifting through it to find the critical data. Today's infantry squad has communication gear, GPS, tracking devices, cameras and night vision devices. The computer chip is ubiquitous and has become the core of many weapon systems. It is both a strength and could be turned into a weakness if taken away. The loss of GPS satellites would take away many of our advantages on the battlefield. In the civilian field we can find even more critical infrastructures that are susceptible to attack. In many developed countries the following areas are critical to national health and to a large extent are dependent on the Internet: Agriculture and Food; Banking and Finance; Chemical; Commercial Facilities; Communications; Critical Manufacturing; Department of Defense; Dams; Defense Industrial Base; Emergency Services; Energy; Government Facilities; Healthcare and Public Health; Information Technology; National Monuments and Icons; Nuclear Reactors, Materials and Waste; Postal and Shipping; and Transportation Systems and Water.

II.2 The weapons

The weapons of cyber warfare are nothing more than a set of tools used to conduct reconnaissance, scout out the networks and systems of the opponent, and attack the targets found to be vulnerable. Although the size and complexity of each country's tool arsenal may vary a great deal, tools can be classified by their purpose. The following categories, with a few example tools, are given for illustration only.

Reconnaissance tools These are tools generally used in the initial phase to collect data about the systems or networks to be attacked. They may consist of public services or simple methods (websites, search engines, DNS, document metadata, whois, etc.) or of more powerful tools such as penetration-testing kits or dedicated programs (Metagoofil, Exiftool, strings, Maltego, etc.).

Scanning tools Scanning tools are the kind of programs that gather more information about a system already identified as target. They could range from ping testers to port scanners, banner grabbers, etc. Some examples are Nmap and Nessus but the Internet is full of other free or commercial toolkits.

Access and escalation tools These tools are used to gain access to computers and to escalate privileges once access to the system has been obtained. There is a vast variety of tools, free or not; among the best known are Hydra, John the Ripper and Metasploit, which are available for free, and Canvas, which is a commercial product.

Exfiltration tools Exfiltration methods are used to carry data out of the penetrated system. They range from physically transporting the data to using protocols that are not filtered at the perimeter (HTTP, DHCP, DNS tunnelling with OzymanDNS) or to hiding the data by encryption or steganography.

Sustainment tools After the attacker has reached the desired level of access on a computer, good practice is to modify the system in such a way that access is assured the next time the computer is needed. The easiest way to do this is to create a user with the necessary rights, but there are other methods less detectable by administrators, such as installing backdoors. Netcat is a well-known program that can be used to install programs or to regain access to the attacked computer through a backdoor.

Assault tools The tools that can be used to assault a compromised machine are many and varied. They range from simple changes to configurations or environment variables on a system to purpose-built botnets that can conduct a concentrated Denial of Service (DoS) attack on a given system or environment. Such tools of destruction can generally be categorized into those that target software and those that target hardware.

Obfuscation tools Obfuscation is needed for the attacker to cover his tracks after penetration. In general, there are three main tasks the attacker is concerned with here: obscuring the attacker's location, manipulating logs, and manipulating files.

II.3 The warriors

Since the concept of cyber war itself is very obscure and controversial nowadays, defining the meaning of cyber warrior seems very challenging. Because the cyber domain has developed so recently, today's warriors are not well prepared, or have not benefited from a proper initial education. In the future, as cyber conflicts become more prevalent and more specifically trained personnel are required, armed forces will need to recruit appropriate people and teach them a more focused set of skills. People who work closely with information security, or in the cyber war field, tend to be well educated and trained. Outside of lower-level jobs, entry into positions in these fields is not always easy and tends to be rather competitive. Such people are well educated from the beginning, undergo continual rounds of training, attend conferences and seminars, and generally try to keep their skills as current and sharp as possible. The experience and skills held by those in cyber operations can be wide and varied, but often map well onto several of the general information security and computing fields. Those skills can be categorized as reconnaissance, offensive, and defensive skills.

Reconnaissance skills Reconnaissance skills such as network traffic sniffing, packet analysis, network and system mapping, forensics, and other such capabilities allow one to examine the infrastructure, systems, traffic, and often data of the enemy. Such skills are commonly used in the troubleshooting of systems, applications, and networks, although usually with a slightly different focus. People with such experience can be found in system administration, development, network engineering, and security roles.

Offensive skills Offensive skills are more specific and focused in the direction of attack, and therefore overlap less with non-security fields, although they still do to some extent. The set of skills found in hackers and penetration testers maps across almost directly, although with a slightly different focus and different rules of engagement. The skills of fields such as network engineering and development can also be of use here, by changing the goal from keeping infrastructure, systems, and applications running to taking them down.

Defensive skills Defensive skills are already prevalent in the IT field in general, although generally not with the sole focus of withstanding a concentrated cyber attack from a determined enemy with the resources of a nation state to back them. These standard skills are found in system administration, penetration testing, network engineering, and many other common areas. Although they are skills found in most IT departments, it is less likely to find individuals that have the particular focus of defending against a large scale attack, outside of a few major providers or hosting services that have been through such trials already.

The physical condition The physical condition of dedicated cyber warfare forces, security professionals, and those who work with computers for a living tends, in general, to be very different from that of the members of the militaries and other fighting forces in most countries. While good physical fitness, granting the ability to move quickly over long distances, engage in physical combat with enemy forces, and perform other such strenuous activities, may be very valuable in traditional combat, this is not necessarily the case when conducting cyber warfare.

III HISTORICAL OVERVIEW

In this chapter I am going to present some well-known cyber attacks from history, in order to identify the characteristics that would qualify them as an act of war between state actors.

III.1 1982 Siberian pipeline explosion One of the most violent cyber attacks ever reported is the Siberian pipeline explosion. In 1982, an American covert operation allegedly used rigged software to cause a massive explosion in Russia's Urengoy–Surgut–Chelyabinsk pipeline, which connected the Urengoy gas fields in Siberia across Kazakhstan, then Russia, to European markets. The CIA is said to have succeeded in inserting malicious code into the control system that ended up being installed in Siberia. The code that controlled pumps, turbines, and valves was programmed to produce pressures far beyond those acceptable to the pipeline, and in June 1982 an explosion followed that could reportedly be seen from space. The account rests on a single memoir and has been disputed; the Soviet authorities denied that the explosion took place, and nothing is known about possible victims or other damage. The cyber attack therefore does not meet the prerequisites of an act of war.

III.2 Estonia 2007 Another example often cited as cyber war is the attack on Estonia that began in late April 2007. Estonia at the time was one of the world's most connected nations: two thirds of all Estonians used the Internet and 95 percent of banking transactions were done electronically. The country was vulnerable to cyber attacks. The attacks started in the late hours of Friday 27 April. Initially the attackers used rather inept, low-technology methods, such as ping floods and simple denial of service attacks. Then the attacks became slightly more sophisticated. Starting on 30 April, simple botnets were used to increase the volume of distributed denial of service (DDoS) attacks, and the timing of these collective attacks was increasingly coordinated. Estonia experienced what was then the worst-ever DDoS. The attacks came from an extremely large number of hijacked computers, up to 85,000, and went on for an unusually long time, three weeks, until 19 May. They reached a peak on 9 May, when Moscow celebrates Victory Day: fifty-eight Estonian websites were down at once, and the online services of Estonia's largest bank, then known as Hansapank, were unavailable for 90 minutes on 9 May and for two hours a day later. The effect of these coordinated online protests on business, government, and society was noticeable, but ultimately it remained minor. No country or entity claimed responsibility for the attack.

III.3 Georgia 2008 Ten days before Russia attacked Georgia on 8 August 2008, Georgia became the target of a powerful cyber attack that started slowly on 29 July 2008. This cyber attack was synchronized with a military action. It comprised denial of service attacks on public sites, banks and governmental institutions, together with the distribution of malicious software. Individual attacks lasted between two and six hours. The effects were small: the attack had little effect beyond making a number of Georgian government websites temporarily inaccessible, and it was only minimally instrumental. Its main damage was in limiting the government's ability to communicate internationally and to make the small country's voice heard at a critical moment. Russia denied any involvement in the attack.

III.4 Syria 2007 One of the most spectacular examples of a combined strike is Operation 'Orchard', Israel's bombing raid on a nuclear reactor site at Dayr ez-Zor in northern Syria on 6 September 2007. It appears that the Israeli Air Force prepared for the main attack by taking out a single Syrian radar site at Tall al-Abuad, close to the Turkish border. The Israeli attackers combined electronic warfare with precision strikes. The Syrian electrical grid was not affected. Syria's air-defense system, one of the most capable in the world, went blind and failed to detect an entire Israeli squadron of F-15I and F-16I warplanes entering Syrian airspace, raiding the site, and leaving again. The cyber work of the operation was probably done by Unit 8200, the largest unit in the Israel Defense Forces (IDF) and Israel's equivalent of the NSA. The technicians may have used a so-called 'kill switch' embedded in the air-defense system by a contractor to render it useless. The details of the operation remain highly classified. But one thing can already be highlighted: the cyber element of Operation 'Orchard' was probably critical to the success of the Israeli raid, and although the cyber attack did not physically destroy anything in its own right, it should be seen as an integrated part of a larger military operation. Although the cyber attack on its own, without the military component, would not have constituted an act of war, it was nevertheless an enabler for a successful military attack. That was different in another, even more spectacular recent incident.

III.5 Stuxnet 2007-2010 Stuxnet was by far the most sophisticated cyber attack known to date. It was a highly directed attack against specific targets. The worm was an act of cyber-enabled stand-alone sabotage, not connected to a conventional military operation. Stuxnet was what the security industry calls an Advanced Persistent Threat (APT). Operation 'Myrtus', as Stuxnet may have been called by its creators, was a multi-year campaign. The program probably started in late 2007 or early 2008. It is likely that the main attack was executed between June 2009 and June 2010, when Information Technology (IT) security companies first publicly mentioned the worm. The infection most likely happened through a removable drive, such as a USB stick. Stuxnet was set up to cause industrial processes to malfunction, physically damaging rotors, turbines, and centrifuges. The attack's goal was to damage the centrifuges slowly, thus deceiving the plant's operators. The resources and investment that went into Stuxnet could only be mustered by a 'cyber superpower', argued Ralph Langner, a German control system security consultant and one of the first to extract and decompile the attack code. One possibility is that Israel engineered the threat with American support. It starts with intelligence: each control system is a unique configuration, so the attackers needed superb information about the specific system's schematics. For the time being it remains unclear how successful the Stuxnet attack against Iran's nuclear program actually was. But it is clear that the operation has taken computer sabotage to an entirely new level.

III.6 Sony attack 2014 The computer networks of Sony Pictures were hacked, with personal medical information about employees, financial information, emails, and thousands of other documents lifted and made public. The U.S. suspected North Korea was behind the breach, in retaliation for the upcoming release by Sony of an outlandish comedy, The Interview, about a CIA plot to assassinate North Korean leader Kim Jong-un. In December, Sony employees received threatening messages on their computers warning that "the world will be full of fear" if the film was released. "Remember the 11th of September 2001," one message said. Sony decided to cancel the release of the film. On 19 December, the FBI formally accused North Korea of launching the attack, saying it had significant evidence linking the government to the breach.

CONCLUSION

Drawing a definite conclusion on such a sensitive subject as cyber war is a risky approach. The field is on a steep growth curve and what is true today might be obsolete tomorrow, maybe within a horizon of less than one year or even several months. As technology develops, the techniques and methods of attack develop also, and in many cases the technology is left behind by the progress of the hacking tools, meaning that some unaddressed vulnerabilities will always be the target of the most skilled attackers. But the question still remains: would a cyber attack be capable of winning a war? My opinion is that we are still not there. Cyber attacks are effective means to support military operations, meaning that the acquisition of data or the weakening of the enemy's information systems could be a tremendous benefit in saving soldiers' lives and reducing the cost of winning the battle. Of the examples I have presented in the previous chapter, there is not one that could even get close to the concept I was trying to analyze, so, as I mentioned in the introductory chapter of my paper, I believe that the place of cyber war is inside the broader concept of war, as Clausewitz has defined it. Cyber war is nothing else than another dimension added to war, a new battlefield alongside land, naval, air and space. Of course this battlefield is a digital one, so new skills of the new soldiers have to be developed, as I mentioned in the chapter dedicated to cyber warriors. The issue must be kept open in my opinion, because it is feasible that in the not so distant future state entities will totally depend on information technology, and breaking it down would lead to the capitulation of a state for the simple reason that it would not be able to use its own resources even if they are physically available.


REFERENCES

1. Carl von Clausewitz, On War, http://www.gutenberg.org/files/1946/1946-h/1946-h.htm
2. Jason Andress and Steve Winterfeld, Cyber Warfare, Syngress, 2011
3. Thomas Rid, "Cyber War Will Not Take Place", Journal of Strategic Studies
4. P. W. Singer and Allan Friedman, Cybersecurity and Cyberwar, Oxford University Press, 2014


HANDLING DESTRUCTIVE MALWARE

Denis-Nicolae FLORESCU

OVERVIEW

In the middle of December 2014 the National Cyber Awareness System of US-CERT (the United States Computer Emergency Readiness Team) released an alert about a Targeted Destructive Malware (TA14-353A): a Server Message Block (SMB) Worm Tool that conducted cyber exploitation activities targeting a major entertainment company. This SMB Worm Tool was equipped with five components: a Listening Implant, a Lightweight Backdoor, a Proxy Tool, a Destructive Hard Drive Tool, and a Destructive Target Cleaning Tool.

Of course, as in every such advisory, organizations were advised to increase their vigilance and to evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.

In Alert TA14-353A, US-CERT gave a general overview of this worm, described all the capabilities it uses to do damage on infected computers, listed file hashes for each of its components as indicators of compromise, and explained the mechanism it uses to infect a machine.

In assessing the impact of an infection with this worm, US-CERT considered that, due to the highly destructive functionality of the malware, an infected organization could experience operational impacts including loss of intellectual property and disruption of critical systems.

US-CERT recommended that organizations review their strategies and policies in accordance with the Security Tip "Handling Destructive Malware" (ST13-003, released on 4 November 2013).


I. POTENTIAL DISTRIBUTION VECTORS

Malicious software spreads through popular communication channels: worms (through email and instant messages), Trojan horses dropped from websites, and downloaded virus-infected files. The malware will try to exploit vulnerabilities on systems to ensure an undetected and quiet entry, and it can target a large range of systems. Organizations should carry out at least one assessment of the enterprise environment to discover the atypical channels through which malware could be delivered and/or propagated throughout the network. The assessment should focus on applications that can interface directly with hosts, such as:
- patch management systems;
- asset management systems;
- remote assistance software;
- systems assigned to administrative personnel;
- centralized backup servers;
- centralized file shares.
Threat actors could also compromise additional resources to impact the availability of critical data and applications, such as:
- centralized storage devices, which give direct access to partitions and data warehouses;
- network devices, where the capability to inject false routes into the routing table, delete specific routes from it, or remove/modify configuration attributes could isolate or degrade the availability of critical network resources.


II. BEST PRACTICES AND PLANNING STRATEGIES

Common strategies can be followed to fight destructive malware. US-CERT recommended that organizations take a set of measures to mitigate the possibility of getting infected. Network administrators should take preventive measures inside the organization, looking for weaknesses in:
- the communication flow;
- access control;
- monitoring;
- file distribution;
- system and application stability.

Communication Flow:
- Ensure proper network segmentation.
- Ensure that network-based access-control lists (ACLs) are configured to permit server-to-host and host-to-host connectivity via the minimum scope of ports and protocols, and that directional flows for connectivity are represented appropriately. Communication flow paths should be fully defined, documented, and authorized.
- Ensure that the centralized enterprise systems identified in the assessment (patch and asset management, backup servers, file shares) are contained within restrictive VLANs, with additional segmentation and network access controls.
- Ensure that the management interfaces of centralized network and storage devices reside on restrictive VLANs.

Access Control:
- Require two-factor authentication for interactive logons.
- Ensure that authorized users are mapped to a specific subset of enterprise personnel.
- Ensure that unique domain accounts are used and documented for each enterprise application service.
- Service accounts should be explicitly denied permission to access network shares and critical data locations.
- Accounts used to authenticate to centralized enterprise application servers or devices should not hold elevated permissions on downstream systems and resources throughout the enterprise.


- Review centralized file share access-control lists and assigned permissions; restrict Write/Modify/Full Control permissions when possible.

Monitoring:
- Audit and review security logs for anomalous references to enterprise-level administrative (privileged) and service accounts (failed logon attempts, file share access, and interactive logons via a remote session).
- Review network flow data for signs of anomalous activity.
- Ensure that network devices log and audit all configuration changes.

File Distribution:
- When deploying patches or AV signatures throughout an enterprise, stage the distributions to a specific grouping of systems (staggered over a pre-defined time period).
- Monitor and assess the integrity of patches and AV signatures that are distributed throughout the enterprise:
  o ensure updates are received only from trusted sources,
  o perform file and data integrity checks, and
  o monitor and audit the data that is distributed from an enterprise application.

System and Application Stability:
- Ensure that the operating system (OS) and the dependencies supporting an application are configured and hardened based upon standard best-practice recommendations.
- Implement application-level security controls based upon best-practice guidance provided by the vendor. Common recommendations include:
  o use role-based access control,
  o prevent end users from bypassing application-level security controls (for example, disabling antivirus on a local workstation),
  o disable unnecessary or unused features or packages, and
  o implement robust application logging and auditing.
- Thoroughly test and implement vendor patches in a timely manner.

In the event that an organization observes a large-scale outbreak that may be reflective of a destructive malware attack, in accordance with incident response best practices the immediate focus should be to contain the outbreak and reduce the number of additional systems that could be impacted. Strategies for containment include:


- Determining a vector common to all systems experiencing anomalous behaviour (or having been rendered unavailable) from which a malicious payload could have been delivered:
  o centralized enterprise application,
  o centralized file share (to which the identified systems were mapped or had access),
  o privileged user account common to the identified systems,
  o network segment or boundary, and
  o common DNS server for name resolution.
- Based upon the determination of a likely distribution vector, enforcing additional mitigation controls to further minimize impact:
  o implement network-based access-control lists to deny the identified application(s) the capability to communicate directly with additional systems (this provides an immediate capability to isolate and sandbox specific systems or resources),
  o implement null network routes for the specific IP addresses (or IP ranges) from which the payload may be distributed (the organization's internal DNS can also be leveraged for this task, as a null pointer record can be added within a DNS zone for an identified server or application),
  o readily disable access for suspected user or service account(s), and
  o for suspect file shares (which may be hosting the infection vector), remove access or disable the share path from being accessed by additional systems.

As related to incident response and incident handling, organizations are reminded to:
- report the incident to the national CERT for tracking and correlation purposes, and
- preserve forensic data for use in the internal investigation of the incident or for possible law enforcement purposes.

Tactical Mitigations:
- Implement the indicators of compromise within systems for detection and mitigation purposes.
- Encourage users to transfer critical files to network shares, to allow for central backup.
- Execute daily backups of all critical systems.
- Periodically execute an "offline" backup of critical files to removable media (a wiper that spreads through network shares can reach centrally stored files too, so the offline copy is the one that survives).
- Establish emergency communications plans.
- Isolate any critical networks.


- Ensure antivirus is up to date.
- Disable credential caching for all desktop devices, with particular attention to critical systems. This can be accomplished through a Group Policy Object (GPO).
- Disable AutoRun and AutoPlay for any removable media device.
- Prevent or limit the use of removable media devices on systems, to limit the spread or introduction of malicious software and possible data exfiltration.
- Restrict account privileges.
- Ensure that password policy rules are enforced and that administrator password values are changed periodically.
- Monitor logs: maintain and actively monitor a centralized logging solution that keeps track of all anomalous and potentially malicious activity.
- Ensure that all network operating systems, web browsers, and other related network hardware and software remain updated with all current patches and fixes.

Strategic Mitigations:
- Organizations should review Security Tips and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.
- Always keep patch levels up to date, especially on computers that host public services accessible through the Internet, such as HTTP, FTP, mail, and DNS services.
- Build host systems, especially critical systems such as servers, with only the essential applications and components required to perform the intended function.
- Implement network segmentation through VLANs to limit the spread of malware.
- Consider deploying a Software Restriction Policy set to only allow the execution of approved software.
- Consider the use of two-factor authentication methods for accessing privileged (root-level) accounts or systems.
- Deny direct Internet access, except through the use of proxies, for enterprise servers and workstations.
- Isolate network services, such as email and web application servers, by utilizing a secure multi-tenant virtualization technology.
- Implement best-practice guidance and policy to restrict the use of non-organizational assets for processing or accessing organization-controlled data or systems (e.g., working from home, or using a personal device while at the office).
- Place control system networks behind firewalls.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that a VPN is only as secure as the devices connected to it.
- Perform proper impact analysis and risk assessment prior to taking defensive measures.

III. RECOVERY AND RECONSTITUTION PLANNING

A Business Impact Analysis (BIA) is a key component of contingency planning and preparation. The overall output of a BIA will provide an organization with two key components (as related to critical mission/business operations):
- characterization and classification of system components, and
- interdependencies.

Based upon the identification of an organization’s mission critical assets (and their associated interdependencies), in the event that an organization is impacted by a potentially destructive condition, recovery and reconstitution efforts should be considered.

To plan for this scenario, an organization should address the availability and accessibility for the following resources (and should include the scope of these items within Incident Response exercises and scenarios):

- Comprehensive inventory of all mission-critical systems and applications:
  o versioning information,
  o system/application dependencies,
  o system partitioning/storage configuration and connectivity, and
  o asset owners/points of contact.
- Contact information for all essential personnel within the organization.
- Secure communications channel for recovery teams.
- Contact information for external organizational-dependent resources:
  o communication providers,
  o vendors (hardware/software), and
  o outreach partners/external stakeholders.
- Service contract numbers, for engaging vendor support.
- Organizational procurement points of contact.
- ISO/image files for baseline restoration of critical systems and applications:
  o operating system installation media,
  o service packs/patches,
  o firmware, and
  o application software installation packages.
- Licensing/activation keys for operating systems (OS) and dependent applications.
- Enterprise network topology and architecture diagrams.
- System and application documentation.
- Hard copies of operational checklists and playbooks.
- System and application configuration backup files.
- Data backup files (full/differential).
- System and application security baseline and hardening checklists/guidelines.
- System and application integrity test and acceptance checklists.

IV. EXAMPLE: ALERT (TA14-353A) Targeted Destructive Malware

US-CERT was notified about cyber threat actors using a Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities targeting some companies. This SMB Worm Tool was equipped with a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool.

SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main threads:

- the first thread calls home and sends back logs (a list of successful SMB exploitations),

- the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host.

Listening Implant: During installation of this tool, a portion of the binaries is decrypted using AES (Advanced Encryption Standard), with a key derived from the phrase "National Football League." The implant listens for connections on TCP port 195 (for "sensvc.exe" and "msensvc.exe") and TCP port 444 (for "netcfg.dll"). Each message sent to and from this implant is preceded with its length, then XOR encoded with the byte 0x1F. Upon initial connection, the victim sends the string "HTTP/1.1 GET /dns?\x00" (a malformed, HTTP-looking string). The controller then responds with the string "200 www.yahoo.com!\x00" (for "sensvc.exe" and "msensvc.exe") or with the string "RESPONSE 200 OK!!" (for "netcfg.dll"). The controller sends the single byte "!" (0x21) to end the network connection; this special message is neither preceded with a length nor XOR encoded.

Lightweight Backdoor: This is a backdoor listener designed as a service DLL. It includes functionality such as file transfer, system survey, process manipulation, file-time matching and proxying. The listener can also perform arbitrary code execution and execute commands on the command line. This tool includes functionality to open ports in a victim host's firewall and to take advantage of Universal Plug and Play (UPnP) mechanisms to discover routers and gateway devices and add port mappings, allowing inbound connections to victim hosts on Network Address Translated (NAT) private networks. There are no callback domains associated with this malware, since connections are inbound only, on a specified port number.

Proxy Tool: Implants in this malware family are typically loaded via a dropper installed as a service and then configured to listen on TCP port 443. The implant may have an associated configuration file, which can specify a different port. This proxy tool has basic backdoor functionality, including the ability to fingerprint the victim machine, run remote commands, perform directory listings, perform process listings and transfer files.

Destructive Hard Drive Tool: This is a tailored hard-drive wiping tool intended to destroy data past the point of recovery and to complicate the victim machine's recovery. If the CNE (computer network exploitation) operator has administrator-level privileges on the host, the program overwrites portions of up to the first four physical drives attached and overwrites the master boot record (MBR) with a program designed to cause further damage when the machine is rebooted. The result is a non-operational victim machine with irrecoverable data. (There is a caveat for machines running Windows 7: they continue to operate in a degraded state, with the targeted files destroyed, until the next reboot, at which point the infected MBR wipes the drive.) If the actor has only user-level access, specific files are deleted and are practically irrecoverable, but the victim machine remains usable.

Destructive Target Cleaning Tool: This tool renders victim machines inoperable by overwriting the Master Boot Record. It is dropped and installed by another executable and consists of three parts: an executable and a DLL, which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.


Network Propagation Wiper: The malware has the ability to propagate throughout the target network via built-in Windows shares. Based on the username/password provided in its configuration file and the hostname/IP address of target systems, the malware accesses remote network shares in order to upload a copy of the wiper and begin the wiping process on those remote systems. It uses several methods to reach shares on the remote systems: it checks for existing shares via “\\hostname\admin$\system32” and “\\hostname\shared$\system32”, or creates a new share with “cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone,FULL”. Once a share is available, the malware uploads a copy of the wiper file “taskhostXX.exe”, changes its file time to match that of the built-in file “calc.exe”, and starts the remote process via the command “cmd.exe /c wmic.exe /node:hostname /user:username /password:pass PROCESS CALL CREATE”, where hostname, username and password are taken from the configuration file. Afterwards the remote network share is removed via “cmd.exe /q /c net share shared$ /delete”. Once the wiper has been uploaded, the malware reports its status back to one of four C2 IP addresses.
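The propagation chain above leaves a distinctive trail in process-creation and file-write telemetry, and each stage is cheap to match. The following detection logic is an added example, not code from the paper or the alert: it runs the four stage patterns over constructed sample log lines and raises only when a single host shows more than one stage, because a lone "net share" or WMIC call is noisy on its own. The log field names (host=, user=, cmd=, file_write=) are assumptions rather than any product's schema, and the two trailing characters in the taskhostXX.exe pattern follow the alert's placeholder.

```python
"""Detection logic for the Network Propagation Wiper's lateral-movement chain.

Added example, not from the paper or the alert. The log lines are constructed;
their field names are assumptions, not a real product's schema.
"""
import re
from typing import Dict, List, Tuple

# One pattern per stage of the chain described in the text, in execution order.
STAGES: List[Tuple[str, "re.Pattern"]] = [
    # Exporting %SystemRoot% to Everyone with FULL rights is never legitimate.
    ("share_created_on_systemroot",
     re.compile(r"net\s+share\s+\S+=%SystemRoot%.*?/GRANT:everyone,\s*FULL", re.I)),
    # Remote process creation with credentials passed on the command line.
    ("wmic_remote_process_create_with_creds",
     re.compile(r"wmic(\.exe)?\s+/node:\S+\s+/user:\S+\s+/password:\S+\s+process\s+call\s+create", re.I)),
    # The dropped copy: taskhostXX.exe written under a remote admin$ or shared$ share.
    # The two trailing characters are assumed from the alert's "XX" placeholder.
    ("wiper_copied_to_remote_share",
     re.compile(r"\\\\[^\\\s]+\\(admin|shared)\$\\system32\\taskhost\w{2}\.exe", re.I)),
    # Clean-up of the share the wiper created.
    ("share_removed",
     re.compile(r"net\s+share\s+shared\$\s+/delete", re.I)),
]

# Constructed sample telemetry: four lines from an infected file server, two benign.
SAMPLE_LOG = [
    r'host=FS01 user=SYSTEM cmd="cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone,FULL"',
    r'host=FS01 user=SYSTEM file_write="\\WS-22\admin$\system32\taskhost12.exe"',
    r'host=FS01 user=SYSTEM cmd="cmd.exe /c wmic.exe /node:WS-22 /user:CORP\svc_backup /password:Winter2014 PROCESS CALL CREATE"',
    r'host=FS01 user=SYSTEM cmd="cmd.exe /q /c net share shared$ /delete"',
    r'host=WS-07 user=jsmith cmd="cmd.exe /c net share"',
    r'host=WS-07 user=jsmith cmd="C:\Windows\System32\taskhost.exe"',
]

HOST_RE = re.compile(r"\bhost=(\S+)")


def scan(lines) -> List[Tuple[str, str]]:
    """Return (stage, line) for every line that matches a stage pattern."""
    hits = []
    for line in lines:
        for stage, pattern in STAGES:
            if pattern.search(line):
                hits.append((stage, line))
    return hits


def hosts_with_chain(lines, min_stages: int = 2) -> Dict[str, List[str]]:
    """Group hits by source host; keep hosts where >= min_stages distinct stages fired.

    Two or more stages from the same host in one log window is the wiper's
    signature; a single stage is reported only if min_stages is lowered to 1.
    """
    per_host: Dict[str, List[str]] = {}
    for stage, line in scan(lines):
        m = HOST_RE.search(line)
        host = m.group(1) if m else "?"
        stages = per_host.setdefault(host, [])
        if stage not in stages:
            stages.append(stage)
    return {h: s for h, s in per_host.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, stages in hosts_with_chain(SAMPLE_LOG).items():
        print(host, "->", ", ".join(stages))
```

The calc.exe time-stomping step is not covered here: catching it needs file-system telemetry that records creation and modification times, so the dropped file's timestamps can be compared with calc.exe's on the same host. Of the four stages, the share created on %SystemRoot% is the highest-fidelity single indicator; the WMIC pattern also catches the cleartext credential that the configuration file supplies, which should be rotated as part of the response.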

V. CONCLUSIONS

Due to the highly destructive functionality of this malware, an infected organization could experience operational impacts including loss of intellectual property and disruption of critical systems.

Users and administrators should take the following preventive measures to protect their computer networks:

- Use and maintain anti-virus software. Anti-virus software recognizes and protects your computer against most known viruses; it is important to keep it up to date.
- Keep your operating system and application software up to date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates; if this option is available, enable it.
- Review the Security Tip Handling Destructive Malware (ST13-003) and evaluate your organization's capabilities for planning, preparation, detection and response to such an event.
- Review Recommended Practices for Control Systems and Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.


REFERENCES:

1. https://www.us-cert.gov/ncas/tips/ST13-003
2. https://www.us-cert.gov/ncas/alerts/TA14-353A
3. http://en.wikipedia.org/wiki/Malware


INFORMATION SECURITY IN SWITZERLAND’S BANKS

Laura Maria SABOSLAI FOTIN

INTRODUCTION

Switzerland, whose neutrality and national sovereignty have long been recognized by other nations, has not been at war internationally since 1815. With its active foreign policy and its frequent involvement in peace-building processes around the world, it is considered one of the safest countries in the world. According to the site “The Richest”, with a Personal Safety Index of 92.75 Switzerland was the fourth safest country in 2014, after Iceland, Sweden and Norway. “Women have no trouble travelling alone, and the police try to be as unobtrusive as possible (with the exception of football games in some major cities where hooligan crime may take place). However, the police are very serious about traffic offenses, and thus many drivers are well-disciplined, which makes it safe for pedestrian traffic. Also, Switzerland has very strong Good Samaritan laws that make it a civic duty to help those in need (as long as it doesn’t entail endangering yourself). The refusal to help someone in need is actually punishable by law, thus people are very willing and ready to help if the need arises.”[1] With an annual GDP per capita of $45,285.8 in 2014, expected to rise to $54,000 by 2018 despite the European economic crisis, Switzerland is also one of the world’s richest countries. Ranking countries by GDP measured in US dollars, together with income, output and expenditure values, Switzerland is in ninth place. The economy of this wealthy country depends on banking, tourism, industry and agriculture. Switzerland is also a leading exporter, currently ranked 15th, and the world’s maker of high-end watches: practically every luxury watchmaker you have heard of is registered and based in this country.
As the digitization of life continues to advance, mobility of information, interlinked communication networks and communication technology are the basis for accomplishing ever more complex tasks. The future belongs to information and communication technologies (ICT). This is the information age, and the systems that support and handle information are critical to the operation of virtually all organizations. Information and communication infrastructure has fundamentally changed the private sector, the state and society, bringing unforeseen possibilities, both good and bad. The use of cyberspace (e.g. the Internet, mobile networks and applications, e-business, e-government, computer-based control programs) has brought many advantages and opportunities. Digital networking, however, also exposes information and communication infrastructure to criminal, intelligence, politico-military or terrorist abuse or functional impairment. Disturbances, manipulation and targeted attacks carried out via electronic networks are the risks that an information society entails. It is assumed that the underlying trend, towards more networking and thus growing complexity of information and communication infrastructure, will continue. Information, and the knowledge based on it, has increasingly come to be recognized as an ‘information asset’, a vital enabler of business operations that is worth protecting very well.

[1] http://www.therichest.com/rich-list/rich-countries/10-countries-where-personal-safety-is-most-secure-in-2014

I. INFORMATION SECURITY OVERVIEW

I.1. Definition of Information Security

Information security, sometimes shortened to InfoSec (IS), is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).[2]

I.2. Basic Principles of Information Security in Banks

The core principles of information security (the CIA triad) have, it is argued, been extended with further principles such as authenticity, non-repudiation, identification, authorization and accountability/auditability, which are now also key considerations for practical security installations.

- Confidentiality means preventing the disclosure of information to unauthorized individuals or systems. An example is making a credit card transaction on the Internet: the card number is transmitted from the buyer to the seller and from the seller to a transaction processing network. To enforce confidentiality, the card number is encrypted during transmission, its appearance in log files, databases and printed receipts is limited, and access to the places where it is stored is restricted. Obtaining the card number in any way by an unauthorized party is considered a breach of confidentiality. Confidentiality breaches take many forms, such as hacking, email and SMS spoofing and phishing.
- Integrity means that data cannot be modified without authorization. Integrity is violated when an employee deletes important data deliberately or by mistake, modifies his or her salary in the payroll database, or uses a program to deduct small sums of money from customer accounts and transfer them to his or her own (the salami technique). Data diddling involves changing data during (or prior to) input into a computer; it also includes the automated alteration of financial information for a period of time, processing it, and restoring the original information afterwards. Integrity can also be violated by mistake in many ways. The simplest is a user mistyping someone’s data; more broadly, an automated process with invalid code (bad programming) that was not tested correctly, or automated updates into a database that alter the data, leaves data integrity compromised. The people in charge of information security have to find ways to implement means to prevent integrity errors.
- Availability: to serve its purpose, an information system must be available when needed. This means that the computer systems used to store and process the information, the security controls used to protect it, and the communication channels needed to access it must all be functioning correctly. Competitive systems have to remain available at all times; they have to prevent service disruptions due to hardware failures, power outages and system upgrades. Being always available also means preventing denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.
- Authenticity: in information security, e-business and computing it is necessary to ensure that data, communications, transactions and documents (physical or electronic) are genuine. Most importantly, authenticity requires validating that both parties (sender and receiver) are who they claim to be.
- Non-repudiation: in law this term means that one intends to fulfil one’s contractual obligations. It also requires that one party of a transaction cannot deny having received it, and that the other party cannot deny having sent it. E-commerce uses technology such as encryption and digital signatures to establish authenticity and non-repudiation.
- Identification is the process in which a subject provides an identity to a system so that authentication, authorization and accountability can begin. Providing an identity means typing in a username, using a smart card, speaking some words or a phrase, or positioning a hand, face or finger in front of a camera or scanning device. A process ID number is likewise a form of identification for processes. Without an identity, the system cannot correlate the subject with the authentication system.
- Authorization: after a subject is authenticated, access must be authorized. Based on the user’s rights and privileges, authorization makes sure that access to a resource or a requested action is permitted for the authenticated identity. Usually the system evaluates the access control matrix by comparing the subject with the object and the intended activity. The subject is authorized only if the specific action is allowed; otherwise authorization is not granted.
- Auditability and accountability: the security policy of the organization can only be properly enforced if accountability is maintained, i.e. security is maintained only if subjects are accountable for their actions. Accountability rests on the capability to prove a subject’s identity and to track its activities. It is established through identification, authentication, authorization and auditing mechanisms that link a human or online identity to his or her activities. Ultimately, however, human accountability depends on the strength of the authentication process. Without a reasonably strong authentication process, there is little chance of associating the correct human with a specific user account and of proving that he or she was controlling that account at the time the undesired action took place.

[2] http://en.wikipedia.org/wiki/Information_security#cite_note-1

II. SWISS BANK SYSTEM

Switzerland is known for its impressive banking system, including its legendary privacy policies. Home to the world’s richest bank, the Swiss Bank, Switzerland is one of the world’s richest countries mainly thanks to its extremely efficient banking system. While Swiss banks may not be as exciting as they are depicted in spy movies and action thrillers, they are extremely well run and impressively private, and the country is one of the financial havens for those seeking to hide their cash. Nowadays, however, keeping cash secure behind 3-meter-thick concrete walls and metal doors weighing tons, surrounded by security sensors and armed guards, is not enough. There are other riches that are sometimes far more important: client data, bank data, business plans and strategies, the private data of decision makers, in short all sorts of valuable information. At a time when Swiss banking secrecy is becoming the target of international criticism, the design and maintenance of a sustainable information security strategy and policy, in line with the business strategy and values of the firm, is of the utmost importance.

II.1. The Enforcers of the Information Security in Swiss Banks

- The Public is very important, since it consists of potential clients, stockholders, employees, investors and business partners. It also includes organizations or specific interest groups who feel affected by the bank’s activities. The people who make up the public are not really organized, but in particular situations, with the support of the media or of specific organizations or interest groups, they can have a certain impact. When an information security incident becomes interesting to the mass media (because of a badly managed incident) or conflicts with the interests of certain groups, it can become a threat to the interests or the reputation of a bank.
- The Clients are strongly and personally affected by problems with their bank’s information security. Because they are poorly organized, in case of damage they can only assert their claims at great expense within the limits of the law. Being non-expert outsiders, they cannot evaluate the information security provided by the bank as a whole, so they are exposed to moral hazard. For clients, information security is merely a sign of confidence and experience. Because Swiss banks enjoy an international reputation for information security, they do not need to differentiate themselves from one another in this area. As a precaution they prefer to transfer the risks related to their products (e.g. e-banking) to the client through the fine print of contracts and general terms and conditions. Because of the lack of legal precedents, in the rare case of a dispute such one-sidedly formulated contracts can usually be questioned and enforced. In certain cases the banks will try to behave obligingly and will seek to resolve the case face to face with the client, in order to prevent the creation of an unfavorable court precedent and the risk of losing their image. The chances that a small client, fearing the bank’s power, will not start a trial against it have greatly increased thanks to the appearance of the institution of the Ombudsman.
- Stockholders are the owners of the corporation and earn profits from residual claims. Stockholders entrust the running of the business to a management team because they are mainly specialized in the assumption of business risks. The separation of these two important functions (residual claim and the right to coordinate) theoretically makes it possible to engage the best-suited people in management and tends to lead to a more risk-accepting and dynamic company, because business risks can be distributed widely.[3] Stockholders can for their part reduce their own risk by maintaining a balanced portfolio that includes the stocks of various companies, industries and countries.[4] The wide distribution of shareholders and the high cost of acquiring information, however, lead to a situation in which no stockholder shows a real interest in actively campaigning for control of the management of a company.[5]
- The Board of Directors of a Corporation: Article 716, paragraph 2, of the Swiss Code of Obligations (SR 220; OR) states that the board of directors is in charge of the business management of the company unless it has delegated management to other persons as described in Article 716b OR. According to Article 716a, paragraph 1, OR, the board of directors also has the non-transferable responsibility, among other things, for «the upper management of the company and the issuing of necessary instructions»[6] and for «the supervision of persons entrusted with management of the company, especially with regard to the observance of laws, statutes, regulations and instructions»[7]. The boards of directors of the banks also bear responsibility for information security: «securities traders must understand, limit and monitor in particular market, credit, default, settlement, liquidity and image risks as well as operational and legal risks»[8].
- The Internal Audit Position: by law, Swiss banks are obliged to maintain an internal audit function, independent and reporting directly to the chairman of the board of directors. Internal audit specializes in the testing of the internal control systems, thereby supporting the board of directors in exercising its own responsibility, specifically the observance of laws, regulations, instructions and statutes. It consists of specifically qualified experts and usually works in close cooperation with the (legally prescribed) external audit function.
- The External Audit Position: the main task of the external audit function is checking the financial and accounting statements, and of course ensuring that the retained earnings comply with the law and the statutes. In relation to the board of directors and the stockholders’ general meeting it is a parity body of the company. Nowadays the accounting books are mainly kept in electronic information systems, so external audit has to check that the main principles of truth, clarity, traceability, completeness and correctness are supported by the necessary information security. External audit must operate through employees with special professional qualifications.[9] Therefore Federal Business Auditor Diplomas for financial auditors, and internationally recognized certificates such as CISA, CISM and CISSP for IT auditors, also play an important role.
- The Company Management runs the business of the company with the support of the board of directors, and acts in its place if management has been delegated to it (Article 716b of the Swiss Code of Obligations). Every person appointed to the management of the company has to obey the organizational regulations, which define the positions required in the management of the company, their duties and responsibilities, and in particular the reporting lines (Article 716b, paragraph 2, OR). Management employees have to protect the interests of the company and fulfil their duties with all due care and loyalty (Article 717 OR). It is rather difficult to prove in a court of law that this principle has been violated by management or by a member of the company, because the legislator assumes that company management is loyal and careful unless there is a conflict of interest.
- The State and Regulators have great influence on companies through regulations, laws, directives and decrees, and through their power to impose sanctions, but mainly through recommendations that banks should implement for the desired conduct. The State and Regulators are interested in a financial system that is reliable, stable, strong, transparent and, most importantly, competitive, capable of supporting the national economy and the welfare of the entire nation, and contributing to the political stability and international integration of Switzerland.

[3] Picot/Dietl/Franck 1997, p. 291
[4] Picot/Dietl/Franck 1997, p. 284
[5] Picot/Dietl/Franck 1997, p. 265
[6] Article 716a, paragraph 1, OR
[7] Article 716a, paragraph 1, OR
[8] Article 26 of the Regulation on Exchanges and Securities Trading (SR 954.1; BEHG)

II.2. The Threats and their Risks

- Force Majeure: mainly natural disasters, meaning the complete physical destruction of buildings, infrastructure and data. The normal operation of the business is in serious danger. From insurance statistics the risk of such events can be determined very precisely in a Switzerland that is both politically and geologically stable, but in the case of a lack of preparation this could be the end of a bank.
- Operational errors: mainly human failure leading to the unintentional damage or destruction of data and systems. The continuation of business operations might be endangered. The influencing factors are company culture, work ethic, employee training, workload and the suitability of tools.
- Misuse of information by internal persons: employees and agents of the bank might abuse the confidence placed in them while handling sensitive information (e.g. the misappropriation of business secrets or client information, or the acquisition of important information about clients and the bank itself). The incident can remain unnoticed, but if it becomes public through negligence or insufficient care (a violation of banking secrecy), the bank can be held liable. The bank would lose client confidence, its reputation could be damaged and legal claims might arise.
- Property offenses by internal personnel: enrichment of agents or employees at the expense of the bank or its clients through falsification of balances or of information about exchange rates or transactions. If the money cannot be recovered, direct property damage arises. The influencing factors are company ethics and culture, business processes, employment policy, social control and system clearances. Indirect results are loss of client confidence and/or reputational damage.
- Competitors are interested in gaining an economic advantage for their own companies (e.g. client lists, rates, business and development plans, headhunting of staff, etc.). The result of such events would be a loss of competitiveness.
- Hackers, hacktivists and viruses: hackers are those who regard interfering with computer systems as an enjoyable challenge, whereas hacktivists are driven by political and ideological motives, but both take deliberate external action to access the information systems of banks. Their activities can result in loss of information, delays or breakdowns of business processes, loss of confidentiality and false information. While hackers make targeted attacks on attractive targets, viruses have no particular target and simply spread in all directions, affecting every company to varying degrees. The direct consequences are recovery costs and costs from lost business. Indirectly the banks might lose their clients’ confidence and suffer reputational damage, but only if the event becomes public.

[9] Article 727b OR


Identifying the main threats to the banks’ business is a demanding task that requires interdisciplinary involvement, and it can be done only after gaining a clear understanding of the company’s business strategy and objectives and a well-founded knowledge of the banking environment in which the company has to operate.

II.3. Most Commonly Used Attacking Techniques

- Phishing is a type of Internet fraud in which the perpetrator tries to fool people into parting with their money. Some customers of financial institutions receive unsolicited emails requesting them to enter their username, password or other personal information in order to regain access to an account that has been “blocked” for some reason. The target is directed to a fake replica of the institution’s website, where they enter their information, unaware that they have been deceived and that fraud has occurred. The perpetrator now has access to the customer’s online bank account and the funds in it. Sometimes pop-up windows are generated in front of a genuine bank website: the real website is displayed behind the pop-up, but the information typed into it is transferred directly to the unauthorized users.
- Cross-site scripting (XSS) is a computer security vulnerability usually found in web applications. It allows malicious web users to inject code, mainly HTML or client-side script, into web pages viewed by other users, and attackers exploit it in order to bypass access controls.
- Vishing is a criminal practice in which social engineering and Voice over IP (VoIP) are used to obtain personal, private and financial information from the general public for financial reward. The term combines “voice” and “phishing”. The scammer calls pretending to be a bank representative trying to verify account information, exploiting the public’s trust in the security of the landline telephone service. It is typically used for identity theft with stolen credit card numbers or other important information, and usually involves only a small number of targets.
- Cyber Squatting is the registration of a well-known domain name, generally that of a popular service provider or a big company, in order to sell it on for a large sum of money.
- Bot Networks are a cyber-crime in which attackers remotely take control of a large number of computer systems without their users noticing. A computer becomes linked to a bot network when the user unknowingly downloads malicious code, usually “Trojan horses” sent as email attachments. These computers become remotely controlled “zombies” used by the offender to scan for system vulnerabilities, add speed and stamina to their attacks and launch large coordinated attacks against various targets. “Trojan horses” act as backdoors to the acquired computers. A “backdoor” is a way of bypassing normal authentication or security for remote access to a computer while remaining hidden from casual inspection; it can be an illegitimately installed program or a modification to a legitimate program. Bot networks create big problems for organizations because they are upgraded remotely, quickly and with new exploits, helping the attackers pre-empt security efforts.
- Email-related crimes are email spoofing, spamming, bombing and the sending of malicious code. Email “spoofing” is an email that appears to have originated from a trusted source when it was actually sent from another. Email “spamming” is email sent to thousands and thousands of users, like a chain letter. Email “bombing” is the sending of identical emails to a particular address. Sending malicious code through email means attaching viruses, Trojans etc., or sending links to a website from which the user unwittingly downloads malicious code when the website is accessed.
- SMS spoofing is a relatively new but very common technique based on SMS. It is available for all mobile phones and is used to set who the message appears to come from, replacing the mobile number with alphanumeric text generally known as the Sender ID. It is used both legitimately (the mobile carrier’s name, the company name of the originator or one of its products, in advertising) and illegitimately (the impersonation of another person, company or product).
- Malware is maliciously created software code. Some programs fool an individual into thinking that traditional security is protecting them during online banking transactions. Attacks by means of malware are a serious factor in online financial crime because malware is able to perform the following operations: theft of account information by capturing the keystrokes of the login information or other data used to authenticate identity (special images or words); website substitution, generating web pages that appear to be real but are not (the only difference being a few characters in the address); and the “man-in-the-middle attack”, in which the substituted site helps the attacker obtain user information: when the user submits the information, it is sent both to the bank and to the attacker without the user noticing.
- Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks consist of preventing an Internet site or service from functioning efficiently through the intervention of one or more persons. A DoS attack is an isolated incident in which a user or organization cannot access a resource or service they would normally have access to. In a DDoS attack, multiple compromised systems (a botnet) attack a single target, denying access to that resource or service to multiple users. The large number of incoming messages into the target system finally leads to its shutdown. A DoS attack does not result in theft of information but can cost the target time and money. A denial-of-service attack can sometimes lead to the destruction of programs and files in the targeted computer systems, forcing their users to temporarily cease operation. The main targets of DoS attacks are websites or services hosted on high-profile web servers used by banks and credit card payment gateways. The telephony denial-of-service (TDoS) attack is used to prevent a victim from getting in contact with banks and other financial institutions. The victim receives a large number of phone calls from automated dialing programs; on answering, the victim hears nothing, a recorded message, a telephone menu or an advertisement. Meanwhile the perpetrator has time to meddle with the victim’s funds without the financial and brokerage institutions being able to verify the changes and transactions on the victim’s account.
- Pharming is a DNS (Domain Name System) attack, usually called DNS poisoning. The system gets infected with a “virus” that poisons the DNS system. At the victim’s next visit to his or her online banking site, he or she is not sent to the actual web page but to a false “pharming page”, where the personal authentication data is collected.
- Insider threat is the biggest risk to banks, because the use of information technology sometimes grants employees or insiders of the bank unauthorized access and the opportunity to modify information or disclose important data. Sometimes unintentional errors can have, and have had, undesirable implications. This is why it is very important to create and implement robust security processes to respond to such threats.

II.4. The Most Important Recent Attacks

• 2015 – Data Breach – Client Data Emails Stolen (worst case 240000 clients): In January 2015 the “Banque Cantonale de Geneve” announced that Rex Mundi hackers had stolen the personal data of thousands of its clients and that it was being blackmailed. The hack was revealed on the Twitter account of the hacker(s) involved and concerned the theft of over 30000 emails exchanged between the bank and its clients, both domestic and international. Because the bank did not pay, all the data was published. Hours after the hackers’ ultimatum expired, BCGE spokeswoman Hélène De Vos Vuadens said that all the intercepted information appeared to have been published, but that since it came from clients’ inquiries over the Internet and did not involve their accounts, which require several codes or passwords to access, no financial damage had occurred. Finally the bank’s spokeswoman said: “We chose not to give in to blackmail and chose instead the path of transparency”.

• 2014 – Retefe Trojan: In July 2014 the online publication “The Local Switzerland” wrote that users of 16 Swiss online banking sites had been targeted by computer hackers who used a “Trojan horse” virus to exploit “holes” in internet banking security, which gave the operation its name, Operation Emmental. Switch, the Swiss universities’ computer emergency response team, and Trend Micro, the global leader in IT security, were the ones who issued reports about this operation, which also targeted bank clients in Austria, Sweden and Japan. The targeted banks were those that use authentication numbers sent through SMS (text messaging). This is a two-factor authentication method that uses the user’s phone as a secondary channel: to log into the banking site the user receives from the bank an SMS with a number (a one-time password) and must enter that number along with the regular username and password in order to transact with the bank. The attack began when users received an email in their local language, apparently from a popular company or brand (most likely one the users were customers of), which had an attached file. When opened, the attached *.RTF file contained another file, and the system would give a warning if that file was opened. If the user opened it, it downloaded and executed a file called “netupdater.exe”, supposedly a Windows® update tool but in fact a malware infection. The malware, also known as Retefe (because of the *.RTF attachment), only changes the configuration of the computer and then removes itself. Then, when users try to access a legitimate bank site, they are directed to a fake site that looks like that of their bank, which so far is just a fancy phishing attack. But once the users enter their credentials, they are instructed to install an app on their smartphone “for better security”. This Android app, which looks like a token generator, generates a password that is supposed to be entered into the fake banking site. Meanwhile the scam occurs: in reality the app intercepts the SMS messages from the bank and forwards them to a command-and-control (C&C) server or to another mobile phone number. This means that the cyber-criminal not only gets the victims’ online banking credentials through the phishing website, but also the session authentication key needed to bank online. The perpetrator thereby gets full control of the victims’ bank accounts. In this way money has been pilfered from accounts, but the extent of the losses was not disclosed in the reports made by Switch and Trend Micro.

Figure 1. What happens in the 2-factor authentication process when the PC is infected in Operation Emmental

According to Trend Micro the hacking was tracked to Romania, but the culprits were said to be “most likely Russian speakers” who used “shady Russian cyber-criminal underground market services”. The reports also said that the criminals are believed to have been active since 2011. In order to take appropriate measures to protect their clients, Trend Micro contacted the banks involved and recommended the use of more advanced defenses against malware and phishing: “the use of multiple transaction authentication numbers (TANs), photo-TANs, and card readers, should be considered”.10 The Switch response team said that antivirus programs installed on smartphone operating systems offer good protection against the malware scammers, but unfortunately only few people use such software on their phones.

 2007 - 24000 Client’s Data Was Stolen by Former Employee – made public only in 2010 In March 2010 HSBC, Europe's biggest bank, said a theft of data by a former employee affected up to 24000 Swiss client accounts, dealing a hefty blow to the reputation of its private bank. The information was stolen by Hervé Falciani, a former IT consultant of the bank about three years ago. The information stolen concerned 15000 accounts that were still active and another 9000 accounts that have been closed since the theft.

III. MEASURES

III.1. Reasons For The Banks to Step up Security Measures

Since the online banking concept gains more and more supporters through its various electronic delivery channels, it has also become an attractive target for perpetrators. Some reasons that force banks to step up security measures are:
• Browser weaknesses: in most attacks against the top 100 banks of the world, browser weaknesses were exploited by Trojans and malware (e.g. man-in-the-browser attacks) because they are difficult to detect. Usually they hijack the transaction inside the browser session and afterwards attack the applications or databases on the servers.
• Consumers as endpoints: the communication channel used between banks and clients to deliver services is the browser, but the banks cannot control the customers’ computer environment. The risk is that many banks give online services to consumer systems used for small businesses without the client having adequate security for business activity.

10 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf

• Multi-channel banking: because of technological expansion, file and web banking transfers are also available through social channels and mobile/smart phones, as a consequence of the workforce getting younger. This leads to cyber threats that are getting more complex and have to be taken seriously into consideration. Because of this multitude of communication channels, an integrated approach to transactions, information and fraud is needed, one able to lower costs while increasing effectiveness.
• Single sign-on (SSO): in order to solve the security usability problem, banks are looking for new independent SSO applications or corporate/business portal solutions. Using SSO within each existing packaged online banking offer lacks the integrated authentication and entitlements it needs. The solutions generally used secure the session, but malware attacks now come from the application level, so banks have to use authorisations for transactions that are cryptographically distinct from those used for the session.
• Organised crime: internet perpetrators have created a full supply chain to run malware attacks and also an efficient online vector to deploy them. While trying to create a security-as-a-service solution, the market for security technology has direct competition, since the criminals are developing fraud-as-a-service activities that turn fraud from a consumer product into a business (using online banking to initiate payments or banking activities in order to commit fraud). Through cyber-attacks we can witness potential damage to national security. The internet has become a tool used in an organised manner for money laundering and even funding terrorist attacks. It is therefore required to put in place the effective implementation of information security measures and robust information security governance processes.

III.2. Required Measures to be Taken

• Fulfilment of legal, regulatory and contractual requirements (see also II.1, 4th paragraph) of:
  o The Swiss Obligation Law (SR 220; OR)
  o The Banking Law (SR 952.0; BankG)
  o The Data Protection Law (SR 235.1; DSG)
  o The Exchange Law (SR 954.1; BEHG)
  o The Copyright Law (SR 231.1; URG)
  o The Penal Code (SR 311; StGB)
  o The Federal Banking Commission (EBK)
  o The Swiss Financial Market Supervisory Authority (FINMA)
  o The Reporting and Analysis Centre for Information Assurance (MELANI)

• Significant investments in information and communication technology.
• Independent tests of IT security in order to evaluate the formal and quantitative aspects of the security processes, e.g. employee certification, job descriptions, security policy documentation, documented operational and organisational structures, and the use of recognised standards such as BS7799-1, ITIL, CobiT and the BSI Baseline Security Manual.
• Best practice or benchmarking: the assessment of the level of compliance of security processes with the related regulations using spot checks. Generally this audit is carried out by appropriately certified experts (e.g. CISM, CISSP and CISA) using the international standard CobiT developed by the Information Systems Audit and Control Association (ISACA) or the British Standard BS7799-2.11
• Managing the loyalty of employees, company culture, emotional bond, trust between employees and management, and a close relationship between customers, company management and employees should ensure the company’s internal information security.
• Control duties (e.g. conducting compliance checks and security reviews) and security consulting should be carried out by personnel independent of the local IT organisation or, even better, obtained externally.
• External purchasing of individual IT security services, because some of them do not reflect the core competencies of the company, are not specific to the company, can be described completely and exactly, and their quality can be specified exactly and checked. The activities most commonly purchased are the operation and monitoring of firewalls, engineering, specific control activities (ethical hacking: the attempt to break into the bank’s systems at its request) or IT security consulting. The exceptions are the IT security functions that require decisive and quality-assuring action, because these are part of the information security strategy of the organisation and may not be given to an external party. The boards of directors alone hold the top, non-delegable responsibility for information security.
• The use of basic technical security measures:
  o Anti-virus software to detect malware on the computer and block or destroy it, on condition that the virus database is always kept updated.

11 cp. Gartner 2003, pg. 207-208

  o Firewalls, used to protect computer systems from the threat of malware and unauthorised access.
  o Encryption of sensitive data stored on computer networks, preventing the risk of unauthorised access to this information, and also of confidential data being transferred or communicated (e.g. e-mail). Encryption programs use a specific algorithm to encode and decode the data before and after the transfer.
  o Intrusion detection systems (IDS) are programs that monitor, store and analyse computer or network activity. If an activity corresponding to an attack pattern is detected, an alarm is raised. Using an IDS to its real potential requires specialised know-how and considerably more attention than a firewall or anti-virus software.
  o Biometric technology is used to restrict physical access to computers or areas. The user is identified by face recognition, fingerprints or optical scanning systems. The only drawback of this technology is its relatively high cost.
• The use of organisational security measures (security policy, resources made available for security, responsibilities, procedures etc.):
  o Incident response is the preparation for an attack on information security. It includes the use of technical, legal and organisational measures and ensures that the IT system is restored to normal service as quickly as possible after an incident occurs.
  o The security policy is the basic concept of information security. It defines objectives based on the firm’s approach to security, explains the responsibilities and ensures that the resources are made available. The clear definition of these issues and directions within the organisation works towards successful information security.
  o Back-up management prevents all forms of data loss. This means always having a recent copy of the data (back-up) and keeping it safe, out of the reach of unauthorised users. The key to a successful back-up is establishing how often a back-up is to be made, who is authorised to do it, what is to be backed up (all data, the most important data or only the most recent) and how to protect the backed-up data.
  o Updates / vulnerability scans are very important because of the complexity of operating systems and of the applications used: new security breaches are happening all the time, and attackers waste no time in exploiting these gaps to the full. It is therefore particularly important to be able to detect such vulnerabilities rapidly and close them.
  o Staff training in information security: done on a regular basis, staff training helps minimise the risk of incidents by eliminating incorrect conduct. Training can take the form of internal or external courses, or be limited to periodic information campaigns.

A study made in the finance business of the measures used in information security found that 63% of respondents use encryption technologies, 42% intrusion detection and only 5% biometrics. In IT companies, 57% use encryption technology, 41% intrusion detection and 5% biometrics. But the most important security measure is the continuous monitoring of the measures that have been implemented. If security measures are analysed regularly, their weaknesses can be rapidly identified, permitting an early response before they become a real problem. A study made in companies revealed that 56% of respondents check their security level and conduct such an audit on a regular basis (32% in-house and 24% using an external provider), 11% plan to introduce security audits in the near future, but 33% do not perform regular audits and do not plan to do so.

CONCLUSIONS

As in the case of any company, banks not only have to protect the information directly associated with their clients and with banking, but, like every other company, they must also ensure the security of their strategic and operational information, which is or could be of the greatest importance to the shaping and management of these enterprises. The most important thing is that this data is stored and/or processed completely, correctly and with integrity. This type of information has value for the company only until it becomes known to the public or to its competitors. The truth is that no universally correct information security exists, because the need for security depends on characteristics such as the chosen strategy, available competencies, products offered, etc., and is unique to each company.

The strategic success factors in the banking sector are trust and brand reputation, things that cannot be purchased or copied. Such trust and reputation must be built and continuously reaffirmed by banks over a period of decades, using superior professional services and, of course, through the fulfilment of their various clients’ diverse expectations. The expectations mostly originate in the implicit and explicit promises made by the bank through its communication and marketing tools. The company image that originates in this manner becomes credible and achieves the desired lasting effect only if it is formed on the basis of the company values actually lived and is sustainably supported by the company. This is why an identical event taking place in different banking institutions is viewed and evaluated differently by the public.

“It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” Warren Buffett


STUDY ON THE PROTECTION MECHANISM TO SECURE INFORMATION EXCHANGE AND E-MAIL WITHIN AN INTRANET BASED ON PKI AND INFORMATION TECHNOLOGIES

Oleg CHIRILENCO

“Who possesses the information possesses the world” Nathan Rothschild

INTRODUCTION

In October 1969, the first login session on the ARPANET1 (Advanced Research Projects Agency Network) took place between the University of California, Los Angeles and the Stanford Research Institute (SRI). This exchange of data across a computer network was the foundation of today’s Internet. Today, the main issues for network administrators and managers are focused on questions regarding information security such as: How do I authenticate users? How do I ensure confidentiality? How do I ensure data integrity? Can anyone else read my message? Is the text I read on the screen really what the other person sent? How do we track who communicates with whom, what and when? These questions are critically important for today’s business continuity2. With internet technology going deep into application and popularisation, many large organisations have been establishing their own internal network, the intranet. Most organisations hire commercial lines to connect with their remote offices; thus the way they receive and transmit data via the network forced them to take the right decision in securing the channels and the data itself. So the leak of information in the intranet has become a major threat for all organisations and, therefore, they have had to find and solve these security problems based on their mission. Consequently, in this paper I will try to describe some solutions for establishing a better mechanism to secure the storage and exchange of information by ensuring the

1 http://en.wikipedia.org/wiki/History_of_the_Internet

2 Jonathan M. Fox, USA B.S., Information Assurance and the Defense in Depth: A Study of Infosec Warriors and Infosec Cowboys, Fort Leavenworth, Kansas 2003.

most important information security principles: identification and authentication, data integrity, confidentiality and non-repudiation, by building one’s own PKI. Depending on the organisation’s mission and motivation, an own Certification Authority capability centre could be a great deal in securing the information domain, and at the same time very costly. These practices will grant the organisation an advantage over others in providing e-mail security and secure information exchange through PKI (Public Key Infrastructure) and information technology (IT).

I. PUBLIC KEY INFRASTRUCTURE (PKI)

PKI is a set of hardware, software, people, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates3. At the same time, PKI functions can be summarised as: user registration, key generation and management, certificate initialisation, generation, management, distribution, publication and revocation, mutual trust establishment (e.g. cross-certification), publication of certificate revocation lists (CRLs), and audit. In other words, PKI provides certificates to support the following security services for numerous applications4:
• Identification and authentication: PKI provides identification and authentication through digital signatures. If the signature is valid, then the relying party (the person or system relying on the presented certificate for authentication or other security services) has assurance that the entity participating in the transaction is the entity asserted by the certificate.
• Data integrity: PKI provides data integrity through the digital signature of information. If the recipient of digitally signed information is able to verify the signature on the information using the public key of the certificate used to generate the signature, then the recipient knows that the content has not changed since it was signed.
• Confidentiality: PKI provides confidentiality through encryption (i.e. asymmetric algorithms). If the public key in a certificate is used to encrypt information, only the associated private key, held (and kept secret) by the entity named in the certificate, can decrypt that information.
• Non-repudiation: non-repudiation means ensuring that a transferred message has been sent and received by the parties claiming to have sent and received it. Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent it and that the recipient cannot deny having received it.

3 http://en.wikipedia.org/wiki/Public_key_infrastructure

4 http://www.ietf.org/rfc/rfc3280.txt

I.1. PKI Components

Functional elements of a public key infrastructure include certification authorities, registration authorities, repositories and archives, as follows5:
• A certification authority (CA) (Root CA) is an entity that issues digital certificates, similar to a notary; in other words, a CA is an entity trusted by the end users to create and issue certificates.
• A CA (i.e. Root CA) is responsible for issuing certificates to other CAs, named subordinate CAs (i.e. Sub CAs). Consequently, a Sub CA is responsible for issuing certificates to the end users.
• A registration authority (RA) is an entity that is trusted by the CA to register or vouch for the identity of users to the CA.
• A repository or archive is a database of active digital certificates for a CA system. The main activity of the repository is to provide data that allows users to confirm the status of the digital certificates of the individuals and businesses from which they receive digitally signed messages. These message recipients are called relying parties. CAs post certificates and CRLs to repositories.

I.2. Implementation

1. The main goal of the PKI is to support:
• Encrypted e-mail.
• Identification and digital signature.
• Secure web server access.
• Secure tunnel creation between routers, etc.
In a large organisation, a single Root Certification Authority (Root CA) shall be established. In addition, one subordinate CA (Sub CA) should be established to support the remote offices of the organisation’s central office. Based on some of the design issues and of course on my experience in this domain (almost 10 years), below is shown a 2-level hierarchy consisting of an offline Root CA and an online Sub CA that can manage and control the issuance of digital certificates. Figure 1 illustrates a best-practice validity period for each CA at each level (based on a 2-level hierarchy, for a complete overview). The advantage of this model is that it ensures that the root of the trust chain (i.e. the offline Root CA) will not be compromised.

5 http://csrc.nist.gov/publications/nistpubs/800-32/sp800-32.pdf

Figure 1 PKI Architecture

2. Types of certificates: The PKI should be capable of issuing different types of certificates, including identity, authentication, signature, encryption, group/role, device and code-signing certificates, to satisfy the organisation’s requirements.

3. Certificate issuance, CRL and OCSP profiles
• The organisation’s Root CA will establish the certificate profiles that the Sub CAs can issue. There will be identity/signing and encryption profiles for user certificates as well as profiles for web server certificates. The Root CA will issue the certificates for the subordinate CAs.
• It is recommended that the Sub CA issues two types of certificate to each end user. The first, the identity certificate, should have the key usage attribute populated with digital signature and non-repudiation. The second, the e-mail encryption certificate, should have the key usage attribute populated with key encipherment. The certificate profiles should have at minimum the critical attributes listed below. General characteristics of the certificates include:
  1. The signature algorithm is SHA.
  2. The CRL Distribution Point (CDP) is a Lightweight Directory Access Protocol (LDAP) or Hypertext Transfer Protocol (HTTP) repository URL.
  3. Include an Authority Information Access (AIA) extension if possible, to support Online Certificate Status Protocol (OCSP) certificate revocation checking.
• The Basic Constraints extension is recommended for a Root CA certificate with the value CA=True and the path length not set.

4. Publication and repository: The organisation shall provide the CRL Distribution Point (CDP) (listed in the certificates) for application retrieval of the CRLs from the directory server. The organisation will establish a repository which will be used for storing and retrieving public encryption keys and certificate revocation lists (CRLs) during their lifetime.

5. Identification and authentication: The internal policy of the organisation is responsible for the procedures used to identify and vet subscribers (users) requesting digital certificates. Names used within the PKI must identify the user or object to which they are assigned. For identity, digital signature and encryption certificates the common name must be represented as firstname.lastname (i.e. internal policy). Identity proofing for user certificates in the organisation requires a face-to-face meeting with the requestor. The organisation’s users must positively identify themselves via their office identity card (badge) to the issuer (i.e. the CA administrator) and agree to the internal policy on appropriate use, as stated in the organisation’s end user agreement, in order to receive their certificate from their Sub CA PKI provider. For server certificates and VPN certificates, the common name must be the fully qualified domain name (FQDN) and/or the IP address in the Subject Alternative Name. VPN certificates do not require signing a user agreement.

6. Certificate life-cycle operational requirements
• The organisation’s Root CA will issue its self-signed certificate for 60 months. Keys must have the security equivalent of a 4096-bit RSA modulus or larger.
• The organisation’s Root CA will issue the subordinate CA certificates for 48 months. Keys must have the security equivalent of a 2048-bit RSA modulus or larger.
• End user certificates will be issued for a period of 12-18 months. Keys must have the security equivalent of a 2048-bit RSA modulus or larger.
• Web server and VPN certificates are also valid for a maximum of 12-18 months. Certificates may be issued with a shorter or longer time to live than the periods listed above.
• The organisation will be responsible for publishing a CRL for certificates that have been revoked. The organisation’s Sub CA will publish a CRL every 24 hours during its activity.

7. Management, operational and physical controls
• The organisation supporting a Root CA and Sub CA will provide an adequate level of physical security for the PKI (e.g. behind a firewall, limited physical access). Physical and logical privileged access should be controlled to avoid compromise of the server and subsequently of all certificates issued under that CA.
• For security reasons (i.e. personal experience), all certificates should be issued manually; thus users will not be able to access the CA administration interface to request certificates online.

8. Technical security controls
• The client software used during the digital certificate request procedure should generate end user X.509 v3 compliant public/private key pairs. Keys must have the security equivalent of a 2048-bit RSA modulus. Physical delivery of the end user digital certificate may be on a floppy disk / smart card or other electronic media.
• Passwords used to access the private key store must comply with the internal policy.
• During issuance of user certificates, the issuing Sub CA shall be configured to back up the private encryption keys for emergency retrieval. Under no circumstances will signature keys be backed up. If digital signature keys are lost or compromised, the only acceptable solution is reissuing these key pairs.

9. Configuration of user workstations: The configuration of user workstations depends on the operating system, the browser and the mail client used. At a minimum, the client must install the necessary trust chains from the PKI in order to interoperate on the organisation’s network.

10. Interoperability: Each organisation’s workstations, web servers and/or network devices must trust (install) the Root CA and each of the Sub CA certificates. Any other offices with which the organisation wishes to communicate securely via PKI methods should install those certificates as well.
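As an added example (not the paper’s own tooling), the following shell script realises the hierarchy and profiles from items 1, 3, 6 and 10 above with openssl: a 4096-bit Root CA valid 60 months, a 2048-bit Sub CA valid 48 months, and an identity and an encryption certificate for one user with the key usages specified, after which the trust chain is verified the way a workstation would. Organisation names and the CDP/OCSP URLs are constructed placeholders, and pathlen:0 on the Sub CA is an added assumption.

```shell
#!/bin/sh
# Added example: two-level CA hierarchy built with openssl. Names, URLs and the
# pathlen:0 constraint on the Sub CA are constructed assumptions, not from the paper.
set -eu

# Extension profiles taken from the paper's requirements:
#  - Root CA: Basic Constraints CA=True with no path length set
#  - identity certificate: key usage digitalSignature + nonRepudiation
#  - encryption certificate: key usage keyEncipherment
#  - a CDP URL and an AIA/OCSP pointer on the issued certificates
# The empty [dn] section lets "openssl req" take the subject from -subj.
write_profiles() {
  cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]

[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[sub_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:http://pki.example.invalid/root.crl

[identity]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation
extendedKeyUsage = emailProtection, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:http://pki.example.invalid/subca.crl
authorityInfoAccess = OCSP;URI:http://ocsp.example.invalid

[encryption]
basicConstraints = critical, CA:FALSE
keyUsage = critical, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:http://pki.example.invalid/subca.crl
authorityInfoAccess = OCSP;URI:http://ocsp.example.invalid
EOF
}

# issue_cert DIR NAME SUBJECT DAYS PROFILE ISSUER KEYBITS
# Generates a fresh RSA key and CSR for NAME, then signs it with ISSUER's key and
# the named extension profile. In production the Root CA signing step happens on
# the offline machine; here everything runs in one directory for demonstration.
issue_cert() {
  d=$1; name=$2; subj=$3; days=$4; profile=$5; issuer=$6; bits=$7
  openssl req -new -newkey "rsa:$bits" -nodes -sha256 -subj "$subj" \
    -keyout "$d/$name.key" -out "$d/$name.csr" -config "$d/ext.cnf" 2>/dev/null
  openssl x509 -req -in "$d/$name.csr" -sha256 -days "$days" \
    -CA "$d/$issuer.crt" -CAkey "$d/$issuer.key" -CAcreateserial \
    -extfile "$d/ext.cnf" -extensions "$profile" -out "$d/$name.crt" 2>/dev/null
}

build_pki() {
  d=$1
  write_profiles "$d"
  # Root CA: self-signed, 4096-bit RSA, 60 months (1825 days), SHA-256.
  openssl req -x509 -new -newkey rsa:4096 -nodes -sha256 -days 1825 \
    -subj "/O=Example Org/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" \
    -config "$d/ext.cnf" -extensions root_ca 2>/dev/null
  # Sub CA: 2048-bit RSA, 48 months (1460 days), signed by the Root CA.
  issue_cert "$d" sub "/O=Example Org/CN=Example Sub CA" 1460 sub_ca root 2048
  # Two end-user certificates (firstname.lastname naming rule), 12 months each.
  issue_cert "$d" id "/O=Example Org/CN=jane.doe" 365 identity sub 2048
  issue_cert "$d" enc "/O=Example Org/CN=jane.doe" 365 encryption sub 2048
}

# verify_chain DIR CERT: succeeds only when CERT chains to root.crt through
# sub.crt, i.e. the trust chain a workstation must have installed (item 10).
verify_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$2" >/dev/null 2>&1
}

# key_usage CERT: prints the Key Usage line, e.g. "Digital Signature, Non Repudiation".
key_usage() {
  openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//'
}

PKI_DIR=$(mktemp -d)
build_pki "$PKI_DIR"
verify_chain "$PKI_DIR" "$PKI_DIR/id.crt" && echo "identity certificate chains to the Root CA"
echo "identity key usage:   $(key_usage "$PKI_DIR/id.crt")"
echo "encryption key usage: $(key_usage "$PKI_DIR/enc.crt")"
```

Without the Sub CA certificate installed, the same verification of an end-user certificate against the Root CA alone fails, which is why item 10 requires both CA certificates on every workstation.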


II. E-MAIL SECURITY

Email security refers to the collective measures used to secure the access to and content of an e-mail account or service. It allows an individual or organization to protect the overall access to one or more email addresses/accounts. An email service provider implements email security to secure subscriber email accounts and data from hackers, at rest and in transit⁶. One of the most vulnerable areas in communications is therefore likely the one that is used the most: enterprise email. And, of course, the biggest threat might be coming from where it is least expected, i.e. from inside the organization. Users make e-mail mistakes, willingly or not: hitting the wrong keys while sending can “Reply All” instead of replying to the intended recipient, and suddenly sensitive information is where it shouldn’t be, compromising the reputation and business continuity of the organization⁷. PKI can help reduce the risk of sending and receiving sensitive data via e-mail by using authentication protocols, digital signatures and encryption, together with additional software and physical devices (USB keys, hardware tokens, etc.) when working with mail servers. It will prevent intentional data distortion and loss of confidential data while sending messages over the network.

II.1. Hardware Tokens

The CA hardware tokens protect the private keys associated with the identity, authentication, signature and encryption certificates issued by the organization's PKI. All hardware tokens used within the organization will comply with the credential strength requirements stated in the internal policy. Hardware tokens used for network logon to the intranet will be issued by a credential service provider that is either a member of the organization's PKI or cross-certified with the other PKI in accordance with the organization's policy. The RSA Cryptographic Provider should be integrated into the Windows operating system or other OSs; it enables digitally signing and encrypting/decrypting e-mail in Microsoft Outlook, The Bat and other clients, as well as access to protected web sites.

6 http://www.techopedia.com/definition/29704/email-security

7 http://www.ca.com/us/securecenter/ca-email-supervision.aspx


So, the RSA Cryptographic Provider's encryption keys can be stored within the Windows environment or on a smart card, allowing access to and interoperability with encrypted emails, corporate web sites and a host of other resources. The RSA Cryptographic Provider uses the Cryptographic Key Migration utility to migrate keys between cryptographic service providers, as well as to transfer them from the system registry to a smart card or USB key and vice versa, as shown in Figure 2.

Features and Benefits:

1. USB key and smart card support. The RSA Cryptographic Provider allows the user to restrict access to encrypted data or a web site unless the smart card/USB key is present.
2. PIN code security. The RSA Cryptographic Provider utilizes PIN code protection of the USB key/smart card, ensuring strong security.
3. Data storage on the USB key/smart card. The RSA Cryptographic Provider allows storing and retrieving various types of data on the USB key/smart card: system logon information, certificates and encryption keys.
4. Easy to use. The RSA Cryptographic Provider should be simple to install and use. Once it has been installed, digitally signed and encrypted emails can be sent with just a couple of mouse clicks.

Figure 2 Features and Benefits of the USB key/Smart card

II.2. Software Applications Encryption


Email encryption software is an encryption utility that secures the contents of an e-mail message while in transit. It puts the e-mail message into a non-readable form so that its contents cannot be viewed by hackers, eavesdroppers or unauthorized recipients. E-mail encryption software is primarily used in enterprise e-mail and messaging environments, where each e-mail message is encrypted before being transmitted over the network. Typically, e-mail encryption software is installed or integrated within the core e-mail server or messaging application. Each outgoing e-mail is encrypted using public or private key cryptography and can only be revealed or extracted using a private key, as shown in Figure 3.

Figure 3 Encryption from end to end

Furthermore, e-mail encryption software usually sends an e-mail message over the network using a secure protocol such as PGP, S/MIME or TLS⁸. In addition to enterprise e-mail encryption, e-mail encryption software is also used by end users, where the software works as an independent utility or is integrated into an e-mail client as a plug-in. Also, it is possible to create a Private Disk (i.e., hard disk encryption software) with unique features, combining strong AES 256-bit encryption with a simple and straightforward interface⁹. This disk encryption program creates multiple encrypted disks for the storage of sensitive information, where the data received via e-mail can be stored and is readable only when the USB token or other smart card with the cryptographic key is inserted. Encrypted disks behave like regular disks, so programs can use them in the usual way and there is no need to reconfigure them. Automatic data encryption is transparent: files are encrypted on the fly when they are written to the encrypted disk and decrypted when read from it. Access to the encrypted disk is monitored by Disk Firewall, a unique data protection mechanism that guards the data from Trojans, viruses or other types of malware. Disk Firewall controls which applications are allowed to access the encrypted disk. If a specific application is not found in the white-list, it will be unable to read or change the sensitive information stored on the encrypted disk. To prevent data loss, Private Disk automatically invokes the safe hardware removal procedure when it is closed.

8 http://www.techopedia.com/definition/29700/email-encryption-software

9 http://www.dekart.com/products/encryption/private_disk/

CONCLUSIONS

So, the question is: do we really need secure transmission of data, or secure storage of it? We can still use insecure e-mail, but there will be no assurance that we will not be attacked and that the data will not be exposed to other parties that are very interested in taking down the organization's activity. At the same time, the primary benefit of PKI is that it provides encryption of information in transit, strong authentication of users and digital signatures for data integrity and non-repudiation, despite its cost. Consequently, from my point of view, weighing what is better but costly against what is worse but free, a wide range of organizations, including defence organizations, will choose to deploy PKI solutions in order to protect their activities by securing their data and, of course, the reputation of the organization. Finally, PKI is a very attractive and modern technology, embedding both encryption and digital signatures, and it represents a breakthrough over symmetric-key cryptosystems.

REFERENCES

1. http://en.wikipedia.org/wiki/History_of_the_Internet
2. Jonathan M. Fox, USA B.S., Information Assurance and the Defense in Depth: A Study of Infosec Warriors and Infosec Cowboys, Fort Leavenworth, Kansas, 2003
3. http://en.wikipedia.org/wiki/Public_key_infrastructure
4. http://www.ietf.org/rfc/rfc3280.txt
5. http://csrc.nist.gov/publications/nistpubs/800-32/sp800-32.pdf
6. http://www.techopedia.com/definition/29704/email-security
7. http://www.ca.com/us/securecenter/ca-email-supervision.aspx
8. http://www.techopedia.com/definition/29700/email-encryption-software
9. http://www.dekart.com/products/encryption/private_disk/


OVERVIEW OF SECURITY IMPLICATIONS OF INTERNET OF THINGS IN MILITARY ORGANIZATIONS

Ștefan-Ciprian ARSENI

“What most people need to learn in life is how to love people and use things instead of using people and loving things.” (Seneca) “All things appear and disappear because of the concurrence of causes and conditions. Nothing ever exists entirely alone; everything is in relation to everything else.” (Hindu Prince Gautama Siddharta)

INTRODUCTION

Continuous development of modern society is primarily characterized by an exponential increase in the information domain, comprised not only of information, seen as data, and information infrastructures, seen as the means of transmitting data, but also of the entire life cycle of the information (from gathering to spreading and use), and of the organizations and systems managing the functions and flows of data. Therefore, it can be stated that the information domain has an increasing impact on the safety of a state, through its connections with critical infrastructures such as defense, the economy, electricity, food and water supply or healthcare. When talking about information security we should refer to “the defense of national interests – the complex balance of the interests of the individual, society and state – in the information sphere”¹. From a technical point of view, information security sums up all the means necessary for protecting both information and information systems from unauthorized access, use, modification or destruction; in other words, the assurance of the C.I.A. triad (Confidentiality, Integrity and Availability)², presented in Fig. 1.

1 Vasily Tairyan, Evgenia Tairyan, Diana Martirosyan, Stephan Babayan, Anahit Tadevosyan, Victor Prokhorenko, Sergey Tairyan – Humanitarian problems in information security, Proceedings of the NATO Advanced Study Institute on Network Security and Intrusion Detection, Armenia, 2005, pp. 134

2 ISO/IEC 27000:2009 – Information technology - Security techniques - Information security management systems - Overview and vocabulary, ISO/IEC, 2009


Figure 1. The C.I.A. triad of Information Security3

In the context of new improvements in information technology, our “personal” lives and habits have become dangerously “public”, mainly because of the need of each person to ease their life with the help of technology and the need of everybody to interconnect and be informed, no matter where they are or when they need a specific piece of information. It is this need for information and connectivity that led to the appearance of new paradigms in the IT world, ones that began to spread without having a standardized and secure foundation. One of these new leading trends in IT is the Internet of Things (IoT) paradigm. In broader terms, it can be described as a union of all devices that currently exist or will exist, linked together by the Internet and communicating with each other in order to improve the quality of services or our lives. Yet this new trend induces more security risks and possible breaches than any other technology until now, and because of its rapid spread across multiple organizational levels, the need for information security is higher than ever.

I. THE INTERNET OF THINGS (IOT) PARADIGM

Nowadays, we are surrounded by smart devices that help us in our daily routines, starting from the coffee maker or smart refrigerator to the computers we use in our workplaces, smartphones that we use to communicate and keep in touch with our family and friends. We may consider that each one of these mobile or fixed smart devices has become a necessity in accomplishing almost any action that we undertake.

3 "CIAJMK1209" by I, JohnManuel, Licensed under CC BY-SA3.0 via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:CIAJMK1209.png#/media/File:CIAJMK1209.png

For providing on-time services, companies have equipped almost every smart device with different sensors, capable of extracting information from the user, sometimes including sensitive data. In most cases, this data refers to “public” characteristics of an individual and is used by trusted applications to help or inform us when needed. Taking into consideration what a single smart device, with a limited number of sensors, is capable of doing in terms of understanding our needs and providing what is needed, when it is needed and in the amount needed, we can only imagine what a network of sensors and smart devices will be able to provide. In 1999, Microsoft's President, Bill Gates, mentioned for the first time the term IoT (Internet of Things) as a new trend in IT technology. Soon after, in 2005, this trend was introduced and defined by ITU (International Telecommunication Union) as implementing the following key idea, illustrated also in Fig. 2: anytime, anyplace connectivity for anything, a ubiquitous network with ubiquitous computing [1]. From a technical approach, a more comprehensive specification of IoT is given in [2]: a dynamic global network infrastructure with self-configuring capabilities based on standard and interoperable communication protocols, where physical and virtual “things” have identities, physical attributes and virtual personalities, use intelligent interfaces and are seamlessly integrated into the information network. Yet, since the first definition, the IoT trend has come to include more and more types of devices and sensors, which led to the appearance of new derivatives: Internet of Everything (if we refer to the entire network of sensors) or Internet of Me (if we refer to sensors characterizing only one person). Still, each one of these terms defines the same basic concept: a network of heterogeneous systems and sensors, differentiated by the technological and communication constraints that they embed.


Figure 2. Basic principles of the Internet of Things paradigm4

I.1. IoT Architecture

According to ITU recommendations, paper [7] proposes an abstract overview of the network architecture of IoT, which implements five distinct abstract layers:
- A sensing layer that assures the capturing, analyzing and sharing of the information of interest;
- An access layer that transfers information between the previous and the next layer using existing networking capabilities (mobile, wireless or satellite networks or other infrastructure);
- A network layer that integrates the resources of a network with the Internet platform and establishes an efficient and reliable infrastructure platform;
- A middleware layer that manages and controls network information in real time, and also provides an easy-to-use interface for the next and final layer;
- An application layer that integrates functions from the bottom layers of the stack, while building the practical applications of various industries.

From the technological point of view, any attempt at deploying an IoT solution can be made possible through some key enabling technologies, such as:
- RFIDs (Radio Frequency Identifiers) were introduced in 1940, mostly for machine recognition of friendly and enemy aircraft in air combat. Nowadays, this technology is used for production management, safety, transportation or logistics management. Some of the key factors that recommend RFID as a viable technology for IoT are: highly adaptive wireless communication, high confidentiality, low power consumption, high-efficiency antennas and low-cost chips and readers.
- EPC (Electronic Product Code) was developed by the Auto-ID Center at MIT (Massachusetts Institute of Technology). This technology can be used to construct a global intelligent network, in real time, by giving a unique ID to every device and using RFIDs and wireless communications through the Internet platform.
- ZigBee is widely used in home automation, digital agriculture, industrial controls and medical monitoring.

4 Dr. Bilel Jamoussi, “IoT Prospects of Worldwide Development and Current Global Circumstances”, ITU-T

II. THE INTERNET OF MILITARY THINGS (IOMT) CONCEPT

Looking at what IoT means from a military point of view, we can see that right from the baseline of the network architecture, civilian IoT and military IoT (IoMT – Internet of Military Things) present some differences, mostly because of the underlying restrictions and requirements of the battlefield, characterized by ad-hoc networks instead of the fixed ground or mobile networks of the civilian domain. Still, the fundamental idea behind IoMT is similar to that of its civilian counterpart, namely the integration of military objects, such as distributed sensors or actuators, RFID systems or other equipment. The main goal of this integration of sensors is the achievement of rapid information superiority in the future battlefield environment [3]. If we analyze current military systems-of-systems architectures, we can state that the concept of IoMT has been integrated for some time, in almost every military organization, under the notion of the connected battlefield or network centric warfare (NCW). These notions define existing modern networks that link the three forces of an army (air, ground and water) and provide complex situational awareness over an area of interest. By combining this existing infrastructure with the IoMT concept, the integration of every asset in the battlefield will be a simpler process, since the underlying network architecture is already in place.


Figure 3. Overview of Internet of Military Things, as an application5

When referring to standards or guidelines for implementing such a concept in the current architecture, various ideas have been proposed in different articles, such as [1], [3] or [6], or by the C4I (Command, Control, Communications, Computers and Intelligence) community. Since worldwide defense departments have experienced the advantages brought by the implementation of a connected battlefield, their next objective will be to integrate even more systems and sensors and link them to soldiers and command centers. In response to the need for multiple sensors and systems, an increased emphasis on SWaP (Size, Weight and Power) for COTS (Commercial off-the-Shelf) products has appeared, together with an even higher increase in demand for security of the existing infrastructure and for secure development and integration of any future hardware or software system within current networks. According to the definition given by a NATO STO ET (Exploratory Team) researching IoT benefits for the military, and as presented in Fig. 3, it can be stated that IoMT represents “the information network of the Military Things integrated according to the IoT paradigm for military purposes, that considers pervasive presence in the environment of a variety of interconnected smart things/objects. By means of wireless and wired connections, unique addressing schemes and intelligent interfaces, things/objects are able to interact and cooperate with each other to create new applications/services in order to reach common goals” [5].

5 Source: NATO STO IST-ET-076, “Internet of Military Things” presentation

II.1. Example scenario for IoMT applicability

Although current infrastructure can provide sufficient resources for a complete integration of IoMT, it is still not a well-defined or standardized concept. NATO STO (Science and Technology Organization) exploratory teams and research groups have begun to search for methods and procedures that could ensure a uniform implementation within all its members, so that interoperability and interconnection will be assured without any possibility of forming a security breach. The main challenges that arise from this search are the means of connecting devices depending on their tactical and operational integration in the battlefield. Mainly, IoMT demonstrates its utility in interactively building situational awareness at the tactical level of the battlefield, by detecting threats early, like movements of enemy troops, changes of target positions, or even threat identification and marking, thanks to the integration of “eyes-in-the-sky” (satellites, drones or UAVs used for intelligence gathering) with the ground situational overview captured using multiple sensors arranged in a “defensive” formation in the proximity of the base, but also by retrieving information from sensors deployed in an “offensive” formation near or behind enemy lines.

Figure 4. Situational awareness of the battlefield6

Fig. 4 depicts a basic scenario of how communication links between humans and machines are integrated, in order to ensure the amount of information that the soldier needs to accomplish the mission effectively. In this case, IoMT acts as a monitoring network, feeding information in real time to both soldiers deployed in the battlefield and commanders located in the command center. For commanders, the IoMT architecture will help them obtain an accurate assessment of the situation and give them the possibility to assess the course of action by making decisions at the right moment. Moreover, the commanders will have a detailed overview not only of the enemy's troops, but also of their own personnel, monitoring each individual's activities so that, in a critical moment, a person can be placed in charge of an action depending also on their physical status. As the last decades demonstrated, the trend of modern war is an integrated combined operation with a requirement for considerable movements of support materials. Similar to public transport of goods, the military can benefit from the integration of IoMT, especially RFID tracking systems, in order to improve the management of combined operation logistics. As in the case of public cargo transport, military transport will see a reduction of costs and an increase in the efficiency and effectiveness of logistics support.

III. SECURITY IMPLICATIONS OF IOMT

IoT benefits for the civilian market are, incontestably, of great importance for the future development of society, yet a high level of security awareness needs to be maintained so that the core network will resist in case of unwanted “guests”. Also, IoT improvements from public and private organizations will be transferred and implemented in IoMT; therefore the military has the objective of both integrating new developments and researching on its own the new capabilities that IoMT could bring. The top priorities that both public and private sectors need to consider regard the security of the entire IoT infrastructure. In this case we speak not only of security for the smart devices with an already implemented level of privacy, like smart phones, smart watches or anything that resembles and does the things that a computer can do, but also for the objects/devices that are going to be produced or were already produced and deployed in a certain area of activity, that possess only the capabilities of extracting and transmitting information towards a gateway. These devices are the ones that know only how to transmit data, no matter what type of listener is at the other end, the owner or an impostor. It is in this area that some improvements and miniaturization of both software and hardware need to be made, so that any loose end of security is tied up.

6 Source: NATO STO IST-ET-076, “Internet of Military Things” presentation

Another important issue relates to the way information is transmitted between devices and how it is stored, processed and accessed. Given the fact that many organizations have adopted or will adopt a cloud-like infrastructure, the storing, processing and accessing of the information will follow current research and security trends in this domain. An exception occurs when discussing the communication methods between devices. Information will not only be transmitted towards a central point of operation, but also between devices, this feature being the one that differentiates a military cloud infrastructure from an IoMT one. Keeping this in mind, we need to observe and consider any current, and even future, communication hardware solution integrated in any thing of the IoMT. The challenge is to find a means to integrate similar characteristics from all these devices into a single secure communication protocol, or to minimize the number of secure communication protocols used and reduce the number of instructions in each protocol definition, so that, in the end, any device will be capable of communicating with any other device in a secure manner. Even though there are several specific security challenges regarding privacy and trust in IoMT, as described in the above paragraphs, many security-related problems share the same functional requirements that could mitigate the appearance of any security breach. These requirements mainly refer to the need for implementing lightweight and rapid authentication protocols that can be integrated as a symmetric solution, with support for resource-constrained devices and scalability that can rise up to billions of devices or transactions. In order to better assess the security issues implied by the IoMT concept, they can be divided into three categories, each one describing one of the following key notions for assuring the C.I.A. triad of Information Security: trust, security and privacy.

III.1. Trust

By integrating all types of sensors and sources of information, IoMT will erase the boundaries that currently exist between different departments of a military organization. Therefore, in order to assure continuity in this regard, a trust framework needs to be implemented. Through it, users will have the certainty that the information and services being exchanged are confidential. Also, this trust framework needs to be able to differentiate between humans and machines, even though it will have to assure connectivity to both these types of “users”. According to [8], before implementing a trust framework, some key advances need to be made in the following directions:

- Development and implementation of lightweight Public Key Infrastructure and Key Management Systems;
- Assurance of Quality of Information within certain limits;
- Integration of PKI alternatives, in the form of decentralized and self-configuring systems;
- Development of new methods for assessing trust in users (humans or devices), such as a Trust Negotiation mechanism that allows two users to automatically negotiate the level of trust required to access a service or a resource;
- Access Control to prevent data breaches, such as a Usage Control mechanism that uses policies to regulate the usage of information.

III.2. Security

Since IoMT will provide the core capabilities in case of a military operation, but also in case of continuous surveillance of a location on the country's borders, it will become a valuable asset for the organization and can therefore be considered a critical infrastructure. As a consequence, this will lead to an increased demand for adequate security of the IoMT infrastructure. From this point of view, security will cover not only the physical part of the infrastructure or the information flows, but also the processing component and the outputs of any analysis performed on a set of data. Because of the increasing vulnerability of IoMT to possible disruption or information theft, some key advances are required in the following areas of interest [8]:
- Enhanced protection capabilities, primarily against DoS/DDoS attacks, and implementation of specific IoMT-related cyber situational awareness tools and techniques that will enable administrators to adapt the protection depending on each “thing's” lifecycle;
- Integration of recovery plans and mechanisms that will ensure better resilience in the face of an incoming attack.

III.3. Privacy

This security characteristic is related more to civil IoT than to IoMT. Still, if we consider the case of a mixed-group operation, in which personnel from several countries is involved, there can also be a need for protecting some personal data, for assuring anonymity and for restricting the handling of that type of information. To integrate a proper level of privacy inside a heterogeneous network like IoMT, development in some key points must continue [8]:
- Cryptographic algorithms that will ensure that storing, processing and sharing that information is executed in a secure manner, without letting third parties get within reach of the data;
- Techniques to support Privacy by Design concepts, including data minimization, identification, authentication and anonymity;
- Fine-grained and self-configuring access control mechanisms emulating the real world;
- Preservation of privacy for a resource's location;
- Assuring a secure exchange of information between devices, to guarantee the privacy of personal information;
- Limiting the exchange of sensitive information between devices by implementing a decentralized management architecture.

CONCLUSIONS

Today's military missions require continuous and uninterrupted interactions between soldiers, command centers and machines. The unification of sensors, data collaboration and secure computing is the next step in truly implementing next-generation battlefield capabilities. This is where the IoMT concept will begin to reveal its main characteristics and benefits for its users, the features that made it this decade's new trend in technology. The potential of achieving a connected battlefield lies in the combination of IoMT technologies with big data analytics, trusted multilevel security (MLS – Multiple Levels of Security, or MILS – Multiple Independent Levels of Security), software-defined networks and virtualization-aware network infrastructures. An architecture suited to support IoMT will include secure computing, storage and communication following the anytime-anywhere fundamental idea. When properly designed and deployed, IoMT will become the required foundation for realizing the vision of totally integrated net-centric warfare.

REFERENCES

1. L. Yushi, J. Fei, Y. Hui, Study on Application Modes of Military Internet of Things (MIOT), 2012 IEEE Conference on Computer Science and Automation Engineering (CSAE), Zhangjiajie, 2012, pp. 630-634
2. IERC (European Research Cluster on the Internet of Things), Internet of Things Strategic Research Roadmap, 2011
3. R. Witty, The Vision of the Internet of Military Things (IoMT), Cranfield University
4. K. Zhang, Z. Ao, C. Tang, Y. Wang, W. Zhu, B. Feng, Application of Internet of Things in Combined Operation Logistics Support, Fourth International Conference on Computational and Information Sciences (ICCIS), Chongqing, 2012, pp. 388-391
5. NATO STO IST-ET-076, Internet of Military Things
6. D. Kyriazis, T. Varvarigou, Smart, autonomous and reliable Internet of Things, International Workshop on Communications and Sensor Networks (ComSense), 2013, pp. 442-448
7. X.-Y. Chen, Z.-G. Jin, Research on Key Technology and Applications for Internet of Things, International Conference on Medical Physics and Biomedical Engineering, 2012, pp. 561-566
8. IERC (European Research Cluster on the Internet of Things), Internet of Things – From Research and Innovation to Market Deployment, 2014

SECURITY POLICIES AND AWARENESS IN THE SCHOOL ESTABLISHMENT

Sadraoui ROSTOM

INTRODUCTION

Nowadays, millions of internet users regularly visit thousands of social websites to keep in touch with their friends, share their thoughts, photos and videos, and even discuss their daily life. Social networks can be traced back to the first email, which was sent in 1971 between two computers sitting right next to each other. In 1987 the Bulletin Board System exchanged data over phone lines with other users, and later in the same year the first copies of early web browsers were distributed through Usenet. Geocities was the first social website, founded in 1994. Theglobe.com launched in 1995 and gave people the ability to interact with others and to personalize and publish their files on the Internet. In 1997, the America Online (AOL) Instant Messenger was launched. In 2002, Friendster was launched, and within three months more than 3 million users were using it. In 2003, MySpace was launched, and in the following years many other social networking sites were launched, such as Facebook in 2004, Twitter in 2006, etc. Mastery of the use of the networks and digital services of the school or school establishment is located at the crossroads of sometimes contradictory issues, for which it is necessary to find a fair balance. For example, one should look for the balance between school use and the respect of individual and collective freedoms, the balance between the protection of minors and the acquisition of real CTBT skills by the students, and the balance between maximum availability of digital services and the flexibility or freedom of use of these services. In recent years Tunisia has paid special attention to the development and improvement of its network infrastructure, especially its university network. Thus, the 9th Development Plan provides for the interconnection of the various universities and the creation of an Internet service provider for higher education.


I. Chapter 1 Current status of the school establishment

I.1 - The access provider (CCK)

The El Khawarizmi Computing Center (Centre de Calcul El Khawarizmi, CCK) is the service provider of the National University Network (RNU) in Tunisia. It operates a set of hardware and logistical resources in order to provide its services and the necessary assistance to teachers, researchers and students across all disciplines. Among other things, the CCK manages the broadband university network, the dissemination of scientific and technical information, technical assistance, security monitoring and library computerization.

I.2 - The National Network University (R. N. U)

The RNU, adopted in the 9th Plan, is today at a fairly advanced stage. The project is to interconnect all academic institutions, research units and laboratories, as well as the administrative services, through a meshed network, and aims to offer a set of applications and services, including Internet services. To this end, the El Khawarizmi Computing Center was designated in July 1997 as the Internet service provider for the academic institutions. It initially offered all higher education and research institutions access to the Internet with the following basic services:
- e-mail,
- web browsing,
- access to remote resources (Telnet),
- file transfer (FTP).
Faced with the rapid evolution of the Internet and the spread of the new information and communication technologies (NICT), and following the emergence of new needs, new services and applications were created, such as:
- hosting of the institutions' web sites,
- online university enrollment,
- distance education,
- hosting of the collective catalog of academic libraries (Beruni),
- training of teachers and researchers.


I.3 - The infrastructure

The higher education institutions, laboratories and research units (200 establishments) are connected to the CCK through the Tunisia Telecom backbone over leased lines (LS) whose bandwidth varies between 64 kbit/s and 2 Mbit/s. The CCK has three points of presence: the first is located on Tunisia Telecom premises and the other two on two university campuses. These three points are interconnected at 155 Mbit/s. The 7 November University at Carthage provides the cabling for the higher education and research institutions attached to it (32 institutions). It also handles the acquisition of IT equipment (servers, computers, printers, routers, software, etc.) for those institutions, spending an annual budget of 500 MD, equivalent to about 320,000 euro.

I.4 - Distance education

As part of the policy of modernizing higher education and opening it to all Tunisians, the Virtual University of Tunis (UVT) was created in 2002. In the long term it is meant to carry out an open and distance learning (ODL) project essentially based on exploiting the opportunities offered by ICT, covering a planned part of initial training, continuing education and lifelong learning. The UVT is responsible for:
- organizing, managing and developing non-face-to-face teaching;
- putting online degree and specialized training programmes, with individualized support for learners provided by a tutor assigned for this purpose, such as:
  • traditional training at maîtrise level in various disciplines, the range of which is gradually expanding;
  • post-master specialized training;
  • short vocational training programmes;
- progressively putting in place the foundations needed for the development of distance education;
- supervising teachers and trainers in the design and development of online courses and activities;
- providing training for teachers and platform administrators (tutoring, distance learning);
- organizing and developing access to lifelong learning.


I.5 - The computerization of academic libraries

Beruni (Libraries of University Resources) is a project launched in 1997 within the national programme for the renovation of higher education. It covers the computerization of the academic libraries (166 libraries) and the construction of a collective catalog made up of the bibliographic records of all the documents (monographs, theses, dissertations, periodicals, etc.) held by the academic institutions and research centers (130,000 entries). The integrated system for the university libraries operates in client/server mode and supports consultation of the union catalog, the tracking of acquisitions, cataloguing and the management of document loans.

II. Chapter 2 Threats and vulnerabilities in the school establishment

To achieve its objectives the CCK has three action plans:
- strengthening the infrastructure (connections) to ensure sufficient bandwidth for the exploitation of the new services;
- training the technical staff of the universities so that they are able to manage the newly created NOCs (Network Operation Centers), and recruiting new technicians;
- acquiring the new equipment needed to benefit from the new services.
But first the threats and vulnerabilities must be defined.

II.1 Wireless vulnerabilities and threats

A wireless network consists of four basic components: the transmission of data using radio frequencies; access points that provide a connection to the organizational network; client devices (laptops, PDAs, etc.); and users. Each of these components provides an avenue for attack that can result in the compromise of one or more of the three fundamental security objectives of confidentiality, integrity and availability.

Fig. 1 Wireless networking components


II.2 Malicious association

A "malicious association" occurs when an attacker actively induces wireless devices to connect to a laptop under the attacker's control instead of to the organization's access point (AP). Such a laptop is known as a "soft AP": the attacker runs software that makes the wireless network card look like a legitimate access point. Once a client has associated, the attacker can steal passwords, launch attacks on the wired network or plant trojans. Because the association happens at Layer 2, Layer 3 protections such as network authentication and virtual private networks (VPNs) do not prevent it: a VPN still protects the confidentiality of the traffic it tunnels, but not the client itself, which is now on the attacker's network. 802.1X authentication of the wireless link helps, but deployments remain vulnerable to cracking, in particular when clients do not validate the authentication server's certificate. The goal of this attack is usually not to break into the VPN or other security measures; most likely the attacker simply wants to take over the client at Layer 2.

II.3 Ad-hoc networks

Ad-hoc networks can pose a security threat. They are defined as peer-to-peer networks between wireless computers that do not have an access point between them. Such networks usually have little protection, and a client that is attached both to the organizational network and to an ad-hoc peer can bridge the two; encryption and link-layer authentication can be used to provide security.

II.4 Identity theft (MAC spoofing)

Identity theft (or MAC spoofing) occurs when an attacker is able to listen in on network traffic and identify the MAC address of a computer with network privileges. Most wireless systems allow some kind of MAC filtering so that only authorized computers with specific MAC addresses can gain access to and use the network. However, a number of programs with network "sniffing" capabilities exist. Combined with software that lets a computer present any MAC address the attacker desires, they make it easy to get around that hurdle: a MAC address is an identifier, not a secret, so MAC filtering is not a form of authentication.

II.5 Denial of service

A denial-of-service (DoS) attack occurs when an attacker continually bombards a targeted access point (AP) or network with bogus requests, premature successful-connection messages, failure messages and/or other commands. These prevent legitimate users from getting onto the network and may even cause the network to crash. Such attacks rely on the abuse of protocols such as the Extensible Authentication Protocol (EAP), and on the fact that 802.11 management frames (deauthentication and disassociation) are not authenticated unless Protected Management Frames (802.11w) are in use.

II.6 Network injection

In a network injection attack, an attacker makes use of access points that are exposed to unfiltered network traffic, specifically broadcast network traffic such as Spanning Tree (802.1D), OSPF, RIP and HSRP. The attacker injects bogus network reconfiguration commands that affect routers, switches and intelligent hubs. A whole network can be brought down in this manner, requiring a reboot or even reprogramming of all intelligent networking devices. The exposure exists only when the wireless segment is bridged onto the segment where these protocols run unauthenticated; keeping the WLAN in its own VLAN and enabling authentication on the routing protocols removes it.

II.7 Man-in-the-middle attacks

A man-in-the-middle attacker entices computers to log into a computer set up as a soft AP. Once this is done, the attacker connects to a real access point through a second wireless card, offering a steady flow of traffic through the transparent attacking computer to the real network, and can then sniff the traffic. One type of man-in-the-middle attack relies on security faults in the challenge and handshake protocols to execute a "de-authentication attack": forged deauthentication frames force the computers connected to the AP to drop their connections and reconnect, this time to the attacker's soft AP. Man-in-the-middle attacks are made easier by software such as LANjack and AirJack, which automate several steps of the process; what once required some skill can now be done by script kiddies. Hotspots are particularly vulnerable to any such attack, since there is little or no security on these networks.
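The deauthentication floods behind both the DoS attack of II.5 and the man-in-the-middle attack above are easy to spot from a monitor-mode capture, because a legitimate AP sends deauthentication frames rarely and to one station at a time. The script below is an added example, not code from the original paper: it runs a sliding-window counter over a constructed log of 802.11 management frames (the AP and client addresses are made up) and raises one alert per BSSID whose deauth/disassoc rate crosses a threshold, noting whether the frames were addressed to the broadcast address, which is the signature of an attacker knocking every client off the AP at once.

```python
"""Detect deauthentication/disassociation floods in a log of 802.11 management frames.

Records are (time_s, subtype, src_mac, dst_mac, bssid, reason_code), sorted by time,
as a monitor-mode capture would yield them.
"""
from collections import defaultdict, deque

WINDOW_S = 2.0      # sliding window length in seconds
THRESHOLD = 10      # deauth/disassoc frames per BSSID inside the window that trigger an alert
BROADCAST = "ff:ff:ff:ff:ff:ff"

AP = "00:11:22:33:44:55"          # hypothetical authorized AP (its BSSID)
CLIENT = "aa:bb:cc:dd:ee:01"      # hypothetical client station

# Constructed sample log (not a real capture): a normal session, one benign deauth,
# then 12 broadcast deauthentication frames forged with the AP's address within 0.9 s.
SAMPLE_FRAMES = [
    (0.00, "beacon", AP, BROADCAST, AP, None),
    (0.10, "auth", CLIENT, AP, AP, None),
    (0.12, "assoc_req", CLIENT, AP, AP, None),
    (3.50, "deauth", AP, CLIENT, AP, 3),        # benign: AP removes one idle station
    (4.00, "beacon", AP, BROADCAST, AP, None),
] + [
    (10.0 + i * 0.08, "deauth", AP, BROADCAST, AP, 7) for i in range(12)
]


def detect_deauth_flood(frames, window_s=WINDOW_S, threshold=THRESHOLD):
    """Return one alert per BSSID whose deauth/disassoc rate exceeds the threshold.

    The alert records the burst's start and end time, the largest number of frames
    seen inside one window and whether any of them was a broadcast deauthentication.
    """
    recent = defaultdict(deque)   # bssid -> (time, is_broadcast) still inside the window
    alerts = {}                   # bssid -> alert dict, created when the threshold is crossed
    for t, subtype, _src, dst, bssid, _reason in frames:
        if subtype not in ("deauth", "disassoc"):
            continue
        window = recent[bssid]
        window.append((t, dst == BROADCAST))
        while window and t - window[0][0] > window_s:
            window.popleft()
        if len(window) < threshold:
            continue
        alert = alerts.setdefault(bssid, {"bssid": bssid, "start": window[0][0],
                                          "end": t, "count": 0, "broadcast": False})
        alert["end"] = t
        alert["count"] = max(alert["count"], len(window))
        alert["broadcast"] = alert["broadcast"] or any(b for _, b in window)
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"deauth flood on {a['bssid']}: {a['count']} frames in "
              f"{a['end'] - a['start']:.2f}s, broadcast={a['broadcast']}")
```

The source address in these frames is the attacker's claim, not proof: the forged frames carry the AP's own BSSID, which is exactly why the AP cannot be blamed and why the detection keys on rate and broadcast addressing rather than on the sender. The only cure is to enable Protected Management Frames (802.11w) on APs and clients that support it; the detector remains useful for everything that does not.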

Chapter III Security program and awareness

III.1. Securing wireless access points

Insecure, poorly configured wireless access points can compromise confidentiality by allowing unauthorized access to the network. Organizations can reduce the risk of unauthorized access to wireless networks by taking these three steps:
1. eliminating rogue access points;
2. properly configuring all authorized access points;
3. using 802.1X to authenticate all devices.


Eliminate rogue access points: the best method for dealing with the threat of rogue access points is to use 802.1X on the wired network to authenticate every device that is plugged into it. With 802.1X an unauthorized access point plugged into a wall socket never gets a usable switch port, so it cannot bridge wireless clients onto the wired network.

Securely configure authorized access points: organizations also need to ensure that all authorized wireless access points are securely configured. It is especially important to change all default settings, because they are well known and can be exploited by attackers.

Use 802.1X to authenticate all devices: strong authentication of all devices attempting to connect to the network can prevent rogue access points and other unauthorized devices from becoming insecure backdoors. The 802.1X protocol discussed earlier provides a means of strongly authenticating devices before they are assigned IP addresses.

III.2. Securing wireless client devices

Two major threats to wireless client devices are (1) loss or theft and (2) compromise. Loss or theft of laptops and PDAs is a serious problem, because these devices often store confidential and proprietary information. Consequently, the loss or theft of a device may put the organization in violation of privacy regulations concerning the disclosure of personal identifying information it has collected from third parties. The other threat is that a client device can be compromised so that an attacker can access the sensitive information stored on it or use it to obtain unauthorized access to other system resources.

III.3. Securing wireless networks

Use encryption: the most effective way to secure a wireless network against intruders is to encrypt, or scramble, the communications over the network. Most wireless routers, access points and base stations have a built-in encryption mechanism; if yours does not, consider replacing it with one that does. Manufacturers often deliver wireless routers with encryption turned off, so it must be turned on. Use WPA2 with AES-CCMP: WEP is broken (section III.5 describes the tools that recover its keys) and TKIP is deprecated.

Use anti-virus and anti-spyware software, and a firewall: computers on a wireless network need the same protections as any computer connected to the Internet. Install anti-virus and anti-spyware software and keep them up to date. If the firewall was shipped turned off, turn it on.

Turn off identifier broadcasting: most wireless routers have a mechanism called identifier (SSID) broadcasting, which sends out a signal to any device in the vicinity announcing the router's presence. There is no need to broadcast this information if the people using the network already know it is there. Attackers can use identifier broadcasting to home in on vulnerable wireless networks, so disable it if the router allows it. This is only an obscurity measure, however: a hidden SSID is still sent in the clear in probe and association frames and is trivially recovered with the sniffing tools described in Chapter II.

Change the identifier from the default: the identifier of a router is likely to be a standard default assigned by the manufacturer to all hardware of that model. Even if the router is not broadcasting its identifier, attackers know the default IDs and can use them to try to access the network. Change the identifier to something only you know, and remember to configure the same unique ID into both the wireless router and the computers so that they can communicate.

Use a password that is at least 10 characters long: the longer the password, the harder it is for attackers to break.

Change the router's pre-set administration password: the manufacturer probably assigned a standard default password for setting up and operating the router. Attackers know these default passwords, so change it to something only you know; the longer the password, the tougher it is to crack.

Allow only specific computers to access the wireless network: every computer able to communicate with a network has its own Media Access Control (MAC) address, and wireless routers usually have a mechanism to admit only devices with particular MAC addresses. As shown in section II.4, attackers can mimic MAC addresses, so do not rely on this step alone.

Turn off the wireless network when you know you will not use it: attackers cannot access a wireless router that is shut down. Turning the router off when it is not in use limits the time during which it is exposed.
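The checklist above can be applied mechanically to an access point's configuration file. The script below is an added example (not part of the original paper) written against hostapd's configuration directives; the two configurations are constructed for the example, a "weak" one resembling factory defaults (open or WEP, default SSID, no management-frame protection) and a hardened one (WPA2-PSK, CCMP only, a long passphrase, 802.11w required). The list of factory SSID names and the 10-character passphrase minimum are assumptions taken from the text above, not from hostapd.

```python
"""Lint a hostapd-style access-point configuration for the weaknesses listed above."""

MIN_PASSPHRASE = 10      # the rule given above; WPA2-PSK itself accepts 8-63 characters
FACTORY_SSIDS = {"default", "linksys", "dlink", "netgear", "tp-link"}   # assumed factory names

# Constructed "as shipped" configuration: WEP, default SSID, no management-frame protection.
WEAK_CONF = """\
interface=wlan0
ssid=default
hw_mode=g
channel=6
auth_algs=3
wep_default_key=0
wep_key0=0123456789
"""

# Constructed hardened configuration: WPA2-PSK, CCMP only, long passphrase, PMF required.
HARDENED_CONF = """\
interface=wlan0
ssid=lycee-staff-5f2a
hw_mode=g
channel=6
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2015
ieee80211w=2
ignore_broadcast_ssid=0
"""


def parse_conf(text):
    """key=value lines; blank lines and '#' comments are ignored; the last value of a key wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def lint_ap_config(text):
    """Return (severity, message) findings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    findings = []
    # auth_algs bit 2 = shared-key authentication, which only exists for WEP
    if any(k.startswith("wep_key") for k in conf) or conf.get("auth_algs") in ("2", "3"):
        findings.append(("critical", "WEP keys / shared-key authentication: WEP is broken, use WPA2"))
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append(("critical", "wpa=0: traffic is unencrypted (or WEP only)"))
    elif wpa == "1":
        findings.append(("high", "wpa=1: WPA1/TKIP only, set wpa=2"))
    ciphers = (conf.get("rsn_pairwise", "") + " " + conf.get("wpa_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append(("high", "TKIP pairwise cipher enabled, allow CCMP only"))
    if "WPA-PSK" in conf.get("wpa_key_mgmt", "") and len(conf.get("wpa_passphrase", "")) < MIN_PASSPHRASE:
        findings.append(("high", f"wpa_passphrase shorter than {MIN_PASSPHRASE} characters"))
    if conf.get("ssid", "").lower() in FACTORY_SSIDS:
        findings.append(("medium", "SSID is a factory default, change it"))
    if conf.get("ieee80211w", "0") != "2":
        findings.append(("medium", "ieee80211w!=2: management frames unprotected, deauth floods work"))
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append(("info", "hidden SSID is obscurity only; probing clients still reveal it"))
    return findings
```

Run `lint_ap_config(WEAK_CONF)` and `lint_ap_config(HARDENED_CONF)` side by side: the first yields two critical and two medium findings, the second none. Note that the linter deliberately rates a hidden SSID as informational rather than as a hardening step, for the reason given above.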

III.4.Training and Educating Users

Notice that Figure 1 also includes users as the fourth basic component of wireless networking. As with wired security, users are the key component of wireless networking security, and the importance of training and educating them about secure wireless behaviour cannot be overstated. To be effective, user training and education must be repeated periodically.

III.5. Network auditing

Wireless network auditing is an important part of a WLAN security policy. The network must be audited regularly for rogue hardware: it is scanned and mapped for all access points and WLAN nodes, and the result is compared with the previous network map. Commonly available network mapping tools such as NetStumbler and wavelan-tools can be used for this. Specialized tools such as AirSnort can be used for WEP cracking and for auditing the network for weak keys, key reuse and WEP security settings. These methods include the same tests as those carried out by attackers to break into the network; if AirSnort can recover the key, so can they, and the only real fix is to migrate off WEP. Establishments must also use a content-filtering device that allows the information made available to pupils to be selected in advance or checked after the fact. Alert and continuous-improvement procedures are in place to deal with problems and incidents related to the display of inappropriate, unfiltered pages.
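The "scan, map, compare with the previous map" step above is the one part of the audit that tools do not do for you. The script below is an added example, not code from the original paper: it takes a scan in the form (BSSID, SSID, channel, RSSI), as obtained from NetStumbler or from `iw dev wlan0 scan` once parsed, and compares it with an approved inventory. The inventory, the school's SSIDs and the scan records are all constructed for the example. Findings are split into evil twins (the school's SSID advertised by a BSSID the school does not own, the soft-AP case of II.2 and II.7), unknown APs (a classroom's own router, typically), inventory APs whose SSID or channel changed, and inventory APs that were not seen.

```python
"""Compare a fresh WLAN scan against the approved access-point inventory."""

ORG_SSIDS = {"lycee-staff", "lycee-eleves"}     # assumed SSIDs the school actually operates

# Approved inventory: BSSID -> (SSID, channel). Constructed example.
BASELINE = {
    "00:11:22:33:44:01": ("lycee-staff", 1),
    "00:11:22:33:44:02": ("lycee-staff", 6),
    "00:11:22:33:44:03": ("lycee-eleves", 11),
}

# Today's constructed scan: one AP changed channel, one is missing, one evil twin, one unknown router.
SCAN = [
    ("00:11:22:33:44:01", "lycee-staff", 1, -48),
    ("00:11:22:33:44:02", "lycee-staff", 11, -55),     # inventory AP, channel changed
    ("de:ad:be:ef:00:01", "lycee-staff", 6, -40),      # evil twin: our SSID, foreign BSSID, strong signal
    ("c0:ff:ee:12:34:56", "TP-LINK_3456", 9, -70),     # unknown AP, probably a classroom's own router
    ("00:11:22:33:44:01", "lycee-staff", 1, -50),      # second beacon of the same AP, must not double-count
]


def audit_scan(scan, baseline, org_ssids):
    """Classify every scanned BSSID against the baseline.

    Returns a dict with four lists: evil_twin, unknown, changed (BSSID, expected, observed)
    and missing (inventory BSSIDs that did not appear in the scan).
    """
    report = {"evil_twin": [], "unknown": [], "changed": [], "missing": []}
    seen = {}
    for bssid, ssid, channel, rssi in scan:
        seen.setdefault(bssid, (ssid, channel, rssi))   # keep the first sighting only
    for bssid, (ssid, channel, rssi) in seen.items():
        if bssid in baseline:
            expected = baseline[bssid]
            if expected != (ssid, channel):
                report["changed"].append((bssid, expected, (ssid, channel)))
        elif ssid in org_ssids:
            report["evil_twin"].append((bssid, ssid, channel, rssi))
        else:
            report["unknown"].append((bssid, ssid, channel, rssi))
    report["missing"] = sorted(b for b in baseline if b not in seen)
    return report


def print_report(report):
    for kind, items in report.items():
        for item in items:
            print(f"[{kind}] {item}")


if __name__ == "__main__":
    print_report(audit_scan(SCAN, BASELINE, ORG_SSIDS))
```

Two caveats when reading the report. A channel change can be legitimate (automatic channel selection), so "changed" entries are for review rather than alarm, whereas an evil twin with a stronger signal than the real AP is the priority finding. And because a BSSID is just a MAC address, an attacker can copy an inventory BSSID exactly (section II.4); a rogue that does so shows up only as a duplicate BSSID on another channel or with an unusual signal level, so the scan should be repeated from more than one location.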

III.6. Awareness

In developed countries, society expresses growing demands in the area of security and protection, which are not always accompanied by a clear awareness of the seriousness of the risks involved. Very often this attitude is not matched by a commitment of citizens to implementing simple measures through responsible and appropriate behaviour. It is among the missions of the Ministry of National Education to ensure the safety of staff and pupils in primary and secondary education, but also to provide safety education. It must ensure:
- awareness of risk prevention;
- information on the missions of the rescue services;
- first-aid training;
- the teaching of general safety rules.


Conclusion

The Tunisian education system, of which higher education is a very important component, is an evolving system that has never stopped adapting, since its early days, to the national and especially the international context in order to reach the best possible levels. As a result, Tunisia has been among the first countries in Africa and the Arab world to opt for the NICT, as shown by its designation as organizer of the second phase of the WSIS. The higher education system is therefore deeply integrated into this evolution.



SECURITY ISSUES AND KEY MANAGEMENT IN MANETs

Marin DUMITRANA

Abstract

A Mobile Ad-hoc Network (MANET) is an autonomous group or cluster of mobile users communicating over relatively bandwidth-constrained wireless links. The term "ad-hoc" refers to the absence of fixed infrastructure: the moving nodes themselves act as mobile routers and are responsible for network mobility. Vehicles such as cars, buses and trains equipped with routers act as nested mobile ad-hoc networks. Vehicles today contain many embedded devices, such as built-in routers, sensors, PDAs and built-in GPS; providing them with an Internet connection gives users information and infotainment. These advances in MANETs help vehicles communicate with each other, so that in an emergency such as an accident, during weather events such as snowfall, or at a roadblock, the information is passed on to nearby vehicles. Technologies are now emerging to provide efficiency to MANET users, for example sufficient storage space; since cloud computing is the next-generation computing paradigm, much research is being conducted on providing cloud services securely over mobile ad-hoc networks. This paper attempts to propose and implement a security-based algorithmic approach for mobile ad-hoc networks.

Keywords: MANET; network security; wormhole attack; secured algorithm

Introduction

One of the major issues in mobile ad hoc networks is performance: in a dynamically varying topology the nodes are expected to be power-aware because of the bandwidth-constrained network. Another issue is security: as each node participates equally in the operation of the network, malicious nodes are difficult to identify. Mobile ad hoc networks have several applications, such as disaster management, field communications, etc. To analyze and investigate these issues in detail, scenario-based simulation of a secure protocol is carried out and compared with classical approaches. The scenarios used for the simulations and predictions depict critical real-world applications including battlefield and rescue operations, but they can be used in many other applications as well. Wireless ad-hoc networks have been an interesting area of research for more than a decade now. What makes ad hoc networks interesting and challenging is their potential use in situations where the infrastructure needed to run a normal network does not exist: a war zone, an isolated remote area, a disaster zone such as an earthquake-affected area, a virtual classroom, etc. In ad-hoc networks all nodes are responsible for running the network services, meaning that every node also works as a router to forward packets to their destination. It is very challenging for researchers to provide comprehensive security for ad hoc networks, with the desired quality of service, against all possible threats, and providing security becomes even more challenging when the participating nodes are mostly less powerful mobile devices. In this paper, an effort has been made to evaluate the various security designs that have been proposed.


1. Security aspects in mobile ad hoc networks

In any classical fixed or wireless network, security is implemented at three stages: prevention, detection and cure. The key parts of the prevention stage are authentication and authorization. Authentication is concerned with authenticating the participating node, the message and any other metadata such as topology state, hop counts, etc.; authorization is concerned with what an authenticated node is permitted to do. Detection is the ability to notice misbehaviour carried out by a node in the network, and the ability to take corrective action after noticing such misbehaviour is termed cure. Possible attacks on ad hoc networks include eavesdropping, compromising a node, distorting messages, replaying messages, failing to forward messages, jamming signals, etc. The central issues behind many of these attacks, at any security stage, are authentication, confidentiality, integrity, non-repudiation, trustworthiness and availability.

Assumption and dependencies

- Ad-hoc networks do not depend on any fixed infrastructure; each node relies on other mobile nodes to communicate, by forwarding and receiving packets.
- Comparing the security issues of a wireless ad-hoc network with those of a wired network, the wired network has a proper infrastructure for forwarding and receiving packets, whereas the wireless network has no such infrastructure and its medium is accessible to both authorized users and attackers.
- In a wireless ad-hoc network there is no dedicated mechanism to monitor traffic and access, which opens the way to intervention by third parties such as malicious users.

In this manuscript, the various issues that affect the security mechanisms of ad-hoc networks are examined, together with the pros and cons of mobile network protocols. The enhancement of the security and reliability of Mobile Ad-hoc Networks (MANETs) is also addressed. Much research has been done on securing MANETs, but no protocol yet excels in providing both security and performance. There are many defects in the mobile framework; these may cause unknown nodes to connect frequently without any proper routing. In order to prevent other nodes from trespassing, we concentrate on providing more security to the mobile ad-hoc network. Of the many research areas in MANETs, security is the major concern. The scope of securing MANETs is as follows:
- securing MANETs has been a great challenge for many years because of the absence of proper infrastructure and the open nature of the network;
- previous security measures in MANETs are not effective in a challenging world with advancing technology;
- many layers are prone to attacks such as man-in-the-middle or multi-layer attacks, so a proposal should concentrate on these layers;
- a proper intelligent approach to securing MANETs has not yet been discovered;
- in this project we concentrate on applying bio-inspired intelligence techniques to securing MANETs.

Characteristics of MANETs

A MANET is an autonomous network of mobile nodes. It may operate in isolation or may have gateways interfacing with a f fixed network. MANET nodes are equipped with wireless transmitters/receivers using antennas that may be omnidirectional (broadcast), highly directional (point-to-point), or some combination thereof. A MANET has several salient characteristics:
- Dynamic topologies: the topology may change randomly and rapidly at unpredictable times, and may consist of both bidirectional and unidirectional links.
- Resource constraints: MANET links have significantly lower capacity than wired links, and the computation and energy resources of a mobile device are limited.
- Infrastructure-less: there is no well-defined infrastructure, access point or other central control point. Moreover, the medium is accessible to both legitimate nodes and attackers, and there is no clear boundary separating the inside of the network from the outside world.
- Limited physical security: MANET devices are generally small and weakly protected; they can be stolen or compromised.

Security Challenges

Security attacks

MANET security is a more critical issue than in wired networks or other wireless counterparts. Many passive and active attacks can be launched from the outside by malicious hosts or from the inside by compromised hosts.
- Passive attacks: an intruder captures the data without altering it; the attacker neither modifies the data nor injects additional traffic.
- Active attacks: an attacker actively participates in disrupting the normal operation of the network services, for instance by modifying packets or introducing false information.

Security goals

Security services include the functionality required to provide a secure MANET environment. They comprise authentication, access control, confidentiality, integrity, non-repudiation and availability.
- Authentication: ensures that a node or message genuinely comes from the party it claims to come from.
- Confidentiality: ensures that the data transmitted over the MANET is not disclosed to unauthorized users.
- Integrity: ensures that data is received exactly as sent by an authorized party.
- Access control: limits and controls access to a resource such as a host system or application.
- Non-repudiation: if an entity sends a message, it cannot later deny having sent it.
- Availability: makes MANET services and resources available to legitimate users.

Security mechanisms

Cryptography is an important and powerful tool for secure communications: it transforms readable data into meaningless data. It has two dominant categories, symmetric-key and asymmetric-key. In symmetric-key cryptography the same key is used to encrypt and decrypt messages, while in the asymmetric-key approach different keys are used to convert and recover the information. A variety of symmetric and asymmetric algorithms are available, including DES (now obsolete because of its 56-bit key), AES and IDEA on the symmetric side and RSA on the asymmetric side. These cryptographic algorithms are the security primitives widely used in wired and wireless networks; they can also be used in MANETs and help achieve security in that unique network setting.

2. Key Management in MANETs

Key management is a basic part of any secure communication. Most cryptosystems rely on some underlying secure, robust and efficient key management. Secure communication in a MANET normally involves a key distribution procedure between the communicating parties, in which the key may have to be transmitted through insecure channels. In fact, all cryptographic techniques are ineffective if key management is weak, so key management is a central part of MANET security. Several asymmetric and symmetric key management schemes have been proposed to adapt to the MANET environment. Key management covers key generation, storage, distribution, updating, revocation, deletion, archiving and the use of keying material in accordance with security policies. In this article, we present a comprehensive survey of research work on key management in MANETs based on recent literature.

2.1 Fundamentals of key management

Most cryptographic systems require underlying secure, robust and efficient key management. Key management is a central part of any secure communication and is the weakest point of MANET security and protocol design. Key distribution and key agreement over an insecure channel are at high risk and subject to attack, and key integrity and ownership must be protected from advanced key attacks. A public key is protected by a public-key certificate, in which a trusted entity, the certification authority (CA) of a PKI, vouches for the binding between the public key and the owner's identity. A cryptographic key may be compromised or disclosed after a certain period of use; since the key should no longer be usable after its disclosure, some mechanism (certificate expiry and revocation) is required to enforce this rule. Key management for large dynamic groups is a difficult problem because of scalability and security: each time a new member is added or an old member is evicted from the group, the group key must be changed to ensure backward and forward secrecy.

2.2 Trust Models

2.2.1 Centralized trust model

In the centralized trust model there is a well-trusted entity known as a trusted third party (TTP). A TTP is an entity trusted by all users in the network and is often used to provide key management services. Depending on the nature of their involvement, TTPs can be classified into three categories: inline, online or offline. An inline TTP participates actively in the communication path between two users. An online TTP participates actively, but only for management purposes, while the two parties communicate with each other directly. An offline TTP communicates with users before communication links are set up and remains offline during network operation.

- TTPs in symmetric key management systems: TTPs have been used in both symmetric and asymmetric key management. Key Distribution Centers (KDCs) and Key Translation Centers (KTCs) are the TTPs of symmetric key management, and the certification authority (CA) is the TTP of public key management. A KDC or KTC simplifies symmetric key management because each user no longer has to share a secret key with every other user, only with the center.


- Public key infrastructure (PKI): the use of public key cryptography requires the authenticity of public keys; otherwise it is easy to forge or spoof someone's public key. A straightforward solution is to have any two users that wish to communicate exchange their public keys in an authenticated manner; a PKI generalizes this by having a CA certify the keys once.

2.2.2 Web-of-trust model

The web-of-trust model is also called certificate chaining; PGP is an example built on this trust model. In the web-of-trust model there is no TTP trusted by all network nodes; certificates are authenticated through certificate chains. Compared with the centralized trust model, the web-of-trust model does not require a heavy infrastructure or complex bootstrapping procedures, and every node plays an identical role and shares the same responsibility.

2.2.3 Decentralized trust model

In a MANET, a key management framework built on a fully centralized model is not feasible, not only because of the difficulty of maintaining such a globally trusted entity but also because the central entity would become a hotspot for attacks, so the network would suffer from a security bottleneck. Meanwhile a completely distributed model may not be acceptable either, because there is no well-trusted security anchor available anywhere in the network. The decentralized model therefore distributes the trusted authority's function across a set of nodes, typically with threshold cryptography, so that no single node is a bottleneck or a single point of compromise.

2.2.4 Hybrid trust model
This model takes advantage of the positive aspects of two different trust systems. The basic idea is to incorporate a TTP into the certificate graph: the TTP is a virtual CA node that represents all the nodes that together make up the virtual CA.

2.3 Key Management Schemes in MANETs

2.3.1 Asymmetric key management schemes
Recent research papers propose different key management schemes for MANETs, most of them based on public-key cryptography. The basic idea is to distribute the CA's functionality to multiple MANET nodes.

2.3.2 Symmetric key management schemes
Other research papers use symmetric-key cryptography to secure MANETs. For instance, some symmetric key management schemes are proposed for sensor nodes, which are assumed to be incapable of performing costly asymmetric cryptographic computations. Pairwise keys can be preloaded into the nodes, or random key pre-distribution is used, in which each node is preloaded with a set of keys drawn from a larger pool so that any two nodes share at least one key with some probability.

2.3.3 Group key management schemes
Collaborative and group-oriented applications in MANETs are an active research area. Group key management is one of the basic building blocks for securing group communication. Key management for large dynamic groups remains a difficult problem because of the scalability and security requirements of re-keying whenever members join or leave.

2.3.1 Asymmetric Key Management Schemes in MANETs

2.3.1.1 Secure Routing Protocol (SRP)
SRP is a decentralized public key management protocol for MANETs. In the system there are n servers responsible for the public-key certificate service; the CA's private key is shared among them with a (t, n) threshold scheme, so the network can tolerate t-1 compromised servers. The servers can proactively refresh the secret shares using proactive secret sharing (PSS) techniques, or adjust the configuration by share redistribution, to handle compromised servers or network failure.

2.3.1.2 Ubiquitous and Robust Access Control (URSA)
URSA is a localized key management scheme for MANETs, also based on threshold cryptography as in SRP. The difference is that in URSA every node is a server and can produce a partial certificate, while in SRP only the server nodes can; the certificate service is thus distributed to all nodes. URSA also proposes a distributed self-initialization phase that lets a newly joined node obtain a secret share by contacting a coalition of neighbouring nodes, without requiring an online share dealer. Every node must periodically update its certificate. The advantages of the scheme are the efficiency and secrecy of local communication, and availability, since the CA's functionality is spread across all nodes. On the other hand, it reduces security, especially when nodes are not well protected: since every node holds a share, an attacker can locate a share holder without much searching and identification effort.

2.3.1.3 Mobile Certificate Authority (MOCA)
MOCA is a decentralized key management scheme for MANETs in which the certificate service is distributed to a subset of nodes, the Mobile Certificate Authorities (MOCAs). If the network is heterogeneous, the MOCA nodes are chosen among the nodes that are physically more secure and computationally more powerful; where the nodes are equally equipped, they are selected randomly.

2.3.1.4 Self-organized Key Management
Self-organized key management is a public key management scheme for MANETs based on the web-of-trust model, similar to PGP. Each user acts as its own authority and issues public key certificates to other users. A user maintains two local certificate repositories, the non-updated and the updated repository; the non-updated repository is kept because it gives a better estimate of the certificate graph. Key authentication is performed via chains of public key certificates that are obtained from other nodes through certificate exchange and stored in the local repositories.

2.3.1.5 Composite Key Management
Composite key management combines the centralized trust model with the fully distributed certificate-chaining model, taking advantage of the positive aspects of both. It incorporates a TTP into the certificate graph; the TTP is a virtual CA node that represents all the nodes that make up the virtual CA. Authentication metrics such as a confidence value are introduced to "glue" the two trust systems together: a node certified by the CA is trusted with a higher confidence level. Properly assigning confidence values, however, is a challenging task.

2.3.1.6 Secure and Efficient Key Management (SEKM)
SEKM is a secure and efficient key management scheme for mobile ad hoc networks based on the decentralized virtual-CA trust model. All decentralized key management schemes are similar in that the CA's functionality is distributed to a set of nodes using threshold cryptography. However, no scheme other than SEKM gives detailed, efficient and secure procedures for the communication and cooperation among the secret share holders, which carry more responsibilities. In SEKM all servers holding a partial key connect to each other and form a server group.

2.3.2 Symmetric Key Management Schemes in MANETs

2.3.2.1 Distributed Key Pre-distribution Scheme (DKPS)
DKPS is a distributed symmetric key management scheme for MANETs aimed at settings where the mobile nodes are not assumed to be capable of computationally intensive public key algorithms and no TTP is available. The basic idea is that each node randomly selects a set of keys in a way that satisfies the probabilistic property of a cover-free family (CFF). Any pair of nodes can then run the secure shared-key discovery (SSD) procedure to find a key they have in common.

2.3.2.2 Peer Intermediaries for Key Establishment (PIKE)
PIKE is another symmetric key management scheme for MANETs: a random key pre-distribution scheme that uses sensor nodes as trusted intermediaries to establish shared keys. Each node shares a unique secret key with a set of other nodes (in the two-dimensional form, the nodes in its row and column of a logical grid), so any pair of nodes has a common secret with at least one intermediate node. The scheme can be extended to three or more dimensions.

2.3.3 Group Key Management Approaches
The group key management approaches considered are:
2.3.3.1 Logical Key Hierarchy (LKH)
2.3.3.2 One-Way Function Trees (OFT)
2.3.3.3 Tree-Based Group Diffie-Hellman (TGDH)
2.3.3.4 Group Diffie-Hellman (GDH)
2.3.3.5 Burmester-Desmedt (BD)
2.3.3.6 Skinny Tree (STR)

3. Applications

• It provides a comparative study of the systems under the parameters packet loss, packet delivery rate and network connectivity.
• A better understanding of the Quality of Service (QoS) parameters can be obtained, and they can be used for solving various networking complexities.

MANET security attacks
A malicious node is one that launches attacks at the various layers of the MANET: application, network, data link and physical. Two types of attack on a MANET are distinguished here:
• Active attacks
• Passive attacks

Active attacks
In an active attack harmful information is injected into the network, causing other nodes or the network operation to malfunction. Carrying out the attack consumes energy and resources of the other nodes; the nodes that do this are called malicious nodes.

Passive attacks
In a passive attack, as the term is used in this paper, a node declines to perform its share of the work, for reasons such as saving its own energy or because it is moving randomly, and thereby degrades the performance of the network. (In the wider literature this non-cooperative behaviour is usually called selfish, and "passive attack" is reserved for eavesdropping and traffic analysis, which do not disturb network operation and are therefore hard to detect.)

Network layer attack Let us concentrate on various attacks on the network layer.

Wormhole attack
The wormhole attack is also known as the tunnelling attack. Two colluding attackers build a tunnel (an out-of-band or encapsulated link) between two distant points of the network and replay packets through it, so that they appear to offer the shortest path between the nodes; they thereby take control of the traffic between those nodes, and the tunnel is invisible to the higher layers. Figure 1 shows the attack: S and D are the source and destination nodes, A, B and C are the intermediate nodes providing the path between them, and M and N are the malicious nodes tunnelled by the colluding attackers.

Existing technique for preventing the wormhole attack
In previous work the wormhole attack is prevented using the Location based Geo and Forwarding (LGF) routing protocol.


Figure 1 Wormhole attack.

Implementation of the LGF routing protocol
Implementing the LGF routing protocol involves several steps; consider a source node S that wants to communicate with a destination node D (Figure 2).
• The source node multicasts to all intermediate nodes an RREQ message that contains the IP address of the destination node, based on the distance to the destination node.
• The protocol is tested with the source node 100 m from the destination node and the following distances between the intermediate nodes:
    DIST(S, 1) = 40 m    DIST(S, 2) = 53 m    DIST(S, 5) = 48 m    DIST(S, 4) = 62 m
    DIST(1, 3) = 60 m    DIST(2, 3) = 130 m   DIST(3, D) = 180 m
    DIST(4, 6) = 45 m    DIST(5, 6) = 85 m    DIST(6, D) = 78 m
• The distance to each intermediate node is compared with the source-to-destination distance using the following rule:
    IF (distance to the intermediate node < distance from S to D) THEN
        the node lies between S and D and may forward the RREQ packet towards D
    ELSE
        the intermediate node is out of the transmission area, so send an RREQ error message back to S
    END IF
• When the RREQ reaches the destination node, D sends an RREP packet back towards the source through the intermediate nodes.
• S receives RREP packets from different intermediate nodes and compares the distances via each of them.
• S selects the shortest path between source and destination according to the received RREPs and then sends the data packets along it.
This is the technique used in the LGF protocol. However, how it prevents the wormhole attack was not clearly resolved: the rule only compares advertised distances, so a tunnel that presents itself as a short hop still passes the test.


Figure 2 LGF protocol implementation.
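The route discovery above can be worked through on the paper's own ten link lengths. The following is an added example, not the paper's implementation: it floods an RREQ under one reading of the distance test (a link is used only if it is shorter than the 100 m S-to-D distance; the exact comparison the paper intends is not spelled out, so this is an assumption), lets S choose the shortest path among the RREPs, and then adds a constructed wormhole (nodes M and N advertising their tunnel as a 5 m hop) to show that the same selection picks the attacker's route.

```python
# Added example (not from the paper): LGF-style route discovery over the test
# topology listed above, plus a constructed wormhole to show why the distance
# check alone does not stop the attack. Distances are link lengths in metres.
from collections import deque

# The ten link lengths exactly as given in the LGF test scenario.
LINKS = {
    ("S", "1"): 40, ("S", "2"): 53, ("S", "5"): 48, ("S", "4"): 62,
    ("1", "3"): 60, ("2", "3"): 130, ("3", "D"): 180,
    ("4", "6"): 45, ("5", "6"): 85, ("6", "D"): 78,
}
SD_DISTANCE = 100  # straight-line distance S -> D stated for the test


def adjacency(links):
    """Undirected neighbour table: node -> {neighbour: link length}."""
    adj = {}
    for (a, b), d in links.items():
        adj.setdefault(a, {})[b] = d
        adj.setdefault(b, {})[a] = d
    return adj


def discover_routes(links, src="S", dst="D", sd_distance=SD_DISTANCE):
    """Flood an RREQ from src. Assumed reading of the LGF test: a node forwards
    the RREQ over a link only if that link is shorter than the S-D distance;
    otherwise the next hop is 'out of transmission area' and an RREQ error goes
    back to S. Returns every path on which an RREQ reached dst."""
    adj = adjacency(links)
    reached = []
    queue = deque([[src]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == dst:
            reached.append(path)
            continue
        for nxt, length in adj[node].items():
            if nxt in path:            # never loop the request back
                continue
            if length >= sd_distance:  # out of range: RREQ error to S
                continue
            queue.append(path + [nxt])
    return reached


def path_length(links, path):
    adj = adjacency(links)
    return sum(adj[a][b] for a, b in zip(path, path[1:]))


def select_route(links, src="S", dst="D", sd_distance=SD_DISTANCE):
    """S compares the RREPs it received and keeps the shortest path."""
    routes = discover_routes(links, src, dst, sd_distance)
    if not routes:
        return None, None
    best = min(routes, key=lambda p: path_length(links, p))
    return best, path_length(links, best)


def with_wormhole(links):
    """Constructed attack: colluding nodes M (near S) and N (near D) relay
    packets through a tunnel and advertise it as one 5 m hop."""
    attacked = dict(links)
    attacked[("S", "M")] = 10
    attacked[("M", "N")] = 5     # the tunnel looks like a very short link
    attacked[("N", "D")] = 10
    return attacked


if __name__ == "__main__":
    print("honest topology:", select_route(LINKS))                # (['S','4','6','D'], 185)
    print("with wormhole:  ", select_route(with_wormhole(LINKS)))  # (['S','M','N','D'], 25)
```

On the honest topology the 130 m and 180 m links fail the test, so the RREQ reaches D only through node 6 and S picks S-4-6-D (185 m). With the tunnel present, S-M-N-D wins at 25 m: distance comparison rewards the wormhole rather than rejecting it, which is why the later group-based scheme authenticates the forwarding nodes instead.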

Black hole attack
The black hole attack [8] is a serious problem for MANETs: a malicious node abuses the routing protocol by announcing that it provides the shortest path to the destination. In a flooding-based protocol the malicious node creates a fake route in place of the real one, which results in packet loss as well as denial of service (DoS). In Figure 3, S and D are the source and destination nodes, A, B and C are the intermediate nodes and M is the malicious node; RREQ and RREP denote the route request and route reply, and MREP the malicious reply.

Existing technique: Two-tier secure AODV (TTSAODV)
The TTSAODV protocol was proposed earlier to prevent the black hole attack. It provides security at two levels:
1. during the route discovery mechanism, and
2. during the data transfer mechanism.

Figure 3 Black hole attack.

With this technique the black hole attack is identified by either of the two mechanisms, so detection still succeeds if one of them fails. Its major drawback is that it causes considerable packet loss and delay in transferring packets.

Resource consumption attack
In a resource consumption attack a malicious node tries to drain the batteries of other nodes by demanding excessive route discoveries or by sending unwanted packets to the source node.

Location disclosure attack
In a location disclosure attack the malicious node collects information about the route map (which nodes exist, where they are and how they connect) and uses it to plan further attacks. This is one of the unsolved security attacks against MANETs.

Multi-layer attacks in MANETs
Attacks that span several layers of a MANET include:
• Denial of Service (DoS)
• Jamming
• SYN flooding
• Man-in-the-middle attacks
• Impersonation attacks

Alpha-numeric based secure reflex routing
The proposed algorithm prevents wormhole attacks by routing data only through authorized nodes, the Leader Nodes (LN) and Access Nodes (AN); all communication takes place through them. The wormhole tunnel is prevented through the following steps (Figure 4).
Step 1 Every connection between nodes passes through a Leader Node and an Access Node, so a malicious node cannot build a tunnel from the source node.
Step 2 The Leader Node manages the routing table and the details of all nodes in its group, including whether a particular node is an Access Node or a normal node. With the help of its Access Nodes it also maintains the details and addresses of the other groups' Leader Nodes.
Step 3 A normal node in a group keeps a table with its Leader Node's address and the common identifier generated by that Leader Node. The Access Nodes keep a table of the other Leader Nodes' common identifiers.
Step 4 The address of every Leader Node that has taken part in routing is stored in the packet, where other Leader Nodes use it for verification.
Step 5 When a source node needs a route to deliver packets to a destination node, it sends a Route Request message to its Leader Node, which uses its common identifier to verify the alpha-numeric values in the packet.
Step 6 The Leader Node checks whether the destination node is in-house. If the destination is under this Leader Node the packet is sent directly; otherwise the Route Request is sent to all of the group's Access Nodes. The Access Nodes use their common identifier to verify the alpha-numeric values from the Leader Node and then forward the packet to the neighbouring Access Nodes.


Figure 4 Proposed worm-hole prevention technique.

Step 7 The neighbouring Access Node checks, using the common identifier exchanged earlier, whether the packet came from its neighbour's Leader Node or from a malicious node, then passes the Route Request to its own Leader Node. That Leader Node verifies the details of the previous Leader Node, adds its own details to the packet and forwards the packet onward until it reaches the destination.
Step 8 Finally the destination node checks with the identifier whether the packet came from its Leader Node or from a malicious node, and accepts the packet once verification succeeds.
Step 9 The destination node sends the Route Reply (RREP) message to the source node along the same route the request followed.
Step 10 If a node involved in routing moves from one group to another, the process need not be repeated, since the node is already registered in the network; another node in the old group takes over its role.
Step 11 If the source or destination node moves away from its group, the foreign Access Node acts as a relay for forwarding packets, which minimizes the time needed to authenticate in the new group.

Proposed architecture: worm-hole attack prevention using the alpha-numeric reflex routing algorithm
With this technique a malicious node has no way to build a tunnel between the source and destination nodes, because it does not belong to any group, and the packets reach the destination node safely and efficiently. This guarantee rests on the common identifiers staying secret and on the check of the alpha-numeric values being unforgeable: a compromised Access Node or a leaked identifier would let an attacker take part as a trusted node.

Pseudocode for the alpha-numeric reflex routing algorithm

    BEGIN
        Initialize nodes
        Initialize source and destination nodes
        FOR i = 0 to n DO
            LNi ← nodes with higher battery power and the ability to manage other nodes
            IF (node is in range of LNi) THEN
                transmit common identifier
            ELSE
                the node is under another LN
            END IF
        END FOR
        FOR i = 0 to n DO
            FOR j = i + 1 to n DO
                ANij ← nodes that receive the common identifier from another LN
                IF (node accepts the common identifier and replies with its details to the LN) THEN
                    node = trusted
                ELSE
                    node = malicious
                END IF
                source node → forward RREQ
                IF (source node and destination node are under the same LN) THEN
                    forward RREQ → destination node
                ELSE
                    forward RREQ → ANij
                    ANij → LNi
                    LNi → destination node
                END IF
            END FOR
        END FOR
    END
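The steps above say what is verified but not how. The following is an added example, not the paper's code: it models groups with a Leader Node and a common identifier, carries the chain of Leader Nodes in the packet (Step 4), and has each group check the previous Leader Node's identifier before adding its own (Steps 5 to 8). The paper does not state how the "alpha-numeric values" are derived or compared; here the common identifier is a random secret and the value is an HMAC over the request keyed with it, which is an assumption. Group names, node names and the forged request are constructed for the illustration.

```python
# Added example (not the paper's code): leader/access-node verified route
# requests. Assumed: each group's common identifier is a random secret and the
# 'alpha-numeric value' is an HMAC-SHA256 over the request keyed with it, so a
# node outside every group can neither originate nor relay a request.
import hashlib
import hmac
import secrets


class Group:
    """One cluster: a Leader Node (LN), its members, and the common identifier
    the LN generates for them (Step 3)."""

    def __init__(self, leader, members, common_id=None):
        self.leader = leader
        self.members = set(members) | {leader}
        self.common_id = common_id or secrets.token_hex(16)


def make_tag(common_id, payload):
    """The verification value carried in the packet (assumed HMAC, truncated)."""
    return hmac.new(common_id.encode(), payload.encode(), hashlib.sha256).hexdigest()[:16]


class Network:
    def __init__(self, groups):
        self.groups = list(groups)
        self.group_of = {n: g for g in self.groups for n in g.members}
        # Access Nodes hold the other Leader Nodes' common identifiers (Step 3);
        # assumed here to have been exchanged between every pair of groups.
        self.leader_ids = {g.leader: g.common_id for g in self.groups}

    def verify(self, packet):
        """Step 7: the tag must come from the Leader Node named last in the packet."""
        known_id = self.leader_ids.get(packet["leaders"][-1])
        if known_id is None:
            return False
        return hmac.compare_digest(make_tag(known_id, packet["payload"]), packet["tag"])

    def route_request(self, src, dst):
        """Returns the chain of Leader Nodes that verified the RREQ (Steps 5-8)."""
        g = self.group_of.get(src)
        if g is None:            # Step 1: unregistered nodes cannot start a route
            raise PermissionError(f"{src} is not registered with any Leader Node")
        payload = f"RREQ:{src}->{dst}"
        packet = {"payload": payload, "tag": make_tag(g.common_id, payload), "leaders": [g.leader]}
        if dst in g.members:     # Step 6: destination is in-house
            return list(packet["leaders"])
        for other in self.groups:
            if other is g:
                continue
            if not self.verify(packet):
                raise PermissionError(f"RREQ rejected by {other.leader}: bad identifier")
            packet["leaders"].append(other.leader)              # Step 7: add own details
            packet["tag"] = make_tag(other.common_id, payload)  # and re-tag for the next hop
            if dst in other.members:                             # Step 8: destination verifies
                return list(packet["leaders"])
        raise LookupError(f"{dst} is not in any group")


def route_is_accepted(net, src, dst):
    try:
        net.route_request(src, dst)
        return True
    except (PermissionError, LookupError):
        return False


def forged_rreq_accepted(net, claimed_leader, dst):
    """Constructed attack: a wormhole endpoint M replays a request claiming it
    passed through claimed_leader, without knowing that leader's identifier."""
    payload = f"RREQ:M->{dst}"
    packet = {"payload": payload, "tag": make_tag("guessed", payload), "leaders": [claimed_leader]}
    return net.verify(packet)


def build_demo_network():
    """Three constructed groups; S sits under LN1 and D under LN3."""
    return Network([Group("LN1", ["S", "A1"]), Group("LN2", ["B1", "B2"]), Group("LN3", ["D", "C1"])])


if __name__ == "__main__":
    net = build_demo_network()
    print(net.route_request("S", "D"))                   # ['LN1', 'LN2', 'LN3']
    print(route_is_accepted(net, "M", "D"))              # False: M is in no group
    print(forged_rreq_accepted(net, "LN1", "D"))         # False: wrong identifier
```

The unregistered node M fails at Step 1, and a forged request naming a real Leader Node fails at Step 7 because the tag was not made with that leader's identifier. Whether the scheme holds in practice comes down to how the identifiers are distributed to the Access Nodes and kept from everyone else.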

Proposed algorithm to prevent the black hole attack
The proposed algorithm introduces the Expected Broadcast Count (EBX) algorithm. With it the highest throughput between nodes becomes possible, although the EBX algorithm by itself does not prevent the black hole attack. Throughput is the average amount of data transmitted in a given time, usually measured in bits per second (bps); it is closely related to, though not the same as, the packet delivery ratio. The malicious node in a black hole attack has a major effect on throughput. A secure mesh network measurement technique is proposed in this work to prevent black hole attacks during the route discovery process between source and destination, using the throughput measurement values; this makes routing more consistent and communication between the nodes more efficient.

Expected broadcast count algorithm
The EBX algorithm is used to increase throughput in MANETs. EBX is the expected number of transmissions and retransmissions needed to deliver a packet successfully over a link. It is calculated from the delivery ratio in the forward direction, $d_d$ (the probability that a data packet reaches the receiver), and the delivery ratio in the reverse direction, $d_s$ (the probability that the acknowledgement comes back). Both are measured with acknowledgement packets called queries: nodes exchange query messages with their neighbours after each delivered packet. Consider a link $A \to B$. The two nodes agree to send queries at a fixed interval $\tau$ (the jitter, i.e. the packet delay variation) over a measurement gap $g$, so $g/\tau$ queries are expected, and each node counts the queries received from the other during the window $(t-g, t)$. Node A then computes

$$d_d = \frac{\mathrm{count}(t-g,\,t)}{g/\tau} \qquad (1)$$

where $\mathrm{count}(t-g, t)$ is the number of queries sent by node B and received by node A in the window. Node B computes $d_s$ in the same way:

$$d_s = \frac{\mathrm{count}(t-g,\,t)}{g/\tau} \qquad (2)$$

A and B exchange $d_s$ and $d_d$ and compute the link metric

$$\mathrm{EBX}_{A \to B} = \frac{1}{d_s \cdot d_d} \qquad (3)$$

The same calculation is applied to every link of a candidate route. Routes with more hops accumulate a larger EBX and may have lower throughput because hops on the same path interfere with one another. The EBX of a route from source to destination is the sum of its link values:

$$\mathrm{EBX}_{S \to D} = \sum_{(A \to B) \in \text{path}} \mathrm{EBX}_{A \to B} \qquad (4)$$

A route with a lower EBX has a smaller probability of packet loss and is preferred over the other routes (Figure 5, Table 1).
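Equations (1) to (4) are easy to get wrong at the edges (a link that never delivers, a route that accumulates over several hops), so the following added example, not the paper's code, carries them through on constructed query counts. It assumes a window of g = 10 s and a query interval of τ = 1 s, so 10 queries are expected per direction, and includes a constructed black-hole node M: because queries are only exchanged after a delivered packet, a node that forwards nothing generates no queries on its downstream link, its reverse ratio is zero, and its route gets an infinite cost.

```python
# Added example (not the paper's code): EBX link and route metric from query
# counts, with a constructed black-hole link to show how a node that never
# delivers data drops out of route selection.
import math

WINDOW_G = 10.0    # g: measurement window in seconds (assumed)
PERIOD_TAU = 1.0   # tau: interval between query messages in seconds (assumed)


def delivery_ratio(received, window=WINDOW_G, period=PERIOD_TAU):
    """Equations (1)/(2): queries received in (t-g, t) over the g/tau expected."""
    expected = window / period
    return min(received / expected, 1.0)


def link_ebx(d_d, d_s):
    """Equation (3): EBX_{A->B} = 1 / (d_s * d_d). A link that never delivers in
    one direction gets an infinite cost instead of a ZeroDivisionError."""
    if d_s <= 0.0 or d_d <= 0.0:
        return math.inf
    return 1.0 / (d_s * d_d)


def route_ebx(links, path):
    """Equation (4): route cost is the sum of the link costs along the path."""
    return sum(link_ebx(*links[(a, b)]) for a, b in zip(path, path[1:]))


def best_route(links, candidates):
    """The route with the smallest EBX has the lowest expected packet loss."""
    scored = [(route_ebx(links, p), p) for p in candidates]
    cost, path = min(scored, key=lambda cp: cp[0])
    return path, cost


# Constructed query counts for one window (10 queries expected per direction):
# for link A->B the pair is (queries A heard from B, queries B heard from A),
# i.e. the inputs to d_d and d_s. M is a black hole: it answers route requests
# but forwards no data, so D never receives a post-delivery query from M.
QUERY_COUNTS = {
    ("S", "A"): (10, 9), ("A", "B"): (8, 8), ("B", "D"): (9, 10),
    ("S", "C"): (10, 10), ("C", "D"): (7, 6),
    ("S", "M"): (10, 10), ("M", "D"): (10, 0),
}
LINKS = {link: (delivery_ratio(a), delivery_ratio(b)) for link, (a, b) in QUERY_COUNTS.items()}
CANDIDATES = [["S", "A", "B", "D"], ["S", "C", "D"], ["S", "M", "D"]]


if __name__ == "__main__":
    for p in CANDIDATES:
        print("->".join(p), round(route_ebx(LINKS, p), 3))
    print("selected:", best_route(LINKS, CANDIDATES))   # (['S', 'C', 'D'], 3.381)
```

The two-hop route through M is the shortest in hops but has infinite EBX, while S-C-D (3.381) beats the three-hop S-A-B-D (3.785). This is the point of measuring delivery rather than trusting the route reply: a black hole looks perfect during discovery and only shows up in the data-plane counts.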

Figure 5 Packet loss comparison graph.

Table 1 Packet loss comparisons

    Scenario             Time (s)    Packet drop (bits)
    Existing system 1    6.5         10581
    Existing system 2    6.5         13221
    Proposed system 1    6.5          4372
    Proposed system 2    6.5           322
    Proposed system 3    6.5           715

Intelligent MANET algorithm
In this intelligent approach the nodes connected to the network are monitored by a server agent, which keeps the following details about each mobile node:
• Behaviour of the node
• Speed of the node
• Direction of the node
• Position of the node
This technique prevents malicious nodes from attacking other nodes (Figure 6).

Step 1 A node that wants to take part in the network to access a service such as the internet registers its identity with the server agent, which replies with a unique ID.
Step 2 The source node requests a route to the destination node from its current access point, which forwards the route request to the server agent.
Step 3 The server agent verifies the source ID, accepts the route request from the sender and looks up the receiver's information by destination ID in its list.
Step 4 The server agent broadcasts the route request using the destination ID; the registered adjacent nodes near the destination that are ready to provide the service reply with an acknowledgement to the server agent.
Step 5 The server agent chooses the adjacent node with the longest lifetime (the ability to stay connected with the destination node), using the details collected under the node's ID: position, direction of motion and speed.
Step 6 The server agent then sends a route reply to the source node; after this authentication process the source node starts sending data packets securely.
Step 7 If any node moves away from the network, the server agent immediately replaces it with another node to keep the connection alive.
Step 8 Malicious and selfish nodes are thus excluded from the network, because the server agent has full control of the ad hoc network. Note that this reintroduces the centralized trust anchor of Section 2.2.3: the server agent must itself stay reachable and protected, since it becomes the hotspot for attacks.

Figure 6 Intelligent MANET architecture.
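Step 5 asks the server agent to rank candidate relays by how long they will stay in range of the destination, given the position, speed and direction it holds for each ID. The paper gives no formula, so the following is an added example, not the paper's code: it assumes straight-line motion at constant speed and a 100 m radio range (both assumptions), solves for the time at which the relative distance reaches the range, and skips nodes that are not registered or did not acknowledge the broadcast. The table of nodes is constructed.

```python
# Added example (not the paper's code): how a server agent could rank the nodes
# that answered the route broadcast by the time they will stay in range of the
# destination. Assumed: constant-velocity motion and a 100 m radio range.
import math

RANGE_M = 100.0


def velocity(speed, heading_deg):
    """Speed in m/s and heading in degrees -> (vx, vy) in m/s."""
    rad = math.radians(heading_deg)
    return (speed * math.cos(rad), speed * math.sin(rad))


def link_lifetime(pos_a, vel_a, pos_b, vel_b, rng=RANGE_M):
    """Seconds until a and b drift more than rng apart. Solves |p + v t| = rng
    for the relative position p and relative velocity v (a quadratic in t).
    Returns inf if they never separate, 0.0 if they are already out of range."""
    px, py = pos_a[0] - pos_b[0], pos_a[1] - pos_b[1]
    vx, vy = vel_a[0] - vel_b[0], vel_a[1] - vel_b[1]
    a = vx * vx + vy * vy
    b = 2.0 * (px * vx + py * vy)
    c = px * px + py * py - rng * rng
    if c > 0.0:
        return 0.0
    if a == 0.0:
        return math.inf
    disc = b * b - 4.0 * a * c      # c <= 0 guarantees disc >= 0
    return (-b + math.sqrt(disc)) / (2.0 * a)


def choose_relay(table, dst_id, rng=RANGE_M):
    """Step 5: among registered nodes that acknowledged the broadcast, pick the
    one with the longest remaining link lifetime to the destination."""
    dst = table[dst_id]
    dst_vel = velocity(dst["speed"], dst["heading"])
    best_id, best_t = None, -1.0
    for nid, rec in table.items():
        if nid == dst_id or not rec["registered"] or not rec["acked"]:
            continue
        t = link_lifetime(rec["pos"], velocity(rec["speed"], rec["heading"]),
                          dst["pos"], dst_vel, rng)
        if t > best_t:
            best_id, best_t = nid, t
    return best_id, best_t


# Constructed server-agent table: what the agent knows per ID. M is an
# unregistered node that answered anyway and must be ignored.
DEMO_TABLE = {
    "D": {"pos": (0.0, 0.0),  "speed": 2.0, "heading": 0,   "registered": True,  "acked": False},
    "A": {"pos": (50.0, 0.0), "speed": 3.0, "heading": 0,   "registered": True,  "acked": True},
    "B": {"pos": (60.0, 0.0), "speed": 5.0, "heading": 180, "registered": True,  "acked": True},
    "C": {"pos": (90.0, 0.0), "speed": 3.0, "heading": 90,  "registered": True,  "acked": True},
    "M": {"pos": (10.0, 0.0), "speed": 2.0, "heading": 0,   "registered": False, "acked": True},
}


if __name__ == "__main__":
    print(choose_relay(DEMO_TABLE, "D"))   # ('A', 50.0)
```

A moves in the same direction as D but 1 m/s faster, so it takes 50 s to open the 50 m gap to 100 m; B heads straight towards and past D (about 23 s) and C moves off at right angles (about 32 s). M would stay in range for ever, but an unregistered node never gets selected, which is the whole point of Step 1.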

Conclusion

Mobile ad hoc networks have faced vulnerability and security issues for a long time. Assorted protocols and algorithmic approaches have been developed and implemented to avoid and remove the associated issues. In this manuscript we have implemented an empirical and effective approach to reduce the packet loss frequency. The algorithmic approach is implemented in the network simulator ns-2 to execute the scenarios and obtain the results reported above.

References

1. Clausen TH (2007) Introduction to mobile ad-hoc networks. Internet Draft
2. Yu C-F (1989) Security safeguards for intelligent networks. In: IEEE International Conference on World Prosperity Through Communications, ICC '89, Boston. Conference record, vol 3. GTE Lab. Inc, Waltham, MA, USA, pp 1154–1159
3. Choi S, Kim DY, Lee DH, Jung J-i (2008) WAP: wormhole attack prevention algorithm in mobile ad hoc networks. In: IEEE International Conference on Sensor Networks, Ubiquitous and Trustworthy Computing, SUTC '08, pp 343–348
4. Li JH, Das S, McAuley A, Lee J, Stuhrmann T, Gerla M, Zeng H (2010) A multi-layer approach for seamless soft handoff in mobile ad hoc networks. In: IEEE GLOBECOM Workshops (GC Wkshps). Intell. Autom., Inc. (IAI), Rockville, MD, USA, pp 21–26
5. Leonard J (1997) Interactive game scheduling with genetic algorithms. Minor thesis, Department of Computer Science, RMIT (Royal Melbourne Institute of Technology University)
6. Prasad S, Singh YP, Rai CS (2009) Swarm based intelligent routing for MANETs. Int J Recent Trends Eng 1(1)
7. Garg P (2009) A comparison between memetic algorithm and genetic algorithm for the cryptanalysis of simplified data encryption standard algorithm. Int J Netw Secur Appl (IJNSA) 1(1)
8. Sanjay R, Huirong F, Manohar S, John D, Kendall N (2003) Prevention of cooperative black hole attack in wireless ad hoc networks. In: International Conference on Wireless Networks (ICWN'03), Las Vegas, Nevada, USA

ANATOMY OF A HACK

Suren OHANOV

Overview

The intent of this briefing is to familiarize administrators with concepts related to hacking and computer attacks.

•Terms and Concepts

•Adversaries

•Progression of an Attack (phases)

•Reconnaissance

•Targeting/Attack Planning

•Attack Execution

•Network/System Penetration

•Denial of Service

•Consolidation of Goals


Terms and Concepts

First we will discuss some common terms and concepts:

•Attack Surfaces

•Vulnerabilities

•Exploits

•Zero-Day Exploits

Attack Surfaces

•A system’s attack surface is the subset of the system’s resources (methods, channels, and data) potentially used in attacks on the system

•The sum of the different points (vectors) where an unauthorized user (“attacker”) can try to enter data to or extract data from an environment

•Reachable and exploitable resources

•A network's exposure to a threat


Attack Surfaces

•Example: a castle

•Exploiting its different attack surfaces

Vulnerability

•A vulnerability is a weakness which allows an attacker to reduce a system's information assurance

•A vulnerability is the intersection of three elements:

•A system susceptibility or flaw

•An attacker’s access to the flaw

•An attacker’s capability to exploit the flaw


Exploit

•A piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on a computer system

•Exploits can be classified in several ways; the most common is by how the exploit contacts the vulnerable software:

•A remote exploit works over a network and exploits the security vulnerability without any prior access to the vulnerable system

•A local exploit requires prior access to the vulnerable system and usually increases the privileges of the person running the exploit past those granted by the system administrator

Zero-Day Attacks

•A 'zero-day' (or 'zero-hour', 'day zero' or '0-day') is an attack that exploits a vulnerability not yet known to the vendor or to defenders, so no patch is available

•This means that the attack occurs on "day zero" of awareness of the vulnerability

•Publishing of countermeasures/patches often causes a second wave of attacks because of malware generation based on reversing the patch.


ADVERSARIES

In order to effectively resist attacks against its information and information systems, an organization needs to characterize its potential adversaries:

•Types of adversaries

•Potential motivations and goals

•Classes of attack

A network can be exposed to various malicious classes of attack, which are defined by the TTPs (Tactics, Techniques and Procedures) used. These include, but are not limited to:

•Passive monitoring of communications

•Active network attacks

•Exploitation of insiders

•Close-access attacks

•Attacks through IT industry providers

TTPs are the actions and methods used to exploit a network VULNERABILITY.


Progression of an attack Reconnaissance

Reconnaissance activities include:

•OSINT (Open Source Intelligence)

•DNS research

•IP/Network research

•Physical recon of target

•War Driving (passive)

•Social Engineering (for information)

Targeting / Attack Planning

Weaponeering activities include:

•Gathering specific targeting information
  •Active scanning: ports, services, banners, OS identification
  •Network mapping
  •Vulnerability scanning
  •Network modeling
  •War dialing
  •Physical
  •Social engineering

•Developing an attack method
  •Constructing phishing attacks
  •Developing exploits


Attack Execution

Execution activities include:

•Sending phishing emails
  •Drive-by downloads
  •Malicious attachments

•Executing technical exploits
  •Buffer overflows
  •SQL injection

•Close-access attack
  •Physical connection to the target
  •Dropping "seed" media

•Viable attack methods can change daily:
  •As systems are patched
  •As new vulnerabilities are discovered and exploits are created

Network / System Penetration

Penetration activities include:

•Breaking out of a foothold condition
  •Initial connection to the target

•Network enumeration
  •Useful information about the internal network

•Local/system escalation
  •System weaknesses

•Network/domain escalation
  •Gathering and using credentials


Network/System Penetration

•Escalation cycle

•Generally a recursive process
  •Leverage local escalations to gain network (domain) escalation
  •Usually need local admin (often SYSTEM) to run tools

•Gathering of credentials (Local and Network)

•Use the credentials to execute tasks

Network/System Penetration – Using enumeration data

•Targets are arranged according to the following criteria (in no particular order):

•Interesting users or groups
  •Interesting groups are groups that hold elevated privileges, for example Domain Admins, Enterprise Admins, Resource Admins, CSAs, etc.
  •Interesting persons are people who are members of these groups.

•A person is logged onto the computer
  •A person, any person, is logged onto the computer; not necessarily a person with elevated privileges.

•There is a vulnerability on the computer
  •Any vulnerability that allows us to take control of the computer.


•This is a three-tier process:

•Tier 1 - Meets one of the three criteria

•Tier 2 - Meets two of the criteria

•Tier 3 - Meets all three of the criteria

•Most of the time we will find a tier 2 target, one that meets two of the criteria but not three. For example, a vulnerable computer with a person logged onto it meets the vulnerability and logged-on criteria but misses the interesting person or group.

•A Tier 3 target is one that meets all three criteria (‘Golden Nugget’)

•Most of the time, we will end up hopping from one tier 2 to another tier 2 to get the desired results (that is expanding our control over a target network).
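The tiering and the tier-2-to-tier-2 hopping above are what an attacker's (or a defender's) enumeration data gets fed into. The following is an added example, not part of the briefing: it scores each host against the three criteria and then searches the escalation cycle (exploit a vulnerable host, harvest the credentials of whoever is logged on, use them wherever that account is local admin, repeat) for a chain that ends at a member of an interesting group. The host, user and group data are constructed.

```python
# Added example (not from the briefing): tiering hosts by the three criteria and
# searching the escalation cycle for a chain that ends at an interesting account.
# All enumeration data below is constructed.
from collections import deque

INTERESTING_GROUPS = {"Domain Admins", "Enterprise Admins"}


def host_tier(name, hosts, users):
    """Number of criteria met: interesting user logged on, any user logged on,
    vulnerability present. 3 is the 'golden nugget'; 2 is the usual find."""
    rec = hosts[name]
    logged_on = bool(rec["sessions"])
    interesting = any(INTERESTING_GROUPS & users[u]["groups"] for u in rec["sessions"])
    return int(interesting) + int(logged_on) + int(rec["vulnerable"])


def escalation_path(hosts, users):
    """Breadth-first search over the escalation cycle. Returns the first chain
    from a vulnerable host to an interesting account, or None if there is none."""
    parent = {}
    queue = deque()
    for name, rec in hosts.items():
        if rec["vulnerable"]:                   # footholds: exploitable without creds
            parent[("host", name)] = None
            queue.append(("host", name))
    while queue:
        node = queue.popleft()
        kind, name = node
        if kind == "user" and INTERESTING_GROUPS & users[name]["groups"]:
            return _unwind(parent, node)
        if kind == "host":                      # owning a host yields its sessions' creds
            nexts = [("user", u) for u in hosts[name]["sessions"]]
        else:                                   # owning an account yields hosts it admins
            nexts = [("host", h) for h in sorted(users[name]["admin_on"])]
        for nxt in nexts:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def _unwind(parent, node):
    chain = []
    while node is not None:
        chain.append(f"{node[0]}:{node[1]}")
        node = parent[node]
    return chain[::-1]


# Constructed enumeration data: two vulnerable workstations, one server.
HOSTS = {
    "WS1":  {"vulnerable": True,  "sessions": ["alice"]},
    "WS2":  {"vulnerable": True,  "sessions": []},
    "WS3":  {"vulnerable": False, "sessions": ["bob"]},
    "SRV1": {"vulnerable": False, "sessions": ["bob"]},
}
USERS = {
    "alice": {"groups": {"Domain Users"},                  "admin_on": {"SRV1"}},
    "bob":   {"groups": {"Domain Users", "Domain Admins"}, "admin_on": {"WS3", "SRV1"}},
}


if __name__ == "__main__":
    for h in HOSTS:
        print(h, "tier", host_tier(h, HOSTS, USERS))
    print(escalation_path(HOSTS, USERS))   # ['host:WS1', 'user:alice', 'host:SRV1', 'user:bob']
```

No host here is a tier 3: WS1 is vulnerable with a non-interesting user logged on, SRV1 has a Domain Admin logged on but no vulnerability. The chain WS1 to alice to SRV1 to bob is exactly the tier-2-to-tier-2 hop the slide describes, and it is the reason session enumeration and local-admin rights matter as much as vulnerability scans.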

Denial of Service

DoS activities include:

•Techniques across all levels of the OSI model
  •Physical (wired / wireless)
  •Data link (ARP storm)
  •Network layer attacks (Smurf)
  •Transport attacks (Fraggle)
  •Application (IRC chat flood)

•DoS (Denial of Service): system-level attacks

•DDoS (Distributed Denial of Service): network-level attacks


Well-known attacks include:

•DoS
  •Flood attacks
    •Ping (ICMP)
    •SYN
  •Teardrop
  •Ping of Death
  •LAND attack

•DDoS
  •Amplifier nets
    •Smurf
    •Fraggle
  •Botnets

Ping Flood •Attacker sends ICMP Echo Request packets – Victim Responds

•Only works when Attacker’s bandwidth outpaces Victim’s bandwidth

SYN Flood •Attacker sends a stream of SYN segments, usually with spoofed source addresses, and never completes the handshake

•Victim keeps a half-open connection for each one while waiting for the ACK to its SYN-ACK, until its backlog is exhausted

•Attack repeats on multiple ports


LAND Attack •Attacker crafts a packet with the victim as both the source AND the destination address (and the same source and destination port)

•Requires a service which responds to requests from itself

Teardrop •Attacker sends malformed IP packet (Overlapping fragmentation)

•Victim crashes interpreting packet

Ping Of Death •Attacker sends an oversized ICMP Echo Request, delivered as fragments that reassemble to more than 65535 bytes (e.g. 65536)

•Victim crashes while reassembling the packet, since the maximum IP packet size is 65535 bytes

Some well-known DDoS attacks: •Smurf attack: reflected ICMP

•Fraggle: reflected UDP

1) The attacker sends forged packets to the broadcast address of an amplifier network, with the spoofed source address of the target machine

2) Every host in the amplifier network responds to the target of the attack
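The ping flood, SYN flood, LAND, Teardrop, Ping of Death and Smurf descriptions above each name one recognizable property of a packet or a packet stream. The following is an added example, not from the briefing: detection checks for those properties run over constructed packet records (plain dicts standing in for a decoded capture; nothing here is real traffic). The broadcast addresses and the half-open threshold are assumptions a deployment would set for itself.

```python
# Added example (not from the briefing): detection checks for the DoS packets
# described above, run over constructed packet records. The broadcast address
# set and the SYN threshold are assumed deployment settings.
from collections import Counter

IP_MAX_BYTES = 65535
BROADCAST_ADDRS = {"192.168.1.255", "10.0.255.255"}   # assumed local directed broadcasts


def is_land(pkt):
    """LAND: source == destination address and port, so the reply goes to itself."""
    return (pkt["proto"] == "tcp" and pkt["src"] == pkt["dst"]
            and pkt["sport"] == pkt["dport"])


def is_smurf_trigger(pkt):
    """Smurf: ICMP Echo Request (type 8) aimed at a broadcast address; the
    spoofed source is the victim every amplifier host will answer."""
    return pkt["proto"] == "icmp" and pkt["icmp_type"] == 8 and pkt["dst"] in BROADCAST_ADDRS


def reassembled_size(fragments):
    """Highest byte offset covered by the fragments of one datagram."""
    return max(f["offset"] + f["length"] for f in fragments)


def is_ping_of_death(fragments):
    """Fragments that would reassemble past the 65535-byte IP maximum."""
    return reassembled_size(fragments) > IP_MAX_BYTES


def has_overlapping_fragments(fragments):
    """Teardrop: a fragment starts before the previous one ends."""
    spans = sorted((f["offset"], f["offset"] + f["length"]) for f in fragments)
    return any(nxt_start < prev_end
               for (_, prev_end), (nxt_start, _) in zip(spans, spans[1:]))


def half_open_per_target(packets):
    """SYN flood indicator: SYNs never followed by an ACK on the same flow,
    counted per (destination address, port)."""
    pending = set()
    for p in packets:
        if p["proto"] != "tcp":
            continue
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            pending.add(flow)
        elif p["flags"] == "A":
            pending.discard(flow)
    return Counter((dst, dport) for (_, _, dst, dport) in pending)


def alerts(packets, fragment_sets, syn_threshold=3):
    found = []
    for p in packets:
        if is_land(p):
            found.append(f"LAND from {p['src']}:{p['sport']}")
        if is_smurf_trigger(p):
            found.append(f"SMURF trigger to {p['dst']} spoofing {p['src']}")
    for name, frags in fragment_sets.items():
        if is_ping_of_death(frags):
            found.append(f"PING-OF-DEATH {name} ({reassembled_size(frags)} bytes)")
        if has_overlapping_fragments(frags):
            found.append(f"TEARDROP {name}")
    for (dst, dport), n in half_open_per_target(packets).items():
        if n >= syn_threshold:
            found.append(f"SYN-FLOOD {dst}:{dport} ({n} half-open)")
    return sorted(found)


# Constructed records: one LAND packet, one Smurf trigger, one completed
# handshake, five spoofed SYNs that never complete, and two fragment sets.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.5", "sport": 139, "dport": 139, "flags": "S"},
    {"proto": "icmp", "src": "10.0.0.9", "dst": "192.168.1.255", "icmp_type": 8},
    {"proto": "tcp", "src": "10.0.0.7", "dst": "10.0.0.5", "sport": 40000, "dport": 80, "flags": "S"},
    {"proto": "tcp", "src": "10.0.0.7", "dst": "10.0.0.5", "sport": 40000, "dport": 80, "flags": "A"},
] + [
    {"proto": "tcp", "src": f"203.0.113.{i}", "dst": "10.0.0.5", "sport": 1024 + i, "dport": 80, "flags": "S"}
    for i in range(1, 6)
]
FRAGMENTS = {
    "echo-1": [{"offset": 0, "length": 1480}, {"offset": 64000, "length": 1544}],  # ends at 65544
    "echo-2": [{"offset": 0, "length": 36}, {"offset": 24, "length": 36}],         # overlap
}


if __name__ == "__main__":
    for line in alerts(PACKETS, FRAGMENTS):
        print(line)
```

Each check is deliberately stateless except the half-open counter, which is the one that needs a time window and a threshold in production; the constructed run yields one alert per attack type described on the slides.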


Some well-known DDoS attacks: •Botnets (first seen ~2001)
  •Storm (160K to 50M bots): spread by email trojan
  •Zeus (3.6M bots in the U.S.): spread by drive-by downloads and phishing
  •Conficker (10M+ bots): spread using Windows OS vulnerabilities and dictionary attacks against admin passwords
  •Mariposa (12M+ bots): spread using Windows Messenger, peer-to-peer, USB
  •BredoLab (30M+ bots): spread using malicious email attachments and drive-by downloads
  •Harder to block than amplifier nets: IPs come from all over the Internet


Consolidation of Goals

Goals activities include:

•CNE (computer network exploitation)
  •Expanding access: agile, persistent
  •Working with data: access, enumeration, mining, exfiltration

•CNA (computer network attack)
  •Damage assessment

•Common hacker goals involve the ability to access information: a persistent, agile connection to information
  •Persistent: can connect to the target when we want
  •Agile: able to change our connection as needed
  •Information: can access the information we are interested in


Review

•Reconnaissance: preliminary information-gathering stage

•Targeting/Planning: matching a vulnerability to an exploit method to develop an attack plan

•Attack Execution: the point at which malicious code is sent to the target, or a machine/network is physically compromised

•Network/System Penetration: gaining access to network/system resources

•Denial of Service: preventing legitimate users from accessing a resource

•Consolidation of goals: bringing the objectives together


Conclusions

In this brief we have examined, in rather excruciating detail, how a network may get hacked. This brief does not prove that Windows-based networks are any less secure than any other network. Although the specifics of the attack demonstrated here are unique to Windows, minor modifications to the techniques and a new tool set would make the same compromise possible on any network running any platform. The problem is not the platform, it is the practices. All platforms are securable, but all networks are exploitable if they are not architected and implemented carefully. The techniques may vary, but the end result does not. Poor implementation is poor implementation, regardless of the underlying platform.

We also saw that exploiting a network is entirely possible using only operational security problems. Note that we did not exploit a single vulnerability in the platform. We were even able to do this on a network where every host was fully patched! Patching alone is not the be-all and end-all of security. Patching is critical, but it is also important to understand what you accomplish by patching: it simply allows you to focus on the architecture and implementation of your network.

Finally, we cannot stress enough that understanding the patterns and practices that an attacker exploits is crucial to understanding how to protect a network. This does not mean that system and security administrators need to be capable of actually exploiting all these problems. They just need to understand what an attacker can do with them, to gain an appreciation of how to protect against them. In the end, do we need to protect against all of these problems? No, probably not. It is all about risk management. Your security policy needs to cover which types of risk you are willing to accept to gain some functionality and ease of use. Do not forget the fundamental tradeoff between security, usability and cost. Since most networks are designed in the face of limited resources, the policy needs to tell us which tradeoffs are acceptable.

What You Should Do Today

• Investigate the security practices of any business partners who have connections into your network.
• Close down all unnecessary holes in your firewall.
• Filter outbound traffic on your firewall.
• Patch everything.
• Start thinking about attack-surface reduction on your hosts.


INFORMATION SECURITY MANAGEMENT IN AN E-GOVERNMENT ENVIRONMENT

Lotfi HACHANA

INTRODUCTION

Electronic Government (e-Government) can be defined as "the use of information and communication technology (ICT), and particularly the Internet, in order to improve the management of public affairs" [1]. As a vector for improving the relationship between the administration and the citizen, e-Government makes it possible to offer a more efficient supply of services to users and to increase administrative transparency. It is also at the heart of the modernization of the state, because it is a tool for improving the state's procedures and internal workings and for optimizing its costs. In terms of user services there is one main goal: to make information available to citizens in order to simplify administrative procedures.

Thanks to advances in information and communication technologies, the e-Government concept lets users easily use the available services from wherever they are; a browser is all they need. Providing the required services easily and securely through information technology has been an important issue in e-Government. The time for the electronic-based society has arrived. E-Government has received more and more importance, and it can provide non-stop government information services to citizens, enterprises, public officers, government administrations and agencies over a network. There are many issues in e-Government which need careful examination, such as security issues, the service requirements of e-Government and the domain of e-Government.

When governments decide to provide services and information on the Internet, assurance and security become imperative issues throughout the project cycle. It is hard to argue against the convenience for citizens of accessing and processing tasks such as filing income taxes, casting votes in an election, etc.

In this paper, I focus on Information Security Management in an e-Government environment. First of all, I have to define the concept of e-Government (I). As the second step, a presentation on risk management in e-Government (II) is proposed. Finally, the management of e-Government information security (III) is provided.

[1] The e-Government: an Imperative, OECD Report 2003.

I - CHAPTER 1: E-Government, a new concept

E-Government aims to optimize processes between customers (the population) on the one hand and state services on the other, but also within the administration, by exploiting ICT. Processes are at the heart of e-Government. The aim is to increase the degree of automation of processes where customers want it and where it makes sense economically. Developing e-Government services enables governments to be more available to their customers, to speed up processing tasks and to improve the quality of services.

1.1 The concept of e-Government

The degree of exploitation of the electronic offering can range from the simple provision of information (publication of opening hours and contact addresses), through transactions with discontinuity between different media (downloading forms that are then handed to the administration in printed form), to completely automated transactions that are seamless between different media. The absence of discontinuity between different media means that all communication with customers is done electronically, that is to say, requests are submitted by electronic means and paid services can be paid for online. Internal monitoring of the processing is also done within the administration concerned. The following terminology (Figure 1) has been established to describe the relationships between the different types of players:
• Government to Business (G2B) for relations between government and business, or Government to Organization (G2O) if they are non-profit organizations;
• Government to Citizen (G2C) for relations between the administration and citizens;
• Government to Government (G2G) for relations between governments;
• Government Internal (GI) for relations within an administration.


Figure 1

Current technology allows the outsourcing of activities that traditionally took place in one location, allowing a new design of work processes and improving the quality and efficiency of the services provided. Customer contact can indeed be maintained at the counter (front office) while processing is concentrated in back offices, achieving economies of scale and leveraging the combination of skills. The distribution and production of administrative services are therefore optimized.

1.2 Principles

The practical approach is based on the following principles:
• Customer focus: the activities of e-Government are focused on customers and the benefits they can derive.
• Process orientation: optimizing business processes is the core of e-Government. Computer systems are used to support the processes. The processes between the administration and its clients are in the foreground. The change in working methods requires active communication and the participation of employees.
• Project orientation: overall planning is subdivided into feasible projects, that is to say, clearly defined projects with the fewest dependencies.

1.3 E-Government infrastructure

The target information technology (IT) architecture describes the infrastructure required for e-Government. The functions for increasing the degree of automation of the services the administration provides via the Internet and electronic mail (e-mail) are central to this architecture. These are computer functions that underlie specific work steps of a business process. An example: for a work permit application to be handled electronically, it is necessary to provide services for data entry (web form or "smart" PDF form), for identification and authorization, and for the billing and electronic payment of fees. The target IT architecture determines which infrastructure elements must be built in coordination with other jurisdictions, within the administration itself, or in a decentralized way. It also sets the technical standards that must be respected during production. The following figure (Figure 2) gives a schematic overview based on the e-Government architecture model:
• Clients communicate with the administration through electronic channels such as the Internet, e-mail and client-server solutions.
• Portal: a portal provides access to the administration's offering in a structured way and with a uniform corporate image.
• Services: services correspond to typical functions that are repeated in many business processes. These are for example:
  - the provision of information (content management);
  - data entry (web forms, PDF forms);
  - identification and authorization (lists, digital signature);
  - document management and electronic business process management;
  - online shop and payment functions (management of online purchases);
  - calendar and booking functions.

Figure 2


1.4 Global trends in e-Government [2]

Due to a number of factors, there are wide disparities among regions and countries in e-Government development. Access to information and communication technology (ICT) infrastructure and the provision of education, including ICT literacy, are related to the income level of a nation. The absence of these factors hinders the implementation of e-Government initiatives. However, national income does not, by itself, constitute or guarantee e-Government development. There are many countries that have significantly advanced their e-Government despite relatively low national income. The Republic of Korea retained the top spot in 2014 with its continued leadership and focus on e-Government innovation (Figure 3). As in previous years, the 2014 Survey shows that Europe continues to lead with the highest regional E-Government Development Index (EGDI), followed by the Americas led by the United States of America, Asia led by the Republic of Korea, Oceania led by Australia, and Africa led by Tunisia. Nevertheless, the 2014 Survey shows that each geographical region exhibits high internal diversity. There is little doubt that underpinning this aggregate snapshot is the level of economic, social and political development of the countries concerned, and one of the primary factors contributing to a high level of e-Government development is past and current investment in telecommunications, human capital and the provision of online services.

Figure 3

[2] United Nations: E-Government Survey 2014, E-Government for the Future We Want.


The benefits of e-Government are many: it is convenient and cost-effective for businesses, and the public benefits by getting easy access to the most current information available without having to spend time, energy and money to get it. But it also carries risks such as increased surveillance, lack of privacy, etc. So how can we manage these risks? This question is treated in the next chapter.

II - CHAPTER 2: Risk management in the e-Government environment

Since the implementation of e-Government is based on information technology, how to solve the security problems of e-Government systems is becoming an extremely urgent subject.

2.1 The E-Government Security Risks

The development of e-Government, which is based on the Internet, meets serious security problems due to the complexity and vulnerability of networks. Generally speaking, the security risks facing e-Government include the following aspects:

2.1.1 Information interception
Related e-Government users or intruders capture or steal electronic information belonging to governments or other users.

2.1.2 Information tampering
Internet attackers tamper with, insert or delete original data through various technical methods and transmit the result to the destination, in order to damage the integrity of the data.

2.1.3 Denial of service
The complete invalidation of the network system or the server system for some period. It mainly comes from attacks by hackers or viruses, and also from man-made destruction of the devices.

2.1.4 Theft of system resources
In a networked system environment, theft of system resources is very common.

2.1.5 Information faking
After attackers have learned the rules of the data in the network information, or after they have decoded the government information, they can pretend to be legitimate users or make false information to cheat other users. The main forms include impersonating users to get illegitimate certifications, forging e-mails, etc.

2.2 The Procedures of Risk Management

Risk management is a route which includes identifying risks, analyzing risks and drawing up risk management plans. The procedure for security risk management of e-Government includes three steps: risk identification, risk analysis and risk control.

2.2.1 Risk identification
The security requirements of the e-Government system are confirmed by evaluating the system's risks. Risk identification is the first step of risk management, and it is needed in order to address the security risks of e-Government effectively. Risk identification is based on collecting the various relevant threats, bugs and corresponding countermeasures, and then recognizing any possible risks or potential threats to the e-Government system. There are many different methods to identify risks. The goal of risk identification is to recognize the risks existing in the network environment, in data or in data exchange. One problem to be noticed is that risk identification cannot address all the risks of an e-Government system: it can only find already known risks, or potential risks derived from known risks.

2.2.2 Risk analysis
Risk analysis, through various qualitative or quantitative methods such as analysis, comparison, evaluation, etc., decides the importance of each e-Government risk factor, ranks the factors, and then evaluates every possible consequence for the e-Government system. A threat is a potential event launched unintentionally by a threat source, or a threat source intentionally attacking the vulnerabilities of the system. It is because the system has vulnerabilities that threat sources become risks. So in the process of risk analysis, threat sources must be identified and described. Threat sources can be any kind of environment or event, including people, nature and so on, which does harm to the system. The natural threats a system faces relate to its geographical location; the threats from people may be accidental or deliberate. To identify the threats a system faces, we can use many different methods, such as brainstorming, Delphi, scenario analysis, etc. Table 1 lists some possible threat sources.


Table 1

We can get information about vulnerabilities through on-site investigation, personnel interviews, network scanning, penetration testing, analysis of relevant documents, or other open information sources on vulnerabilities. In the vulnerability analysis stage, if the system is still being designed, the emphasis is on the strategies or rules of system security and the definition of security requirements. If the system is already implemented, we should also analyze more specific information, such as design documents. If the system is in use, we need to do further analysis, such as of the system's security functions, the actual effects of the security controls, etc. For threats from people, possible motivations are listed in Table 2.


Table 2

The ultimate goal of threat analysis is to calculate the overall risk probability. The factors influencing risk probability include the motivation and ability of the threat source, system vulnerabilities, and the effect of the relevant security measures. There may be historical records about natural threats, and those records can help to analyze the probability that natural threats happen. But we often lack historical information about technical and operational threats from people. To evaluate the probability of these kinds of threats we can use the analogy method; in practice, however, it often depends on the analyst's experience. We have proposed a simple method to describe risk probability in three levels: high, medium and low. Table 3 shows the definitions of risk probability.

Table 3

2.2.3 Risk control
Risk control means choosing and using risk control methods to guarantee that the risk can be reduced to an acceptable level. Risk control is the most important step in risk management; it is the key factor that determines whether risk management is successful or not. The goal of e-Government security risk control is to reduce the degree of risk which e-Government projects suffer. Generally speaking, there are two kinds of risk control methods. The first are risk control measures, such as risk reduction, avoidance or transfer, and loss management. We often use risk transfer and loss management in e-Government security risk management. The second kind are funding measures for risk compensation, which include insuring or bearing the risk oneself. In e-Government security risk management, managers need to decide which measure to choose: insuring or bearing the risk themselves. In addition, to make a proper choice, one should take the cost of risk into consideration. One effective and feasible risk control method for e-Government security is establishing a whole security plan to reduce risk, mastering some basic technology for security assurance, and preparing solutions that the government can adopt when specific security incidents happen.

After identifying e-Government security risks and the procedures of risk management, it is necessary to know how to guarantee information security in the e-Government environment. This is the subject of the next chapter.

III - CHAPTER 3: The management of e-Government information security

3.1 Methodology for information security management

The methodology should focus on providing technically secure e-Government services, but it also has to provide efficiency, effectiveness, flexibility and transparency. The security of information systems is essentially a combination of application security, infrastructure security and secure management. Deploying, managing and securing all of these levels is essential to achieving a secure environment, since simultaneous security breaches on all layers are much less likely. This approach has been identified as the most effective in the context of contemporary IT security management.

The design of e-Government applications must be consistent, including with existing legal requirements for the management of data and other relevant legal and regulatory requirements. It becomes clear that the value of information stored and processed by e-Government services must be protected at all levels: applications, infrastructure, operation and active management of the service. Information security is designed to protect information assets and is determined in terms of Confidentiality, Integrity and Availability (CIA), and also Accountability, Auditability, Authenticity, Non-repudiation and Privacy [3].

3.2 Ensuring the e-Government information security

[3] Information Security Management courses, DRESMARA 2015.


It was found that information security can be ensured only through the selection and implementation of appropriate security controls through proper risk management. The main activities in ensuring the security of information are as follows:
a) classification of information systems;
b) selection of controls and development of basic national requirements for information security management in e-Government, including requirements for internal staff, infrastructure and application management, software development, and the management and delivery of services by government;
c) risk assessment;
d) improvement of the security controls based on the risk assessment;
e) implementation of security controls;
f) monitoring and analysis of the effectiveness of security controls;
g) continuous improvement of internal controls and of the internal control system managing information security.

Management, as one of the determining factors for the success of the strategy, and the way information security is managed should be based on methods which require constant improvement of internal controls and management approaches. Implementation of information security is not an event but a process. Continuous improvement is the basis on which the construction and implementation of an information security management system, with its many compliance requirements, is built. It is also designed to optimize business operations and processes within the body of company management. As with all management processes, an information security management system (ISMS) must remain effective and efficient in the long term, adapting to changes in the internal organisation and the external environment. ISO/IEC 27001:2005 incorporated the PDCA cycle approach (Figure 4):
Plan: creating the policy, objectives and ISMS procedures relating to risk management and improving information security, to deliver results in line with the overall policy objectives of the organization.
Do: implementation and operation of the policy, controls, processes and procedures of the ISMS.
Check: evaluation of the applicable performance measurement processes against the security policies, objectives and practical experience, and reporting the results for management review.


Act: taking corrective and preventive actions based on internal ISMS audit results, management review results or other relevant information, to achieve continual improvement of the ISMS.

Figure 4

3.3 Implementation of security controls based on risk assessment

The implementation of an information security management system and its controls, based on the results of the risk assessment, should be optimized. The first priority is the optimization and strategic development of the organizational structure. Security functions thus need to be clearly visible as separate units connected to senior management. The hierarchy is clearly defined, and the main objectives are allocated to sub-tasks and teams. These teams are responsible for the management of information security and for integrating information security through established organizational information security policies. Each policy regulates the obligations and responsibilities of officials.

3.4 Planning activities

Planning activities aim to include, in the short and long term, plans to improve the information security management system. An additional important part is, of course, the planning of responsibilities. For this purpose the administration creates an information security forum reporting to the senior management team. The forum is responsible for the management and improvement of the information security management system. Each unit has its own information security officer, who is specially trained in compliance with all information security requirements in accordance with the specific activity of that structural unit.


3.5 Risk Management Countermeasures

Considering the importance of e-Government security, it is urgent to deploy a whole set of effective countermeasures. The purpose of deploying countermeasures is to reduce the potential risks and security bugs, so that we can reduce the risk facing the e-Government system environment. Among the e-Government risk management countermeasures, the defense-in-depth strategy is currently the most popular. The defense-in-depth strategy (Figure 5) consists, precisely, of depth security and multi-level security. By deploying multi-level security protection, we can guarantee that if one level is breached, the other levels can still ensure the security of e-Government system resources. For example, if the outer firewall of a unit is compromised, by virtue of the inner firewall the intruder still cannot get access to the sensitive data, nor do any damage to it.

Defense in depth

Figure 5

3.6 Building a sustainable information security management

It is recommended to improve information security management practices and principles in information security practice and to strengthen its role. Initiatives that can be suggested for the e-Government environment to consider incorporating in its strategic plan include:
• developing information on the existing security risks associated with the non-classified systems currently in use;
• developing information and data structures on the risks associated with evolving practices, such as Internet usage;
• identifying best practices and principles regarding information security management programs so that they can be adopted by both governmental and private agencies; the organization should also establish methods for reviewing the adequacy of information security programs using interagency or IT professional consulting teams of reviewers;
• ensuring adequate review coverage of information security practices by considering the scope of the various types of information security management audits, and periodically reviewing and performing gap analysis to address any identified gaps in coverage, because the information security management program should be integrated as part of the organization's strategy.

The e-Government environment must put in place adequate information security management policies, practices and principles. It is recommended to follow standards and models such as ISO 27001 (Figure 6). These standards and models are meant for effective information security and management, and to address information breaches and threats that might confront data and information during information sharing.


Figure 6

CONCLUSION

E-Government can improve the administration and make it more effective. It improves the development and implementation of public policies and helps the public sector to meet the demand for more and better services with fewer resources. The security of electronic communications between the clients and the administration is an essential part of e-Government.


The first step is to scan and examine the internal and external environment of the e-Government system, and to check the vulnerabilities and weaknesses of the system. Patch or add new devices immediately in order to reduce the losses as much as possible when risks materialize. Secondly, do a full analysis of the e-Government security risks, and then make the relevant plans and measures. Track and monitor those plans and measures at each implementation stage. Finally, adjust the risk management measures at any time according to environmental changes, and draw up a complete disaster recovery plan. The main purpose is thus to build and maintain information security management in the e-Government environment.

Officials are responsible for compliance with the information security requirements of the e-Government environment. They guarantee all the technical means and apply all standards and procedures, but it seems impossible to assure zero risk or 100% security. So the officials in charge of information security management must always be on guard and alert, to detect failures and to take appropriate measures against threats and risks.

REFERENCES

- Information Security Management courses, DRESMARA, Brasov, 2015.
- Challenges in E-Government and Security Information, Information and Security Journal, vol. 15, no. 1, 2004, pp. 9-20.
- Frame / Methodology for the Information Security Management in an E-Government Environment, Ing. Mag. Kristian Tomov, Dr. B. Balabanov, ITU Regional Forum on Cybersecurity, October 2012, Sofia, Bulgaria.
- Establishing a Sustainable Information Security Management Policies in Organization: A Guide to Information Security Management Practice (ISMP), International Journal of Computer and Information Technology (ISSN: 2279-0764), Volume 04, Issue 01, January 2015.
- Local Government Information Security Risk in the Age of E-Government, Eunjung Shin, Lauren N. Bowman (PhD students), Eric Welch (Associate Professor), Department of Public Administration, Science, Technology and Environment Policy Lab, University of Illinois at Chicago, 2010.
- United Nations: E-Government Survey 2014, E-Government for the Future We Want.
- E-Government: Manuel pratique de cyberadministration, Marche à suivre pour le développement de prestations électroniques dans les administrations publiques, Edition revue et complétée, mai 2009, Suisse.
- L'administration électronique ou E-administration, ENA - Centre de documentation - Bibliographie - Mars 2015.
- The e-Government: an Imperative, OECD Report 2003.
- Security of e-Government Systems, Final Report IP/A/STOA/FWC/2008-096/LOT4/C1/SC10, July 2013, Science and Technology Options Assessment, European Parliament.


THE MANAGEMENT OF INFORMATION SECURITY

Irakli GIGILASHVILI

Introduction

The development of information technologies and the increased exchange of personal information make it necessary to use a variety of information security standards, as well as the standards of organizations or state agencies. All standards build on each other, because they need to be managed properly in the sequence of the security policy. This subject will be discussed under the General Principles of Information Security Management.

What is Information Security?

Information security is designed to protect all kinds of information, whatever its origin. This information can be stored on paper, in computer systems, or even in the minds of users. IT security protects primarily information that is stored or processed electronically. The classic basic values of information security are confidentiality, integrity and availability. Other general terms of information security are derived from them, for example authenticity, responsibility, trustworthiness and reliability. Information security is threatened not only by intentional actions (for example computer viruses, information capture or reading, computer theft), but also:
- by force majeure (such as fire, water, storm, earthquake), when IT systems or media are damaged or destroyed, or access to the data center is lost, so that documents, IT systems or services are no longer available;
- after an unsuccessful software update, when applications do not function or data is invisibly changed;
- when important business is delayed because the only person who is familiar with the programs is ill;
- when confidential information is accidentally handed to unauthorized persons because documents or files have not been marked as "secret".

Information Security Standards - A Brief Overview

Various standards have been developed in the field of information security. Using security standards in business or government not only improves security, it also facilitates the coordination between different agencies which have to implement security measures in some form. The following overview shows the most important standards in the areas below.

ISO Standards for Information Security

The international standards organizations ISO and IEC decided to unify information security standards in the 2700x series, which continues to grow. Important standards, for example:
- ISO 2700x: this standard provides a general overview of information security management systems (ISMS) and of the interaction among the various standards of the ISO 2700x family. It also sets out the basic ISMS principles, concepts, terms and definitions.
- ISO 27001: ISO 27001 provides the general recommendations, including the introduction (implementation), operation and documentation of an information security management system, as well as risks, etc.

Information Security Integration

Information security should be integrated into every process and project in which information is processed and used by IT. This means, for example, that the security requirements should be considered not only at the time IT is purchased, but also during business process design (CAD), as well as at staff training time.

Description of the process and the life cycle model. The life cycle of information security. Security is not a permanent state that is reached once and then never changes. Every organization is subject to constant change: business tasks, the infrastructure, the organizational structure and the IT landscape all change, and with them the security situation. External conditions, such as legal or contractual requirements, and the information and communications technology itself can also change radically. Active management of security is therefore required to maintain the level of security once achieved. It is not enough, for example, to plan a business process or a new IT system and implement its security measures only once. After security measures have been implemented, they must be checked regularly for effectiveness and appropriateness and for whether they are actually applied, in order to find weak points and opportunities for improvement, and the measures must then be adapted. This need for adaptation should be planned for from the beginning, and the required changes implemented. If business processes, components or IT systems are changed or taken out of service, the security aspects of that change must be reviewed (for example, removal of access privileges, or secure deletion of hard disks). For better clarity, the catalogs of basic security measures are organized into the following phases: planning and concept; procurement (if necessary); implementation and operation (the information security measures support the monitoring and control of results); decommissioning (if necessary); emergency preparedness. Information security processes. Not only business processes and IT systems have "life cycles"; so do the security concept, the information security organization and, finally, the whole security process. To describe the dynamics of the security process simply, it is often presented in the following phases: 1. Planning; 2. Implementation of what was planned; 3. Control of results, or monitoring of goal achievement; 4. Elimination of detected defects or deficiencies, and optimization and improvement. Phase 4 covers the immediate elimination of minor defects; profound changes to the process must start again from the planning phase. The model in Figure 5 names the individual phases "Plan", "Do", "Check" and "Act", and is therefore also known as the PDCA model.

Figure 5. The PDCA model: planning and concept ("Plan"); implementation ("Do"); control of results, monitoring of goal achievement ("Check"); optimization and improvement ("Act").

The PDCA model is also used in ISO/IEC 27001, and in principle it can be applied to all security tasks. The security strategy is implemented by means of the security concept and a suitable organizational structure for information security. The security concept and the information security organization are designed, implemented and checked against their results in accordance with this model.

At the top management level it is checked regularly whether the framework conditions (for example, laws) have changed and whether the security concept and the information security organization are still efficient and effective. Since different institutions have different initial conditions, security requirements and financial means, the life cycle model provides an orientation that must be adapted to each organization's own needs; each institution defines for itself the form in which it applies the model. Small institutions and companies need not shy away from it, because the cost of security usually scales with the size of the organization. A very large company with many departments and employees may require a more formal, approved process, with internal and external audits and with documents stating who is responsible for what, who takes decisions, and when the management is advised on the security process. For a small business, the equivalent may be an annual meeting between the company's management and its IT provider, at which problems, costs, new technical solutions and the other factors that contribute to the success of the security process are critically reviewed and adapted.

Management Principles. Information security management comprises the planning and control tasks that are necessary to set up a meaningful, practical and measurable security process, together with the principles and ways of thinking behind it. It also includes the legal requirements and all the necessary legal protections. There are different concepts of what good IS management and its organizational structures look like. Irrespective of how an IS management system looks, it needs fundamental principles. Not infrequently, it is measures such as optimizing processes, training and motivating employees, or providing clear documentation that visibly improve the level of security in practice.

Management tasks and responsibilities. Overall responsibility for information security: the senior management level of every institution or company is responsible for its proper and orderly operation, and therefore for ensuring security internally and externally. This responsibility may also follow from regulations and from the organization's legal form. The management level, like every individual manager, must recognize this responsibility and clearly communicate the importance of information security to the information security officers and to staff.

Information Security Integration: Information security should be integrated into all processes and projects in which information is processed and IT is used. This means, for example, that security requirements must be considered not only at the time IT is purchased, but also when business processes are designed and when staff are trained.

Information Security Management and Support. The management and control of the security level must be governed by an active process, which includes the following tasks:
- An information security strategy and security goals must be adopted;
- The impact of security risks on the business or its tasks must be assessed;
- Sufficient resources must be allocated to information security;
- The security strategy must be checked regularly, and detected faults and errors corrected;
- Employees must be motivated to address security issues and to treat information security as an important aspect of their tasks. This requires, among other things, information and training activities on offer.

Support and continuous improvement of information security. Information security is not a time-limited project but an ongoing process. All elements of the management system and the effectiveness of the information security measures must be checked regularly and adapted. This means that not only individual security measures need to be tested; the security strategy as a whole must also be reviewed regularly. Security measures should be assessed regularly through internal audits, which also include collecting and evaluating day-to-day operational practice. Training and awareness-raising measures also need to be audited, because that is the only way to prove whether staff actually follow the process and all contingency procedures. In addition, it is important to anticipate the future development of the technologies in use and of the organizational structures, so that possible risks are identified in time and precautions and security measures are put in place. When significant changes to business processes or organizational structures are planned, information security management should be involved early; it should not wait for instructions at a later stage, but be integrated into the interdependent processes. In all audits, care should be taken that they are not performed by those who took part in the conception and planning of the security requirements, since it is difficult to find one's own mistakes. For large organizations, consulting external auditors is advisable to counter organizational blindness.

Communication and Knowledge. Communication is important in all phases of the security process in order to achieve the set goals. Misunderstandings and lack of knowledge are the most common reasons for the emergence of security problems. It is therefore necessary, at all levels and in all areas of the institution, to take care of the smooth flow of information about security incidents and events. This includes the following points. Reports to the management level: top-level management should regularly receive information about problems to be solved, the results of audits, and new developments, changed conditions or opportunities for improvement, so that it can fulfil its management function. Information flows: poor communication and lack of information can give rise to security concerns, as well as to wrong decisions or unnecessary extra steps in doing the job. Employees must be informed of the nature and purpose of the security measures, especially when these lead to additional work or loss of comfort. In addition, employees must be informed about the legal aspects of their activities relating to the handling of information, as well as about data protection. Users should also be involved in realizing the plan of measures, so that they can contribute their own ideas and check the measures in practice.

Documentation: To keep the security process complete and continuous, a consistent set of documents must be maintained; only in this way do the various process steps and decisions remain traceable. Work processes, organizational requirements and technical security measures must be documented so that security incidents or human errors due to ignorance are excluded as far as possible.

Instructions for IT: Examples are policies for the use of the Internet and e-mail, instructions on social engineering and on preventing and detecting virus incidents (that is, unauthorized access to information resources), as well as rules of conduct for security incidents. Formal requirements for documentation: storing documents in paper form is not mandatory; the form must be determined according to need. The level of protection required for the documents, for example in data storage and in the depth of detail, must be determined. Documentation can only fulfil its purpose if it is created systematically and updated regularly. At the same time, documents must be labelled and stored so that they can be accessed quickly when needed. For some or all documents it must be recorded who created or changed them, and when. References should be indicated and described, and additional documents, if required, should be easily available. Security documents may contain confidential information and must be properly protected; the security requirements should cover the storage method, the retention period and the options for destroying the information. When processes are described in writing, it should also be stated whether and how the documentation itself is to be assessed.

Resources for Information Security: Security always requires a certain level of financial, human and time resources, which must be provided sufficiently by management. If goals are not achieved for lack of resources, the responsibility lies not with the employees involved in the process but with the managers who set unrealistic goals or failed to provide the necessary resources. So that achieving the set goals is not put at risk, it is important to weigh the cost of the objectives against their benefit. This plays a key role in the security process: on the one hand it avoids wasting resources, and on the other it secures the investments needed for an appropriate level of security. IT security is often associated with specific technical solutions, which is one reason why the term IT security is used instead of information security. First of all, it is important to note that investment in human resources is often more effective than investment in security technology. Technology cannot solve problems by itself; it must always be tied to the organizational environment. Internal security experts often do not have enough time to analyze all the factors relevant to security (for example, legal requirements or technical issues), and in some cases they lack the necessary background. It is therefore advisable to call in external experts when issues and problems cannot be solved with the organization's own means. The internal experts must document this need so that the management level provides the necessary resources.

Employee involvement in the security process. Information security is part of every employee's job responsibility. It is therefore essential to inform employees and managers about information security issues and to organize and support learning in this field. To implement security measures as planned, the necessary knowledge must be available: the security mechanisms, their goals and how to use them must be communicated. The working environment and the employees' commitment to common values also have a decisive effect on information security. When employees are dismissed or transferred to another position, adequate security measures are required, for example the withdrawal of identification documents, keys and other privileges. Employees must comply with all applicable laws, rules and regulations; to do so they must be informed about the existing rules and motivated to follow them. At the same time, every employee is responsible for reporting known or suspected security incidents to the security service.

Information security process: Management must set the security objectives in the context of the environment, the company's business goals and the tasks of the institution. The security strategy is then planned, so that security becomes a continuous process. The strategy is implemented through the security concept (policy) and with the help of the information security organization. Where should an ISMS be used? It is not necessary to apply the information security management system to the entire organization. First, the scope for which the ISMS will be responsible is determined. The scope often covers the entire institution, but it may also cover one or more particular business processes or organizational units. It is therefore important that the selected scope is clearly delimited in terms of the specialized or business tasks it covers. Building the information security organization. Information security is anchored in the organizational structure (for example, in departments, groups or competence centers) by defining roles and tasks. An information security manager must be nominated by the highest responsible management level, for example by a member of the management board. In addition, at least one IT security officer must be nominated who is able to supply the top level systematically and independently with the required information.

The monitoring of the security results. The management level must regularly hold a management review in which the security process is monitored and evaluated. If necessary (for example, when security incidents accumulate or the framework conditions change significantly), reviews can also be scheduled between the regular dates. All results and decisions must be documented [DOK]. Among other questions, the following should be considered: 1. Have the framework conditions changed, for example through changes in the processes for providing information? 2. Are the security objectives still relevant? 3. Are the information security guidelines still relevant? The point is not only to check the results of individual security measures or of the organizational governance, but to review the whole. For example, operating an Internet portal securely can be very expensive for a small business; in such a case, management may, as an alternative, engage an external service provider. The results gathered here should feed into the control of results for the security strategy. If, for example, it is found that the security measures are ineffective or too expensive, the overall security strategy may have to be re-analyzed and adapted. The following questions should be considered:
- Are the security objectives still relevant?
- Is the security concept suited to achieving these objectives? Does it, for example, meet the legal requirements?
- Is information security adequately embedded in the organization's objectives? Does it need to be anchored more firmly, or is it already part of the internal processes?
- Are the costs (money, personnel, materials) required for security purposes reasonable in relation to the benefit to the institution?
The results of the control activities must be used consistently for corrections. This can mean that the security objectives, the strategy or the concept (policy) are modified to fit the requirements of the organization and of information security. In special cases a fundamental change in the business processes or the IT environment may be required, or the outsourcing of business processes may be rejected or carried out, for example when the available resources do not allow reliable operation. If many changes and improvements have been introduced, the management control loop is closed and begins again with the planning phase.

Security concept (policy). Creating the security concept. To meet the information security objectives and achieve the desired level of security, it is necessary to understand how the business objectives and tasks depend on the confidentiality, integrity and availability of information. At the same time it must be considered what damage could result from force majeure, organizational deficiencies, human negligence or IT failures, and what risks the business processes therefore face. The following describes how the risks can be handled. Choosing a method of risk assessment. The damage that security incidents could cause to the institution's activities and objectives must be analyzed and evaluated. Risk assessment is a core element of an information security management system. Risk identification is needed to determine the threats and their potential loss. Depending on the application, organizational constraints, the scope and the required level of security, different risk assessment methods are used; information security management should choose the method appropriate to the type and size of the institution. Risk assessment. Every risk assessment involves the following steps:
- the business information and assets to be protected must be identified;
- the threats to all business information and assets must be identified;
- the weak points (vulnerabilities) through which the threats can take effect must be identified;
- the possible damage from loss of confidentiality, integrity and availability must be identified;
- the likely impact on the business or on the performance of tasks caused by security incidents must be analyzed;
- the risk that security incidents cause damage must be assessed.
The chosen risk treatment options must be documented and approved by top-level management. The resources needed to implement the strategy must be planned and ensured.
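The six risk assessment steps above, carried through as an added worked example that is not part of the paper: assets are rated for the damage a loss of confidentiality, integrity or availability would cause, threats for their likelihood, and identified vulnerabilities for how exposed an asset is to a threat; the risk of each asset/threat pair with a known vulnerability is then scored and a treatment option assigned. The 1..3 scales, the product scoring, the treatment thresholds and the sample inventory are this example's own assumptions, chosen to keep the arithmetic visible; an organization would substitute the method and scale it has selected.

```python
"""Qualitative risk assessment: identify assets, threats and vulnerabilities,
estimate damage and impact, score the risk, and assign a treatment option.

Added example, not from the paper. Scales (1 = low .. 3 = high), the scoring
formula likelihood x exposure x impact, and the treatment thresholds are
assumptions made for this illustration, not a standard's prescription.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    """Step 1 and step 4: an asset to protect and the damage (1..3) that a
    loss of each basic value would cause."""
    name: str
    confidentiality: int
    integrity: int
    availability: int


@dataclass(frozen=True)
class Threat:
    """Step 2: a threat, its likelihood (1..3) and the basic values it hits."""
    name: str
    likelihood: int
    affects: Tuple[str, ...]  # subset of ("C", "I", "A")


@dataclass(frozen=True)
class Vulnerability:
    """Step 3: a weak point through which `threat` can reach `asset`;
    exposure (1..3) says how easily."""
    asset: str
    threat: str
    exposure: int


def impact(asset: Asset, threat: Threat) -> int:
    """Step 5: worst-case damage among the basic values the threat affects."""
    damage = {"C": asset.confidentiality, "I": asset.integrity, "A": asset.availability}
    return max(damage[value] for value in threat.affects)


def risk_score(asset: Asset, threat: Threat, vuln: Vulnerability) -> int:
    """Step 6: risk = likelihood x exposure x impact, so the range is 1..27."""
    return threat.likelihood * vuln.exposure * impact(asset, threat)


def treatment(score: int) -> str:
    """Map a score to a treatment option (thresholds are illustrative)."""
    if score >= 18:
        return "reduce (priority)"
    if score >= 6:
        return "reduce"
    return "retain"


def assess(assets: List[Asset], threats: List[Threat],
           vulns: List[Vulnerability]) -> List[Dict[str, object]]:
    """Score every asset/threat pair for which a vulnerability was identified
    and return the risk register ordered from highest to lowest risk."""
    by_asset = {a.name: a for a in assets}
    by_threat = {t.name: t for t in threats}
    register: List[Dict[str, object]] = []
    for v in vulns:
        if v.asset not in by_asset or v.threat not in by_threat:
            raise ValueError(f"vulnerability refers to unknown asset/threat: {v}")
        score = risk_score(by_asset[v.asset], by_threat[v.threat], v)
        register.append({"asset": v.asset, "threat": v.threat,
                         "score": score, "treatment": treatment(score)})
    # Highest risk first; ties broken by name so the order is stable.
    register.sort(key=lambda r: (-int(r["score"]), str(r["asset"]), str(r["threat"])))
    return register


# Constructed sample inventory for the illustration (not real data).
SAMPLE_ASSETS = [
    Asset("customer database", confidentiality=3, integrity=3, availability=2),
    Asset("public web server", confidentiality=1, integrity=2, availability=3),
    Asset("ops laptop", confidentiality=2, integrity=2, availability=1),
]
SAMPLE_THREATS = [
    Threat("ransomware", likelihood=2, affects=("I", "A")),
    Threat("credential phishing", likelihood=3, affects=("C", "I")),
    Threat("fire", likelihood=1, affects=("A",)),
]
SAMPLE_VULNS = [
    Vulnerability("customer database", "credential phishing", exposure=3),
    Vulnerability("customer database", "ransomware", exposure=2),
    Vulnerability("public web server", "ransomware", exposure=1),
    Vulnerability("public web server", "fire", exposure=2),
    Vulnerability("ops laptop", "credential phishing", exposure=2),
    Vulnerability("ops laptop", "fire", exposure=1),
]


def run_sample() -> List[Dict[str, object]]:
    """Assess the constructed inventory; returns the ordered risk register."""
    return assess(SAMPLE_ASSETS, SAMPLE_THREATS, SAMPLE_VULNS)


if __name__ == "__main__":
    for row in run_sample():
        print(f"{row['score']:>3}  {row['treatment']:<18} {row['asset']} / {row['threat']}")
```

Only pairs for which a vulnerability was actually identified appear in the register, which mirrors the third step: a threat with no weak point to act through does not produce a risk. The register output is what top-level management approves together with the chosen treatment options.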

Choosing security measures. From the general security objectives and requirements set by the management level, specific security measures are derived. Technical and organizational security measures must be created, as well as procedures and processes (such as user policies, access rights, security training, and test and production procedures). Among others, the following topics are covered:
- organization (including the allocation of tasks and functions, control of information processing, applications and IT components, hardware and software management, change management, etc.);
- personnel (for example, training of new staff);
- training and awareness of information security;
- data backup (of all data, applications and IT components);
- data protection;
- computer virus protection;
- confidentiality in processing, transmission and storage (for example, by introducing cryptography);
- hardware and software development;
- handling of security incidents (incident handling);
- support for emergency preparedness and business continuity;
- outsourcing.
Monitoring and improvement of the security concept. Security incidents must be detected, and they must be reacted to immediately. The security concept must be controlled systematically, and the efficiency and effectiveness of the introduced measures assessed by internal audit. Checking the adequacy and effectiveness of the security measures: it is necessary to assess regularly whether the security measures are adequate for the security goals that were set. Adequacy can be tested, for example, from the rate of past incidents, by penetration tests, or by surveying employees. This also covers the effects of the company's business environment and of specific performance requirements; for example, environmental, technical or regulatory conditions may change. To keep security up to date, those responsible should use external sources of knowledge: attend conferences, follow the relevant standards and literature, and use information on the Internet. If the organization cannot keep this knowledge current with its own staff or within the available time, external experts must be called in.
Information Security Management. Information Security Management (ISM) is the process that ensures the confidentiality, integrity and availability of the organization's assets, information, data and services. Information security management is part of the organization's overall approach to information security, which has a broader scope than that of the service provider and also covers paper documents, building access, phone calls, etc. The main aim of ISM is to ensure effective management of information security across all services and activities within management. Information security is concerned with the protection of confidentiality, integrity and availability, as well as the protection of information systems and communications: 1. Confidentiality: the state of information in which only subjects with the right of access can obtain it; 2. Integrity: the state of information in which no change can be made, or changes can be made only by an entity entitled to do so; 3. Availability: the state of information in which a subject with the right of access can use it without delay.

The goals of information security management are achieved if: 1. information is available when it is needed, and computer systems resist attacks, or attacks can be avoided or recovered from rapidly; 2. information is available only to those who are entitled to it; 3. information is correct, complete and protected from unauthorized changes; 4. the exchange of information with partners and other organizations is reliably protected.

Information Security Policy (Security Policy): defines the organization's approach to information security management. Security control includes the following activities: maintaining a security watch list that documents the operation and management of the controls and the related risks; managing suppliers and contracts that require access to systems and services, in cooperation with supplier management; managing security incidents and all vulnerabilities related to the systems and services; proactive control of security and reduction of the risk of information security breaches; managing the integration of information security into all aspects of the service processes. The information security policy should cover the following:
- implementation of the information security policy;
- possible misuse of and violations of the information security policy;
- access control policy;
- password use policy;
- e-mail policy;
- Internet policy;
- active defense policy;
- information classification policy;
- document classification policy;
- remote access policy;
- policy for supplier access to services, information and components.

Information security and its management require an information security management system to support them. An Information Security Management System (ISMS) is a system of policies, procedures, standards, guidelines and tools that ensures the organization's information security management goals are met.

Conclusions: The never ending process of information security involves ongoing training, assessment, protection, monitoring and detection, incident response and repair, documentation, and review. This makes information security an indispensable part of all the business operations across different domains. Although there are a number of information security standards available, an organization can only benefit if those standards are implemented properly. Security is something that all parties should be involved in. Senior management, information security practitioners, IT professionals and users all have a role to play in securing the assets of an organization. The success of information security can only be achieved by full cooperation at all levels of an organization, both inside and outside.

References: BSI, Wikipedia, ISMS.

CRIMINAL IMPLICATIONS OF SOCIAL ENGINEERING

Liviu DOBRITOIU

INTRODUCTION

Security is all about knowing who and what to trust: Knowing when, and when not, to take a person at their word; when to trust that the person you are communicating with is indeed the person you think you are communicating with; when to trust that a website is or isn’t legitimate; when to trust that the person on the phone is or isn’t legitimate; when providing your information is or isn’t a good idea.

I. OVERVIEW ON SOCIAL ENGINEERING

I.1. Definition

Social engineering, in the context of information security, is the art of manipulating people so that they give up confidential information. It is a type of confidence trick used to gather vital information: a non-technical attack that relies on human interaction and on tricking people into breaking normal security procedures. Criminals use social engineering tactics because they are comparatively easier than other attacks, and they are among the most successful attacks because victims innately want to trust other people and are naturally helpful. The victims of social engineering are tricked into releasing information that they do not realize will be used to commit a crime. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it.

I.2. Types of social engineering

Social engineering can be broken into two common types: 1. Human based—Human based social engineering needs interaction with humans; it means person-to-person contact and then retrieving the desired information. People use human based social engineering techniques in different ways; 2. Technology-based: While the greatest area for success is human-based interaction by the social engineer, there are also some methods that attempt to retrieve the desired information by using electronic interface to either gather information or to deny service to a system.


I.3. Psychological aspects of social engineering

Recent research has found that certain terms and techniques associated with social engineering go far beyond technology, into human error and social psychology. Three key aspects of social psychology could help explain the emotional cues that social engineering attacks manipulate: the alternative routes to persuasion (the central route and the peripheral route), the attitudes and beliefs that affect human interactions, and the techniques of persuasion and influence. In the central route to persuasion, the attacker persuades the victim to provide the desired information without fabricating a false scenario. This comparatively direct route depends on the responder reasoning logically about the information the attacker presents, and it does not normally succeed. The other route, the peripheral route to persuasion, lets the attacker bypass logical argument and counter-argument: the attacker makes the intended victim more susceptible to persuasion by triggering strong emotions, such as fear or excitement, that interfere with the victim's ability to respond. Attitudes and beliefs refer to the victim's attitudes and beliefs about the attacker, and the attacker's attitudes and beliefs about the anticipated or actual victims. Rooted in social psychology, persuasion and influence techniques rely on the peripheral route to persuasion, which is effective in influencing others. Six factors make persuasion effective: authority, scarcity, liking and similarity, reciprocation, commitment and consistency, and social proof. Social engineering attacks are further categorized into human-based and technology-based intrusions. Human-based attacks are interactions between the attacker and the victim who possesses valuable information. In contrast, technology-based attacks obtain confidential information through software such as pop-up windows, e-mail attachments and websites. Malicious e-mail attachments and websites exploit the victim's natural tendency to trust others in order to make the victim divulge information or perform actions; a pop-up window with an embedded malicious script exploits the victim's fear of getting into trouble by repeatedly prompting the victim to re-enter his or her username and password because "the network connection was interrupted", and then surreptitiously delivers the entered credentials to the attacker.


Figure 1. Four-step social engineering attack

As shown in Figure 1, a typical social engineering attack is composed of four steps: information gathering, relationship development, exploitation, and execution. A social engineering attacker initially gathers information about the target(s), such as names, phone numbers, and birth dates, from publicly accessible sources such as directories and organizational charts. Using this information, he then tries to build rapport with the intended victim to gain his/her trust. Exploiting the established trust, the attacker can then persuade the victim to perform desired actions (e.g., revealing confidential information) which would not normally occur otherwise. In the last stage, the attacker uses the information collected from the victim to carry out attacks.

Social engineering attackers exploit different psychological phenomena to recognize the psychological and/or behavioral vulnerabilities of the potential victim and obtain the desired information by playing on specific personality traits. The leading psychology-driven traits exploited in social engineering attacks are diffusion of responsibility, chance for ingratiation, trust relationship, and guilt.

Diffusion of responsibility: the target is made to believe that they are not solely responsible for their actions. The social engineer creates situations with many factors that dilute personal responsibility for decision making. Originating in social psychology and criminology, diffusion of responsibility explains that an individual (e.g., a criminal) acting alone would be held more responsible for behavior leading to a negative consequence than an individual acting as a member of a group. Relating this psychological trigger to social engineering, researchers have found that targeted victims are made to believe that they are not solely responsible for their actions; this trait works well together with a sense of moral duty when the victim believes that what he/she is responding to is of vital importance to the company or its employees. As such, the victim surmises that his/her actions could make the difference between success and failure for the company or the supposed employee (the actual social engineering attacker). Thus, the victim tends to comply with the request to avoid the feeling of guilt.

Chance for ingratiation: victims are led to believe that compliance with a request will enhance their chances of receiving some benefit. This process includes such psychological motives as gaining advantage over a competitor and getting in good with management. Authority plays a vital role, since people are conditioned to respond to authority figures without painstakingly verifying their legitimacy. Gender, normally the opposite sex, can trigger effective and positive persuasion resulting in successful social engineering intrusions. This perspective is in line with research finding that a charming or sweet voice of the opposite sex can generally lead to more effective and successful persuasion or interpersonal influence.

Trust relationship: social engineering attackers also tend to establish trust relationships with their intended victims through seemingly innocent conversations or e-mail communications. Human nature is to trust others until they prove they are not trustworthy. Many people, especially customer service agents, help desk receptionists, and business assistants or secretaries, who are trained to assist people and not to question the validity of each request, tend to trust others and are naturally helpful. Trust can be built through a number of small interactions, which social engineering attackers try to maintain with the victims. A sign of positive trust is when the victims can recognize the attacker’s voice and are willing to converse with and assist the attacker. Some seemingly mundane information, such as knowing someone is on vacation or the names of children, spouse and pets, can be effortlessly revealed by these victims through a series of slow and casual yet deceitful correspondence; such details are of vital value to social engineering attackers, who then can implement a fraudulent plan.

Guilt: successful social engineering attacks can also be triggered by feelings such as guilt and sympathy. Human users have a tendency to believe that others’ expressed attitudes (e.g., a sad voice), behaviors (e.g., facial signs), and statements (e.g., poor performance) are true, and these individuals may attempt to avoid guilt. Social engineering attackers may exploit this weakness by confiding in the intended victims that they have failed to accomplish things and their survival depends solely on the victims’ assistance, otherwise a significant (normally sad or negative) consequence may occur.

II. HUMAN BASED SOCIAL ENGINEERING

All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called "bugs in the human hardware", are exploited in various combinations to create attack techniques, some of which are listed below.

II.1. Types of Human Based social engineering

II.1.1. Pretexting

Pretexting is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances. An elaborate lie, it most often involves some prior research or setup and the use of this information for impersonation (e.g., date of birth, Social Security number, last bill amount) to establish legitimacy in the mind of the target. This technique can be used to fool a business into disclosing customer information, as well as by private investigators to obtain telephone records, utility records, banking records and other information directly from company service representatives. The information can then be used to establish even greater legitimacy under tougher questioning with a manager, e.g., to make account changes, get specific balances, etc. Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, clergy, insurance investigators — or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. The pretexter must simply prepare answers to questions that might be asked by the victim. In some cases, all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one's feet to create a pretextual scenario. This simple yet effective attack focuses on the vulnerable psychological aspect of a human who tends to be helpful.

II.1.2. Shoulder surfing

Shoulder surfing refers to using direct observation techniques, such as looking over someone's shoulder, to get information. It is commonly used to obtain passwords, PINs, security codes, and similar data. Shoulder surfing is particularly effective in crowded places because it is relatively easy to observe someone as they:

- fill out a form
- enter their PIN at an automated teller machine or a POS terminal
- use a telephone card at a public payphone
- enter a password at a cybercafe, public or university library, or airport kiosk
- enter a code for a rented locker in a public place such as a swimming pool or airport
- enter a PIN or password on their smartphone

Shoulder surfing can also be done at a distance using binoculars or other vision-enhancing devices. Inexpensive, miniature closed-circuit television cameras can be concealed in ceilings, walls or fixtures to observe data entry. A survey of IT professionals in a white paper for Secure, the European Association for Visual Data Security, found that:

- 85% of those surveyed admitted to seeing sensitive information on screen that they were not authorized to see
- 82% admitted that it was possible information on their screens could have been viewed by unauthorized personnel
- 82% had little or no confidence that users in their organization would protect their screen from being viewed by unauthorized people.

II.1.3. Information diving

Information diving is the practice of recovering technical data, sometimes confidential or secret, from discarded material. In recent times, this has chiefly been from data storage elements in discarded computers, most notably recoverable data remaining on hard drives. Those in charge of discarding computers usually neglect to erase the hard drive. Other data may also be available, such as credit card information that was stored on the machine. Today, files, letters, memos, photographs, IDs, passwords, credit cards, and more can be found in dumpsters. Dumpster diving involves looking in the trash for information written on pieces of paper or computer printouts. The hacker can often find passwords, filenames, or other pieces of confidential information. Many people do not consider that sensitive information on items they have discarded may be recovered. Such information, when recovered, is sometimes usable for fraudulent purposes.

II.2. Example: “The Accident”

The scam involves an unknown person calling someone and pretending that a family member has been involved in a car accident and needs money, either for medical treatment or for settling with the other parties involved. Working families and senior citizens appear to be the targets of this insidious activity. Until now, several persons have fallen victim to this fraud, even though police have been active in trying to protect the community from this type of crime. As reports of this telephone scam continue to come in from all over Europe, law enforcement agencies devote appropriate resources and try continuously to alert their communities about this criminal activity and locate the perpetrators. What is important here is that scammers obtain the information using social media sites, marketing lists and other sources.

III. TECHNOLOGY BASED SOCIAL ENGINEERING

III.1. Types of technology based social engineering

III.1.1. Phishing, Vishing, and SMiShing

The delineation between the terms is based on the attack vector: phishing is done through the computer, vishing through the phone, and SMiShing through text messaging. Phishing, now a “classic” of social engineering, involves false e-mails, chats, or websites designed to impersonate real systems with the goal of capturing sensitive data. A newer trend is called brand spoofing: the process of sending an e-mail to a user falsely claiming to be from a legitimate enterprise in an attempt to scam the user into disclosing private information. Government, financial institutions and online auction/payment services are common targets of brand spoofing. The attacker sends an HTML input form within an e-mail, or an e-mail providing a link to a deceptive replica of an existing web page. Voice phishing exploits the public's trust in landline telephone services, which have traditionally terminated in physical locations known to the telephone company and associated with a bill-payer. Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals. Some fraudsters use features facilitated by Voice over IP (VoIP), such as caller ID spoofing (to display a number of their choosing on the recipient's phone line) and automated systems (IVR).
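As an added illustration of the brand-spoofing pattern described above (example code written for this edition, not part of the original paper), the following Python script scans an HTML e-mail body and flags the cheap indicators a mail filter or a cautious reader can check: links whose visible text names one site while the href leads to another, links that use a bare IP address instead of a hostname, and links that hide the real host behind a user@ prefix. The message body is a constructed sample; examplebank.com and the other hosts in it are placeholders, and the function names are this example's own.

```python
"""Flag deceptive links in an HTML e-mail body (added example, not from the paper)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample message; examplebank.com and the attacker hosts are placeholders.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, your account has been suspended.</p>
<p>Please confirm your details at
<a href="http://login.examplebank.com.verify-account.example/restore">https://www.examplebank.com/secure</a></p>
<p>Or use our backup server: <a href="http://192.0.2.10/bank">Secure Login</a></p>
<p>Unsubscribe: <a href="https://www.examplebank.com/unsubscribe">https://www.examplebank.com/unsubscribe</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so the text is easy to match against.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); a production tool would use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


# A hostname-looking token in the visible text, with or without a scheme.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def assess_link(href, text):
    """Return the reasons a link looks deceptive; an empty list means nothing was found."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if not host:
        return reasons
    # 1. Bare IP address instead of a hostname.
    try:
        ipaddress.ip_address(host)
        reasons.append("href host is a bare IP address")
    except ValueError:
        pass
    # 2. userinfo trick: http://trusted.site@real-host/ shows the trusted name first.
    if parsed.username is not None:
        reasons.append("href hides the real host behind a user@ prefix")
    # 3. Visible text names a different site than the href actually goes to.
    match = DOMAIN_IN_TEXT.search(text)
    if match and registered_domain(match.group(1)) != registered_domain(host):
        reasons.append(f"visible text names {match.group(1)} but href goes to {host}")
    return reasons


def find_suspicious_links(html_body):
    """Parse the body and return [(href, text, reasons)] for links with at least one finding."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        reasons = assess_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in find_suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Run against the sample, the script reports the first two links (the look-alike domain and the IP-only "backup server") and passes the genuine unsubscribe link. The domain comparison is deliberately on the registered domain rather than the full host, so a legitimate "login.examplebank.com" link labelled "www.examplebank.com" is not a false positive.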

III.1.2. Baiting

Baiting involves dangling something you want in order to entice you to take an action the criminal desires. It can be in the form of a music or movie download on a peer-to-peer site, or it can be a USB flash drive with a company logo labeled “Executive Salary Summary Q1 2015” left out in the open for you to find. Then, once the device is used or the file downloaded, the person's or company’s computer is infected with malicious software allowing the criminal to advance into your system.

III.1.3. Malware attachments

Emails sent by scammers may have attachments that contain malicious code. Pop-up windows that advertise special offers may tempt users to unintentionally install malware (malicious software). Most malware is a computer program, or part of a program, that has damaging or unwanted effects on your computer. When people think of malware they think of a virus, but the term covers much more than just viruses. Hackers have created worms and Trojans, rootkits, logic bombs, spyware and botnets. Malware can be any of these, or it can package several of these together. It's difficult to label malware today as simply a virus, a worm or even a worm/Trojan.

Malware can teach security professionals about social engineering, software exploits, stealth and advances in technology that show the skills of some serious programmers. Newer forms of malicious programs can be extremely sophisticated and require teams of well-funded programmers to create. Other pieces are simple exploits cooked up in someone's bedroom that sneak past security controls and wreak havoc. Malware didn't originally earn any money or bring any tangible gain for the person who wrote it. This changed over the years as malware creators learned to profit from data theft, using credit card information to get access into the global banking systems. Since then, this category has thrived. Many new types of malware attempt to take advantage of you through scams, spam, botnets and spying, and this has created a billion-dollar-a-year antivirus industry. Most malware falls into the following categories:

A) Viruses. This is what most people think of when they think of malware. Computer viruses came from computer science studies of artificial life – known then as cellular automata – which gradually became more “life-like,” with the ability to propagate (make more of themselves), infect more hosts, become persistent, even hunt and kill each other. They resembled naturally occurring viruses in their behavior and thus the name stuck. Viruses are self-replicating pieces of software that, similar to biological viruses, attach themselves to another program or, in the case of macro viruses, to another file. The virus is only run when the program is run or the file is opened. That's what makes viruses different from worms: if the program or file isn't accessed in any way, then the virus won't run and won't copy itself further. Variants of viruses can use different trigger mechanisms such as a certain time and date or a keystroke combination.

B) Worms. Worms are similar to viruses in that they propagate, but they use network services to move around, and they don't rely on someone running or accessing a file to trigger the self-replicating code; it executes on its own as soon as it can find a vulnerable host. So a worm is a standalone program that, after it has been started, replicates without any need for human intervention. It will move from host to host, taking advantage of an unprotected network or service. Worms have overloaded servers and entire networks because they're all about multiplying. Depending on how the worm was designed, it may not have a specific end point or target. Worms have been used to map networks, to dig into hidden areas and to report their findings at predetermined connection points. This type of malware can be autonomous or work within a command and control structure. There are several instances of worms in major systems in which nobody has been able to remove them, determine their purpose or keep tabs on their location. Worms are well suited to reconnaissance because they don't normally carry a payload and use covert channels for communication, if they communicate at all. If the worm never communicates, it's impossible to tell where it is and what it is supposed to do.

C) Trojans and Spyware. The bread and butter of malware falls into the category of spam: Trojans and spyware with a touch of adware for an extra kick. The original Trojan horse was created by the Greeks several thousand years ago (think of the film “Troy” if you've seen it). The basic concept is that you offer something that appears useful or benign to sneak something nasty into an otherwise secure computer.
Examples include game trailers; e-mail promising naked pictures of your favorite celebrity; a program, tool or utility; a file, such as a PDF; or pirated videos. You will often find them loaded into so-called freeware games. The concept of freeware is not to fill a free product with advertising or junk, but somehow that idea got mixed up. Trojans are pieces of malware which masquerade as something either useful or tasty in order to get you to run them. There are at least two types of Trojans. The first breed of Trojan malware pretends to be a useful program, picture, music or movie, or is an attachment within a program. The second type is a fake program that replaces the legitimate one on your system. Once they are inside a system they may do something unpleasant to your computer, such as install a backdoor or rootkit, or – even worse – turn your machine into a zombie. Cue scary music in the background. Your first clue that a Trojan has been installed on your computer might be a massive slowdown and loss of resources. Your computer, that is, not you. If you have a massive slowdown of your body and/or loss of resources then you have the flu. Go get a shot from your doc. Your computer is not so easy to fix. You are going to need your strength. You might notice some applications won't load, or programs load that shouldn't be running at all.

D) Rootkits and Backdoors. Often when a computer has been compromised by an attacker, they'll want to get back into the machine. Rootkits and backdoors are pieces of malware that create methods to keep access to a machine or network. They can range from the simple (a program listening on a port) to the very complex (programs which hide processes in memory, modify log files, and listen on a port). Both hardware and software manufacturers have been accused of installing backdoors in products. Some of this is state-sponsored hacking, while some is just nosy companies. Sony installed spyware on users' devices to enforce Digital Rights Management (DRM). China has been charged with installing secret code in routers, hubs, and other products built in that country. These tactics have destroyed consumer trust in brands and products made in certain countries.

Malware is nowadays trending more than ever. Malicious software usually gives the attacker access to files or data on your computer, network, tablet or smartphone. Yes, your mobile phone can get malware too. No computer system is immune from malware – including all personal electronics. Your mobile phone, or smartphone, is just a physically small computer. If you are surfing the web, using Facebook or opening e-mail attachments, then you are vulnerable to malware on your phone. Malware may even come preinstalled. The issues are the same as with your computer; for example, you risk having your passwords hacked.
More likely, the malware will wait for you to do some online banking and either clean out your bank account or steal your banking credentials and send them to the attacker. Internet TV is also here: now you can watch television and surf the Internet at the same time. You can connect things up and have a “smart” home. Again, you'll have the same issues as you have on your computer. Researchers have hacked into Internet-enabled TVs, onboard computers in cars and even refrigerators. Pretty much anything with an onboard computer can be attacked. Criminals can infiltrate your home, a private space where you feel secure, through your online interactions. You may think you have nothing of value on your computer or smartphone, but your identity can be exploited. That is, an attacker could take information about you from your computer or phone together with publicly available information about you, say your Facebook photo, and there may be enough information to build a detailed profile. The attacker could then try to open credit cards, or take out bank loans, in your name.

This is known as identity theft. Creditors will then expect you to pay them back for the things the attacker bought. It can take years to prove you didn’t spend the money and to clear your good name. It could delay you in getting a loan to buy that “fast and furious” car you've been dreaming of. We are digitally connected almost 24 hours a day and we expect our devices to remain part of the Internet even when we are not using them. Malware creators like that. Our phones are synced to our tablets, which are synced to our computers, which are synced to our cloud accounts. All of this information is at our fingertips and we want access to our music, files, movies, and personal data everywhere we go. Malware creators like that, too. Currently, a lot of malware targets mobile devices. These devices have the least amount of security yet have the same access to your data as a computer. On your computer, you probably have a firewall, antivirus software, and anti-spyware software installed. Your mobile devices probably don't have any of these protective measures. That needs to change. Malware creators may be changing tactics away from ransom and denial of service attacks towards complete destruction of an organization's network data. Sony was attacked in October 2014 in a multipronged effort to release incriminating evidence while destroying vital data in the background. This cyber assault used sophisticated malware against Sony to disrupt daily operations and render critical data useless.

III.2. Example: “The job offer you can’t refuse”

Let’s assume that my target’s name is Mr. Victim, and we will start by searching for this person using a very simple method: just type the name of your target in Google search and look at the results. From the above result we can see that a lot of information can be collected from a simple Google search. You can find a target’s Facebook profile link, LinkedIn profile, Twitter handle, websites related to that name, and images as well. Another way is to use social networks to gather as much information as we need. We know that nowadays people use social networking sites such as Facebook, Twitter, Orkut, LinkedIn, etc. Everyone is using social networking, making online friends of strangers, chatting with them, and so on. People think that these social networks help them build a network among themselves, but these social networks are the world’s largest human identification database. Suppose you want to gather information about a particular person. You can find that person on Facebook with his photo and personal information such as his address, educational background, family members, etc. Not only that, but you can also guess at the character of that person and learn more about the potential victim’s personal life from his/her Facebook profile, such as what type of status updates he posts. After finding the accurate profile of a target, we look at his friend list and make a list of all his friends; this will help in your social engineering attack. You can also clone his whole profile by downloading all of the pictures and the information that he has shown in his profile. After creating a fake profile, you can send friend requests to all the people on his friend list and start to communicate with them. In that way, you can get some juicy information about the target and maybe about his girlfriend. There are lots of fake profiles on Facebook, and sometimes it is difficult to find which one is the genuine profile of the target.
I use my own technique; I realized that if we search for a person by giving the target’s name in the Facebook search bar, Facebook doesn’t crawl its own database for the user’s profile name. It works with a username that is in your Facebook profile’s URL, like this: http://www.facebook.com/victim; here “victim” is the username of the target. This username also helps the attacker to predict the target’s email id. How? Let us see. For example, I have a username john.doe.796. Now I open the Facebook login page, click on “Forgot password” and, after giving the username in the search option, click on “Search.” Now we have the name of our victim and also what email service he is using. The email looks like this: “j*****[email protected].” We can see that there are five stars between “j” and “e”, so the attacker can guess his name, which is John Doe, and the attacker will verify whether the email exists or not. There are some online services for email id verification, such as http://verify-email.org. LinkedIn is a different kind of service. We can’t consider it a social network; it is a professional network. Here we can find out about the target’s working background and qualifications as well. You can identify which company your target is working with now and his past employment. We see how this service is used for gaining personal information about the target. There are also some tools available, like Maltego, Harvester, Creepy, etc., that are used for information gathering. After doing all this, we have some information about our target. Suppose we have the following information: Name: Mr. Victim, City: Bucharest, Profession: Web Developer, Email id: [email protected]. Now we know what kind of work he does and in which city, so if we offer him a job from a big company, I think that he will not refuse this opportunity. First we search for a company related to web design in Bucharest and send him an email offering a position as a web developer with a good salary. Select a company and go to the website to look for the human resources email id or another email id where applicants can apply for a position. Many fake mailing services are available that we can use for sending a fake email in the name of a company’s HR. Suppose my selected company name is XYZ Private Ltd., so the HR email id will look like this: [email protected].

Now send this email to the victim and let us see how it looks in the victim’s email:

After getting this kind of mail, many people will open it and even forward a résumé to the address. The social engineering attack can stop here, through the installation of malware, or can continue in a more elaborate way, using the résumés to collect even more intimate data.

IV. TYPES OF CRIMES COMMITTED THROUGH SOCIAL ENGINEERING

IV.1. Fraud

In law, fraud is deliberate deception to secure unfair or unlawful gain. Fraud is both a civil wrong (i.e., a fraud victim may sue the perpetrator to avoid the fraud and/or recover monetary compensation) and a criminal wrong (i.e., a fraud perpetrator may be prosecuted and imprisoned by governmental authorities). In common law jurisdictions, as a criminal offence, fraud takes many different forms, some general (e.g., theft by false pretense) and some specific to particular categories of victims or misconduct (e.g., bank fraud, insurance fraud, forgery). The elements of fraud as a crime similarly vary. The requisite elements of perhaps the most general form of criminal fraud, theft by false pretense, are the intentional deception of a victim by false representation or pretense with the intent of persuading the victim to part with property, the victim parting with property in reliance on the representation or pretense, and the perpetrator intending to keep the property from the victim.

IV.2. Threat

A threat is an act of coercion wherein an act is proposed to elicit a negative response. It is a communicated intent to inflict harm or loss on another person. It can be a crime in many jurisdictions. Some of the more common types of threats forbidden by law are those made with intent to obtain a pecuniary advantage or to compel a person to act against his or her will.

IV.3. Blackmail

Blackmail is an act, often a crime, involving unjustified threats to make a gain or cause loss to another unless a demand is met. Essentially, it is coercion involving threats of physical harm, threats of criminal prosecution, or threats for the purpose of taking the person's money or property. Blackmail may also be considered a form of extortion. Although the two are generally synonymous, extortion is the taking of personal property by threat of future harm. A refined type of blackmail is cyberextortion, which occurs when a website, e-mail server, or computer system is subjected to or threatened with repeated denial of service or other attacks by malicious hackers. These hackers demand money in return for promising to stop the attacks and to offer "protection". According to the Federal Bureau of Investigation, cyberextortionists are increasingly attacking corporate websites and networks, crippling their ability to operate and demanding payments to restore their service. More than 20 cases are reported each month to the FBI, and many go unreported in order to keep the victim's name out of the public domain. Perpetrators typically use a distributed denial-of-service attack. Another way of committing cyberextortion is by the use of ransomware, a type of malware which restricts access to the computer system that it infects and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system's hard drive (cryptoviral extortion), while some may simply lock the system and display messages intended to coax the user into paying.

IV.4. Intellectual property infringement

An intellectual property infringement is the infringement or violation of an intellectual property right. There are several types of intellectual property rights, such as copyrights, patents, and trademarks. Therefore, an intellectual property infringement may for instance be a copyright infringement, a patent infringement or a trademark infringement.

IV.5. Unfair competition

Unfair competition in commercial law refers to a number of areas of law involving acts by one competitor or group of competitors which harm another in the field, and which may give rise to criminal offenses and civil causes of action. The most common actions falling under the banner of unfair competition include misappropriation of trade secrets, which occurs when one competitor uses espionage, bribery, or outright theft to obtain economically advantageous information in the possession of another.

IV.6. Cyberterrorism

Government officials and Information Technology security specialists have documented a significant increase in Internet problems and server scans since early 2001. There is a growing concern among officials that such intrusions are part of an organized effort by cyberterrorists, foreign intelligence services, or other groups to map potential security holes in critical systems. A cyberterrorist is someone who intimidates or coerces a government or organization to advance his or her political or social objectives by launching a computer-based attack against computers, networks, or the information stored on them. Cyberterrorism in general can be defined as an act of terrorism committed through the use of cyberspace or computer resources. As such, simple propaganda on the Internet claiming that there will be bomb attacks during the holidays can be considered cyberterrorism. There are also hacking activities directed towards individuals and families, organized by groups within networks, that tend to cause fear among people, demonstrate power, and collect information useful for ruining people's lives, robberies, blackmail, etc.

V. PREVENTION OF SOCIAL ENGINEERING CRIMES

The most important thing that you can do to avoid being the victim of an attacker is to be aware of the common tricks. Never give out any confidential information, or even seemingly non-confidential information, about you or your company, whether over the phone, online, or in person, unless you can first verify the identity of the person asking and that person's need to have the information. You get a call from your credit card company saying your card has been compromised? Say okay, you’ll call them back, and call the number on your credit card rather than speaking to whoever called you. Always remember that real IT departments and your financial services will never ask for your password or other confidential information over the phone. Also, make good use of your shredder and dispose of your digital data properly. As we saw recently, some (poor) security systems can be bypassed with just the info found on a pizza delivery receipt. You can protect yourself from phishers, scammers, and identity thieves, but there’s only so much you can do if a service you use is compromised or someone manages to convince a company they’re you. You can, however, take a couple of preventive measures yourself:

- Use different logins for each service and secure your passwords: never use the same password for all services, and make sure your passwords are strong and complex so they’re difficult to guess.
- Use two-factor authentication: this makes it harder for thieves to get into your account, even if your username and password are compromised.
- Get creative with security questions: the additional security questions websites ask you to fill in are supposed to be another line of defense, but often these questions are easily guessed or discoverable (e.g., where you were born). You can mix uppercase and lowercase letters and numbers to create a “leet” word so that only you know those security answers.
- Use credit cards wisely: credit cards are the safest way to pay online (better than debit cards or online payment systems like PayPal) because of their strong protections. If you use a debit card and a hacker gets access to the number, your entire bank account could be drained. You can further secure your credit card by not storing card numbers on websites or by using disposable or virtual card numbers.
- Frequently monitor your accounts and personal data: to be on the lookout for both identity theft and credit card fraud, check your account balances and credit score regularly. Several services offer free ID theft monitoring, credit monitoring, and alerts for questionable credit charges. You can even use Google Alerts as an identity theft watchdog.
- Remove your info from public information databases: some sites publish our private information (like address and date of birth) online for all to see. Remove yourself from these lists with this resource.

These steps won’t prevent your account from being compromised if a service provider falls for a social engineering hack and hands your account over to the attacker, but they may at least minimize the possible damage and also give you more peace of mind that you’re doing as much as you can to protect yourself.

CONCLUSIONS

Social engineering attacks are unpredictable because they can come from external and internal sources. However, I believe that the likelihood of such attacks can be reduced if people, whether as individuals or as members of an organization, understand their own importance to the overall social engineering protection strategy and make a concerted effort to lessen the impact of such attacks. Nonetheless, we must recognize the dilemma: because exposure to social engineering is inevitable, organizations and their employees are at a clear disadvantage, facing infrequent intrusions yet needing to stay constantly vigilant, whereas the attacker can practise social engineering at will. With the rapid growth of social networking websites, where people keep in touch with friends and expand their social connections, social engineering attackers can easily exploit the unguarded social reactions of potential victims. It is hoped that proper security tactics and defenses, along with education efforts, will be applied to minimize the danger of social engineering in everyday life. Future research is therefore encouraged to analyse how social engineering can be conducted through these social networks and onward into an organization's network.


DARKNET - SECURITY ASPECTS - Bebe Răducu IONAŞCU

1. INTRODUCTION

Surface web: the internet most of us know, that is, all the web content seen by search engines.

Deep web: search engines see only a small part of web content; all the content not seen by search engines is the Deep Web.

Dark Net: an overlay network built on top of the infrastructure of the internet and reachable only with dedicated software. The most known and used Dark Net Networks are and .

Dark web: the collection of all the web sites that are visible (reachable) but whose identity, meaning who runs them and where they are hosted, is hidden. These sites are built on top of Dark Nets.

Deep Web refers to all parts of the Internet which cannot be indexed by search engines, and so can't be found through Google, Bing, Yahoo, and so forth. Experts believe that this Deep Web is hundreds of times larger than the Surface Web.

The Dark Web or Dark Net is part of the Deep Web, because its contents are not accessible through search engines. But it is something more: it is the anonymous Internet. Within the Dark Net both web surfers and website publishers are anonymous by design, although, as section 2 shows, that anonymity is strong rather than unconditional.

The Dark Web refers specifically to a large collection of websites that are publicly visible but whose servers' IP addresses are hidden. They can be visited by any user running the right software, but it is very difficult to know who is behind the sites, and they cannot be found using search engines.

Almost all sites on the so-called Dark Web hide their location using the Tor network. Tor hides a user's identity and conceals (effectively spoofs) their location; when a website is run as a Tor hidden service it has much the same effect for the server.

o Deep Web – Size and relevancy

Figure 1 Deep Web

The key findings of a study on the size and relevancy of the Deep Web, based on data collected by BrightPlanet in 2000, are:

- Public information on the Deep Web is 400 to 550 times larger than the Surface Web.
- The Deep Web contains more than 7,500 terabytes of information, compared to 19 terabytes in the Surface Web.
- The Deep Web contains more than 550 billion individual documents, compared to 1 billion on the Surface Web.
- There are more than 200,000 Deep Web sites.
- The 60 largest Deep Web sites collectively contain more than 750 terabytes of information, enough by themselves to exceed the size of the Surface Web forty times over.
- On average, Deep Web sites receive 50% more monthly traffic than Surface Web sites.
- The Deep Web is the fastest growing category of new information on the Internet.
- Deep Web sites tend to have deeper (narrower and more specialized) content than conventional surface sites.
- The total quality content of the Deep Web is 1,000 to 2,000 times greater than that of the Surface Web.
- Deep Web content is highly relevant to every information need, market and domain.
- 95% of the Deep Web is publicly accessible information, not subject to subscriptions or fees.

These figures date from 2000, when the web was far smaller; the ratios illustrate the scale of unindexed content rather than its size today.

o Who Uses the Dark Net?

In the early days of the internet, the 'onion routing' architecture behind the Dark Net was developed by the military, the US Navy to be precise. Military, government and law enforcement organizations remain among the main users of the Dark Net.

The Dark Net is also very popular among journalists and bloggers, especially those living in countries where censorship and political imprisonment are commonplace. Online anonymity lets them communicate with sources and publish freely, without fear of retribution. The Dark Net can also be used by readers to reach information on the Surface Web that is normally blocked by national firewalls, such as the 'Great Firewall of China', which restricts Chinese Internet users' access to many websites.

Activists and revolutionaries also can use the Dark Net in order to organize themselves without fear of giving away their position to the governments they oppose.

Of course, the Dark Net also allows terrorists and criminals to communicate and organize criminal activities anonymously.

o Access:

All Dark Nets require specific software to be installed, or network configuration to be made, before they can be accessed; Tor, for example, is accessed through a customized browser, the Tor Browser.

- Tor (The Onion Router) is an anonymity network that also features a Dark Net, its "hidden services" (since renamed onion services). It is the most popular instance of a Dark Net.

- I2P (Invisible Internet Project). Not all Dark Web sites use Tor. Some use similar Dark Net services such as I2P, another overlay network that features a Dark Net.

The principle remains the same. The visitor has to use the same anonymity software as the site and, crucially, has to know where to find the site, since there is no search engine for it: the address must be typed in.

The Tor Browser can be used to surf the Surface Web anonymously, giving the user increased protection against everyone from hackers to government surveillance to corporate data collection. It also gives access to websites on the Tor network that are inaccessible to people not using Tor. This is one of the largest and most popular sections of the Dark Net.

2. TOR – THE ONION ROUTING

Onion routing was one of the first anonymity protocols to be deployed on the internet. It works quite simply: traffic is sent from the origin to a node, which sends it to another node, which sends it to another node, and after N nodes have been traversed the traffic is forwarded to the destination.

Tor encrypts traffic in layers with AES-128, using per-hop session keys negotiated with public-key cryptography during circuit setup, and forwards it through three nodes before the last layer is removed and the traffic leaves the network for its destination.

Figure 2 Tor Principle

Communication from the computer to the internet relies on an entry node (in Tor terms, the guard) which brings the computer into the Tor network. The entry node talks directly to the computer, so it knows the computer's IP address, but it passes on only an encrypted request to the middle relay. The middle relay communicates with the entry node and the exit node but knows neither the computer's IP address nor the final destination. The exit node is where the last layer is removed and the request is sent to the internet: it knows the destination and sees the request as the destination will see it, but it knows only the IP of the middle relay, not the computer's. With this three-node model it is harder, though not impossible, to correlate the request with the original IP address.

o Onion Structure

The 'onion' structure exists only at the application level; underneath, the onion travels over TCP for reliable delivery and IP for traversal of the internet. When a node obtains the next-hop information from the application-level onion payload, it opens (or reuses) its own connection to that next node, so the packets it sends carry the node's own IP address as source and the next node's IP address as destination. Because the source and destination addresses change at every hop, an observer of any one link sees only a node talking to the next node, with no indication of the true origin or final destination, and a single message looks like several different messages as it crosses the network. This is what gives onion routing its anonymity; it makes following one packet across the whole network hard, though not impossible for an observer who can watch several links at once.

Figure 3 Structure of an onion as it traverses the network

o Security

As mentioned previously, the defining feature of an onion is its multiple layers of encryption that protect the data, its origin and its destination. In the original onion routing design each layer is encrypted with the public key of one of the routers the onion will traverse on its way to the destination host (Tor instead negotiates a symmetric key with each relay when the circuit is built and layers AES encryption on those keys, but the structure is the same). Each node the onion passes through decrypts the first, or 'outermost', layer, which can be thought of as peeling the outermost layer of an onion. Removing it reveals the next host to send to, which the node uses to address the packet it sends on. The only exception is at the exit funnel of the onion network. There the last layer of encryption is removed, revealing the original message, which is sent on its way like any other packet, with the exit funnel as its source IP, to its final destination.

Figure 4 Onion Layers

It is worth noting that onion routing does not provide end-to-end encryption of data, and so it is not suitable for transmitting sensitive data without some other encryption scheme on top. An attacker can intercept a target's message before it reaches the onion network just as with any other message on a network: before it reaches the onion proxy the message is not yet in onion format and is no different from any other traffic. The same is true after the data has left the exit node. Even if data is sniffed at either of these points the anonymity of the link is preserved, because the observer sees either a destination IP of the onion proxy or a source IP of the exit funnel, depending on where in transit the message is captured; but if the sniffed content itself identifies the sender (a name, a login, a cookie), anonymity is lost anyway.

With this technology any node in the chain knows only the previous node and the next hop, which is nowhere near enough for anyone trying to monitor traffic. This holds only as long as the nodes in a chain are not all controlled, or observed, by the same adversary: a single operator who runs every relay in a circuit, or who can watch both its entry and its exit links, can link the client to the destination by correlating the traffic at the two ends, which is exactly the global observer that Tor's design does not try to defeat.

o Return Onions

Anonymous communication would be rather useless if the end host being communicated with sent its replies directly back to the source, since the direct connection would positively link the two. Worse, the IP address of the source host would have to be included in the information sent to the destination, completely negating the purpose of onion routing. To get around this, something known as a return onion is used. When the original onion is created at the onion proxy, a second identical onion is also created. This onion's application data is a third onion, the actual return onion. It is exactly like the other two except that the routing data and public keys are reversed, with the 'outermost' keys becoming the 'innermost' and vice versa. This return onion sits at the exit funnel and waits for a reply from the destination host; since the source IP of the packet sent to the destination was that of the exit funnel, any reply will arrive there. Once a reply is received it is bundled into the return onion and sent back across the onion network to the source host, allowing two-way anonymous communication.
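The layered structure described in the last three subsections, as an added toy example that is not part of this paper and not Tor's code: a three-hop circuit in which the client wraps a message in one layer per relay, each relay peels exactly one layer and learns only the previous and the next hop, and the reply is wrapped hop by hop on the way back so that the client, not any relay, removes all the layers. The cipher (SHA-256 in counter mode used as a keystream), the relay names and the fixed per-hop keys are all constructed for the example; Tor uses AES-128-CTR with keys negotiated during circuit setup.

```python
import hashlib

# Toy onion-routing circuit, added as an illustration; it is not Tor's code.
# The "cipher" is SHA-256 in counter mode used as a keystream, standing in for
# Tor's AES-128-CTR. It is NOT a real cipher and must not be reused as one.
# In Tor each hop key is negotiated during circuit setup; here the keys are
# constructed deterministically so the example runs offline.

HOP_FIELD = 32  # fixed-width next-hop field at the front of every layer


def _keystream(key: bytes, length: int) -> bytes:
    """Keystream = SHA-256(key || counter) blocks, truncated to `length`."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def layer(key: bytes, data: bytes) -> bytes:
    """Add or remove one layer: XOR with the hop's keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def demo_keys(path):
    """Constructed per-hop keys (Tor derives these from a key exchange with each relay)."""
    return {hop: hashlib.sha256(b"demo-hop-key:" + hop.encode()).digest() for hop in path}


def build_onion(path, hop_keys, destination: str, payload: bytes) -> bytes:
    """Client side: wrap the innermost (exit) layer first, so that each hop
    peels its own layer and learns only the next hop, never the whole path."""
    blob = payload
    next_hop = destination
    for hop in reversed(path):
        header = next_hop.encode().ljust(HOP_FIELD, b"\0")
        blob = layer(hop_keys[hop], header + blob)
        next_hop = hop
    return blob


def peel(hop_key: bytes, blob: bytes):
    """Relay side: strip one layer, returning (next hop, remaining onion)."""
    plain = layer(hop_key, blob)
    next_hop = plain[:HOP_FIELD].rstrip(b"\0").decode()
    return next_hop, plain[HOP_FIELD:]


def run_circuit(path, hop_keys, client: str, destination: str, payload: bytes, reply: bytes):
    """Forward the onion hop by hop, recording what each relay can observe, then
    carry a reply back: each relay adds its layer, the client removes them all."""
    seen = {}
    blob = build_onion(path, hop_keys, destination, payload)
    prev, current = client, path[0]
    while True:
        next_hop, blob = peel(hop_keys[current], blob)
        is_exit = next_hop == destination
        # A relay sees who handed it the cell and who it forwards to; only the
        # exit sees the plaintext, because it removed the last layer.
        seen[current] = {"from": prev, "to": next_hop, "plaintext": blob if is_exit else None}
        if is_exit:
            break
        prev, current = current, next_hop
    delivered = blob
    back = reply
    for hop in reversed(path):          # exit wraps first, then middle, then guard
        back = layer(hop_keys[hop], back)
    for hop in path:                    # client peels guard, middle, exit
        back = layer(hop_keys[hop], back)
    return seen, delivered, back


def demo():
    path = ["guard", "middle", "exit"]
    keys = demo_keys(path)
    return run_circuit(path, keys, "client", "example.com", b"GET / HTTP/1.1", b"HTTP/1.1 200 OK")


if __name__ == "__main__":
    seen, delivered, reply = demo()
    for relay, view in seen.items():
        print(relay, view)
```

Running it prints, for each relay, only the neighbour it received from, the neighbour it forwards to and (for the exit alone) the plaintext; no single relay's view contains both the client and the destination, which is the property the return onion preserves in the reverse direction.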

o Strengths

Tor's strength comes from its uniformity. Encrypted traffic from a computer into the entry node, and from the entry node on to the next relay, is just traffic; its origin cannot be determined from its appearance. Tor protects against many forms of traffic analysis, an attack on anonymity that works by watching connections. If an adversary could see all the connections of all the Tor nodes in the world, they could break Tor. But since there are Tor nodes all over the world, in countries with varied diplomatic relations, that is considered impractical. It was once thought that Tor would be trivial to break because of its small number of nodes, but since then Tor has grown from 400 nodes to about 5,000, with on the order of 1,000 online at any given time (figures as of the time of writing). To strengthen your anonymity and everyone else's, run a Tor node: not only does this help the network, it can make your own anonymity stronger, since traffic leaving your machine may have originated from you or merely been forwarded by you. Be aware that an exit node in particular attracts abuse complaints for other people's traffic.

Tor is also low-latency. It is not low-latency compared to a normal network connection, but it certainly is compared to other anonymity systems such as Freenet or GNUnet.

o Weaknesses

The biggest drawback of Tor is that the node operators cannot be trusted. This need not compromise anonymity, but it can compromise data: an exit node sees whatever leaves the network in plaintext. While using Tor, take the same precautions as on any other untrusted network. Encrypt everything: send passwords only over TLS, and encrypt messages end to end. Bad nodes are far less common than good ones, but there is no way to know whether a given exit node is sniffing your traffic.

Tor is also vulnerable to a few classic attacks on anonymity networks, including what might be called the 'giant overseer' attack and timing/correlation attacks. The giant overseer attack is simple: if the adversary can see all traffic on all nodes of the Tor network, the game is over. This attack is not really feasible unless a single adversary could monitor the whole world's networks. A more potent attack is the timing attack: if I watch Bob send a request for a file, then observe Alice receiving a request of equal size, followed by Alice sending a 300 MB file, and then Bob receiving a 300 MB file, there is a good chance that Bob is talking to Alice. This could be defeated with padding (making every participant send a constant amount of data all the time), but that would be impractical and would severely impact Tor's speed. The same attack is very useful for discovering the location of a hidden service, though it takes a large amount of resources to carry out.

Tor also depends on a few centralized resources. The list of relays and their keys is published as a consensus produced by a handful of directory authorities; the consensus is mirrored by many relays, but only those few authorities are 'authoritative' and have the final say over which relays exist, so an attacker who compromised or coerced a majority of them could steer clients onto relays he controls. Hidden service descriptors are not held by the authorities but are published to a set of relays acting as hidden service directories, chosen from that same consensus.
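The size-and-timing correlation described under Weaknesses, as an added illustration that is not part of this paper and not Tor's code. The flow records are constructed: what an adversary watching a client's ISP link would see going into the guard, and what one watching an exit would see going to a destination. Matching on volume and start time links the two ends of the 300 MB transfer; padding every flow to a fixed volume bucket and time window, the defence the paragraph mentions, leaves every client as a candidate for every destination.

```python
import math

# Constructed flow observations (not real captures). ENTRY_FLOWS is what an
# observer at the client's ISP sees going into the guard; EXIT_FLOWS is what
# an observer at an exit sees going to the destination. This is an added
# illustration of the correlation attack, not code from Tor or this paper.

ENTRY_FLOWS = [
    {"client": "10.0.0.5",  "t_start": 100.0, "t_end": 130.0, "bytes": 300_000_000},
    {"client": "10.0.0.9",  "t_start": 101.0, "t_end": 102.0, "bytes":   2_000_000},
    {"client": "10.0.0.12", "t_start": 105.0, "t_end": 135.0, "bytes": 300_000_000},
]
EXIT_FLOWS = [
    {"dest": "alice.example", "t_start": 100.4, "t_end": 130.6, "bytes": 300_000_000},
    {"dest": "news.example",  "t_start": 101.3, "t_end": 102.5, "bytes":   2_000_000},
]


def correlate(entry_flows, exit_flows, size_tol=0.05, max_latency=2.0):
    """For each exit flow, list the entry flows that could be its other end.

    An entry flow is a candidate if its volume matches within `size_tol`
    (Tor adds only cell-framing overhead) and it started at most `max_latency`
    seconds before the exit flow. Candidates are ordered by how closely volume
    and duration match. Returns {dest: [client, ...]}.
    """
    result = {}
    for x in exit_flows:
        x_dur = x["t_end"] - x["t_start"]
        scored = []
        for e in entry_flows:
            size_diff = abs(e["bytes"] - x["bytes"]) / x["bytes"]
            lag = x["t_start"] - e["t_start"]
            if size_diff > size_tol or lag < 0 or lag > max_latency:
                continue
            dur_diff = abs((e["t_end"] - e["t_start"]) - x_dur) / max(x_dur, 1e-9)
            scored.append((size_diff + dur_diff, e["client"]))
        result[x["dest"]] = [client for _, client in sorted(scored)]
    return result


def pad_flows(flows, bucket_bytes, window_seconds):
    """Model the padding defence: every flow is rounded up to a fixed volume
    bucket and aligned to fixed time windows, so volume and timing carry no
    information. (Tor does not do this; the cost is the bandwidth wasted.)"""
    padded = []
    for f in flows:
        start = math.floor(f["t_start"] / window_seconds) * window_seconds
        padded.append({**f,
                       "t_start": float(start),
                       "t_end": float(start + window_seconds),
                       "bytes": math.ceil(f["bytes"] / bucket_bytes) * bucket_bytes})
    return padded


def unpadded_matches():
    """Raw flows: each destination is linked to exactly one client."""
    return correlate(ENTRY_FLOWS, EXIT_FLOWS)


def padded_matches():
    """Padded to 500 MB buckets and 60 s windows: every client matches every destination."""
    return correlate(pad_flows(ENTRY_FLOWS, 500_000_000, 60),
                     pad_flows(EXIT_FLOWS, 500_000_000, 60))


if __name__ == "__main__":
    print("unpadded:", unpadded_matches())
    print("padded:  ", padded_matches())
```

Note that the third client, who also moved 300 MB, is excluded only because its flow started after the exit-side flow; an attacker who can see both ends needs nothing more than these two fields, which is why padding has to destroy both the volume and the timing signal to help.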

3. HIDDEN SERVICES – .ONION

Possibly the biggest advantage of using Tor is this feature: hidden services. Hidden services are just like any other service on the net (IRC servers, websites, shell servers, chat servers, anything that runs on TCP, which is most of the net) with one important difference: hidden services are anonymous. With a normal website you can always find the owner and possibly persecute or prosecute him for his speech, but with a hidden service he is hidden behind Tor. Moreover, even plaintext content is safe in transit, because all traffic to a hidden service is encrypted end to end between the visitor's Tor client and the service's Tor process; no exit node is involved.

Hidden services are easily recognized by their .onion address suffix.

Tor website addresses look different from ordinary URLs. They are composed of a random-looking string of characters, derived from the service's public key, followed by .onion. An example of a hidden website address is: http://dppmfxaacucguzpc.onion

These services offer what amounts to end-to-end encryption. The connection never leaves the Tor network: the hidden service's own Tor process is the last hop, so the request is decrypted by the website itself and not by some random exit node run by a potential attacker. The flip side is that the service host sees the request in clear text once it is decrypted. So if the message contains the sender's name, address, credit card, bank account or login information, the service operator has all of it and the sender's identity is compromised no matter how well Tor hid the connection.
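How such a name is derived from the service's key, as an added example that is not part of this paper and not Tor's code. It shows the v2 scheme (16-character names, the kind shown above) and, going beyond the paper, the v3 scheme introduced in 2017, whose 56-character names carry a checksum that lets a client reject a mistyped or tampered address before connecting. Both input keys are constructed stand-ins, not real service keys.

```python
import base64
import hashlib

# Added illustration of how .onion names are derived from a service's public
# key; not Tor Project code. Both inputs are constructed stand-ins, not real
# service keys. The derivation rules follow Tor's rendezvous specifications.

# Constructed stand-in for a DER-encoded RSA-1024 public key (v2 input).
V2_DER_PUBKEY = b"\x30\x81\x89\x02\x81\x81\x00" + bytes([0xAB] * 128) + b"\x02\x03\x01\x00\x01"
# Constructed stand-in for a 32-byte ed25519 public key (v3 input).
V3_PUBKEY = bytes(range(32))
V3_VERSION = b"\x03"
BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def onion_v2(der_rsa_pubkey: bytes) -> str:
    """v2: lowercase base32 of the first 80 bits of SHA-1 over the DER public key."""
    digest = hashlib.sha1(der_rsa_pubkey).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


def _v3_checksum(pubkey: bytes) -> bytes:
    # CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def onion_v3(ed25519_pubkey: bytes) -> str:
    """v3: lowercase base32(PUBKEY || CHECKSUM || VERSION) + ".onion"."""
    if len(ed25519_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    raw = ed25519_pubkey + _v3_checksum(ed25519_pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(address: str) -> bytes:
    """Check a v3 address (length, version, checksum) and return the embedded
    public key. A mistyped or tampered name fails here instead of silently
    connecting to a different service: the name authenticates the key."""
    name = address.strip().lower()
    if name.endswith(".onion"):
        name = name[:-len(".onion")]
    if len(name) != 56:
        raise ValueError("v3 onion names are 56 base32 characters")
    raw = base64.b32decode(name.upper())   # 56 chars * 5 bits = 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != _v3_checksum(pubkey):
        raise ValueError("checksum mismatch: address corrupted or tampered with")
    return pubkey


def looks_like_v2(address: str) -> bool:
    """Syntactic check only: 16 base32 characters before .onion. Nothing in a
    v2 name lets a client verify it against a key before connecting, which is
    one reason the v2 format was later retired."""
    name = address.strip().lower()
    if not name.endswith(".onion"):
        return False
    name = name[:-len(".onion")]
    return len(name) == 16 and all(c in BASE32_ALPHABET for c in name)


if __name__ == "__main__":
    print(onion_v2(V2_DER_PUBKEY))
    print(onion_v3(V3_PUBKEY))
```

The v2 name is a truncated hash of the key, so a client can only confirm the binding after it has fetched the service's descriptor; the v3 name embeds the whole public key plus a checksum, so the binding is checked from the name alone.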

4. HTTP SECURE WEB SITES

Another security step is to visit websites that use HTTPS (HTTP Secure). A site is using HTTPS if its address begins with https://. HTTPS encrypts the sender's requests so that only the server can decrypt them, not someone eavesdropping on the communication (for example a compromised Tor exit node). This is another form of end-to-end encryption, this time between the browser and the web server. Anyone who intercepts an HTTPS request sees only ciphertext.

Figure 5 SSL

Another reason to use HTTPS whenever possible is that a malicious Tor node can alter messages passing through it unprotected and inject malware into the connection. This is easy when requests are sent in plain text; HTTPS prevents it, since tampering with the ciphertext is detected. HTTPS is, however, only as strong as its configuration: a short key or a weak cipher suite can be attacked. When a site uses RSA key exchange, the browser encrypts a session secret with the website's public key, which only the holder of the corresponding private key can decrypt; the page content itself is then protected with symmetric session keys derived from that secret. This is ordinary public-key cryptography: the public key is handed to anyone who wants to send an encrypted message, and only the holder of the private key can read it. (Modern configurations use ephemeral Diffie-Hellman for the key exchange and use the site's key only to sign the handshake, which also gives forward secrecy.)

Unfortunately, many websites are still using RSA keys of only 1,024 bits, which is no longer enough. For adequate security the site's certificate should use a key of at least 2,048 bits, if not 4,096. Even doing all of this is not enough on its own. What if the web server itself has been compromised? The Tor nodes may be clean and HTTPS may have been used for every request, but if the web server of the website visited has been compromised, all the requests are again as good as plain text.

5. USE PGP () ENCRYPTION

PGP (Pretty Good Privacy) is a public-key encryption program. It encrypts each message or file with a fresh symmetric key and wraps that key with the recipient's public key, using public-key algorithms built on large prime numbers and one-way mathematical functions. When used correctly it provides strong protection for confidential documents and email messages. It can be used to encrypt files on a computer, to send encrypted email to recipients you have never met, or to digitally sign an email so recipients can tell whether it has been tampered with. PGP is available in a variety of free and commercial versions, standalone or as plug-ins for various email programs and word processors.

The important point about PGP, though, is that you never have to meet the person you're sending encrypted information to. This might not make sense at first, but this capability is essential to the benefits PGP can provide.

PGP was written by Phil Zimmermann and released in 1991, motivated by proposed US legislation (Senate Bill 266) that would have pushed vendors to give the government access to the plaintext of encrypted communications; the later Clipper Chip proposal, an escrowed-encryption chip with a built-in back door for law enforcement, confirmed those fears. Since then, PGP has become a popular method of encrypting and digitally signing documents and email.

Symmetric encryption has one key: the two people meet first and exchange it; afterwards one encrypts the data with the key and sends it to the other, who uses the same key to decrypt it. Public-key systems remove the need to share a secret, but they raise a different problem: how do you know that a public key really belongs to the person it claims to? The familiar Certificate Authority system used for TLS and S/MIME answers this with a hierarchy of trusted third parties who sign certificates.

PGP uses a web of trust instead. People meet each other to verify public key fingerprints, often at "key signing parties", and then sign each other's public keys (using their private keys). Some upload their public key, with the signatures on it, to "key servers", which help to automate the exchange of keys. Two things are distinct here: whether a key is valid (it really belongs to the named person) and how much you trust its owner to verify other people's keys. If you assign "marginal" trust to a key, its signature helps establish the validity of the keys it has signed; with GnuPG's default settings a key is considered valid if it is signed by one fully trusted valid key or by three marginally trusted valid keys, and chains of such introductions are limited in length (the default maximum certification depth is 5). In this way a key you have never verified directly can still be trusted.
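The validity rule above, as an added worked example that is not GnuPG's code: it computes which keys become valid from a constructed set of signatures and owner-trust assignments, using GnuPG's default thresholds (one full or three marginal introducers, maximum depth 5; exactly how GnuPG counts depth is an assumption here). The names, signatures and trust levels are invented for the example.

```python
# Added worked example of the web-of-trust validity rule, using GnuPG's default
# thresholds; it is not GnuPG's code, and the keys, signatures and trust
# assignments below are constructed for the example.

FULL, MARGINAL, NONE = "full", "marginal", "none"

# GnuPG defaults: --completes-needed 1, --marginals-needed 3, --max-cert-depth 5.
# How GnuPG counts depth exactly is an assumption here: level 0 is your own key.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


def compute_validity(my_key, signatures, owner_trust,
                     completes_needed=COMPLETES_NEEDED,
                     marginals_needed=MARGINALS_NEEDED,
                     max_depth=MAX_CERT_DEPTH):
    """Return {key: level} for every key that becomes valid.

    signatures: {key: set of keys whose owners have signed it}
    owner_trust: {key: FULL | MARGINAL | NONE}, how far you trust that owner
                 to verify other people's keys (distinct from validity!)
    A key is valid at level n if it is signed by enough keys that were already
    valid at an earlier level AND whose owners you trust as introducers:
    one fully trusted signer, or `marginals_needed` marginally trusted ones.
    Your own key is ultimately trusted and valid at level 0.
    """
    valid = {my_key: 0}
    for level in range(1, max_depth + 1):
        newly = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            full = marginal = 0
            for s in signers:
                if s not in valid:
                    continue           # a signature from an unverified key is worthless
                trust = FULL if s == my_key else owner_trust.get(s, NONE)
                if trust == FULL:
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly[key] = level
        if not newly:
            break
        valid.update(newly)
    return valid


# Constructed example web: 'me' has met and signed alice, bob, carol, dave, erin.
SIGNATURES = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"}, "erin": {"me"},
    "frank": {"alice", "bob", "carol"},   # three marginal introducers
    "grace": {"alice", "bob"},            # only two: not enough
    "heidi": {"dave"},                    # one fully trusted introducer
    "ivan":  {"erin"},                    # erin is valid but not trusted as introducer
    "judy":  {"frank"},                   # chain: me -> alice/bob/carol -> frank -> judy
    "mallory": {"ivan", "grace"},         # signed only by keys that never became valid
}
OWNER_TRUST = {
    "alice": MARGINAL, "bob": MARGINAL, "carol": MARGINAL,
    "dave": FULL, "erin": NONE, "frank": FULL,
}


def demo():
    return compute_validity("me", SIGNATURES, OWNER_TRUST)


if __name__ == "__main__":
    for key, level in sorted(demo().items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{key:8s} valid at level {level}")
```

The case of erin is the one people get wrong in practice: her key is perfectly valid (I signed it myself), but because I have not assigned her any owner trust, her signature on ivan's key counts for nothing.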

Figure 6 PGP

GnuPG is a popular implementation of the OpenPGP standard, shipped with most major GNU/Linux distributions and BSDs. Although Thunderbird does not directly support GnuPG or PGP, a plugin can be used to add support.

6. RUN A LIVE OPERATING SYSTEM

Using a live operating system, PGP encryption and decryption become very easy. A live operating system is one that boots and runs from removable media, without being installed on the computer's disk. A Windows user, for example, has two choices:

- Download the live operating system, burn it to a CD or DVD and boot the computer from that disc. A USB drive can be used in the same way.

- Run the live operating system inside a virtual machine (for example VirtualBox). The benefit is that Windows keeps running at the same time and the user can switch back and forth between the two operating systems without rebooting.

Both methods have their pros and cons. The advantage of booting from a live CD is that it reduces the risk of the session being compromised by viruses, malware or key-loggers that rely on Windows to run. The virtual machine is only as trustworthy as the host: a key-logger on Windows captures what is typed into the guest, so it offers convenience, not isolation from a compromised host.

o Tails

The Amnesic Incognito Live System, or Tails, is a security-focused Debian-based Linux distribution that aims at preserving privacy and anonymity. It is the successor of the earlier Gentoo-based Incognito Linux distribution. All outgoing connections are forced through Tor, and direct (non-anonymous) connections are blocked. The system is designed to be used from a live DVD or live USB stick, independently of the computer's original operating system, and leaves no trace (digital footprint) on the machine unless explicitly told to do so.

Tails comes with several built-in security applications pre-configured: web browser, email client, instant messaging client, image and sound editor, office suite, etc.

Most of the financial support for its development has been provided by the Tor Project.

7. USING A VPN FOR ADDED PROTECTION

Many Dark Net users also want to add an extra layer of protection by connecting to Tor through a VPN (Virtual Private Network). Although no one can see what a user is doing online through an onion router, observers on the path (the ISP in particular) can see that he is using Tor to do something. In 2014 Wired UK reported what had long been suspected, that the NSA was tagging users of the Tor network as extremists or persons of interest ("Use privacy services? The NSA is probably tracking you"). Connecting to Tor through a VPN means that the ISP sees only an encrypted VPN tunnel rather than Tor traffic, so it is often seen as a good solution to this problem; note, however, that the VPN provider can still see that the user connects to Tor.

o Combining Tor with a VPN

All networks, but especially public Wi-Fi networks, are very vulnerable to traffic analysis. In addition, some internet service providers monitor online activity to some degree. That is why it can be a very good idea to always use an encrypted method of navigating the internet, such as a VPN (Virtual Private Network).

Figure 7 VPN

It is considered good practice to choose a VPN that uses encryption of at least 128 bits, like Tor, and this will stop many eavesdroppers. 256-bit encryption gives an even greater margin.

Using Tor over a VPN hides the user's Tor activity from his internet service provider. The VPN provider, in turn, sees only the connection to Tor nodes and the encrypted data sent over it; it cannot see what is sent through Tor unless it could decrypt it, because everything passing through Tor is encrypted.

The downsides are that a VPN provider may log everything the user does and keep those logs for a very long time. Another thing to mention is that VPN connections can drop unexpectedly without the user noticing. If the reason for using the VPN was to hide Tor activity from the ISP, then when the VPN drops the ISP starts seeing the Tor traffic instead, unless the system is configured to block all traffic that does not go through the VPN.

8. CONCLUSIONS

The Deep Web can provide an environment in which users' privacy is protected, but at the same time there are several types of attack that could expose someone's identity. Governments' capabilities to monitor the hidden network are increasing, a widespread practice being to infiltrate it with their own surveillance services. It is widely reported that several U.S. cyber units are dedicated entirely to monitoring the Deep Web.

Despite the security dangers of exploring the Deep Web, it has many benefits beyond access to more research material. The Deep Web can offer an avenue for expression and organization, and a great deal of information, to people living under oppressive or restrictive regimes. Connections in the Deep Web are anonymous and very difficult to monitor, enabling access to current news from around the world without government filtering and censorship.

9. LIST OF FIGURES

Figure 1 Deep Web
Figure 2 Tor Principle
Figure 3 Structure of an onion as it traverses the network
Figure 4 Onion Layers
Figure 5 SSL
Figure 6 PGP
Figure 7 VPN

FRAMEWORK OF PERSONNEL TRAINING MAJORING IN UKRAINE

Oleksandr BAKALYNSKYI

INTRODUCTION

The events of the last year and, above all, the fast and unexpected loss of Crimea by Ukraine give grounds to conclude that there is a range of serious problems in the field of Ukraine's national security. Moreover, these problems exist at all levels of state governance, from the quality and relevance of the National Security Doctrine to the training of personnel for work in this area. One reason for this situation seems to be an obvious underestimation of the information component of modern weapons. The information weapons of the Russian Federation have developed very rapidly in recent years and reached a high level of theoretical elaboration and practical mastery, but this was overlooked by the military and political leadership of Ukraine. The most striking instance of the Russian Federation's use of information weapons, in the course of the annexation of Crimea, demonstrated that the power of such weapons can be considered comparable to that of nuclear weapons. Hence the main conclusion: the issue of state information security must become dominant in Ukrainian policy at the present stage and receive a powerful impetus for development, together with political, ideological and financial support. This is especially true of training in the subject area 6.170103, "Management of Information Security".

Higher educational institutions of Ukraine did not train specialists in information security at all until the mid 1990s. The national system of training in the field of information security is considered to begin with the signing, on 28.12.1995, of joint order № 66/358 of the State Service of Ukraine on Technical Information Protection and the Ministry of Education of Ukraine, "On Cooperation between the Ministry of Education of Ukraine and the State Service of Ukraine in Technical Protection of Information" [1]. At that point educational institutions of Ukraine began training in the following specialties:

7.160101 - "Protection of Classified Information and Automation of its Processing (computer systems)";
7.160102 - "Protection of Classified Information and Automation of its Processing";
7.160103 - "Protection of Systems against Unauthorized Access";
7.160104 - "Administrative Management in Systems of Classified Information Protection";
7.160105 - "Information Security in Computer Systems and Networks".

It should be noted that this list of specialties has survived virtually unchanged. The first publications on the methodology of training specialists in information security appeared only in 2000-2001 (Lazarev G.P., Kliotskin S.M., Khoroshko V.A. - 2000; Bogdanov A. M., Dodonov A.V., Kornieiko O.V., Mohor V.V., Khoroshko V.A. - 2001; Bondarenko M.S., Gorbenko V.I., Zinkovskyi Y.U., Klimenko V.P. - 2001; Maklakov G.Y., Ryzhkov E.V. - 2001). Today, training in information security is provided under the curricula and programs of the country's leading educational institutions, among them the National Technical University of Ukraine "KPI", the National Aviation University, Kharkiv State Technical University of Radio Electronics and the State University of Telecommunications.

The state of information security is determined not only by the level of initial training but also by the professional development of experts in the field. This is especially essential because mature executives, who already hold a certain position in their field and need only specific additional knowledge, benefit most from retraining. This kind of training is also given due attention in our country. Back in 1994 the "Science Training Center for the professional development of specialists in the field of technical protection of classified information" was established on the basis of "KPI"; it was later renamed the "Special courses of postgraduate education in the field of protection of classified information". In addition, training is offered by a sufficiently large number of private or commercial training centers, including courses in the offices of major vendors or auditing companies, such as the "Network Academy of CISCO", "PricewaterhouseCoopers Ukraine", "Microsoft", "BSI Management System CIS", "TÜV SÜD" and others.

I. TRAINING SPECIALISTS IN THE FIELD OF INFORMATION SECURITY IN UKRAINE

I.1. Educational Standards in the "Information Security" Subject Area

According to Resolution № 787 of the Cabinet of Ministers of Ukraine of 27.08.2010 "On the List of Specialties that are Trained in Higher Education Institutions for Education and Skills Levels of Specialist and Master" [2] and Order № 1067 of the Ministry of Education and Science of Ukraine of 09.11.2010, the list of specialties in which higher educational institutions of Ukraine train for the educational levels of Specialist and Master was put in place in the 2011-2012 academic year [3].

According to this list, training in information security at higher educational institutions of Ukraine is carried out in the following specialties (Table 1):

Table 1. Specialties of the "Information Security" subject area

Subject area: Information Security

Direction: Information and Communications Systems Security (code 6.170101)
  Specialties: Information and Communications Systems Security; Security of Government Information Resources

Direction: Systems of Technical Information Protection (code 6.170102)
  Specialty: Systems of Technical Information Protection and Automation of Its Processing

Direction: Information Security Management (code 6.170103)
  Specialties: Information Security Management; Administrative Management in the Field of Information Security

Table 2 lists the primary positions which, according to the educational qualification characteristics, a graduate can take:

Table 2. Bachelor qualifications and primary appointments

Bachelor 6.170101; qualification 3439 Specialist in Information and Communications Systems Security
  Primary appointments: Inspector; Specialist of Public Service; Information Security Specialist in Information and Communications Systems

Bachelor 6.170102; qualification 3439 Specialist in Systems of Technical Information Protection
  Primary appointments: Engineer; Specialist of Public Service; Specialist in Technical Information Security; Specialist in Technical Audit; Radio Frequency Control Operator; Telecommunications Engineer

Bachelor 6.170103; qualification 3439 Specialist in Organization of Information Security
  Primary appointments: Specialist in Classified Information Security Organization; Specialist in Security Order Management; Specialist in Surveillance, Security and Other Types of Protection; Specialist in Organization of Information Security

I.2. Analysis of the Professional Training Level in Ukraine

According to the "Analysis of Education and Training on IT and Information Security Management in Ukraine" dated 23.02.2011, prepared by the Certification Director of the Kiev chapter of ISACA [4], the level of information security training does not meet the requirements of the market. The main observations are:
• Education in Ukraine is aimed at preparing purely technical specialists with a strong technical inclination towards data protection and cryptography.
• The core special academic disciplines are designed to train purely technical skills and do not cover skills such as leadership, resource management, human resources, business processes, risk management, etc.
• The requirements for the abilities and skills of graduates of Ukrainian higher education institutions (HEIs) in the field of "Information Security" do not reflect the skills needed for information security management.
• Even without considering the subjects taught, the professional development of the teachers or the level of the students, and looking only at the tasks expected of university graduates, it is clear that graduates lack the background and skills needed to manage information security.
These comments should be taken as an example that deserves consideration.

II. FRAMEWORK OF PERSONNEL TRAINING IN THE INSTITUTE OF SPECIAL COMMUNICATIONS AND INFORMATION SECURITY OF THE NATIONAL TECHNICAL UNIVERSITY «KYIV POLYTECHNIC INSTITUTE»

II. 1. Objectives for Graduates

At the request of the leadership of the State Service for Special Communications and Information Security of Ukraine (hereafter SSSCIS), the Institute obtained a license to train specialists in information security management for: a) training personnel for the Main Department of Courier Communications of the SSSCIS; b) training specialists capable of practically implementing elements of electronic document handling in the units of the SSSCIS, with the emphasis on handling classified information. A characteristic feature of the "Information Security Management" curriculum is that it takes into account the specifics of a courier's future professional performance. The tasks are expected to be accomplished working alone, with increased responsibility for delivering particularly valuable cargo both in Ukraine and abroad. The graduate competences therefore include making sound decisions under time pressure and under physical threat to the courier's person, including in other countries. To meet these requirements, additional time for physical training, fire training and advanced study of foreign languages is allocated in the curriculum.

II. 2. Rationale for Choosing ISO 27001 as the Basis for Creating the Curriculum

Why was ISO/IEC 27001:2005 chosen as the basis? First, consider the order and sequence in which ISO standards are adopted [5]. ISO standards are developed by a group of experts within a Technical Committee. Once the need for a standard has been established, the experts meet to discuss and agree on a draft. As soon as the draft is ready, it is passed to the ISO member bodies for review and, where necessary, comment. If consensus is reached, the draft becomes an ISO standard; otherwise it returns to the Technical Committee for further editing.

Figure 1. Standards development process

The basic principles of designing standards are as follows.
1. ISO standards respond to market needs and are developed to meet them. The development of new ISO standards is driven by market needs, not by the discretion of the organization. ISO develops standards at the request of manufacturers and other stakeholders such as consumer groups. As a rule, representatives of industries or interest groups inform the national standardization body that is an ISO member about the need for a standard, and that body communicates with ISO.
2. ISO standards are based on expert opinion. ISO standards are developed by a group of experts from around the world that forms part of a larger group, the Technical Committee. These experts discuss all aspects of the standard being developed, including its scope, basic definitions and content.
3. ISO standards are developed in a multilateral process involving discussion among experts. Technical committees are composed of industry experts as well as representatives of consumer associations, academia, NGOs and government.
4. ISO standards are based on consensus. ISO standards are developed by consensus, which takes into account comments from interested parties.
The working group ISO/IEC JTC 1/SC 27/WG 1 "Information Security Management Systems" is responsible for developing the 27k series of standards.
So the first argument was that ISO standards are focused on the needs of the market. The second argument for choosing the ISO 27k series as the basis of the curriculum was that information security has traditionally been the domain of state special services, so one can expect that a good half of the experts who took part in developing the standard are specialists of the highest level in the ISO member states. Thirdly, the standard is managerial rather than technical. Fourthly, the standard does not stand alone: it is structurally part of the family of international ISO 27k standards, comprising more than 30 standards, among them the standard that defines the terminology, informative standards and normative standards (Fig. 2). That is, there are many supporting standards which help to achieve a high level of information security and, most importantly, a high degree of control over the information security management system [6].


Figure 2. ISO/IEC 27k Information Technology. Security Techniques.

II. 3. Educational Strategy of Training Personnel Majoring in Information Security Management

The educational activity of the department "Management and Tactical and Special Training", which is responsible for bachelor training and is headed by A. Bogdanov, Honoured Worker of Ukraine, Doctor of Technical Sciences, Professor, is based on the National Standard for specialty 6.170103 "Information Security Management". The standard was drawn up by the National Academy of the Security Service of Ukraine, which is why the normative part of the curriculum includes a set of non-technical, humanitarian subjects; this differentiates it from the curricula of the other departments of the Institute, which mainly teach purely technical subjects. The main competence achieved in the course of training in this specialty is the ability to manage various aspects of reality, including the information security of different objects. The department's curriculum is aimed at realizing this objective. A distinctive feature of the curriculum is its full correspondence with ISO/IEC 27001 "Information Security Management Systems. Requirements". The standard was developed and adopted in 2005, and its revised version was published in 2013. The requirements of this revised version became the basis for drawing up the curriculum and are reflected in it. We can therefore claim that the training of cadets is based on the most advanced trends and ideas worldwide. The following model became the foundation of the training strategy:

a) It is assumed that loss in the functioning of an object arises from violation of the properties of its assets, in other words of its constituent elements and the relations between them;
b) In turn, assets may be of different natures, including information;
c) The amount of loss due to violation of an information asset is determined by the combination of the asset's value and the probability that the various threats are realized through the various vulnerabilities of the object's information protection system (which can be defined as risk under the three-factor model: asset value, threat, vulnerability);
d) The risk can be treated (reduced) by effective measures chosen on the basis of its assessment.
In general, the performance of a manager in preventing or reducing an object's losses due to violations of its information assets can be estimated by the equation:

W = W( · ; · ; · )

where W is the efficiency parameter and the three arguments are, in order: the vector of known parameters taken into account in the decision; the vector of unknown parameters (uncertainty parameters); and the vector of control steps chosen to maximize the overall efficiency parameter. The control vector describes a person's level of mastery of the art of management and can serve as the standard by which any two managers are compared; acquiring it is ultimately the goal of learning. The main competence of a graduate of the department is formulated as follows: «The ability to prevent or reduce the risk of loss to an object arising from violation of its information assets, by means of effective management of the information security system.» In other words, «effective management of the object's information security system is aimed at preventing loss due to violation of information assets.» The subsidiary competences that fill out the core competence are the abilities to:
- describe the object's assets, single out the informational ones and evaluate their value;
- predict the list of threats for each information asset;
- identify the vulnerabilities of each asset with respect to all its threats;
- assess the risk of each threat acting through each vulnerability for each asset;
- draw up a comprehensive risk matrix for the object;
- identify measures for treating the risks and safeguards against the threats;

- design and implement the object's information security system and its management.
The information security of an object and its information assets is assessed against the requirements for its generally accepted main components:
- confidentiality;
- integrity;
- availability.
Accordingly, it is assumed that information can leak in an unauthorized way, be changed (substituted), be blocked for a time, or be imposed from outside in the form of disinformation during information attacks. By size, objects are classified as individual, group or global. In this respect, technical objects such as a personal computer, a local area network and the global network, as well as social objects such as an individual, a group of people, a state or the whole population, are considered.
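The three-factor model and the chain of subsidiary competences above (describe assets, predict threats, identify vulnerabilities, assess risk, draw up the risk matrix, choose treatment measures) can be made concrete in a small program. The following is an added worked example, not code from the Institute, the curriculum or the paper: it computes the risk matrix as asset value × threat probability × exploitability, then performs risk treatment under a budget by greedily picking the control with the best risk reduction per unit of cost. Every asset, threat, vulnerability, value, probability, control and cost is constructed for the illustration, and using "risk reduction per unit of cost" as the efficiency figure W of the text is an assumption about how to operationalize it.

```python
# Added example of the three-factor risk model and a budgeted treatment step.
# Illustrative code only, not the Institute's method or any tool from the paper.
# All assets, threats, vulnerabilities, values, probabilities, controls and
# costs below are constructed for the example.
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Asset:
    name: str
    value: float           # loss if the asset's properties are violated (constructed units)


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float     # likelihood that the threat is attempted in the period


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str             # Asset.name it weakens
    threat: str            # Threat.name that can exploit it
    exploitability: float  # probability that an attempt succeeds through this weakness


@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    reduces: tuple         # names of the vulnerabilities it mitigates
    factor: float          # residual exploitability multiplier (0.0 closes the hole)


def risk_matrix(assets, threats, vulns):
    """Risk = asset value x threat probability x exploitability (three-factor model).
    Returns {(asset, threat): risk}; pairs with no vulnerability carry zero risk."""
    asset_by = {a.name: a for a in assets}
    threat_by = {t.name: t for t in threats}
    matrix = {(a.name, t.name): 0.0 for a, t in product(assets, threats)}
    for v in vulns:
        matrix[(v.asset, v.threat)] += (asset_by[v.asset].value
                                        * threat_by[v.threat].probability
                                        * v.exploitability)
    return matrix


def residual_risk(assets, threats, vulns, chosen):
    """Total risk after applying the chosen controls: each control scales the
    exploitability of every vulnerability it covers by its residual factor."""
    adjusted = []
    for v in vulns:
        expl = v.exploitability
        for c in chosen:
            if v.name in c.reduces:
                expl *= c.factor
        adjusted.append(Vulnerability(v.name, v.asset, v.threat, expl))
    return sum(risk_matrix(assets, threats, adjusted).values())


def select_controls(assets, threats, vulns, controls, budget):
    """Risk treatment under a budget: greedily take the control with the best
    risk reduction per unit of cost until nothing affordable still helps.
    That ratio plays the role of the efficiency parameter W in the text (an
    assumption about how to make W concrete); the chosen list of controls is
    the 'control steps' vector. Returns (names of chosen controls, residual risk)."""
    chosen, spent = [], 0.0
    current = residual_risk(assets, threats, vulns, chosen)
    while True:
        best, best_ratio = None, 0.0
        for c in controls:
            if c in chosen or spent + c.cost > budget:
                continue
            reduction = current - residual_risk(assets, threats, vulns, chosen + [c])
            if reduction / c.cost > best_ratio:
                best, best_ratio = c, reduction / c.cost
        if best is None:
            return [c.name for c in chosen], current
        chosen.append(best)
        spent += best.cost
        current = residual_risk(assets, threats, vulns, chosen)


# Constructed inventory for a courier unit (every figure is invented).
ASSETS = [Asset("courier schedule database", 100_000.0), Asset("field laptop", 20_000.0)]
THREATS = [Threat("phishing", 0.5), Threat("theft", 0.1), Threat("insider", 0.2)]
VULNS = [
    Vulnerability("no MFA on webmail", "courier schedule database", "phishing", 0.4),
    Vulnerability("unencrypted disk", "field laptop", "theft", 0.9),
    Vulnerability("shared admin password", "courier schedule database", "insider", 0.25),
]
CONTROLS = [
    Control("enforce MFA", 3_000.0, ("no MFA on webmail",), 0.1),
    Control("full-disk encryption", 500.0, ("unencrypted disk",), 0.05),
    Control("privileged access management", 8_000.0,
            ("shared admin password", "no MFA on webmail"), 0.5),
    Control("awareness training", 1_200.0, ("no MFA on webmail",), 0.7),
]


def demo(budget=5_000.0):
    """Full pass over the subsidiary competences: matrix, then treatment."""
    return select_controls(ASSETS, THREATS, VULNS, CONTROLS, budget)


if __name__ == "__main__":
    for (asset, threat), risk in risk_matrix(ASSETS, THREATS, VULNS).items():
        if risk:
            print(f"{asset:28s} {threat:10s} {risk:10.1f}")
    print(demo())
```

With the constructed figures the initial total risk is 26 800; within a budget of 5 000 the greedy treatment selects MFA, disk encryption and awareness training and leaves a residual risk of 6 490, while the expensive privileged-access control never fits the remaining budget. The greedy rule is a practical approximation, not an optimum: a real treatment plan also weighs controls that cover several vulnerabilities at once.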

III. THE DIRECTIONS OF BUILDING THE INFORMATION SECURITY MANAGEMENT SYSTEM ACCORDING TO ISO 27001 AND THE CURRICULUM CONTENT

III. 1. Look-up table of the curriculum subjects and directions of information security provision, according to ISO/IEC 27001

According to Order №101 of the Ministry of Education and Science of Ukraine dated 10.02.2010 "On the structure of the educational and professional programs and curricula for Bachelor's training" [7], a curriculum must consist of the following components: compulsory courses (50-60%), which are the disciplines of the educational standard, and a variable part (40-50%), which in turn comprises disciplines selected by the university (25-30%) and disciplines chosen by the student (15-20%). As noted above, a range of subjects that are not specific to a technical higher educational institution, but which build the cadet's management skills, make up the bulk of the compulsory professional courses. They are: State Information Security, Provision of State Information Security, Fundamentals of National Security, Organizational Maintenance of Information Security, Fundamentals of Management, Organization of Business Administration, Human Resources Management, National Security Information Protection System, Psychology of Management and Ethical and Psychological Support of Professional Activities, Forecast and Simulation in the Social Field, Information Security Management, and Information Maintenance of Management Activity. The other subjects mentioned below are classed as elective.

Consider the structure of ISO/IEC 27001:2013 [8], which consists of the following clauses: 1. Scope; 2. Normative references; 3. Terms and definitions; 4. Context of the organization; 5. Leadership; 6. Planning; 7. Support; 8. Operation; 9. Performance evaluation; 10. Improvement. The standard follows the Plan-Do-Check-Act (PDCA) cycle, the Shewhart cycle later popularized by Deming (whose own variant is Plan-Do-Study-Act). To implement the requirements set out in the main clauses, the standard identifies the main directions of information security in Annex A. There are 14 such areas (A.5 to A.18), each implemented through a set of controls (114 in total).

Figure 3. The Structure of ISO/IEC 27001:2013

The strategy for establishing an Information Security Management System is based on the analysis of information security risks, which is why an academic subject called Risk Theory is aimed at the basic requirements of risk management. Having considered the basic requirements placed on an information security management system by the standard, the curriculum was filled with content in the following way (Table 3):

Table 3. Mapping of ISO/IEC 27001:2013 Annex A sections to academic subjects

A.5 Information security policies: State Information Security; Provision of State Information Security; Fundamentals of National Security
A.6 Organization of information security: Fundamentals of Management; Information Security Management; Information Maintenance of Management Activity
A.7 Human resource security: Human Resources Management; Psychology of Management and Ethical and Psychological Support of Professional Activities; Forecast and Simulation in the Social Field
A.8 Asset management: Fundamentals of Management Activity
A.9 Access control: Organizational Maintenance of Information Security; Computer Networks
A.10 Cryptography: Fundamentals of Cryptographic Security
A.11 Physical and environmental security: Comprehensive Information Protection Systems; Fundamentals of Technical Information Protection
A.12 Operations security: Fundamentals of Technical Information Protection; Operating Systems; Computer Circuit Engineering and Computer Architecture; Computer-aided Design; Object-oriented Programming; Programming Techniques
A.13 Communications security: Modern Technologies of Communications Networks and Systems; Electronic Control; Fundamentals of Information and Coding Systems
A.14 System acquisition, development and maintenance: Information Security in Information and Communications Systems
A.15 Supplier relationships: Special Paperwork Management
A.16 Information security incident management: Information Security Management
A.17 Information security aspects of business continuity management: Implementing Internet Technologies in Employment Activity; Fundamentals of Computer Systems Technical Maintenance and Power Supply
A.18 Compliance (including information security reviews): Law; National Security Information Protection System

In addition, there is a set of academic subjects that shape the outlook of a person acquiring higher education: Philosophy, Ukrainian Language (for professional purposes), History of Ukraine, History of Ukrainian Culture, Economics, Sociology, Ecology and Political Science. There is also a range of mathematical and natural-science training, including Higher Mathematics, Physics, Computer Science, Probability Theory, Random Processes and Mathematical Statistics, and Engineering and Computer Graphics.

III. 2. Cadets’ scientific activity

Over the 2014-2015 academic year:
- cadets gave 9 presentations at conferences and round tables;
- second- and third-year students took part in conferences at the National Defense University and the National Academy of the Security Service of Ukraine;
- cadets took part in the round table on information security management that is organized and regularly held by the two departments of the Institute at the Kiev House of Scientists;
- the first National Olympiad "Ways and Mechanisms of Protecting Ukraine's Information Space against Harmful Information and Psychological Influences" was held, in which our cadets took a prize-winning place.

III. 3. Cadets’ volunteerism

The cadets formed an information countermeasures team in which each member applies the knowledge and skills acquired during training to monitor cyberspace, analyse content authors and provide technical support. Together with their teachers, the cadets developed instructions and rules for using social networks, protecting accounts and e-mail, and setting up encrypted Internet access on the Windows, Android, Unix and iOS platforms. The tasks of the team are:
- explanatory work among the population of the temporarily occupied territories;
- refutation of false information spread by the mass media of the Russian Federation;
- searching for data about persons implicated in terrorism and supplying that data to the "Peacemaker" website established by the Ministry of Internal Affairs of Ukraine to gather evidence about known members of terrorist organizations.
Target audience:
- the population of the temporarily occupied territories (mostly the same age group as the cadets) and the population under Ukrainian law;
- cadets of military schools of the Russian Federation;
- officers who graduated from military universities of Ukraine and Russia.

CONCLUSIONS

The proper functioning of any Information Security Management System rests on the organization of training and professional development for specialists capable of meeting the challenges of the modern world and managing information security competently. All known approaches to information security management were created before the annexation of Crimea and the outbreak of the conflict in Donbas, so they draw no conclusions about the real power of information weapons. The need for increased attention to monitoring social media for internal information influences, and to evaluating the mass media, was not taken into account. It is clear today that, in the context of the conflict in Donbas, a settlement can be liberated from terrorists in one of two ways: by destroying the terrorists with fire, together with the residents who have not yet managed to leave and their houses; or by information influence on those residents (through social networks), who then expel the terrorists themselves, each from his own yard, and thereby save themselves and their homes. The second way is believed to be far more effective and humane. What sets it apart is that it has not yet been developed, although a potential resource for putting it into practice in the course of warfare exists in the form of the cadets and students trained in this area. They could form the basis of the newly proposed so-called "Facebook (armchair warrior) troops". (Incidentally, this idea was developed further after personal communication with the Minister of Information Policy of Ukraine.) Analysis of the latest conflicts in the world (Tunisia, Egypt, Ukraine, etc.) makes the need to form "Facebook (armchair) warriors" obvious. (Great Britain has in fact already announced the formation of such units.) Besides, having completed the Information Security Management (ISM) Postgraduate Course at DRESMARA, we hope for meaningful future cooperation with the goal of further integration into the European system of collective security. In view of the above, we believe the educational process is built with the advanced requirements and challenges of today's information security in mind.

REFERENCES

1. Joint Order of the State Service of Ukraine for Technical Information Protection and the Ministry of Education of Ukraine of 28.12.1995 № 66/358 "On Cooperation between the Ministry of Education of Ukraine and the State Service of Ukraine for Technical Protection of Information". Available from http://mon.gov.ua/activity/education.
2. Resolution of the Cabinet of Ministers of Ukraine № 787 of 27.08.2010 "On the List of Specialties that are Trained in Higher Education Institutions for Education and Skills Levels of Specialist and Master". Available from http://www.rada.gov.ua.
3. Order of the Ministry of Education and Science of Ukraine № 1067 of 09.11.2010 "On the List of Specialties, which are trained in higher educational institutions of Ukraine for the educational level of Specialist and Master". Available from http://mon.gov.ua/activity/education.
4. Sisoev, Valentin. "Analysis of Education and Training on IT and Information Security Management in Ukraine". CISM, 23.02.2011, p. 24. Available from http://auditagency.com.ua/blog/ISACA_research_Education.pdf.
5. How does ISO develop standards? Available from http://www.iso.org.
6. ISO/IEC 27000:2014 Information technology — Security techniques — Information security management systems — Overview and vocabulary. Available from http://www.iso.org/iso/ru/home/standards/management-standards/iso27001.htm.
7. Order №101 of the Ministry of Education and Science of Ukraine dated 10.02.2010 "On the structure of the educational and professional programs and curricula for Bachelor's training". Available from http://mon.gov.ua/activity/education.
8. ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements. Available from http://www.iso.org/iso/ru/home/standards/management-standards/iso27001.htm.

CYBER WAR GAMING AT NATO

Aamra NAQVI

INTRODUCTION

Cyber defence is of paramount importance to NATO. The growing complexity and number of cyber attacks against NATO networks is driving the alliance towards a comprehensive framework and guidelines intended to provide safe networks and information systems.

“Cyber attacks can be as dangerous as conventional attacks. They can shut down important infrastructure and they can have a great impact on our operations,”¹

In April 2007 a NATO member state, Estonia, came under denial-of-service attack for three weeks against its government web sites, setting off a national crisis.² The member state asked NATO for help at that point in time. The attacks were subsequently countered by cordoning off all international web traffic, with the alliance's assistance.³

It was soon realized that NATO required a comprehensive and concrete cyber infrastructure along with well-defined policies and guidelines. Consequently, in 2008 NATO's Cooperative Cyber Defence Centre of Excellence (CCD COE) was established in the state that had been the victim of the attack, Estonia, which is also Europe's most wired nation. “Centre’s main objective is to enhance the cyber defence capability of NATO and its partners and exercises such as this are invaluable for training the specialists’ skills and cooperation,”⁴

Figure 1: NATO CCDCOE in Estonia, Tallinn

¹ (NATO Secretary General Stoltenberg 2014)
² (Richards 2009)
³ (Hughes 2009)
⁴ (Director of the Centre 2012)

Afterwards, in 2013, NATO also fully upgraded the NATO Computer Incident Response Capability (NCIRC) to provide the capability to detect and respond to cyber security threats and vulnerabilities rapidly and effectively.⁵

The purpose of the CCDCOE is to develop and continually maintain doctrine and strategy that strengthen the cyber infrastructure of NATO member states. In line with this rationale, the CCDCOE first conducted a proof-of-concept exercise in 2008 and has since conducted cyber defence exercises annually.

The features of all the exercises are described in the following chapters. The scenario differed from year to year, but the framework and infrastructure for conducting the exercises remained relatively similar.

I. Exercise Framework

The framework can be understood with the help of the following diagram. It comprises five teams: the White Team, the Green Team, the Red Team, the Yellow Team and the Blue Team.

Figure 2: Framework of Cyber Defence Exercises. Yellow Team (situational awareness); White Team (control, scoring, media, communications); Blue Team and Red Team, with the Blue Team submitting reports to the White Team; Green Team (infrastructure).

⁵ (NATO Computer Incident Response Capability 2012)


I.1 Blue Team

The Blue Team is made up of several sub-teams. All of them are on the same network but located in different countries. In the beginning there were 6 blue teams; most recently the number has reached 16. Every team member has a different skill set, role and responsibilities. The NCIRC team is also one of the blue sub-teams. Each blue sub-team comprises 6-10 IT professionals from the military, the private and public sectors and academia. One person from each blue sub-team acts as liaison officer with the White Team. One or two legal experts are also part of each blue team to give legal advice in good time.

The objective of the Blue Teams is to defend the virtual network of their fictitious country and keep it up and running. The blue sub-teams also compete with each other, and they have to submit reports to the White Team.

I.2 Red Team

The aim of the Red Team is to attack in pre-planned phases in order to degrade the performance of the Blue Teams. The Red Team also has sub-teams, each with a different set of responsibilities. Its participants have expertise in penetration testing and red teaming.

I.3 White Team

The White Team exercises control over the whole exercise. It defines the rules for both the red and blue teams, acts as the exercise control cell during execution, declares the phases and manages the scoring of the Blue Teams.

I.4 Yellow Team

The basic purpose of the Yellow Team is to provide situational awareness to the White Team and to the other teams. This situational awareness is extracted from the reports submitted by the Blue Teams. In effect, the red, white, green and yellow teams are the exercise's management teams; only the Blue Teams compete.

I.5 Green Team

This team builds the infrastructure for the exercise from typical IT components. It has a single main team of 10-15 participants, mainly network administrators and software developers.

II Baltic Shields 2010⁶

The first annual real-time cyber network defence exercise was Baltic Shields 2010 (BS 2010). It was organized by the Swedish National Defence College and the Estonian Cyber Defence League and was the real head start of cyber war gaming.

II.1 Exercise Scenario

The fictional scenario of Baltic Shields was as follows: a "cyber warfare division" of an extremist environmentalist movement called the Klimate Kaos Krew (K3) threatened to attack six power companies located in Belgium, Latvia, Lithuania and Sweden unless they agreed to convert to unconventional green power stations. Coincidentally, the power companies in question had just failed their cyber security audits and had fired many IT professionals as a result. The exercise lasted two days and was divided into four phases.

II.2 Blue Team and Red Team

In the exercise six Blue Teams had to defend their virtual networks against one Red Team. Each blue team had 10 members and was bound by a number of rules.

II.3 Objectives

The objective was to enhance public-private cooperation in defending against large cyber attacks and to prepare for facing and mitigating cyber attacks.

III. LOCKED SHIELDS 2012⁷

The next cyber defence exercise was named Locked Shields, a name with a historical background: the locked shield wall was a defensive tactic used by various ancient militaries.

NATO CCDCOE organised Locked Shields 2012 (LS12) with its partners from 26 to 28 March. The goals of the exercise were to support Multinational Experiment 7 (MNE7), train IT specialists and legal experts, and learn from the activities of the teams.

To sort out the legal aspects of the Cyber Defence Exercise (CDX), a whole legal team took part in it.

⁶ (Baltic Shields Exercise 2010 n.d.)
⁷ (Cyber Defence Exercise Locked Shields 2013 n.d.)

III.1 Exercise Scenario

The Blue Teams were scattered all over Europe. They played small telecommunications companies facing cyber attacks and were expected to defend and secure their networks with their specialised skill sets. They were also required to give composed information to the media, and to write reports on the attacks, assessing the damage, and submit them to the White Team.

There was one Red Team, whose objective was to deliver equally balanced attacks against all Blue Team networks. To measure the success of different defence strategies and tactics, the Blue Teams' efforts were assessed on a predefined scale.

III.2 Blue Team and Red Team

The Blue Teams were from Switzerland, Germany, Spain, Finland, Italy, NATO (NCIRC) and Slovakia, plus combined teams from Germany-Austria and Denmark-Norway-Sweden. The core of the Red Team was composed of specialists and volunteers from Finland and Estonia, with additional contributors from Germany, Latvia, Italy and NCIRC.

III.3 Objective

The objectives of Locked Shields 2012 (LS12) were:

(a) To strengthen the cyber campaign of Multinational Experiment 7 (MNE7).⁸ The Yellow Team made the most of the exercise environment to explore and assess different solutions for situational awareness (SA) in the cyber domain.
(b) To train the Blue Teams against cyber attacks in a real-time environment so as to detect and mitigate them.
(c) To train legal experts by providing them with a real-time cyber attack environment.
(d) To learn from the activities of the Blue and Red Teams: in similar real-world scenarios, which tactics and methods of defence are best, and what kind of steps to expect from the attackers.
(e) To test and develop tools and methods that provide decision-makers with situational awareness of the cyber environment.
(f) To produce good documentation for future reference.
(g) To automate the installation processes of LS12.

⁸ (Viita-aho 2013)


Figure 3: Network Scheme of LS12

III.4 Technicalities

(a) The network, virtual machines and network elements were set up and deployed in a private cloud running on Supermicro SuperBlade servers.
(b) OpenVPN access to the management segment of the virtual machines, which could then be administered remotely over SSH (Secure Shell), RDP (Remote Desktop Protocol) or VNC.
(c) Full VPN access to the Gamenet.
(d) Network attacks: backdoors, DoS.
(e) Client-side attacks.
(f) Web attacks: web defacement, SQL injection.
(g) Breaking the infrastructure.

III.5 Remedial Measures by Blue Team

(a) Patching the systems.
(b) Securing the configuration of applications and services.
(c) Applying security-related Group Policies.
(d) Removing and disabling unnecessary services and applications.
(e) Changing passwords.
(f) Installing software firewalls on systems.
(g) Blacklisting Red Team IP addresses.
(h) Carrying out audits and applying strict firewall rules.
(i) Removing unnecessary user accounts.
(j) Scanning networks and web applications for vulnerabilities with Nessus, AppScan and Netsparker.
(k) Network traffic monitoring with tcpdump, Wireshark and other tools.
(l) Protecting clients with anti-virus software.
(m) Deploying IDS/IPS systems: Snort.

III.6 Duration

The exercise lasted two days, divided into four phases.

III.7 Winner

The winning Blue Team was from Poland.

IV LOCKED SHIELDS 2013

Locked Shields 2013 (LS13) was organised by NATO CCD COE in cooperation with the Estonian Defence Forces, the Estonian Information Systems' Authority, the Estonian Cyber Defence League, the Finnish Defence Forces, and many other partners. It was executed from 23rd to 26th April, 2013. Nine European countries took part: Estonia, Finland, Lithuania, Germany, Poland, the Netherlands, Italy, Slovakia and Spain.9

Figure 4: Locked Shields 2013

IV.1 Exercise Scenario

The fictional country Boolea had a volatile law and order situation, with clashes between northern and southern tribes. Day by day the situation worsened, and the government of Boolea asked the international community for help. Meanwhile, cyber attacks had also begun against the IT systems of local aid organisations. 10 Blue Teams were requested to be deployed in order to protect unclassified military networks and the aid organisations' networks. The exercise was divided into 4 phases.

9 (Cyber Defence Exercise Locked Shields 2013 n.d.)

IV.2 Blue and Red Team Members

Each Blue Team had IT professionals from different backgrounds and one or two legal advisors. The Blue Teams received a simplified edition of the rules used in the previous exercises.

IV.3 Objective

The objectives of Locked Shields 2013 (LS13) were:

(a) Learning the networks, system administration and prevention of attacks.
(b) Dealing with administrative tasks and hardening the configurations of network elements (zero-day vulnerabilities were simulated by not allowing the teams to patch certain systems).
(c) Teamwork: delegation, dividing and assigning roles, leadership.
(d) National and international cooperation.
(e) Information sharing.
(f) Blue Teams were expected to continuously provide lightweight reports to the White Team. The main aspects measuring their success were timeliness, correctness, accuracy and clarity.
(g) Blue Teams were expected to compile management reports and respond to media requests.
(h) Crisis communication: the speed, accuracy, logic and reaction of the Blue Teams' spokespeople when responding to media requests.


Figure 5: Network Scheme of LS13

IV.4 Technicalities

The infrastructure was initially insecure and full of vulnerabilities.

(a) Each Blue Team had to defend an identical network consisting of 34 virtual machines (VMs), a Cisco CSR 1000v virtual router, Endian Linux firewalls, Windows and Linux workstations, domain controllers, file servers, DNS and mail servers.
(b) Linux and Windows servers hosting web applications and database servers.
(c) Red Team members were allowed to bring legal and standardised software:
(d) Kali Linux and BackTrack 5.
(e) Cobalt Strike; its developer, Raphael Mudge, sponsored the event and gave the LS13 Red Team the option to test it during the execution.
(f) Metasploit Framework (the free open-source version of Metasploit).
(g) PHP protocol wrappers proved useful when exploiting file inclusion vulnerabilities.
(h) SQL injection was a common vector for stealing data.
(i) Scanning and testing own networks with Nessus, Acunetix and Armitage.
(j) Patching the systems; one of the winning team's strategies was 'Don't patch unless you really need to'.
(k) Updating and using standardised anti-virus software.
(l) Scanning was done through administrative shares (C$) so that users could continue working.
(m) Suspicious files were submitted to malware analysis services such as VirusTotal.com and ThreatExpert.com.
(n) Network Intrusion Detection and Prevention Systems (IDS/IPS).
(o) Snort (e.g. already present on the Endian Firewall and Security Onion).
(p) Host-based IDS.
(q) Personal and perimeter firewalls.
(r) System hardening:
    i. Applying restrictive GPOs for whitelisting, password policy, firewall, etc.
    ii. Restricting user rights.
    iii. Disabling unnecessary accounts and services.
    iv. TTL security for BGP (Border Gateway Protocol).
    v. PHP configuration.
(s) Restricting the applications that could be run on the systems: AppLocker.
(t) Web application firewalls: mod_security, e.g. using the OWASP Core Rule Set.
(u) Central logging and SIEM systems: Splunk.
(v) Reinstalling important binaries such as bind9, vsftpd and proftpd.
(w) Central monitoring of file changes: auditd in Linux.
(x) A very common activity was to block any IP address that appeared to be a source of suspicious actions.

IV.5 Security Software on Windows Systems

(a) Microsoft Security Essentials 4.2
(b) Kaspersky Anti-Virus 2013
(c) Malwarebytes Anti-Malware 1.75
(d) Avast Free Antivirus 8.0 (DCs and WS4)
(e) McAfee VirusScan Enterprise 8.8 and McAfee Agent 4.6
(f) ESET Endpoint Security 5.0

Two different AV products were installed on some VMs.

IV.6 Information Sharing

A shared XMPP (Jabber)-based chat was the main communication channel for the Blue Teams.

IV.7 Media Injects

The aim of the media simulation was to illustrate the exercise with 'news from the real world' and to add pressure on the Blue Teams with injects other than Red Team activities.

IV.8 Winner

The overall winner of LS13 was the NATO team, whereas Estonia stood second.

V LOCKED SHIELDS 2014

In Locked Shields 2014, 17 nations and more than 300 participants took part. NATO NCIRC (the NATO team) became the overall winner of Locked Shields 2014. The exercise control was located in Tallinn, Estonia.

V.1 Exercise Scenario

Locked Shields (LS) 2014 was conducted from 20th to 24th May, 2014. The fictional country of Berylia was under increasing cyber attacks. The real-time network defence exercise was combined with media pressure. The legalities of international law applicable to fighting a cyber war were also taken into consideration.

V.2 Blue Team and Red Team

There were 12 Blue Teams, each consisting of up to 16 members.

V.3 Objective

The objectives of Locked Shields 2014 (LS14) were:

(a) A larger network than in the previous CDX.

(b) Effective response to the legal, media and exercise scenario.

(c) Solving forensics challenges.

V.4 Technicalities

(a) The network consisted of 50 virtual machines per team.
(b) The technical environment had full IPv6 support, implemented in a dual-stack configuration.
(c) FreeBSD-based pfSense firewalls.
(d) Voice-over-IP infrastructure built on Cisco Unified Communications Manager.
(e) IP cameras and Android VMs.
(f) The environment was based on the lessons learned from Locked Shields 2013.
(g) Filtering and detecting malicious traffic over IPv6 was quite challenging.
(h) Monitoring for malicious WAN route changes and preventing BGP hijacking/man-in-the-middle.
(i) Protecting custom web applications.
(j) Finding pre-planted malicious programs and coping with the Red Team's anti-virus evasion techniques (publicly available free tools were in most cases enough to evade AV solutions).

VI LOCKED SHIELDS 2015

Locked Shields (LS) 2015 was conducted from 20th to 24th April, 2014. So far, it is the largest international "live-fire" cyber defence exercise. The winning team had to set up a virtual network, secure it, and then defend it from relentless and skilful Red Team attacks over a two-day period; the event lasted one week. It was financed by the Government of Canada. 16 nations and NCIRC participated as the Blue Teams of Locked Shields 2015, and this time there were 400 participants.10

Figure 6: White Team at Locked Shields 2015

"The key to winning Locked Shields is keeping your networks within the exercise open and running". 11

VI.1 Exercise Scenario

The fictional country Berylia was a new NATO member that came under cyber attack from its enemy Crimsonia. Berylia also had a drone industry. The NATO Blue Team had to deploy a Rapid Reaction Team (RRT) to support Berylia. The largest of its kind globally, Locked Shields is unique in using realistic technologies, networks and attack methods. In addition to technical and forensic challenges, Locked Shields also includes media and legal injects, thereby providing insight into how complex a modern cyber defence crisis can be, and what is required from nations in order to be able to cope with these threats.12

10 (NATO Team Tops Cyber Exercise 2015)
11 (Priisalu n.d.)

VI.2 Red Team and Blue Team

The Red Team carried out attacks over a two-day period.

VI.3 Objective

The objective was to defend the NATO country against cyber attack and regain the power while strictly following international law; hacking back was not part of the objective.

VI.4 Technicalities

(a) ICS/SCADA systems were new attack vectors.
(b) Ten operating systems were also used.
(c) Media injects to build pressure and create a real feel of cyber attacks.
(d) Legal injects to prepare legal advisors to cope with international law on cyber warfare.

VI.5 Winner

NATO Computer Incident Response Capability (NCIRC) stood first; Estonia and Poland took second and third place respectively. NATO also collected the Special Scenario prize.

Figure 7: Locked Shields Exercise 2015

CONCLUSION

In Baltic Shields 2010, the technical environment, management team involvement and international participation were at preliminary stages. Gradually, all these elements have matured. Information sharing and situational awareness received due attention in the last two exercises. Blue Teams have been more prepared and serious in conducting exercises. In this connection, it is important to have Red Team members on a permanent basis. The infrastructure developed for a CDX is time-consuming, costly and requires enormous effort. This large cyber infrastructure should be reused for training purposes. A CDX should have pre-exercise practice on the same infrastructure. Before an exercise, physical meetings of Blue Team members are essential for improving team coordination and acquaintance.

12 (NATO's cyber defenders win Locked Shields exercise 2015)


REFERENCES

1- NATO Secretary General Stoltenberg, Jens. "NATO holds largest cyber war games." www.ft.com, 2014. http://www.ft.com/intl/cms/s/0/9c46a600-70c5-11e4-8113-00144feabdc0.html#axzz3d1SEc2yd (accessed June 2015).

2- Priisalu, Jaan. NATO Cooperative Cyber Defence Centre of Excellence. Richards, Jason. "Denial-of-Service: The Estonian Cyberwar and Its Implications for U.S. National Security." International Affairs Review, 2009.

3- Hughes, Rex B. "Mission Accomplished." NATO and Cyber Defence, 2009.

4- Director of the Centre, Colonel Ilmar Tamm. "International-cyber-defence-exercise-locked-shields-2012-begins-today.html." https://ccdcoe.org, 26 March 2012.

5- "NATO Computer Incident Response Capability." Northrop Grumman, 2012. http://www.northropgrumman.com/Capabilities/Cybersecurity/Documents/Literature/NATO_CIRC.pdf.

6- "Baltic Shields Exercise 2010." CCDCOE. https://ccdcoe.org/baltic-cyber-shield-2010.html.

7- "Cyber Defence Exercise Locked Shields 2013." CCDCOE.org. https://ccdcoe.org/publications/LockedShields13_AAR.pdf.

8- Viita-aho, Commander Auvo. The MNE7 Objective 3.4 Cyber Situational Awareness. Lakeview Parkway, Suffolk: Joint Staff-MN//ACT, 2013.

9- "Cyber Defence Exercise Locked Shields 2013." CCDCOE.org. https://ccdcoe.org/publications/LockedShields13_AAR.pdf.

10- "NATO Team Tops Cyber Exercise." NATO News, April 2015. http://www.nato.int/cps/en/natohq/news_119085.htm.

11- Priisalu, Jaan. NATO Cooperative Cyber Defence Centre of Excellence. Richards, Jason. "Denial-of-Service: The Estonian Cyberwar and Its Implications for U.S. National Security." International Affairs Review, 2009.

12- "NATO's cyber defenders win Locked Shields exercise." SC Magazine UK, 2015. http://www.scmagazineuk.com (News Bytes).

* MNE 7 Access to the Global Commons (AGC) is a two year multinational and interagency effort to develop improved coalition capabilities to ensure access to and use of Maritime, Air, Space, and Cyberspace.

COMPUTER SECURITY INCIDENT HANDLING

Alzoubi FERAS

INTRODUCTION

Organizing an effective computer security incident response capability involves several major decisions and actions. One of the first considerations should be to create an organization-specific definition of the term “incident” so that the scope of the term is clear. The organization should decide what services the incident response team should provide, consider which team structures and models can provide those services, and select and implement one or more incident response teams. Incident response plan, policy, and procedure creation is an important part of establishing a team, so that incident response is performed effectively, efficiently, and consistently, and so that the team is empowered to do what needs to be done. The plan, policies, and procedures should reflect the team’s interactions with other teams within the organization as well as with outside parties, such as law enforcement, the media, and other incident response organizations.

Attacks frequently compromise personal and business data, and it is critical to respond quickly and effectively when security breaches occur. The concept of computer security incident response has become widely accepted and implemented. Incident response helps personnel to minimize loss or theft of information and disruption of services caused by incidents. Another benefit of incident response is the ability to use information gained during incident handling to better prepare for handling future incidents and to provide stronger protection for systems and data. An incident response capability also helps with dealing properly with legal issues that may arise during incidents.

Incident handling professionals divide the process into four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. Understanding these stages, and what can go wrong in each, facilitates a more methodical response and avoids duplication of effort. It also helps to deal with unexpected aspects of incidents.


I. INCIDENT RESPONSE POLICY, PLAN, AND PROCEDURE CREATION

This chapter discusses policies, plans, and procedures related to incident response, with an emphasis on interactions with outside parties.

I.1. Policy Elements

Policy governing incident response is highly individualized to the organization. However, most policies include the same key elements:

• Statement of management commitment
• Purpose and objectives of the policy
• Scope of the policy (to whom and what it applies and under what circumstances)
• Definition of computer security incidents and related terms
• Organizational structure and definition of roles, responsibilities, and levels of authority
• Prioritization or severity ratings of incidents
• Performance measures
• Reporting and contact forms.

I.2. Plan Elements

Organizations should have a formal, focused, and coordinated approach to responding to incidents, including an incident response plan that provides the roadmap for implementing the incident response capability. The incident response plan should include the following elements:

• Mission
• Strategies and goals
• Organizational approach to incident response
• How the incident response team will communicate with the rest of the organization and with other organizations
• Metrics for measuring the incident response capability and its effectiveness
• Roadmap for maturing the incident response capability
• How the program fits into the overall organization.

Once an organization develops a plan and gains management approval, the organization should implement the plan and review it at least annually to ensure the organization is following the roadmap for maturing the capability and fulfilling their goals for incident response.

I.3. Procedure Elements

Procedures should be based on the incident response policy and plan. Standard operating procedures (SOPs) are a delineation of the specific technical processes, techniques, checklists, and forms used by the incident response team. SOPs should be reasonably comprehensive and detailed to ensure that the priorities of the organization are reflected in response operations. In addition, following standardized responses should minimize errors, particularly those that might be caused by stressful incident handling situations. SOPs should be tested to validate their accuracy and usefulness, then distributed to all team members. Training should be provided for SOP users; the SOP documents can be used as an instructional tool.

II. INCIDENT RESPONSE TEAM STRUCTURE

An incident response team should be available for anyone who discovers or suspects that an incident involving the organization has occurred. One or more team members, depending on the magnitude of the incident and availability of personnel, will then handle the incident. The incident handlers analyze the incident data, determine the impact of the incident, and act appropriately to limit the damage and restore normal services. This section identifies such individuals, discusses incident response team models, and provides advice on selecting an appropriate model.

II.1. Team Models

Possible structures for an incident response team include the following:

• Central Incident Response Team. A single incident response team handles incidents throughout the organization. This model is effective for small organizations and for organizations with minimal geographic diversity in terms of computing resources.
• Distributed Incident Response Teams. The organization has multiple incident response teams, each responsible for a particular logical or physical segment of the organization. This model is effective for large organizations (e.g., one team per division) and for organizations with major computing resources at distant locations (e.g., one team per geographic region, one team per major facility).
• Coordinating Team. An incident response team provides advice to other teams without having authority over those teams—for example, a departmentwide team may assist individual agencies' teams.

Incident response teams can also use any of three staffing models:

• Employees. The organization performs all of its incident response work, with limited technical and administrative support from contractors.
• Partially Outsourced. The organization outsources portions of its incident response work. Although incident response duties can be divided among the organization and one or more outsourcers in many ways, a few arrangements have become commonplace:
  - The most prevalent arrangement is for the organization to outsource 24-hours-a-day, 7-days-a-week (24/7) monitoring of intrusion detection sensors, firewalls, and other security devices to an offsite managed security services provider (MSSP).
  - Some organizations perform basic incident response work in-house and call on contractors to assist with handling incidents, particularly those that are more serious or widespread.
• Fully Outsourced. The organization completely outsources its incident response work, typically to an onsite contractor. This model is most likely to be used when the organization needs a full-time, onsite incident response team but does not have enough available, qualified employees.

II.2. Team Model Selection

When selecting appropriate structure and staffing models for an incident response team, organizations should consider the following factors:

• The Need for 24/7 Availability. Most organizations need incident response staff to be available 24/7. This typically means that incident handlers can be contacted by phone, but it can also mean that an onsite presence is required.
• Full-Time Versus Part-Time Team Members. Organizations with limited funding, staffing, or incident response needs may have only part-time incident response team members, serving as more of a virtual incident response team. In this case, the incident response team can be thought of as a volunteer fire department. When an emergency occurs, the team members are contacted rapidly, and those who can assist do so.
• Cost. Cost is a major factor, especially if employees are required to be onsite 24/7. Organizations may fail to include incident response-specific costs in budgets, such as sufficient funding for training and maintaining skills. Because the incident response team works with so many facets of IT, its members need much broader knowledge than most IT staff members.
• Staff Expertise. Incident handling requires specialized knowledge and experience in several technical areas. Outsourcers may possess deeper knowledge of intrusion detection, forensics, vulnerabilities, exploits, and other aspects of security than employees of the organization.

II.3. Dependencies within Organizations

It is important to identify other groups within the organization that may need to participate in incident handling so that their cooperation can be solicited before it is needed. Every incident response team relies on the expertise, judgment, and abilities of others, including:

• Management. Management establishes incident response policy, budget, and staffing. Ultimately, management is held responsible for coordinating incident response among various stakeholders, minimizing damage, and reporting to Congress and other parties.
• Information Assurance. Information security staff members may be needed during certain stages of incident handling (prevention, containment, eradication, and recovery)—for example, to alter network security controls (e.g., firewall rulesets).
• IT Support. IT technical experts (e.g., system and network administrators) not only have the needed skills to assist but also usually have the best understanding of the technology they manage on a daily basis.
• Public Affairs and Media Relations. Depending on the nature and impact of an incident, a need may exist to inform the media and, by extension, the public.
• Human Resources. If an employee is suspected of causing an incident, the human resources department may be involved—for example, in assisting with disciplinary proceedings.
• Business Continuity Planning. Organizations should ensure that incident response policies and procedures and business continuity processes are in sync. Computer security incidents undermine the business resilience of an organization.
• Physical Security and Facilities Management. Some computer security incidents occur through breaches of physical security or involve coordinated logical and physical attacks.

III. HANDLING AN INCIDENT

The incident response process has several phases. The initial phase involves establishing and training an incident response team, and acquiring the necessary tools and resources. During preparation, the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments. However, residual risk will inevitably persist after controls are implemented. Detection of security breaches is thus necessary to alert the organization whenever incidents occur. In keeping with the severity of the incident, the organization can mitigate the impact of the incident by containing it and ultimately recovering from it. During this phase, activity often cycles back to detection and analysis—for example, to see if additional hosts are infected by malware while eradicating a malware incident. After the incident is adequately handled, the organization issues a report that details the cause and cost of the incident and the steps the organization should take to prevent future incidents. This section describes the major phases of the incident response process—preparation, detection and analysis, containment, eradication and recovery, and post-incident activity—in detail. Figure 3-1 illustrates the incident response life cycle.

Figure 3-1. Incident Response Life Cycle

III.1. Preparation

Incident response methodologies typically emphasize preparation—not only establishing an incident response capability so that the organization is ready to respond to incidents, but also preventing incidents by ensuring that systems, networks, and applications are sufficiently secure. This section provides basic advice on preparing to handle incidents and on preventing incidents.

III.1.1 Preparing to Handle Incidents

The lists below provide examples of tools and resources that may be of value during incident handling. These lists are intended to be a starting point for discussions about which tools and resources an organization's incident handlers need. Examples of such resources are:

• Incident Handler Communications and Facilities, which include contact information, on-call information, an issue tracking system, smartphones and encryption software.
• Incident Analysis Hardware and Software, which include digital forensic workstations and/or backup devices, laptops, spare workstations, blank removable media, and packet sniffers and protocol analyzers.
• Incident Analysis Resources, which include port lists, documentation, network diagrams and lists of critical assets, current baselines and cryptographic hashes.
• Incident Mitigation Software.

Each incident handler should have access to at least two computing devices (e.g., laptops). One, such as the one from the jump kit, should be used to perform packet sniffing, malware analysis, and all other actions that risk contaminating the laptop that performs them. In addition to an investigative laptop, each incident handler should also have a standard laptop, smartphone, or other computing device for writing reports, reading email, and performing other duties unrelated to hands-on incident analysis.
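As an added example (not from this paper or from the Locked Shields organisers), the following Python script shows how the "current baselines and cryptographic hashes" resource above is used in practice, and how the central monitoring of file changes and the reinstallation of binaries such as bind9 and vsftpd described in the Locked Shields 2013 section can be verified: a SHA-256 baseline taken while the system is still trusted is compared with a later snapshot. The paths and file contents are constructed sample data, not taken from any real system.

```python
"""File integrity baseline check with cryptographic hashes.

Added example, not part of the original paper. A known-good baseline of
SHA-256 digests is taken while the system is trusted and compared against
a later snapshot; anything modified, added or removed is reported for the
incident handler to triage. Paths and contents below are constructed.
"""
import hashlib
import os
import tempfile


def sha256_bytes(data):
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """files: mapping of relative path -> bytes. Returns path -> sha256 hex."""
    return {path: sha256_bytes(content) for path, content in files.items()}


def snapshot_directory(root):
    """Read every regular file under root into a path -> bytes mapping."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            # Symlinks are skipped: hashing the target would hide a swapped link.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = fh.read()
    return files


def compare_baselines(trusted, current):
    """Return the differences a handler would triage.

    modified: content hash differs (e.g. a replaced service binary);
    added: path not in the trusted baseline (e.g. a pre-planted program);
    removed: expected path missing (e.g. a deleted configuration file).
    """
    trusted_paths, current_paths = set(trusted), set(current)
    return {
        "modified": sorted(p for p in trusted_paths & current_paths
                           if trusted[p] != current[p]),
        "added": sorted(current_paths - trusted_paths),
        "removed": sorted(trusted_paths - current_paths),
    }


# Constructed sample: a tiny "system" with a service binary and its configs.
SAMPLE_TRUSTED = {
    "usr/sbin/vsftpd": b"\x7fELF-original-binary",
    "etc/vsftpd.conf": b"anonymous_enable=NO\n",
    "etc/bind/named.conf": b"options { recursion no; };\n",
}
SAMPLE_CURRENT = {
    "usr/sbin/vsftpd": b"\x7fELF-modified-binary",   # binary replaced
    "etc/vsftpd.conf": b"anonymous_enable=NO\n",     # unchanged
    "tmp/.x/run.sh": b"#!/bin/sh\n",                  # unexpected new file
    # etc/bind/named.conf is missing
}


def demo_report():
    """Compare the two constructed snapshots above."""
    return compare_baselines(build_baseline(SAMPLE_TRUSTED),
                             build_baseline(SAMPLE_CURRENT))


if __name__ == "__main__":
    # Disk-based run: write the sample tree, baseline it, tamper, re-snapshot.
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_TRUSTED.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        trusted = build_baseline(snapshot_directory(root))
        with open(os.path.join(root, "usr/sbin/vsftpd"), "wb") as fh:
            fh.write(b"\x7fELF-modified-binary")
        print(compare_baselines(trusted, build_baseline(snapshot_directory(root))))
    print(demo_report())
```

The baseline itself must be stored off the monitored host, otherwise an intruder who replaces a binary can update the digests as well.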

III.1.2 Preventing Incidents

Keeping the number of incidents reasonably low is very important to protect the business processes of the organization. If security controls are insufficient, higher volumes of incidents may occur, overwhelming the incident response team. This can lead to slow and incomplete responses, which translate to a larger negative business impact (e.g., more extensive damage, longer periods of service and data unavailability). A brief overview of some of the main recommended practices for securing networks, systems, and applications follows:

• Risk Assessments. Periodic risk assessments of systems and applications should determine what risks are posed by combinations of threats and vulnerabilities.
• Host Security. All hosts should be hardened appropriately using standard configurations.
• Network Security. The network perimeter should be configured to deny all activity that is not expressly permitted.
• Malware Prevention. Software to detect and stop malware should be deployed throughout the organization.
• User Awareness and Training. Users should be made aware of policies and procedures regarding appropriate use of networks, systems, and applications.

III.2. Detection and Analysis

Incidents can occur in countless ways, so it is infeasible to develop step-by-step instructions for handling every incident. Organizations should be generally prepared to handle any incident but should focus on being prepared to handle incidents that use common attack vectors. Different types of incidents merit different response strategies.

Figure 3-2. Incident Response Life Cycle (Detection and Analysis)

The attack vectors listed below are not intended to provide definitive classification for incidents; rather, they simply list common methods of attack, which can be used as a basis for defining more specific handling procedures.

• External/Removable Media: An attack executed from removable media or a peripheral device—for example, malicious code spreading onto a system from an infected USB flash drive.
• Web: An attack executed from a website or web-based application—for example, a cross-site scripting attack used to steal credentials or a redirect to a site that exploits a browser vulnerability and installs malware.
• Email: An attack executed via an email message or attachment—for example, exploit code disguised as an attached document or a link to a malicious website in the body of an email message.
• Impersonation: An attack involving replacement of something benign with something malicious—for example, spoofing, man in the middle attacks, rogue wireless access points, and SQL injection attacks all involve impersonation.
• Loss or Theft of Equipment: The loss or theft of a computing device or media used by the organization, such as a laptop, smartphone, or authentication token.

Most attacks do not have any detectable precursors from the target's perspective. If precursors are detected, the organization may have an opportunity to prevent the incident by altering its security posture to save a target from attack. At a minimum, the organization could monitor activity involving the target more closely. Examples of precursors are:

• Web server log entries that show the usage of a vulnerability scanner.
• A new exploit that targets a vulnerability of the organization's mail server.
• A threat from a group stating that the group will attack the organization.

While precursors are relatively rare, indicators are all too common. Too many types of indicators exist to list them exhaustively, but some examples are listed below:
• A network intrusion detection sensor alerts when a buffer overflow attempt occurs against a database server.
• Antivirus software alerts when it detects that a host is infected with malware.
• A system administrator sees a filename with unusual characters.
• A host records an auditing configuration change in its log.
• An application logs multiple failed login attempts from an unfamiliar remote system.
• An email administrator sees a large number of bounced emails with suspicious content.
• A network administrator notices an unusual deviation from typical network traffic flows.
The incident response team should work quickly to analyze and validate each incident, following a pre-defined process and documenting each step taken. To make incident analysis easier and more effective, the following practices help:
• Understand normal behaviors
• Use a knowledge base of information
• Use Internet search engines for research
• Run packet sniffers to collect additional data
• Filter the data
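Two of the items above (web server entries showing a vulnerability scanner, and repeated failed logins from an unfamiliar remote system) can be validated against a baseline of normal behavior before a handler spends time on them. The following script is an added example, not part of the original paper; the log lines, the known-hosts baseline and the scanner signature list are all constructed assumptions.

```python
"""Triage of precursors and indicators over constructed log lines."""
import re
from collections import defaultdict

# Constructed sample lines (not from any real system), in the shape of
# sshd authentication messages and Apache combined-format access entries.
AUTH_LOG = """\
2015-06-11T09:01:02 sshd[2231]: Failed password for admin from 10.0.5.17 port 51022 ssh2
2015-06-11T09:01:04 sshd[2231]: Failed password for admin from 10.0.5.17 port 51023 ssh2
2015-06-11T09:01:06 sshd[2231]: Failed password for root from 10.0.5.17 port 51024 ssh2
2015-06-11T09:01:08 sshd[2231]: Failed password for root from 10.0.5.17 port 51025 ssh2
2015-06-11T09:01:10 sshd[2231]: Failed password for root from 10.0.5.17 port 51026 ssh2
2015-06-11T09:05:00 sshd[2240]: Failed password for jsmith from 192.168.1.20 port 40001 ssh2
2015-06-11T09:05:30 sshd[2240]: Accepted password for jsmith from 192.168.1.20 port 40002 ssh2
"""

WEB_LOG = """\
192.168.1.44 - - [11/Jun/2015:09:10:01 +0300] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.9.3 - - [11/Jun/2015:09:10:05 +0300] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "Nikto/2.1.5"
10.0.9.3 - - [11/Jun/2015:09:10:05 +0300] "GET /admin/ HTTP/1.1" 404 210 "-" "Nikto/2.1.5"
"""

# Baseline of systems that normally reach this host ("understand normal
# behaviors"). This set is an assumption for the example.
KNOWN_HOSTS = {"192.168.1.20", "192.168.1.44"}

# Substrings that identify a vulnerability scanner in the User-Agent field.
# "nikto" is that scanner's default agent string; "examplescanner" is a
# constructed placeholder. A real list is maintained from the organization's
# own observations.
SCANNER_MARKERS = ("nikto", "examplescanner")

AUTH_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
WEB_RE = re.compile(r'^(\S+) .*? "([^"]*)" \d{3} \d+ "[^"]*" "([^"]*)"$')


def failed_logins_by_host(auth_log):
    """Group failed logins by remote host -> (count, set of targeted users)."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for line in auth_log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            user, host = m.groups()
            counts[host] += 1
            users[host].add(user)
    return {h: (counts[h], users[h]) for h in counts}


def unfamiliar_login_failures(auth_log, known_hosts=KNOWN_HOSTS, threshold=3):
    """Indicator: repeated failed logins from a system outside the baseline.

    A single failure from a known host is filtered out as normal noise.
    """
    flagged = []
    for host, (count, targets) in failed_logins_by_host(auth_log).items():
        if host not in known_hosts and count >= threshold:
            flagged.append({"host": host, "failures": count,
                            "users": sorted(targets)})
    return flagged


def scanner_precursors(web_log, markers=SCANNER_MARKERS):
    """Precursor: web server entries whose User-Agent names a scanner."""
    hits = defaultdict(int)
    for line in web_log.splitlines():
        m = WEB_RE.match(line)
        if m and any(mk in m.group(3).lower() for mk in markers):
            hits[m.group(1)] += 1
    return dict(hits)


def triage(auth_log=AUTH_LOG, web_log=WEB_LOG):
    """Combine precursors and indicators into one list for the handler."""
    findings = []
    for host, n in scanner_precursors(web_log).items():
        findings.append({"kind": "precursor", "host": host,
                         "detail": f"{n} request(s) from a vulnerability scanner"})
    for f in unfamiliar_login_failures(auth_log):
        findings.append({"kind": "indicator", "host": f["host"],
                         "detail": f"{f['failures']} failed logins for "
                                   + ", ".join(f["users"])})
    return findings


if __name__ == "__main__":
    for f in triage():
        print(f"[{f['kind']}] {f['host']}: {f['detail']}")
```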

III.3. Containment, Eradication, and Recovery

Containment is important before an incident overwhelms resources or increases damage. Most incidents require containment, so that is an important consideration early in the course of handling each incident. Containment provides time for developing a tailored remediation strategy. An essential part of containment is decision-making. Such decisions are much easier to make if there are predetermined strategies and procedures for containing the incident.

Figure 3-3. Incident Response Life Cycle (Containment, Eradication, and Recovery)

Containment strategies vary based on the type of incident. For example, the strategy for containing an email-borne malware infection is quite different from that of a network-based DDoS attack. Organizations should create separate containment strategies for each major incident type, with criteria documented clearly to facilitate decision-making. Criteria for determining the appropriate strategy include:
• Potential damage to and theft of resources
• Need for evidence preservation
• Service availability (e.g., network connectivity, services provided to external parties)
• Time and resources needed to implement the strategy
• Effectiveness of the strategy (e.g., partial containment, full containment)
• Duration of the solution (e.g., emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution).
After the incident has been successfully contained, the next step entails removing the cause of the incident. In the case of a virus incident it may simply require removing the virus. In more complex incidents you might need to identify and mitigate the exploited vulnerabilities. It is at this step that you should determine how the attack was initially executed and apply the necessary measures to ensure it does not happen again. Recovery means returning to production, which may involve restoring from a backup or re-imaging a system. It is where you return to normal operational status.

III.4. Post-Incident Activity

One of the most important parts of incident response is also the most often omitted: learning and improving. Each incident response team should evolve to reflect new threats, improved technology, and lessons learned. Holding a “lessons learned” meeting with all involved parties after a major incident, and optionally periodically after lesser incidents as resources permit, can be extremely helpful in improving security measures and the incident handling process itself.

Figure 3-4. Incident Response Life Cycle (Post-Incident Activity)

III.4.1. Lessons Learned

Multiple incidents can be covered in a single lessons learned meeting. This meeting provides a chance to achieve closure with respect to an incident by reviewing what occurred, what was done to intervene, and how well intervention worked. The meeting should be held within several days of the end of the incident. Questions to be answered in the meeting include:
• Exactly what happened, and at what times?
• How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
• What information was needed sooner?
• Were any steps or actions taken that might have inhibited the recovery?
• What would the staff and management do differently the next time a similar incident occurs?
• How could information sharing with other organizations have been improved?
• What corrective actions can prevent similar incidents in the future?
• What precursors or indicators should be watched for in the future to detect similar incidents?
• What additional tools or resources are needed to detect, analyze, and mitigate future incidents?

III.4.2. Using Collected Incident Data

Organizations should focus on collecting data that is actionable, rather than collecting data simply because it is available. For example, counting the number of precursor port scans that occur each week and producing a chart at the end of the year that shows port scans increased by eight percent is not very helpful and may be quite time-consuming. Absolute numbers are not informative—understanding how they represent threats to the business processes of the organization is what matters. Organizations should decide what incident data to collect based on reporting requirements and on the expected return on investment from the data (e.g., identifying a new threat and mitigating the related vulnerabilities before they can be exploited). Possible metrics for incident-related data include:
• Number of Incidents Handled.
• Time Per Incident.
• Objective Assessment of Each Incident.
• Subjective Assessment of Each Incident.
Besides using these metrics to measure the team’s success, organizations may also find it useful to periodically audit their incident response programs. Audits will identify problems and deficiencies that can then be corrected. At a minimum, an incident response audit should evaluate the following items against applicable regulations, policies, and generally accepted practices:
• Incident response policies, plans, and procedures
• Tools and resources
• Team model and structure
• Incident handler training and education
• Incident documentation and reports
• The measures of success discussed earlier in this section.

III.4.3. Evidence Retention

Organizations should establish policy for how long evidence from an incident should be retained. Most organizations choose to retain all evidence for months or years after the incident ends. The following factors should be considered during the policy creation:
• Prosecution. If it is possible that the attacker will be prosecuted, evidence may need to be retained until all legal actions have been completed. In some cases, this may take several years. Furthermore, evidence that seems insignificant now may become more important in the future. For example, if an attacker is able to use knowledge gathered in one attack to perform a more severe attack later, evidence from the first attack may be key to explaining how the second attack was accomplished.
• Data Retention. Most organizations have data retention policies that state how long certain types of data may be kept. For example, an organization may state that email messages should be retained for only 180 days. If a disk image contains thousands of emails, the organization may not want the image to be kept for more than 180 days unless it is absolutely necessary.
• Cost. Original hardware (e.g., hard drives, compromised systems) that is stored as evidence, as well as hard drives and removable media that are used to hold disk images, are generally individually inexpensive. However, if an organization stores many such components for years, the cost can be substantial. The organization also must retain functional computers that can use the stored hardware and media.


CONCLUSION

Computer security incident response has become an important component of information technology (IT) programs. Cybersecurity-related attacks have become not only more numerous and diverse but also more damaging and disruptive. Preventive activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. Continually monitoring for attacks is essential. Establishing clear procedures for prioritizing the handling of incidents is critical, as is implementing effective methods of collecting, analyzing, and reporting data. It is also vital to build relationships and establish suitable means of communication with other internal groups and with external groups.

Organizations should be generally prepared to handle any incident but should focus on being prepared to handle incidents that use common attack vectors. Organizations should emphasize the importance of incident detection and analysis throughout the organization. Organizations should use the lessons learned process to gain value from incidents.



THE IMPORTANCE OF INFORMATION SECURITY AWARENESS TRAINING FOR THE EMPLOYEES OF THE ROMANIAN PRISON SYSTEM

Andreea NETEDU

„Security is Everyone’s Responsibility”1

INTRODUCTION

Information security training is a vital component in addressing mounting security threats. Many organizations are aware that committing their IT professionals to rigorous information security training, especially quality and advanced information security training courses, will go a long way in preventing or lessening cyber attacks. The need for advanced and highly technical information security training is ever increasing. A company-wide security awareness program should be part of the overall information security strategy. A September 2012 study from research company Forrester2 reported that the majority of data security breaches in North America and Europe are caused by employees, with a large majority of those being due to inadvertent actions rather than malicious insiders. The same study indicated that only a little over half of those employees classified as information workers said they were aware of their organizations’ security policies. If employees are causing data breaches because they don’t know the company’s policies or don’t understand how to implement safe practices, then it makes sense to take steps to educate them.

I. Information Security

Many workplaces today are subject to governmental or industry regulation and failure to comply can result in censure, fines or worse. In some organizations there are legal mandates that require workers to be trained in and/or “informed” about information security awareness.

1 CIO and Vice Provost of Information Technology, University of Wisconsin - Madison
2 http://www.pcworld.com/article/2010527/forrester-report-finds-most-data-breaches-are-caused-by-employees.html

I.1. Terminology

Information security is designed to protect the confidentiality, integrity and availability of computer system data from those with malicious intentions. Confidentiality, integrity and availability are sometimes referred to as the CIA Triad of information security. This triad has evolved into what is commonly termed the Parkerian hexad, which includes confidentiality, possession (or control), integrity, authenticity, availability and utility. Information security continuity refers to an integrated set of policies, procedures, and processes that are used to ensure that a predefined level of security continues during a disaster or crisis (when disruptive incidents occur or adverse situations exist). Continuity is achieved by identifying potential threats and vulnerabilities, by analyzing possible impacts, and by taking steps to build organizational resilience.

Information security event. An information security event is a system, service, or network state, condition, or occurrence that indicates that information security may have been breached or compromised or that a security policy may have been violated or a control may have failed.

Information security incident. An information security incident is made up of one or more unwanted or unexpected information security events that could possibly compromise the security of information and weaken or impair business operations.

Information security incident management. Information security incident management is a set of processes that organizations use to deal with information security incidents. It includes a detection process, a reporting process, an assessment process, a response process, and a learning process.3

I.2. Information security related concerns

According to information security specialists, the size, severity and complexity of cyber threats are expected to continue increasing. Looking ahead to 2016, Steve Durbin, managing director of the Information Security Forum (ISF), a nonprofit association that assesses security and risk management issues, says that there are five security trends that will dominate the year.

3 Based on ISO IEC 27000 2014, section 2, Terms and definitions


I.2.1. Cybercrime

If in 2014 we saw cybercriminals demonstrating a higher degree of collaboration amongst themselves and a degree of technical competency that caught many large organizations unawares, next year organizations must be prepared for the unpredictable so they have the resilience to withstand unforeseen, high impact events.4 While law enforcement agencies are trying to tackle this problem, it is growing steadily and many organizations have become victims of hacking, theft, identity theft and malicious software. Cyber crimes are quite different from old-school crimes, such as robbing, mugging or stealing. Unlike these crimes, cyber crimes can be committed single-handedly and do not require the physical presence of the criminals. The crimes can be committed from a remote location and the criminals need not worry about the law enforcement agencies in the country where they are committing crimes. The same systems that have made it easier for people to conduct e-commerce and online transactions are now being exploited by cyber criminals.

I.2.2. Privacy and Regulation

Most governments have already created, or are in the process of creating, regulations that impose conditions on the safeguard and use of Personally Identifiable Information (PII), with penalties for organizations that fail to sufficiently protect it. As a result, organizations need to treat privacy as both a compliance and business risk issue, in order to reduce regulatory sanctions and commercial impacts such as reputational damage and loss of customers. Furthermore, we are seeing increasing plans for regulation around the collection, storage and use of information along with severe penalties for loss of data and breach notification; this is particularly true across the European Union. This is expected to continue and develop further, requiring legal, HR and Board participation as well as overhead for regulatory management above and beyond the security function.

I.2.3. Threats from Third-Party Providers

Supply chains are a vital component of every organization’s global business operations and the backbone of today’s global economy. However, security chiefs everywhere are growing more concerned about how open they are to numerous risk factors. A range of valuable and sensitive information is often shared with suppliers, through which direct control is lost. This leads to an increased risk of data confidentiality, integrity or availability being compromised. Over the next year, third party providers will continue to come under pressure from targeted attacks and are unlikely to be able to provide assurance of data security. Organizations of all sizes need to think about the consequences of a supplier providing accidental access to their intellectual property, customer or employee information, commercial plans or negotiations. Information security specialists should work closely with those in charge of contracting for services to conduct thorough due diligence on potential arrangements. It is imperative that organizations have robust business continuity plans in place to boost both resilience and senior management’s confidence in the functions’ abilities.

4 http://insights.wired.com/profiles/blogs/from-the-watchtower-five-security-threats-to-look-out-for-in-2015#axzz3ceLWBgQM

I.2.4. BYO5 Trends in the Workplace

As the trend of employees bringing mobile devices, applications and cloud-based storage into the workplace continues to grow, businesses of all sizes are seeing information security vulnerabilities being exploited at a greater rate than ever before. The risks stem from both internal and external threats, including mismanagement or loss of the device itself, external manipulation of software flaws and the deployment of poorly tested, unreliable business applications.

Strong policies and monitoring can help prevent business information being held and accessed in an unprotected manner on consumer devices.

I.2.5. Engagement With Your People

Over the past few decades, organizations have spent millions, if not billions, of dollars on information security awareness activities. The rationale behind this approach was to take their biggest asset – people – and change their behavior, thus reducing risk by providing them with knowledge of their responsibilities and what they need to do.

Organizations need to shift from promoting awareness of the problem to creating solutions and embedding information security behaviors that affect risk positively. The risks are real because people remain a ‘wild card’. Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure ‘the human element’ of information security. In essence, people should be an organization’s strongest control.

5 Bring Your Own (Device)


Instead of simply making people aware of their information security responsibilities and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in “stop and think” behavior becoming a habit, a value ingrained into the organization’s culture. While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the real commercial driver should be risk, and how new behaviors can reduce that risk.

II. The particularities of the Romanian prison system

The National Administration of Penitentiaries is a public service responsible for the enforcement of detention regimes and for rehabilitation intervention, under conditions that ensure human dignity, by facilitating the responsibility and social reintegration of the persons in custody and by contributing to the increase of community safety, public order and the maintenance of national security. The National Administration of Penitentiaries applies the Strategy of the Romanian Government in the fields of its competence by the enforcement of penalties or measures involving deprivation of liberty as ordered by judicial courts. The Information Technology and Communications Directorate ensures the continuity of information services, the development of a coherent and integrated information system, as well as the ability to efficiently use the IT&C resources of the institution. The central structure, together with workers from the territory, manages the equipment of the penitentiary administration system, which is enrolled in a domain-type structure named anp.ro with a tree-like organization, in which the same operating system and the same antivirus system are installed in all working spaces. System and security updates are available in a timely manner and are applied automatically; security policies are applied uniformly, with users and computers obeying the same restrictions and the same set of standardized rules. The institution's computer system performance is high as a result of the implementation of modern technologies: virtualization of server resources, outsourced or in-house data centres, and server protection systems that ensure continuity of operation. The computer system of the institution is complex and in continuous development, with new modules being added to existing applications or new applications being created every year.


Figure 1.

Figure 2: PMSWeb6 interface

II.1. Legal frame regarding the public status

The Constitution of Romania (since 2003) establishes that there are three powers within the state: legislative, executive and judicial power. The instrument through which the executive power exercises its competence is the public administration. But administration, as an institution, operates through its staff, through its employees. They are civil servants. The holder of a public office in the state administration is not a simple employee, but a person with rights and responsibilities well determined by the Law regarding public function and the status of public servants no. 158-XVI of July 04, 2008 and Law no. 188/1999 on the Status of public servants, amended and supplemented by O.U.G. no. 37/2009, as well as Law No. 293/2004 on the Status of public servants in the National Administration of Penitentiaries. The exercise of the public function in the prison system is subordinated to some principles, which govern the organization and career development in the prison administration system:
• competence, the principle according to which people who want to gain or to be promoted in a public office in the National Administration of Penitentiaries and its subordinate units must hold and confirm the knowledge and skills necessary for the exercise of the public function in the prison administration system;
• competition, the principle according to which the confirmation of knowledge and skills necessary for the exercise of a public function in the prison administration is done through competition or exam;
• equal opportunities, the principle which ensures the recognition of vocations for the public function in the prison administration system to any person who meets the conditions established by law;
• professionalism, the principle according to which the exercise of public functions is made in compliance with the legal provisions;
• motivation, the principle according to which, for the purpose of career development, the National Administration of Penitentiaries and its subordinate units have the obligation to identify and apply, in accordance with the law, the moral and material motivation of civil servants, as well as to support their professional development initiatives;
• transparency, the principle according to which the National Administration of Penitentiaries and its subordinate units have the obligation to make available to those interested the information of public interest regarding the career in the penitentiary administration system;
• the stability of civil servants with special status in the public function for which they were employed, which determines their professionalization.

6 Penitentiary Management System - Integrated application for keeping the record of and calculating prison sentences and inmates' rights

II.2. Classified/confidential information in the employee’s daily activity

In the Romanian prison system, the concept of counterintelligence protection represents all the protective measures against the dissemination of information that could cause harm to the organization and implies limiting the vulnerabilities that could lead to information disclosure. It is well known that the most vulnerable link in the protection of classified information is the person who holds it.


Therefore, in recent years the idea has grown of a proactive and protective education that represents all the staff training and guidance measures that can be taken in order to limit situations that can cause vulnerabilities to the protection of classified information.
Categories of classified or confidential information held by the Romanian prison system’s units:
• Personal data of employees of the prison;
• Personal data of detainees held in the databases of the prison;
• Information resulting from administrative or disciplinary research or criminal investigation within the prison;
• Information on the economic interests of the penitentiary – which can be used to negotiate from a privileged position or to conclude contracts to supply goods or services advantageous for potential traders.
Persons who might be interested in this information:
• Potential traders interested in concluding contracts with the penitentiary to supply goods or services;
• Organizations and terrorist or organized crime structures and inmates' family members - for information on the safety of the prison and personal data of employees or information on ongoing investigations, disciplinary or criminal proceedings;
• Organizations and foreign military intelligence structures - for information regarding the defense system, public order, national security and specific operational information.
Means of obtaining confidential/classified information:
• Exploiting the negligence and superficiality of employees in carrying out their duties;
• Corruption of the holder of the information;
• Blackmail of the holder of the information;
• Swindling of the holder of the information.

II.3. Specific vulnerabilities regarding information disclosure

All organizations and individuals interested in obtaining information held by the prison administration units which are excluded from public access will take steps to obtain them directly or indirectly through vulnerabilities generated by people handling them - the man being the weak link in this system. The unauthorized dissemination of information can occur through the following acts or omissions (direct vulnerabilities):


- unprotected communication of classified/confidential information (discussions in public spaces, use of unprotected communication channels, sending documents via courier services other than the legal ones, data packet transmission through an unaccredited communications network);
- negligence in the storage, transport or use of data storage media;
- inadequate protection of the means of copying and transmitting documents;
- improper destruction of drafts and scraps containing classified information.
Usually, those who access classified/confidential information to fulfill their duties do not willfully disseminate it in an unauthorized way unless they are vulnerable to the following (indirect vulnerabilities):
- financial issues;
- problems with alcohol consumption or psychotropic or hallucinogenic substances;
- exposure to blackmail and other pressures.
These issues are set out in the exceptions of incompatibility with access to classified information in art. 159 and 160 of Government Decision no. 585/2002.

III. Information Security Awareness Training in the Romanian Prison System

One of the greatest threats to information security could actually come from within the organization. Inside ‘attacks’ have been noted to be some of the most dangerous since these people are already quite familiar with the infrastructure. It is not always disgruntled workers and corporate spies who are a threat. Often, it is the nonmalicious, uninformed employee.7 The focus of an information security awareness training program should be on users who can do harm to the network by visiting websites infected with malware, responding to phishing e-mails, storing their login information in an unsecured location, or even giving out sensitive information over the phone when exposed to social engineering. One of the best ways to make sure company employees will not make costly errors in regard to information security is to institute company-wide security-awareness training initiatives that include, but are not limited to, classroom-style training sessions, security awareness website(s), helpful hints via e-mail, or even posters. These methods can help ensure employees have a solid understanding of company security policy, procedure and best practices.

7 Cindy Brodie - The Importance of Security Awareness Training, SANS Institute Reading Room, 2008


III.1. Importance of Information Security Awareness

Security awareness can be defined as helping establish an understanding of the importance and how to comply with security policies within the organization.8 One of the biggest risks to an organization’s information security is often not a weakness in the technology control environment. Rather it is the action or inaction by employees and other personnel that can lead to security incidents—for example, through disclosure of information that could be used in a social engineering attack, not reporting observed unusual activity, accessing sensitive information unrelated to the user’s role without following the proper procedures, and so on. It is therefore vital that organizations have a security awareness program in place to ensure employees are aware of the importance of protecting sensitive information, what they should do to handle information securely, and the risks of mishandling information. Employees’ understanding of the organizational and personal consequences of mishandling sensitive information is crucial to an organization’s success. Examples of potential consequences may include penalties levied against the organization, reputational harm to the organization and employees, and impact to an employee’s job. It is important to put potential organizational harm into perspective for personnel, detailing how such damage to the organization can affect their own roles. 
As far as the Romanian Prison System’s need for information security awareness is concerned, the institutional objectives established for this year include:
- Initiating the implementation of integrated security, video surveillance and access control systems
- Adequately equipping the staff involved in guarding, supervising, escorting and intervention missions with specific equipment and means
- Introducing and upgrading digital technologies necessary for providing the right to information and the right to consult private documents, the right to online communication, meetings
- Jamming/reducing the GSM signal in the unit in order to eliminate/reduce the possibility for inmates to illegally use mobile phones
- Implementing a videoconference hearing system for resolving civil cases, criminal cases (interrupting a prison sentence, appeal against the prison sentence, conditional release) and complaints made by prisoners according to Law no. 254/2013 with its subsequent amendments and completions
- Developing two new modules of the integrated PMSWeb computer application:
  o Standard tool for assessing the inmate’s progress in the prison environment and crime risk with a view to determining/changing the prison regime and making conditional release proposals;
  o Applying the Credit System9 in the unit.
The employees have to be trained adequately in order for them to use these new technologies in their daily activities, to understand how they function and the nature of the information they process, and to become aware of the risks implied concerning information security.

8 Adam Gordon - Guide to the Certified Information Systems Security Professional (ISC)2, Fourth edition

III.2. Creating the Culture of Awareness in the Romanian Prison System

Creating an information security and privacy awareness and training program is often a challenging task. And many times, unfortunately, it is a thankless task. However, providing the personnel with the security and privacy information they need, and ensuring they understand and follow the requirements, is an important component of the fulfillment of the Romanian Prison System’s objectives. If the employees do not know or understand how to maintain the confidentiality of information, or how to secure it appropriately, the organization not only risks having one of its most valuable assets (information) mishandled, inappropriately used, or obtained by unauthorized persons, but also risks being in noncompliance with a growing number of laws and regulations that require certain types of information security and privacy awareness and training activities. Also, it is recommended that communication of security awareness be included in new-hire processes, as well as role changes for existing personnel. Security awareness training may be combined with other organizational requirements, such as confidentiality and ethics agreements. It is important to train every employee on basic cybersecurity principles and techniques so that they have a solid understanding of the threats, vulnerabilities, and risks confronting them and their organization. They should know what they should do to protect the organization’s information and thus their own vital interests. Demonstrating how the individual can be personally affected is a powerful technique to reinforce the importance of the subject.10 Topics that can be investigated within the security awareness training course include:
• Security policies
• The organization’s security program
• Regulatory compliance requirements for the organization
• Social engineering
• Disaster recovery
• Emergency management, to include hazardous materials, biohazards, and so on
• Security incident response
• Data classification
• Information labeling and handling
• Personnel security, safety, and soundness
• Physical security
• Appropriate computing resource use
• Proper care and handling of security credentials, such as passwords
• Risk assessment
• Accidents, errors, or omissions
There is a variety of methods that can be used to promote security awareness. Some of the more common methods include:
• Formalized courses, as mentioned above, delivered either in a classroom fashion using slides, handouts, or books, or online through the e-learning platform for the employees’ vocational training.
• Use of posters that call attention to aspects of security awareness, such as password protection, physical security, personnel security, and others.
• Advice to aid workers in the identification of practices that should be avoided (such as posting passwords on post-it notes in a conspicuous place on the desktop) and practices that should be continued (such as maintaining a clean desk or using a locked screensaver when away from the computer).
• Use of the organization’s intranet to post security reminders or to host a weekly or monthly column about information security happenings within the unit or other similar organizations.

9 For every category of activity, each participating inmate is allocated a number of credits, established depending on the complexity of the activity or graduated/completed programme. It is used for passing from one sentence regime to another, both progressive and regressive, respectively for individual analysis and formulating proposals for conditional release. Centralizing the cumulated/reduced credits is implicitly ensured by the computer program application platform.

10 Gregory J. Touhill, C. Joseph Touhill – Cybersecurity for executives, John Wiley & Sons, Inc., Hoboken, New Jersey, 2014

302 of 321

 Sponsor an enterprise-wide security awareness day, complete with security activities, prizes, and recognition of the winners.  Provide trinkets for the users within the organization that support security management principles.  Provide security management videos, books, websites, and collateral for employees to use for reference. It is important to note that activities should be interesting and rewarding for the organization’s people. To facilitate this interest, the program should be adaptable, and the content and format of the awareness materials should be subject to change on a periodic basis.

III.3. Best practices in Organizational Information Security Awareness that could be applied

Security awareness should be conducted as an on-going program to ensure that training and knowledge are not just delivered as an annual activity, but are used to maintain a high level of security awareness on a daily basis.

III.3.1. Assemble the Security Awareness Team

The first step in the development of a formal security awareness program is assembling a security awareness team. This team is responsible for the development, delivery, and maintenance of the security awareness program. It is recommended that the team be staffed with personnel from different areas of the organization, with differing responsibilities, representing a cross-section of the organization. Having a team in place will help ensure the success of the security awareness program through assignment of responsibility for the program.

III.3.2. Determine Roles for Security Awareness

Role-based security awareness provides organizations with a reference for training personnel at the appropriate levels based on their job functions. The training can be expanded upon, and subject areas combined or removed, according to the levels of responsibility and roles defined in the organization. The goal is to build a reference catalogue of various types and depths of training to help organizations deliver the right training to the right people at the right time.

Identify levels of responsibility. The first task when scoping a role-based security awareness program is to group individuals according to their roles (job functions) within the organization.


Figure 3: Security Awareness Roles for Organizations

Establish Minimum Security Awareness. Establishing a minimum awareness level for all personnel can be the base of the security awareness program. Security awareness may be delivered in many ways, including formal training, computer-based training, e-mails and circulars, memos, notices, bulletins, posters, etc. The security awareness program should be delivered in a way that fits the overall culture of the organization and has the most impact on personnel. The following diagram depicts how the depth of awareness training should increase as the level of risk associated with different roles increases.

Figure 4: Depth of Security Awareness Training


III.3.3. Security Awareness throughout the Organization

The key to an effective security awareness program is targeting the delivery of relevant material to the appropriate audience in a timely and efficient manner. To be effective, the communication channel should also fit the organization’s culture. By disseminating security awareness training via multiple communication channels, the organization ensures that personnel are exposed to the same information multiple times in different ways. This greatly improves how people remember the information presented to them. Content may need to be adapted depending on the communication channel; for example, the content in an electronic bulletin may differ from the content in an instructor-led training seminar, even though both carry the same underlying message. The communication channel used should match both the audience receiving the training and the type of content being delivered. Management leadership and support for the security awareness program is crucial to its successful adoption by staff. Managers are encouraged to:
• Actively encourage personnel to participate in and uphold the security awareness principles.
• Model the appropriate security awareness approach to reinforce the learning obtained from the program.
• Include security awareness metrics in management and staff performance reviews.¹¹

CONCLUSIONS

Although there are a number of information security standards available, an organisation can only benefit if those standards are implemented properly. Security is something that all parties should be involved in. Senior management, information security practitioners, IT professionals and users all have a role to play in securing the assets of an organisation. The success of information security can only be achieved by full cooperation at all levels of an organisation, both inside and outside.

¹¹ Security Awareness Program Special Interest Group, PCI Security Standards Council – Information Supplement: Best Practices for Implementing a Security Awareness Program, Version 1.0, October 2014


REFERENCES

1. Adam Gordon – Guide to the Certified Information Systems Security Professional (ISC)², Fourth edition, Auerbach Publications, 2015
2. Cindy Brodie – The Importance of Security Awareness Training, SANS Institute Reading Room, 2008
3. Gregory J. Touhill, C. Joseph Touhill – Cybersecurity for executives, John Wiley & Sons, Inc., Hoboken, New Jersey, 2014
4. Security Awareness Program Special Interest Group, PCI Security Standards Council – Information Supplement: Best Practices for Implementing a Security Awareness Program, Version 1.0, October 2014
5. ISO/IEC 27000:2014, section 2, Terms and definitions
6. www.pcworld.com
7. www.insights.wired.com
8. www.infosec.gov.hk
9. www.windowsecurity.com
10. www.cio.com
11. www.eccouncil.org
12. www.infosectoday.com
13. National Administration of Penitentiaries – Activity Report 2014
14. National Administration of Penitentiaries – Brochure presentation


ANALYSIS METHODS OF PENETRATION TESTING

ZHYLIN A.V.

INTRODUCTION

Penetration testing, often abbreviated as “pentest”, is a process followed to conduct an in-depth security assessment or audit. A methodology defines a set of rules, practices, and procedures that are pursued and implemented during the course of any information security audit program. A penetration testing methodology defines a roadmap with practical ideas and proven practices that can be followed to assess the true security posture of a network, application, system, or any combination thereof. This paper analyses several key penetration testing methodologies and, on that basis, proposes a generalized penetration testing method.

I. ROLE OF PENETRATION TESTING IN THE INFORMATION SECURITY MANAGEMENT SYSTEM

Effective penetration testing involves the simulation of a malicious attack (either from malicious outsiders or from the organization’s own staff) on an organization’s information security arrangements, often using a combination of methods and tools. The resulting findings from a pentest provide a basis upon which security measures can be improved. There is a range of potential attack vectors and methodologies through which information can be exploited. These include open ports, Wi-Fi passwords, packet sniffing, phishing schemes, browser exploits and social engineering. Penetration testing aims to exploit known vulnerabilities but should also use the tester’s expertise to identify specific weaknesses (unknown vulnerabilities) in an organization’s security arrangements. New vulnerabilities are identified and exploited by hackers every week, so regular testing of systems is necessary in order to:
• discover new bugs in existing software (patches and updates can fix existing vulnerabilities, but they can also introduce new vulnerabilities);
• determine weaknesses in the infrastructure (hardware), applications (software) and people in order to develop controls;
• test applications that are often the avenues of attack (applications are built by people, and people can make mistakes despite best practices in software development);
• ensure controls have been implemented and are effective, which provides assurance to information security and senior management;
• produce evidence that security measures are adequate and working, in the form of reports to managers demonstrating that IT spending is appropriate and cost-effective;
• ensure compliance with information security standards.

The following subsection shows how penetration testing supports compliance with the requirements of information security standards.

I.1. Analysis of the need for Penetration Testing in accordance with the requirements of the information security standards

Penetration testing is an essential component of ISO 27001 "Information technology - Security techniques - Information security management systems - Requirements". It can be applied throughout the building of an information security management system (ISMS), from initial development to ongoing maintenance and continual improvement. This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. The following clauses of the standard set out requirements that can be met using penetration testing [1]:
• A.9.4 System and application access control (Objective: To prevent unauthorized access to systems and applications).
• A.12.7 Information systems audit considerations (Objective: To minimise the impact of audit activities on operational systems).
• A.14.2 Security in development and support processes (Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems).

Control A.12.6.1 of ISO 27001:2013 also specifies that “Information about technical vulnerabilities of information systems be obtained in a timely fashion, the organization's exposure to such vulnerabilities be evaluated and appropriate measures be taken to address the associated risk.” A vulnerability assessment or penetration test is the best method for identifying these vulnerabilities in systems, infrastructure and web applications.

There are three specific points in an ISMS project at which penetration testing can make a significant contribution:
• As part of the risk assessment process: uncovering vulnerabilities in any Internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.
• As part of the risk treatment plan: ensuring that the controls that are implemented actually work as designed.
• As part of the continual improvement processes: ensuring that controls continue to work as required, and that new and emerging threats and vulnerabilities are identified and dealt with.

Requirement 11 of the PCI DSS covers the need to regularly and frequently carry out tests to identify unaddressed security issues and scan for rogue wireless networks. The Standard states that penetration testing should be performed at least annually, and whenever there is a significant infrastructure or application upgrade or modification (for example, new system component installations, addition of a sub-network or addition of a web server). It also states that methods that may be used in the penetration testing process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.

I.2. Types of Penetration Testing

Although there are different types of penetration testing, the three most general approaches that are widely accepted by the industry are the black box, white box and gray box [3]. Black box testing. While applying this approach, the security auditor will be assessing the network infrastructure and will not be aware of any internal technologies deployed by the targeted organization. By employing a number of real-world hacker techniques and going through organized test phases, vulnerabilities may be revealed and potentially exploited. It is important for a pentester to understand, classify, and prioritize these vulnerabilities according to their level of risk (low, medium, or high). The risk can be measured according to the threat imposed by the vulnerability in general. An ideal penetration tester would determine all attack vectors that could cause the target to be compromised. Once the testing process has been completed, a report that contains all the necessary information regarding the targets' real-world security posture, categorizing, and translating the identified risks into a business context, is generated.

White box testing. An auditor involved in this kind of penetration testing process is aware of all the internal and underlying technologies used by the target environment. Hence, it opens a wide gate for a penetration tester to view and critically evaluate the security vulnerabilities with minimum possible effort and utmost accuracy. It brings more value to the organization in comparison to the black box approach in the sense that it will eliminate any internal security issues lying in the target infrastructure's environment, thus making it more difficult for a malicious adversary to infiltrate from the outside. The number of steps involved in white box testing is similar to that of black box testing. Moreover, the white box approach can easily be integrated into a regular development life cycle to eradicate any possible security issues at an early stage, before they get disclosed and exploited by intruders. The time, cost, and knowledge level required to find and resolve the security vulnerabilities are comparatively lower than with the black box approach.

Gray box testing. Gray box testing means testing a system while having at least some knowledge of the internals of the system. This knowledge is usually constrained to detailed design documents and architecture diagrams. It is a combination of black and white box testing, and combines aspects of each. Gray box testing allows security analysts to run automated and manual penetration tests against a target application, and it allows those analysts to focus and prioritize their efforts based on superior knowledge of the target system. This increased knowledge can result in more significant vulnerabilities being identified with a significantly lower degree of effort, and can be a sensible way for analysts to better approximate certain advantages attackers have over security professionals when assessing applications.

II. DESCRIPTION OF KNOWN PENETRATION TESTING METHODS

II.1. Open Source Security Testing Methodology Manual

The "Open Source Security Testing Methodology Manual" (OSSTMM), maintained by the Institute for Security and Open Methodologies in the United States, is an open source project for checking the state of security that consists of a list of steps to be performed when testing an organization's information security [4]. The purpose of OSSTMM is to develop a method whose rules serve as instructions for security checks, and under which companies can be certified as meeting its security criteria. To maintain the relevance of this document, it is continually refined and outdated information is replaced with new material.

The OSSTMM methodology defines validation rules in six sections:
• physical security testing;
• information security verification;
• communications security checking;
• Internet resource security checking;
• wireless communications security checking;
• checking personnel compliance with information security rules.

Each section has modules that define the review process in certain areas. Each module is explained briefly and its expected results are listed. The modules have a fairly short description and a structure consisting of:
• the objective of the test,
• the tasks,
• the expected results.

OSSTMM also contains several documentation templates for the process of checking the organization, which record the results of each test step in the different modules. The methodology also supports two different approaches to using OSSTMM: serial and parallel. In the sequential approach the modules are executed in succession, one after the other, while in the parallel approach independent modules can be executed simultaneously. In addition, the OSSTMM methodology provides a risk assessment system (RAV) that determines how frequently specific modules are repeated, depending on the amount of risk posed by the realization of a vulnerability in the information objects checked by that module. The check frequency provides for continuous security monitoring so that vulnerabilities cannot be realized. Each module is assigned a pair of values that drive the cyclical RAV process; the re-check frequency is defined in days for each module. When measuring the risk of a vulnerability being realized, the time needed to update the protective mechanisms and the time needed to realize the vulnerability are taken into account. The latter parameter is determined experimentally and depends entirely on the skill of the experimenter, i.e. it is a subjective value.

Analyzing the text of the OSSTMM methodology, it can be seen that the RAV risk assessment process does not provide absolute protection, but depends on the qualification level of the specialist attempting to realize the vulnerability experimentally. It simply provides a general characterization of security and the approximate time of re-audit. In particular, the method contains no description of how to perform the described tasks or of the verification process flow. It is a kind of versatile program that can be adapted to suit the individual requirements of the inspector. In addition, the short description of each module means that this document cannot be used as a standard; rather, it can be seen as a structured set of recommendations. It should also be noted that the modules and audit stages are not ranked in order of priority. This means that a widespread vulnerability that poses a high-priority hazard to the information system will be treated the same as other discovered vulnerabilities that do not constitute critical hazards. Thus it should be noted that the OSSTMM methodology is not without drawbacks, which leaves room for further improvement of security testing technology.

II.2. Information Systems Security Assessment Framework

The Information Systems Security Assessment Framework (ISSAF) [5] is another open source security testing and analysis framework. Its framework has been categorized into several domains to address the security assessment in a logical order. Each of these domains assesses different parts of a target system and provides field inputs for a successful security engagement. The ISSAF penetration testing methodology is designed to evaluate your network, system and application controls. It consists of a three-phase approach and a nine-step assessment. The approach includes the following three phases:
• Phase I: Planning and Preparation
• Phase II: Assessment
• Phase III: Reporting, Clean-up and Destroy Artefacts

By integrating its framework into a regular business life cycle, it may provide the accuracy, completeness, and efficiency required to fulfill an organization's security testing requirements. ISSAF was developed to focus on two areas of security testing: technical and managerial. The technical side establishes the core set of rules and procedures to follow and create an adequate security assessment process, while the managerial side accomplishes engagement with the management and the best practices that should be followed throughout the testing process. It should be remembered that ISSAF defines the assessment as a process instead of an audit. As auditing requires a more established body to proclaim the necessary standards, its assessment framework does include the planning, assessment, treatment, accreditation, and maintenance phases. Each of these phases holds generic guidelines that are effective and flexible for any organizational structure. The output is a combination of operational activities, security initiatives, and a complete listing of vulnerabilities that might exist in the target environment.

The assessment process chooses the shortest path to reach the test deadline by analyzing its target against critical vulnerabilities that can be exploited with minimum effort. ISSAF contains a rich set of technical assessment baselines to test a number of different technologies and processes. However, this has introduced another problem, that of maintenance: the framework must keep being updated in order to reflect new or updated technology assessment criteria. When compared to the OSSTMM methodology, these obsolescence issues affect the OSSTMM less, because the auditor is able to use the same methodology over a number of security engagements using a different set of tools and techniques. On the other hand, ISSAF also claims to be a broad framework with up-to-date information on security tools, best practices, and administrative concerns to complement the security assessment program. It can also be aligned with OSSTMM or any other similar testing methodology, thus combining the strengths of each. The following are the key features and benefits of ISSAF:
• ISSAF provides a high value proposition to secure the infrastructure by assessing the existing security controls against critical vulnerabilities.
• It addresses different key areas of information security. These include risk assessment, business structure and management, controls assessment, engagement management, security policies development, and general best practices.
• The ISSAF penetration testing methodology examines the security of a network, system, or application. The framework can transparently focus on target-specific technology that may involve routers, switches, firewalls, intrusion detection and prevention systems, storage area networks, virtual private networks, various operating systems, web application servers, databases, and so forth.
• It bridges the gap between the technical and managerial view of security testing by implementing the necessary controls to handle both areas.
• It enables the management to understand the existing risks that float over an organization's perimeter defenses and to reduce them proactively by identifying the vulnerabilities that may affect business integrity.

II.3. Guideline on Network Security Testing

This document, also designed to make public bodies and companies more secure, was likewise developed in the US, by the National Institute of Standards and Technology (NIST), and is called "Guideline on Network Security Testing". In the Institute’s register of publications this guide is recorded as NIST Special Publication 800-42 [6]. This document follows the same direction as another document developed by the same institute, called "Guide for Information Security". "Guideline on Network Security Testing" describes a methodology for testing network security. It is aimed at organizations interested in checking and evaluating the security of their network infrastructure. Its structure is similar to the previous document: it also consists of modules, each giving a brief description of the testing stages performed in accordance with the tasks described in the module. The main difference is the different approach to the audit. Whereas in the previous case the testing process was implemented by the developers’ own specialists, this document places its primary emphasis on verification by an independent organization. Accordingly, after describing the audit methodology, a separate annex describes the software employed for this purpose. The description takes the form of a table containing:
• the name of the program;
• the operating system it runs on;
• a brief description of its functions;
• the resource where the program can be obtained and how to use it.

In addition, NIST SP 800-42 contains an appendix describing the basic operation of the essential software tools for testing, including their main features and usage examples. Despite the advantages such a document should have, it contains no complete information about its development. Moreover, the lack of information on its finalization leads to the conclusion that it is still pending. Also, having a description of the software used in testing does not compensate for the small number of issues covered in comparison with the method developed at the Institute for Security and Open Methodologies.

II.4. Durchführungskonzept für Penetrationstests

This document was prepared by the German Federal Office for Information Security. It describes the correct way to test the strength of a system. It describes in detail not only the testing methodology but also the necessary requirements, the legal aspects of the methodology and the procedures that must be followed for successful tests [7]. It contains sections such as:
• introduction and training facilities;
• IT security and penetration testing;
• classification of penetration testing facilities;
• legal issues;
• general requirements;
• methodology for penetration testing;
• performing penetration testing.

According to this document, there are three types of methods by which an IT system can be damaged or an attack prepared:
• attacks through the network;
• social engineering;
• bypassing physical security measures.

Five procedures are defined for the strength test:
• searching for information about the target system;
• scanning the target system to determine which services are available;
• identification of systems and applications;
• researching vulnerabilities;
• using the vulnerabilities.

The document classifies strength tests and defines their criteria. It also describes six phases of strength tests:
1. Preparation. The test objects are defined with the customer. Tests must be performed in compliance with all legal aspects. The auditor must be sure that the tests do not violate any laws or contractual obligations. The procedure and its risks should be discussed and documented.
2. Exploration. After the first phase, the auditor may begin to collect information on the target. This is the passive phase of strength testing. The goal is to get a complete and detailed overview of the installed systems, including areas open to attack and known security flaws.
3. Analysis of the information and risks. For a successful, transparent and cost-effective procedure, the collected information must be analyzed before active penetration testing. The analysis should include setting the goals of the penetration test, the potential risks to the system and the time required for evaluation of possible security problems in further active tests.
4. Active intrusion attempts. This phase entails high risk and should be carried out with due care. However, only this phase can show whether the vulnerabilities identified in the exploration phase pose the alleged risk.
5. Final analysis. The final report should include an assessment of vulnerabilities in the form of potential risks and recommendations to eliminate the vulnerabilities and risks. The report should also ensure the transparency and disclosure of the vulnerability tests.
6. Documentation. After all the above phases, the results are recorded and processed and recommendations are made.

The annex contains a description of software that can be used to test the objects described in the method. This technique is recommended for testing the final product. It is quite detailed and tries to foresee all technical, organizational and legal aspects of the strength test.

II.5. PTES - Penetration Testing Execution Standard - Technical Guidelines

The Penetration Testing Execution Standard (PTES) was created by some of the brightest minds and definitive experts in the penetration testing industry. It consists of seven phases of penetration testing and can be used to perform an effective penetration test on any environment [8]. The seven stages of penetration testing detailed by this standard are as follows:
• pre-engagement interactions;
• intelligence gathering;
• threat modeling;
• vulnerability analysis;
• exploitation;
• post-exploitation;
• reporting.

Each of these stages is described in detail on the PTES site, along with specific mind maps that detail the steps required for each phase. This allows the PTES standard to be customized to match the testing requirements of the environments being tested. More details about each step can be accessed by simply clicking on the item in the mind map. The key features and benefits of PTES are:
• It has detailed instructions on how to perform many of the tasks that are required to accurately test the security posture of an environment.
• It covers the most commonly found technologies as well as ones that are not so common.
• It is a very thorough penetration testing framework that covers the technical as well as other important aspects of a penetration test, such as scope creep, reporting, and protecting you as a penetration tester.
• It is easy to understand and you can adapt it to your own testing needs.
• It is put together for penetration testers by experienced penetration testing experts who perform these tasks on a daily basis.

III. THE GENERALIZED METHOD OF PENETRATION TESTING

As can be seen from the analysis, the different methods have similar steps. At the same time, there are also many general techniques devised by individual authors from which one can select [9]. The general testing framework presented in this section covers both the black box and white box approaches. It offers a basic overview of the typical phases through which an auditor or penetration tester should progress. Either of these approaches can be adjusted according to the given target of assessment. The framework is composed of a number of steps that should be followed in the initial, medial, and final stages of testing in order to accomplish a successful assessment. These include the following:
• Target scoping.
• Information gathering.
• Target discovery.
• Enumerating target.
• Vulnerability mapping.
• Social engineering.
• Target exploitation.
• Privilege escalation.
• Maintaining access.
• Documentation and reporting.
Each stage of testing is explained below with a brief description, definition, and its possible applications. This general approach may be combined with any of the existing methodologies and should be used as a guideline rather than a penetration testing catch-all solution.

Target scoping. Before starting the technical security assessment, it is important to observe and understand the given scope of the target network environment. It is also necessary to know that the scope can be defined for a single entity or a set of entities that are given to the auditor. To lead a successful penetration test, an auditor must be aware of the technology under assessment, its basic functionality, and its interaction with the network environment. Thus, the knowledge of an auditor makes a significant contribution towards any kind of security assessment.

Information gathering. Once the scope is finalized, it is time to move into the reconnaissance phase. During this phase, a pentester uses a number of publicly available resources to learn more about his or her target. This information can be retrieved from Internet sources such as forums, bulletin boards, newsgroups, articles, blogs, social networks, and commercial or non-commercial websites. Additionally, the data can also be gathered through various search engines, such as Google, Yahoo!, MSN Bing, Baidu, and others.
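As an added illustration of the target scoping step (this code is not from the paper; the address ranges, exclusions and discovered hosts are constructed sample values), the following Python script gates every candidate host against the ranges the customer authorised and the ranges explicitly carved out, and rejects anything it cannot parse so the test fails closed rather than drifting outside the agreed scope:

```python
"""Scope gate for a penetration test (added example, not from the paper).

Every host the auditor intends to touch is checked against the address
ranges the customer authorised and the ranges explicitly excluded from the
engagement. Anything that falls outside, or that cannot be parsed at all,
is rejected so that the test fails closed rather than drifting out of scope.
All ranges and hosts below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    """Authorised ranges and exclusions as ipaddress network objects."""
    included: list = field(default_factory=list)
    excluded: list = field(default_factory=list)


def parse_scope(include_lines, exclude_lines):
    """Build a Scope from two lists of CIDR/host strings ('#' comments ignored)."""
    def networks(lines):
        result = []
        for raw in lines:
            entry = raw.split("#", 1)[0].strip()
            if entry:
                # strict=False lets "10.10.5.7/24" mean the surrounding /24
                result.append(ipaddress.ip_network(entry, strict=False))
        return result
    return Scope(networks(include_lines), networks(exclude_lines))


def in_scope(target, scope):
    """True only if target is inside an included range and outside every exclusion.

    Raises ValueError for strings that are not IP addresses; the caller
    decides how to treat those (partition_targets below fails closed).
    """
    addr = ipaddress.ip_address(target)
    # containment across IP versions is simply False, so mixed v4/v6 scopes are safe
    if any(addr in net for net in scope.excluded):
        return False
    return any(addr in net for net in scope.included)


def partition_targets(targets, scope):
    """Split candidate targets into (approved, rejected); unparsable entries are rejected."""
    approved, rejected = [], []
    for target in targets:
        try:
            (approved if in_scope(target, scope) else rejected).append(target)
        except ValueError:
            rejected.append(target)
    return approved, rejected


# Constructed engagement scope: authorised ranges and carve-outs
INCLUDE = [
    "10.10.0.0/16        # internal office segment",
    "192.0.2.0/24        # DMZ",
    "2001:db8::/32       # IPv6 lab",
]
EXCLUDE = [
    "10.10.5.0/24        # production database segment, out of bounds",
    "192.0.2.1           # customer's border router, do not touch",
]
# Constructed host list as the discovery phase might produce it
DISCOVERED = ["10.10.1.20", "10.10.5.7", "192.0.2.1", "192.0.2.44",
              "203.0.113.9", "2001:db8::1", "not-an-ip"]


def example():
    """Run the gate over the constructed data and return (approved, rejected)."""
    return partition_targets(DISCOVERED, parse_scope(INCLUDE, EXCLUDE))


if __name__ == "__main__":
    approved, rejected = example()
    print("approved:", approved)
    print("rejected:", rejected)
```

The exclusion list is checked before the inclusion list, so a carve-out inside an authorised range (the production segment inside the office /16) wins, and a host that is merely listed nowhere is rejected rather than silently allowed.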
Moreover, an auditor can use the tools provided in Kali Linux to extract network information about a target. These tools perform valuable data mining techniques to collect information through DNS servers, trace routes, the Whois database, e-mail addresses, phone numbers, personal information, and user accounts. As more information is gathered, the probability of conducting a successful penetration test increases.

Target discovery. This phase mainly deals with identifying the target's network status, operating system, and relative network architecture. This provides a complete image of the interconnected current technologies or devices and may further help in enumerating the various services that are running over the network. By using advanced network tools one can determine the live network hosts and the operating systems running on these host machines, and characterize each device according to its role in the network system. These tools generally implement active and passive detection techniques on top of network protocols, which can be manipulated in different forms to acquire useful information such as operating system fingerprinting.

Enumerating target. This phase takes all the previous efforts forward and finds the open ports on the target systems. Once the open ports have been identified, they can be enumerated for the running services. Using a number of port scanning techniques such as full-open, half-open, and stealth scans can help determine a port's visibility even if the host is behind a firewall or Intrusion Detection System (IDS). The services mapped to the open ports help in further investigating the vulnerabilities that might exist in the target network's infrastructure. Hence, this phase serves as a base for finding vulnerabilities in various network devices, which can lead to a serious penetration. An auditor can use some automated tools to achieve the goal of this phase.

Vulnerability mapping. This is the time to identify and analyze the vulnerabilities based on the disclosed ports and services. This process can be achieved via a number of automated network and application vulnerability assessment tools.
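The enumeration phase above leaves a signature that the IDS or firewall mentioned there can pick up: one source touching many distinct destination ports in a short time. As an added example (not code from the paper; the firewall log format and the log lines are constructed assumptions), this Python detector parses such lines and flags sources whose distinct-port count inside a sliding window reaches a threshold; since only initial SYNs are counted, a half-open scan looks the same as a full-connect scan:

```python
"""Port-scan detection over firewall logs (added example, not from the paper).

Parses constructed firewall log lines and flags any source that hits many
distinct destination ports within a sliding time window. The line format
is an assumption of this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO time> <ALLOW|DROP> TCP <src>:<sport> -> <dst>:<dport> <flags>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def detect_port_scans(lines, window_seconds=60, min_ports=10):
    """Map source -> largest number of distinct destination ports seen in any window.

    Only initial SYNs are counted, so half-open and full-connect scans are
    treated alike. Sources that never reach min_ports are omitted.
    """
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["flags"] == "SYN":
            per_src[ev["src"]].append((ev["ts"], ev["dport"]))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, events in per_src.items():
        events.sort()                 # order by time so the window can slide
        ports_in_window = Counter()   # dport -> occurrences inside the window
        start, best = 0, 0
        for ts, port in events:
            ports_in_window[port] += 1
            # evict events that fell out of the window
            while ts - events[start][0] > window:
                old_port = events[start][1]
                ports_in_window[old_port] -= 1
                if ports_in_window[old_port] == 0:
                    del ports_in_window[old_port]
                start += 1
            best = max(best, len(ports_in_window))
        if best >= min_ports:
            alerts[src] = best
    return alerts


# Constructed sample log: a normal HTTPS client, a slow three-port prober
# spread over hours, a malformed line, and a sweep of twelve ports from one
# source inside eleven seconds.
SAMPLE_LOG = [
    "2015-06-11T09:14:00 ALLOW TCP 10.10.2.5:50110 -> 10.10.1.20:443 SYN",
    "2015-06-11T09:14:01 ALLOW TCP 10.10.2.5:50111 -> 10.10.1.20:443 SYN",
    "2015-06-11T09:14:03 ALLOW TCP 10.10.2.5:50112 -> 10.10.1.20:443 SYN",
    "2015-06-11T09:14:05 DROP  TCP 10.10.2.7:40000 -> 10.10.1.20:22 SYN",
    "2015-06-11T10:30:00 DROP  TCP 10.10.2.7:40001 -> 10.10.1.20:23 SYN",
    "2015-06-11T11:45:00 DROP  TCP 10.10.2.7:40002 -> 10.10.1.20:25 SYN",
    "garbage line the parser must skip",
] + [
    f"2015-06-11T09:20:{i:02d} DROP  TCP 203.0.113.9:{51000 + i} -> 10.10.1.20:{port} SYN"
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])
]

if __name__ == "__main__":
    for src, count in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {count} distinct ports within 60 s")
```

Widening the window is how a slow, spread-out probe like the one from 10.10.2.7 becomes visible; the trade-off is more false positives from legitimate clients that talk to several services over a working day, which is why the threshold and window are parameters rather than constants.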
It can also be done manually, but that takes an enormous amount of time and requires expert knowledge. However, combining both approaches should provide an auditor with a clear vision to carefully examine any known or unknown vulnerability that may otherwise exist on the network systems.

Social engineering. Practicing the art of deception is considerably important when there is no open gate available for an auditor to enter the target network. Thus, using a human attack vector, it is still possible to penetrate the target system by tricking a user into executing malicious code that gives backdoor access to the auditor. Social engineering comes in different forms. This can be anybody pretending to be a network administrator over the phone forcing you to reveal your account information, or an e-mail phishing scam that can hijack your bank account details. Someone imitating personnel to get into a physical location is also considered social engineering. There is an immense set of possibilities that could be applied to achieve the required goal. Note that for a successful penetration, additional time to understand human psychology may be required before applying any suitable deception against the target. It is also important to fully understand the associated laws of your country with regard to social engineering prior to attempting this phase.

Target exploitation. After carefully examining the discovered vulnerabilities, it is possible to penetrate the target system based on the types of exploits that are available. Sometimes, it may require additional research or modifications to the existing exploit in order to make it work properly. This sounds a bit difficult but might get easier when working with advanced exploitation tools. Moreover, an auditor can also apply client-side exploitation methods mixed with a little social engineering to take control of a target system. Thus, this phase mainly focuses on the target acquisition process. The process coordinates three core areas, which involve pre-exploitation, exploitation, and post-exploitation activities.

Privilege escalation. Once the target is acquired, the penetration is successful. An auditor can now move freely in the system, depending on his or her access privileges. These privileges can also be escalated using any local exploits that match the system's environment, which, once executed, should help attain super-user or system-level privileges. From this point of entry, an auditor might also be able to launch further attacks against the local network systems. This process can be restricted or non-restricted depending on the given target's scope. There is also a possibility of learning more about the compromised target by sniffing the network traffic, cracking passwords of various services, and applying local network spoofing tactics. Hence, the purpose of privilege escalation is to gain the highest level of access to the system that is possible.

Maintaining access. Sometimes, an auditor might be asked to retain access to the system for a specified time period. Such activity can be used to demonstrate illegitimate access to the system without performing the penetration testing process again. This saves the time, cost, and resources that would otherwise be spent regaining access to the system for security purposes. Employing some covert tunneling methods, which make use of a protocol, proxy, or end-to-end connection strategy that can lead to establishing backdoor access, can help an auditor maintain his or her foothold in the target system as long as required. This kind of system access provides a clear view of how an attacker can maintain his or her presence in the system without noisy behavior.

Documentation and reporting. Documenting, reporting, and presenting the vulnerabilities found, verified, and exploited will conclude your penetration testing activities. From an ethical perspective, this is extremely important because the concerned managerial and technical team can inspect the method of penetration and try to close any security loopholes that may exist. The types of reports created for each relevant authority in the contracting organization may have different outlooks to help the business and technical staff understand and analyze the weak points that exist in their IT infrastructure. Additionally, these reports can serve the purpose of capturing and comparing the target system's integrity before and after the penetration process.
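For the documentation and reporting step, as an added example (not code from the paper; the likelihood-times-impact scoring, the severity bands and the findings themselves are constructed assumptions), the following Python findings register produces from one data set both outlooks the paragraph above describes: a management summary counted by severity and a technical section ranked by risk, with verified findings kept apart from ones a scanner merely reported:

```python
"""Findings register and report rendering (added example, not from the paper).

The same findings feed two audiences: a management summary ranked by risk,
and a technical section with remediation per host. Likelihood and impact
are scored 1..5 and multiplied; the severity bands are an assumption of this
example, not a scheme the paper prescribes. All findings are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    title: str
    host: str
    likelihood: int   # 1 (unlikely) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    verified: bool    # reproduced by the auditor, not only reported by a scanner
    remediation: str


def risk_score(finding):
    """Likelihood x impact, range 1..25; inputs outside 1..5 are rejected."""
    for value in (finding.likelihood, finding.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"score out of range: {value}")
    return finding.likelihood * finding.impact


def severity(score):
    """Band a 1..25 score (assumed thresholds)."""
    if score >= 15:
        return "Critical"
    if score >= 9:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank_findings(findings):
    """Highest risk first; verified findings before unverified ones at equal risk."""
    return sorted(findings, key=lambda f: (-risk_score(f), not f.verified, f.title))


def summarize(findings):
    """Count findings per severity band for the management view."""
    return Counter(severity(risk_score(f)) for f in findings)


def render_report(findings):
    """Plain-text report with a management summary and a technical detail section."""
    ranked = rank_findings(findings)
    counts = summarize(findings)
    lines = ["MANAGEMENT SUMMARY"]
    for band in ("Critical", "High", "Medium", "Low"):
        lines.append(f"  {band:<8} {counts.get(band, 0)}")
    lines.append("")
    lines.append("TECHNICAL FINDINGS (ranked by risk)")
    for n, f in enumerate(ranked, 1):
        score = risk_score(f)
        status = "verified" if f.verified else "unverified (scanner report only)"
        lines.append(f"{n}. [{severity(score)} {score}/25] {f.title} on {f.host} - {status}")
        lines.append(f"   Remediation: {f.remediation}")
    return "\n".join(lines)


# Constructed findings for a fictional engagement
FINDINGS = [
    Finding("Verbose server banner", "192.0.2.44", 2, 1, True,
            "Suppress version information in service banners."),
    Finding("Default credentials on management interface", "10.10.1.20", 5, 5, True,
            "Change the default credentials and restrict the interface to the admin VLAN."),
    Finding("Outdated TLS configuration", "192.0.2.44", 3, 2, True,
            "Disable legacy protocol versions and weak cipher suites."),
    Finding("Unpatched service reported by scanner", "10.10.1.30", 3, 4, False,
            "Confirm the installed version, then apply the vendor patch."),
]

if __name__ == "__main__":
    print(render_report(FINDINGS))
```

Keeping the verified flag on every finding is what lets the technical team separate what the auditor actually reproduced from what a scanner merely reported, and ordering by the same score in both sections keeps the management and technical views consistent with each other.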

CONCLUSIONS

This paper discussed several penetration testing methodologies. The summary of key points:
• Penetration testing is a very important part of an information security management system.
• Penetration testing can be broken into different types such as black box and white box. The black box approach is also known as external testing, where the auditor has no prior knowledge of the target system. The white box approach refers to internal testing, where the auditor is fully aware of the target environment. The combination of both types is known as gray box.
• There are a number of security testing methodologies, but very few provide stepwise, consistent instructions on measuring the security of a system or application. Five such well-known open source security assessment methodologies were discussed. These include OSSTMM, ISSAF, GNST, DPT and PTES.
• A simplified and structured testing framework for penetration testing was also presented. This process involves a number of steps, which have been organized according to the industry approach towards security testing. These include target scoping, information gathering, target discovery, enumerating target, vulnerability mapping, social engineering, target exploitation, privilege escalation, maintaining access, and documentation and reporting.

REFERENCES

1. ISO 27001:2013 "Information technology - Security techniques - Information security management systems - Requirements".
2. Payment Card Industry Data Security Standard (PCI DSS): 2013, Version 3.0.
3. David M. Hafele – "Three Different Shades of Ethical Hacking: Black, White and Gray", February 23, 2004. URL: http://www.sans.org/reading-room/whitepapers/hackers/shades-ethical-hacking-black-white-gray-1390.
4. Pete Herzog – OSSTMM 2.1 Open-Source Security Testing Methodology Manual. Institute for Security and Open Methodologies, 2003.
5. Information Systems Security Assessment Framework (ISSAF) draft 0.2, Open Information Systems Security Group, 2005.
6. NIST Special Publication 800-42. Guideline on Network Security Testing. Recommendations of the National Institute of Standards and Technology, 2003.
7. Studie Durchführungskonzept für Penetrationstests. Bundesamt für Sicherheit in der Informationstechnik, 2003.
8. The Penetration Testing Execution Standard. URL: http://www.pentest-standard.org/index.php/Main_Page.
9. Lee Allen, Tedi Heriyanto, Shakeel Ali – Kali Linux – Assuring Security by Penetration Testing. Packt Publishing Ltd, 2014.
