Sifu - a Cybersecurity Awareness Platform with Challenge Assessment and Intelligent Coach Tiago Espinha Gasiba1* , Ulrike Lechner2 and Maria Pinto-Albuquerque3
Total Page:16
File Type:pdf, Size:1020Kb
Espinha Gasiba et al. Cybersecurity (2020) 3:24 Cybersecurity https://doi.org/10.1186/s42400-020-00064-4 RESEARCH Open Access Sifu - a cybersecurity awareness platform with challenge assessment and intelligent coach Tiago Espinha Gasiba1* , Ulrike Lechner2 and Maria Pinto-Albuquerque3 Abstract Software vulnerabilities, when actively exploited by malicious parties, can lead to catastrophic consequences. Proper handling of software vulnerabilities is essential in the industrial context, particularly when the software is deployed in critical infrastructures. Therefore, several industrial standards mandate secure coding guidelines and industrial software developers’ training, as software quality is a significant contributor to secure software. CyberSecurity Challenges (CSC) form a method that combines serious game techniques with cybersecurity and secure coding guidelines to raise secure coding awareness of software developers in the industry. These cybersecurity awareness events have been used with success in industrial environments. However, until now, these coached events took place on-site. In the present work, we briefly introduce cybersecurity challenges and propose a novel platform that allows these events to take place online. The introduced cybersecurity awareness platform, which the authors call Sifu, performs automatic assessment of challenges in compliance to secure coding guidelines, and uses an artificial intelligence method to provide players with solution-guiding hints. Furthermore, due to its characteristics, the Sifu platform allows for remote (online) learning, in times of social distancing. The CyberSecurity Challenges events based on the Sifu platform were evaluated during four online real-life CSC events. We report on three surveys showing that the Sifu platform’s CSC events are adequate to raise industry software developers awareness on secure coding. Keywords: Cybersecurity, Awareness, Training, Artificial intelligence, Serious games, Secure coding, Static application security testing, Capture-the-flag, Software development in industry Introduction was uncovered attacking the petrochemical industry in Over the last years, several attacks that target indus- Saudi Arabia. The industry’s financial impact due to these trial control systems and cyberphysical systems have been and other forms of malware has already exceeded 10 identified. In 2010 Stuxnet, which attacks Programmable billion USD and affected more than 140 countries (Apex- Logic Controllers, was uncovered; in 2014, the Havex mal- techservices 2017). ware, a Remote Access Trojan that contains code targeting The Industrial Control System - Computer Emergency industrial devices communicating over Open Platform Response Team (ICS-CERT (Department of Homeland Communications, was discovered. In the same year, Black- Security 2020a)) has been tasked with issuing ICS-specific Energy V3 attacked the Ukrainian power grid and energy alerts and advisories. Industrial Control Systems (ICS) distribution. More recently, in 2017, the Triton malware, alerts are information put out by the ICS-CERT with which was coined “the world’s most murderous malware”, the intention to provide timely notification to critical infrastructure owners and operators concerning threats or *Correspondence: [email protected] activity with the potential to impact critical infrastructure 1Siemens AG Corporate Technology, Otto-Hahn-Rin 6, 81379 Munich, Bavaria, computing networks.Figure1)showsthenumberofICS Germany alerts and advisories issued per year by the ICS-CERT. Full list of author information is available at the end of the article © The Author(s). 2020 Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/. Espinha Gasiba et al. Cybersecurity (2020) 3:24 Page 2 of 23 Fig. 1 ICS-CERT Over the last decade, the number of security advisories Addressing code defects during software development issued per year has been steadily growing. Before 2014 According to Mead et al. (2004), addressing security less than 100 advisories per year have been issued, while vulnerabilities in source code early in the software from 2017 to 2019 more than 200 advisories per year development life-cycle can save many costs. Their work have been issued. These numbers of security advisories presents an empirical model that shows the incurred correlate well with the observed increase in the number costs of fixing software vulnerabilities at the following and sophistication of cyber-attacks to industrial control phases: requirements engineering, architecture, design, systems. implementation, testing, deployment, and operations. According to an estimation by the United States Depart- The validity of this model is corroborated by Black (2004), ment of Homeland Security (DHS), about 90% of the which describes how addressing software defects early in reported security incidents result from exploits against the software development stages (in particular, by early defects in the design or code of software (Department of involvement of the software testing team) can also lead to Homeland Security 2020b). Related to this, a recent large- cost savings. scalestudybyPatelelal.2020 has shown that more than In an industrial setting, due to the requirements 50% of software developers cannot spot vulnerabilities in imposed by standards (e.g. ISO27k 2013, IEC 62443 2018, source code (Schneier 2020). These two factors consid- PCI/DSS 2015, BSI5.21 2014), the requirements engineer- ered together mean that: 1) special care must be exer- ing, architecture and design phases are typically well cov- cised during software development, software developers, ered. The compliance to these standards is checked during and 2) software developers lack awareness about secure industry audits. Recent data (Department of Homeland coding. Security 2020b;Patel2020), however, suggests that soft- Exploitation of low quality software can result in severe ware defects (and vulnerabilities) are being introduced consequences for both customers, companies that pro- when the software is being developed - by software devel- duce the software (or product), and even unrelated third opers - in the implementation stage. In this early software parties. The negative consequences are especially acute development stage, we would like to address the software when the vulnerable software is deployed in critical infras- implementation stage in our work. tructures. In this scenario, the negative consequences can One possible method that can be used to reduce the range from monetary losses to loss-of-life. number of introduced software vulnerabilities is Static The work present aims to improve the current situ- Application Security Testing Tools (SAST) at the software ation utilizing a serious game -that we coined Cyber- implementation stage. However, these have been shown to Security Challenges (CSC)- designed to raise awareness not perform well in detecting security vulnerabilities in the on secure coding, secure coding guidelines, and software source code (Goseva-Popstojanova and Perhinschi 2015), development best practices of software developers in the and consequently, additional mechanisms must be used. industry. This work also presents the Sifu platform, a In our work, we concentrate on the human factor, the soft- software tool developed to implement the CSC serious ware developer, since the software developer ultimately game. writes the software by hand. Espinha Gasiba et al. Cybersecurity (2020) 3:24 Page 3 of 23 For the implementation, there is a vast number of pos- to address a specific need such as learning or improv- sible programming languages. We have decided to focus ing a given skill. Serious games are a well-established our work on the C and C++ programming languages. instrument in information security. They are discussed Our motivation to choose this programming language is in de-facto standards as in the German Federal Office twofold: 1) because this programming language is being for Information Security - IT Baseline Protection (BSI actively (and highly) used in the industry where the first Grundschutzkatalog) (Bundesamt für Sicherheit in der author works as a consultant and 2) a recent study by Informationstechnik 2019; Bundesamt für Sicherheit in WhiteSource (2019) shown that C and C++ are among der Informationstechnik 2020)asameantoraiseIT the most vulnerable programming languages in terms of security awareness and increase the overall level of IT cybersecurity vulnerabilities. security. A Capture-the-Flag (CTF) game is one possible instance Industrial standards and guidelines of a serious game. CTF games were initially developed in In recognition of the importance of secure products and the penetration testing community and are mostly used by a consequence