DOCSLIB.ORG

Improving PKI Solution Analysis in Case of CA Compromisation

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Improving PKI Solution Analysis in Case of CA Compromisation Master Game and Media Technology Improving PKI Solution analysis in case of CA compromisation Samira Zaker Soltani January 2013 Utrecht University Faculty Computer Science Deloitte Nederland Deloitte Risk Services Supervisors: Gerard Tel - Univeristy Utrecht Henk Marsman - Deloitte Nederland To my mother, for she is the reason. Abstract Creating a secure connection on the Internet is made possible through the usage of certificates, binding an entity to its public key. These certificates can be issued by any of the Certificate Authorities (CA), where each CA has the same privileges. During the last year, we have seen many CA compromises, resulting into the issuance of fraudulent certificates. Fraudulent certificates can be used, in combination with the man-in-the-middle attack, to eavesdrop the communications of Internet users. This research focuses on solutions that can remove or limit the impact of a CA com- promisation and provides a description and analysis of each solution. The solutions have been chosen through interviews and literature. Among the discussed solutions are Public Key Pinning, Sovereign Keys, Certificate Transparency, Perspectives & Convergence, DANE, and MCS. In order to identify each solution’s advantages and disadvantages, we have created a metric of aspects. The aspects have been categorized into security, usability, and costs. The focus of this research has been on security, since that is the aspect in Public Key Infrastructure we are trying to solve. The results indicate that Certificate Transparency and DANE are the most promis- ing solutions for limiting the risks of a compromised CA. Further research will be needed to complete each solution, since both solutions are not yet ready for deploy- ment. v Preface This document presents my master thesis for Game and Media Technology at the Utrecht University. The research and work was done between July 2012 and Jan- uary 2013 at the Security & Privacy team of Deloitte Nederland in Amstelveen. My supervisors were Henk Marsman from Deloitte Nederland and Gerard Tel from Utrecht University. Acknowledgment I am grateful to Gerard Tel for his guidance during this master thesis, the inspir- ing discussions, encouragements, and for giving me the freedom to take this project into the direction that I found most interesting. I would also like to express my sincere appreciations to Henk Marsman for his extensive vision, great wisdom, and for helping me to better structure my master thesis. I would also like to thank the interviewees, who helped me to develop the indispensable information that was needed for this research. Without the interviewees, this master thesis would not have been the same. Finally, I would like to thank my colleges for the enlightening discussions, remarks, and for the overall atmosphere that made my stay at Deloitte very pleasant and enjoyable. Samira Zaker Soltani vii Contents Abstract v Acknowledgments vii 1. Introduction 1 1.1. Motivation . .3 1.1.1. DigiNotar . .4 1.2. Goal . .6 1.2.1. Research questions . .6 1.2.2. Research restrictions . .7 1.3. Approach . .7 1.3.1. Solution aspects . .7 2. Public Key Infrastructure 11 2.1. Overview . 11 2.2. Cryptography . 11 2.2.1. Symmetric key cryptography . 12 2.2.2. Public key cryptography . 12 2.3. Public Key Infrastructure . 16 2.4. Certificates . 18 2.4.1. X.509 . 18 2.4.2. Certificate Validation . 20 2.4.3. Certification Path . 22 2.5. Certificate Authority (CA) . 23 2.5.1. Cross-domain certification . 24 2.6. PKI weaknesses . 24 2.6.1. Audit reports . 25 2.6.2. Automatic processes . 26 2.6.3. Trust anchor . 26 2.6.4. Trust in CAs . 27 2.6.5. The weakest link . 27 2.6.6. Competition between CAs . 28 3. Companies and certificates 29 3.1. Risks of certificates . 30 ix 3.2. Measurements . 31 3.2.1. Prevent . 31 3.2.2. Detect . 32 3.2.3. Limit . 32 3.2.4. Correct . 32 4. Game companies 35 4.1. Cheating classification . 36 4.2. Possible solutions . 37 4.2.1. Game level solutions . 37 4.2.2. Application level solutions . 38 4.2.3. Protocol level solutions . 40 4.2.4. Infrastructure level solutions . 41 4.3. Games & PKI . 41 4.3.1. Authenticator: How does it work? . 42 5. Possible PKI solutions 43 5.1. Overview . 43 5.2. Public Key Pinning . 45 5.2.1. Analysis . 46 5.2.2. Solution aspects . 47 5.3. Perspectives & Convergence . 49 5.3.1. Analysis . 52 5.3.2. Solution aspects . 54 5.4. Sovereign Keys . 55 5.4.1. Analysis . 58 5.4.2. Solution aspects . 60 5.5. Certificate Transparency (CT) . 62 5.5.1. Analysis . 64 5.5.2. Solution aspects . 65 5.6. DNS-based Authentication of Named Entities (DANE) . 67 5.6.1. Analysis . 71 5.6.2. Solution aspects . 72 5.7. Multiple Certificate Signatures (MCS) . 74 5.7.1. Solution aspects . 76 6. Conclusion 79 A. Appendix: Interviews 83 A.1. Roland van Rijswijk and Gijs van den Broek - SURFnet . 83 A.1.1. Introduction ................................... 83 A.1.2. Current PKI model . 85 A.1.3. DNSsec . 86 x A.2. Program Manager Information Security - Governmental organization 89 A.3. Cooperative Information Security Officer - The Company . 91 A.3.1. Possible solutions to PKI . 92 A.4. Dr. Benne de Weger - University Eindhoven . 93 A.4.1. Solutions . 94 A.5. Pablo Valcárcel and Tanausú Cerdeña Hernández - Geosophic . 95 A.6. Co-founder - Game company . 97 A.7. Game hacker . 98 A.7.1. Possible security solutions and their drawbacks . 99 A.7.2. How do you perform reverse engineering . 101 A.7.3. Certificates . 101 A.8. Game developer - Game company . 101 A.8.1. Security Issues . 102 A.8.2. Banning cheaters . 103 A.8.3. Platforms . 104 A.8.4. Which data would be put in the cloud, if this was possible? . 104 Bibliography 105 xi 1. Introduction Internet security has become more and more important since the Internet started changing our world and E-commerce became a part of our business and personal life. In the late 90’s, Public Key Infrastructures (PKIs) were widely recognized as an essential ingredient to provide secure electronic communications and transactions in open environments [FB00, FW98]. The most important goal of PKI is to secure the communication between parties in an insecure public network, such as the Internet, and make sure the parties communicate with the parties they think they are communicating with. In the last year, however, PKI has shown not to be as bullet proof as we hoped it would be. PKI works through the use of certificates, which can be thought of as digital pass- ports. These digital passports are issued by Certificate Authorities (CAs) to various parties. A certificate guarantees a party’s identity, allowing the party to identify itself towards users on the Internet. Users can validate the certificate authenticity by checking if the certificate has been issued by a trusted CA. Once the certificate has been validated, the user can start communicating with the party corresponding to the certificate. If a CA is not trusted by the user, they can refuse to start a communication with the party presenting the certificate. To not burden users with the choice between the approximately 600 CA organizations in the world, this choice is performed by the user’s browser and operating system software. Most users will never change these settings and keep trusting the default set of CAs [Lan11f]. PKI has a design weakness though, granting all CAs to issue certificates for any domain, which will be accepted by users trusting the CA. Compromised, but still trusted CAs, can issue certificates for any domain and use these certificates to de- ceive users into thinking the certificates are from the righteous party. This means that when a by browsers trusted CA is compromised, many users will trust the fraudulently issued certificates. This weakness was shown in practice when DigiNotar, a trusted CA, was com- promised and used to issue fraudulent certificates for domains such as Google and Yahoo! in 2011. Using these certificates, the attackers could, for example, pretend to be a legitimate website, where visitors would submit their credentials such as username and password, as the presented certificates seemed valid. Although the chance of a CA compromisation was thought to be very little, after some trusted CAs were compromised in 2011, with the most important incident being the DigiNotar compromisation in July 2011 [Dig12], it became clear that this 1 Chapter 1 Introduction was not the case. The incidents revealed some interesting problems in PKI, regard- ing trust anchor management, the dependency of the complete Internet PKI on the weakest trusted CA, the lack of preparation at companies when a CA compromisa- tion occurs and many more weaknesses. Of course, if the compromised CA would be detected immediately, there would be little to no problem, depending on the time frame. However, if we take DigiNotar as an example, we can see it took a couple of months before the trust in DigiNotar was revoked by all browser and operating system vendors, giving the hacker enough time to use the fraudulently issued certificates. The only thing we know for sure, regarding the DigiNotar incident, is that the OCSP requests were mostly from Iran [Pri11]. OCSP is an Internet protocol used to obtain the status of a certificate. When users want to know the status of a certificate, they can send an OCSP re- quest to the corresponding CA. The CA will then answer whether the certificate is still valid or not. In the case of DigiNotar, they were able to revoke most of the fraudulently issued certificates.
Load more

Recommended publications
  • Business Analytics
    SPRING 2017 Business Analytics Meeting the need for talent. PAGE 4 VIRGINIA TECH BUSINESS is published twice a year by: RANKINGS Pamplin College of Business, Virginia Tech No. 2 1030 Pamplin Hall (0209) U.S. 880 West Campus Drive Blacksburg, VA 24061 540-231-6601 No. 2 No. 7 No. 6 World www.pamplin.vt.edu Master of Evening Hospitality and Address changes: [email protected] Information Technology MBA Tourism Management Editorial inquiries and story suggestions: [email protected] U.S. News & World Report QS Top Universities In this magazine, alumni, with some exceptions, are DONNIE GRAY identified by degree and the year it was received. VIRGINIA TECH’S EVENING MBA ranking in U.S. News & World Report has improved DEAN to No. 7 among the nation’s part-time Robert T. Sumichrast MBA programs, according to the 2018 EDITOR survey released in March. It was ranked Sookhan Ho No. 16 for the previous two years. Offered DESIGN by the Pamplin College of Business, the Uncork-it, Inc. Evening MBA program serves aspiring FEATURE WRITERS business leaders in the Washington, D.C., Sookhan Ho, Dan Radmacher area with classes taught at the Northern PHOTOGRAPHERS Virginia Center, and has seen significant STUDENTS such as Mala Lal balance work, Christina O’Connor, Jim Stroup, Logan Wallace, growth in recent years. study, and family in the highly ranked Evening Oliver Meredith MBA program. ALUMNI INFORMATION Gina French, Bonnie Gilbert DISTRIBUTION MANAGER Jodi Jennings Charles Schwab Financial Planning Suite ABOUT enhances learning for business students Virginia Tech’s nationally ranked Pamplin College of JIM STROUP Business offers undergraduate and graduate programs in accounting and information systems, business information technology, economics, finance, hospitality and tourism management, management, and market- ing.
    [Show full text]
  • Technical Education Landscape in the UAE: Qualifications & Opportunities
    Technical Education Landscape in the UAE: Qualifications & Opportunities GLOBAL INNOVATIONS 2013 – DOHA, QATAR Sajida H. Shroff, April 2013 Agenda • Executive Summary • UAE Parameters for Technical Education • Current Status of TECH Education in the UAE • Enrollment Growth in Vocational/Technical/Career Track Education in the UAE • UAE’s Regulatory Landscape • Proposed and (sample) Private Qualifications Frameworks in the UAE • Current Career Track Training Options in the UAE • Public and Private Providers • Gaps and Potential Programmes • Next Steps • Potential Impact • Appendices: Sources Technical Education Landscape in the UAE- updated 04Apr13 2 Executive Summary The Technical (TECH) Landscape Study identifies the current status, prospects and challenges related to the expansion of TECH offerings in Dubai • There is a need for expanded Vocational/Technical Educational Programmes in Dubai to serve the UAE and the Region • Programmes would primarily serve the Expatriate population as there is sufficient capacity for the National population • The key target market is high school graduates from the UAE and the Region who DON’T/CAN’T go to university • To mitigate the identified skills gap, the focus of VTECH Education in the UAE needs to be on ‘white collar’ “career track opportunities” • In order for these career track programmes to have credibility, a qualifications framework aligned with global best practices and enabling transferability of qualifications is necessary • Due to the negative perception surrounding Vocational/Technical Education in this region as well as current labor market practices (i.e. importing blue collar workers) – VTECH Education needs to be repositioned in the UAE Technical Education Landscape in the UAE- updated 04Apr13 3 UAE’s parameters for Technical Education & Training (TECH) have to take into account regional nuances so they should be different from the global understanding; i.e.
    [Show full text]
  • The Deloitte Global 2021 Millennial and Gen Z Survey
    A call for accountability and action T HE D ELO IT T E GLOB A L 2021 M IL LE N N IA L AND GEN Z SUR V E Y 1 Contents 01 06 11 INTRODUCTION CHAPTER 1 CHAPTER 2 Impact of the COVID-19 The effect on mental health pandemic on daily life 15 27 33 CHAPTER 3 CHAPTER 4 CONCLUSION How the past year influenced Driven to act millennials’ and Gen Zs’ world outlooks 2 Introduction Millennials and Generation Zs came of age at the same time that online platforms and social media gave them the ability and power to share their opinions, influence distant people and institutions, and question authority in new ways. These forces have shaped their worldviews, values, and behaviors. Digital natives’ ability to connect, convene, and create disruption via their keyboards and smartphones has had global impact. From #MeToo to Black Lives Matter, from convening marches on climate change to the Arab Spring, from demanding eco-friendly products to challenging stakeholder capitalism, these generations are compelling real change in society and business. The lockdowns resulting from the COVID-19 pandemic curtailed millennials’ and Gen Zs’ activities but not their drive or their desire to be heard. In fact, the 2021 Deloitte Global Millennial Survey suggests that the pandemic, extreme climate events, and a charged sociopolitical atmosphere may have reinforced people’s passions and given them oxygen. 01 Urging accountability Last year’s report1 reflected the results of two Of course, that’s a generality—no group of people is surveys—one taken just before the pandemic and a homogeneous.
    [Show full text]
  • Episode 230: Click Here to Kill Everybody
    Episode 230: Click Here to Kill Everybody Stewart Baker: [00:00:03] Welcome to Episode 230 of The Cyberlaw Podcast brought to you by Steptoe & Johnson. We are back and full of energy. Thank you for joining us. We're lawyers talking about technology, security, privacy, and government. And if you want me to talk about hiking through the rain forest of Costa Rica and just how tough my six-year-old granddaughter is, I'm glad to do that too. But today I'm joined by our guest interviewee Bruce Schneier, an internationally renowned technologist, privacy and security guru, and the author of the new book, Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World. We'll be talking to him shortly. For the News Roundup, we have Jamil Jaffer, who's the founder of the estimable and ever-growing National Security Institute. He's also an adjunct professor at George Mason University. Welcome, Jamil. Jamil Jaffer: [00:00:57] Thanks, Stewart. Good to be here. Stewart Baker: [00:00:58] And David Kris, formerly the assistant attorney general in charge of the Justice Department's National Security Division. David, welcome. David Kris: [00:01:07] Thank, you. Good to be here. Stewart Baker: [00:01:08] And he is with his partner in their latest venture, Nate Jones, veteran of the Justice Department, the National Security Council, and Microsoft where he was an assistant general counsel. Nate, welcome. Nate Jones: [00:01:23] Thank you. Stewart Baker: [00:01:25] I'm Stewart Baker, formerly with the NSA and DHS and the host of today's program.
    [Show full text]
  • Core Renaissance: Revitalising the Heart of IT
    ChapterUK extractEdition Core renaissance Revitalising the heart of IT Tech Trends 2015: The fusion of business and IT B Core renaissance Core renaissance Revitalising the heart of IT Organisations have significant investments in their core systems, both built and bought. Beyond running the heart of the business, these assets can form the foundation for growth and new service development – building upon standardised data and automated business processes. To this end, many organisations are modernising systems to pay down technical debt, replatforming solutions to remove barriers to scale and performance, and extending their legacy infrastructures to fuel innovative new services and offerings. NVESTING in technologies that support Leading organisations are building a Ithe heart of the business has been IT’s roadmap for a renaissance of their core – emphasis since its earliest days – policy focussed not on painting their legacy as the administration, claims management, and “dark ages,” but on revitalising the heart of billing in insurance; order management, their IT and business footprint. resource planning and manufacturing for consumer and industrial products; Business first inventory management, pricing and Amid continuously evolving business distribution for retail; and universal needs pressures and technology trends, several such as finance and human resources. questions arise: How will the core hold up? Core systems drive process and data (Consider, first, the business angle.) How automation, standardisation and intelligence well do existing solutions meet today’s – and represent decades of investment needs? (Consider not just functional in buying packages, building custom completeness, but increasingly relevant solutions and integrating an increasingly dimensions like usability, analytics insights hybrid environment.
    [Show full text]
  • A Roadmap to Initial Public Offerings
    A Roadmap to Initial Public Offerings 2019 The FASB Accounting Standards Codification® material is copyrighted by the Financial Accounting Foundation, 401 Merritt 7, PO Box 5116, Norwalk, CT 06856-5116, and is reproduced with permission. This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. As used in this document, “Deloitte” means Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Tax LLP, and Deloitte Financial Advisory Services LLP, which are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting. Copyright © 2019 Deloitte Development LLC. All rights reserved. Other Publications in Deloitte’s Roadmap Series Business Combinations Business Combinations — SEC Reporting Considerations Carve-Out Transactions Consolidation — Identifying a Controlling Financial Interest Contracts on an Entity’s Own Equity
    [Show full text]
  • 858003 Getting Unstuck Working As One in Government
    Getting Unstuck How to work As One in government A GovLab study About GovLab Deloitte’s GovLab works closely with senior government executives and thought leaders from across the globe. As GovLab Fellows, we conduct research into key issues and emerging ideas shaping the public, private and non-profit sectors. Through exploration and analysis of government’s most pressing challenges, we seek to develop innovative yet practical ways that governments can transform the way they deliver their services and prepare for the challenges ahead. As used in this document, “Deloitte” means Deloitte Consulting LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. Contents 1 Executive summary 2 Why does government need As One thinking? 4 A new approach 8 Getting unstuck: Seeing through the As One lens 21 Putting As One to work: Interventions 23 Broaden perspectives with social media monitoring 24 Conclusion Executive summary Why do some transformative government initiatives tools at their disposal to answer those questions, they can succeed on a grand scale while others fail? The answer antici pate challenges and address them before they grow lies in the abilities of agencies to translate individual into crippling obstacles. actions into collective power. Getting big things done in government requires employees and organizational The identity of a government organization, its commitment partners to commit to a single set of objectives. Working to an initiative’s objectives, and the way its employees cultures should match what needs to be done.
    [Show full text]
  • The Changing Face of Cyber-Attacks: Understanding and Preventing Both External and Insider Security Breaches
    WHITE PAPER | June 2013 The Changing Face of Cyber-Attacks: Understanding and preventing both external and insider security breaches Russell Miller CA Security Management PROTECT AGAINST INSIDER THREATS AND EXTERNAL ATTACKS Table of Contents Executive Summary 3 Section 1: Challenge 4 External Cyber-Threats are Changing Rapidly Section 2: Opportunity 7 Where Organizations Fall Short Section 3: 12 Conclusions Section 4: 12 Refernces Section 5: 13 About the Author 2 PROTECT AGAINST INSIDER THREATS AND EXTERNAL ATTACKS Executive Summary Total number of records containing Challenge sensitive personal Techniques to attack computer networks are never static. Methods and tools evolve, as do the information attackers themselves. The attacker landscape from a few years ago—where individuals or small involved in groups attacked organizations for fun and profit—no longer exists. The environment is much more security breaches complex today. Semi-organized “Hacktivist” groups, such as Anonymous and LulzSec, attempt to in the U.S. is cause damage for causes they find worthwhile. Even state-sponsored actors are becoming prominent, 607,611,003 bringing dramatically expanded resources to bear. Advanced Persistent Threats (APTs) are perhaps not in 3,716 data new, but have come to the forefront of cyber-security awareness as a result of these changes. Insider breaches between threats are also ever more complex, with the potential for damage increasing due to rapidly January 2005 expanding stores of sensitive information and highly-dynamic and virtualized IT environments. and April 2013. – A Chronology of Data Breaches, Privacy Rights Clearinghouse Opportunity Fortunately, an organization’s toolbox to defend against security breaches is more complete than ever.
    [Show full text]
  • Information Security Survey
    Central Asian Information Security Survey Results (2014) Insight into the information security maturity of organisations, with a focus on cyber security Introduction and Executive summary From September to November 2014 Deloitte performed its first “information security Executive summary survey” in Central Asia to better understand the current state of information security The survey identified the five most relevant conclusions on the current state of programmes and governance structures at organisations in the region. The survey information security programmes (cyber security) in Central Asia, as follows: covers various industries and addresses how organisations view, formulate, implement and maintain their information security programmes. 1. Majority of companies have not been exposed to cybersecurity incidents. The 39 survey questions covered the following areas: 2. Information security policies, procedures and responsibilities are mostly in place and defined. 1. organisational information 3. Insufficient controls to ensure third parties, (i.e. vendors / partners), comply with 2. information security attacks and threats appropriate security standards. 3. information security data and technologies and 4. Awareness of business (senior) management and end-user around 4. monitoring and reaction to identified security threats cybersecurity risks is insufficient. The survey focused on cyber security risks and to that end we approached 5. Though basic security measures are in place, more advanced solutions are approximately 100 companies to fill in the online survey questionnaire. uncommon. We stipulate that we present the survey results without making a distinction by Later in this report we provide more detailed insight on survey findings. industry or organisation size and that the results are ‘anonymous’ to avoid making reference to individual organisations.
    [Show full text]
  • SONY Pictures Entertainment - Hack of the Century 1
    SONY Pictures Entertainment - Hack of the Century 1 SONY Pictures Entertainment - Hack of the Century SONY Pictures Entertainment - Hack of the Century 2 Submitted to the 2016 Arthur Page Society Case Study Competition Table of Contents Executive Summary ............................................................................................................................................... 3 Hacking Overview ................................................................................................................................................. 3 Guardians of Peace ........................................................................................................................................... 3 The Interview .................................................................................................................................................... 4 Sony Inc. ................................................................................................................................................................ 4 Sony Background .............................................................................................................................................. 4 Sony Pictures Entertainment ............................................................................................................................ 4 Sony Pictures Entertainment Market ................................................................................................................... 5 Market and Industry Analysis
    [Show full text]
  • An Integrated Approach to Combat Cyber Risk Securing Industrial Operations in Ming February 2019
    An integrated approach to combat cyber risk | Foreword An integrated approach to combat cyber risk Securing industrial operations in ming February 2019 01 An integrated approach to combat cyber risk | Foreword Introduction Foreword 3 Introduction 4 Understanding the risks 7 Conduct a maturity assessment 10 Build a unified programme 13 Implement key controls 15 Embrace good governance 17 Expand the conversation 18 Conclusion 19 Contacts 20 End Notes 21 02 An integrated approach to combat cyber risk | Foreword Foreword Although numerous consumer The combination of greater companies have been thrust into connectivity and proliferating the spotlight due to data threat vectors has already breaches, the alarm bell has been resulted in cyber-attacks that slow to sound within the mining have compromised both sector. For years, mining production and safety. organisations largely had a false sense of security, believing they These attacks have made cyber could operate under the radar of security a hot discussion topic cyber criminals who had more within boardrooms around the lucrative targets to pursue. Why globe and now a growing number would malicious actors hack a of organisations are developing mining operation when they could transformation programmes to attack a consumer organisation address these new operational that moves financial data? Today, threats. that reasoning has become as faulty as a patch on decades-old However, making operational software. processes secure, vigilant and resilient is a challenge. For The mining industry is moving example, deploying the into its next stage of evolution, organisation’s existing cyber which is sometimes referred to as capabilities within the operations “intelligent mining.” As detailed in environment requires the recent Deloitte report, harmonising two cultures, which Intelligent Mining: Delivering real is challenging.
    [Show full text]
  • A Meta-Study on the Key Issues for Organisations to Implement Cyber
    INSTITUTE OF SECURITY AND GLOBAL AFFAIRS FACULTY OF GOVERNANCE AND GLOBAL AFFAIRS – LEIDEN UNIVERSITY MASTER THESIS CRISIS AND SECURITY MANAGEMENT Cyber resilience in organisations A meta-study on the key issues for organisations to draft a cyber resilience policy Program: Master Crisis and Security Management Student: Meret Keeris Student number: 2106183 Date of submission: 13 January 2019 Subject: Cyber resilience in organisations Word count: 19954 Thesis Supervisor: Dr. E. de Busser Second Reader: Dr.ir. V. Niculescu-Dinca Cyber resilience in organisations Master Thesis Meret Keeris Contents 1. Introduction ............................................................................................................................ 3 2. Context ................................................................................................................................... 5 2.1 Current frameworks .......................................................................................................... 5 2.2 Need for research ............................................................................................................. 6 3. Methods .................................................................................................................................. 7 3.1 Literature review .............................................................................................................. 7 3.2 Case studies .....................................................................................................................
    [Show full text]