Security Management: Risks, Policies, Laws and Ethics
2017 GenCyber Camp

Fengjun Li, Associate Professor
The University of Kansas, Lawrence, KS, USA
[email protected]; http://www.ittc.ku.edu/~fli

Cyber Attack Sophistication

Why Security Management?
§ Observations:
  § Technical solutions are available – but NOT always correctly adopted
  § Humans are the weakest link in information security
  § Simple techniques and simple controls have turned out to be very effective

“Information security in the modern organization is a management problem, and not one that technology alone can answer.”

-- [Management of Information Security by M. Whitman and J. Mattord]

Principles of Info Security Management
§ Six P’s:
  1. Planning
  2. Policy
  3. Programs
  4. Protection
  5. People
  6. Project management

§ Planning
  § Policy planning
  § Incident response planning
  § Disaster recovery planning
  § Business continuity planning
  § Risk management planning
  § Technology rollout planning
  § Personnel planning
  § Security program planning
  § …

§ Policy
  § Enterprise information security policy (EISP)
  § Issue-specific security policy (ISSP)
    • Password policy
    • Remote access policy
  § System-specific policies (SysSPs)
    • Policy for the payroll system

§ Programs
  § Physical security program
  § Security education and training program
  § Risk analysis and management program
  § …

Risk Management
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

-- [Sun Tzu, The Art of War]

§ Risk management is all about:
  (1) knowing yourself
  (2) knowing the enemy

Knowing Yourself
§ Asset Assessment
  § “The organization should be in a position to understand what information assets it holds, and to manage their security appropriately.” [ISO17799]
  § Identify your assets
    § ICMP discovery, TCP/UDP port discovery
    § nmap -sV -O -p 1-65535 <ip range>
    § OpenVAS
    § Nessus

Knowing Yourself
§ Asset Assessment
  § Maintain an inventory of information assets
    § IP address of the asset
    § MAC address of the asset
    § DNS/NetBIOS name of the asset
    § Operating system of the asset
    § Listening services on the asset
    § Physical location of the asset
    § Owner of the asset
    § Classification of the asset

Knowing Yourself
§ Asset Assessment
  § Classify assets according to sensitivity to loss or disclosure, access rights, …
  § Assign a relative value to each asset and rank them

Example: IoT-enabled automated travel system

ID  Asset                                                   Owner                                  Value  Impact area (Safety / Efficiency / Social)
A1  Automated reservation, check-in and boarding procedure  Airport, airlines, citizens            4      2 / 4 / 2
A2  Electronic visa issuing process                         State, citizens                        4      2 / 4 / 3
A3  Luggage and goods handling                              Airlines, airport                      3      2 / 3 / 2
A4  Automated traffic management                            Airport, state, commercial operators   4      2 / 3 / 1

Knowing the Enemy
§ Threat Assessment
  § 12 Common Threat Categories in Information Security (figure)

Knowing the Enemy
§ Threat Assessment
  § Determine if an adversary has
    § intent and capability to cause an attack, and
    § a history of successful attacks against identified assets

Example: IoT-enabled automated travel system

ID  Threat                                                            Threat agent                                                                          TA motivation  TA capacity          Value
T1  Denial of service attack / flood / buffer overflow                Vandals / terrorists / corporate raiders / professional criminals / hackers / rogue   Medium         Varies, low to high  3
T2  Spoofing of credentials / bypass authentication                   Corporate raiders / professional criminals / hackers                                  Medium         High                 4
T3  Large-scale and/or inappropriate data mining and/or surveillance  Marketing companies, online service providers, malicious attackers                    High           Very high            5
T4  Traffic analysis / scan / probe                                   Corporate raiders / professional criminals / hackers                                  Medium         High                 3
T5  Man-in-the-middle attack                                          Hacker                                                                                High           H/M/L                3

Knowing Yourself
§ Vulnerability Assessment
  § A security survey
    § Poor access control
    § Lack of stringent software/service
  § Study the assets and ask questions: “if I were a hacker, I would break into this by …”

Example: IoT-enabled automated travel system

ID  Vulnerability description                                                                            Exposure  Severity  Value
V1  Inappropriate design of procedures                                                                   3         5         3
V2  Lack of back-up / failover procedures                                                                3         3         2
V3  Lack of or low user awareness and/or training in procedures, use of devices, security aspects etc.  2         4         2

Network Vulnerability Assessment
§ 1st Step: information gathering
  § DNS lookup for 108.177.112.99 (screenshot)
  § Host discovery: nmap -sP <ip range> (ping scan; the option is spelled -sn in current Nmap releases)

§ 2nd Step: Enumeration
  § nmap -sV <target> for service and version detection
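The inventory fields listed under Asset Assessment above (IP, MAC, DNS name, OS, listening services) are exactly what the nmap -sV -O run from the asset-identification slide and this enumeration step produce, so the two can be joined. The following is an added example written for this page; it is not code from the slides or from the Nmap project. It parses Nmap's XML output (the -oX option) with the Python standard library into inventory records, keeps only hosts that are up and ports that are open, and picks the highest-accuracy OS guess. The embedded XML is a constructed sample in Nmap's output schema, not a real scan; owner, physical location and classification cannot come from a scan and are left blank for a human to fill in.

```python
"""Turn nmap -sV -O XML output into asset-inventory records.

Added example for this page, not code from the original slides or from Nmap.
Assumes the scan was run as: nmap -sV -O -oX scan.xml <ip range>
"""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML schema (not a real scan). The third host is
# reported down, which Nmap emits in verbose mode and which we must skip.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.8/29">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Example"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.32" accuracy="88"/><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2012" accuracy="90"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_inventory(xml_text):
    """Return one dict per live host with the inventory fields from the slides."""
    root = ET.fromstring(xml_text)
    inventory = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts are not assets we can enumerate
        rec = {"ip": None, "mac": None, "hostname": None, "os": None, "services": [],
               "location": "", "owner": "", "classification": ""}  # last three: filled by a human
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                rec["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":  # only present for same-subnet hosts
                rec["mac"] = addr.get("addr")
        hn = host.find("hostnames/hostname")
        if hn is not None:
            rec["hostname"] = hn.get("name")
        # -O may list several guesses; keep the one Nmap is most confident in.
        matches = host.findall("os/osmatch")
        if matches:
            rec["os"] = max(matches, key=lambda m: int(m.get("accuracy", "0"))).get("name")
        # Only open ports count as "listening services".
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            rec["services"].append((port.get("protocol"), int(port.get("portid")), name, product))
        inventory.append(rec)
    return inventory


def format_inventory(inventory):
    """One aligned line per asset, ready to paste into an inventory sheet."""
    lines = []
    for rec in inventory:
        svcs = ", ".join(f"{p}/{proto} {n} ({prod})" if prod else f"{p}/{proto} {n}"
                         for proto, p, n, prod in rec["services"])
        lines.append(f"{rec['ip'] or '-':<15} {rec['mac'] or '-':<17} "
                     f"{rec['hostname'] or '-':<22} {rec['os'] or '-':<30} {svcs}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_inventory(parse_inventory(SAMPLE_NMAP_XML)))
```

For a real run, feed the contents of scan.xml to parse_inventory(). Two practical caveats: -O needs raw-socket privileges (root or CAP_NET_RAW on Linux), and -sV's version probes can crash fragile embedded services, so scan production IoT assets in a maintenance window and start with -sn host discovery alone.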

Network Vulnerability Assessment
§ 3rd Step: Detection
  § Vulnerability scanners: OpenVAS, Nessus, OWASP ZAP
  § Example scan result (screenshot): 2 vulnerabilities with Medium severity (i.e., CVSS score 4.0-6.9)

Network Vulnerability Assessment
§ CVE: Common Vulnerabilities and Exposures
  § http://cve.mitre.org
  § An industry standard for vulnerability and exposure names
  § Maintains a list of publicly known cybersecurity vulnerabilities
§ CVSS: Common Vulnerability Scoring System
  § https://nvd.nist.gov/vuln-metrics/cvss
  § An industry standard for quantitatively measuring the characteristics and impacts of IT vulnerabilities
  § Also provides a calculator to
    § adjust the value of a vulnerability based on its characteristics
    § move the CVSS score up or down depending on the risk presented to your specific environment (temporal and environmental metrics)

Network Vulnerability Assessment
§ 3rd Step: Detection – an example finding, as described in its CVE entry (the “Sweet32” attack on 64-bit block ciphers):

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

Network Vulnerability Assessment
§ Baseline Scan
  § Create a baseline scan of assets
    § Scan without credentials – “hacker’s view”
    § Scan with credentials – comprehensive view
  § When to scan
    § When you want a point-in-time assessment of your system
    § When a new threat becomes evident – scan to verify whether your system is vulnerable
    § When a vendor releases a patch – scan to verify whether your system is patched

Risk Assessment
§ Risk is a function of assets, threats and vulnerabilities
  § What are the most likely vulnerabilities that the adversary will use to target the identified asset?
  § What is the likely effect if an identified asset is harmed by the unwanted event?
  § How likely is it that an adversary can and will attack the identified asset?

  Risk = Asset value × Vulnerability likelihood × Exposure factor

Risk Control
§ Risk Control Strategies
  § Defense
    § Applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability
  § Mitigation
    § Reducing the impact of the exploited vulnerability
  § Transferal
    § Shifting the risk to other areas or to outside entities
  § Acceptance
    § Understanding the consequences and accepting the risk without control or mitigation
  § Termination
    § Removing information assets from the operating environment

Risk Control
§ Risk defense is the most preferred approach
  § Removing vulnerabilities in assets
  § Countering threats
  § Adding protective safeguards
  § …
§ In general, it can be accomplished by:
  § Application of policy
  § Application of training and education
  § Implementation of technology

Policy
§ Policy is a set of rules that describes acceptable and unacceptable behavior within the organization.
  § The least expensive means of control
  § Important reference documents for internal audits
  § Must never conflict with law; must stand up in court if challenged
  § Must be properly implemented

Policy
§ ISSP provides detailed, targeted guidance for the use of specific technology-based resources
  § Use of e-mail, instant messaging (IM), …
  § Use of the Internet on company and personal time
  § Malware protection requirements
  § Use of non-organizationally issued software or hardware
  § Prohibitions against hacking or testing the organization’s security controls
  § Home use of company-owned computer equipment or removal of equipment from organizational property
  § Use of personal equipment on company networks
  § Use of telecommunications technologies (fax, phone, mobile phone)
  § Use of photocopying and scanning equipment

Policy
§ Policy components
  § Statement of purpose
  § Authorized uses
  § Prohibited uses
  § Systems management
  § Violations of policy
§ Policy distribution and verification

Industry-specific Regulation
§ Organizations that deal with critical and/or sensitive data should comply with industry standards and regulations.
§ For example,
  § Merchants and credit card service providers: the Payment Card Industry (PCI) standard
  § Hospitals and healthcare providers: the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  § Banks, insurance companies, and securities firms: the Gramm-Leach-Bliley Act (GLBA)

Industry-specific Regulation
§ Payment Card Industry Data Security Standard (PCI DSS)
  § Maintain an Information Security Policy
  § Protect Cardholder Data
    § Protect stored data; encrypt transmission across open, public networks
  § Implement Strong Access Control Measures
    § Restrict access to data; formal access control; physical security management
  § Build and Maintain a Secure Network
    § Install a firewall; do not use vendor defaults for passwords/parameters
  § Maintain a Vulnerability Management Program
    § Use and update anti-malware/antivirus programs; develop secure systems and applications
  § Regularly Monitor and Test Networks
    § Monitor, track and audit all access; test security systems

Industry-specific Regulation
§ Health Insurance Portability and Accountability Act
  § Regulates covered healthcare organizations for protection of electronic protected health information (ePHI)
    § Covered healthcare providers
    § Health plans and healthcare clearinghouses
  § Entities subject to HIPAA must appoint a security official to conduct a HIPAA risk assessment against
    § Administrative risks
    § Technical risks
    § Physical risks
  § There has been some enforcement activity

Industry-specific Regulation
§ Gramm-Leach-Bliley Act (GLBA) of 1999
  § Requires all financial institutions to create, implement and disclose policies to protect private information from foreseeable threats
  § Provides privacy protections against the sale of individuals’ private financial information
  § Two sets of regulations:
    § Interagency Guidelines (Treasury Dept.)
    § Safeguards Rule (Federal Trade Commission)

Computer Crime and Cyber Laws
§ Computer crime laws are generally ad hoc
  § Developed after some bad incident occurred
§ Computer crime
  § Interfering with the use of computers
    § Trespass into a computer system or database
    § Manipulation or theft of data
    § Sabotage of equipment and data
    § Extortion by threat to a computer system
  § Using computers to commit other crimes
    § Fraud
    § Harassment
    § Hate crimes
    § Promoting terrorism

Federal Computer Crime Laws
§ Computer Fraud and Abuse Act
  § Enacted by Congress in 1986; amended several times since
  § CFAA prohibits certain acts against “protected computers” that affect interstate commerce
  § “protected computer” means
    § A computer exclusively for the use of a financial institution, or the United States Government, …
    § A computer used in interstate or foreign commerce or communication
  § “prohibited acts” include
    § Unauthorized access to any department or agency of the US or any protected computer AND obtaining anything of value, causing loss, or use in fraud
    § Damaging a computer
    § Trafficking in passwords
    § Extortion

Federal Computer Crime Laws
§ Computer Fraud and Abuse Act
  § Example: AOL, Inc. v. LCGM, Inc. (11-10-1998)
    § LCGM ran a pornographic web site; it was an AOL customer and harvested email addresses from AOL chat rooms
    § LCGM spammed users through AOL (300,000 emails per day)
    § Bulk emails violate AOL’s Terms of Service
  § Under the CFAA,
    § LCGM’s use of AOL was unauthorized
    § LCGM obtained information (email addresses) and value (use of AOL mailing services)

Materials from MICHAEL I. SHAMOS @CMU

Federal Computer Crime Laws
§ Computer Fraud and Abuse Act
  § Example: Oracle v. SAP (N.D. Cal., 3-22-2007)
    § Oracle and SAP are huge competitors in Enterprise Resource Planning
    § Oracle customers had access to a restricted Oracle site to download technical information
    § SAP induced Oracle customers who were about to change over to SAP to reveal their passwords; using these passwords, SAP downloaded more than 10,000 documents from the Oracle site (traced to an IP address at SAP headquarters)
  § Alleged violations of the CFAA,
    § Obtaining information from a protected computer
    § With intent to defraud – accessing a protected computer and obtaining anything of value > $5K
    § Causing damage to a protected computer

Materials from MICHAEL I. SHAMOS @CMU

Federal Computer Crime Laws
§ Computer Fraud and Abuse Act
  § Example: PharMerica, Inc. v. Arledge (M.D. Fla. 3-21-2007)
    § PharMerica is a huge pharmaceutical company
    § Arledge was a top member of its management team
    § On March 9, 2007, Arledge resigned to become VP at Omnicare, PharMerica’s main competitor. Omnicare is three times the size of PharMerica. Two days before leaving, Arledge deleted 475 files from his hard drive. He copied the files to a USB drive and emailed them to his own AOL account.
  § Under the CFAA, “damage” means any impairment to the integrity or availability of data, a program, a system, or information (covers viruses, denial of service)
  § Arledge was authorized to use his own computer, but wasn’t authorized to delete company files – damaging the computer

Materials from MICHAEL I. SHAMOS @CMU

Federal Computer Crime Laws
§ Computer Fraud and Abuse Act of 1986 (CFAA)
  § Defines and formalizes laws to counter threats from computer-related acts and offenses
§ Electronic Communications Privacy Act of 1986 (ECPA)
  § Regulates interception and disclosure of electronic communications
§ Economic Espionage Act of 1996 (EEA)
  § Prevents abuse of information (trade secrets) gained while employed elsewhere
§ Child Pornography Prevention Act (CPPA)
  § Restricts child pornography on the Internet
§ Digital Millennium Copyright Act of 1998 (DMCA)
  § Provides specific penalties for removing copyright protection from media
§ Children's Online Privacy Protection Act (COPPA)
  § Provides requirements for online service providers and website operators to ensure the privacy of children under 13 is protected
§ USA PATRIOT Act
  § Combats terrorism-related activities
§ …

State Computer Crime Laws
§ Often versions of federal laws where interstate commerce is not involved
§ Specialized crimes
  § Computer trespass (Washington)
  § Spam (e.g. West Virginia)
  § Cyberstalking (Rhode Island)
  § “Deceiving a machine” (Alaska Stat. §11.46.985)
  § Tampering with an electronic voting machine (Texas)
  § Introduction of false data into a bank computer (Idaho)

Ethics
§ Computer ethics, which emerged in the 1980s, analyzes the moral responsibilities of computer professionals and computer users and the ethical issues of IT use.
§ Ethics is an objectively defined standard of “right” and “wrong”
  § Consequentialist approaches assume that actions are wrong to the extent that they have bad consequences
  § Deontological approaches assume that people have moral duties that exist independently of any good or bad consequences that their actions may have
§ How does computer security pose ethical issues?

Computer Security Ethics
§ Explore the relation between computer security and rights, harms and interests
  § Breaches of computer security may cause economic harm
  § Breaches of computer security may cause safety harm
  § Compromises of the confidentiality of information may cause harms and rights violations
    § Property rights such as IP
    § Privacy rights
  § Compromises of the availability of information may violate freedom rights

Ethical Issues in Computer Security
§ Hacking and Computer Crime
  § Hacking is the use of computer skills to gain unauthorized access to computer resources
  § Hacking vs. Cracking
    § What if hacking causes no real harm and instead has a positive impact?
      § E.g., improving systems and software by exposing security holes
      § E.g., freeing data to the benefit of all

Ethical Issues in Computer Security
§ Hacking and Computer Crime
  § CodeRed
    § Randomly scans the Internet from infected hosts looking for unpatched IIS web servers on port 80, infecting them through an IIS buffer overflow vulnerability
  § CodeGreen
    § Herbert HexXer posted to the mailing list on the Security Focus website about his Code Green worm release:
    § “... i have been developing a code, that should patch the isapi-filter buffer overflow vulnerability (the vulnerability CodeRed is exploiting) discovered by eEye (walk through the code for details).”

Des HexXer's CodeGreen V1.0 beta CodeGreen has entered your system it tried to patch your system and to remove CodeRedII's backdoors

Ethical Issues in Computer Security
§ Privacy and surveillance
  § Dataveillance: the large-scale, computerized collection and processing of personal data in order to monitor people’s actions and communications
  § Consumer surveillance: when corporations extend surveillance from the workplace to their customers
  § Internet privacy: cookies, spyware, tracking, profiling
  § Record merging/matching and data mining
  § Ubiquitous computing

Ethical Issues in Computer Security
§ Data collection/sharing plans should go beyond legal issues to consider:
  § De-identifying data (and the possibilities of re-identifying it) to protect individuals
  § Costs and benefits of limited disclosure versus unrestricted publication
  § How to enforce limited-disclosure agreements
    § e.g., compliance with privacy policies
§ It is essential to vet plans with IT and legal officials from the host organization