Situational Crime Prevention and the Mitigation of Cloud Computing Threats

Chaz Vidal
Supervisor: Raymond Choo


Agenda

• Introduction
• Cloud Computing
• Cybercrime and the Cloud
• Situational Crime Prevention
• SCP and Cybercrime
• Research Questions
• Conceptual Model
• Methodology
• Future Work


Introduction

• Cloud computing and services have emerged as a viable platform for the deployment of key computing resources.

• Security of the cloud computing platform is a primary challenge in the deployment and acceptance of cloud computing services.

• Attacks on cloud environments may be considered cybercrime, and situational crime prevention theories could be used to protect the cloud.


Cloud Computing

• Model for enabling network access to configurable computing resources quickly and with minimal interaction from service providers (Mell & Grance, NIST 2011)

• Different models
  • Software as a Service
  • Platform as a Service
  • Infrastructure as a Service

• Different delivery structures
  • Private
  • Public
  • Community
  • Hybrid

• Although Cloud Computing is ubiquitous, security is still a primary concern for those who choose to use it.


Cybercrime and the Cloud

• Cloud Technology Vulnerabilities exploited for criminal gain and compromising information security

• Virtual machine extraction of private information (Zhang et al. 2012)

• Utilizing Cloud Computing servers for DDoS attacks (Dawoud, Takouna & Meinel 2010)

• Storage of contraband or illegal material on cloud storage. (Choo 2010)

• Cybercrime as defined by the Australia Cybercrime Working Group (2013)

  • Crimes directed at networked technologies
  • Crimes where computers or ICT technologies are an integral part of an offence.


Cybercrime Growth

• Cybercrime incidents are estimated to cost $12M each. (Paganini 2013)

• Small and medium businesses are growing targets for cybercrime. (Hutchings 2013)

• These businesses are moving to cloud-based resources because of cost effectiveness, but criminals are expected to follow suit.

• The number of incidents of cybercrime against cloud services is set to rise. (Price Waterhouse Coopers 2014)

• Techniques based on traditional crime theories can be used to prevent or counteract cybercrime.


Situational Crime Prevention

• Crime science seeks to explain how crime transpires. (Hartel, Junger & Wieringa 2010)

• Different from criminology, which seeks to frame the crime in the context of criminals and their motivations.

• Prominent approach is Crime Opportunity Theory (Felson & Clarke 1998)

• Opportunity “plays a role in all crime”

• Aspects of Crime Opportunity Theory
  • Routine Activity
  • Crime Pattern
  • Rational Choice


• SCP Theory (Clarke, R 1997)
  • Directed at highly specific forms of crime
  • Management of the environment of crime
  • Makes crime less rewarding, more risky and less excusable for offenders

• Physical crime changes introduced
  • More lighting
  • Frequent policing/monitoring
  • Removing expensive goods from shop fronts.


SCP Techniques (Clarke, R 1997)


Preventing Cybercrime in the Cloud

• Traditional Methods (Vidal and Choo 2015)
  • Implementation of security policies à la ISO 27002 standards to implement security controls and increase security awareness.
  • Technology solutions to mitigate known Cloud Computing threats.

• Crime Opportunity theories used in previous research:
  • Routine Activity Theory to model incidence of internet fraud. (Pratt 2010)
  • Phishing attempts to show where victimization rates are higher. (Leukfeldt 2014)
  • General cyber crime prevention using SCP (Beebe & Rao 2005)
  • Relationships of Information Security and SCP (Willison & Backhouse 2006)


Cloud Computing and SCP

• Given the available material and research, there is a lack of specific models that use SCP against Cloud Computing threats.

• This is challenging because SCP needs to be directed at specific types of crime, and Cloud Computing can have varied threats against it.


Research Questions

• Can SCP be utilized to develop a Conceptual Model for Cloud Computing Security?

• Will the deployment of this Conceptual Model aid in changing the environment sufficiently to affect Cloud Computing threats?

• Will a Private Cloud Service Provider be receptive to the deployment of additional security measures?

• Will Private Cloud Service consumers be affected by the deployment of additional security measures?


Conceptual Model Components

• Cloud Computing Threats
  • Cloud Security Alliance's Top Cloud Threats (Cloud Security Alliance 2013)

• Using technological and process/policy based solutions to populate the model
  • ISO 27002 Information Security Standards
  • ASD Top 35 Mitigation Strategies.

• Change the environment for crime
  • Increase Effort
  • Increase Risk
  • Decrease Reward
  • Remove Provocations
  • Remove Excuses


ISO Security Standards


ASD Top 35 Strategies to Mitigate Cyber Intrusions


CSA Top Threats

• Data Breaches
• Data Loss
• Account or Service Traffic Hijacking
• Insecure Interfaces
• Denial of Service
• Malicious Insiders
• Abuse of Cloud Services
• Insufficient Due Diligence
• Shared Technology Vulnerabilities


Conceptual Model

Example
P5 = Increase Effort = Implement physical and environmental access controls
A4 = Decrease Reward = Restrict admin privileges

Conceptual Model

Example
P15 = Increase Risk = Implement Monitoring controls
A20 = Remove provocations = Blocking spoofed emails

Conceptual Model

Example
P8 = Increase Effort = Effective Management of 3rd party services
A1 = Remove excuses = Application whitelisting

Conceptual Model

Example
P14 = Decrease Reward = Implementing security controls for financial services
A2 = Increase Effort = Patching of applications

Conceptual Model

Example
P9 = Increase Effort = Implementing security controls for malicious code
A12 = Increase Risk = Using application firewalls

Conceptual Model

Example
P1 = Remove Excuses = Implementing a security policy
A15 = Increase Risk = Logging and monitoring computer events for analysis

Conceptual Model

Example
P19 = Decrease Reward = Implement Business Continuity Management Controls
A16 = Increase Risk = Logging and monitoring of network activity for analysis

Conceptual Model

Example
P17 = Increase Effort = Implement controls for systems acquisition
A28 = Remove Excuses = User education

Conceptual Model

Example
P10 = Decrease Reward = Implementing Backups
A35 = Increase Risk = Logging of network events for post intrusion analysis

Methodology

• Approaching a Private IaaS Service Provider

• Studied through work done and published in Vidal, Choo 2015.

• Qualitative Research through semi-structured interviews with Private Cloud administrators, managers and consumers
  • Understand their awareness of Cloud Security threats
  • Understand awareness of security measures already available
  • Indicate receptiveness to additional or enhanced security measures
  • View of effectiveness of changing environment to deter criminal activity


Findings and Conclusions

• Results of interviews


Future Work

• Possibility of implementing parts of the conceptual model in existing Cloud Computing or IaaS environments.

• Measuring effectiveness of the model through reduction of security incidents


References

Mell, P & Grance, T 2011, 'The NIST definition of cloud computing'.

Zhang, Y, Juels, A, Reiter, MK & Ristenpart, T 2012, 'Cross-VM side channels and their use to extract private keys', Proceedings of the 2012 ACM conference on Computer and communications security, ACM, pp. 305-316.

Dawoud, W, Takouna, I & Meinel, C 2010, 'Infrastructure as a service security: Challenges and solutions', Informatics and Systems (INFOS), 2010 The 7th International Conference on, IEEE, pp. 1-8.

Choo, K-KR 2010, Cloud computing challenges and future directions, Australian Institute of Criminology, Canberra.

Attorney-General's Department 2013, National Plan to Combat Cybercrime, Canberra, ACT, Australia.

Paganini, P 2013, 2013 - The Impact of Cybercrime, Infosec Institute.

Hutchings, A, Smith, RG & James, L 2013, 'Cloud computing for small business: Criminal and security threats and prevention measures'.


PWC 2014, US Cybercrime: Rising risks, reduced readiness. Key findings from the 2014 US State of Cybercrime Survey, Price Waterhouse Coopers.

Hartel, P, Junger, M & Wieringa, R 2010, 'Cyber-crime science = crime science + information security'.

Felson, M & Clarke, RVG 1998, Opportunity makes the thief: Practical theory for crime prevention, Home Office, Policing and Reducing Crime Unit, Research, Development and Statistics Directorate, London.

Clarke, R 1997, Situational crime prevention, Criminal Justice Press, Monsey, NY.

Vidal, C & Choo, R 2015, 'The current state of an IaaS provider', in R Ko & K-KR Choo (eds), The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues, Syngress, Massachusetts, USA, pp. 401-426.

Pratt, TC, Holtfreter, K & Reisig, MD 2010, 'Routine Online Activity and Internet Fraud Targeting: Extending the Generality of Routine Activity Theory', Journal of Research in Crime and Delinquency, vol. 47, no. 3, pp. 267-296.


Leukfeldt, ER 2014, 'Phishing for suitable targets in the Netherlands: Routine activity theory and phishing victimization', Cyberpsychology, Behavior, and Social Networking, vol. 17, no. 8, pp. 551-555.

Beebe, NL & Rao, VS 2005, 'Using situational crime prevention theory to explain the effectiveness of information systems security', Proceedings of the 2005 software conference, Las Vegas.

Willison, R & Backhouse, J 2006, 'Opportunities for computer crime: considering systems risk from a criminological perspective', European journal of information systems, vol. 15, no. 4, pp. 403-414.

Cloud Security Alliance 2013, 'The Notorious nine: cloud computing top threats in 2013', Cloud Security Alliance.

AS/NZS 2006, ISO/IEC 27002:2006 - Information Technology - Security Techniques - Code of Practice for Information Security Management.

Australian Signals Directorate 2014, Strategies to Mitigate Targeted Cyber Intrusions, Canberra.
