The document discusses cybersecurity threats and issues. It notes that many nations and non-state actors now have sophisticated cyber capabilities, and that cyber attacks are becoming more advanced, targeted, and potentially damaging. The document warns that nations are increasingly dependent on digital networks and systems, so major cyber attacks could significantly disrupt economies and undermine confidence in digital systems and services.
1. The new challenges of cybersecurity: Internet for
peace... or for war?
Ms. Francesca Bosco
Project Officer
Interregional Crime and Justice Research Institute (UNICRI)
1 April 2011
Università degli Studi di Milano Bicocca
5. Vulnerability: root causes
• A highly interconnected system of general
purpose computers, not designed with security
in mind
– vulnerable software provides “launch pads” for easy
propagation of attacks
– erosion of the traditional perimeter (access systems
and data “anytime, anywhere”)
• Shift from “attacks against networks”
to “attacks against (web) applications”
and “attacks against users and data”
• Insufficient security awareness of (some)
application developers and end users
6. Example:
How Vulnerable are UN Systems ?
-which system?
– publicly accessible websites
– central internal applications (IMIS, email, etc.)
– end user systems (desktops, laptops, BB, etc.)
-which threat?
– denial of service
– “defacement”
– abuse / threat to third parties
– “APT” type attacks
7. State of Play
UN systems are frequently attacked
– defacements (political, “commercial”)
– abuse of web sites to disseminate “malware”
– abuse of email systems to send spam/fraudulent email
– forging of UN email addresses to commit fraud
Several known examples of “APT” type attacks
– very credible email messages
– attachments deemed safe by Anti-Virus software
– successful compromise of a single computer leads to
further compromises on internal networks
8. Current situation: general
• All systems are “compromisable”; perfect
security is unattainable
• Objective is to continue safe operation in a
compromised environment, to have
systems that are defensible, rather than
perfectly secure
• Cybersecurity is an adversarial science
9. Evolution of the threat landscape
Mobile threats – voracious malware targeting mobile
devices and the proliferation of mobile banking.
(More) Web 2.0 malware – Attackers leveraging Social
Networks.
Attackers exploiting the erosion of network boundaries
after the adoption of cloud computing.
Highly-motivated attackers with strong logistic or
financial support.
11. Top 5 security threats for 2011
1) Traditional malware
Traditional malware will remain the primary mechanism for distributing malicious software to computers on the
internet. Recent numbers indicate roughly 55,000 new malware samples identified every day, which
continues the exponential growth pattern seen through 2010. This trend will only continue.
2) Shift to advanced persistent threat (APT)
Attacks will be more advanced, targeted at a specific institution with a goal to acquire specific data.
Often described as Advanced Persistent Threat (APT), these attacks are designed to infiltrate an
organisation, hop the firewall and acquire a target. Once the software gets behind the firewall, it hops
around the organisation investigating and gathering information about the internal system. It then uses
this information to gain privileged access to critical information (e.g., transactions processing,
customer lists or HR records) and begins stealing sensitive data. Without proper monitoring in place, it
can be weeks or months before an organisation detects that it is under attack.
3) Focus on finance, hospitality and retail
Financial services, hospitality and retail industries will face an increased number of threats. As data
from the 2010 data breach report issued by the Verizon RISK team and the U.S. Secret Service
shows, these three industries combined currently represent 71% of all data breaches.
4) Mobile devices increase vulnerabilities
Seven out of ten companies still don’t have explicit policies outlining which devices can be logged on
to the network or on working in public places. As more people work and access information remotely,
the threat levels from existing vulnerabilities will increase and new ones will appear.
5) Hacktivism as a new type of threat
The most visible example of hacktivism was the recent series of attacks by Anonymous, a group that targeted
MasterCard, Visa and PayPal after those companies cut off financial services to WikiLeaks. We may
see more of these types of attack by groups representing political and environmental organisations.
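Slides 7 and 11 both describe the same APT pattern: one compromised computer is used to reach other internal systems, and without monitoring the fan-out goes unnoticed for weeks or months. The following Python script is an added example, not part of the original presentation, showing one detection a practitioner would run over authentication logs: a host that authenticates to many distinct internal hosts within a short sliding window. The log format (timestamp, source host, destination host, user, outcome), the host names and the sample lines are constructed for this example; the ten-minute window and the threshold of five hosts are tuning assumptions, not values from the slides.

```python
"""Flag internal hosts that fan out to many other internal hosts in a short
window: the "hop around the organisation" pattern described in the slides.

Added example, not from the original presentation. The log format
(timestamp, source host, destination host, user, outcome) is a constructed,
hypothetical format; adapt parse_line() to your own authentication logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one workstation (ws-017) reaches six hosts within a
# minute, while a normal user (ws-042) touches two servers. A later, isolated
# logon from ws-017 falls outside the window and must not be counted.
SAMPLE_LOG = """\
2011-03-28T09:00:01 ws-017 fileserv-1 jdoe SUCCESS
2011-03-28T09:00:09 ws-017 fileserv-2 jdoe SUCCESS
2011-03-28T09:00:15 ws-017 dc-1 jdoe FAILURE
2011-03-28T09:00:21 ws-017 hr-db jdoe SUCCESS
2011-03-28T09:00:33 ws-017 imis-app jdoe SUCCESS
2011-03-28T09:00:40 ws-017 mail-1 jdoe SUCCESS
2011-03-28T09:01:02 ws-042 fileserv-1 asmith SUCCESS
2011-03-28T09:02:10 ws-042 mail-1 asmith SUCCESS
2011-03-28T10:30:00 ws-017 printsrv jdoe SUCCESS
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, user, outcome)."""
    ts, src, dst, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, user, outcome


def detect_fan_out(log_text, window=timedelta(minutes=10), threshold=5):
    """Return {src: set_of_destinations} for every source host that reached at
    least `threshold` distinct destinations inside some window of length
    `window`. Failed logons count too: a compromised host probing for
    access is as interesting as one that succeeds.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst) still inside the window
    alerts = {}
    for ts, src, dst, _user, _outcome in events:
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            alerts.setdefault(src, set()).update(distinct)
    return alerts


if __name__ == "__main__":
    for host, targets in detect_fan_out(SAMPLE_LOG).items():
        print(f"possible lateral movement from {host}: {sorted(targets)}")
```

The detector only looks at one observable (distinct destinations per source per window), which is cheap to compute from any central authentication log and does not require knowing the motive or attributing the actor, matching the observable-only classification on slide 14. In production the threshold should be set from a baseline of how many hosts a typical user touches per window.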
12. What is Cyber Security?
Cyber security refers to measures for protecting computer systems, networks, and
information systems from disruption or unauthorized access, use, disclosure,
modification, or destruction.
The basic objectives of Cyber Security are to ensure the Confidentiality, Integrity,
and Availability of data.
13. What is Cyber Security?
Confidentiality has been defined by the International Organization for
Standardization (ISO) as "ensuring that information is accessible only to
those authorized to have access" and is one of the cornerstones of
information security. Confidentiality is one of the design goals for many
cryptosystems, made possible in practice by the techniques of modern
cryptography.
Integrity of the information implies that the data in question has not been
tampered with through accidental or malicious activity. Source integrity also
plays into this - ensuring that any piece of data actually came from the
source claimed and not a "man-in-the-middle" or third party.
Availability means that the information, the computing systems used to
process the information, and the security controls used to protect the
information are all available and functioning correctly when the information
is needed = timely, reliable access to data and information services for
authorized users.
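Slide 13 says confidentiality is made possible by cryptography and that integrity must also cover the source of the data. The two properties are separate, and the gap between them is where a man-in-the-middle operates. The following Python script is an added example, not part of the original presentation: it encrypts a message with a stream-cipher-style construction, shows that an attacker who never sees the key can still change the plaintext the receiver decrypts, and then shows an HMAC tag catching the same alteration. The keystream here is a toy SHA-256 counter construction and the keys, nonce and message are constructed values chosen for the demonstration; in practice an authenticated cipher or a standard encrypt-then-MAC library construction would be used.

```python
"""Confidentiality without integrity: a stream-cipher-style ciphertext can be
altered bit-for-bit without the key, and the receiver cannot tell unless a
separate integrity check exists.

Added example, not from the original presentation. The keystream is a toy
SHA-256 counter construction used only to make the point; the HMAC tag is
what supplies the integrity and source-integrity property the slide describes.
"""
import hashlib
import hmac


def keystream(key, nonce, length):
    """Toy counter-mode keystream: concatenated SHA-256(key || nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, nonce, plaintext):
    """XOR the plaintext with the keystream (confidentiality only)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def tag(mac_key, nonce, ciphertext):
    """HMAC-SHA256 over nonce and ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def tamper(ciphertext, offset, old, new):
    """Man-in-the-middle step: flip ciphertext bits so the plaintext at
    `offset` reads `new` instead of `old`. Needs no knowledge of the key,
    only of (or a guess at) the original plaintext at that position."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def receive(enc_key, mac_key, nonce, ciphertext, received_tag):
    """Verify the tag in constant time, then decrypt; return None on failure."""
    if not hmac.compare_digest(tag(mac_key, nonce, ciphertext), received_tag):
        return None
    return decrypt(enc_key, nonce, ciphertext)


def demo(enc_key=b"k" * 32, mac_key=b"m" * 32, nonce=b"n" * 12):
    """Constructed keys and message; returns (unchecked, checked, genuine)."""
    msg = b"PAY 0100 EUR TO ACCOUNT 4711"
    ct = encrypt(enc_key, nonce, msg)
    t = tag(mac_key, nonce, ct)
    # The attacker changes the amount in transit; the ciphertext stays "valid".
    forged = tamper(ct, 4, b"0100", b"9900")
    unchecked = decrypt(enc_key, nonce, forged)          # receiver without a MAC
    checked = receive(enc_key, mac_key, nonce, forged, t)  # receiver with a MAC
    genuine = receive(enc_key, mac_key, nonce, ct, t)      # untampered message
    return unchecked, checked, genuine


if __name__ == "__main__":
    unchecked, checked, genuine = demo()
    print("decrypted without integrity check:", unchecked)
    print("decrypted with integrity check   :", checked)
    print("genuine message                  :", genuine)
```

The MAC key is distinct from the encryption key and is shared only with the legitimate sender, so a valid tag also establishes where the data came from, which is the "source integrity" the slide distinguishes from plain tamper-resistance.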
14. Information security incidents
• Information Security Incident:
– an attempted or successful unauthorized access, use,
disclosure, modification or destruction of information;
– interference with the operation of ICT resources; or
– violation of explicit or implied acceptable usage policy
(as defined in ST/SGB/2004/15)
• Classification by common observable elements:
– Agent (internal/external)
– Action
– Asset
– Attribute
• does not include “motive” or “attributable source”
15. Cybersecurity as a Balancing Act
Investigative readiness vs. Privacy
Availability vs. Security
Regulation vs. Innovation
Enterprise vs. Protection
How can we make the Internet and our “Cyber-Assets” safer
without sacrificing simplicity, privacy or availability?
16. Why do we need to talk about it?
Government agencies constantly face cyber attacks
Businesses are losing revenue to cybercriminals
Users are being targeted for their Personal Identifiable
Information (PII)
Cybersecurity is a global issue, which can only be solved
with global solutions
Need for increased cooperation and coordination at the global
level
International community must work together to ensure a
coordinated response.
18. Information technology...for war?
• Military history scholars argue that warfare has shifted towards a
Fourth Generation of Warfare
• Technology not only enables asymmetry in power relations, but can
also be used to overcome it, undermining the enemy from within
• In the Information Age, military operations have been impacted and
transformed. Likewise no civil society sector has remained immune
from the information revolution. The “national information
infrastructure” (NII) is defined as the set of information systems and
networks on which a nation depends to function
• In net-wars the confrontation takes place between “states and non-
state actors, non-state actors that use states as arenas, or states
that use non-state actors as their proxies”
19. What’s cyberwar
The United Nations Institute for Training and Research (UNITAR)
defines cyberwar as:
“The deliberate use of information warfare by a state,
using weapons such as electro-magnetic pulse waves,
viruses, worms, Trojan horses, etc., which target the
electronic devices and networks of an enemy state”
Richard Clarke, a U.S. government security expert, defines
cyberwar as:
“Actions by a nation-state to penetrate another nation’s
computers or networks for the purposes of causing
damage or disruption.”
20. Cyber Warfare &
Cyber Terrorism
Cyber Warfare and Terrorism is one of the fifteen
modalities of UnRestricted Warfare (URW) also
called asymmetric warfare.
Cyber Warfare & Terrorism
“The premeditated use of disruptive activities,
or the threat thereof, against computers
and/or networks, with the intention to cause
harm or further social, ideological, religious,
political or similar objectives. Or to intimidate
any person in furtherance of such objectives.”
Source: U.S. Army Cyber Operations and Cyber Terrorism Handbook 1.02
21. Cyberterrorism
Cyberterrorism is a phrase used to describe the
use of Internet based attacks in terrorist activities,
including acts of deliberate, large-scale disruption
of computer networks, especially of personal
computers attached to the Internet, by the means
of tools such as computer viruses.
Cyber terrorism is generally understood as the crossing over of
terrorism and cyberspace. This leads to unlawful attacks and threats of
attacks against computers, networks and the information stored therein.
23. Focus
THE INTERNET: AN ATTRACTIVE
ARENA FOR TERRORIST PUBLICITY
The internet is an ‘informational weapon’ for terrorists, as it provides:
Easy access
A decentralised structure
Little or no regulation, censorship, or other forms of government
control
Potentially huge audiences spread throughout the world
Anonymity of communication
Fast flow of information
Inexpensive development and maintenance of web presence
A multimedia environment (the ability to combine text, graphics, audio,
video, and allow users to download films, songs, books, posters etc)
The ability to shape coverage in the traditional mass media
Source: “www.terror.net: How Modern Terrorism Uses the Internet” by Prof. Gabriel Weimann
24. Focus
TERRORIST PURPOSES IN USING THE INTERNET
Data Mining (using the internet to
collect intelligence)
Training
Fundraising
Networking
Recruitment and Radicalisation
The internet is an important source for
discovering and grooming potential
jihadists
Publicity
25. Focus
MAIN AREAS OF CYBER PRESENCE
Mass media
Official ‘jihadist’ websites
A well-designed and well-maintained Web site gives a group
an aura of legitimacy and increasingly attracts attention
from the mass media in and of itself
Unofficial websites
Forums and blogs
Distributor sites
Video sites
YouTube and LiveLeak
26. Focus
OBJECTIVES OF ONLINE TERRORIST
PUBLICITY
1. To wage psychological warfare
(through terror) and advance a cause
Terrorist use internet publicity to:
• amplify panic
• spread fear
• facilitate economic loss (eg. scaring away
investment and tourism)
• make populations lose faith in their
governments' ability to protect them
• trigger government and popular overreaction to
specific incidents and the overall threat of
terrorism
27. Focus
OBJECTIVES OF ONLINE PUBLICITY
2. To gain sympathy and support of their cause
The Internet has significantly
increased the opportunities for
terrorists to secure publicity for their
ideological causes and spread
propaganda.
The Internet has become a virtual
library of terrorist material, granting
easy access to everything from
political, ideological and theological
literature, via fatwas and khutbas, to
videos of assaults and attacks, and
even video games.
28. When does a computer attack become an
act of terrorism or of war?
Information warfare, in information
technology, is that series of actions aimed
at exploiting, corrupting, wasting or
destroying the information or information
resources of the enemy in order to achieve
a significant advantage, using information
itself as the weapon.
29. Modern Weapons
Economics
What does a stealth bomber cost? $1.5 to $2 billion
What does a stealth fighter cost? $80 to $120 million
What does a cruise missile cost? $1 to $2 million
What does a cyber weapon cost? $300 to $50,000
30. Interesting Quote
NATO's cyber defense chief has warned that
computer-based terrorism poses the same threat
to national security as a missile attack. He went on
to say that “Cyber war can become a very
effective global problem because it is low-risk,
low-cost, highly effective and easily globally
deployable. It is almost an ideal weapon that
nobody can ignore.“
Using this as a framework, we can put into context
the evolving architecture for cyber weapons.
31. How to build a cyber weapon:
Cyber Weapons Design-1
Cyber Weapon – Delivery Vehicle
There are numerous methods of delivering cyber
weapons to their targets. Emails with malicious
code embedded or attached are one mechanism of
delivery. Another delivery vehicle is web sites that
can host malicious links and downloads. Hacking
is a manual delivery vehicle that allows a cyber
soldier to place the malicious payload on a target
computer, system or network. Counterfeit
hardware, software and electronic components can
also be used as delivery vehicles for cyber
weapons.
32. Cyber Weapons Design-2
Cyber Weapon – Navigation System
Just as a navigation system guides a missile, the
navigation system of a cyber weapon allows the
malicious payload to reach a specific point inside
a computer, system or network. System
vulnerabilities are the primary navigation systems
used in cyber weapons. Vulnerabilities in software
and computer system configurations provide entry
points for the payload of a cyber weapon. These
security exposures in operating systems or other
software or applications allow for exploitation and
compromise. Exploitation of these vulnerabilities
may allow unauthorized remote access and control
over the system.
33. Cyber Weapons Design-3
Cyber Weapon – Payload
The payload of a missile is sometimes called a
warhead and is packed with some type of explosive.
In a cyber weapon the payload could be a program
that copies information off of the computer and sends
it to an external source. It can also be a program that
begins to erase or alter information stored on the
system. Finally, it can allow remote access so that
the computer can be controlled or directed over the
internet. A “bot” (a component of a botnet) is a good
example of a payload that allows remote use of the
computer by an unauthorized individual or
organization.
34. Cyber Weapons Design-4
Cyber Weapon – Architecture
This three-element architecture (delivery vehicle,
navigation system, payload) demonstrates how
advanced and sophisticated cyber weapons are
becoming. The architecture allows reuse and
reconfiguration of all three components. As one
software or system vulnerability is discovered,
reported and patched, that component can be
removed and replaced while the other two
components are still viable. This not only creates
flexibility but also significantly increases the
productivity of the cyber weapons developers.
35. Recent events discussed
on the media
• Cyber Attack on Estonia [April 2007]
– sometimes referred to as “Web War 1”
– sophisticated and large set of denial of service (DoS) attacks on Estonian
parliament, banks, ministries, newspapers, other web sites
– severe effect on above institutions for approximately three weeks
• Cyber Attack against Georgia [August 2008]
– denial of service against gov’t web sites
– concurrent with armed conflict
• Advanced Persistent Threat (APT) [December 2009]
– (a.k.a. “Google war”)
– “deep infiltration” of several technology providers
• Stuxnet [June 2010]
– technically highly sophisticated “malware” that appears to target Iranian
nuclear facilities
36.
“Estonia depended largely on the internet because of the country's ‘paperless government’ and web-based banking. If these services are made slower, we of course lose economically.”
Mihkel Tammet, head of IT security at the Estonian defence ministry, 2007
“Nearly every bank in the United States runs its operations on an internal network that connects to the Internet.”
Sandeep Junnarkar, CNET News, 2002
The U.S. is increasingly dependent on “... the unimpeded and secure flow of technology.”
CIA Report, Cyber Threats and the US Economy, 2007
“Hackers are intensifying their efforts to compromise social-networking sites using unsecure Web 2.0 ...”
Jon Swartz, USA TODAY, 2008
“... repercussions go beyond the loss of personal data, security experts say. As more consumers are victimized, it could undercut their confidence in legitimate websites.”
Billy Hoffman, manager of Hewlett-Packard Security Labs
“With global attacks on data networks increasing at an alarming rate, in a more organized and sophisticated manner, and often originating from state-sponsored sources, there is precious little time to lose.”
Tim Bennett, president of the Cyber Security Industry Alliance, 2008
Several nations, including China and Russia, “have the technical capabilities to target and disrupt elements of the U.S. information infrastructure and for intelligence collection.”
Mike McConnell, Director of National Intelligence, during the Senate Intelligence Committee
“... regarding counter-terrorism must be pursued ... ‘Information sharing with our allies and partners to support counter-terrorist operations overseas’”
The National Security Strategy of the United Kingdom - Security in an interdependent world
38. Stuxnet
Iran was prime target of SCADA worm
July 23 2010
http://www.computerworld.com/s/article/9179618/Iran_was_prime_target_of_SCADA_worm
The First Cyber Attack Specifically Targeting Control Systems
According to antivirus company Symantec Corp., Stuxnet looks for industrial control systems and then
changes the code in them to allow the attackers to usurp controls of industrial equipment such as sensors,
actuators, pumps, and valves without the operators knowing.
“Stuxnet searches for industrial control systems, often generically (but incorrectly) known as SCADA
systems, and if it finds these systems on the compromised computer, it attempts to steal code and design
projects,” Symantec explained. “It may also take advantage of the programming software interface to also
upload its own code to the Programmable Logic Controllers (PLC), which are ‘mini-computers’, in an
industrial control system that is typically monitored by SCADA systems.”
Very complex Windows-specific computer worm that infects computers and connected industrial control
equipment (PLCs)
First known worm to attack industrial infrastructure
Spreads through USB thumb drives as well as network connections
Utilizes four “zero-day” exploits
Uses stolen valid security certificates
Initial high rate of infection in Iran, specifically found at nuclear facilities
May be government (Israel, US, UK?) attempt to damage
Iranian nuclear facilities
Unclear if delay or damage actually occurred
Worm has spread to many other countries (including large infection of Chinese systems)
39. Focus
SCADA: Why do I care?
SCADA systems are essentially the arteries of national infrastructure, the behind-the-
scenes devices that make our day to day life convenient and safe. Any disruption could
lead to major inconvenience, or even loss of life…
The dangers inherent in obscure or rustic SCADA architectures are very real, and no
vendor or governmental body responsible for NCIs can afford to let a lack of
communication be an excuse for passivity…
41. Focus
SCADA
• Supervisory Control And Data Acquisition
NCI
• National Critical Infrastructure
Other terms:
• ICS – Industrial Control Systems
• PCS – Process Control System - Also known as Distributed Control System
(DCS)
SCADA Generations and Evolution:
1. Monolithic – Mainframe computing, limited to no connectivity.
2. Distributed – Proprietary networking technology led to increased
efficiency and redundancy due to real-time information sharing and
specialization of tasks.
3. Networked – Transition to modern, “open” networking standards such as
IP (Internet Protocol) and the deployment of “thin clients” and web
applications to facilitate operations.
42. Focus
NCI Examples
Modern NCIs can be summarised as:
Food
Agricultural and processing industry
Food safety
Food distribution
Water
Drinking water treatment
Wastewater management
Transportation
Air
Land (rail, roads)
Marine
43. Focus
NCI Examples
Modern NCIs can be summarised as:
Safety
Chemical, biological, radiological and nuclear safety
Hazardous materials
Emergency services (police, fire, ambulance, etc)
Manufacturing
Chemical industry
Defense industrial base
44. Cybersecurity:
What we’re doing wrong
1) We tend to seek a “centralized” solution to
what is a very multi-dimensional problem with
hidden interdependencies.
2) Opacity – We are not enforcing enough
transparency nor regulating the disclosure of
data breaches.
3) We aren’t moving away from a purely technical
view towards a global shared approach with
Political Vision, Strategy, Policies and
Standards.
45. Cybersecurity:
What we’re doing right
1) Public – Private Partnerships
2) Developing technical solutions.
3) Information exchange and awareness raising
at various levels.
46. Why cybersecurity partnership matters
• Public and private sectors need to share more
information--more parties must be included and new
platforms used.
• They must pay more attention to defending against
attacks that threaten critical IT infrastructure and even
damage physical facilities
• Much of the activity revolves around information sharing
in key industries.
• Their collaboration must be ratcheted up to the next
level--real-time identification and response as threats
occur and, more to the point, "moving security practices
from a reactionary posture to one that's proactive and
pre-emptive"
48. Example
Critical Infrastructure Protection in Italy
(2010)
• Information security is an integral part of the e-government 2010
plan
• 2010-A Technical group was established, under the Presidency of
the Council of Ministers, to “foster coordination at the national and
international level with regard to critical infrastructures and their
protection from cyberattacks”
• June 2009-Centro nazionale anticrimine informatico per la
protezione delle infrastrutture critiche (CNAIPIC)
• In 2007, the Bank of Italy approved a set of guidelines to ensure
continuity for the main financial actors, in case of cyberattack.
49. Creating a culture of security
Despite our best efforts over the years,
we need a new,
comprehensive doctrine and perspective
to face the innovative threats.
50. 1.Towards a new Policy Framework
Recognise the Internet as a key infrastructure in
addressing mainstream policy challenges (e.g.
ageing, health, environment, globalisation…)
Reaffirm fundamental principles (e.g. privacy,
security, policies to promote broadband access
on fair terms and competitive prices…)
Recognise the Internet as an agent of change and
foster an enabling environment so that it can
make positive contributions
51. 2. Building Confidence
The Internet reflects the real world – shapes it and is shaped by it – and has a dark
side. Confidence and trust in the Internet are shaped by its vulnerability to events,
both accidental and malicious.
Issues:
Multilateral efforts to ensure the security and integrity of the Internet have
been limited
We need to embed privacy protection in the design of applications and
devices (social networking sites; profiling and advertising; geolocation;
sensors and RFID)
We need to identify and enforce the rights and obligations to protect digital
identity
Security Considerations: (i) technical – diffusion of traffic rather than
optimisation of traffic for DoS; security of connection (SSL) vs.
authentication of content; use of virtual machines (ii) social -- Co-operation
to protect availability, integrity, confidentiality (security)
Protect and inform consumers, redress and enforcement of consumer
protection measures, including across jurisdictional borders
Rising concerns regarding “cybersecurity”.
52. 3.Public-Private Partnerships (PPP)
To emphasize: Both the private sector and the
public sector have crucial roles to play. The
private sector leads, the government enables.
It is important that both agree and are
aware of their respective roles.
53. International cooperation
The European Convention on cybercrime
• The Council of Europe Convention on
Cybercrime was opened for signature on
23 November 2001.
• In January 2003, an Additional Protocol was
adopted, concerning the criminalisation of acts
of racism and xenophobia committed through
computer systems. Several states have not
signed this Protocol.
• At present, 46 States, Member
and non-Member States of the Council of
Europe, have signed the Convention
• Italian ratification: 2008
54. Why Council of Europe Convention on cybercrime?
The only multilateral treaty dealing with cybercrime matters already implemented in many
countries while others are taking into consideration to become Party
A guideline for drafting the legislation on cybercrime
Provides important tools for law enforcement to investigate cybercrime
Ensure adequate protection of human rights and liberties according to the relevant international
documents
Flexible mechanisms to avoid conflicts with national legislations and proceedings
The Convention provides for countries:
Coherent national approach to legislation on cybercrime
Harmonisation of criminal law provisions on cybercrime with those of other countries
Legal and institutional basis for international LE and judicial cooperation with other parties
Participation in the Consultations of the Parties
The treaty as a platform facilitating public-private cooperation
Source: COE, “Convention provides global standards and a framework for effective, fast international cooperation”, October 2008
55. Legal
What needs to be done next
• Develop international law to accommodate cyber warfare offensive and defensive activities,
thus making it operative for the cyber age.
• In that regard, elaborate on the UN Charter in the direction of topical interpretations: define
the threshold of “use of force” under Article 2(4) and of “armed attack” and the limits of self-defence
under Article 51, define the concept of cyber weapon, define operational modes for Chapter VII action
in case of cyber attack, develop and analyze scenarios of cyber war and cyber terrorism with a view to
their legal consequences.
• Drawing upon NATO’s Strasbourg/Kehl Summit Declaration, and previous NATO work in
analyzing gaps in the international legal framework with respect to collective response, develop
proposed amendments to NATO Treaty definitions of armed attack and territorial integrity and
clarification of collective responses to accommodate collective cyber activities, self defence
actions, and communication requirements.
• Encourage the ratification of the Council of Europe Convention on Cybercrime (“Convention”)
and internal implementation by signatory states, and, where this does not obtain, encourage the
harmonization of cybercrime laws (substantively and procedurally) around the globe consistent
with the Convention and the cybercrime laws enacted in developed nations.
56. What needs to be done next
Technical
• Develop enterprise level security metrics so security progress can be
measured
• Enable time-critical system availability and resiliency across distributed
systems.
• Improve the ability to track and trace cyber communications to enable
source identification (accountability) and use of digital assets by technical
means
• Improve transparency of network operations to enable visibility of
activities, knowledge of status of operations, and identification of issues as a
diagnostic tool to enhance security.
• Develop digital identification mechanisms to protect and advance the
interconnection of devices, information, and networks.
• Address the security challenges of mobile/wireless systems. The
widespread and exponential deployment of such devices and systems
presents security challenges in and of itself, as well as risks to the
interconnected systems and devices they attach to.
57. It’s a Collective Effort:
Example
Ecosystem: Academia, Industry, Government
Shared datasets
Red Teaming
System stress tests
Shared common problem to tackle
New models of engagement
Sustained investment models
Lightweight submission and reporting
…
58. “The pursuit of peace and progress cannot end
in a few years in either victory or defeat. The
pursuit of peace and progress, with its trials
and its errors, its successes and its setbacks,
can never be relaxed and never abandoned.”
Dag Hammarskjold, UN Secretary-General, 1953 - 1961
59. Q&A
Only by joining forces and bringing together our
strategic capabilities will we be able to address current and
emerging cyberthreats !
60. Ms. Francesca Bosco
Project officer on Cybercrime
Emerging Crimes Unit
E-mail: bosco@UNICRI.it
Thank you for your attention.
www.unicri.it
http://www.unicri.it/wwd/cyber_crime/index.php