2. Introduction to cybersecurity, 2013 Slide 2
The cybersecurity problem
• How big a problem is cybersecurity for
individuals, businesses and nations?
• Why is it difficult to make networked
systems secure?
3. Introduction to cybersecurity, 2013 Slide 3
The scale of the problem
• It’s a big problem
• How big ? We really do not know
• Many surveys on cyber-security related
losses but very wide variations and
different methodologies
4. Introduction to cybersecurity, 2013 Slide 4
Individuals
• Cyber fraud
• Identity theft
• Cyber bullying and cyber stalking
7. Introduction to cybersecurity, 2013 Slide 7
Businesses
• Differing estimates:
– The extent of losses depends on how these
losses are measured and what data is
collected
• Industry reluctant to release figures but
when they do, they tend to overvalue
assets
10. Introduction to cybersecurity, 2013 Slide 10
Nations
• Cyberattacks on critical infrastructures
are seen as a critical economic risk by
all countries
• Significant resources now being
devoted to cyberdefence
13. Introduction to cybersecurity, 2013 Slide 13
• Why has cybersecurity become such a
major problem
– Scale and ubiquity of the internet
– Lower level of physical risk to criminals
– Fundamental business and technical
reasons for insecurity
14. Introduction to cybersecurity, 2013 Slide 14
Business reasons
• Connection of computers to the internet
can cut costs, improve the efficiency
and responsiveness of business
processes and open up new
opportunities for interaction. Therefore
business has focused on connectivity
rather than security
15. Introduction to cybersecurity, 2013 Slide 15
• Security is inconvenient and slows down
transactions. Businesses have decided
to prioritise convenience and usability
over security.
• Accepting the cost of losses through
cyber fraud may be a cost-effective
strategy
16. Introduction to cybersecurity, 2013 Slide 16
Internet vulnerabilities
• The Internet was invented in the 1970s
as a network between organisations that
were trustworthy and which trusted each
other
• The information maintained on their
computers was non-commercial and not
thought to be of interest to others
17. Introduction to cybersecurity, 2013 Slide 17
• Consequently, security was not a factor
in the design of internet protocols,
practices and equipment.
• Security slows things down so efficiency
was prioritized
18. Introduction to cybersecurity, 2013 Slide 18
• These protocols made it easy for the
Internet to be universally adopted in the
1990s
• However, the problems can only be
properly addressed by a complete
redesign of Internet protocols, which is
probably commercially impractical.
19. Introduction to cybersecurity, 2013 Slide 19
Internet vulnerabilities
• Unencypted traffic by default
• Packets can be intercepted and the
contents read by anyone who intercepts
these packets
20. Introduction to cybersecurity, 2013 Slide 20
Internet vulnerabilities
• DNS system
– Possible to divert traffic from legitimate to
malicious addresses
– Easy to hide where traffic has come from
• Domain name servers vulnerable to
DoS attacks
21. Introduction to cybersecurity, 2013 Slide 21
Internet vulnerabilities
• Mail protocol
– No charging mechanism for mail
– Hence spam is possible
22. Introduction to cybersecurity, 2013 Slide 22
Technology is not the only
problem
• Internet vulnerabilities make possible
some kinds of cyber-attack but it is
important to remember that
cybersecurity is a socio-technical
systems problem
• Problems almost always stem from a
mix of technical, human and
23. Introduction to cybersecurity, 2013 Slide 23
Risk classification
• Risks due to actions of people
• Risks due to hardware or software
• Risks due to organisational
processes
24. Introduction to cybersecurity, 2013 Slide 24
Actions of people
• Deliberate or accidental exposure of
legitimate credentials to attackers
• Failure to maintain secure personal
computers and devices
25. Introduction to cybersecurity, 2013 Slide 25
• Insider corruption or theft of data
• Preference for convenience and usability over
security
– Weak passwords set because they are easy to
remember and quick to type
26. Introduction to cybersecurity, 2013 Slide 26
Hardware and software
• Misconfigured firewalls and mail filters
• Programming errors and omissions in
software lead to malicious penetration
– Buffer overflow attacks
– SQL poisoning attacks
27. Introduction to cybersecurity, 2013 Slide 27
Organisational processes
• No established process and checks for
updating and patching software
• Lack of security auditing
• Lack of systematic backup processes
28. Introduction to cybersecurity, 2013 Slide 28
Summary
• Cyber attacks are a major cost for business,
government and individuals. But quantifying
this cost is difficult.
– The Internet was not designed as a secure network
and making it secure is practically impossible
– To make systems useable, people take actions
that introduce vulnerabilities into sociotechnical
systems.