note6 -- version: Wed Mar 31 20:32:13 EDT 2010
SECURITY IN CYBERSPACE pp. 173-196
---------------------------------------------------------
** COMPUTER SECURITY & CYBERSECURITY
"virtually every security violation involving cybersecurity is criminal"
What's the difference between security and privacy?
security - protection of system resources
privacy - protection of personal information/autonomy
Privacy has already been discussed.
What about security....
What are the categories of cybersecurity?
(based on what is being attacked)
Cybersecurity categories:
Data security - unauthorized access to data
System security - attacks on system resources
Network security - attacks on computer networks
Data security - confidentiality
- proprietary (usually commercial)
- sensitive (usually personal)
- integrity
- no unauthorized alteration
- availability
- accessed on demand
- what are the potential problems?
System security - viruses
- self-replicating
- usually triggered by human action
- spread via networks
- worms
- activate themselves
- spread via networks
- malware
- e.g., Trojan horse
- e.g., Spyware -- why is this an issue?
- what are the potential problems?
Network security - private nets & internet
- what are the potential problems?
The national infrastructure is vulnerable!
- not just computer networks.
** ETHICAL ASPECTS OF CYBERSECURITY
Should individual freedom & autonomy yield to public safety & security?
e.g., should we be free to "hack"?
Hackers - changing definitions?
Hacker Philosophy:
- computer systems are flawed and need improvement
- hackers provide an important service (really?)
- certified ethical hacker (useful?)
"Charlie Miller, principal security analyst at Independent Security
Evaluators, won $10,000 after hacking Safari on a MacBook Pro
without having physical access to the machine. Miller won $5,000
last year by exploiting a hole in Safari, and in 2008 nabbed
$10,000 hacking a MacBook Air"
- annual Pwn2Own contest at the CanSecWest security show
"IE's security techniques aren't designed to thwart every attack
forever, but more to slow down the bad buys and make it harder for
them to exploit vulnerabilities."
- Microsoft defends IE8 following hacking contest:
- information should be free (really?)
- cyberspace activity is virtual and can't harm the real world (really?)
Or see The Hacker Attitude:
1. The world is full of fascinating problems waiting to be solved.
2. No problem should ever have to be solved twice.
3. Boredom and drudgery are evil.
4. Freedom is good.
5. Attitude is no substitute for competence.
Back to security and hackers...
Are computer break-ins ever ethically justified?
** CYBERTERRORISM
What's a cyberterrorist?
What do they do?
To whom/what?
Why do they do it?
Is it effective?
Is it widespread?
"Politically motivated hacking operations intended to cause grave harm"
"Goal of intimidating or coercing governments or societies"
Dorothy E. Denning,
Distinguished Professor,
Department of Defense Analysis,
Naval Postgraduate School
"Cyberterrorism is the convergence of terrorism and cyberspace.
It is generally understood to mean unlawful attacks and threats
of attack against computers, networks, and the information stored
therein when done to intimidate or coerce a government or its
people in furtherance of political or social objectives.
Further, to qualify as cyberterrorism, an attack should result in
violence against persons or property, or at least cause enough
harm to generate fear.
Attacks that lead to death or bodily injury, explosions, plane
crashes, water contamination, or severe economic loss would be
examples.
Serious attacks against critical infrastructures could be acts of
cyberterrorism, depending on their impact.
Attacks that disrupt nonessential services or that are mainly a
costly nuisance would not."
- http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html
Introducing the New Cybersecurity Coordinator - 17th December 2009
Free Cyberterrorism Training:
Run by FEMA -- "The Cyberterrorism Defense Initiative (CDI) is a
national counter-cyberterrorism training program,
developed for technical personnel and managers who
monitor and protect our nation's critical
infrastructures. CDI reaches all levels of public
service, including state and local government, law
enforcement, firefighting, public utilities, public
safety and health, emergency medical services, and
colleges and universities. Classes are free of charge
to qualified personnel"
"FBI has increased surveillence of individuals and
organizations...suspected of possessing the combination
of skills and motives"
...That's you! right?
If you were a cyberterrorist, what would you attack & why?
Hacktivism - electronic political activism
- civil disobedience
-- no damage
-- non violent
-- not for personal profit
-- ethical motivation (e.g., law is unjust)
-- willing to accept personal responsibility
Is a denial of service attack Hacktivism?
** INFORMATION WARFARE
Note the increasing role of computers in 'normal' warfare.
What are the vulnerabilities of such a role?
Information Warfare - Target or exploit information media to win some objective
e.g., jam communications, make computers ineffective
Is information warfare a just kind of warfare?
The Just War - war can only be just under certain conditions
Just War Principles
i. Principles for Engaging in War
...
"Competent authority. War cannot be initiated justly except by
those who hold the proper authority and responsibility."
...
Possible in information warfare? who are the authorities?
ii. Principles for Conducting War
...
"A strong distinction must be maintained between combatants and
non-combatants. Non-combatants must never be deliberate or primary
targets of military action."
...
Possible in information warfare? who are the combatants?
** SECURITY COUNTERMEASURES
Countermeasure - "action, device, procedure, techniques or other
measure that reduces the vulnerability of a
threat to a system"
Examples?
Firewalls
Antivirus software
Antispyware
Encryption
Digital signatures
Anonymity tools - http://www.anonymizer.com/
- why a good idea?
- why a bad idea?
Are cybersecurity solutions too reliant on technology?
Security must be built into software systems. Why?
Security must be considered throughout software development. Why?
** TOTAL SECURITY IN CYBERSPACE
Can total security in cyberspace be achieved?
Trade offs - cost - security costs money
- your experience?
- convenience - security causes inconvenience
- your experience?
- flexibility - restrictions on user autonomy
- your experience?
A problem:
Information security now cuts across traditional "security perimeters"
Due to trends - e.g., employees want to work at home
- mobile devices
- software/hardware/service interdependence
Consequences for security?
Who should pay for cybersecurity? - user?
- companies?
- government?
-------------------------------
|