note6  --  version: Wed Mar 31 20:32:13 EDT 2010




"virtually every security violation involving cybersecurity is criminal" 

What's the difference between security and privacy?

security - protection of system resources
privacy  - protection of personal information/autonomy

Privacy has already been discussed.

What about security....

What are the categories of cybersecurity? 
        (based on what is being attacked) 

Cybersecurity categories:

   Data security    - unauthorized access to data
   System security  - attacks on system resources
   Network security - attacks on computer networks

Data security    - confidentiality
                      - proprietary (usually commercial)
                      - sensitive   (usually personal)
                 - integrity 
                      - no unauthorized alteration
                 - availability
                      - accessed on demand

                 - what are the potential problems? 

System security  - viruses 
                     - self-replicating 
                     - usually triggered by human action
                     - spread via networks
                 - worms
                     - activate themselves
                     - spread via networks
                 - malware
                     - e.g., Trojan horse
                     - e.g., Spyware -- why is this an issue? 

                 - what are the potential problems? 

Network security - private nets & internet

                 - what are the potential problems? 

The national infrastructure is vulnerable!
      - not just computer networks. 


Should individual freedom & autonomy yield to public safety & security? 

e.g., should we be free to "hack"?

Hackers - changing definitions? 

Hacker Philosophy:

  - computer systems are flawed and need improvement 
         - hackers provide an important service   (really?)
         - certified ethical hacker               (useful?)  

  "Charlie Miller, principal security analyst at Independent Security
   Evaluators, won $10,000 after hacking Safari on a MacBook Pro
   without having physical access to the machine. Miller won $5,000
   last year by exploiting a hole in Safari, and in 2008 nabbed
   $10,000 hacking a MacBook Air"
   - annual Pwn2Own contest at the CanSecWest security show 

  "IE's security techniques aren't designed to thwart every attack
   forever, but more to slow down the bad buys and make it harder for
   them to exploit vulnerabilities." 
   - Microsoft defends IE8 following hacking contest:

  - information should be free   (really?)

  - cyberspace activity is virtual and can't harm the real world   (really?)

Or see The Hacker Attitude: 

   1. The world is full of fascinating problems waiting to be solved.
   2. No problem should ever have to be solved twice.
   3. Boredom and drudgery are evil.
   4. Freedom is good.
   5. Attitude is no substitute for competence.

Back to security and hackers...

     Are computer break-ins ever ethically justified?


  • What's a cyberterrorist?
  • What do they do?
  • To whom/what?
  • Why do they do it?
  • Is it effective?
  • Is it widespread? "Politically motivated hacking operations intended to cause grave harm" "Goal of intimidating or coercing governments or societies" Dorothy E. Denning, Distinguished Professor, Department of Defense Analysis, Naval Postgraduate School "Cyberterrorism is the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not." - Introducing the New Cybersecurity Coordinator - 17th December 2009 Free Cyberterrorism Training: Run by FEMA -- "The Cyberterrorism Defense Initiative (CDI) is a national counter-cyberterrorism training program, developed for technical personnel and managers who monitor and protect our nation's critical infrastructures. CDI reaches all levels of public service, including state and local government, law enforcement, firefighting, public utilities, public safety and health, emergency medical services, and colleges and universities. Classes are free of charge to qualified personnel" "FBI has increased surveillence of individuals and organizations...suspected of possessing the combination of skills and motives" ...That's you! right? If you were a cyberterrorist, what would you attack & why? Hacktivism - electronic political activism - civil disobedience -- no damage -- non violent -- not for personal profit -- ethical motivation (e.g., law is unjust) -- willing to accept personal responsibility Is a denial of service attack Hacktivism? ** INFORMATION WARFARE Note the increasing role of computers in 'normal' warfare. What are the vulnerabilities of such a role? Information Warfare - Target or exploit information media to win some objective e.g., jam communications, make computers ineffective Is information warfare a just kind of warfare? The Just War - war can only be just under certain conditions Just War Principles i. Principles for Engaging in War ... "Competent authority. War cannot be initiated justly except by those who hold the proper authority and responsibility." ... Possible in information warfare? who are the authorities? ii. Principles for Conducting War ... "A strong distinction must be maintained between combatants and non-combatants. Non-combatants must never be deliberate or primary targets of military action." ... Possible in information warfare? who are the combatants? ** SECURITY COUNTERMEASURES Countermeasure - "action, device, procedure, techniques or other measure that reduces the vulnerability of a threat to a system" Examples? Firewalls Antivirus software Antispyware Encryption Digital signatures Anonymity tools - - why a good idea? - why a bad idea? Are cybersecurity solutions too reliant on technology? Security must be built into software systems. Why? Security must be considered throughout software development. Why? ** TOTAL SECURITY IN CYBERSPACE Can total security in cyberspace be achieved? Trade offs - cost - security costs money - your experience? - convenience - security causes inconvenience - your experience? - flexibility - restrictions on user autonomy - your experience? A problem: Information security now cuts across traditional "security perimeters" Due to trends - e.g., employees want to work at home - mobile devices - software/hardware/service interdependence Consequences for security? Who should pay for cybersecurity? - user? - companies? - government? -------------------------------