CSCE 727 - F 2

Information Warfare
- Information resources
- Players
- Offensive operations
- Defensive operations

Value of Resources
- Exchange value
  - Determined by market value
  - Quantifiable
- Operational value
  - Determined by the benefits that can be derived from using the resource
  - May not be quantifiable
  - May not be the same for each player (offensive and defensive players)
  - Actual (before) and potential (after) value

Players
- Offense: motives, means, opportunity
  - Insiders, hackers, criminals, corporations, governments, terrorists
- Defense: protection
  - Federal Bureau of Investigation
  - U.S. Secret Service
  - Department of Treasury
  - Department of Defense
  - National Institute of Standards and Technology
- ROLE OF GOVERNMENT

Offensive Information Warfare
- Target: particular information resources
  - The resources do not need to be owned or managed by the defense
- Objective: increase the value of the resource for the offense and decrease it for the defense
- Gain (offense): financial, strategic, thrill, etc.
- Loss (defense): financial, strategic, reputation, human loss, etc.

Cost of Information Warfare
- Monetary expense
- Personal time
- Risk of getting caught
- Punishment
- Resources used

Offense
- Increase availability of the resource (to the offense)
- Decrease integrity of the resource
- Decrease availability of the resource for the defense

Defense
- Prevent availability of the resource for the offense
- Ensure integrity
- Ensure availability

Offense: Increased Availability
- Collection of secrets:
  - Espionage (illegal) and intelligence (may be legal)
- Piracy
- Penetration (hacking)
- Superimposition fraud
- Identity theft
- Perception management

Offense: Decreased Availability for Defense
- Physical theft
- Sabotage
- Censorship

Offense: Decreased Integrity
- Tampering
- Penetration
- Cover up
- Virus, worm, malicious code
- Perception management
- Fabrication, forgeries, fraud, identity theft, social engineering

Defense
- Prevention: keeps attacks from occurring
- Deterrence: makes attacks unattractive
- Indications and warning: recognize an attack before it occurs
- Detection: recognize attacks
- Emergency preparedness: capability to recover from and respond to attacks
- Response: actions taken after the attack

Open Sources

Open Source
- Unclassified information in the public domain or available from commercial services
- Examples: newspapers, magazines, scientific publications, television and radio broadcasting, databases, etc.

Open Source Intelligence
- Intelligence operation that uses open source data
- Goal: answer a specific question in support of some mission
- Process:
  - Requirement analysis
  - Data collection/filtering/analysis
  - Information integration
  - Intelligence about

IW and Open Source Intelligence
- Generally legal (uses readily available information)
- Attacker gains access to protected information, e.g.,
  - Business trade secrets
  - Military strategy
  - Personal information
- Protected information may be readily available in the public domain, inferable from public data, or deducible from aggregated public data

Open Source Intelligence
- Widely used (e.g., Department of Defense)
- Cheap, fast, or timely
- Most often legal
- Advantages: no risk for the collector, provides context, a mode of information acquisition, cover for data discovery by secret operations
- Disadvantages: may not discover important information, assurance of discovery(?)

Online Open Source Intelligence
- Large amount of public data online
  - Web pages, online databases, digital collections, organizations online, government offices, etc.
- Freedom of Information Act (FOIA): industry data
- U.S. Patent Office: copies of U.S. patents
- Trade shows, public records, etc.

Privacy
- Use open sources to find confidential data about people
- Find confidential data about people while they browse through open sources (e.g., Web searches)

Online Investigative Tools
- Find confidential data for a small fee:
  - Net Detective (http://ndet.jeanharris.com/)
  - Dig Dirt (http://www.classified3.com/)
  - Accurate Info Search (http://www.accurate-people-finder.com/links/backgroundchecks.html)
- Privacy Tools (http://www.epic.org/privacy/tools.html)

Legislation
- Privacy Act of 1974, U.S. Department of Justice (http://www.usdoj.gov/04foia/04_7_1.html)
- Family Educational Rights and Privacy Act (FERPA), U.S. Department of Education (http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) (http://www.cms.hhs.gov/hipaa/)
- Privacy Initiatives, Federal Trade Commission (http://www.ftc.gov/privacy/)
- Telecommunications Consumer Privacy Act (http://www.senate.leg.state.mn.us/departments/scr/billsumm/SF487.HTM)
- Electronic Privacy Information Center (http://www.epic.org/)

Privacy Violations
- Snooping via open sources
  - Online activities
  - Questionnaires
  - Customer data
- Web site data collection (cookies, IP address, operating system, browser, requested page, time of request, etc.) without the user's permission
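The access log that almost every Web server keeps already records most of the items on this list for every request, before any cookie is set. The following added example (written for this page; it is not from the course or from any of the sites above) parses constructed combined-format log lines to show which fields one request leaves behind (IP address, operating system, browser, requested page, time of request) and then applies a minimization step a site operator can use to keep the log useful for troubleshooting while retaining less about each visitor. The log lines, the /24 truncation, the hour-level timestamp and the browser-family mapping are all constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache/NGINX "combined" log format (203.0.113.0/24 is a
# documentation address range; the paths, referrers and user agents are made up).
SAMPLE_LINES: List[str] = [
    '203.0.113.45 - - [10/Oct/2006:13:55:36 -0400] "GET /jobs/apply.html HTTP/1.1" 200 2326 '
    '"http://search.example/?q=job+openings" "Mozilla/5.0 (Windows NT 5.1; rv:1.8) Gecko/20060909 Firefox/1.5"',
    '203.0.113.77 - - [10/Oct/2006:13:57:02 -0400] "GET /health/clinic.html HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.4) AppleWebKit/418 Safari/419.3"',
    'garbage line that does not match the format',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Ordered (substring, label) pairs; first match wins. Deliberately coarse, constructed.
OS_PATTERNS = [("Windows", "Windows"), ("Mac OS X", "Mac OS X"), ("Linux", "Linux")]
BROWSER_PATTERNS = [("Firefox", "Firefox"), ("MSIE", "Internet Explorer"),
                    ("Chrome", "Chrome"), ("Safari", "Safari")]


def classify(agent: str, patterns) -> str:
    for needle, label in patterns:
        if needle in agent:
            return label
    return "unknown"


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the visitor data a single request leaves behind, or None for unparsable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["os"] = classify(rec["agent"], OS_PATTERNS)          # operating system
    rec["browser"] = classify(rec["agent"], BROWSER_PATTERNS)  # browser
    return rec


def truncate_ipv4(ip: str) -> str:
    """Zero the host octet so the record identifies a /24 network, not one machine."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return "0.0.0.0"  # not IPv4 (or malformed): drop rather than keep
    return ".".join(parts[:3] + ["0"])


def minimize_record(rec: Dict[str, str]) -> Dict[str, str]:
    """Keep what an operator needs for troubleshooting; drop what profiles the visitor."""
    return {
        "ip": truncate_ipv4(rec["ip"]),
        "time_hour": ":".join(rec["time"].split(":")[:2]),  # date and hour only
        "path": rec["path"],
        "status": rec["status"],
        "browser": rec["browser"],  # family only; the full User-Agent string is dropped
        # referrer and operating system are intentionally omitted
    }


def process(lines: List[str]) -> List[Dict[str, str]]:
    """Parse every line, skip the ones that do not match the format, minimize the rest."""
    out = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None:
            out.append(minimize_record(rec))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_log_line(line))
    print(process(SAMPLE_LINES))
```

Run on the constructed lines, `parse_log_line` shows that the first request alone yields the visitor's address, Windows as the operating system, Firefox as the browser, the page visited and the exact second of the visit, plus the search query that brought the visitor there; `process` keeps the network, hour, page and browser family and nothing else.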

Other Open Source Attacks
- Piracy
  - Available in open sources, but still protected by copyright, patent, trademark, etc.
- Copyright infringement
  - Acquisition of a protected work without the owner's permission, sold for a fee
  - Human perception: not a serious crime
  - Significant loss for marketing/manufacturing/owner
  - Berman Bill (http://www.digitalspeech.org/berman.shtml)
  - Copyright Law of the United States (http://www.copyright.gov/title17/)
- Trademark infringement

Domestic Intelligence, Counterintelligence

What is Intelligence?
- Information
- Activities
- Organization

Activity
- Activities:
  - Collection and analysis of intelligence information
  - Counterintelligence

Counterintelligence
- National security
- Nature of the regime
- Law

Goal of Counterintelligence
- National security
- Kinds of threats
- Information to be collected
- Purpose served
- Legislation
- Democracy

Counterintelligence
- Foreign intelligence guidelines: classified
  - Investigation of:
    - Illegal activities: detecting and preventing foreign espionage and terrorist activities
    - Legal activities: foreign legal political activities such as fund-raising, organizational work, etc.
- Domestic intelligence guidelines (Levi Guidelines): public
  - Investigation of groups that
    - are hostile to government policies and fundamental principles
    - seek to deprive some class of people

Domestic Surveillance
- Surveillance of own citizens
- Legislation
  - Circumstances permitting surveillance
  - Limits
  - Amount and kind of surveillance
- U.S.: constitutional law
  - Fourth Amendment: prohibition against unreasonable searches and seizures (e.g., wiretaps)

FISA
- 1978: Foreign Intelligence Surveillance Act (FISA)
  - Regulates the government's collection of foreign intelligence for the purpose of counterintelligence
  - Electronic eavesdropping and wiretapping
- 1994: amended to cover physical entries in connection with security investigations
- 1998: amended to permit pen/trap orders
- FISA applications for a search warrant:
  - Probable cause that the surveillance target is a foreign power or an agent of a foreign power
  - Does not need to involve criminal activity
  - Foreign Intelligence Surveillance Court
  - Attorney General

Psyops and Perception Management

Perception Management
- Information operations that aim to affect the perception of others in order to influence their
  - Emotions
  - Reasoning
  - Decisions
  - Actions

Covert Action

Perception of a Foreign Government
- Goal: change the foreign government's policy to support the offense's political interest
- Influence
  - The foreign government's perception
  - Perceptions of elements of the foreign society

Agents of Influence
- Influence government policy directly
- Data collection is not necessary
- Persuade colleagues to adopt certain policies
  - E.g., government officials
- 1930-40s: Soviet intelligence agents working for the U.S. government (Harry Dexter White, Assistant Secretary of the Dept. of Treasury)
- 1976: in France, Pierre-Charles Pathe founded Synthese (a political newsletter). 1979: convicted for espionage and for being an agent of influence.

Agent of Influence

Use of Information and Disinformation
- Providing information (or misinformation)
  - To influence a desired action
  - E.g., revealing the identities of the opponent's intelligence agents
- Origin of the information
- Sender of the information
- Misinformation
  - Plausible
  - Silent forgery
  - Deception operation

Perception of Foreign Society
- Hard to measure
- Cumulative effect over a long period of time
- Agents of influence
  - Reach the public: journalists, TV commentators, etc.
  - Prominent persons: political figures, aid organizations, etc.
- Culture

Unattributed Propaganda
- Black propaganda: origin is concealed
  - Disseminating opinions, information or misinformation via the media
  - Government may not be directly associated with the materials
    - Increases believability
    - Government may not want to be associated with certain opinions

Unattributed Propaganda
- Gray propaganda: origin is not public knowledge
  - E.g., Radio Free Europe, Radio Liberty
    - Information about the targets' own countries
    - Information about the West
    - Set up as private U.S. organizations but run by the CIA
  - Planting stories in independent news media

Offensive Operations
- Information space
  - Communication medium: any (TV, radio, Internet, Web sites, e-mail, newsgroups, etc.)
  - Target: individuals, groups, nations, the world

Internet
- Global access, mass audiences
- Easy to set up Web sites
- Low cost (compared with broadcasting: radio, TV, etc.)
- "Great equalizer"
- Authority over the Internet?

Tools for Perception Management
In War and Anti-War by Alvin and Heidi Toffler:
1. Atrocity accusations
2. Hyperbolic inflations
3. Demonization and/or dehumanization
4. Polarization
5. Claim of divine sanction
6. Meta-propaganda

Psyops

Lies and Distortions
- Widely used
- Destroys the integrity of the carrying media
- Ethical/unethical? Bad/useful?
- Digital media
  - Fabrication, spoofed originator, modification, etc.
  - Easy to carry out
  - Trust in observation (senses: see, hear, touch, taste, etc.)

Distortion
- Distort information
  - Conscious/unconscious
  - Important elements ignored or downplayed
  - Insignificant elements made to appear important
- Digital media:
  - Web page metatags: hidden data

Fabrication
- Fake information
  - Must seem legitimate
- Goal: influence decisions/activities of an enemy or competitor, financial gain, popularity, etc.
- Can be very effective
- Must know the target
- Errors and intentional fabrications

Hoaxes
- Fabrications to
  - Amuse
  - Create fear
  - Discredit/damage
- Digital media:
  - Easy to send hoax mail or post information
  - Virus hoaxes

Social Engineering
- Trick people into doing something they would not do if the truth were known.
- Means:
  - Impersonating
  - Threatening
  - Pretending a position/relationship/urgency/etc.

Denouncement
- Discredit, defame, demonize, or dehumanize an opponent
- Goal: gain of support for the entity performing the denouncement and loss of support for the adversary
  - Military/politics/economy/personal
- Hate groups
- Conspiracy theories
- Defamation: damaging the reputation and good name of another

Harassment
- Targets the opponent directly
- Unwanted, threatening messages
- Communication: in person, via a medium
- Examples:
  - Physical threats
  - Hate mail
  - Sexual harassment

Advertising
- Scam: con artists lure customers into a scam
  - Fake prizes, telemarketing, etc.
  - Internet: easy solicitations via junk e-mail, chat rooms, newsgroups, Web sites, etc.
- Spam: junk e-mail
  - Time consuming: read/process/delete
  - Unwanted/useless/harmful data

Censorship
- Offensive: denies a population access to certain materials
- Defensive: protects society from materials that would undermine its culture or governance
- Internet: makes censorship difficult
- Children's Internet Protection Act, 2000 (http://www.ifea.net/cipa.html, http://www.cybertelecom.org/cda/cipa.htm)
- Free speech online
  - Electronic Frontier Foundation: http://www.eff.org/br/
  - http://www.anu.edu.au/mail-archives/link/link9810/0378.html

Incident Response

Incident Response
- Federal Communications Commission: Computer Security Incident Response Guide, 2001, http://csrc.nist.gov/fasp/FASPDocs/incident-response/Incident-Response-Guide.pdf

What is Survivability?
- To decide whether a computer system is survivable, you must first decide what survivable means.

Vulnerable Components
1. Hardware
2. Software
3. Data
4. Communications
5. People

Effect Modeling and Vulnerability Detection
(Figure: components classified as seriously affected, weakly affected, and not affected, linked by cascading effects.)

Robust System Development
- Effects and system dependencies -> cascading effects
- Cascading and escalating effect modeling -> vulnerabilities
- Vulnerabilities and their priorities -> reduce vulnerabilities: installing safeguards, reconstructing the network, redundancy, etc.
- Reduced vulnerabilities -> estimation of component security (reliability, correctness, trustworthiness)
- Estimation of component security -> cost-effective dynamic network resource allocation

Due Care and Liability
- Organizational liability for misuse
  - US Federal Sentencing Guidelines: the chief executive officer and top management are responsible for fraud, theft, and antivirus violations committed by insiders or outsiders using the company's resources.
- Fines and penalties
  - Base fine
  - Culpability score (95%-400%)
  - Good faith efforts: written policies, procedures, security awareness program, disciplinary standards, monitoring and auditing, reporting, and cooperation with investigations

How to Respond?
- Actions to avoid further loss from the intrusion
  - Terminate the intrusion and protect against recurrence
  - Law enforcement: prosecute
  - Enhance defensive security
- Reconstructive methods based on:
  - Time period of the intrusion
  - Changes made by legitimate users during the affected period
  - Regular backups, audit-trail-based detection of affected components, semantic-based recovery, minimal roll-back for recovery
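The reconstructive methods listed above (time period of the intrusion, changes by legitimate users during that period, audit-trail-based detection of affected components, minimal roll-back) can be shown on a small constructed audit trail. The following example is added here and is not from the course or from any cited source; it assumes a log that records, for each committed transaction, the account, the commit time, the items read and the items written (after-images), plus a checkpoint of the data taken before the intrusion window. Damage is assessed transitively in commit order: a transaction is affected if the intruder's account ran it inside the window or if it read an item whose latest writer was affected, and a clean transaction that overwrites a tainted item without having read tainted data restores that item. Recovery then replays only the unaffected transactions from the checkpoint, so legitimate work done during the affected period survives and only the affected legitimate transactions need re-execution.

```python
from dataclasses import dataclass, field
from typing import AbstractSet, Dict, FrozenSet, List, Set


@dataclass
class LogRecord:
    """One committed transaction as recorded in the audit trail (constructed format)."""
    tid: str                   # transaction id
    user: str                  # account that ran it
    ts: int                    # commit time, minutes after the checkpoint (constructed)
    reads: FrozenSet[str]      # data items read
    writes: Dict[str, object] = field(default_factory=dict)  # item -> value written


# Constructed checkpoint state and audit trail. "mallory" is the compromised account.
INITIAL_STATE: Dict[str, object] = {"balance_a": 100, "balance_b": 50, "balance_c": 0, "rate": 1.0}
AUDIT_TRAIL: List[LogRecord] = [
    LogRecord("T1", "alice",   10, frozenset({"balance_a"}),        {"balance_a": 90}),
    LogRecord("T2", "mallory", 12, frozenset(),                      {"rate": 9.0}),       # the intrusion
    LogRecord("T3", "bob",     15, frozenset({"rate", "balance_b"}), {"balance_b": 450}),  # used the bad rate
    LogRecord("T4", "carol",   20, frozenset({"balance_a"}),        {"balance_a": 80}),   # legitimate, unrelated
    LogRecord("T5", "dave",    25, frozenset({"balance_b"}),        {"balance_c": 450}),  # used T3's output
    LogRecord("T6", "erin",    30, frozenset(),                      {"rate": 1.5}),       # clean overwrite of rate
]


def intrusion_transactions(trail: List[LogRecord], intruder: str, start: int, end: int) -> Set[str]:
    """Seed of the damage assessment: what the intruder's account committed in the window."""
    return {r.tid for r in trail if r.user == intruder and start <= r.ts <= end}


def assess_damage(trail: List[LogRecord], malicious: Set[str]) -> Set[str]:
    """Walk the trail in commit order, tracking which items currently hold tainted values.
    A transaction is affected if it is malicious or read a tainted item; its writes taint
    their targets. A clean transaction's writes restore their targets, because the value
    it wrote was derived only from clean reads."""
    affected = set(malicious)
    tainted: Set[str] = set()
    for r in trail:
        if r.tid in affected or (r.reads & tainted):
            affected.add(r.tid)
            tainted |= set(r.writes)
        else:
            tainted -= set(r.writes)
    return affected


def replay(trail: List[LogRecord], initial: Dict[str, object],
           skip: AbstractSet[str] = frozenset()) -> Dict[str, object]:
    """Apply the recorded after-images from the checkpoint, skipping the given transactions."""
    state = dict(initial)
    for r in trail:
        if r.tid not in skip:
            state.update(r.writes)
    return state


def recovery_plan(trail: List[LogRecord], intruder: str, start: int, end: int,
                  initial: Dict[str, object]) -> Dict[str, object]:
    """Minimal roll-back: undo only the affected transactions and keep every clean one."""
    malicious = intrusion_transactions(trail, intruder, start, end)
    affected = assess_damage(trail, malicious)
    before = replay(trail, initial)            # state as found after the intrusion
    after = replay(trail, initial, affected)   # state with only clean work retained
    return {
        "malicious": sorted(malicious),
        "affected": sorted(affected),
        "reexecute": sorted(affected - malicious),  # legitimate work that consumed bad data
        "rolled_back_items": sorted(k for k in before if before[k] != after[k]),
        "recovered_state": after,
    }


if __name__ == "__main__":
    print(recovery_plan(AUDIT_TRAIL, "mallory", 11, 13, INITIAL_STATE))
```

On the constructed trail, T2 is the only malicious transaction, but T3 and T5 are affected because they consumed values derived from it; T4 and T6 are untouched, so a full roll-back to the checkpoint would throw away their legitimate work for no gain. The plan rolls back only balance_b and balance_c (rate was already cleaned by T6's blind write) and flags T3 and T5 for re-execution. The approach depends on the audit trail capturing every read as well as every write; a log that records only writes cannot distinguish T4 from T3.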

Roles and Responsibilities
- User:
  - Vigilant for unusual behavior
  - Report incidents
- Manager:
  - Awareness training
  - Policies and procedures
- System administration:
  - Install safeguards
  - Monitor systems
  - Respond to incidents, including preservation of evidence

Computer Incident Response Team
- Assists in handling security incidents
  - Formal
  - Informal
- Incident reporting and dissemination of incident information
- Computer Security Officer
  - Coordinates computer security efforts
- Others: law enforcement coordinator, investigative support, media relations, etc.

Incident Response Process 1. Preparation
- Baseline protection
- Planning and guidance
- Roles and responsibilities, training
- Incident response team

Incident Response Process 2. Identification and Assessment
- Symptoms
- Nature of the incident
- Identify the perpetrator, origin and extent of the attack
  - Can be done during the attack or after the attack
- Gather evidence
  - Keystroke monitoring, honeynets, system logs, network traffic, etc.
  - Legislation on monitoring!
- Report on preliminary findings

Incident Response Process 3. Containment
- Reduce the chance of the incident spreading
- Determine sensitive data
- Terminate suspicious connections, personnel, applications, etc.
- Move critical computing services
- Handle human aspects, e.g., perception management, panic, etc.

Incident Response Process 4. Eradication
- Determine and remove the cause of the incident if economically feasible
- Improve defenses: software, hardware, middleware, physical security, etc.
- Increase awareness and training
- Perform vulnerability analysis

Incident Response Process 5. Recovery
- Determine course of action
- Reestablish system functionality
- Reporting and notifications
- Documentation of incident handling and evidence preservation

Follow Up Procedures
- Incident evaluation:
  - Quality of incident handling (preparation, time to respond, tools used, evaluation of the response, etc.)
  - Cost of the incident (monetary cost, disruption, lost data, hardware damage, etc.)
- Preparing a report
- Revise policies and procedures

The Economic Impact of Cyber Attacks: The Global Picture
Csilla Farkas (farkas@cse.sc.edu), John Rose (rose@cse.sc.edu)
(Figure: RISK; Vulnerabilities; Consequences.)

Financial Loss
(Figure: Dollar Amount Losses by Type. Total loss (2006): $53,494,290. Source: CSI/FBI Computer Crime and Security Survey, Computer Security Institute.)

Security
(Figures: Percentage of IT Budget Spent on Security; Percentage of Organizations Using ROI, NPV, or IRR Metrics; Protection.)

Real Cost of Cyber Attack
- Damage to the target may not reflect the real amount of damage
- Other services may rely on the attacked service, causing cascading and escalating damage
- Project goal: support decision makers to
  - Evaluate the risk and consequences of cyber attacks
  - Support methods to prevent, deter, and mitigate the consequences of attacks

THEMIS: Threat Evaluation Metamodel for Information Systems
(Figure: OFFENSE / DEFENSE model with the elements Computer Attack, System, Cascading and Escalating Effects, Affected Assets, Attacker Characteristics, Policy, Response.)

Jess-Based Modeling
- Graphical tool to model system components, values, dependencies, and compensating rules

Cascading and Escalating Effects
- Model cascading and escalating damage.
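The Effect Modeling and Robust System Development slides, the Real Cost of Cyber Attack slide and the two slides above all describe damage that spreads through component dependencies (cascading), grows with time (escalating) and is limited by compensating dependencies such as redundancy. The following example is added here and is neither the course's Jess-based tool nor any THEMIS code; it assumes a constructed dependency model in which each component carries an operational value per hour of unavailability (a stand-in for the operational value of the Value of Resources slide) and a list of "at least k of these providers" requirements, and it computes, for a given set of attacked components and outage duration, which components go down by cascade and how the loss splits between the attacked targets and the components that depend on them. The escalation rule (a multiplier after a threshold number of hours) is likewise a constructed assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class Component:
    name: str
    value_per_hour: float  # operational value lost per hour of unavailability (constructed units)
    # Each requirement is (providers, k): the component stays up only while at least k of
    # the listed providers are up. k < len(providers) is a compensating (redundant) dependency.
    requires: List[Tuple[Tuple[str, ...], int]] = field(default_factory=list)


# Constructed model: the two DNS servers back each other up, the database is a single
# point of failure, and the high-value services sit at the end of the dependency chain.
MODEL: Dict[str, Component] = {
    "dns1":    Component("dns1", 50),
    "dns2":    Component("dns2", 50),
    "db":      Component("db", 500),
    "auth":    Component("auth", 300, [(("dns1", "dns2"), 1), (("db",), 1)]),
    "web":     Component("web", 2000, [(("auth",), 1), (("dns1", "dns2"), 1)]),
    "billing": Component("billing", 1500, [(("db",), 1), (("auth",), 1)]),
}


def propagate(model: Dict[str, Component], attacked: Iterable[str]) -> Set[str]:
    """Cascading effects: repeat until no further component loses one of its requirements."""
    down = set(attacked)
    changed = True
    while changed:
        changed = False
        for c in model.values():
            if c.name in down:
                continue
            for providers, k in c.requires:
                if sum(p not in down for p in providers) < k:
                    down.add(c.name)
                    changed = True
                    break
    return down


def outage_loss(value_per_hour: float, hours: float, escalate_after: float, factor: float) -> float:
    """Escalating effects: after escalate_after hours the hourly loss is multiplied by factor
    (contract penalties, lost customers), so damage grows faster than linearly with time."""
    base = min(hours, escalate_after)
    extra = max(0.0, hours - escalate_after)
    return value_per_hour * (base + extra * factor)


def assess(model: Dict[str, Component], attacked: Iterable[str], hours: float,
           escalate_after: float = float("inf"), factor: float = 1.0) -> Dict[str, object]:
    """Split the loss between the attacked components and the ones they drag down."""
    attacked = set(attacked)
    down = propagate(model, attacked)
    cascaded = down - attacked

    def loss(names: Set[str]) -> float:
        return sum(outage_loss(model[n].value_per_hour, hours, escalate_after, factor) for n in names)

    direct, cascading = loss(attacked), loss(cascaded)
    return {
        "attacked": sorted(attacked),
        "cascaded": sorted(cascaded),
        "direct_loss": direct,
        "cascading_loss": cascading,
        "total_loss": direct + cascading,
    }


if __name__ == "__main__":
    for target in ({"dns1"}, {"dns1", "dns2"}, {"db"}):
        print(assess(MODEL, target, hours=4, escalate_after=2, factor=3))
```

With the constructed model, losing one DNS server costs nothing beyond that server because the second one compensates; losing both, or losing the database alone, takes down auth, web and billing, and the cascaded loss is many times the loss on the attacked components themselves. That gap between damage to the target and real damage is what the slides above set out to model, and the same propagation step is what a priority list of vulnerabilities can be built from: the components whose outage cascades furthest are the ones worth a safeguard or a redundant provider first.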

Ongoing Work
- Developing simulation components and requirements
  - Requirement analysis
  - Level of abstraction
  - Information hiding
  - Types of dependencies
  - Compensating dependencies
  - Throughput
  - Adaptation

Ongoing Work
- Temporal modeling
  - Real-time analysis and response
  - Long-term analysis
- Macro- and microeconomics
  - National-level perspective
  - Organizational-level perspective

Legal Aspects
- National law
- International law
- Legal regime to apply
- Gray areas of law
- Legal response
- Evidence preservation

THEMIS: Threat Evaluation Metamodel for Information Systems

Rules Defining the Use of Force: Schmitt Analysis
- Sources:
  - Thomas Wingfield: The Law of Information Conflict: National Security Law in Cyberspace
  - Michael N. Schmitt: Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework

Spectrum of Conflict
(Figure: spectrum of conflict annotated with UN Charter Art. 39, Art. 2(4), and Art. 51.)

Rules Defining the Use of Force

Use of Force in Cyberspace

Schmitt Factors
- Severity
- Immediacy
- Directness
- Invasiveness
- Measurability
- Presumptive legitimacy
- Responsibility

Severity
(Figure residue: scale labels "Weeks to Months", "Action Played No Identifiable Role in Result", "Conflict"; THEMIS example labels "ARP resolution specification", "Default policy"; THEMIS model elements Computer Attack, System, Cascading Effects, Affected Assets, Attacker Characteristics, Policy, Response.)