Lecture 06 - Organizational Security.pdf

Full Transcript

IT and Society
Lecture 6: Security – Organizations

Prof. Jens Grossklags, Ph.D.
Professorship of Cyber Trust
Department of Computer Science
School of Computation, Information and Technology
Technical University of Munich
May 27, 2024
Recap – Cybercrime

Huge diversity of cybercrimes and impact
– Traditional forms of crime that migrate to IT
– Publication of illegal content over electronic media
– Crimes unique to electronic networks
 Ranging from huge monetary impact to niche crimes
 Direct costs, indirect costs, costs to society, defense costs vs.
criminal revenues

How to respond/invest effectively?
2
 Lecture 6

Security in Organizations

3
Beyond Cybercrime:
Types of Attackers
Cyber criminals pursuing monetary objectives through fraud or from
the sale of valuable information
Industrial competitors and foreign intelligence services interested in
gaining an economic advantage for their companies or countries
Employees, or those who have legitimate access, misusing systems
accidentally or deliberately (i.e., insider threats)

Hackers, who find interfering with computer systems an enjoyable
challenge
Hacktivists, who wish to attack companies for political or ideological
motives
4
Evolving Attacks
Attackers in the past:
– Untargeted, opportunistic attacks designed for mischief
Attackers today:
– Advanced attacks to acquire valuable data from an organization
– Targeted attack against persons, organizations
– Often conducted across multiple vectors and stages
– Specialized teams using sophisticated tools & techniques
– Often: Traditional security measures, e.g. Anti-Virus, Firewalls, that
only address inbound attack are not sufficient to defeat, as
advanced attacks are designed to evade traditional security
5
Trends
 Source: Any security industry reports (e.g., Symantec)
 Attacks move faster, defense does not
 Attacks are more targeted, but can hit anywhere
 Attackers upgrade their techniques: stealthy attacks from
inside
 Each year, number of attacks increases
 Number of unique malicious executables (malware): Number grew from
about one million in 2008 to over one billion in 2014
Source: Ugarte-Pedrero et al. (2018) A Close Look at a Daily Dataset of Malware Samples
6
VirusTotal – Distinct Malware Files

Daily Data!

https://www.virustotal.com/gui/stats
VirusTotal – Distinct URLs

Daily Data!

https://www.virustotal.com/gui/stats
The Evolution of Security and Risk
Management
Concept of security and risk management has evolved as
information technology has evolved
– In the early days of IT - the days of EDP (electronic data
processing) -- the focus was on securing specific systems

Scope of security and risk management has now become
much larger

9
Setting the Scene: Complexity

Vertical data-driven collaboration
− Collected by sensors (e.g., shop floor) and then stored in cloud
systems (e.g., backend, cloud provider) and used by many
Horizontal data-driven collaboration
− Cross-domain, inter-organizational (e.g., manufacturing,
logistics, sales, maintenance)

Trends: Internet of Things (IoT), Big Data, Industrie 4.0,
Connected Mobility, Cyber Physical Systems (CPS)
10
Data are the key assets!

Examples – Data is everywhere:
− Production processes, maintenance, logistics
− Customer business processes, contracts
− Individual profiles, movements, behavior

Data-driven ICT systems are critical:
− Coordinate (critical) processes
− Control and govern entire systems
− Act even autonomously on behalf of humans

11
Networks vs. Security

“Value” of a networked system emerges from
interconnection
– Businesses, social networks, etc.
– Positive network effects
Interference from outside/inside attackers diminishes
value and may lead to losses
– Losses increase through interdependence of systems
 How to manage these trade-offs?
12
Many Technology Options

Need arises to manage security within an organization
– Coordinate, plan and measure success of security efforts
– Necessary alignment of ICT and business processes

But also beyond organizational boundaries
– Coordination between different organizations or many parts of
one organization required to manage networked risks
– Example: Security information sharing… but there are
challenges
13
 Organizational
cyber harms
can be quite
diverse

https://doi.org/10.10
93/cybsec/tyy006

List continues

14
 Standards for Information Security
Management &
Information Security Management Systems:
Theoretical Perspective

15
Benefit of Standards for
Information Security
Cost reduction
– Application of existing and proven process models
– Methodical alignment and traceability
– Unification of qualifications, interoperability
Appropriate security level
– Based on state of the scientific and technical knowledge
– Increased comparability and improved orientation
Competitive advantage
– Certification of enterprise or products + Strengthening of legal certainty
– Market differentiation
16
Information Security Management
System (ISMS)
ISMS consists of policies, procedures, guidelines, and
associated resources
– That are collectively managed by an organization
– In the pursuit of protecting information assets
ISMS allows an organization to
– Ensure (international) competitiveness
– Satisfy information security requirements of customers
– Improve an organization’s plans and activities
– Meet the organization’s information security objectives
– Comply with regulations, legislation, and industry mandates
– Manage information assets
– Select, implement, and monitor efficient security controls 17
EU Lawmaking
Data: Discussed GDPR in detail
– Also: AI Act, Data Governance Act, Data Act, Digital Services
Act, Digital Markets Act
Security:
– NIS Directive, NIS2 Directive (focus on critical infrastructure
and organizations; to be implemented until October 2024)
– eIDAS (electronic IDentification, Authentication and trust
Services; revision signed on 11 April 2024)
– Cyber Resilience Act (CRA) (common cybersecurity
standards for products; draft March 2024)
18
Success Factors for Information
Security Management Systems

Top management
support
Comprehensive
Security awareness approach

ISMS
Performance Alignment with
evaluation corporate objectives
Incident and Understanding of
business continuity protection
management requirements

19
Example of Security Management
Approach:
International Standard
ISO/IEC 27000 Series (short: 27K)
ISO = International Organization for Standardization
IEC = International Electrotechnical Commission

Focus: What are requirements for an ISMS.
20
 ISO/IEC 27000 Family of Standards:
Overview
Standard type Number Title
Vocabulary 27000 ISMS – Overview and vocabulary
Requirements 27001 ISMS – Requirements
History of 27002 Code of practice for information security management
20+ years 27003 ISMS implementation guidance
27004 Information security management – Measurement
Guidelines
Regularly 27005 Information security risk management
updated
27007 Guidelines for information security management systems auditing
New parts Information security management guidelines for inter-sector and
27010
are added Sector-specific inter-organizational communications
guidelines Information security management guidelines for telecommunications
27011
organizations
Control-specific
27034 Application security
guidelines

Now a total of 46 approved individual standards (plus appendices) 21
 ISO/IEC 27001 Requirements
of ISO 27000 series
STRUCTURE:
Requirements and expectations PDCA Process (originates from
1) Scope quality assurance)
2) Normative reference
Plan Decide, Plan-Do-Check-Act was explicitly
3) Terms and definitions Do it! what to do!
named in older versions such as
Establish
4) Context of the organization the ISMS
27001:2005

5) Leadership The structure of the newer
Implement Maintain and
6) Planning Do and operate improve the Act 27001:2013 implicitly captures this
the ISMS ISMS notion only in the structure of the
7) Support document:
Monitor
8) Operation and review - Planning (Sec. 6)
the ISMS
Did it Fix things - Operation (Sec. 8)
9) Performance evaluation work? that did
- Performance evaluation (Sec. 9)
Check not!
10) Improvement - Improvement (Sec. 10)

Annex A) Reference control Managed information security Organization can be audited and
objectives and controls certified against ISO 27001
Bibliography
22
Establishing (and improving) ISMS

Identify assets Assess and Select and Monitor and
and treat risks implement improve
requirements controls effectiveness
Information assets Suitable risk Balanced controls Performance
and their value assessment and Implementation reports
Business needs treatment method effort Evidence for
for information Risk criteria Statement of verification
management Prioritize and applicability Corrective actions
External manage risks
requirements

Suggested process; details are left to organizations 23
 ISO/IEC 27002 Controls: Overview
STRUCTURE: 14 CORE CHAPTERS
Best practice recommendations on information 5) Information security policies
security controls (i.e., safeguards or counter- 6) Organization of information security
7) Human resource security
measures to avoid, detect, counteract, or 8) Asset management
minimize security risks) 9) Access control
10) Cryptography
Set of commonly accepted control objectives (35) 11) Physical and environmental security
and controls (113) grouped in clauses (14) 12) Operations security
13) Communications security
Focus on control selection 14) System acquisition, development and
maintenance
Documentation includes 15) Supplier relationships
– Control objective 16) Information security incident management

– Control description 17) Information security aspects of business
continuity management
– Implementation guidance 18) Compliance
– Other information, e.g., precautions necessary before
distributing documentation 24
ISO/IEC 27701 PIMS

Privacy Information Management System (PIMS)
– Created in response to the GDPR requirement to adopt
appropriate technical and organizational measures to protect
personal data
– Adding privacy processing controls to ISO 27001
– Published August 6, 2019

25
 ISO/IEC 27001 Certification

Getting certified is a key factor for applying standard in the first place
Survey with 128 industry professionals about reasons applying ISO 27001
1. Improve organizations’ information security practices (72%)
2. Gain trust of potential and actual customers with ISO 27001 certificate (57%)
3. Using standard’s best practices to tackle various legal requirements beyond GDPR (52%)
4. Using the standard’s framework as the basis for GDPR implementation project (48%)
5. Adopted the standard at the request of their partners (or contractual requirements) (46%)
Further economic benefits: e.g., lower cyber-insurance premiums
Certification costs: about 10-20000 Euro for a 500-employee organization
(does of course not include costs of building ISMS); certificate valid for 3 years

https://web.archive.org/web/20201001182230/https://www.itgovernance.eu/blog/en/the-5-most-common-reasons-for-implementing-iso-27001 26
Summary of Theory
ISO/IEC 27K series for risk-driven information security management:
Selection and implementation of controls is based on risk assessment
Continuous improvement should correspond with changing (risk)
environment
Documentation-centered approach
Built-in performance evaluation (process & controls)
Applicability
– Generic, adoptable, flexible
– Domain and expert know-how necessary
– Scales with different security needs
– Applicable outside ICT and operations
Certification schema available and increasingly used in practice
27
Security Management in Practice

28
(Information) security is a process, not a product. (Schneier)

… how well does this work out in practice?

29
 Study of German SMEs

5000 computer-
assisted phone
interviews
– Aug 2018 – Feb 2019
– Different categories:
< 49 employees; … ;
>500 employees

Source: Huaman et al. Usenix Security 2021
30
Perceptions

Organization’s security
sensitivity rated as high
Management staff reported Being hit by a targeted
higher sensitivity attack rated as relatively
low, compared to the risk of
being hit by a mass attack 31
Note: Blurry Boundaries

Technology facilitates automation of attacks

Discussion: Spearphishing
Spearphishing is a targeted type of phishing attack that involves sending an
email or other electronic message to a specific individual, organization, or
business to try to get them to reveal private information. The message is
specially crafted to appear authentic and come from a trusted source, which
makes spearphishing attacks especially dangerous. (Source: AVG)

Targeted: Yes! Significant effort for attackers: ?
32
Deployed Security Controls

Basic technical security
measures are widely
deployed, even in small
companies
Differences based on
industry sector, company
headcount, company age
and the use of external
information security
expertise (from regressions)

33
Attacks
45.1% of companies had to
actively react to at least one
incident in the last year
Reported organizational controls
more frequently map to the
reporting of security incidents
than reported technical security
controls
Larger companies, especially
with tech departments reported
more incidents
Industry sector correlated with
the reporting of security incidents 34
Key Challenges

35
Challenge 1: Decisions should be based on
Reliable Data

36
Example: Ransomware

FBI Estimate: Based on what data?

37
 Total Reported Loss by Crime Category

FBI Data:

FBI Internet Crime
Report: Internet
Crime Complaint
Center (IC3)

Year 2016

38
Example: Data Breaches

From Bloomberg: Large data breaches (> 1 million records)
https://www.bloomberg.com/graphics/corporate-hacks-cyber-attacks/
Germany: 4 entries
U.S.: 117 entries
Was Germany safer? 39
Impact of Disclosure Laws

The United States was at the top of the list for
both the number of breaches by country and
the number of identities stolen by country. This
is an unsurprising finding for several reasons.
The US has a large population, high adoption
of technology, and a large number of
companies based there. There are also strict
legal requirements in the US around reporting
data breaches. Data breaches are often
underreported in territories where there are no
legal requirements in place.
(2017 Symantec Internet Threat Report)
40
GDPR and Disclosure Laws (1)

Article on Privacy in Germany: https://doi.org/10.37307/j.2196-9817.2019.04.12 41
 GDPR and Disclosure Laws (2)

Source:
DLA Piper GDPR fines and
data breach survey:
January 2022

* Not all the countries covered by this report
make breach notification statistics publicly
available, and many provided data for only
part of the period covered by this report.
We have, therefore, had to extrapolate the
data to cover the full period. For the UK and
Germany, no recent data is available regarding
breaches notified during 2021 so we have had
to extrapolate using the daily average rate for
the previous year. It is also possible that some
of the breaches reported relate to the regime 42
before GDPR.
Knowledge about Security is Always
Imperfect

[T]here are known knowns; there are things we
know that we know.

There are known unknowns; that is to say there are
things that we now know we don't know.

But there are also unknown unknowns – there
are things we do not know, we don't know.
Donald Rumsfeld, 2002

In response to a question about the lack of evidence linking the government of Iraq 43
with the supply of weapons of mass destruction to terrorist groups
Challenge 2: Do not reinvent the wheel.

44
Example:
Attacks on SONY and SWIFT
November 2014:
 Advanced Persistent Threat (APT) attack targeting
SONY leading to theft and destruction of data
 Taskforce combining efforts of government
agencies and industry to understand compromise
and exchange data
Since October 2015:
 Continued usage of attack code to compromise
SWIFT network in various countries by the same
attack group
https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks 45
 The Realities of the Current Security
Information Sharing Paradigm

People Don’t
Share

Privacy Secrecy Tradecraft of Lack of Lack of Absence Lack of
of Victims of Attack Investigators Lineage/ Structure of Ledger Incentive
Patterns Context
46
Challenge 3: Security Standards should be
based on Scientific Evidence

47
 Example: Passwords
2003
 NIST Special Publication 800-63, App. A
 Standardization of password rules
2010 - now
 Empirical and experimental studies [e.g.,
CUPS Lab CMU] motivating rewriting of
standard
 Retrospective:
 „Back in 2003, there just wasn’t much
[data] to find, and [Mr. Burr] said he was
under pressure to publish guidance
quickly.” (Wall Street Journal)
 NIST standard has been (finally) updated
See: https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/
48
 Attention needed to positive/negative externalities:
Every security standard impacts millions of users and
billions of interactions
49
Does Security Management Matter?

Yes - Importance of concrete technical security measures
– Nagle, Ransbotham & Westerman
Significant positive impact of restrictive port configuration in large corporate
networks (based on data of 480 of Fortune 500 companies) on botnet and
malware activities

No? - Influence of (written) security policies on security
outcomes
– No current studies  Not enough collaboration with companies
– Doherty-Fulford : No significant effect

50
Challenge 4: We should act quickly!

51
 Example German Federal Parliament (Bundestag):
Monatelang, mindestens aber von April und
eventuell gar bis zur Abschaltung und zum
Neuaufbau des Netzes im August konnten die
Angreifer im Active Directory und im gesamten
Netz tun und lassen was sie wollten. Sie konnten
eigene, neue Benutzeraccounts anlegen und mit
kompletten Rechten ausstatten. Über Wochen
blieben sie unter dem Radar der IT-Verwaltung…
[Linux Magazin]
- Quote about the 2015 attacks
- Other attacks happened also in 2016, 2021 52
Sparse Data Tells Sad Story
How long until an attack is detected?
– Analysis of data from VERIS Community Database (VCDB)
[Farhang & Grossklags, 2017]
– Sparse data: 1795 records for compromises due to malware and hacking;
150 with concrete time measurements
Theoretical contributions needed: Economic model to understand
when to act to thwart stealthy threats

Average:
198.25 days

53
Another German Example: 8fit

https://8fit.zendesk.com/hc/en-us/articles/360017746394-Notice 54
Summary: Challenges
Many high-quality IT security research projects, but too little
data-driven collaboration with industry and policy actors
– We often do not know exactly how effective security management is
in practice, but public data does not show a pretty picture
Science of security management: Scientifically validated
approach to prioritize security measures is missing, but
needed
- Cybersecurity is different from reliability and safety policy: Attackers
are creative and persistent… and they keep coming, and coming,
and coming.
55
Takeaways
External and internal drivers push for a systematic information
security management
– Need for strategic protection of assets; compliance regulations;
growing complexity etc.
Information security management systems (ISMS)
– Meet security objectives, satisfy external requirements &
regulations, improve security-related activities, …
– Need support for planning, implementation, monitoring, and
improvement of an ISMS
Established standards available to help, but practice is messy, and
challenges are hard to solve
56
That’s it. The End. For Today.

See you next week later today.

57