IT and Society Lecture 6: Security – Organizations PDF
Document Details
Uploaded by HardWorkingAestheticism
Technical University of Munich
2024
Jens Grossklags
Summary
This document is a lecture on organizational security. It covers topics such as cybercrime, types of attackers, evolving attacks, and trends in the field. It was given at Technical University of Munich on May 27, 2024.
Full Transcript
IT and Society Lecture 6: Security – Organizations
Prof. Jens Grossklags, Ph.D.
Professorship of Cyber Trust, Department of Computer Science, School of Computation, Information and Technology, Technical University of Munich
May 27, 2024

Recap – Cybercrime
Huge diversity of cybercrimes and impact
– Traditional forms of crime that migrate to IT
– Publication of illegal content over electronic media
– Crimes unique to electronic networks
Ranging from huge monetary impact to niche crimes
Direct costs, indirect costs, costs to society, defense costs vs. criminal revenues
How to respond/invest effectively?

Lecture 6: Security in Organizations

Beyond Cybercrime: Types of Attackers
– Cyber criminals pursuing monetary objectives through fraud or from the sale of valuable information
– Industrial competitors and foreign intelligence services interested in gaining an economic advantage for their companies or countries
– Employees, or those who have legitimate access, misusing systems accidentally or deliberately (i.e., insider threats)
– Hackers, who find interfering with computer systems an enjoyable challenge
– Hacktivists, who wish to attack companies for political or ideological motives

Evolving Attacks
Attackers in the past:
– Untargeted, opportunistic attacks designed for mischief
Attackers today:
– Advanced attacks to acquire valuable data from an organization
– Targeted attacks against persons and organizations
– Often conducted across multiple vectors and stages
– Specialized teams using sophisticated tools and techniques
– Often, traditional security measures (e.g., anti-virus, firewalls) that only address inbound attacks are not sufficient, as advanced attacks are designed to evade traditional security

Trends
Source: any security industry report (e.g., Symantec)
– Attacks move faster, defense does not
– Attacks are more targeted, but can hit anywhere
– Attackers upgrade their techniques: stealthy attacks from inside
– Each year, the number of attacks increases
Number of unique malicious executables (malware): grew from about one million in 2008 to over one billion in 2014
Source: Ugarte-Pedrero et al. (2018), A Close Look at a Daily Dataset of Malware Samples

VirusTotal – Distinct Malware Files (daily data)
VirusTotal – Distinct URLs (daily data)
https://www.virustotal.com/gui/stats

The Evolution of Security and Risk Management
The concept of security and risk management has evolved as information technology has evolved
– In the early days of IT, the days of EDP (electronic data processing), the focus was on securing specific systems
The scope of security and risk management has now become much larger

Setting the Scene: Complexity
Vertical data-driven collaboration
– Collected by sensors (e.g., shop floor), then stored in cloud systems (e.g., backend, cloud provider) and used by many
Horizontal data-driven collaboration
– Cross-domain, inter-organizational (e.g., manufacturing, logistics, sales, maintenance)
Trends: Internet of Things (IoT), Big Data, Industrie 4.0, Connected Mobility, Cyber Physical Systems (CPS)

Data are the key assets!
Examples – data is everywhere:
– Production processes, maintenance, logistics
– Customer business processes, contracts
– Individual profiles, movements, behavior
Data-driven ICT systems are critical:
– They coordinate (critical) processes
– They control and govern entire systems
– They even act autonomously on behalf of humans

Networks vs. Security
The "value" of a networked system emerges from interconnection
– Businesses, social networks, etc.
– Positive network effects
Interference from outside/inside attackers diminishes value and may lead to losses
– Losses increase through the interdependence of systems
How to manage these trade-offs?

Many Technology Options
The need arises to manage security within an organization
– Coordinate, plan and measure the success of security efforts
– Necessary alignment of ICT and business processes
But also beyond organizational boundaries
– Coordination between different organizations, or between many parts of one organization, is required to manage networked risks
– Example: security information sharing... but there are challenges

Organizational cyber harms can be quite diverse
https://doi.org/10.1093/cybsec/tyy006 (list continues)

Standards for Information Security Management & Information Security Management Systems: Theoretical Perspective

Benefit of Standards for Information Security
Cost reduction
– Application of existing and proven process models
– Methodical alignment and traceability
– Unification of qualifications, interoperability
Appropriate security level
– Based on the state of scientific and technical knowledge
– Increased comparability and improved orientation
Competitive advantage
– Certification of enterprise or products, strengthening legal certainty
– Market differentiation

Information Security Management System (ISMS)
An ISMS consists of policies, procedures, guidelines, and associated resources
– That are collectively managed by an organization
– In the pursuit of protecting information assets
An ISMS allows an organization to
– Ensure (international) competitiveness
– Satisfy information security requirements of customers
– Improve an organization's plans and activities
– Meet the organization's information security objectives
– Comply with regulations, legislation, and industry mandates
– Manage information assets
– Select, implement, and monitor efficient security controls

EU Lawmaking
Data: GDPR discussed in detail
– Also: AI Act, Data Governance Act, Data Act, Digital Services Act, Digital Markets Act
Security:
– NIS Directive, NIS2 Directive (focus on critical infrastructure and organizations; to be implemented by October 2024)
– eIDAS (electronic IDentification, Authentication and trust Services; revision signed on 11 April 2024)
– Cyber Resilience Act (CRA) (common cybersecurity standards for products; draft March 2024)

Success Factors for Information Security Management Systems
– Top management support
– Comprehensive security awareness approach
– ISMS performance evaluation
– Alignment with corporate objectives
– Incident and business continuity management
– Understanding of protection requirements

Example of a Security Management Approach: International Standard ISO/IEC 27000 Series (short: 27K)
ISO = International Organization for Standardization
IEC = International Electrotechnical Commission
Focus: what are the requirements for an ISMS?

ISO/IEC 27000 Family of Standards: Overview
Standard type | Number | Title
Vocabulary | 27000 | ISMS – Overview and vocabulary
Requirements | 27001 | ISMS – Requirements
Guidelines | 27002 | Code of practice for information security management
Guidelines | 27003 | ISMS implementation guidance
Guidelines | 27004 | Information security management – Measurement
Guidelines | 27005 | Information security risk management
Guidelines | 27007 | Guidelines for information security management systems auditing
Sector-specific guidelines | 27010 | Information security management guidelines for inter-sector and inter-organizational communications
Sector-specific guidelines | 27011 | Information security management guidelines for telecommunications organizations
Control-specific guidelines | 27034 | Application security
History of 20+ years; regularly updated; new parts are added. Now a total of 46 approved individual standards (plus appendices).

ISO/IEC 27001: Requirements of the ISO 27000 series
Structure of the document:
1) Scope
2) Normative reference
3) Terms and definitions
4) Context of the organization
5) Leadership
6) Planning
7) Support
8) Operation
9) Performance evaluation
10) Improvement
Annex A) Reference control objectives and controls
Bibliography
PDCA process (originates from quality assurance), turning requirements and expectations into managed information security:
– Plan: decide and plan what to do! Establish the ISMS
– Do: do it! Implement and operate the ISMS
– Check: did it work? Monitor and review the ISMS
– Act: fix the things that did not! Maintain and improve the ISMS
Plan-Do-Check-Act was explicitly named in older versions such as 27001:2005. The newer 27001:2013 captures this notion only implicitly, in the structure of the document: Planning (Sec. 6), Operation (Sec. 8), Performance evaluation (Sec. 9), Improvement (Sec. 10).
An organization can be audited and certified against ISO 27001.

Establishing (and improving) an ISMS
Identify assets and requirements
– Information assets and their value
– Business needs for information management
– External requirements
Assess and treat risks
– Suitable risk assessment and treatment method
– Risk criteria
– Prioritize and manage risks
Select and implement controls
– Balanced controls
– Implementation effort
– Statement of applicability
Monitor and improve effectiveness
– Performance reports
– Evidence for verification
– Corrective actions
Suggested process; details are left to organizations.

ISO/IEC 27002 Controls: Overview
Best practice recommendations on information security controls (i.e., safeguards or countermeasures to avoid, detect, counteract, or minimize security risks)
A set of commonly accepted control objectives (35) and controls (113) grouped in clauses (14)
Focus on control selection
Documentation includes
– Control objective
– Control description
– Implementation guidance
– Other information, e.g., precautions necessary before distributing documentation
Structure: 14 core chapters
5) Information security policies
6) Organization of information security
7) Human resource security
8) Asset management
9) Access control
10) Cryptography
11) Physical and environmental security
12) Operations security
13) Communications security
14) System acquisition, development and maintenance
15) Supplier relationships
16) Information security incident management
17) Information security aspects of business continuity management
18) Compliance

ISO/IEC 27701 PIMS
Privacy Information Management System (PIMS)
– Created in response to the GDPR requirement to adopt appropriate technical and organizational measures to protect personal data
– Adds privacy processing controls to ISO 27001
– Published August 6, 2019

ISO/IEC 27001 Certification
Getting certified is a key factor for applying the standard in the first place
Survey of 128 industry professionals about reasons for applying ISO 27001:
1. Improve the organization's information security practices (72%)
2. Gain the trust of potential and actual customers with an ISO 27001 certificate (57%)
3. Use the standard's best practices to tackle various legal requirements beyond GDPR (52%)
4. Use the standard's framework as the basis for a GDPR implementation project (48%)
5. Adopted the standard at the request of their partners (or contractual requirements) (46%)
Further economic benefits: e.g., lower cyber-insurance premiums
Certification costs: about 10,000-20,000 Euro for a 500-employee organization (this of course does not include the cost of building the ISMS); the certificate is valid for 3 years
https://web.archive.org/web/20201001182230/https://www.itgovernance.eu/blog/en/the-5-most-common-reasons-for-implementing-iso-27001

Summary of Theory
ISO/IEC 27K series for risk-driven information security management:
– Selection and implementation of controls is based on risk assessment
– Continuous improvement should correspond with the changing (risk) environment
– Documentation-centered approach
– Built-in performance evaluation (process and controls)
Applicability
– Generic, adoptable, flexible
– Domain and expert know-how necessary
– Scales with different security needs
– Applicable outside ICT and operations
Certification schema available and increasingly used in practice

Security Management in Practice
"(Information) security is a process, not a product." (Schneier)
... how well does this work out in practice?

Study of German SMEs
5000 computer-assisted phone interviews
– Aug 2018 – Feb 2019
– Different categories: < 49 employees; ... ; > 500 employees
Source: Huaman et al., USENIX Security 2021

Perceptions
– The organization's security sensitivity was rated as high
– Management staff reported higher sensitivity
– The risk of being hit by a targeted attack was rated as relatively low, compared to the risk of being hit by a mass attack

Note: Blurry Boundaries
Technology facilitates the automation of attacks
Discussion: Spearphishing
"Spearphishing is a targeted type of phishing attack that involves sending an email or other electronic message to a specific individual, organization, or business to try to get them to reveal private information. The message is specially crafted to appear authentic and come from a trusted source, which makes spearphishing attacks especially dangerous." (Source: AVG)
Targeted: Yes! Significant effort for attackers: ?

Deployed Security Controls
– Basic technical security measures are widely deployed, even in small companies
– Differences based on industry sector, company headcount, company age and the use of external information security expertise (from regressions)

Attacks
– 45.1% of companies had to actively react to at least one incident in the last year
– Reported organizational controls map more frequently to the reporting of security incidents than reported technical security controls do
– Larger companies, especially those with tech departments, reported more incidents
– Industry sector correlated with the reporting of security incidents

Key Challenges

Challenge 1: Decisions should be based on reliable data

Example: Ransomware
FBI estimate: based on what data?
Total Reported Loss by Crime Category
FBI data: FBI Internet Crime Report, Internet Crime Complaint Center (IC3), year 2016

Example: Data Breaches
From Bloomberg: large data breaches (> 1 million records)
https://www.bloomberg.com/graphics/corporate-hacks-cyber-attacks/
Germany: 4 entries; U.S.: 117 entries. Was Germany safer?

Impact of Disclosure Laws
"The United States was at the top of the list for both the number of breaches by country and the number of identities stolen by country. This is an unsurprising finding for several reasons. The US has a large population, high adoption of technology, and a large number of companies based there. There are also strict legal requirements in the US around reporting data breaches. Data breaches are often underreported in territories where there are no legal requirements in place." (2017 Symantec Internet Threat Report)

GDPR and Disclosure Laws (1)
Article on Privacy in Germany: https://doi.org/10.37307/j.2196-9817.2019.04.12

GDPR and Disclosure Laws (2)
Source: DLA Piper GDPR fines and data breach survey, January 2022
"* Not all the countries covered by this report make breach notification statistics publicly available, and many provided data for only part of the period covered by this report. We have, therefore, had to extrapolate the data to cover the full period. For the UK and Germany, no recent data is available regarding breaches notified during 2021 so we have had to extrapolate using the daily average rate for the previous year. It is also possible that some of the breaches reported relate to the regime before GDPR."

Knowledge about Security is Always Imperfect
"[T]here are known knowns; there are things we know that we know. There are known unknowns; that is to say there are things that we now know we don't know. But there are also unknown unknowns – there are things we do not know we don't know."
Donald Rumsfeld, 2002, in response to a question about the lack of evidence linking the government of Iraq with the supply of weapons of mass destruction to terrorist groups

Challenge 2: Do not reinvent the wheel.

Example: Attacks on SONY and SWIFT
– November 2014: Advanced Persistent Threat (APT) attack targeting SONY leading to theft and destruction of data
– Taskforce combining efforts of government agencies and industry to understand the compromise and exchange data
– Since October 2015: continued usage of the attack code to compromise the SWIFT network in various countries by the same attack group
https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks

The Realities of the Current Security Information Sharing Paradigm
People don't share:
– Privacy of victims
– Secrecy of attack patterns
– Tradecraft of investigators
– Lack of lineage/ledger
– Lack of structure
– Absence of incentive
– Lack of context

Challenge 3: Security standards should be based on scientific evidence

Example: Passwords
– 2003: NIST Special Publication 800-63, App. A – standardization of password rules
– 2010 - now: empirical and experimental studies [e.g., CUPS Lab, CMU] motivating a rewrite of the standard
Retrospective: "Back in 2003, there just wasn't much [data] to find, and [Mr. Burr] said he was under pressure to publish guidance quickly." (Wall Street Journal)
The NIST standard has (finally) been updated. See: https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/
Attention needed to positive/negative externalities: every security standard impacts millions of users and billions of interactions

Does Security Management Matter?
Yes – importance of concrete technical security measures
– Nagle, Ransbotham & Westerman: significant positive impact of restrictive port configuration in large corporate networks (based on data of 480 of the Fortune 500 companies) on botnet and malware activities
No? – influence of (written) security policies on security outcomes
– No current studies; not enough collaboration with companies
– Doherty-Fulford: no significant effect

Challenge 4: We should act quickly!

Example: German Federal Parliament (Bundestag)
"For months, at least from April and possibly even until the network was shut down and rebuilt in August, the attackers could do whatever they wanted in Active Directory and in the entire network. They could create their own new user accounts and give them full rights. For weeks they stayed under the radar of the IT administration..." [Linux Magazin]
– Quote about the 2015 attacks
– Other attacks also happened in 2016 and 2021

Sparse Data Tells a Sad Story
How long until an attack is detected?
– Analysis of data from the VERIS Community Database (VCDB) [Farhang & Grossklags, 2017]
– Sparse data: 1795 records for compromises due to malware and hacking; 150 with concrete time measurements
– Average: 198.25 days
Theoretical contributions needed: an economic model to understand when to act to thwart stealthy threats

Another German Example: 8fit
https://8fit.zendesk.com/hc/en-us/articles/360017746394-Notice

Summary: Challenges
– Many high-quality IT security research projects, but too little data-driven collaboration with industry and policy actors
– We often do not know exactly how effective security management is in practice, but public data does not show a pretty picture
– Science of security management: a scientifically validated approach to prioritize security measures is missing, but needed
– Cybersecurity is different from reliability and safety policy: attackers are creative and persistent... and they keep coming, and coming, and coming.

Takeaways
External and internal drivers push for systematic information security management
– Need for strategic protection of assets; compliance regulations; growing complexity, etc.
Information security management systems (ISMS)
– Meet security objectives, satisfy external requirements and regulations, improve security-related activities, ...
– Need support for planning, implementation, monitoring, and improvement of an ISMS
Established standards are available to help, but practice is messy, and the challenges are hard to solve

That's it. The End. For Today. See you next week later today.
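The "Sparse Data Tells a Sad Story" slide above measures time-to-discovery from VCDB records, most of which carry no usable timeline. The following added example (not the lecture's or the VCDB project's code) shows how such an analysis separates concretely measured records from "Unknown"/missing ones before averaging; it assumes the VERIS field layout (`action`, `timeline.discovery.unit`/`value`) and uses constructed sample records, not real VCDB entries.

```python
"""Mean time-to-discovery from VERIS-style incident records (added example)."""
from statistics import mean

# Days per VERIS timeline unit (assumption: approximate calendar conversions).
_DAYS_PER_UNIT = {
    "Seconds": 1 / 86400,
    "Minutes": 1 / 1440,
    "Hours": 1 / 24,
    "Days": 1,
    "Weeks": 7,
    "Months": 30,
    "Years": 365,
}


def discovery_days(record):
    """Return time-to-discovery in days, or None if it was not concretely measured."""
    disc = record.get("timeline", {}).get("discovery", {})
    unit, value = disc.get("unit"), disc.get("value")
    # "Unknown", "Never" or a missing value are not concrete measurements.
    if unit not in _DAYS_PER_UNIT or not isinstance(value, (int, float)):
        return None
    return value * _DAYS_PER_UNIT[unit]


def is_malware_or_hacking(record):
    """Keep only compromises attributed to malware and/or hacking actions."""
    actions = record.get("action", {})
    return "malware" in actions or "hacking" in actions


def summarize(records):
    """Count relevant compromises, those with a measured discovery time, and the mean."""
    relevant = [r for r in records if is_malware_or_hacking(r)]
    measured = [d for d in map(discovery_days, relevant) if d is not None]
    avg = mean(measured) if measured else None
    return {"relevant": len(relevant), "measured": len(measured), "mean_days": avg}


# Constructed sample records (assumed VERIS layout; not real VCDB entries).
SAMPLE_RECORDS = [
    {"action": {"hacking": {}}, "timeline": {"discovery": {"unit": "Months", "value": 6}}},
    {"action": {"malware": {}}, "timeline": {"discovery": {"unit": "Days", "value": 45}}},
    {"action": {"malware": {}, "hacking": {}}, "timeline": {"discovery": {"unit": "Weeks", "value": 3}}},
    {"action": {"hacking": {}}, "timeline": {"discovery": {"unit": "Unknown"}}},
    {"action": {"hacking": {}}, "timeline": {}},
    {"action": {"error": {}}, "timeline": {"discovery": {"unit": "Hours", "value": 2}}},
]

if __name__ == "__main__":
    # Of 5 malware/hacking compromises only 3 carry a measurement; mean is 82.0 days.
    print(summarize(SAMPLE_RECORDS))
```

Note how the reported mean rests on a small subset of the relevant records, which is exactly the caveat the slide raises about the 150 measured cases out of 1795.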