De Montfort University Kazakhstan CSEC1001K: Cyber Ethics Lecture 1 PDF
Uploaded by InvigoratingWormhole
Summary
This De Montfort University Kazakhstan lecture covers cybersecurity ethics, including ethical hacking, social engineering, and cyber threats. The lecture also outlines ethical frameworks and best practices for cybersecurity professionals.
Full Transcript
CSEC1001K: Foundation of Computing and Cyber Security
Week 7 – Cyber Ethics, Lecture 1

Module Aims
– Examine the ethical and social aspects and issues of cybersecurity
– Explore the available ethical frameworks in cybersecurity
– Identify and evaluate the ethical role and responsibilities of cybersecurity professionals

Module Outcomes
To be able to recognise social and ethical issues in cybersecurity practice and to identify solutions for them:
1. Demonstrate understanding of current ethical concerns in cybersecurity
2. Recognise, contextualise and apply ethical arguments to cases relevant to cybersecurity
3. Identify applicable solutions to the ethical issues in cybersecurity practice

Key Topics in Cybersecurity (Reminder)
– CIA triad (Confidentiality, Integrity, Availability), plus Privacy, Authenticity and Non-repudiation
– Vulnerability: a weakness in a particular product, organisation or system
– Threat: the prospect of someone exploiting a system's vulnerabilities to achieve financial gain, obtain secrets, influence politics, take revenge, or simply out of hobbyist curiosity
– Risk and Risk Management: the process of identifying, controlling and minimising or eliminating the security risks that may affect information systems
– Security Strategy: a high-level plan for how an organisation will secure its assets
– Security Control: a countermeasure or safeguard used to reduce the chance that a threat exploits a vulnerability
– Defence: taking proactive or reactive approaches to secure a system against attacks:
  – Preventive controls: firewalls, etc.
  – Deterrence: two-factor authentication, etc. (2FA is more often classed as a preventive control; it deters only in the sense that it raises the attacker's cost)
  – Deflection: honeypots, etc.
  – Detection controls: IDS, etc.
  – Mitigation controls: network segmentation, etc.
  – Recovery controls: off-site backups, etc.
– Ethical Hacking
– Incident Response
– Penetration Testing

Cyber Threats and Ethical Issues

Denial of Service (DoS) and Distributed DoS (DDoS)
– An adversary tries to occupy a massive amount of the victim's resources
– The goal is to deny these resources to legitimate users
– DDoS: compromising thousands of other hosts and using them together to mount the DoS
– Values at stake: due care, availability, integrity

Port Scanning
– Used to enumerate all publicly reachable hosts and the services they expose
– Strict firewall rules limit what a scan reveals: they cannot stop the scan itself, but they drop probes to unexposed ports and leave a log of them
– Confidentiality? On its own a scan discloses little, but it is typically the first step before other types of exploitation

Ransomware: Cryptors and Blockers
– Cryptors encrypt the data on the victim's device. Usually the black hat demands money and promises to restore the encrypted data on receipt of payment (there is no guarantee the promise is kept)
– Blockers, also known as lockers, do not interfere with the data stored on the device; instead they prevent the victim from accessing it
– Values at stake: confidentiality, availability

Main Ethical Values in Cybersecurity (Value Clusters)
– Security: individual security, national security, cybersecurity (CIA)
– Privacy: autonomy, human dignity, identity, personhood, liberty, anonymity and confidentiality
– Fairness: justice, fairness, equality, accessibility, freedom from bias, non-discrimination, democracy and the protection of civil liberties
– Accountability: transparency, openness, explainability, responsibility

Conflicts between Security/Privacy and other Ethical Principles
– Privacy vs Security
– Privacy vs Fairness
– Privacy vs Accountability
– Security vs Accountability
– Security vs Fairness

Most Rated Ethical Issues in Cybersecurity
(Figure from The Ethics of Cybersecurity, Markus Christen, 2021)

Cyber Security Practices and Ethical Issues

Ethical Hacking
(Word cloud around "Hacker", from The Ethics of Cybersecurity, Markus Christen)
Ethical hackers are white hats mandated by clients (companies) who want their own IT security assessed, and they abide by a code of ethics that privileges business-friendly values. However, there is no guarantee that respecting such values is always compatible with the all-things-considered morally best act. It is recognised, however, that in terms of assessment it may be quite difficult to determine who is an ethical hacker in the "all things considered" sense.
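The port-scanning slide above says that strict firewall rules help against scanning. What those rules actually give the defender is a log of dropped probes, and a scan shows up in that log as one source touching many distinct ports on one host in a short time. The following is an added example (the editor's, not part of the lecture slides): a small detector run over constructed, simplified iptables-style DROP lines. The log format, the addresses, the ten-port threshold and the sixty-second window are all assumptions made for the example; a real deployment would adapt the regular expression to its own firewall's format and tune the threshold to its traffic.

```python
"""Port-scan detection over firewall DROP logs.

Added example for this lecture, not part of the original slides.
The log format below is a constructed, simplified iptables-style line;
real firewall logs differ, so adapt LINE_RE to your own format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 probes eleven ports on 192.0.2.10 in
# six seconds (a scan), 198.51.100.4 retries one port (normal noise), and the
# scanner comes back half an hour later for a single port (outside the window).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
2024-03-01T10:00:01Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
2024-03-01T10:00:02Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
2024-03-01T10:00:02Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
2024-03-01T10:00:03Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
2024-03-01T10:00:03Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
2024-03-01T10:00:04Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=135
2024-03-01T10:00:04Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=139
2024-03-01T10:00:05Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:00:05Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
2024-03-01T10:00:06Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
2024-03-01T10:00:07Z DROP SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:05:00Z DROP SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:30:00Z DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return a dict for one DROP line, or None for lines the regex does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "dpt": int(m["dpt"]),
    }


def detect_port_scans(log_text, threshold=10, window=timedelta(seconds=60)):
    """Flag (src, dst) pairs where one source hit at least `threshold` distinct
    destination ports on one host within some interval no longer than `window`.

    Returns {(src, dst): sorted ports seen in the largest such interval}.
    """
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["dpt"]))

    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        best = set()
        left = 0
        # Sliding window over the time-ordered events of this (src, dst) pair.
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:
                left += 1
            ports = {port for _, port in evs[left:right + 1]}
            if len(ports) >= threshold and len(ports) > len(best):
                best = ports
        if best:
            alerts[pair] = sorted(best)
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {len(ports)} ports: {ports}")
```

The distinct-port count is keyed per (source, destination) pair rather than per source alone so that a busy but legitimate client retrying one service, as 198.51.100.4 does here, never reaches the threshold; the late single probe from the scanner falls outside the window and does not inflate its count either.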
Penetration Testing
– Usually done by specialist firms
– It simulates a real attack scenario
– Also checks whether previous training, for example on social engineering, was effective
– Tools: the Metasploit toolkit; network traffic analysis with Wireshark
– Ethical issues: sharing exploit code or vulnerability details on mailing lists for awareness; aggressive tests; social engineering that puts employees to the test; disclosure of the report
– Values at stake: security, trust, consent, transparency, honesty, due care

Source Code Analysis
– Attacks such as buffer overflow and SQL injection rely on software bugs; discovering these vulnerabilities requires a code audit
– A code audit requires access to the application's source code
– Source code is not available to external auditors (except for open-source applications)
– Analysing the code needs instructions (documentation) from the software vendor
– Without the source, external auditors have to reverse engineer the software to understand it, which touches the vendor's IP rights
– Fuzzing tests an application for unintended behaviour by feeding it millions of different, random or mutated, inputs and watching for crashes and other anomalies
– Values at stake: security, integrity, trust, consent, transparency, honesty, due care

Disclosing Vulnerability Test Results
– Hired testers: an NDA (non-disclosure agreement) should be signed in situations where ethical hackers are hired
– Cybersecurity researchers shall follow responsible disclosure procedures. The options are full disclosure, responsible (coordinated) disclosure, or keeping the finding secret
– Keeping it secret: planned criminal action, secret-service espionage, lawful access to a suspect's device. The result is a zero-day vulnerability that the vendor cannot fix, raising security and privacy issues
– Values at stake: consideration for others, professional competence
– Vendors should have adequate approaches to handling vulnerability reports:
  – Publish a security contact on their website
  – Publish a public key on the website so that reports can be sent encrypted
  – Acknowledge receipt of the report and confirm the problem
  – Propose and communicate a schedule for fixing the problem and releasing the outcome
  – No legal threats; they may cause a Streisand effect
  – Offer a bug bounty program or an engagement payment
  – Be transparent with system users
– Green and red report

Reconnaissance
– Whois service: a database that maps allocated IP address ranges and registered domains to their owners
– Attackers can use this information to gain further useful information about their targets, such as administrative employees for social engineering attacks
– Cybersecurity officers can also use this information to contact each other when a problem arises
– Transparency, privacy or security?
– DNS lookup
– Port-scan reports: Shodan.io, censys.io

Cybersecurity Professionals' Faulty Tasks
– Wrong configuration
– No updating
– Security bugs
– Values at stake: security, privacy, due care; negligence

Using AI in Cybersecurity: IDS and TLS
– IDS with TLS interception: the IDS intercepts all encrypted traffic (as a man in the middle) so that it can inspect it
– The network administrator can therefore eavesdrop on encrypted communication
– Values at stake: respect, confidentiality, privacy
– It also decreases the actual security of the encrypted communication: the interception point becomes a single place where all the plaintext is exposed
– An IDS produces a high rate of false positives/false alarms

Security Surveillance in Cybersecurity / Profiling
– Governmental surveillance
– Organisational surveillance
– Profiling "may be used by the police or security agencies to find criminals or terrorists; by airports to decide who to check more carefully" (Yaghmaei et al. 2017: 29–30)
– In profiling, "people are approached, judged or treated in a certain way because these have characteristics that fit a certain profile"
– Values at stake: accountability, privacy, discrimination, democracy

Digital Forensic Investigators
– Disturbing evidence data
– Accessing personal data
– Providing wrong evidence
– Values at stake: privacy, negligence, integrity

Ethical Frameworks in Cybersecurity
– Human rights (the European Convention on Human Rights, ECHR)
– GDPR (General Data Protection Regulation)
– Ethical codes of practice for cybersecurity professionals
– Ethical best practices for cybersecurity professionals

Ethical Code of Conduct for Cybersecurity
UK Cyber Security Council: Code of Ethics for Member Organisations
– Credibility
– Integrity
– Professionalism
– Responsibility and Respect
https://www.ukcybersecuritycouncil.org.uk/

Best Ethical Practices for Cybersecurity Professionals
– Customer data handling: personal data, GDPR
– Information about breaches
– Threat intelligence
– Vulnerability-related information
– Data involved when collaborating with peers
– Special consideration when running penetration tests
– Cybersecurity research groups
– etc.

Questions
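The source code analysis slide introduces fuzzing as feeding an application millions of inputs and watching for unintended behaviour. The following is an added example (the editor's, not from the lecture): a constructed record format, a deliberately unsafe parser that trusts the embedded length fields, a hardened parser that bounds-checks them, and a minimal mutation fuzzer, seeded so that it is reproducible, which distinguishes a controlled rejection (ValueError) from a genuine crash. Run against the unsafe parser it finds a crashing input within a few iterations; against the hardened parser it finds none. The format, both parsers and the mutation strategies are assumptions made for the example.

```python
"""Mutation fuzzing of a toy record parser.

Added example for this lecture, not from the original slides. The record
format, both parsers and the mutation strategies are constructed for the
example; real fuzzers (AFL, libFuzzer and the like) add coverage feedback
and run the target in a separate process so a crash cannot kill the fuzzer.

Constructed record format:
    byte 0   : n, the number of fields
    n times  : one length byte L, then L value bytes
    last byte: checksum, the XOR of all value bytes
"""
import random


def xor_all(fields):
    """XOR of every byte in every field (the record checksum)."""
    acc = 0
    for value in fields:
        for b in value:
            acc ^= b
    return acc


# Constructed valid seed record: fields b"ab" and b"cde", checksum 0x61.
SEED_RECORD = b"\x02" + b"\x02ab" + b"\x03cde" + bytes([xor_all([b"ab", b"cde"])])


def parse_record(data):
    """Unsafe parser: trusts n and every length byte, so a malformed record
    makes it index past the end of the buffer (IndexError) instead of being
    rejected in a controlled way."""
    n = data[0]
    pos = 1
    fields = []
    for _ in range(n):
        length = data[pos]
        fields.append(bytes(data[pos + 1:pos + 1 + length]))
        pos += 1 + length
    if data[pos] != xor_all(fields):
        raise ValueError("bad checksum")
    return fields


def safe_parse_record(data):
    """Hardened parser: every read is bounds-checked and malformed input is
    rejected with ValueError, which callers can catch."""
    if len(data) < 2:
        raise ValueError("record too short")
    n = data[0]
    pos = 1
    fields = []
    for _ in range(n):
        if pos >= len(data) - 1:           # need a length byte plus the checksum
            raise ValueError("truncated field header")
        length = data[pos]
        if pos + 1 + length >= len(data):  # value must leave room for the checksum
            raise ValueError("field length overruns buffer")
        fields.append(bytes(data[pos + 1:pos + 1 + length]))
        pos += 1 + length
    if pos != len(data) - 1:
        raise ValueError("trailing bytes after last field")
    if data[pos] != xor_all(fields):
        raise ValueError("bad checksum")
    return fields


def mutate(rng, data):
    """Apply one random mutation: bit flip, boundary byte, insert or delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        i = rng.randrange(len(buf))
        buf[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])  # boundary values
    elif op == 2 and len(buf) < 64:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed_input, iterations=2000, seed=1, expected=(ValueError,)):
    """Mutate inputs derived from seed_input and feed them to target.

    Exceptions listed in `expected` are controlled rejections and are fine.
    Any other exception is a bug: return a dict describing the first one,
    or None if no crash was found within `iterations` attempts.
    """
    rng = random.Random(seed)
    corpus = [seed_input]
    for i in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        try:
            target(candidate)
        except expected:
            continue
        except Exception as exc:
            return {"iteration": i, "input": candidate, "error": repr(exc)}
        corpus.append(candidate)  # accepted input: keep it as a new starting point
    return None


if __name__ == "__main__":
    print("unsafe parser:", fuzz(parse_record, SEED_RECORD))
    print("hardened parser:", fuzz(safe_parse_record, SEED_RECORD))
```

The point of the `expected` parameter is the one that matters when auditing: a parser that rejects bad input with a documented error is behaving as intended, whereas an unchecked read past the buffer is the Python equivalent of the buffer overflow the slide mentions, and it is exactly what the fuzzer is looking for.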