The Economic Impact of Cyber Attacks: The Global Picture (Chapter 9)


1 The Economic Impact of Cyber Attacks: The Global Picture (Chapter 9)

NEW: Final Project deadline: December 7, 2:00 am,

3 Risk Assessment
RISK: Threats, Vulnerabilities, Consequences

4 Risk Management Framework (Business Context)
- Understand Business Context
- Identify Business and Technical Risks
- Synthesize and Rank Risks
- Define Risk Mitigation Strategy
- Carry Out Fixes and Validate
- Measurement and Reporting

5 Allocating Resources
- Limited resources
- Acceptable level of risk
- Tie technical risk to business risk

6 Making a Business Case
- Description of the problem
- List of possible solutions
- Constraints on solving the problem
- List of underlying assumptions
- Analysis of each alternative, including risks, costs, and benefits
- Summary of why the proposed investment is good

7 Influences on Cyber Security Investment Strategy
- Regulatory requirements
- Network history or IT staff knowledge
- Client requirements
- Results of internal or external audit
- Response to current events
- Response to compromised internal security
- Reaction to external mandate or request

8 Determining Economic Value
- Many different ways to determine value:
  - Internal rate of return
  - Return on investment
  - Net present value
- Investment analysis: best way to allocate capital and human resources
- Accounting measures are inappropriate for evaluating information security investments

9 Quantifying Security
- Difficult problem
- Not fully understood
- Limited historical data to estimate likelihood
- Attacks that are possible but haven't happened
- Threat estimation uses:
  - Number and types of assets needing protection
  - Number and types of vulnerabilities that exist in a system
  - Number and types of likely threats to a system
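The three slides above (risk as threats, vulnerabilities and consequences; IRR, ROI and NPV as value measures; quantifying security per asset) can be tied together in one calculation. The following is an added example, not code from the lecture: it models risk per asset as likelihood times consequence and values a control that lowers those likelihoods, using constructed asset names, probabilities, dollar figures and a hypothetical control.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    likelihood: float   # probability of a successful attack per year (assumed)
    consequence: float  # loss in dollars if the attack succeeds (assumed)

def expected_annual_loss(assets, likelihood=None):
    """Risk as likelihood x consequence, summed over assets.
    `likelihood` may override per-asset probabilities (e.g. after a control)."""
    return sum((likelihood or {}).get(a.name, a.likelihood) * a.consequence
               for a in assets)

def npv(rate, cashflows):
    """Net present value; cashflows[0] is the up-front cost at time 0."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cashflows))

def irr(cashflows, lo=-0.99, hi=10.0, iters=200):
    """Internal rate of return: bisection on npv(rate) == 0 within [lo, hi]."""
    if npv(lo, cashflows) * npv(hi, cashflows) > 0:
        return None  # no sign change, so IRR is undefined in this bracket
    for _ in range(iters):
        mid = (lo + hi) / 2
        if npv(lo, cashflows) * npv(mid, cashflows) <= 0:
            hi = mid
        else:
            lo = mid
    return (lo + hi) / 2

def evaluate_control(assets, reduced, cost, upkeep, years, rate):
    """Value a control that lowers attack likelihoods to `reduced`.
    Returns (annual loss avoided, ROI over the horizon, NPV, IRR)."""
    benefit = expected_annual_loss(assets) - expected_annual_loss(assets, reduced)
    cashflows = [-cost] + [benefit - upkeep] * years
    roi = (sum(cashflows[1:]) - cost) / cost
    return benefit, roi, npv(rate, cashflows), irr(cashflows)

# Constructed sample: two assets and a hypothetical control (e.g. MFA plus monitoring)
ASSETS = [Asset("customer_db", 0.20, 500_000), Asset("web_portal", 0.50, 100_000)]
REDUCED = {"customer_db": 0.05, "web_portal": 0.20}

def run_example():
    """Business-case figures (assumed): $150k up front, $25k/yr upkeep, 3 years, 10% rate."""
    return evaluate_control(ASSETS, REDUCED, cost=150_000, upkeep=25_000,
                            years=3, rate=0.10)

if __name__ == "__main__":
    benefit, roi, value, rate = run_example()
    print(f"loss avoided/yr ${benefit:,.0f}  ROI {roi:.0%}  "
          f"NPV ${value:,.0f}  IRR {rate:.1%}")
```

The likelihood figures are the weak link, exactly as the slide warns: with little historical data they are estimates, so a practitioner would rerun `evaluate_control` over a range of likelihoods rather than trust a single NPV.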

10 Data to be Protected
- National and global data
- Enterprise data
- Technology data
- Social vulnerability

11 Real Cost of Cyber Attack
- Damage to the target may not reflect the real amount of damage
- Other services may rely on the attacked service, causing cascading and escalating damage
- Need: support for decision makers to
  - Evaluate risk and consequences of cyber attacks
  - Support methods to prevent, deter, and mitigate consequences of attacks
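The cascading damage described on this slide can be estimated by walking the dependency graph of services. This is an added example, not part of the lecture: the service names, dependency edges, hourly loss figures and outage length are all constructed for illustration.

```python
from collections import deque

# depends_on[service] = services it needs in order to operate (constructed sample)
DEPENDS_ON = {
    "auth": [],
    "db": [],
    "payments": ["auth", "db"],
    "storefront": ["auth", "payments"],
    "reporting": ["db"],
}
# loss per hour of downtime for each service, in dollars (constructed)
HOURLY_LOSS = {"auth": 2_000, "db": 3_000, "payments": 15_000,
               "storefront": 40_000, "reporting": 500}

def dependents(depends_on):
    """Invert the graph: rev[s] = services that rely directly on s."""
    rev = {s: [] for s in depends_on}
    for svc, needs in depends_on.items():
        for n in needs:
            rev[n].append(svc)
    return rev

def affected_services(target, depends_on):
    """The target plus everything that transitively depends on it,
    found by breadth-first search over the inverted graph."""
    rev = dependents(depends_on)
    seen, queue = {target}, deque([target])
    while queue:
        svc = queue.popleft()
        for d in rev[svc]:
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return seen

def attack_cost(target, outage_hours, depends_on=DEPENDS_ON, hourly_loss=HOURLY_LOSS):
    """Return (direct_cost, real_cost, affected) for an outage of `target`:
    direct counts only the target, real counts every service taken down."""
    affected = affected_services(target, depends_on)
    direct = hourly_loss[target] * outage_hours
    real = sum(hourly_loss[s] for s in affected) * outage_hours
    return direct, real, sorted(affected)

if __name__ == "__main__":
    for svc in DEPENDS_ON:
        direct, real, hit = attack_cost(svc, outage_hours=4)
        print(f"{svc:11s} direct=${direct:>8,} real=${real:>9,} "
              f"multiplier={real / direct:4.1f}x affected={hit}")
```

In this sample a four-hour outage of the cheap-looking `auth` service costs 28 times its own hourly figure once `payments` and `storefront` are counted, which is the gap between target damage and real damage the slide refers to.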

Legal and Ethical Issues in Computer Security

CSCE Farkas 13
- Pfleeger: Chapter 11

CSCE Farkas 14 Law and Computer Security
- International, national, state, and city laws: affect privacy and secrecy
- Laws: regulate the use, development, and ownership of data and programs
- Laws: affect actions that can be taken to protect the secrecy, integrity, and availability of computing resources

CSCE Farkas 15 Lack of Legislation
- Reactive procedures
- Improper acts not addressed
- Lack of technical expertise among legal personnel

CSCE Farkas 16 Protection of Computer Systems
- Protecting computing systems against criminals
- Protecting code and data
- Protecting programmers' and employers' rights
- Protecting users of programs

CSCE Farkas 17 Protecting Programs and Data
- Copyright
- Patents
- Trade secrets
- Protection for computer objects

CSCE Farkas 18 Copyrights
- Protect the expression of ideas
- 1978: U.S. copyright law
- Updated in 1998: Digital Millennium Copyright Act (DMCA), which deals with computers and other electronic media
- Gives the copyright holder the exclusive right to make copies of the expression and sell them to the public
- Simple procedure to register copyright
- U.S. copyright expires 70 years beyond the death of the last surviving holder

CSCE Farkas 19 Intellectual Property
- Copyright
  - Does not cover the idea being expressed
  - Applies to original work, which must be in some tangible medium of expression
  - Originality of work!

CSCE Farkas 20 Fair Use
- The purchaser has the right to use the product in the manner for which it was intended and in a way that does not interfere with the author's rights.
- Piracy
- First sale
- Copyright infringement

CSCE Farkas 21 Copyright for Digital Objects
- Digital Millennium Copyright Act
  - Digital objects can be copyrighted
  - It is a crime to circumvent or disable anti-piracy functionality
  - It is a crime to manufacture, sell, or distribute devices that disable anti-piracy functionality or that copy digital objects
  - Exempt: when used for educational and research purposes
  - It is legal to make a backup to protect against loss
  - Libraries can make three backups

Patent
- What can be patented?

CSCE Farkas 23 Patents
- Protect inventions: results of science, technology, and engineering
- Requirement of novelty
  - Truly novel and unique
  - Only one patent for a given invention
  - Non-obvious
- U.S. Patent and Trademark Office: registers patents
- Patent attorney: verifies that the invention has not been patented and identifies similar inventions

CSCE Farkas 24 Patent Infringement
- Copyright: holder can decide which violations to prosecute
- Patent: all violations must be prosecuted or the patent can be lost
- Suing for patent infringement may cause the patent owner to lose the patent. The infringer may argue that:
  - This isn't infringement (different inventions)
  - The patent is invalid (a prior infringement was not opposed)
  - The invention is not novel
  - The infringer invented the object first

CSCE Farkas 25 Trade Secret
- Information that gives one company a competitive edge over the others
- Must always be kept secret
- If someone obtains it improperly, the owner can recover:
  - Profits
  - Damages
  - Lost revenues
  - Legal costs
- Reverse engineering!

CSCE Farkas 26 Protection of Computer Objects
- Look at Table 11-1 on page 660 to compare copyright, patent, and trade secret
- Protecting hardware, firmware, object code software, source code software, documentation, web content, domain names, etc.

CSCE Farkas 27 Computer Crime
- Least clear area of law in computing
- Separate category for computer crime
- No access to the physical object
  - Is it a serious crime?
- Rules of evidence
  - How to prove authenticity?
- Threats to integrity and confidentiality
  - How to measure loss of privacy?
- Value of data
  - How to measure it?

CSCE Farkas 28 Why Is Computer Crime Hard to Prosecute?
- Lack of understanding
- Lack of physical evidence
- Lack of recognition of assets
- Lack of political impact
- Complexity of the case
- Age of the defendant

CSCE Farkas 29 Laws for Computer Crime
- U.S. Computer Fraud and Abuse Act
- U.S. Economic Espionage Act
- U.S. Electronic Fund Transfer Act
- U.S. Freedom of Information Act
- U.S. Privacy Act
- U.S. Electronic Communication Privacy Act
- HIPAA
- USA Patriot Act
- CAN SPAM Act

CSCE Farkas 30 Ethical Issues
- Ethic: objectively defined standard of right and wrong
- Ultimately, each person is responsible for deciding what to do in a specific situation
- Ethical positions can and often do come into conflict

CSCE Farkas 31 Ethics vs. Law

Law                               | Ethics
----------------------------------|------------------------------------------------------------
Formal, written document          | Unwritten principles
Interpreted by courts             | Interpreted by each individual
Established by legislatures       | Presented by philosophers, religious and professional groups
Applicable to everyone            | Personal choice
Priority decided by court         | Priority determined by individual
Court makes final decision        | No external decision maker
Enforceable by police and courts  | Limited enforcement

It is a Risky World

CSCE Farkas 33 Reading List
- Pfleeger: Chapter 8

CSCE Farkas 34 Vulnerabilities
- Security objectives:
  - Prevent attacks
  - Detect attacks
  - Recover from attacks
- Attacks: against weaknesses in the information systems
- Need: find weaknesses

CSCE Farkas 35 Identifying and Eliminating Weaknesses
I. Vulnerability monitoring
II. Secure system development
III. User training and awareness
IV. Avoiding single point of failure

CSCE Farkas 36 I. Keeping up with Security Publications
- Legal publications: how to remove vulnerabilities
  - CERT advisories
  - SANS Security Digest
- Hacker publications: "how to" exploit known vulnerabilities
- Security mailing lists

CSCE Farkas 37 II. Building Secure Systems
- 1960s: US Department of Defense (DoD) concern over the risk of unsecured information systems
- 1981: National Computer Security Center (NCSC) at the NSA
- DoD Trusted Computer System Evaluation Criteria (TCSEC), known as the Orange Book

CSCE Farkas 38 II. Orange Book
- Orange Book objectives:
  - Guidance on what security features to build into new products
  - Provide a measurement to evaluate the security of systems
  - Basis for specifying security requirements
- Security features and assurances
- Trusted Computing Base (TCB): the security components of the system

CSCE Farkas 39 II. Orange Book Levels
Highest security:
- A1 Verified Protection
- B3 Security Domains
- B2 Structured Protection
- B1 Labeled Security Protection
- C2 Controlled Access Protection
- C1 Discretionary Security Protection
- D Minimal Protection
No security.

CSCE Farkas 40 II. Orange Book Classes
- C1, C2: simple enhancement of existing systems. Does not break applications.
- B1: relatively simple enhancement of existing systems. May break some applications.
- B2: major enhancement of existing systems. Will break many applications.
- B3: failed A1
- A1: top-down design and implementation of a new system from scratch.
(from lecture notes of Jajodia)

41 II. NCSC Rainbow Series
- Orange: Trusted Computer System Evaluation Criteria
- Yellow: Guidance for applying the Orange Book
- Red: Trusted Network Interpretation
- Lavender: Trusted Database Interpretation

CSCE Farkas 42 II. European Criteria
- German Information Security Agency: German Green Book (1988)
- British Department of Trade and Industry and Ministry of Defence: several volumes of criteria
- Canada, Australia, France: work on evaluation criteria
- 1991: Information Technology Security Evaluation Criteria (ITSEC)
  - For the European community
  - Decoupled features from assurance
  - Introduced new functionality requirement classes
  - Accommodated commercial security requirements

CSCE Farkas 43 II. United States
- January 1996: Common Criteria
- Joint work with Canada and Europe
- Separates functionality from assurance
- Nine classes of functionality: audit, communications, user data protection, identification and authentication, privacy, protection of trusted functions, resource utilization, establishing user sessions, and trusted path.
- Seven classes of assurance: configuration management, delivery and operation, development, guidance documents, life cycle support, tests, and vulnerability assessment.

CSCE Farkas 44 II. Common Criteria
- Evaluation Assurance Levels (EAL)
  - EAL1: functionally tested
  - EAL2: structurally tested
  - EAL3: methodologically tested and checked
  - EAL4: methodologically designed, tested and reviewed
  - EAL5: semi-formally designed and tested
  - EAL6: semi-formally verified and tested
  - EAL7: formally verified design and tested

CSCE Farkas 45 II. National Information Assurance Partnership (NIAP)
- 1997: National Institute of Standards and Technology (NIST), National Security Agency (NSA), and industry
- Aims to improve the efficiency of evaluation
- Transfers methodologies and techniques to private sector laboratories
- Functions: developing tests, test methods, and tools for evaluating and improving security products; developing protection profiles and associated tests; establishing a formal and international scheme for the CC.

CSCE Farkas 46 Next Class
- Current issues and future trends
- Class discussion