Cyber Security Challenges Prof.dr.ir. Jan van den Berg (email: [email protected]) Cyber Security Chair TUDelft/Leiden University/Cyber Security Academy Natuurkundig Gezelschap Middelburg, 23-03-2018


Agenda

▪ Why cyber security?

▪ Conceptualization of Cyberspace

▪ Cyber Security Challenges

▪ Dealing with the challenges

▪ Case study: privacy-security dilemma

▪ Conclusions


Our complex society is a “society at risk” (U. Beck)


21st century: smart digitization


Stuxnet, first example of cyber warfare


NSA espionage

Citizenfour: E. Snowden

Internet espionage: NRC (economy news 2-3-2015)


Cybercrime ex.

▪ Case of Silk Road (started by Ross Ulbricht alias Dread Pirate Roberts):

• “Silk Road was an online black market and the first modern darknet market, best known as a platform for selling illegal drugs”

• “Was operated as a Tor hidden service, such that online users were able to browse it anonymously and securely without potential traffic monitoring”

• Ulbricht was sentenced to “two for life imprisonment” (sic!)

• More recent cases: AlphaBay and Hansa


Energy blackout: Ukraine, 23-12-2015

• 225.000 customers affected [source]

• VPN networks and administrative tools at OS level were used for intruding into the energy ICS systems (malware delivered via spear phishing emails)


Swift hack

▪ Febr. 2016: perpetrators attempted to steal $951 million from the Bangladesh central bank's account [source], based on stolen user data

Googling for videos: a few wake-up calls

▪ click here for several examples of Privacy Breaches

▪ click here for a Cyber Warfare video (on drones/UAVs)

▪ click here for general background of the Deep Web

▪ click here for top 10 disturbing discoveries on the Dark Web

▪ click here for a video on Wikileaks, a type of Cyber Protesting

▪ click here for an example of ICS vulnerabilities

▪ click here for a video on the Cyber Warfare incident Stuxnet

▪ click here for an Information Security Breach in Healthcare

▪ click here for more background info on PRISM (NSA activities)

▪ click here for an example of remotely hacking a car

Cyber incidents, con’t.

• Ashley Madison, a site enabling extramarital affairs (“Life is short. Have an affair.”), was hacked by “The Impact Team” (July 2015)

• Actually, a continuous, endless list of incidents!

• Another conclusion (from the many incidents): any targeted attack can be successful (sic!) provided enough motivation, means, and time are (made) available…

State(-sponsored) cyber attacks

• Stuxnet (see above)

• NSA e-espionage (see above)

• Cyber attacks on elections: information warfare to harm democratic candidate Hillary Clinton

• Will this become common practice??

One of the biggest DDOS attacks

• IoT will be the future?: “a botnet of millions of infected devices was used to launch the biggest DDoS attack known to date (Sept. 2016), with peaks of over 1 Tbps of traffic”

• IoT devices strongly enhance the ‘attack surface’

Other Cyber(space) Incidents 1

▪ Heartbleed: ‘worst vulnerability ever’ (2014; in OpenSSL)

▪ Great Bank Robbery (Carbanak): ‘biggest ever cybercrime’ (1 billion dollars, 2015, global)

▪ IS TV4 attack: ‘TV5Monde went black’ (2015)

▪ Wikileaks Revelations: ‘secret hacking tools: IoT’ (democratic control?, 2017)

Other Cyber(space) Incidents 2

WannaCry: initially affected countries

▪ WannaCry (2017): within a day 230.000 Microsoft computers were infected in 150 countries (ransom to be paid in bitcoin cryptocurrency; the exploit was discovered by the NSA and used for cyber weapons; Microsoft also discovered it and released a patch, which was often not implemented → wide spread of the worm)

▪ Compare Petya (2016/17): the container terminal of Maersk in the port of Rotterdam went down: 300M loss (worldwide impact!!!!)

NCSC Cyber Security Report 2017

Key findings:

1. Professional criminals and state actors continue to be the most significant threat and inflict most damage

2. Digital attacks are being used to influence democratic processes

3. The vulnerability of the Internet of Things has resulted in disruptive attacks that endorse the need to enhance digital resilience

4. Many organisations are dependent on a limited number of foreign digital infrastructure service providers which means that the social impact of disruption is large

5. The resilience of individuals and organisations is lagging behind the increasing threat


Quotes from Dick Schoof (NCSC) on recent DDoS attacks [source]

▪ “DDoS attacks are more advanced than before”

▪ About attackers: “It can be a state, but also a criminal or a group of whizzkids” (original Dutch: “Het kan een land zijn, maar ook een crimineel of een groepje whizzkids”) → attribution problem

▪ Current attacks carry low risks: Minister of Finance Hoekstra stressed today (29/1) that the “DDoS attacks pose no danger to payment traffic / customers' personal data.”

▪ “The financial sector is one of the vital sectors within Dutch society and therefore has our full attention”, this minister also said → But what does this really mean?

Discussion

▪ What are the (possible) high-impact cyber incident types

▪ at home?

▪ in your organization?

▪ in society?


Agenda

▪ Why cyber security?

▪ Conceptualization of Cyberspace

▪ Cyber Security Challenges

▪ Dealing with the challenges

▪ Case study: privacy-security dilemma

▪ Conclusions


Two (relatively) recent definitions

▪ ISO27032 (guidelines for cybersecurity, 2012):

▪ Cyberspace = ‘the complex environment resulting from the interaction of people, software and services on the Internet, supported by worldwide distributed physical information and communications technology (ICT) devices and connected networks’ (→ italics of ‘complex environment’ by me… but still rather vague!)

▪ Cybersecurity = ‘the preservation of confidentiality, integrity and availability of information in the cyberspace’ (→ missed opportunity!)

Vision: Cyberspace = 5th domain

▪ Cyberspace is the complex, manmade system at global scale, deeply embedded in the four physical domains of land, water, air and space, that enables cyber activities = IT-enabled activities (key assets!)

▪ Characteristics:

▪ high speed global connectivity (→ individual organizations)

▪ huge distributed data processing power (including millions of intelligent systems taking decisions autonomously → passive information)

▪ huge data storage capabilities: we now talk about big & open data

▪ with almost 3 billion human actors in different roles worldwide

▪ with > 14 billion (intelligent) devices and systems connected

Cyber activities of all kind…

Basic cyber activities (= IT-enabled activities)

▪ Communication: sms, email, chat, whatsapp, skype, voip, twittering, …

▪ Information retrieval: news, weather forecast, public transportation, crises, …

▪ Watching: movies, sporting events, television, youtube, …

▪ Listening: radio, music, spotify, …

More advanced cyber activities

▪ ‘Searching’: google searching, wikipedia, route planning, translating, …

▪ (Automatic) transacting: e-shopping, e-trading, e-payments, e-procurement, holiday planning, tax returns, e-marketplaces, e-voting, crowd sourcing/funding, …

▪ Social gathering: Facebook, LinkedIn, e-dating, 2nd love, sexting, gambling, …

▪ Rating & Ranking: top web-sites, universities, hotels, services, …

Cyber activities of all kind, con’t.

More advanced cyber activities, cont.

▪ Educating: MOOCs, e-learning, e-coaching …

▪ Monitoring and surveillance activities: sensoring, detecting, using drones, …

▪ Controlling critical infrastructures: energy & water supply, transport, chemical processing, flood defence, …

▪ Cyber protesting: activism including fundraising, community building, lobbying, organizing

Less favourable cyber activities

▪ Cyber crime (dark markets): financial fraud, theft, hacking, child pornography, e-espionage, cyber bullying, sale of drugs/guns/…, illegal downloads, …

▪ Cyber warfare: intelligence, defense, attack ~ Cyber Operations: NSA, drones, hacking, attacking, cracking, information warfare …

Note: cyber activities provide semantics to data processing (!!!)

Discussion

▪ What are the key cyber activities (‘crown jewels’) in your organization/personal environment/society?

Decomposing cyberspace in layers

Technical layer:

▪ IT services ~ information security ~ CIA(A)

Socio-tech layer:

▪ cyber activities ~ cyber security ~ personal/business/societal goals

Governance layer:

▪ governance & management ~ rules & regulations (for other layers) ~ cyber risk appetite, ethics & compliance

- Cyber sub-domains: examples in figure!

- Stakeholder groups: end-users, organisations, sectors, states, continents

Agenda

▪ Why cyber security?

▪ Conceptualization of Cyberspace and Cyber Security, revisited

▪ Cyber Security Challenges

▪ Dealing with the challenges (with examples)

▪ Case study: privacy-security dilemma

▪ Conclusions

Basic challenge

As actors in the (new 5th) domain of cyberspace, we have to learn how to behave ‘competently’

Cyber security struggling

• As end-user

▪ How to protect my PC?

▪ How to educate (my) children?

• As (board) member of a company

▪ Which specialists, how to organize them?

▪ Should we start a SOC?

• As decision maker about critical infrastructures

▪ How far can we develop the smart grid?

▪ What about the cyber security of automated car control?

▪ Is distant-control for gas supply/flood defense acceptable?

Cyber security struggling, cont’d

• As crisis manager

▪ What to do? Who should I contact?

▪ Which information to make public?

• As police officer

▪ What happens in the dark web?

▪ Which tools to use for catching the unknown attacker/criminal?

• As politician

▪ Which rules & regulations to put in place?

▪ Which institutions, which responsibilities?

Securing Cyberspace = Cyber Security = Executing Cyber Risk Management

Risk mgt:

1. Risk assessment of cyber activity breaches

2. Reduction of cyber risks to ‘acceptable levels’

3. Taking a set of adequate security measures

Balancing preventive and repressive measures in different layers

▪ Technical layer: …

▪ Socio-tech layer: …

▪ Governance layer: …

aligned over all cyber sub-domains

• …

• …

together securing cyberspace = securing the cyber activities of all actors

Ex. 1: Preventing identity fraud during login

Focus: secure authentication

1. Technical layer: enforce technically (logically) the use of strong passwords only

2. Cyber Activity (behavior) layer: use only strong passwords yourself

3. Governance layer: recommend strong / forbid weak passwords
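What the technical-layer measure of Ex. 1 looks like in code: a policy check that a registration or password-change handler runs before accepting a password, so that the governance rule (“forbid weak passwords”) is enforced by the system rather than left to the user's behavior. This is an added example written for this transcript, not material from the lecture; the thresholds (12 characters, 3 of 4 character classes) and the tiny blocklist are constructed assumptions, and a real deployment would check against a large breached-password list instead of the inline set.

```python
"""Technical-layer enforcement of a strong-password policy (added example).

All thresholds and the blocklist below are assumptions for illustration; a
production system would consult a breached-password corpus instead of the
small inline set, and would never log the password value it is checking.
"""
import re
import string
from typing import List

MIN_LENGTH = 12            # assumption: 12-character minimum
MIN_CHARACTER_CLASSES = 3  # assumption: at least 3 of the 4 classes below

# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "welkom01", "letmein",
}

# Fold the usual digit/symbol substitutions so "P@ssw0rd1" is caught as "password1".
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s", "!": "i",
})


def _normalize(pw: str) -> str:
    """Lower-case and de-leet a password for blocklist comparison."""
    return pw.lower().translate(LEET_MAP)


NORMALIZED_COMMON = {_normalize(p) for p in COMMON_PASSWORDS}

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def password_violations(password: str, username: str = "") -> List[str]:
    """Return every policy rule the password breaks; an empty list means accepted."""
    problems: List[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes_used = sum(any(ch in pool for ch in password) for pool in CHARACTER_CLASSES)
    if classes_used < MIN_CHARACTER_CLASSES:
        problems.append(f"uses only {classes_used} of 4 character classes")

    normalized = _normalize(password)
    if password.lower() in COMMON_PASSWORDS or normalized in NORMALIZED_COMMON:
        problems.append("matches a common/breached password")

    # Reject passwords built around the account name (a frequent guessable pattern).
    if len(username) >= 3 and username.lower() in normalized:
        problems.append("contains the username")

    # Three identical characters in a row is a cheap keyboard-mashing signal.
    if re.search(r"(.)\1\1", password):
        problems.append("contains a run of three identical characters")

    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    """Convenience wrapper for the accept/reject decision at the login boundary."""
    return not password_violations(password, username)


if __name__ == "__main__":
    # Constructed sample inputs; the username is a placeholder.
    for candidate in ("P@ssw0rd1", "Zeeland-Middelburg-2018!", "Middelburggg2018!"):
        print(candidate, "->", password_violations(candidate, username="jan") or "accepted")
```

The check returns the list of broken rules rather than a bare boolean so the registration form can tell the user which rule failed without the server ever storing or logging the candidate password.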


Ex. 2: Preventing/Detecting infection by USB sticks

Focus: malware infection

1. Technical layer:

▪ disable use of USB sticks

▪ check for malware injection via USB sticks

2. Cyber Activity (behavior) layer: stop using USB sticks

3. Governance layer: forbid use of USB sticks

Modern conceptualization of (Cyber) Risk

▪ Next to the possibility/likelihood of negative impact, risks might also be interpreted in a positive sense:

▪ “Risk is the potential of gaining or losing something of value”

▪ So,

▪ aligning business opportunities and cyber risks,

▪ i.e., security by design,

are key issues → also invites more cyber security funding

Cyber Risk Management Cycle

▪ Repeat ‘forever’ (in all ‘relevant’ cyber sub-domains: wow!)

▪ Identify the critical cyber activities

▪ Identify & assess their cyber risks (= potential gains & losses)

▪ Define acceptable cyber risk levels

▪ Decide way(s) of dealing with the risks

▪ Design & Implement cyber risk measures

▪ Monitor effectiveness.


Discussion

▪ To what extent is the cyber risk management cycle implemented in your organization/country?

Conditio-sine-qua-non for adequate risk management

▪ Creating Cyber Situational Awareness in

▪ socio-technical layer (cyber activities by people & intelligent systems)

▪ technical layer (in terms of IT-processes and -communication)

▪ Includes

▪ attackers

▪ cyber crime (dark web)

▪ in short: cyber attacks

▪ Creates

▪ privacy-security dilemma

▪ security-compliance dilemma


Agenda

▪ Why cyber security?

▪ Conceptualization of Cyberspace and Cyber Security, revisited

▪ Cyber Security Challenges

▪ Dealing with the challenges

▪ Case study: privacy-security dilemma

▪ Conclusions


Possibilities at technical layer (always cyber-risk related!)

▪ Prevention (security by design): secure hardware & software at all ICT layers (secure architecture, secure software engineering, backups, pentesting, certification, …) including for IoT, autonomous cars, smart electricity grid, smart flood defense, healthcare, …., critical infra’s, etc. (also includes secure behavior enforcement, in layer 2, e.g. by training)

▪ Repression (since no 100% security by design possible):

▪ Monitoring & detection in IT-systems: scanning the dark web/social network sites, anti-virus software, anomaly detection (e.g. in financial transactions), SOCs, malware detection (e.g. via reverse engineering, data analytics), …

▪ Recovery from incidents: by returning to previous safe states, crisis mgt

Possibilities at the governance layer (cyber-risk related!)

▪ It is about influencing

▪ cyber behavior (socio-technical layer 2) and IT (technical layer 1)

▪ Lessig’s four modalities of regulation [source]

1. laws, rules, policies, regulations in organizations, states, countries, … (relates to education, awareness raising, compliance, alignment of national cyber strategies, rules & regulations (PhD-research), …: layer 2)

2. informal societal rules (different per culture: layer 2)

3. economic incentives (competition, transparency, externalities: layer 2)

4. architecture (physical, IT functionality: layer 1)

Discussion point

▪ How can diplomats play a role in aligning international cyber security challenges, e.g., related to

▪ Dealing with the Global Cyber Security Risks (related to state-sponsored attacks, information/cyber warfare, mafia in the dark-web, critical infrastructures, …)

▪ Combatting the power of the “big five” (Facebook, Google, Amazon, Microsoft, Apple)?

▪ Inspiration/Compare: global efforts to deal with nuclear threats/risks

Cyber Security: are we making progress?

▪ Q: are we making progress in society to deal with cyber security?

▪ What’s different from a few years ago?

▪ First recent illustrative example:

▪ HANSA case (compare the earlier SILK ROAD marketplace case):

▪ THTC took over the website (by making a copy running in The Netherlands) and installed monitoring software (very different from the classical SILK ROAD take-down)

▪ Many malicious actors (e.g. drug sellers) could be identified → high impact

▪ Close cooperation with law enforcement in other countries

▪ Analyze yourself the information on the webpage (e.g., w.r.t. legality): https://www.wired.com/story/hansa-dutch-police-sting-operation/

Cyber Security: are we making progress?, con’t.

▪ Second recent illustrative example: SCR/SCC advice on IoT

▪ IoT: “Network of smart devices, sensors and other objects that collect data from their environment, exchange them and take actions affecting their environment”

▪ Opportunities are manifold

▪ Threats relate to “security and privacy”: e.g. DDoS attack of the Mirai botnet

▪ Main challenges: to deal with

▪ insufficient security of IoT devices → network security problem

▪ huge data collection capabilities → privacy-related problems, a.o.

▪ liabilities (in different national legal regimes) are far from clear

Agenda

▪ Why cyber security?

▪ Conceptualization of Cyberspace and Cyber Security, revisited

▪ Cyber Security Challenges

▪ Dealing with the challenges (with examples)

▪ Case study: privacy-security dilemma

▪ Conclusions


Case Study: (Cyber) Security versus Privacy

▪ Fundamental Right of Privacy

versus

▪ Governmental ability/responsibility to secure society including cyberspace

▪ Privacy: “ability of an individual or group to seclude themselves, or information about themselves …” [1]

▪ Social Contract: “the legitimacy of the authority of the state over the individual” [2]

Theory of Social Contract

• “Individuals have consented, either explicitly or tacitly, to surrender some of their freedoms and submit to the authority of the ruler or magistrate (or to the decision of a majority), in exchange for protection of their remaining rights” [2]

• Examples in the physical world

▪ paying taxes in exchange for …

▪ decision making rights in exchange for …

▪ right to use violence in exchange for …

▪ privacy breaching actions by police (e.g. “huiszoeking”, house search) in exchange for …

• Condition: Ruler/Magistrate/Government should act “properly”

Application (in Cyberspace) and Discussion

▪ What privacy in cyberspace are you willing to give up in exchange for protection by “government”, by analyzing the risks (!) related to

▪ availability of child pornography (at the WWW)

▪ selling of illegal goods, hard drugs, guns, malware, … (at the dark web)

▪ detection of possible terroristic attacks

▪ cyber stalking, cyber bullying

▪ proper energy supply, water supply, flood defense, and other CIs

▪ cyber espionage & cyber warfare by other countries

▪ How should the government behave in terms of

▪ transparency of their activities

▪ effective use of resources

▪ cooperation with private partners (ISPs, Google, Facebook, …)

Agenda

▪ Why cyber security?

▪ Conceptualization of Cyberspace and Cyber Security, revisited

▪ Cyber Security Challenges

▪ Dealing with the challenges (with examples)

▪ Case study: privacy-security dilemma

▪ Conclusions


Conclusions (Agree?)

▪ Cyberspace = space of cyber activities = IT-enabled activities

▪ Cyber security (= Securing Cyberspace) is a societal problem having technical/legal/economical/institutional/international relations/ethical, … perspectives: concerns both behavior- and IT-related approaches!

▪ Goal of cyber security: reducing cyber risks to acceptable levels, in alignment with business/societal/organisational/personal interests

▪ Starts with identifying all relevant cyber activity opportunities and risks

▪ Level of cyber risks and chosen cyber risk appetite determine what measures are appropriate

▪ Everyone can and has to contribute!

Summary

▪ Please, watch our new CSA-video:

https://www.youtube.com/watch?v=baPyGS7yGkU


Interested in a MSc Cyber Security??

▪ 4TU MSc program (2 years full-time) for regular students:

▪ link to MSc theses

▪ CSA MSc program (2 years part-time) for executive professionals:

▪ link to MSc theses

▪ program set-up on next slide

▪ New MSc program Cyber Security Engineering (2 years part-time) for technical professionals (starting Sept. 2018)