1. Introduction to cybersecurity, 2013 Slide 1 Cybersecurity: costs and causes

2. Introduction to cybersecurity, 2013 Slide 2 The cybersecurity problem How big a problem is cybersecurity for individuals, businesses and nations? Why is it difficult to make networked systems secure? 3. Introduction to cybersecurity, 2013 Slide 3 The scale of the problem Its a big problem How big ? We really do not know Many surveys on cyber-security related losses but very wide variations and different methodologies 4. Introduction to cybersecurity, 2013 Slide 4 Individuals Cyber fraud Identity theft Cyber bullying and cyber stalking 5. Introduction to cybersecurity, 2013 Slide 5 The Guardian 2013 6. Introduction to cybersecurity, 2013 Slide 6 7. Introduction to cybersecurity, 2013 Slide 7 Businesses Differing estimates: The extent of losses depends on how these losses are measured and what data is collected Industry reluctant to release figures but when they do, they tend to overvalue assets 8. Introduction to cybersecurity, 2013 Slide 8 The Scotsman 2013 deadline.co.uk 2012 9. Introduction to cybersecurity, 2013 Slide 9 The IET 2013 10. Introduction to cybersecurity, 2013 Slide 10 Nations Cyberattacks on critical infrastructures are seen as a critical economic risk by all countries Significant resources now being devoted to cyberdefence 11. Introduction to cybersecurity, 2013 Slide 11 Wall Street Journal, 2013 12. Introduction to cybersecurity, 2013 Slide 12 World Affairs Journal 2013 13. Introduction to cybersecurity, 2013 Slide 13 Why has cybersecurity become such a major problem Scale and ubiquity of the internet Lower level of physical risk to criminals Fundamental business and technical reasons for insecurity 14. Introduction to cybersecurity, 2013 Slide 14 Business reasons Connection of computers to the internet can cut costs, improve the efficiency and responsiveness of business processes and open up new opportunities for interaction. Therefore business has focused on connectivity rather than security 15. Introduction to cybersecurity, 2013 Slide 15 Security is inconvenient and slows down transactions. Businesses have decided to prioritise convenience and usability over security. Accepting the cost of losses through cyber fraud may be a cost-effective strategy 16. Introduction to cybersecurity, 2013 Slide 16 Internet vulnerabilities The Internet was invented in the 1970s as a network between organisations that were trustworthy and which trusted each other The information maintained on their computers was non-commercial and not thought to be of interest to others 17. Introduction to cybersecurity, 2013 Slide 17 Consequently, security was not a factor in the design of internet protocols, practices and equipment. Security slows things down so efficiency was prioritized 18. Introduction to cybersecurity, 2013 Slide 18 These protocols made it easy for the Internet to be universally adopted in the 1990s However, the problems can only be properly addressed by a complete redesign of Internet protocols, which is probably commercially impractical. 19. Introduction to cybersecurity, 2013 Slide 19 Internet vulnerabilities Unencypted traffic by default Packets can be intercepted and the contents read by anyone who intercepts these packets 20. Introduction to cybersecurity, 2013 Slide 20 Internet vulnerabilities DNS system Possible to divert traffic from legitimate to malicious addresses Easy to hide where traffic has come from Domain name servers vulnerable to DoS attacks 21. Introduction to cybersecurity, 2013 Slide 21 Internet vulnerabilities Mail protocol No charging mechanism for mail Hence spam is possible 22. Introduction to cybersecurity, 2013 Slide 22 Technology is not the only problem Internet vulnerabilities make possible some kinds of cyber-attack but it is important to remember that cybersecurity is a socio-technical systems problem Problems almost always stem from a mix of technical, human and 23. Introduction to cybersecurity, 2013 Slide 23 Risk classification Risks due to actions of people Risks due to hardware or software Risks due to organisational processes 24. Introduction to cybersecurity, 2013 Slide 24 Actions of people Deliberate or accidental exposure of legitimate credentials to attackers Failure to maintain secure personal computers and devices 25. Introduction to cybersecurity, 2013 Slide 25 Insider corruption or theft of data Preference for convenience and usability over security Weak passwords set because they are easy to remember and quick to type 26. Introduction to cybersecurity, 2013 Slide 26 Hardware and software Misconfigured firewalls and mail filters Programming errors and omissions in software lead to malicious penetration Buffer overflow attacks SQL poisoning attacks 27. Introduction to cybersecurity, 2013 Slide 27 Organisational processes No established process and checks for updating and patching software Lack of security auditing Lack of systematic backup processes 28. Introduction to cybersecurity, 2013 Slide 28 Summary Cyber attacks are a major cost for business, government and individuals. But quantifying this cost is difficult. The Internet was not designed as a secure network and making it secure is practically impossible To make systems useable, people take actions that introduce vulnerabilities into sociotechnical systems.