Professional Documents
Culture Documents
Vulnerabilities of New Technologies and The Protection of Cni
Vulnerabilities of New Technologies and The Protection of Cni
Abstract
New information technologies are unavoidable factor in modern world as
they are changing it both in technological and in communication aspect.
Unfortunately, despite the opening of new possibilities, both aspects of
changes have brought about vulnerabilities which cannot be ignored. These
vulnerabilities directly affect security state in the systems where ICT is be-
coming dominant information and communication platform. Therefore,
critical infrastructure security as the key element of national security today
is to a great extent determined by ICT security as its component. Thus, ICT
vulnerabilities are directly spread to critical infrastructure in which they are
built and whose abuse is only a matter of time. It is not only terrorists who
should be regarded as a threat when thinking about critical infrastructure
security, but also organized and commercial crime, competitive companies,
various hackers, even all those who due to different social and economic
reason live on the margins of modern society. Of course, nobody among the
mentioned is immune to committing a terrorist act so as preventive meas-
ure all of them should be spotted and prevented in accordance with securi-
ty estimates.
Keywords
Information and communication technology, vulnerability, safety, securi-
ty, critical infrastructure
ISSN 1333-6371
Krunoslav Antoliš , Petar Mišević, Ana Miličević: VULNERABILITIES OF NEW TECHNOLOGIES AND
THE PROTECTION OF CNI
Media, culture and public relations, 6, 2015, 1, 57
ISSN 1333-6371
Krunoslav Antoliš , Petar Mišević, Ana Miličević: VULNERABILITIES OF NEW TECHNOLOGIES AND
THE PROTECTION OF CNI
58 Media, culture and public relations, 6, 2015, 1,
severe consequences. One of more frequent CNI segment. /9/ The former case is about
abuse of modern technology along with skill- newly discovered intentional errors in soft-
ful exploitation of numerous vulnerabilities of ware enabling perpetrators to penetrate into
the Internet is identity theft which caused information system while the time of error
damage to both individual and legal persons detection and correction/debugging takes less
and can be calculated in millions of the US than 24 hours. In the case of “backdoor” en-
dollars. Social networks and a number of per- cryption tools, whose creators enable data
sonal information on their users' profiles have decryption on the “back door“, without the
made the job of the perpetrators of these crim- user's knowledge. None of the information-
inal acts enormously easier along with their communication systems is immune to such
competencies in using software and hardware vulnerabilities. That is why prevention and
tools for abusing the ICT vulnerability. /6/ fighting against ICT abuse at national and
Skype is one of the examples of fre- international level is very important factor in
quent attacks on user's privacy through which security level analysis of information and
the email address and user’s profile are easily communication systems and wireless commu-
accessible. Besides, Microsoft, Hotmail and nications as a great part of these systems.
Outlook user accounts have drawbacks in au-
thentification procedure of the email service 3 Evolution of wireless communication vul-
enabling the thieves to collect users' data via nerabilities
cookies of the web browser. Furthermore, it is
interesting that the whole procedure of the Security threats to internal communication
privacy attack via memory stick takes only 30 systems of a particular CNI based on wireless
seconds at most. /7/ Examples of stealing transmission are still a great unknown. All
money from credit and debit cards, breaking vulnerabilities of wireless communication sys-
into bank accounts or interception of users' tems such as GSM, GPRS, UMTS or LTE in that
data are numerous. Recently, identity theft has case will directly affect the security of a part or
been closely connected with intellectual capital even of the whole system of a particular CNI.
of successful companies. Since the intellectual /10/ If we view the GSM network in this way,
capital is the biggest value of a company which we should take into account the GSM network
in synergy with ITC provides its clients with security drawbacks such as one-sided authen-
products and services and makes profit, this tication, errors in A3 and A8 algorithm imple-
very capital is becoming more often the target mentation, and weaknesses in user's anonymi-
of identity thieves. The reason for this is that ty, deficiencies of cryptographic algorithms,
the value of intellectual capital which stands limited encryption area and in protection of
beyond any material value. /8/ message integrity. /11/ GPRS system, unlike
All the above mentioned and many GSM enables the Internet access with the WAP
other ICT vulnerabilities built in the structure protocol which imposed new requirements to
of information-communication systems of the GPRS system. The required security level
critical infrastructure represent the key ele- within GPRS network is achieved by WTLS
ment of national security. Apart from financial, protocol within WAP. UMTS, better known as
health, traffic and other CNI sectors mentioned 3G mobile technology system, represents the
at the beginning of the paper, safe and reliable third stage in mobile technology development
information-communication platform is the eliminating security deficiencies of the two
main goal of the intelligence service communi- previous generations but opening the way to
ty of all countries. The countries which are not new forms of threats. The fourth wireless net-
capable of developing the intelligence service work generation or LTE is essentially different
systems of their own are in unenviable posi- from previous generations since its entire func-
tion. In that case, it is necessary to take many tionality is based on TCP/IP protocol. In this
preventive measures and meet very high secu- manner a greater interoperability and compat-
rity standard levels. Many intentional software ibility between wired and wireless networks is
tool vulnerabilities such as “Zero days” and achieved but on the account of security. /12/
data encryptions like the “backdoor” encryp- Vulnerabilities of this system are related to the
tion tools, can inflict irreparable damage to any characteristics of radio interface. Some of the
ISSN 1333-6371
Krunoslav Antoliš , Petar Mišević, Ana Miličević: VULNERABILITIES OF NEW TECHNOLOGIES AND
THE PROTECTION OF CNI
Media, culture and public relations, 6, 2015, 1, 59
threats which can endanger security system of the EU acquis communataire into the laws and
LTE technology are the following: unauthor- regulations of the Republic of Croatia by defin-
ized approach to network, attacks on the eNB ing the law on critical infrastructures (NN/
network component, attacks on the core net- 56/2013). So, the Republic of Croatia was re-
work including attacks on the locations of the quired to create national security policy in this
eNB network components, threats related to field. The law, accordingly, has defined na-
DoS and DdoS attacks. /13/ tional critical infrastructures and their sectors
When talking about wireless network giving initial directions for managing security
security within the CNI context, we cannot and security risks of these systems. Based on
omit Wireless local area networks (WLAN). the definition of CNI and all related sectors
Despite numerous security disadvantages of mentioned in the previous chapters, we can
such networks, their popularity is permanently see all complexity in the application of this law
increasing. In 2010, 50% of the Internet ADSL in all domains of critical national infrastruc-
users in Croatia opted for WLAN. Researches ture. Added the necessity of transparency and
have proved that a very small percentage of applicability of the law in all domains of criti-
users (about 10%) have security protection of cal national infrastructure which can be state-
the highest degree (WPA2), while most users owned or owned by local and regional self-
have WEP and WPA protection (about 80%). government and private companies or socie-
/14/ Disapproving fact is that less than 10% ties, then the need for multidisciplinary ap-
WLAN users have no protection at all. The proach to risk assessment prior to defining
Internet security experts does not recommend particular protective measures for critical in-
using of WEP security standard due to fre- frastructure is quite clear. Creating security
quent abuse of this standard. WPA and WPA2 policy for prevention and fighting against the
use randomly selected encryption key and ICT abuse within the critical national infra-
provide better network protection. By using all structure represents a particular challenge, not
above mentioned security standards it is nec- only for the Republic of Croatia but also for the
essary to apply concrete measures at the tech- countries with a long tradition in fighting
nical level, by selecting the appropriate securi- against cybercrime. The EU legislation frame-
ty software, setting the highest security level in work which enable us to do it this is The Con-
the operating system properties and applica- vention on Cyber Crime of the Council of Eu-
tions, and setting their automatic update. rope and Additional Protocol which were
The awareness of the importance of signed and ratified by the Republic of Croatia.
such network protection is not at very high The first reason is that this technology has
level, which makes abuser's job much easier to manifold application since the ICT today
do. Besides, in this manner it is extremely hard makes a basic information-communication
to discover and follow digital traces of perpe- platform of all companies including pharma-
trators. Although it is impossible to achieve ceutical industry, banking transactions or air
absolute security, it is necessary to install ade- traffic managing.
quate protection to disable frequent abuse of The second reason is intensive devel-
such networks. It is possible to provide by opment of this technology which requires a
applying security standards which enable de- “real time“ following and recognizing security
vice authentication, user authentication and risks at all levels of information systems. That
mutual strong encryption keys (TKIP or AES). is why it is very important to have multidi-
mensional approach to the ICT security issue
which demands meeting specific security re-
4 CNI and ICT abuse quirements at all segments of information-
communication infrastructure: technical
Although the term of national critical infra- equipment, software support, electronic com-
structure was first defined in the Republic of munication networks, data transmission with-
Croatia in the National Strategy for the Pre- in the same or different communication net-
vention and Suppression of Terrorism (NN works and data storage. In that case, law can
139/2008), legislation referring to critical infra- define the areas under special protection as
structure came into force only after accepting well as bodies to perform, monitor and give
ISSN 1333-6371
Krunoslav Antoliš , Petar Mišević, Ana Miličević: VULNERABILITIES OF NEW TECHNOLOGIES AND
THE PROTECTION OF CNI
60 Media, culture and public relations, 6, 2015, 1,
ISSN 1333-6371
Krunoslav Antoliš , Petar Mišević, Ana Miličević: VULNERABILITIES OF NEW TECHNOLOGIES AND
THE PROTECTION OF CNI
Media, culture and public relations, 6, 2015, 1, 61
The idea of localization was initiated a particular CNI to the cooperation and
by several countries which demanded local fighting against all ICT abuse at the interna-
storage of email and other ways of the Internet tional level, regardless of servers, whether
communication as well as disabling data local or cloud server in the world.
transmission across the state borders. Russia, 5 Conclusion
together with a group of countries hold that
the Internet as a multi-shareholder organiza- Critical national infrastructure represents the
tion should be under protection of the UN and key segment of national security and it is rec-
the International Telecommunication Union ognized as strategic target of terrorist organi-
(ITU). zations and intelligence agencies whose coun-
In the second half of 2013, the EU Parliament tries support terrorism. Intensive development
voted for demands for limiting international of ICT introduced numerous benefits within
data transmission which tend to localize the the CNI system, but also opened the door to a
Internet. /17/ This manner of establishing the number new ways of threats to national securi-
Internet ownership would enable the state ty. Therefore, CNI protection is a complex and
authorities to control the Internet traffic within continuous process implying preventive
a state which would certainly decrease cyber- measures and fighting against the ICT abuse at
crime rate and numerous ICT abuse and in- national and international level. Precisely de-
crease the ICT safety level. Yet, despite the fined legislation frameworks, concrete and
concepts of localization and limiting the Inter- targeted strategy of national security as well as
net, more frequent use of cloud-computing professional and competent human resources
option, the development of network technolo- are the main weapons in fighting against in-
gy leads to the opposite directions. Independ- formation and communication threats at na-
ence on physical machines, possibility of the tional level. Since cybercrime and everything
access to the required networks, applications that comes out of it do not know national bor-
and services offered at any time and place, ders, international cooperation has become the
would move the model of modern business key factor for prevention and fighting against
from office-based computer to the clouds. This the ICT vulnerability and abuse and definition
model of the Internet development of fast of high security standards for CNI protection.
communication and weak clients is contrary to
the concept of the Internet localization and Notes
limiting the data transfer. The question is if it
is possible to oppose the fierce waves of virtu- /1/ Report and Recommendations of The President’s
Review Group on Intelligence and Communica-
alization at all? Obviously, entire develop-
tions Technologies Liberty and security in a
ment of the Internet and network technologies
changing world, SAD 2013.
tend to develop a higher degree of independ- /2/ Joshua Sinai, Hsinchun Chen, Edna Reid, An-
ence and flexibility. Limiting the existing or drew Silke, Boaz Ganor: Terrorism Informatics:
further development along with creating new Knowledge Management and Data Mining for
security standards is the next decision in Homeland:
fighting security challenges which ICT devel- http://www.google.hr/books?hl=hr&lr=&id=feoq
opment is bringing. The fact that development hcd8bnkC&oi=fnd&pg=PR15&dq=maclean,+b.+(
of virtual technology has the tendency of per- 2007).+terrorism+and+internet+use&ots=PtaEEQ
ma-
manent and intensive growth, the application
Ma&sig=TX5KBW2tw1727tf7qAtJopr4D8g&redi
of this technology to CNI is a matter of time. In
r_esc=y#v=onepage&q&f=false , 2008.
that case security risk assessment and entire /3/ Antoliš, K. Ideological prerequisites in Combat-
information security will focus their attention ing Terrorism. CT WG conference, PfP Consor-
to commination protection towards and inside tium, Oberamergau, Germany, 2004.
the cloud. Apart from the above mentioned, it /4/ Ibid.
is clear that protection of the entire critical /5/ International strategy for Cyberspace: Prosperity,
national infrastructure is possible to provide Security and Openness in a Networked World,
only by a creating high quality and profession- SAD, 2011.
/6/ The Convention on Cybercrime (NN, Interna-
ally implemented security measures starting
tional Agreements No.: 4/2002), 2002.
from the lowest level of information system of
/7/ Ibid.
ISSN 1333-6371
Krunoslav Antoliš , Petar Mišević, Ana Miličević: VULNERABILITIES OF NEW TECHNOLOGIES AND
THE PROTECTION OF CNI
62 Media, culture and public relations, 6, 2015, 1,
/8/ Antoliš, K. ICT and Identity theft, Informatologi- /13/ Bikos, Anastasios N.; Sklavos, N. LTE SAE
ja, 46, 2013., 4, 353-360, UDK:681.3:340:001, Au- security issues on 4G wireless networks, 2013.
thors Review/Pregledni rad, ISSN [5] Antoliš, K. /14/ National Strategy for Prevention and suppres-
Intellectual capital and critical national infra- sion of terrorism (NN 139/2008), Croatia, 2008.
structure, pg. 7-15. CIP: 853091, ISBN 978-953- /15/ Antoliš, K. Cyber threats to critical national
161-276-0, Zagreb, Croatia, 2013. infrastructure, Corporate security in dynamic
/9/ Report and Recommendations of The President’s global environment – challenges and risks, str
Review Group on Intelligence and Communica- 61.-73., ISBN 978-961-92860-3-6, march, Ljublja-
tions Technologies Liberty and security in a na, 2012.
changing world, SAD 2013. /16/ Antoliš, K. Risk assessment of terrorist abuse of
/10/ National Strategy for Prevention and suppres- ICT in the CNI, Proceedings of the International
sion of terrorism (NN 139/2008), Croatia, 2008. conference on “The War on Terror after 10
/11/ Bilogrevic, I.; Jadliwala, M.; Hubaux, J.P. (2010.) Years, Zagreb, 2012.
Security Issues in Next Generation Mobile Net- /17/ Ibid.
works: LTE and Femtocells:
http://citeseerx.ist.psu.edu/viewdoc/download?
doi=10.1.1.167.223&rep=rep1&type=pdf
/12/ Filković Dujmović, K. Graduate-thesis: Safety of
mobile communication, Polytechnic of Zagreb,
Zagreb, 2012.
Sažetak
Nove informacijske tehnologije nezaobilazan čimbenik u modernom svijetu
koji se mijenja u svom tehnološkom ali i komunikologijskom aspektu. Naža-
lost, unatoč otvaranju novih mogućnosti, oba aspekta promjena dovela su i
do novih ranjivosti, koje se ne može zanemariti u smislu sigurnosnih rizika.
Ove ranjivosti izravno utječu na stanje sigurnosti u sustavima u kojima ICT
postaje dominantna informacijsko komunikacijska platforma. Tako je sa staja-
lišta nacionalne sigurnosti ključni element sigurnost kritične infrastrukture, a
koja je u velikoj mjeri određena sigurnošću ICT kao njezine važne sastavnice.
Dakle, ICT ranjivost izravno utječe na ranjivost kritične infrastrukture u koju
je ugrađena i čija je zlouporaba samo pitanje vremena. Danas prijetnje nisu
samo terorističke naravi već su to i organizirani i gospodarski kriminal, kon-
kurentne tvrtke, razni hakeri, čak i one fizičke osobe koje zbog neprimjerenih
socijalnih i ekonomskih razloga žive na marginama suvremenog društva.
Naravno, nitko među spomenutima nije imun na počinjenje terorističkog
akta, tako da ih sve preventivno treba uočiti i spriječiti u njegovu počinjenju
sukladno sigurnosnim procjenama u danom trenutku.
Ključne riječi
Informacijska i komunikacijska tehnologija, ranjivost, zaštita, sigurnost, kriti-
čna infrastruktura
ISSN 1333-6371