
Cyber Threat Prevention
Michele Nogueira, Ph.D.
Computer Security Science Center (CCSC)

Challenges in Achieving Security in Cyber Space
Cyber security
● Completely unique field of research
○ Hard science of physical system behavior
○ Social science of human behavior and response
○ Formal science of data encoding and information representation

Challenges in Achieving Security in Cyber Space
● Set of challenges
○ Cyber space is abstract
○ Mathematical and physical-like foundations
○ Multiple perspectives of cyber space
○ Understanding of software, interfaces and artifacts
○ Humans have an avatar in cyber space; it is not easy to sense all relevant information

Challenges in Achieving Security in Cyber Space
● Set of challenges
○ Dynamics
○ All based on assumptions that can be broken by attacks
○ Humans are the threats, and they are intelligent and responsive!

Attack types
The possible moves:
● Attacks to integrity
○ Data counterfeiting, identity theft
● Attacks to confidentiality
○ Weak and strong information theft
● Attacks to the quality of service
○ Denial of service
● Authenticity, accountability

Handling Attacks
Passive vs. Active Attacks
● Passive attacks
○ Prevention
○ Easy to stop
○ Hard to detect
● Active attacks
○ Detection and recovery
○ Hard to stop
○ Easy to detect
[Figure: Example of Active Attack. Figure source: Internet Security Tips]

Fundamental Concepts
Threat
● Deliberate source of potential danger/harm
● Harm: Adverse impact to system operation or system resources, including data
● Someone or group with the aim of harming the system

Fundamental Concepts
Attack
● Attempt by a threat to gain unauthorized access
● Service, data, resources
● Exploits specific vulnerabilities
● Series of attacks for a specific period: campaign

Main threats and attacks
● Denial of Service
● Malware
● Phishing
● SPAM

Denial of Service
Master computers = botmasters
Infected = bots
Botset = Botnets
Botnets are the basis for generating attacks such as the Distributed Denial of Service attack.

Malwares
● Software that exploits vulnerabilities
● Viruses, worms, bots, adware, trojans, ransomware
● Common threat vector

www.ccsc-research.org
ccsc@ufpr.br

Phishing
Purpose: trick people into revealing personal information (e.g. passwords or credit card, CPF and bank account numbers)
Method: Emails or text messages (SMS) directing users to fake websites

SPAM
Intrusive and unwanted message
Multiple objectives: from simple fun to causing great financial damage through improperly obtaining data and information

Achieving Security in Cyber Space
Security Controls
Security solutions (a.k.a. security controls: tools, services, mechanisms and techniques) designed to help security professionals defend systems and networks against cyberattacks
[Figure labels: Risks, Mechanisms, Applicability]

Cyber Security Controls
Tools and Techniques
● Means to achieve different levels of security attributes
● Applied research focuses on building security controls
● Must reflect a policy

Cyber Security Controls
Must reflect a policy
A small business may declare that all passwords should be changed every 6 months.

Cyber Security Controls
Must reflect a policy
Without a policy, controls are worthless at best and deceptive at worst

Cyber Security Controls
Policy
● Definition of what it means for a business to be cyber secure
● Under what: conditions, constraints, adversaries, circumstances
● This may vary from business to business

Cyber Security Controls
Tools and Techniques
● Means to achieve different levels of security attributes
● Applied research focuses on building security controls
● Must reflect a policy
What are the currently available and used security controls?

Cyber Security Defenses
[Figure: defense lines (Preventive, Reactive, Tolerance), with labels Content Distribution, Predictive, IDS, Replication, Redundancy, Cryptography, Authentication, Access Control]
IDS = Intrusion Detection Systems
Source: SAMNAR: A survivable architecture for wireless self-organizing networks. M. Nogueira Lima. PhD thesis, University of Paris 6, LIP6, Paris, France.

Cyber Security Defenses
Subfields
01 Attack detection and prediction
● Patterns and behaviors of attacks to detect/predict their occurrence
● Statistical methods, AI, machine learning
02 Secure Mechanism Design
● Focus on attributes of security
● Encompass multiple subfields: formal methods, secure system architecture
03 Software Security
● Understand why vulnerabilities in software exist
● How to detect them
● Secure coding practices, static and dynamic software analysis
04 Malware/Threat Analysis
● Understand behaviors and tactics of threats and the vector of attacks
● Forensics, reverse engineering
05 Risk Management
● Measure and quantify a state of cyber security
● Quantifying the value of cyber security to an operation
● How the prevention/mitigation affect risk
06 Cryptography
● Secure data in motion or at rest
● Algorithms and protocols
● Cryptanalysis
● Formal proofs and information theoretic

Cyber Security Controls
Main types
● Antivirus and IDS
● Security Services
● Security Mechanisms
● Firewall and access control

Cyber Security Controls
Security Services
● Enhance security of data processing systems and information transfers of an organization
● Intended to counter security attacks
● Using one or more security mechanisms
● Often replicates functions associated with physical documents
○ which, for example, have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; be recorded or licensed

Cyber Security Controls
Security Services - Examples
● X.800:
○ “a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers”
● RFC 2828:
○ “a processing or communication service provided by a system to give a specific kind of protection to system resources”

Cyber Security Controls
Security Mechanisms
● Feature designed to detect, prevent, or recover from a security attack
● No single mechanism that will support all services required
● However one particular element underlies many of the security mechanisms in use:
○ cryptographic techniques

Cyber Security Controls
Security Mechanisms - Example in X.800
● Specific security mechanisms:
○ encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
● Pervasive security mechanisms:
○ trusted functionality, security labels, event detection, security audit trails, security recovery

Exponential thinking
How to think exponentially?
Source: SingularityHub.com

What are their effects? “barbaric horde”

Advantages for attackers to infect IoT devices

Advantages for attackers in infecting IoT devices: information obtained

Differences from conventional malwares and mobile malwares? Diversity

Differences from conventional malwares and mobile malwares? Quantity
“Thanks to IoT botnets, DDoS attacks have finally turned from something of a novelty into an everyday occurrence.”

Differences from conventional malwares and mobile malwares? Mobility
Source: How can botnets cause storms? Understanding the evolution and impact of mobile botnets. IEEE INFOCOM 2014 paper.

Security Intelligence

Finally, the importance of the standards…

Summary
● Security threat prevention
○ Security services and mechanisms
● Coordination of defenses
● Necessity of the modern view and way of thinking

Reading Suggestion - Standards
● ISO/IEC 27001: an international standard to manage information security https://www.iso.org/standard/27001
● NIST: https://www.nist.gov/cybersecurity
