Reducing human error in cyber security using the Human Factors Analysis Classification System (HFACS).

For several decades, researchers have stated that human error is a significant cause of information security breaches, yet it still remains to be a major issue today. Quantifying the effects of security incidents is often a difficult task because studies often understate or overstate the costs involved. Human error has always been a cause of failure in many industries and professions that is overlooked or ignored as an inevitability. The problem with human error is further exacerbated by the fact that the systems that are set up to keep networks secure are managed by humans. There are several causes of a security breach related human error such as poor situational awareness, lack of training, boredom, and lack of risk perception. Part of the problem is that people who usually make great decisions offline make deplorable decisions online due to incorrect assumptions of how computer transactions operate. Human error can be unintentional because of the incorrect execution of a plan (slips/lapses) or from correctly following an inadequate plan (mistakes). Whether intentional or unintentional, errors can lead to vulnerabilities and security breaches. Regardless, humans remain the weak link in the process of interfacing with the machines they operate and in keeping information secure. These errors can have detrimental effects both physically and socially. Hackers exploit these weaknesses to gain unauthorized entry into computer systems. Security errors and violations, however, are not limited to users. Administrators of systems are also at fault. If there is not an adequate level of awareness, many of the security techniques are likely to be misused or misinterpreted by the users rendering adequate security mechanisms useless. Corporations also play a factor in information security loss, because of the reactive management approaches that they use in security incidents. Undependable user interfaces can also play a role for the security breaches due to flaws in the design. System design and human interaction both play a role in how often human error occurs particularly when there is a slight mismatch between the system design and the person operating it. One major problem with systems design is that they designed for simplicity, which can lead a normally conscious person to make bad security decisions. Human error is a complex and elusive security problem that has generally defied creation of a structured and standardized classification scheme. While Human error may never be completely eliminated from the tasks, they perform due to poor situational awareness, or a lack of adequate training, the first step to make improvements over the status quo is to establish a unified scheme to classify such security errors. With this background, I, intend to develop a tool to gather data and apply the Human Factors Analysis and Classification System (HFACS), a tool developed for aviation accidents, to see if there are any latent organizational conditions that led to the error. HFACS analyzes historical data to find common trends that can identify areas that need to be addressed in an organization to the goal of reducing the frequency of the errors

Cyber Defense Capability Model: A Foundation Taxonomy

Cyber attacks have significantly increased over the last few years, where the attackers are highly skilled, more organized and supported by other powerful actors to devise attacks towards specific targets. To aid the development of a strategic plan to defend against emerging attacks, we present a high-level taxonomy along with a cyber defense model to address the interaction and relationships between taxonomy elements. A cyber-kinetic reference model which is used widely by U.S Air Force is adopted as a baseline for the model and taxonomy development. Asset, Cyber Capability, and Preparation Process are the three high-level elements that are presented for the cyber defense capability model. The Cyber Capability, as the focal point of the study, uses three classifiers to characterize the strategic cyber defense mechanisms, which are classified by active, passive and collaborative defense. To achieve a proper cyber defense strategy, the key actors, assets and associated preparation procedure are identified. Finally, the proposed taxonomy is extensible so that additional dimensions or classifications can be added to future needs

A Proposed Hierarchical Taxonomy for Assessing the Primary Effects of Cyber Events: A Sector Analysis 2014-2016

Publicity surrounding the threat of cyber-attacks continues to grow, yet immature classification methods for these events prevent technical staff, organizational leaders, and policy makers from engaging in meaningful and nuanced conversations about the risk to their organizations or critical infrastructure. This paper provides a taxonomy of cyber events that is used to analyze over 2,431 publicized cyber events from 2014-2016 by industrial sector. Industrial sectors vary in the scale of events they are subjected to, the distribution between exploitive and disruptive event types, and the method by which data is stolen or organizational operations are disrupted. The number, distribution, and mix of cyber event types highlight significant differences by sector, demonstrating that strategies may vary based on deeper understandings of the threat environment faced across industries

A Taxonomy-based Analysis of Attacks on Industrial Control Systems

Most critical infrastructure depends on industrial control and automation systems to manage their processes. However, industrial control and automation systems were found to have many vulnerabilities owing to their design. They were initially designed to operate as air-gapped systems. However, with the evolution and the expansion of the industry, they are increasingly being targeted by attackers. Thus, preventative methods must be implemented to minimize/ prevent ICSs from being compromised by patching the vulnerabilities and addressing possible attack vectors. In order to prepare to defend against forthcoming attacks on critical infrastructure, it is vital to understand how past attacks have been carried out. This study analyzed and cataloged cases of attacks against ICSs to form a taxonomy that can be used as a tool to analyze the nature of ICS attacks. The taxonomy developed by this study can aide interested parties to determine potential attack vectors an attacker may choose, based on the attributes discussed in the study. Moreover, this paper also serves as a resource for the interested parties to understand ICSs

The strategic implications of the current Internet design for cyber security

Thesis (S.M. in Engineering and Management)--Massachusetts Institute of Technology, Engineering Systems Division, System Design and Management Program, 2011.Cataloged from PDF version of thesis.Includes bibliographical references (p. 87-89).In the last two decades, the Internet system has evolved from a collection point of a few networks to a worldwide interconnection of millions of networks and users who connect to transact virtually all kinds of business. The evolved network system is also known as Cyberspace. The use of Cyberspace is now greatly expanded to all fields of human endeavor by far exceeding the original design projection. And even though, the Internet architecture and design has been robust enough to accommodate the extended domains of uses and applications, it has also become a medium used to launch all sorts of Cyber attacks that results into several undesirable consequences to users. This thesis analyzes the current Internet system architecture and design and how their flaws are exploited to launch Cyber attacks; evaluates reports from Internet traffic monitoring activities and research reports from several organizations; provides a mapping of Cyber attacks to Internet architecture and design flaw origin; conducts Internet system stakeholder analysis; derives strategic implications of the impact of Internet system weaknesses on Cyber security; and makes recommendations on the broader issues of developing effective strategies to implement Cyber security in enterprise systems that have increasingly become complex. From a global architectural design perspective, the study conducted demonstrates that although the Internet is a robust design, the lack of any means of authentication on the system is primarily responsible for the host of Cyber security issues and thus has become the bane of the system. Following the analysis, extrapolation of facts and by inferences we conclude that the myriad of Cyber security problems will remain and continue on the current exponential growth path until the Internet and in particular the TCP/IP stack is given the ability to authenticate and that only through a collaborative effort by all stakeholders of the Internet system can the other major Cyber security issues be resolved especially as it relates to envisioning and fashioning new Cyber security centric technologies.by Charles M. Iheagwara.S.M.in Engineering and Managemen

Multiple Case Study Approach to Identify Aggravating Variables of Insider Threats in Information Systems

Malicious insiders present a serious threat to information systems due to privilege of access, knowledge of internal computer resources, and potential threats on the part of disgruntled employees or insiders collaborating with external cybercriminals. Researchers have extensively studied insiders’ motivation to attack from the broader perspective of the deterrence theory and have explored the rationale for employees to disregard/overlook security policies from the perspective of neutralization theory. This research takes a step further: we explore the aggravating variables of insider threat using a multiple case study approach. Empirical research using black hat analysis of three case studies of insider threats suggests that, while neutralization plays an important role in insider attacks, it takes a cumulative set of aggravating factors to trigger an actual data breach. By identifying and aggregating the variables, this study presents a predictive model that can guide IS managers to proactively mitigate insider threats. Given the economic and legal ramifications of insider threats, this research has implications relevant both for both academics and security practitioners

A cyberciege traffic analysis extension for teaching network security

CyberCIEGE is an interactive game simulating realistic scenarios that teaches the players Information Assurance (IA) concepts. The existing game scenarios only provide a high-level abstraction of the networked environment, e.g., nodes do not have Internet protocol (IP) addresses or belong to proper subnets, and there is no packet-level network simulation. This research explored endowing the game with network level traffic analysis, and implementing a game scenario to take advantage of this new capability. Traffic analysis is presented to players in a format similar to existing tools such that learned skills may be easily transferred to future real-world situations. A network traffic analysis tool simulation within CyberCIEGE was developed and this new tool provides the player with traffic analysis capability. Using existing taxonomies of cyber-attacks, the research identified a subset of network-based attacks most amenable to modeling and representation within CyberCIEGE. From the attacks identified, a complementary CyberCIEGE scenario was developed to provide the player with new educational opportunities for network analysis and threat identification. From the attack scenario, players also learn about the effects of these cyber-attacks and glean a more informed understanding of appropriate mitigation measures.http://archive.org/details/acyberciegetraff109451057

Machine Learning-Enabled IoT Security: Open Issues and Challenges Under Advanced Persistent Threats

Despite its technological benefits, Internet of Things (IoT) has cyber weaknesses due to the vulnerabilities in the wireless medium. Machine learning (ML)-based methods are widely used against cyber threats in IoT networks with promising performance. Advanced persistent threat (APT) is prominent for cybercriminals to compromise networks, and it is crucial to long-term and harmful characteristics. However, it is difficult to apply ML-based approaches to identify APT attacks to obtain a promising detection performance due to an extremely small percentage among normal traffic. There are limited surveys to fully investigate APT attacks in IoT networks due to the lack of public datasets with all types of APT attacks. It is worth to bridge the state-of-the-art in network attack detection with APT attack detection in a comprehensive review article. This survey article reviews the security challenges in IoT networks and presents the well-known attacks, APT attacks, and threat models in IoT systems. Meanwhile, signature-based, anomaly-based, and hybrid intrusion detection systems are summarized for IoT networks. The article highlights statistical insights regarding frequently applied ML-based methods against network intrusion alongside the number of attacks types detected. Finally, open issues and challenges for common network intrusion and APT attacks are presented for future research.Comment: ACM Computing Surveys, 2022, 35 pages, 10 Figures, 8 Table

Classification of DDoS Attack with Machine Learning Architectures and Exploratory Analysis

The ever-increasing frequency of occurrence and sophistication of DDoS attacks pose a serious threat to network security. Accurate classification of DDoS attacks with efficiency is crucial in order to develop effective defense mechanisms. In this thesis, we propose a novel approach for DDoS classification using the CatBoost algorithm, on CICDDoS2019, a benchmark dataset containing 12 variations of DDoS attacks and legitimate traffic using real-world traffic traces. With a developed ensemble feature selection method and feature engineering, our model proves to be a good fit for DDoS attack type prediction. Our experimental results demonstrate that our proposed approach achieves high classification accuracy of 89.5% and outperforms several state-of-the-art machine learning algorithms in terms of both accuracy and computational efficiency. The thesis does not only limit itself to achieving a good prediction score, it also uses the recently introduced concept of explainable AI (XAI) as a tool for ensuring transparency and interpretability of the proposed approach. Our approach can be applied in real-world scenarios to enhance the security of network infrastructure against DDoS attacks

AVOIDIT IRS: An Issue Resolution System To Resolve Cyber Attacks

Cyber attacks have greatly increased over the years and the attackers have progressively improved in devising attacks against specific targets. Cyber attacks are considered a malicious activity launched against networks to gain unauthorized access causing modification, destruction, or even deletion of data. This dissertation highlights the need to assist defenders with identifying and defending against cyber attacks. In this dissertation an attack issue resolution system is developed called AVOIDIT IRS (AIRS). AVOIDIT IRS is based on the attack taxonomy AVOIDIT (Attack Vector, Operational Impact, Defense, Information Impact, and Target). Attacks are collected by AIRS and classified into their respective category using AVOIDIT.Accordingly, an organizational cyber attack ontology was developed using feedback from security professionals to improve the communication and reusability amongst cyber security stakeholders. AIRS is developed as a semi-autonomous application that extracts unstructured external and internal attack data to classify attacks in sequential form. In doing so, we designed and implemented a frequent pattern and sequential classification algorithm associated with the five classifications in AVOIDIT. The issue resolution approach uses inference to educate the defender on the plausible cyber attacks. The AIRS can work in conjunction with an intrusion detection system (IDS) to provide a heuristic to cyber security breaches within an organization. AVOIDIT provides a framework for classifying appropriate attack information, which is fundamental in devising defense strategies against such cyber attacks. The AIRS is further used as a knowledge base in a game inspired defense architecture to promote game model selection upon attack identification. Future work will incorporate honeypot attack information to improve attack identification, classification, and defense propagation.In this dissertation, 1,025 common vulnerabilities and exposures (CVEs) and over 5,000 lines of log files instances were captured in the AIRS for analysis. Security experts were consulted to create rules to extract pertinent information and algorithms to correlate identified data for notification. The AIRS was developed using the Codeigniter [74] framework to provide a seamless visualization tool for data mining regarding potential cyber attacks relative to web applications. Testing of the AVOIDIT IRS revealed a recall of 88%, precision of 93%, and a 66% correlation metric