
    Prevention of malware attacks: public health perspectives

    Increased connectivity and the development of digital infrastructures have multiplied the motivations and opportunities for computer attacks. Although progress has been made in developing and implementing protection strategies, most of these efforts are devoted to developing new solutions rather than to evaluating and promoting them. It is therefore essential for governments, businesses, and individuals to define models and means of cooperation that make it possible to identify and evaluate strategies aimed at reducing the risk posed by computer threats. To this end, the field of information systems security could benefit from the lessons learned and the methods used in the health field. In particular, we believe that adopting a public health perspective would provide a comprehensive framework for i) identifying the factors that affect information systems security and understanding their underlying causes, ii) developing and evaluating effective strategies to improve information systems security, and iii) implementing the strategies developed and disseminating them to the population. In this thesis, we propose to draw on public health methods to develop a prevention model applicable to the context of malware attacks. In particular, we apply our prevention model to identify the causes and correlates of malware attacks and to evaluate the real-world effectiveness of antivirus solutions in preventing these attacks.
Using real-world malware attack data, we conducted five empirical studies: three aimed at identifying risk factors and protective factors, and two aimed at evaluating the effectiveness of antivirus software in a real-world environment. The results of our research have, among other things, made it possible to: i) identify new risk and protective factors related to malware attacks, ii) identify sub-populations at higher risk, and iii) show how the effect of the identified factors and of antivirus solutions varies by context (type of threat, environment, user, etc.). Moreover, this thesis validated the viability and potential of a public health-based approach to information systems security.
ABSTRACT: The increased connectivity and development of digital infrastructures has yielded increased motivation and opportunities for computer threats. Although there has been some progress in the development and implementation of protection strategies, the majority of these efforts are dedicated to the development of new solutions, and not to their evaluation and promotion. It is therefore essential for governments, businesses, and individuals to develop models and means of cooperation in order to identify and evaluate effective strategies aimed at reducing the risk posed by computer threats. To this end, the field of information security could benefit from lessons learned and methods used in health. In particular, we believe that adopting a public health perspective could provide a comprehensive framework for i) identifying the factors that affect information systems security and understanding their underlying causes, ii) developing and evaluating effective strategies to improve the security of information systems, and iii) implementing and disseminating the strategies developed to the population.
In this thesis, we propose to use public health methods to develop a prevention model for the context of malware attacks. In particular, we apply our prevention model to identify the causes and correlates of malware attacks, and evaluate the effectiveness of antivirus solutions in preventing computer threats. Using real-world malware attack data, we conducted five empirical studies: three to identify risk factors and protective factors, and two to assess the effectiveness of antivirus software in a real-world environment. The results of our research allowed us, among other things, to: i) identify new risk and protective factors related to malware attacks, ii) identify high-risk sub-populations, and iii) highlight how the effect of the identified factors and antivirus solutions varies by context (type of threat, environment, user, etc.). In addition, this thesis validated the viability and potential of a public health approach to information security.

    ENSURING SPECIFICATION COMPLIANCE, ROBUSTNESS, AND SECURITY OF WIRELESS NETWORK PROTOCOLS

    Several newly emerged wireless technologies (e.g., Internet-of-Things, Bluetooth, NFC), extensively backed by the tech industry, are being widely adopted and have resulted in a proliferation of diverse smart appliances and gadgets (e.g., smart thermostats, wearables, smartphones), which have in turn shaped our modern digital life. These technologies include several communication protocols that usually have stringent requirements stated in their specifications. Failing to comply with such requirements can result in incorrect behaviors, interoperability issues, or even security vulnerabilities. Moreover, a protocol implementation that is not robust to malicious attacks mounted by compromised nodes in an adversarial environment, exploiting subtle vulnerabilities in the implementation, has limited practical utility: such attacks impair the performance of the protocol and can even have detrimental effects on the availability of the network. Even a compliant and robust implementation alone may not suffice in many cases, because these technologies often expose new attack surfaces as well as new propagation vectors, which can be exploited by unprecedented malware and can quickly lead to an epidemic.

    Cybersecurity Strategies for Universities With Bring Your Own Device Programs

    The bring your own device (BYOD) phenomenon has proliferated, making its way into different business and educational sectors and enabling multiple vectors of attack and vulnerability to protected data. The purpose of this multiple-case study was to explore the strategies information technology (IT) security professionals working in a university setting use to secure an environment that supports BYOD in a university system. The study population was comprised of IT security professionals from the University of California campuses who had been managing a network environment where BYOD has been implemented for at least 2 years. Protection motivation theory was the study's conceptual framework. The data collection process included interviews with 10 IT security professionals and the gathering of publicly accessible documents retrieved from the Internet (n = 59). Data collected from the interviews and member checking were triangulated with the publicly accessible documents to identify major themes. Thematic analysis with the aid of NVivo 12 Plus was used to identify 4 themes: the ubiquity of BYOD in higher education, accessibility strategies for mobile devices, the effectiveness of BYOD strategies that minimize risk, and IT security professionals' tasks of identifying and implementing network security strategies. The study's implications for positive social change include increasing the number of users informed about cybersecurity and comfortable with defending their networks against foreign and domestic threats to information security and privacy. These changes may mitigate and reduce the spread of malware and viruses and improve overall cybersecurity in BYOD-enabled organizations.

    Automating Cyber Analytics

    Model-based security metrics are a growing area of cyber security research concerned with measuring the risk exposure of an information system. These metrics are typically studied in isolation, with the formulation of the test itself being the primary finding in publications. As a result, there is a flood of metric specifications available in the literature but a corresponding dearth of analyses verifying results for a given metric calculation under different conditions or comparing the efficacy of one measurement technique over another. The motivation of this thesis is to create a systematic methodology for model-based security metric development, analysis, integration, and validation. In doing so we hope to fill a critical gap in the way we view and improve a system's security. In order to understand the security posture of a system before it is rolled out and as it evolves, we present in this dissertation an end-to-end solution for the automated measurement of the security metrics needed to identify risk early and accurately. To our knowledge this is a novel capability in design-time security analysis which provides the foundation for ongoing research into predictive cyber security analytics. Modern development environments contain a wealth of information in infrastructure-as-code repositories, continuous build systems, and container descriptions that could inform security models, but risk evaluation based on these sources is ad hoc at best, and often simply left until deployment. Our goal in this work is to lay the groundwork for security measurement to be a practical part of the system design, development, and integration lifecycle. In this thesis we provide a framework for the systematic validation of the existing security metrics body of knowledge. In doing so we endeavour not only to survey the current state of the art, but to create a common platform on which future research in the area can be conducted.
We then demonstrate the utility of our framework through the evaluation of leading security metrics against a reference set of system models we have created. We investigate how to calibrate security metrics for different use cases and establish a new methodology for security metric benchmarking. We further explore the research avenues unlocked by automation through our concept of an API-driven S-MaaS (Security Metrics-as-a-Service) offering. We review our design considerations in packaging security metrics for programmatic access, and discuss how various client access patterns are anticipated in our implementation strategy. Using existing metric processing pipelines as a reference, we show how the simple, modular interfaces in S-MaaS support dynamic composition and orchestration. Next we review aspects of our framework which can benefit from optimization and further automation through machine learning. First we create a dataset of network models labeled with the corresponding security metrics. By training classifiers to predict security values based only on network inputs, we can avoid the computationally expensive attack graph generation steps. We use our findings from this simple experiment to motivate our current lines of research into supervised and unsupervised techniques such as network embeddings, interaction rule synthesis, and reinforcement learning environments. Finally, we examine the results of our case studies. We summarize our security analysis of a large-scale network migration, and list the friction points along the way which are remediated by this work. We relate how our research for a large-scale performance benchmarking project has influenced our vision for the future of security metrics collection and analysis through dev-ops automation. We then describe how we applied our framework to measure the incremental security impact of running a distributed stream processing system inside a hardware trusted execution environment.