363 research outputs found

    Adversarial behaviours knowledge area

    The technological advancements witnessed by our society in recent decades have brought improvements in our quality of life, but they have also created a number of opportunities for attackers to cause harm. Before the Internet revolution, most crime and malicious activity generally required a victim and a perpetrator to come into physical contact, and this limited the reach that malicious parties had. Technology has removed the need for physical contact to perform many types of crime, and now attackers can reach victims anywhere in the world, as long as they are connected to the Internet. This has revolutionised the characteristics of crime and warfare, allowing operations that would not have been possible before. In this document, we provide an overview of the malicious operations that are happening on the Internet today. We first provide a taxonomy of malicious activities based on the attacker’s motivations and capabilities, and then move on to the technological and human elements that adversaries require to run a successful operation. We then discuss a number of frameworks that have been proposed to model malicious operations. Since adversarial behaviours are not a purely technical topic, we draw from research in a number of fields (computer science, criminology, war studies). While doing this, we discuss how these frameworks can be used by researchers and practitioners to develop effective mitigations against malicious online operations.

    At Light Speed: Attribution and Response to Cybercrime/Terrorism/Warfare

    Addressing consumerisation of IT risks with nudging

    In this work we address the main issues of Information Technology (IT) consumerisation that are related to security risks, and vulnerabilities of devices used within Bring Your Own Device (BYOD) strategy in particular. We propose a ‘soft’ mitigation strategy for user actions based on nudging, widely applied to health and social behaviour influence. In particular, we propose a complementary, less strict, more flexible Information Security policies, based on risk assessment of device vulnerabilities and threats to corporate data and devices, combined with a strategy of influencing security behaviour by nudging. We argue that nudging, by taking into account the context of the decision-making environment, and the fact that the employee may be in better position to make a more appropriate decision, may be more suitable than strict policies in situations of uncertainty of security-related decisions. Several examples of nudging are considered for different tested and potential scenarios in security context

    Focus On Some Cyber Security Topics: Literature Based Study

    Cybersecurity is the practice of protecting systems, networks and programs from digital attacks. These cyber attacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Globally, there is an explosive growth of internet, with its penetration estimated to be around 3.4 billion users (47% world population). Cyber Security is the practice of preventing cybercrime. Various types of cyber-attacks like phishing attacks, DDoS, password attacks, SQL & ransomware attacks are causing detrimental financial damage to the individual & industry

    Cyber Infrastructure Protection: Vol. III

    Despite leaps in technological advancements made in computing system hardware and software areas, we still hear about massive cyberattacks that result in enormous data losses. Cyberattacks in 2015 included: sophisticated attacks that targeted Ashley Madison, the U.S. Office of Personnel Management (OPM), the White House, and Anthem; and in 2014, cyberattacks were directed at Sony Pictures Entertainment, Home Depot, J.P. Morgan Chase, a German steel factory, a South Korean nuclear plant, eBay, and others. These attacks and many others highlight the continued vulnerability of various cyber infrastructures and the critical need for strong cyber infrastructure protection (CIP). This book addresses critical issues in cybersecurity. Topics discussed include: a cooperative international deterrence capability as an essential tool in cybersecurity; an estimation of the costs of cybercrime; the impact of prosecuting spammers on fraud and malware contained in email spam; cybersecurity and privacy in smart cities; smart cities demand smart security; and, a smart grid vulnerability assessment using national testbed networks.

    Proceedings of the Designing interactive secure systems workshop (DISS 2012).

    In recent years, the field of usable security has attracted researchers from HCI and Information Security, and led to a better understanding of the interplay between human factors and security mechanisms. Despite these advances, designing systems which are both secure in, and appropriate for, their contexts of use continues to frustrate both researchers and practitioners. One reason is a misunderstanding of the role that HCI can play in the design of secure systems. A number of eminent security researchers and practitioners continue to espouse the need to treat people as the weakest link, and encourage designers to build systems that Homer Simpson can use. Unfortunately, treating users as a problem can limit the opportunities for innovation when people are engaged as part of a solution. Similarly, while extreme characters (such as Homer) can be useful for envisaging different modes of interaction, when taken out of context they risk disenfranchising the very people the design is meant to support. Better understanding the relationship between human factors and the design of secure systems is an important step forward, but many design research challenges still remain. There is growing evidence that HCI design artefacts can be effective at supporting secure system design, and that some alignment exists between HCI, security, and software engineering activities. However, more is needed to understand how broader insights from the interactive system design and user experience communities might also find traction in secure design practice. For these insights to lead to design practice innovation, we also need usability and security evaluation activities that better support interaction design, together with software tools that augment, rather than hinder, these design processes. 
Last, but not least, we need to share experiences and anecdotes about designing usable and secure systems, and reflect on the different ways of performing and evaluating secure interaction design research. The objective of this workshop is to act as a forum for those interested in the design of interactive secure systems. By bringing together a like-minded community of researchers and practitioners, we hope to share knowledge gleaned from recent research, as well as experiences designing secure and usable systems in practice

    The Heartbleed bug : insecurity repackaged, rebranded and resold

    The emergence of a post-industrial information economy shaped by and around networked communication technology has presented new opportunities for identity theft. In particular, the accidental leakage or deliberate harvesting of information, via either hacking or social engineering, is an omnipresent threat to a large number of commercial organisations and state agencies who manage digital databases and sociotechnical forms of data. Throughout the twenty-first century the global media have reported on a series of data breaches fuelling amongst the public an anxiety concerning the safety and security of their personal and financial data. With concern outpacing reliable information a reassurance gap has emerged between the public's expectations and the state's ability to provide safety and security online. This disparity presents a significant opportunity for a commercial computer crime control industry who has sought to position itself as being able to offer consumer citizens the antidotes for such ills. This paper considers how neoliberal discourses of cybercrime control are packaged, branded and sold, through an examination of the social construction of the Heartbleed bug. It demonstrates how security company Codenomicon masterfully communicated the vulnerability, the product of a simple coding error, through its name, a logo and an accompanying website, in turn, shaping news coverage across the mainstream media and beyond

    Making Cyberspace Safe for Democracy: The Challenge Posed by Denial-of-Service Attacks

    In December 2010, the British government braced itself for a sudden threat: Overnight, tens of thousands of people had acquired a weapon called the Low Orbit Ion Cannon (LOIC). The good news for British authorities was that this cannon is not actually a space laser or hardly even a weapon; it is an old diagnostic computer program that allows an individual to test a network's capacity to handle traffic by sending information to the network's servers. The bad news was that a nebulous online hacking collective called Anonymous was successfully encouraging these tens of thousands of people to use this tool to disrupt the availability of the websites of a few major corporations. The program allowed individuals to participate in organized attempts to overwhelm each company's servers with information, so much information that those servers could not process other users' normal requests for access. The goal of this type of assault, known as a denial-of-service (DOS) attack, is to disrupt a target organization's online presence for as long as the attacking computers continue to send such information. The immediate consequence of a successful attack is somewhat anticlimactic: The target organization's website simply fails to load upon request. Nevertheless, the idea that thousands of nameless, faceless individuals could have banded together to produce that result adds social significance to what would otherwise be a purely technical problem