Honeypot Technologies and Their Applicability as an Internal Countermeasure

Honeypots or honeynets are a technology that is rapidly maturing and establishing this archetype of countermeasure as viable and useful in modern network defence. Honeypot technology is now at a point of development where near real-time monitoring and forensic analysis of security events can occur. This paper explores the hurdles to be overcome for the internal deployment of honeypot technologies

Survey of Attack Projection, Prediction, and Forecasting in Cyber Security

This paper provides a survey of prediction, and forecasting methods used in cyber security. Four main tasks are discussed first, attack projection and intention recognition, in which there is a need to predict the next move or the intentions of the attacker, intrusion prediction, in which there is a need to predict upcoming cyber attacks, and network security situation forecasting, in which we project cybersecurity situation in the whole network. Methods and approaches for addressing these tasks often share the theoretical background and are often complementary. In this survey, both methods based on discrete models, such as attack graphs, Bayesian networks, and Markov models, and continuous models, such as time series and grey models, are surveyed, compared, and contrasted. We further discuss machine learning and data mining approaches, that have gained a lot of attention recently and appears promising for such a constantly changing environment, which is cyber security. The survey also focuses on the practical usability of the methods and problems related to their evaluation

Web attack risk awareness with lessons learned from high interaction honeypots

Tese de mestrado, Segurança Informática, Universidade de Lisboa, Faculdade de Ciências, 2009Com a evolução da web 2.0, a maioria das empresas elabora negócios através da Internet usando aplicações web. Estas aplicações detêm dados importantes com requisitos cruciais como confidencialidade, integridade e disponibilidade. A perda destas propriedades influencia directamente o negócio colocando-o em risco. A percepção de risco providencia o necessário conhecimento de modo a agir para a sua mitigação. Nesta tese foi concretizada uma colecção de honeypots web de alta interacção utilizando diversas aplicações e sistemas operativos para analisar o comportamento do atacante. A utilização de ambientes de virtualização assim como ferramentas de monitorização de honeypots amplamente utilizadas providencia a informação forense necessária para ajudar a comunidade de investigação no estudo do modus operandi do atacante, armazenando os últimos exploits e ferramentas maliciosas, e a desenvolver as necessárias medidas de protecção que lidam com a maioria das técnicas de ataque. Utilizando a informação detalhada de ataque obtida com os honeypots web, o comportamento do atacante é classificado entre diferentes perfis de ataque para poderem ser analisadas as medidas de mitigação de risco que lidam com as perdas de negócio. Diferentes frameworks de segurança são analisadas para avaliar os benefícios que os conceitos básicos de segurança dos honeypots podem trazer na resposta aos requisitos de cada uma e a consequente mitigação de risco.With the evolution of web 2.0, the majority of enterprises deploy their business over the Internet using web applications. These applications carry important data with crucial requirements such as confidentiality, integrity and availability. The loss of those properties influences directly the business putting it at risk. Risk awareness provides the necessary know-how on how to act to achieve its mitigation. In this thesis a collection of high interaction web honeypots is deployed using multiple applications and diverse operating systems in order to analyse the attacker behaviour. The use of virtualization environments along with widely used honeypot monitoring tools provide the necessary forensic information that helps the research community to study the modus operandi of the attacker gathering the latest exploits and malicious tools and to develop adequate safeguards that deal with the majority of attacking techniques. Using the detailed attacking information gathered with the web honeypots, the attacking behaviour will be classified across different attacking profiles to analyse the necessary risk mitigation safeguards to deal with business losses. Different security frameworks commonly used by enterprises are analysed to evaluate the benefits of the honeypots security concepts in responding to each framework’s requirements and consequently mitigating the risk

ESTABLISHMENT OF CYBER-PHYSICAL CORRELATION AND VERIFICATION BASED ON ATTACK SCENARIOS IN POWER SUBSTATIONS

Insurance businesses for the cyberworld are an evolving opportunity. However, a quantitative model in today\u27s security technologies may not be established. Besides, a generalized methodology to assess the systematic risks remains underdeveloped. There has been a technical challenge to capture intrusion risks of the cyber-physical system, including estimating the impact of the potential cascaded events initiated by the hacker\u27s malicious actions. This dissertation attempts to integrate both modeling aspects: 1) steady-state probabilities for the Internet protocol-based substation switching attack events based on hypothetical cyberattacks, 2) potential electricity losses. The phenomenon of sequential attacks can be characterized using a time-domain simulation that exhibits dynamic cascaded events. Such substation attack simulation studies can establish an actuarial framework for grid operation. The novelty is three-fold. First, the development to extend features of steady-state probabilities is established based on 1) modified password models, 2) new models on digital relays with two-step authentications, and 3) honeypot models. A generalized stochastic Petri net is leveraged to formulate the detailed statuses and transitions of components embedded in a Cyber-net. Then, extensive modeling of steady-state probabilities is qualitatively performed. Methodologies on how transition probabilities and rates are extracted from network components and actuarial applications are summarized and discussed. Second, dynamic models requisite for switching attacks against multiple substations or digital relays deployed in substations are formulated. Imperative protection and control models to represent substation attacks are clarified with realistic model parameters. Specifically, wide-area protections, i.e., special protection systems (SPSs), are elaborated, asserting that event-driven SPSs may be skipped for this type of case study. Third, the substation attack replay using a proven commercially available time-domain simulation tool is validated in IEEE system models to study attack combinations\u27 critical paths. As the time-domain simulation requires a higher computational cost than power flow-based steady-state simulation, a balance of both methods is established without missing the critical dynamic behavior. The direct impact of substation attacks, i.e., electricity losses, is compared between steady-state and dynamic analyses. Steady-state analysis results are prone to be pessimistic for a smaller number of compromised substations. Finally, simulation findings based on the risk-based metrics and technical implementation are extensively discussed with future work

Online Social Deception and Its Countermeasures for Trustworthy Cyberspace: A Survey

We are living in an era when online communication over social network services (SNSs) have become an indispensable part of people's everyday lives. As a consequence, online social deception (OSD) in SNSs has emerged as a serious threat in cyberspace, particularly for users vulnerable to such cyberattacks. Cyber attackers have exploited the sophisticated features of SNSs to carry out harmful OSD activities, such as financial fraud, privacy threat, or sexual/labor exploitation. Therefore, it is critical to understand OSD and develop effective countermeasures against OSD for building a trustworthy SNSs. In this paper, we conducted an extensive survey, covering (i) the multidisciplinary concepts of social deception; (ii) types of OSD attacks and their unique characteristics compared to other social network attacks and cybercrimes; (iii) comprehensive defense mechanisms embracing prevention, detection, and response (or mitigation) against OSD attacks along with their pros and cons; (iv) datasets/metrics used for validation and verification; and (v) legal and ethical concerns related to OSD research. Based on this survey, we provide insights into the effectiveness of countermeasures and the lessons from existing literature. We conclude this survey paper with an in-depth discussions on the limitations of the state-of-the-art and recommend future research directions in this area.Comment: 35 pages, 8 figures, submitted to ACM Computing Survey

Compilation of thesis abstracts, December 2006

NPS Class of December 2006This quarter’s Compilation of Abstracts summarizes cutting-edge, security-related research conducted by NPS students and presented as theses, dissertations, and capstone reports. Each expands knowledge in its field.http://archive.org/details/compilationofsis109452750

Cyber defensive capacity and capability::A perspective from the financial sector of a small state

This thesis explores ways in which the financial sectors of small states are able todefend themselves against ever-growing cyber threats, as well as ways these states can improve their cyber defense capability in order to withstand current andfuture attacks. To date, the context of small states in general is understudied. This study presents the challenges faced by financial sectors in small states with regard to withstanding cyberattacks. This study applies a mixed method approach through the use of various surveys, brainstorming sessions with financial sector focus groups, interviews with critical infrastructure stakeholders, a literature review, a comparative analysis of secondary data and a theoretical narrative review. The findings suggest that, for the Aruban financial sector, compliance is important, as with minimal drivers, precautionary behavior is significant. Countermeasures of formal, informal, and technical controls need to be in place. This study indicates the view that defending a small state such as Aruba is challenging, yet enough economic indicators indicate it not being outside the realm of possibility. On a theoretical level, this thesis proposes a conceptual “whole-of-cyber” model inspired by military science and the VSM (Viable Systems Model). The concept of fighting power components and governance S4 function form cyber defensive capacity’s shield and capability. The “whole-of-cyber” approach may be a good way to compensate for the lack of resources of small states. Collaboration may be an only out, as the fastest-growing need will be for advanced IT skillsets

Information Systems Security Countermeasures: An Assessment of Older Workers in Indonesian Small and Medium-Sized Businesses

Information Systems (IS) misuse can result in cyberattacks such as denial-of-service, phishing, malware, and business email compromise. The study of factors that contribute to the misuse of IS resources is well-documented and empirical research has supported the value of approaches that can be used to deter IS misuse among employees; however, age and cultural nuances exist. Research focusing on older workers and how they can help to deter IS misuse among employees and support cybersecurity countermeasures within developing countries is in its nascent stages. The goal of this study was two-fold. The first goal was to assess what older workers within Indonesian Small to Medium-sized Businesses (SMBs) do to acquire, apply, and share information security countermeasures aimed at mitigating cyberattacks. The second goal was to assess if and how younger workers share information security countermeasures with their older colleagues. Using a qualitative case study approach, semi-structured interviews were conducted with five dyads of older (50-55 years) and younger (25-45 years) workers from five SMBs in Jakarta, Indonesia. A thematic analysis approach was used to analyze the interview data, where each dyad represented a unit of analysis. The data were organized into three main themes including 1) Indonesian government IS policy and oversight, which included one topic (stronger government IS oversight needed); 2) SMB IS practices, which included three topics (SMB management issues, SMB budget constraints, SMB diligent IS practices, and IS insider threat); and 3) SMB worker IS practices, which included three topics (younger worker job performance, IS worker compliance issues, older worker IS practices) and five sub-topics under older worker IS practices (older worker diligent in IS, older worker IS challenged, older worker riskier IS practices, older worker more IS dependent, and older worker more forgetful on IS practices). Results indicated that older and younger workers at Indonesian SMBs acquire, apply, and share information security countermeasures in a similar manner: through IS information dissemination from the SMB and through communication from co-workers. Also, while younger workers share IS countermeasures freely with their older co-workers, some have negative perceptions that older co-workers are slower and less proficient in IS. Overall, participants reported positive and cohesive teamwork between older and younger workers at SMBs through strong IS collaboration and transparent information sharing. The contribution of this research is that it provides valuable empirical data on older worker behavior and social dynamics in Indonesian organizations. This was a context-specific study aimed at better understanding the situationalities of older workers within organizations in the developing country of Indonesia and how knowledge is shared within the organization. This assessment of cybersecurity knowledge acquisition, skill implementation, and knowledge sharing contributes to the development of organization-wide cybersecurity practices that can be used to strengthen Indonesian SMBs and other organizations in developing countries. This study also provides a blueprint for researchers to replicate and extend this line of inquiry. Finally, the results could shed light on how older workers can be a productive part of the solution to information security issues in the workplace