UNIT 4 CYBERSECURITY: ISSUES AND PERSPECTIVES
3.1 Meaning and Scope of Cybersecurity
Cybersecurity concerns the protection of computers, networks, programmes and data from unintended or unauthorized access, change or destruction (see Pale, 2014). It focuses on understanding the issues around various cyber attacks and devising defense strategies or countermeasures that safeguard the confidentiality, integrity and availability of digital and information technologies (Jang-Jaccard & Nepal, 2014). The scope of cybersecurity covers the protection of many kinds of digital assets. For example, Klonoff (2015) argued that diabetes medical devices such as blood glucose monitors, continuous glucose monitors, insulin pumps, other wearable sensors, cloud computer systems, and readers such as desktop computers, laptops, tablets, smartphones and watches need to be protected from threats that can degrade their function and put the health of the user of the device at risk. He noted that such threats include unauthorized disclosure, modification or loss of function.
According to Kostopoulos (2018, p.xvi) cybersecurity must safeguard the following four principles that are essential for any trusted cyberspace engagement:
i. Confidentiality: Data transmitted or stored are private; to be viewed only by authorized persons.
ii. Integrity: Data transmitted or stored are authentic, free of errors introduced in storage or in transit.
iii. Availability: Data transmitted or stored are accessible to all authorized persons.
iv. Non-Repudiation: Data transmitted or stored are of indisputable authenticity, especially when supported by acceptable digital certificates, digital signatures, or other explicit identifiers.
3.2 Types of Cyber Incidents
There are various types of cyber incidents. These incidents constitute a major threat to individual internet users, businesses, and private and public organizations. Romanosky (2016) categorized cyber incidents as follows:
i. Data Breach: This refers to the unintentional disclosure of personally identifiable information as a result of the loss or theft of digital or printed information, such as a laptop or a wallet containing a person's driver's license.
A data breach also covers the improper disposal or disclosure of personal information, for example to a dumpsite or a website. Such information can be used to commit identity, financial or medical fraud.
ii. Security Incident: This is an incident that involves the compromise or disruption of corporate information technology systems, such as computers or networks, or of corporate intellectual property. Examples include a denial of service (DoS) attack, theft of intellectual property, and malicious infiltration.
iii. Privacy Violation: This is the unauthorized collection, use or sharing of the personal information of others. It may involve unauthorized collection from cell phones, Global Positioning System (GPS) devices, cookies, web tracking or physical surveillance. It also includes alleged violations of information statutes, as well as unsolicited communications such as spam emails, other mass marketing communication (robocalling, texts, and emails) or debt collection.
iv. Phishing/Skimming: This category deals with cyber incidents perpetrated by individuals against other individuals or firms. These include phishing attacks (whereby criminals seek to harvest account information from users), identity theft (whereby criminals use another person's information for financial gain) and skimming attacks (whereby criminals install hardware devices over automated teller machines that enable them to copy the bank account numbers and PINs of others without their knowledge).
Although the above categorization of cyber incidents is not exhaustive, it provides useful insights on the patterns of cyber incidents in the digital age. The type of cyber incident an attacker can launch will largely depend on his/her skill set. Ashtiani and Azgomi (2014) classified cyber attackers as follows:
i. Low-skilled attackers: These attackers, also referred to as script kiddies, have neither programming knowledge nor knowledge of the steps required to gain access to the targeted systems. They usually rely on the blind use of public exploits and tools that professional hackers provide.
ii. Medium-skilled attackers: These attackers partially know the professional hacking tools and the steps required for accessing targeted systems. However, they lack the programming skills required to create new exploits for vulnerabilities that they find in their targets.
iii. High-skilled attackers: They are versed in vulnerability detection techniques and in the creation of new exploits. They are very familiar with professional hacking tools and the steps required for accessing targeted systems. They normally use their own private archive of exploits.
The harm caused to the targeted system by an attack is usually a function of how skilled the attacker is. High-skilled attackers are therefore the most dangerous of the three, as they possess the skill set needed to perpetrate highly damaging attacks.
3.3 Vulnerabilities in Information Systems
According to Kostopoulos (2018, p.1), "vulnerability in any system is the result of an intentional or unintentional omission or of an inadvertent design mistake that directly or indirectly leads to a compromise in the system's availability, integrity, or confidentiality".
The United States National Institute of Standards and Technology (NIST) protocol for standardizing the identification and cataloguing of security vulnerabilities and configurations, the Security Content Automation Protocol (SCAP) (as cited in Kostopoulos, 2018, pp. 5-7), is made up of the following six components:
i. Common Vulnerabilities and Exposures (CVE): This is a repository of registered, publicly known information security vulnerabilities, with a unique identifier for each entry. An entry is first defined as a candidate vulnerability, entered in the MITRE Common Vulnerabilities and Exposures List and then registered in the National Vulnerability Database.
ii. Common Configuration Enumeration (CCE): This repository contains security vulnerabilities and interfacing inconsistencies that arise from system configurations. This information can facilitate regulatory compliance, proper interoperability and audit checks. It identifies existing problems and recommends solutions.
iii. Common Platform Enumeration (CPE): This component deals with the proper naming of software and provides a hierarchical naming structure. It identifies software unambiguously and facilitates software inventory management.
iv. Common Vulnerability Scoring System (CVSS): This is a scoring algorithm that takes parameters describing how a vulnerability in the subject software can be exploited and what impact a successful exploit has, and produces a numeric severity score. The specification is openly published and is widely used by system designers and security analysts involved in risk analysis and system planning.
v. Extensible Configuration Checklist Description Format (XCCDF): This is an XML-based format for writing standardized security checklists and guidance documents. It expresses general software vulnerabilities, or those of specific configurations or uses of the addressed software, as normalized configuration content that automated security tools can consume.
vi. Open Vulnerability and Assessment Language (OVAL): This runs across the entire spectrum of information security tools and services and standardizes the three major steps of the assessment process: the representation of system information, the expression of specific machine states, and the reporting of assessment results. These are presented in a language that the information system security community understands.
Information system vulnerabilities are basically weaknesses in hardware or software design, on the client or the server side, that an attacker can exploit to gain unauthorized access to the system. The role of the human factor is also widely recognized. Cybercriminals can create many kinds of malicious software capable of disrupting the smooth operation of the hardware and software components of information systems.
3.4 Vulnerabilities in Critical Infrastructure
According to Radvanovsky and McDougal (2013), critical infrastructure consists of the physical and computer-based systems that are fundamental to the minimum operations of the economy and government. It includes, among others, telecommunications, energy, banking and finance, transportation, water systems and emergency services.
The USA PATRIOT Act (as cited in Bruneau et al., 2020, p. 22) lists the following categories of critical infrastructure:
i. Transportation Infrastructure
● Trucks, highways, and bridges
● Trains and rail tracks
● Airplanes and airports
● Ships and ports
ii. EI – Energy Infrastructure
● Pipelines (including for green gas) and refineries
● Electrical grids, towers, and power stations
● Large-scale renewable energy generation and supply systems, e.g., offshore parks
● Nuclear reactors
● Dams
iii. WW – Water and Wastewater Systems
● Water pipes, tanks, and reservoirs
● Sewage conduits and refineries
iv. ES – Emergency Services
● Hospitals
● Fire stations
● Police stations
v. IT – Information Technologies
● Sensors, connectors, and other data acquisition devices (DAQs)
● Interpretation of signals
● Databases and cloud computing
● Security and safety of data
● Artificial intelligence
● Machine and deep learning
As can be seen from the above list, critical infrastructure cuts across many sectors of a nation's economy and is essential to its smooth operation. Because critical infrastructure increasingly relies on the internet for its operations, it is vulnerable to cyber attacks. Vulnerabilities in hardware and software constitute threats to critical infrastructure because they can be used to obstruct the services it provides.
Alcaraz and Zeadally (2015) classified the faults associated with critical infrastructure into two kinds: internal and external. An internal fault involves anomalous changes that originate within the system. An external fault arises from interactions that originate outside the system, such as natural phenomena, malicious actions or accidents. They explained that, whatever the cause, any fault within a critical infrastructure system can create an internal effect that results in the collapse of services and activities essential for control. For example, an attack on a sensor node can cause hardware and software errors that eventually affect the operation of resources essential for control, such as remote terminal units.
3.5 Countermeasures for Vulnerabilities
Cyber infrastructure is continually exposed to threats that exploit its vulnerabilities.
Kostopoulos (2018, pp.19-20) suggested the following countermeasures as defenses against external threats:
● Screening the URLs of online system access attempts against a list of pre-approved ones, and extending or retracting that list as the need arises.
● Limiting intrusion risk by reducing access privileges wherever they are not absolutely necessary.
● Minimizing the online availability of sensitive data, thereby reducing the exposure to possible intrusion.
● Using passwords that resist "dictionary" attacks, for instance by including letters of foreign languages (length and unpredictability matter more than the alphabet used, since modern cracking wordlists also contain non-English words).
● Using multi-factor authentication, such as receiving additional access parameters via mobile telephony.
● Designing for high-volume traffic, so that "flooding" attempts against the interface ports do not succeed.
● Developing the ability to recognize Distributed Denial of Service (DDoS) attacks through dynamic metrics that continuously observe resource utilization.
● Using firewalls and anti-virus software, and keeping the software of Web-connected devices up to date (updates and patches).
● Logging and reporting intrusion attempts and suspicious Web requests.
● Disconnecting or deactivating Web-accessible assets that are not in use at the moment.
● Conducting frequent (daily or weekly) audits, and knowing which applications reside in the system.
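Three of the items above (screening URLs against a pre-approved list, recognizing floods through metrics that watch utilization, and logging suspicious Web requests) can be mechanized. The following is an added example, not from Kostopoulos, of a small Python reviewer that applies a URL allow-list and a per-source request-rate check to web-server log lines; the allow-list, the thresholds and the log lines are all constructed for illustration. It also shows a caveat for allow-listing: the path must be percent-decoded and normalized before matching, otherwise `/static/../../etc/passwd` passes as a `/static/` request.

```python
"""URL allow-list screening and flood detection over web-server logs (added example).

The log lines, the allow-list policy and the thresholds are constructed
for illustration; the log format is the common combined style of
Apache/nginx access logs.
"""
import posixpath
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed policy: exact paths and directory prefixes reachable from outside.
ALLOWED_EXACT = {"/", "/login"}
ALLOWED_PREFIXES = ("/api/v1/", "/static/")


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    return d


def url_allowed(path):
    """Allow-list check on the decoded, normalized path (query string ignored)."""
    clean = posixpath.normpath(unquote(path.split("?", 1)[0]))
    if clean in ALLOWED_EXACT:
        return True
    return any(clean.startswith(p) for p in ALLOWED_PREFIXES)


def find_floods(events, window_seconds=10, threshold=20):
    """Sources that send >= threshold requests inside any window_seconds span."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                       # drop requests outside the window
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]      # time the source first crossed the line
    return flagged


def review(lines, window_seconds=10, threshold=20):
    """Apply both checks and return what an operator would log or report."""
    events = [e for e in map(parse_line, lines) if e]
    blocked = [(e["ip"], e["path"]) for e in events if not url_allowed(e["path"])]
    floods = find_floods(events, window_seconds, threshold)
    return {"parsed": len(events), "blocked": blocked, "floods": sorted(floods)}


def sample_lines():
    """Constructed log: normal traffic, two off-policy requests, one flooding source."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'
    lines = [
        fmt.format(ip="203.0.113.5", ts="10/Mar/2024:10:00:01 +0000", path="/login", status=200),
        fmt.format(ip="203.0.113.5", ts="10/Mar/2024:10:00:03 +0000", path="/api/v1/orders?id=7", status=200),
        fmt.format(ip="198.51.100.9", ts="10/Mar/2024:10:00:04 +0000", path="/admin/console", status=404),
        fmt.format(ip="198.51.100.9", ts="10/Mar/2024:10:00:05 +0000", path="/static/../../etc/passwd", status=400),
    ]
    # 25 requests in 5 seconds from one source: above 20 per 10 s.
    for i in range(25):
        lines.append(fmt.format(ip="192.0.2.77", ts=f"10/Mar/2024:10:00:{10 + i // 5:02d} +0000",
                                path="/", status=200))
    return lines


if __name__ == "__main__":
    result = review(sample_lines())
    print(f"parsed {result['parsed']} requests")
    for ip, path in result["blocked"]:
        print(f"off-policy request from {ip}: {path}")
    for ip in result["floods"]:
        print(f"flood from {ip}")
```

The rate check is deliberately per source; a distributed flood spreads requests over many sources, so in production the same window logic is also run on aggregate counts per endpoint, which is the "dynamic metrics on resource utilization" the list refers to.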
3.6 Cybersecurity Risk Management
Musman and Turner (2018) used the Cyber Security Game (CSG) to demonstrate the following ways in which cyber security risk can be addressed.
i. Quantifying cyber risk: This focuses on the damage (loss) caused by an unfavourable event and an estimate of how often it may occur within a period of time (likelihood). Mission Oriented Risk and Design Analysis (MORDA) is a security risk analysis methodology that combines threats, attack trees, and mission impact concepts to arrive at an unbiased risk metric. Many people also use simplified models based on the definition "Risk = Threat (T) x Vulnerability (V) x Consequence (C)". Experts usually assess the threat and vulnerability terms as probabilities. Consequence is assessed in various units, such as economic replacement cost or fatalities. The idea is to assess adversary intent as "threat" and then use that assessment to strengthen defenses.
ii. Comprehensive assessment of cyber incidents: There is a wide range of potential attacker exploits and methods; some may be opportunistic while others may be targeted. The cyber security game approach focuses on assessing whether good security principles have been applied and whether there were defenses to frustrate the efforts of the attacker. Because of the wide range of attack methods, it is difficult for cyber modeling to capture all the likely cyber incident instances comprehensively. To address this problem, some have modeled the effects of cyber incidents instead of the attack instances that can produce those effects.
Confidentiality, Integrity and Availability (CIA) are the cyber incident effects commonly considered. In the cyber security game (CSG), however, cyber effects are defined by the DIMFUI classification (degradation, interruption, modification, fabrication, unauthorized use, and interception), a more comprehensive set of incident effects, where every entry in the Common Vulnerabilities and Exposures list maps to one or more of these effects against one or more of the cyber resources of the system.
iii. Modeling attack paths: Cyber security defenders must have the capacity to identify and defend against multi-step attacks. This is necessary because they deal with an intelligent adversary. Cyber systems are usually interconnected, and attackers can therefore exploit cyber components that seem non-critical in order to bypass security controls and other defenses; Stuxnet and targeted data breaches are examples. It is common to identify attack paths and model attacker behaviour using attack trees. Although these are usually developed manually, they can be computed automatically from a system topology model. This approach is generalized by the cyber security game using a probabilistic attacker model that factors in all the potential impact targets an attacker could hit.
iv. Modeling attacker behaviour: Cyber security defense is also complicated by the fact that every action taken by a defender to improve system security is followed by a corresponding adjustment by an attacker to find another potential loophole.
Attack trees provide insights about how an attacker will exploit various options to bypass defenses, but do not show how the tree is affected by the defender's actions.
To deal with this problem, cyber-attacks and the corresponding defense actions that can prevent them can be construed as game playing between two players.
Cyber security game generalizes attacker behaviour by applying a game-theoretic approach that is based on the constraints imposed on the attacker by the system structure and defenses.
v. Identifying the best investments: Several cyber risk methods allocate resources by ranking critical cyber resources by risk or by developing a top-10 list of system risks. Such rankings are not enough for resource allocation. The best defenses, and where to deploy them, vary and depend largely on the defender's level of resources. The cyber security game has a portfolio engine that identifies the best investments for a given level of resources.
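The two points above, that attackers route through components that look non-critical and that the right defenses depend on the defender's budget, can be illustrated on a small topology model. The following is an added example written for this unit, not the Cyber Security Game's own engine: it enumerates every attack path from the internet to a database over a constructed five-node topology, takes the path with the highest success probability as the attacker's choice, and then exhaustively picks the set of defenses, within a given budget, that most reduces that probability. The hosts, step probabilities, defense costs and their effects are all assumed values.

```python
"""Attack paths over a system topology and defense selection under a budget (added example).

The topology, step success probabilities and defense catalogue below are
constructed for illustration. The search is a plain exhaustive one over
defense subsets, which is fine at this size; it is not CSG's portfolio engine.
"""
from itertools import combinations

# Directed edges: (from, to) -> probability that an attacker who already
# controls 'from' succeeds in the step to 'to'. Assumed values.
EDGES = {
    ("internet", "web"): 0.7,      # public web app with a known exploit class
    ("web", "app"): 0.4,           # pivot into the application tier
    ("app", "db"): 0.5,            # reach the DB with application credentials
    ("web", "monitor"): 0.9,       # "non-critical" monitoring host, default creds
    ("monitor", "db"): 0.8,        # the monitor holds read credentials for the DB
}

# Defense name -> (cost, {edge: success probability after the defense}). Assumed values.
DEFENSES = {
    "waf":           (3, {("internet", "web"): 0.4}),
    "segment_app":   (2, {("web", "app"): 0.1}),
    "monitor_creds": (1, {("web", "monitor"): 0.2}),
    "db_least_priv": (2, {("monitor", "db"): 0.3}),
}


def attack_paths(edges, source, target):
    """All simple paths from source to target, each with its success probability."""
    adj = {}
    for (u, v), p in edges.items():
        adj.setdefault(u, []).append((v, p))
    found = []

    def walk(node, path, prob):
        if node == target:
            found.append((list(path), prob))
            return
        for nxt, p in adj.get(node, []):
            if nxt not in path:            # simple paths only: no revisits
                path.append(nxt)
                walk(nxt, path, prob * p)
                path.pop()

    walk(source, [source], 1.0)
    return found


def best_path(edges, source="internet", target="db"):
    """The path a rational attacker prefers: highest success probability."""
    paths = attack_paths(edges, source, target)
    if not paths:
        return ([], 0.0)
    return max(paths, key=lambda x: x[1])


def apply_defenses(edges, chosen, defenses=DEFENSES):
    """Edge probabilities after deploying the chosen defenses."""
    new_edges = dict(edges)
    for name in chosen:
        for edge, p in defenses[name][1].items():
            new_edges[edge] = min(new_edges[edge], p)
    return new_edges


def choose_portfolio(budget, edges=EDGES, defenses=DEFENSES):
    """Affordable defense set that minimises the attacker's best path; ties go to the cheaper set."""
    names = sorted(defenses)
    best = (best_path(edges)[1], 0, ())        # baseline: spend nothing
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            cost = sum(defenses[n][0] for n in combo)
            if cost > budget:
                continue
            risk = best_path(apply_defenses(edges, combo, defenses))[1]
            if (risk, cost) < (best[0], best[1]):
                best = (risk, cost, combo)
    return {"defenses": set(best[2]), "cost": best[1], "residual": round(best[0], 3)}


if __name__ == "__main__":
    for path, prob in attack_paths(EDGES, "internet", "db"):
        print(f"{prob:.3f}  {' -> '.join(path)}")
    for budget in (1, 3, 6):
        print(budget, choose_portfolio(budget))
```

With no defenses the attacker's preferred route is through the monitoring host, not the application tier, which is the point made above about non-critical components. The cheapest single defense (fixing the monitoring credentials) is the best buy at a budget of 1, but at a budget of 3 the best set is the monitoring fix plus application segmentation rather than the more expensive WAF, which is why a risk ranking alone does not settle the allocation.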
4.0 CONCLUSION
Information systems and critical national infrastructure are threatened by the activities of cyber criminals, and the need to secure them is therefore imperative. While the vulnerabilities in these systems cannot be completely eliminated, certain countermeasures can make them less prone to attacks capable of disrupting their smooth operation.
It is important that concerted efforts are made by stakeholders to safeguard the confidentiality, integrity and availability of digital information and technologies as that is the whole essence of cybersecurity.
5.0 SUMMARY
This unit examined the meaning and scope of cybersecurity, types of cyber incidents and attackers, vulnerabilities in information systems, vulnerabilities in critical infrastructure, countermeasures for vulnerabilities and cybersecurity risk management.
6.0 TUTOR-MARKED ASSIGNMENT
a. What do you understand by the term “cybersecurity”?
b. Explain the various types of cyber incidents.
7.0 REFERENCES/FURTHER READING
Alcaraz, C. & Zeadally, S. (2015). Critical Infrastructure Protection: Requirements and Challenges for the 21st Century. International Journal of Critical Infrastructure Protection (IJCIP), 8, 1-34.
Ashtiani, M. & Azgomi, M.A. (2014). A distributed simulation framework for modeling cyber attacks and the evaluation of security measures. Simulation: Transactions of the Society for Modeling and Simulation International, 90(9), 1071-1102.
Bruneau, M. et al. (2020). Introduction: Challenges and generic research questions for future research on resilience. In Z. Wu, X. Lu & M. Noori (eds.), Resilience of Critical Infrastructure Systems: Emerging Developments and Future Challenges (pp. 1-42). Boca Raton: Taylor and Francis – CRC Press.
Jang-Jaccard, J. & Nepal, S. (2014). A survey of emerging threats in cybersecurity. Journal of Computer and System Sciences, 80, 973-993.
Klonoff, D.C. (2015). Cybersecurity for connected diabetes devices. Journal of Diabetes Science and Technology, 9(5), 1143-1147.
Kostopoulos, G. (2018). Cyberspace and Cyber Security (2nd ed.). Boca Raton: CRC Press, Taylor & Francis Group.
Pale, P. (2014). Education as a long term strategy for cybersecurity. In A. Vaseashta, P. Susmann & E. Braman (eds.), Cyber Security and Resiliency Framework (pp. 127-134). Amsterdam: IOS Press.
Radvanovsky, R. & McDougal, A. (2013). Critical Infrastructure, Homeland Security and Emergency Preparedness (3rd ed.). Boca Raton: Taylor and Francis – CRC Press.
Romanosky, S. (2016). Examining the cost and causes of cyber incidents. Journal of Cybersecurity, 2(2), 121-135.
Module 6: Cyber Crime Policing and Prosecution in Nigeria: Issues, Challenges and