Role Of Cyber Security In It

02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

CHAPTER 5

Cyber security is not a new term, despite the recent increase in public media coverage. It has been the subject of serious discussion in government, industry and academia for the last two decades. The varying definitions and scope of cyber-security given by different authors have caused contention among them. A recent study on cyber security has shown that the threat of cyber-war has been grossly exaggerated, by 23% according to the professionals.[53] Cyber security is a key concept and discussion topic that encourages independent thinking and research among students. The discussions are carried out by security experts: Bruce Schneier points out that cyber crimes are the direct result of poor security rather than insufficient government powers. Similarly, the president of the Electronic Privacy Information Center (EPIC), Marc Rotenberg, stated mandatory internet identification requirements.[54-58] He also pointed out that in countries such as China, identification requirements have resulted in restriction and international human rights violations.[59] Cyber security is recognized as a real topic and worthy of discussion, regardless of which view one may take.[60]

As the frequency of cyber-attacks is constantly rising, governments worldwide are taking proactive and defensive action to reduce the risk of successful attacks against critical infrastructures. Many IT professionals may be aware of recent events surrounding Supervisory Control and Data Acquisition (SCADA) systems following the STUXNET virus, yet almost two years after its first recognized appearance in 2009 there are still significant vulnerabilities.[52] In May 2011, independent security researchers Brian Meixell and Dillon Beresford, along with NSS Labs, canceled their Takedown 2011 Conference presentation "Hacking SCADA". The presentation was intended to show how to write "industrial-grade" SCADA malware using both inadequate vulnerabilities and new vulnerabilities.[61] It was willingly cancelled by Meixell and Beresford due to "the serious physical, financial impact these issues could have on a worldwide basis" and "negative impact to human life". The lack of security in these systems is particularly alarming given that research into their vulnerabilities dates back to 1999.[62-64]

Although cyber-events are connected to human loss of life, the economic impact to a society can still be hugely damaging. In the 2010 Fraud Report by Kroll,[65] it was reported that information and electronic data theft exceeded all other fraud for the first time, rising 9.3% from the previous year. As a result of cyber threats in 2006, the National Science and Technology Council released the Federal Plan for Cyber-security and Information Assurance Research and Development.[66] The report led to some recommendations for future cyber-security research and development:

1. Strategic cyber security and information assurance needs require investment from Federal R&D.

2. Focus on threats with impact.

3. Making cyber-security and information assurance, as a topic of research and discussion, both an individual agency and an interagency budget priority.

4. Support the interagency coordination and collaboration on cyber-security and information assurance R&D.

5. Implementing security from the start.

6. Developing a roadmap for Federal cyber-security and information assurance R&D.

7. Developing and applying new metrics to assess cyber-security and information assurance.

8. Strengthening R&D partnerships with international partners.

The Comprehensive National Cyber-security Initiative (CNCI) in 2008[67-68] is the first in a series of stages to establish a broader, updated national U.S. cyber-security strategy, with the following summarized goals:[69]

1. To create immediate front line defense against today’s cyber threats.

2. To defend against the full range of threats.

3. To strengthen the future cyber-security system.

These goals underline the CNCI’s initiatives, which are:

1. To track the Federal Enterprise Network as a single network with trusted net connections.

2. To make an intrusion detection system of sensors across the Federal enterprise.

3. To check deployment of intrusion prevention systems across the Federal enterprise.

4. To co-ordinate and direct research and development efforts.

5. To connect current cyber operations centers to improve situational awareness.

6. To develop and implement a government-wide cyber counterintelligence (CI) plan.

7. To increase the security of our classified networks.

8. To expand cyber education.

9. To define and develop enduring "leap-ahead" technology, strategies and software.

10. To develop and define enduring deterrence software and strategies.

11. To develop a multi-directional approach for global supply chain risk management.

12. To define the Federal role for spreading cyber-security into critical infrastructure domains.

Today, cyber-security is a challenge. It extends beyond national demarcation and requires global co-operation, with no single group, country or agency claiming ownership, according to a 2009 report by the US Department of Homeland Security.[70] The report outlined a Roadmap for Cyber-security Research which was built on the 2005 second revision of the INFOSEC Research Council (IRC) Hard Problem List,[71] and, in recognition of the aforementioned presidential directives,[67-68] the roadmap specifies research and development opportunities that are scoped to address a few "tough problems". The list was concluded following a significant research effort and took more than a year to develop, with many ‘real’ and virtual workshops alongside online collaboration from a team of experts on the topic:

1. Highly trustworthy systems (including system architectures and requisite development methodology).

2. Enterprise-level metrics (including measures of overall system trustworthiness).

3. Life cycle of system evaluation (including approaches for sufficient assurance).

4. To combat insider threats.

5. To combat botnets and malware.

6. Global-scale identity management.

7. Survival of time-critical systems.

8. Situational understanding and attack attribution.

9. Provenance (relating to information, systems and hardware).

10. Privacy-aware security.

11. Usable security.

In the recent past, an Organization for Economic Co-operation and Development (OECD) report by two UK professors discussed the relationship between cyber and physical warfare. It claims that although cyberspace is a war-fighting region, there is little prospect of a war being carried out only in cyberspace.[72] They do however acknowledge that there are a few cyber-events with the capability to cause a global attack and many more that could create localized misery and loss. Their list of findings and recommendations is too exhaustive to cover in its entirety but focuses on risk factors from a multi-pronged attack using a variety of technological and social methods to achieve a mal-intentioned objective, such as cyber-espionage. Recently these forms of attack have become known as Advanced Persistent Threats, or APTs.[73]

The International Standards Organization is currently reviewing the final committee draft of ISO/IEC 27032: Guidelines for Cyber-security.[74] In it, cyber-security is defined as the "preservation of integrity confidentiality and availability of information in the cyberspace", with an accompanying definition of cyberspace as "the complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it as it does not exist in any physical form". It is clear, then, that cyber-security is much debated, interesting and requires great attention. If there is any dispute about its importance as an academic training curriculum, one should consult recent reports indicating a dramatic (and growing) deficit of competent qualified professionals in the public sector.[75-77] Even given the importance of thorough Information Assurance and Security education throughout the Information Technology Model Curriculum, we suggest that a wider-reaching emphasis on cyber-security with advanced topics would add value to many existing IT training programs.[78]

5.2 WHY INFORMATION TECHNOLOGY?

It is indubitable that all computing and technology programs have a responsibility to ensure a thorough and pervasive security curriculum within their courses. To do otherwise has the potential to be dangerous, training students with advanced technical skills but lacking security awareness – such an omission would almost certainly result in systems designed or produced by graduates containing many security vulnerabilities.

Yet we believe Information Technology programs are uniquely well suited to an advanced cyber-security curriculum. Earlier we referred to the five pillars of an IT Curriculum:

Programming

Networking

Human Computer Interaction

Databases

Web Systems

These five pillars are each critical pre-requisites for cyber-security. Justification for each is provided below.

5.2.1 Programming

The ability to program a computer system to achieve a desired result is perhaps the most fundamental skill taught in an IT program and in all computing programs. Yet it is here that the potential for unintentionally crafting exploitable vulnerabilities lies. Programming security vulnerabilities are a common cause of computing security breaches. Even the best programmers in the industry can make errors, and a simple oversight can have far-reaching effects. Likewise, it is in programming that the ability to rectify these vulnerabilities lies. At the very least, conceptual programming knowledge is an essential cyber-security tool for understanding how and why a software vulnerability may be exploited and beginning to realize the impact of a harmful attack.

5.2.2 Networking

The essential requirement for practical networking knowledge in cyber-security is obvious. "Cyberspace" is defined as a networked group of entities. Understanding the concepts, technicalities, protocols and vulnerabilities of computer networks is a key pre-requisite of an advanced cyber-security education.

5.2.3 Human Computer Interaction (HCI)

In a cyber-security context, HCI represents a huge "piece of the pie". Although declining, reports indicate that user mistake is the primary cause of security breach.[79] Is this a result of poor user interface design or poor user education? In fact, both are likely to play a significant part. Information Technology professionals are described as user advocates and effectively provide a human interface between technology and users.[78] It is their responsibility to ensure that users can efficiently, securely and effectively realize their targets through the proper use of advanced computer technology.

User education plays an important role in user advocacy. Through proper training, users can be taught to recognize and avoid common security pitfalls such as phishing attacks, social engineering, malware and insecure browsing.[80] The advantages of these approaches have been shown and, as of 2009, user error is no longer the primary cause of security breaches.[81-82]

5.2.4 Databases

Databases are often primary targets in cyber-attacks. They represent a rich resource of information that is often commercially sensitive, contains sensitive user data, or both. While other computing programs may emphasize advanced database structure and design methods, Information Technology includes significant Database Management Systems (DBMS) and Database Administration (DBAdmin) content. Although these are intended to help students better integrate and manage systems from a theoretical and practical standpoint, understanding how a database management system works and is administered is a key skill in protecting information from sabotage or cyber-theft.

5.2.5 Web Systems

Web systems provide the external interface to many different types of computer systems. A website is typically the first publicly accessible boundary that an attacker will communicate with in cyberspace. Websites are designed for a variety of purposes and often present a viable attack vector to an organization’s internal network. A particularly prevalent and dangerous threat today is cross-site scripting (XSS). XSS is the placement of malicious code on an attacker-controlled website which exploits vulnerabilities in a legitimate and typically high-traffic website in order to inject client-side code (this is one method of drive-by infection – the infection of a victim’s system without their knowledge or consent by using a client-side browser vulnerability). The danger of this type of infection is dependent on the nature of the malicious code and can vary from privacy invasions and information theft to full remote control of a victim’s system by the attacker. This is listed in the 2010 SANS Top 25 list[83-84] as the number one most dangerous software error. Given the intentional public placement of websites, great care must be exercised to ensure their security. Vulnerabilities are frequently found by security experts and reported to vendors, who produce patches or security hotfixes. This evolutionary cycle appears to be without end, and any organization with a web presence should have clearly defined policies regarding the adoption and implementation of manufacturer fixes.
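The usual defense against the client-side code injection described above is to encode untrusted data for the context it is written into. The following is an added example, not part of the original essay; the function names and the sample comment are constructed for illustration.

```javascript
// Added illustration: output encoding as an XSS defense.
// All names and sample data here are constructed, not taken from the essay.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the characters that let data break out of HTML text or a
// quoted attribute value, so the browser treats the value as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak form: untrusted input is concatenated straight into markup,
// so any tags it contains become part of the page.
function renderCommentUnsafe(author, text) {
  return '<div class="comment"><b>' + author + '</b>: ' + text + '</div>';
}

// Hardened form: every untrusted value is encoded before insertion.
function renderCommentSafe(author, text) {
  return '<div class="comment"><b>' + escapeHtml(author) + '</b>: ' +
    escapeHtml(text) + '</div>';
}

// Link targets need a second check: encoding alone does not stop a
// script-bearing URL scheme. Parse the URL and allow only http(s).
function safeHref(url) {
  try {
    const parsed = new URL(String(url), 'https://example.invalid/');
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return escapeHtml(url);
    }
  } catch (err) {
    // Unparseable input falls through to the inert default below.
  }
  return '#';
}

// Constructed sample of user-supplied comment text containing markup.
const SAMPLE_COMMENT = '<script>document.title="constructed"</script>';

console.log(renderCommentUnsafe('bob', SAMPLE_COMMENT));
console.log(renderCommentSafe('bob', SAMPLE_COMMENT));
console.log(safeHref('javascript:alert(1)'));
```

Encoding at output time complements, rather than replaces, the patching policy the paragraph recommends.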

The web systems pillar of IT includes a strong security emphasis that discusses additional security topics such as the need for server hardening, firewalls and intrusion detection/prevention systems (IDS/IPS).

5.2.6 Summary of IT Fit

As shown, the five pillars of IT are well suited to cyber-security education. There already exists a pervasive security element throughout each pillar, which provides students with subject knowledge that is both conceptually and technically applicable within a security context. Additionally these same pillars provide key knowledge cornerstones that are pre-requisite to cybersecurity education. We do not dispute that cyber-security education has elements residing in other disciplines [85]. In fact this diversity is to be encouraged and wherever possible leveraged into cross disciplinary collaborative opportunities. The unique perspectives of Computer Science, Computer Engineering, Electronic Engineering, Information Systems, Mathematics and many other fields which share an interest in cyber-security are able to contribute to making our digital society a safer place.

We do however assert that Information Technology presents a uniquely suited and ideal environment for cyber-security education that sets it apart from other disciplines. Indeed were one to design a separate discipline specifically for cyber-security, we believe it would closely resemble an Information Technology program with a cyber-security advanced emphasis.

5.3 A CYBER-SECURITY CURRICULUM

Even among the differing views and interpretations of cyber-security, it is possible to assemble a structured curriculum that should be both encompassing and unbiased toward the various definitions of cyber-security.

5.3.1 Outcomes

To develop an effective curriculum, establishing goals and outcomes is necessary. The goals can be program-specific and customized to the educational and research objectives of the teaching institution. Keeping these points in mind, five high-level outcomes can be presented which should be suitably standard to be adapted to most programs.

1. The students will be familiar with the multi-disciplinary and fast-paced nature of cyber-security and will be prepared to learn and understand new technologies and contexts throughout their career. Ed Crowley, who discusses curriculum development, has focused on this outcome; he also discusses the multidisciplinary nature of IAS, including psychology, sociology, law, computer science, engineering and management.[85]

2. The students will acquire basic cyber-security skills with an emphasis on a professional path. This outcome is tailored from a 1998 NCISSE presentation by Eugene Spafford at Purdue, which emphasizes the need to align a program’s skill set with the profession.[86]

3. The students will understand the need for cross-disciplinary and cross-cultural association in cyber-security and will be able to communicate the domain to a variety of technical and non-technical audiences. This emphasizes that being able to cross both cultural and academic divides to improve systems security and educate users is of paramount importance.

4. The students will be able to apply their own knowledge of systems integration thinking when working with cyber-security threats, attacks, incident response and defenses. This outcome emphasizes the need for cyber-security professionals to be able to think outside the box in order to overcome vulnerabilities. It will lead students to think like a potential attacker, relate to a cyber-victim and understand the bigger picture. These are some of the important skills in cyber-security. For example, a cyber-security professional should be able to understand and correlate all attacks and use those in a form of root-cause analysis to determine the attack objectives, begin to derive attribution and implement an incident response plan that both minimizes service interruption and leads to future increased defensive abilities against attack in an advanced persistent threat scenario.[87]

5. The students will understand the ethical responsibilities of the cyber-security profession and will treat ethical, moral and privacy issues responsibly and with sensitivity.[88-89]

From all of the above, we underline the importance of cyber-security professionals being of high moral character.

5.3.2 Security Across The Curriculum?

Many academics have stated the need for security-across-the-curriculum in IT programs.[88,90-93] The proposal of a cyber-security emphasis is not to be seen as countering this. The benefits of cyber-security across the curriculum have been proven in its implementation.[93-94] However, research shows that there is still significant advanced content that would benefit undergraduates and help reduce the cyber-security professional deficit.[75-77] Some researchers declare that security topics are taken from a wide range of academic domains rather than being a separate study.[95] It is true that cyber-security does indeed draw together various academic disciplines, but this does not imply that it is not unified or does not have innovative content.

An educational reference framework listing the body of knowledge for an Information Security Curriculum, which unites security content from a variety of domains, was produced by the Committee on National Security Systems in 1994.[96] Content areas within NSTISSI 4011 are:

Communications Fundamentals

Security Fundamentals

NSTISS Fundamentals

Operating System Environment

NSTISS Planning And Management

NSTISS Policies and Procedures

Although it provides a good baseline for Information Assurance and Security education, it does not address some cyber-threats currently faced. Therefore we encourage institutions offering Information Technology or closely related topics to consider the addition of an advanced cyber-security curriculum that builds upon the established foundations laid out in the IT Model Curriculum and the National Training Standard for Information Systems Security Infosec (NSTISSI) 4011.[96]

5.3.3 Topics

In our experience, encouraging students to analyze the variations in cyber-security standards, reports and documentation is a useful tool in promoting understanding of cyber-security. We accept that simplifying cyber-security into a few key terms and their relationships will provide an adaptable framework. This level of elasticity helps programs maintain a relatively ‘open’ academic structure that can cater to the ‘shifting sands’ problems in cyber-security definitions, standards and frameworks.[95] We propose that an advanced cyber-security emphasis could be covered within three high-level categories that would follow a common pre-requisite of Information Assurance and Security. These categories are:

Prepare

Defend

Act

The first preference was to label the last of these categories ‘react’, indicating a response to a cyber-incident. On reflection, this seemed unsuitable given the axiom ‘it is better to act, than react’. The three categories can be better contextualized through the following questions:

Preparing – What cyber-threats are there, and how can we prepare for and decrease potential attacks?

Defending – How do we design, implement and maintain secure systems?

Acting – What steps should be carried out in the event of a cyber-attack, and how can one place attribution?

Cyber-security preparation means that risks are clear and understood. This requires a careful and complete understanding of the threat and its impact. It is important to note that these are not merely technical, as a large part of preparation is in understanding the relationship between cyberspace and the real world. The top technical topics are penetration testing, ethical hacking, and advanced persistent/evasive threats. Cyber-defense involves taking preventative measures to guard computer systems and again includes both technical and non-technical rudiments. Systems administrators are accountable for the maintenance of systems and networks and also for the implementation of security policies. Other suitable topics include network and systems design, all in a security context.

Preventive defense falls into the following categories: hardening, auditing, accreditation and user education. The act category covers what has to be done in the event of a cyber-attack. What are the signs of an active attack, and what steps should be taken to measure potential impact, derive attribution, respond and restore service? Technical topics include digital forensics and incident response. Other areas include the theory of computer forensics, cultural and global standardization, legal issues, counter-forensics and incident response, and understanding how different organizations have different methodologies and priorities.

Suggested course names for each category are:

Cyber Threats and Infiltration Testing

Cyber Security and Systems Administration

Cyber Response and Forensics

Each of the mentioned topics is coupled with a more technical practice. The coupled courses deal with both the concepts of cyber-security and a ‘practical skills toolbox’ suitable for a cyber-security specialist. The relatively high level of topic abstraction should allow course trainers great flexibility in their content and the academic freedom to focus on a specific cyber-security model if desired. At the same time it highlights that cyber-security is not a new topic, but rather a practice of viewing and correlating existing knowledge to holistically analyze, understand, defend against and respond to cyber-threats. It is advisable that cyber-security courses be taught towards the end of a student’s study, after the necessary prerequisite material has been learnt.

5.4 EDUCATIONAL METHODS

Many researchers have provided excellent information on educational approaches for cyber-security topics.[85,86-90,93-95] Some supplementary educational methods that have been found useful in a cyber-security program are presented here, in the hope that they may aid instructors in their own course design. This list is not exhaustive by any means and may be viewed as a basis for future research.

5.4.1 Hands-On Exposure

According to research, hands-on experience has been shown to be an effective teaching tool. There is a common belief that ‘hands-on experience is at the heart of science learning’.[97] Nancy Nersessian emphasized that labs should be explicitly directed towards conceptual instruction.[98] Jing Ma and Jeffrey Nickerson, in 2006, reviewed different methods of laboratory instruction and concluded that laboratories can be an effective tool in both conceptual and design education.[99]

It can be stated that a well-designed lab can be very effective for student learning. Experience has revealed that labs encourage independent thinking and other higher cognitive functions, and are both effective and enjoyable for students. Cyber-security is an appropriate topic for lab-based instruction, as many labs are unscripted and ‘open ended’, allowing students multiple correct solutions. This allows students to select tools, methodology frameworks and operating systems to achieve a goal, which encourages student-led research and innovation.

A technique that has shown significant success is that of cyber security exercises, or cyber war-games. These place students in a competitive atmosphere and allow them to polish their skills to achieve a specified objective. Such types of exercises are popular among hacking communities and government agencies.[100]

5.4.2 Collaboration

Working with industry and government in a teaching setting allows students to gain a distinctive insight into current cyber-security threats, trends and needs. Mutual opportunities can be as simple as inviting cyber-security professionals to present, or formal arrangements working with local businesses and institutions that expose students to real-world environments. These types of collaboration need not be external, as one institution has demonstrated. As an example of collaborative work, Dartmouth College established a cyber-security initiative in which students worked alongside the campus computing services to improve their security posture following a successful malicious compromise of successor computer network.[101]

The need for information sharing in cyber-security has been emphasized by several authors.[102-103] Students can gain an appreciation of the need for community, private sector and government information sharing through appropriate collaboration. The call for this type of teamwork was shared in the recent Cyberspace Policy Review,[104] which underlined the need for a variety of collaborative efforts between academia, the private sector, government and the military. These kinds of collaborative activities help expose students to professional-level activities and can also encourage professional certifications and qualifications throughout their future careers.[85]


