Cyber security and countermeasure: Difference between revisions

It has been suggested that this article be merged into Computer security. (Discuss) Proposed since March 2014.

Cybersecurity is the process of applying security measures to ensure confidentiality, integrity, and availability of data. Cybersecurity assures protection of assets, which includes data, desktops, servers, buildings, and most importantly, humans. The goal of cybersecurity is to protect data both in transit and at rest. There are many countermeasures that can be put in place, in order to ensure security of the data. Some of these measures include, but not limited to, access control, awareness training, audit and accountability, risk assessment, and security assessment and authorization.^[1]

Cybercrime (or computer crime) refers to any crime that involves a computer and a network.^[2] In general, a countermeasure is a measure or action taken to counter or offset another one. In computer security a countermeasure is defined as an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.^[3][4] An alternate meaning of countermeasure from the InfosecToday glossary^[5] is:

The deployment of a set of security services to protect against a security threat.

Although different types of threats (e.g., earthquakes, floods, electrical break-down) can cause an incident, or may harm a system or an organisation,^[6] only intentional threats will be considered here.
According to Microsoft's classification there are 6 categories of threats:^[7]

• Spoofing of user identity : describes a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.
• Tampering : describes an intentional modification of products in a way that would make them harmful to the consumer.
• Repudiation : describes a situation where the authenticity of a signature is being challenged.
• Information Disclosure (Privacy breach or Data leak) : describes a situation where information, thought as secure, is released in an untrusted environment.
• Denial of Service (DoS): describes a situation where a technological resource (computer, network, ...) becomes unavailable to its intended user.
• Elevation of Privilege : describes a situation where a person or a program were to gain elevated privileges or access to resources that are normally restricted to him/it.

This model is named after the initials of every threat : STRIDE, and is now widely used. Nevertheless, other models do exists ; for instance the DREAD : Damage, Reproducibility, Exploitability, Affected users, Discoverability.
To exploit those vulnerabilities, perpetrators (individual hacker or a criminal organization) most commonly use malware (malicious software), worms, viruses and targeted attacks.
To assess the risk of an attack, different scale exists. In the United States, authorities use the Information Operations Condition (INFOCON) system. This system is scaled from 5 to 1 (INFOCON 5 being an harmless situation and INFOCON 1 representing the most critical threats).

Except human factors, their own flaws of system also is a threat. Sometimes system have wrong judgement. There is a famous own flaws of system in history. Year 2000 computer problem, also called "2000 virus", the "millennium bug", "computer millennium millennium bug" or "millennium virus." Abbreviated as "Y2K". In general, the "millennium bug" also includes the following two aspects: one is the number of computer systems, computing and identification for the leap year problem, can not be recognized as a leap year in 2000, that in the calendar of the computer system no February 29, 2000 on this day, but a direct transition from February 28, 2000 to March 1, 2000; another in some older computer systems used in the program string of numbers 99 (or 99/99, etc.) to indicate the end of file, permanently expired, delete some of the special significance of automatic operation, so that when the September 9, 1999 (or April 9, 1999 that in 1999 the first 99 days) to temporarily a computer system in dealing with the content in the file date, it will encounter 99 or 99/99 and other digital series, which will document mistakenly thought to have expired or delete the wrong file operations, causing confusion and even system crashes and other failures.

Over the past 10 to 15 years, multiple cyber attacks occurred targeting both governmental agencies and private companies.

• In 2000, several commercial websites including Yahoo.com, Amazon.com, eBay.com, Buy.com, CNN.com, ZDNet.com hit massive DOS. The FBI estimated that the attack caused $1.7 billion in damage.
• In 2003, a slammer worm infected 90% of vulnerable computers within 10 minutes. This caused interferences with elections, airline flights cancellation, Seattle's 911 emergency system failure and over 13,000 Bank of America ATMs failure. The lost in productivity was estimated around $1 billion.
• Since 2003, a series of coordinated attacks on American computer systems occurred. The US government designated those attacks as Titan Rain. Titan Rain hackers gained access to many U.S. computer networks, including those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA.

"As a fundamental principle, cyberspace is a vital asset to the nation and the United States should protect it"^[8] is the opening statement of the Cybersecurity act of 2010.
Most countries do not possess a digital infrastructure that can be qualified as "secure". The United States is no different: "Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations".^[8]
As more than 85% of the digital infrastructure is owned and operated by the private sector in the United States,^[8] it is crucial that both public and private sectors, in addition of on their own, cooperate on finding a global solution.

The role of the government is to make regulations to force companies and organizations to protect their system, infrastructure and information from any cyber attacks, but also to protect its own national infrastructure such as the national power-grid.

The question of whether the government should intervene or not in the regulation of the cyberspace is a very polemical one. Indeed, for as long as it has existed and by definition, the cyberspace is a virtual space free of any government intervention. Where everyone agree that an improvement on cybersecurity is more than vital, is the government the best actor to solve this issue? Many government officials and experts think that the government should step in and that there is a crucial need for regulation, mainly due to the failure of the private sector to solve efficiently the cybersecurity problem. R. Clarke said during a panel discussion at the RSA Security Conference in San Francisco, he believes that the "industry only responds when you threaten regulation. If industry doesn't respond (to the threat), you have to follow through."^[9] On the other hand, executives from the private sector agree that improvements are necessary but think that the government intervention would affect their ability to innovate efficiently.

The cybersecurity act of 2010 establishes the creation of an advisory panel, each member of this panel will be appointed by the President of the United-States. They must represent the private sector, the academic sector, the public sector and the non-profit organisations.^[8] The purpose of the panel is to advise the government as well as help improve strategies.

InfraGard is an example of public-private organization.

The "Cybersecurity Act of 2010 - S. 773" (full text) was introduced first in the Senate on April 1, 2009 by Senator Jay Rockefeller (D-WV), Senator Evan Bayh (D-IN), Senator Barbara Mikulski (D-MD), Senator Bill Nelson (D-FL), and Senator Olympia Snowe (R-ME). The revised version was approved on March 24, 2009.
The main objective of the bill is to increase collaboration between the public and the private sector on the issue of cybersecurity. But also

"to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes."^[8]

The act also wants to instate new higher standards, processes, technologies and protocols to ensure the security of the "critical infrastructure".

The government put together several different websites to inform, share and analyze information. Those websites are targeted to different "audiences":

• the government itself: states, cities, counties
• the public sector
• the private sector
• the end-user

Here are a few examples :

• http://www.msisac.org/ : the Multi-State Information Sharing and Analysis Center. The mission of the MS-ISAC is to improve the overall cyber security posture of state, local, territorial and tribal governments.
• http://www.onguardonline.gov/ : The mission of this website is to provide practical tips from the federal government and the technology industry to help the end user be on guard against internet fraud, secure their computers, and protect their private personal information.
• http://csrc.nist.gov/ : The Computer Security Division (Computer Security Resource Center) of the National Institute of Standards and Technology. Its mission is to provide assistance, guidelines, specifications, minimum information security requirements...

The U.S. Federal Communications Commission's role in cyber security is to strengthen the protection of critical communications infrastructure, to assist in maintaining the reliability of networks during disasters, to aid in swift recovery after, and to ensure that first responders have access to effective communications services.^[10]

Computer Emergency Response Team is a name given to expert groups that handle computer security incidents. In the US, two distinct organization exist, although they do work closely together.

• US-CERT: the United States Computer Emergency Response Team is part of the National Cyber Security Division of the United States Department of Homeland Security.^[11]
• CERT/CC: The Computer Emergency Response Team Coordination Center is a major coordination center created by the Defense Advanced Research Projects Agency (DARPA) and is run by the Software Engineering Institute (SEI).

A lot of different teams and organisations exists, mixing private and public members. Here are some examples:

• The Forum of Incident Response and Security Teams (FIRST) is the global association of CSIRTs.^[12] The US-CERT, AT&T, Apple, Cisco, McAfee, Microsoft are all members of this international team.^[13]

• The Council of Europe helps protect societies worldwide from the threat of cybercrime through the Convention on Cybercrime and its Protocol on Xenophobia and Racism, the Cybercrime Convention Committee (T-CY) and the Project on Cybercrime.^[14]

• The purpose of the Messaging Anti-Abuse Working Group (MAAWG) is to bring the messaging industry together to work collaboratively and to successfully address the various forms of messaging abuse, such as spam, viruses, denial-of-service attacks and other messaging exploitations. To accomplish this, MAAWG develops initiatives in the three areas necessary to resolve the messaging abuse problem: industry collaboration, technology, and public policy.^[15] France Telecom, Facebook, AT&T, Apple, Cisco, Sprint are some of the members of the MAAWG.^[15]

• ENISA : The European Network and Information Security Agency (ENISA) is an agency of the European Union. It was created in 2004 by EU Regulation No 460/2004 and is fully operational since September 1, 2005. It has its seat in Heraklion, Crete (Greece).

The objective of ENISA is to improve network and information security in the European Union. The agency has to contribute to the development of a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, and consequently will contribute to the smooth functioning of the EU Internal Market.

Here are the main computer emergency response teams around the world. Every country have their own team to protect network security. February 27, 2014, the Chinese network security and information technology leadership team is established. The leadership team will focus on national security and long-term development, co-ordination of major issues related to network security and information technology economic, political, cultural, social, and military and other fields of research to develop network security and information technology strategy, planning and major macroeconomic policy promote national network security and information technology law, and constantly enhance security capabilities.

CSIRTs in Europe collaborate in the TERENA task force TF-CSIRT. TERENA's Trusted Introducer service provides an accreditation and certification scheme for CSIRTs in Europe. A full list of known CSIRTs in Europe is available from the Trusted Introducer website.[1]

• CERT.br, Brazil, member of FIRST (Forum for Incident Response and Security Teams)
• CARNet CERT, Croatia, member of FIRST
• Brazil CERT
• AE CERT, United Arab Emirates
• SingCERT, Singapore
• CERT-LEXSI, France, Canada, Singapore