the role of science in cybercrime prevention and computer security
SnT Luxembourg, July 14, 2010
Aad van Moorsel, Newcastle University, School of Computing Science, Centre for Cybercrime and Computer Security

Upload: harry-dalton

Post on 16-Dec-2015



motivation

© Aad van Moorsel, Newcastle University, 2010

example of the sort of problems

figure labels: economic motivation, blame the user, hacker’s motivation, shift economic accountability

the role of science in cybercrime and security

– some exasperation: “so much trouble, so few improvements”
– in US as well as EU: looking for science to help find resolutions
– personal interest
• own research
• cybercrime centre’s research

what is science?
– use of the scientific method: falsifiable conclusions
– use of scientific techniques: mathematics, rigorous engineering tools, rigorous social science methods

holding us back: requiring technological perfection

holding us back: blaming the human

holding us back: convoluted (economic) incentives

Newcastle Cybercrime Centre research strands

• risk management & communication
• secure networked business
• useable security
• computer-aided forensics

figure labels: law enforcement, citizens and families, policy makers, businesses

my group: risk management & communication

• risk management & communication

figure labels: law enforcement, citizens and families, policy makers, businesses

objective security investments using mathematical models for ‘trust economics’
research how to educate in security, how people react to fraud cues in web sites
user interfaces to show dangers and quantify risks in intuitive manner
policy decision-making

the trust economics methodology


security decision-making

decisions at various levels:
– policy makers:
• anti-terrorism
• cybercrime laws and regulations
• regulating social networks
– companies and organisations
• allow facebook in the workplace?
• integrate applications across government (g-cloud)
– individuals
• should I order from this web site
• should I trust this seller

the CISO: Chief Information Security Officer


Forrester report 2010

in ‘The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk’, Forrester finds:

1. secrets comprise two-thirds of information value
2. compliance, not security, drives security budgets
3. focus on preventing accidents, but theft is 10 times costlier
4. more value correlates with more incidents
5. CISOs do not know how effective their security controls are

the value of top-five data assets

in the knowledge industry about 70% of this is secrets, 30% custodial data (credit card, customer data, etc)

compliance drives budgets, but doesn’t protect secrets

most incidents are employee accidents

75% of incidents are insider (accident or theft)

but thefts are much more costly than accidents

do CISOs know?

CISO at high-value firm scores its security at 2.5 out of 3

CISO at low-value firm scores its security at 2.6 out of 3

high-value firms have 4 times as many accidents as low-value firms, with 20 times more valuable data

so, the CISOs seem to think security is okay/the same, despite differences in actual accidents at a firm...

Forrester concludes: to understand more objectively how well their security programs perform, enterprises will need better ways of generating key performance indicators and metrics

introduction to the trust economics methodology

trust economics methodology for security decisions

figure: stakeholders discuss a model of the information system; trade off: legal issues, human tendencies, business concerns, ...

trust economics research

from the trust economics methodology, the following research follows:

1. identify human, business and technical concerns

2. develop and apply mathematical modelling techniques

3. glue concerns, models and presentation together using a trust economics information security ontology

4. use the models to improve the stakeholders’ discourse and decisions

defining the problem space: information security ontology including human behavioural and economic aspects

ontologies

not unlike a dictionary:
• a collection of interrelated terms and concepts that describe and model a domain
• expressed in a formal ontology language (OWL)

aim:
• define the problem space
• share knowledge between humans
• underlying the tools we build: integrate

security ontology: relationships (figure from Fenz, ASIACCS’09, Formalizing Information Security Knowledge)

security ontology: example of fire threat (figure from Fenz, ASIACCS’09, Formalizing Information Security Knowledge)

human-behavioural aspects in the ontology

class diagram (figure): classes Asset, Behavioural Foundation, Behaviour Control, Control Type, Role, Chapter, Section, Guideline, Guideline Step, Threat (Infra., Proc.), Vulnerability; relationships contains (Chapter, Section, Guideline, Guideline Step), hasSubject, hasVulnerability, exploitedBy, hasFoundation, managesRiskOf, hasRiskApproach, isMitigatedBy, ownedBy, hasStakeholder

ontology – password policy example

Chapter: Number 11, Name “Access Control”
Section: Number 11.3, Name “User Responsibilities”, Objective ...
Guideline: Number 11.3.1, Name “Password Use”, Control ..., Implementation Guidance (Additional) ..., Other Information ...
Implementation Guidance Step: Number 11.3.1 (d), Guidance “select quality passwords with sufficient minimum length which are: 1) easy to remember; ...”
Guideline Step hasSubject Password; Password hasVulnerability Single Password Memorisation Difficult

example – password memorisation

figure key: classes Vulnerability, Procedural Threat, Infrastructure Threat, Behaviour Control, Asset, Control Type, Behavioural Foundation, Threat Consequence; relationships mitigated by, has vulnerability, exploited by, manages risk of

figure contents: vulnerability Single Password Memorisation Difficult, exploited by threat Single Password Forgotten (behavioural foundation: Capability); threat consequence: User temporarily without access; behaviour controls: Make Password Easier To Remember, Maintain Password Policy (control types shown: Acceptance, Reduction)

example – recall methods

figure contents (same key as the password memorisation example): vulnerability Single Password Memorisation Difficult, exploited by threat Password Stored Externally to Avoid Recall (behavioural foundation: Mindset); threat consequence: Insecure storage medium can be exploited by malicious party; behaviour controls: Implement ISO27002 Guideline 11.3.1 (b), “avoid keeping a record of passwords” (Reduction), Educate Users in Recall Techniques (Reduction)

example – password reset function

figure contents: vulnerability Single Password Memorisation Difficult, exploited by threat Single Password Forgotten (Capability), consequence User temporarily without access; behaviour control Helpdesk Password Reset Management (Transfer); follow-on vulnerabilities and threats: IT Helpdesk Cannot Satisfy Reset Request, Helpdesk Busy, Password Reset Process Laborious, with consequences User temporarily without access and User compliance diminished, and controls Automated Password Reset System (Reduction) and Additional Helpdesk Staff (Reduction); Employee Becomes Impatient (Temporal); Helpdesk Provided With Identity Verification Details, exploited by User Account Details Stolen (Mindset), with consequence Malicious party gains access

conclusion ontologies

scientific rigour through ontologies:

1. ontology defines the problem and solution space:
– information security decision making
– trust economics methodology
2. ontology includes human-behavioural aspects
3. ontology has been abstracted so that CISO can easily edit the ontology
4. web-based collaborative security knowledge based on ontology
– together with SBA, Austria
5. foundation of software tools

probabilistic system models

optimize utility

the central bank has an instrument, call it I, the interest rate
• inflation is a function of I
• unemployment is a function of inflation

the best for a country is some weighted sum of unemployment and inflation

you can solve the equation to find out which I is best for a country

how does this work for security investments?

• you want to optimize a utility function combining confidentiality and availability
• you can set the value of I, the instrument
– more monitoring of employees
– more training
• but we have no nice functions for:
– monitoring employees versus improved confidentiality
– perturbations of confidentiality over time
– relation availability and confidentiality
• instead: we build a probabilistic system model to represent these relations (functions), based on techniques and tools developed in CS over past 40 years

system model

the model describes how the system moves between states

probabilities and distributions

we use probabilities:
• represents uncertainty: A or B may happen
• represents long run fractions: 60 percent of time A happens

we also need to represent uncertainty about duration:
• use probability distributions
– all possible durations have a probability
– sum to 1

system model: probabilities and distributions

2 in 3 employees next go in transit when at desk
1 in 3 employees next go to conference room when at desk
travel to client takes between 45 and 75 minutes, uniformly spread
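Added example, not code from the talk or the Möbius model it mentions: a Monte Carlo run of the employee state model on this slide, using the page’s transition probabilities (2 in 3 to transit, 1 in 3 to the conference room) and the 45 to 75 minute uniform travel time. The desk and conference room sojourn times, and the rule that both visits return the employee to the desk, are assumptions; `analytic_fractions` checks the simulated long-run fractions against the embedded-chain calculation.

```python
import random

# Page-given: from the desk, 2 in 3 employees next go in transit and
# 1 in 3 go to the conference room.
P_DESK_TO_TRANSIT = 2 / 3

# Page-given: travel to the client takes 45 to 75 minutes, uniformly spread.
TRAVEL_MIN, TRAVEL_MAX = 45.0, 75.0

# Assumptions for this example (the slides give no figures for these):
# mean sojourn times at the desk and in the conference room, and the rule
# that both transit and conference visits return the employee to the desk.
DESK_MEAN_MIN = 120.0
CONFERENCE_MEAN_MIN = 60.0


def sample_sojourn(state, rng):
    """Sample how long the employee stays in `state` (minutes) and where
    they go next.  Transit uses the page's uniform distribution; the other
    two states use the assumed exponential durations."""
    if state == "desk":
        nxt = "transit" if rng.random() < P_DESK_TO_TRANSIT else "conference"
        return rng.expovariate(1.0 / DESK_MEAN_MIN), nxt
    if state == "transit":
        return rng.uniform(TRAVEL_MIN, TRAVEL_MAX), "desk"
    return rng.expovariate(1.0 / CONFERENCE_MEAN_MIN), "desk"


def simulate_fractions(n_transitions=100_000, seed=7):
    """Monte Carlo estimate of the long-run fraction of time in each state:
    the 'long run fractions' reading of probability on the slides."""
    rng = random.Random(seed)
    minutes_in = {"desk": 0.0, "transit": 0.0, "conference": 0.0}
    state = "desk"
    for _ in range(n_transitions):
        stay, nxt = sample_sojourn(state, rng)
        minutes_in[state] += stay
        state = nxt
    total = sum(minutes_in.values())
    return {s: m / total for s, m in minutes_in.items()}


def analytic_fractions():
    """Exact answer from the embedded Markov chain: every second transition
    enters the desk, the rest split 2:1 between transit and conference;
    weight each visit by its mean duration and normalise."""
    visits = {"desk": 0.5, "transit": 0.5 * P_DESK_TO_TRANSIT,
              "conference": 0.5 * (1 - P_DESK_TO_TRANSIT)}
    mean_stay = {"desk": DESK_MEAN_MIN,
                 "transit": (TRAVEL_MIN + TRAVEL_MAX) / 2,
                 "conference": CONFERENCE_MEAN_MIN}
    weight = {s: visits[s] * mean_stay[s] for s in visits}
    total = sum(weight.values())
    return {s: w / total for s, w in weight.items()}
```

With the assumed sojourn times the employee is at the desk two-thirds of the time, in transit two-ninths and in the conference room one-ninth; the simulation should land within about half a percentage point of each figure.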

stochastic system model (in Möbius)

human behaviour

• trust economics system models are yet more complicated:
– not only overall objective, but also for individual participants: human score function
• take all the human scoring functions together and determine which encryption level users will apply, for each investment level
• plug that in the model, and solve it for confidentiality/availability utility function

some results

• a company can invest in more help desk staff, or more monitoring employees: which of the two investments makes little difference
• if investment increases, one would expect increase in user encrypting: not gradual, sudden sharp increase at some investment level
• one would expect the user to change its proportion of encryption: optimal proportion seems to be always 0 or 1

confidentiality/availability utility

plot: investment horizontally, encryption probability vertical, linear conf/avail utility function as some slides back

a tool for CISOs

Password Policy Composition Tool (screenshot): tabs User Properties, Organisation Properties, Policy Properties; menu File, Help; buttons Generate Output, Export Policy.

Policy Properties: Password Length (#min_length), Password Complexity (#char_classes), Password Change Frequency (#change_frequency), Password Change Notification (#notif_days), Password Login Attempts (#max_retries), each adjustable between a lower and an upper bound.

output panel Breaches / Productivity / Cost; BREACHES [projected per annum for 100-user sample]: Full, Composite, Partial (No.); Productivity; Costs.

a tool for CISOs

Organisation Properties (screenshot): Helpdesk Strategy (Manned / Automated); Manned Helpdesk: No. of Staff, Staff Salary (GBP), Reset Request Completion Time (Hrs); Automated Helpdesk: Annual Support Cost (USD), Reset Request Completion Time (Mins).

User Properties: Select User Class (Class 1, Class 2, Class 3): Class Name, Average Salary (GBP), Average Projected Annual Earnings (USD), Working Pattern (% of time at Home, Office, Public, In Transit); User Distribution (% in Class 1, Class 2, Class 3); Potential Breach Condition: Per-Breach.

a tool for CISOs

Breaches / Productivity / Cost (screenshot): PRODUCTIVITY [projected per annum for 100-user sample], per user class (Class 1, Class 2, Class 3): Reset Requests (No., Hrs; Automated / Manual), Account Lockouts (No.), Authentication Attempts (No.).

a tool for CISOs

Breaches / Productivity / Cost (screenshot): COSTS [projected per annum for 100-user sample], per user class (Class 1, Class 2, Class 3): Lost Salary (£), Lost Earnings (£), Helpdesk Support (%, £; Automated / Manual).

conclusion system models

science of system models:
• rigorous mathematical techniques for prediction
• scientifically founded input from human behavioural experts
• scientific care is taken in not overstating its conclusions

better decision-making:
• for CISOs

and in the future:
• for policy makers
• for users

trust economics results thus far

• case study for USB use to demonstrate the idea (HP et al)
• refinements of modelling human behaviour (with UIUC)
• ontology developed to glue pieces together
• CISO tool design completed and tool building started (with UCL)
• data collection strategies are being developed (with DWP)
• now developing trust economics as a design methodology (with UMA standards body)

and to indicate it’s for real:
• industrial strength ‘security analytics’ consulting tools have just been released by HP/ViStorm: for patching strategies and data loss prevention

trust economics info

http://www.trust-economics.org/

Publications:
• A Stealth Approach to Usable Security: Helping IT Security Managers to Identify Workable Security Solutions. Simon Parkin, Aad van Moorsel, Philip Inglesant, Angela Sasse. New Security Paradigms Workshop, 2010.
• Ontology Editing Tool for Information Security and Human Factors Experts. John Mace, Simon Parkin, Aad van Moorsel. Knowledge Management and Information Sharing, 2010.
• An Information Security Ontology Incorporating Human-Behavioural Implications. Simon Parkin, Aad van Moorsel, Robert Coles. International Conference on Security of Information and Networks, 2009.
• Risk Modelling of Access Control Policies with Human-Behavioural Factors. Simon Parkin, Aad van Moorsel. International Workshop on Performability Modeling of Computer and Communication Systems, 2009.
• A Knowledge Base for Justified Information Security Decision-Making. Daria Stepanova, Simon Parkin, Aad van Moorsel. International Conference on Software and Data Technologies, 2009.
• Architecting Dependable Access Control Systems for Multi-Domain Computing Environments. Maciej Machulak, Simon Parkin, Aad van Moorsel. Architecting Dependable Systems VI, R. De Lemos, J. Fabre, C. Gacek, F. Gadducci and M. ter Beek (Eds.), Springer, LNCS 5835, pp. 49-75, 2009.
• Trust Economics Feasibility Study. Robert Coles, Jonathan Griffin, Hilary Johnson, Brian Monahan, Simon Parkin, David Pym, Angela Sasse, Aad van Moorsel. Workshop on Resilience Assessment and Dependability Benchmarking, 2008.
• The Impact of Unavailability on the Effectiveness of Enterprise Information Security Technologies. Simon Parkin, Rouaa Yassin-Kassab, Aad van Moorsel. International Service Availability Symposium, 2008.

Technical reports:
• Architecture and Protocol for User-Controlled Access Management in Web 2.0 Applications. Maciej Machulak, Aad van Moorsel. CS-TR 1191, 2010.
• Use Cases for User-Centric Access Control for the Web. Maciej Machulak, Aad van Moorsel. CS-TR 1165, 2009.
• A Novel Approach to Access Control for the Web. Maciej Machulak, Aad van Moorsel. CS-TR 1157, 2009.
• Proceedings of the First Trust Economics Workshop. Philip Inglesant, Maciej Machulak, Simon Parkin, Aad van Moorsel, Julian Williams (Eds.). CS-TR 1153, 2009.
• A Trust-economic Perspective on Information Security Technologies. Simon Parkin, Aad van Moorsel. CS-TR 1056, 2007.