the role of science in cybercrime prevention and computer security
SnT Luxembourg, July 14, 2010
Aad van Moorsel, Newcastle University, School of Computing Science, Centre for Cybercrime and Computer Security
© Aad van Moorsel, Newcastle University, 2010
example of the sort of problems
• economic motivation
• blame the user
• hacker’s motivation
• shift economic accountability
the role of science in cybercrime and security
– some exasperation: “so much trouble, so few improvements”
– in US as well as EU: looking for science to help find resolutions
– personal interest
• own research
• cybercrime centre’s research
what is science?
– use of the scientific method: falsifiable conclusions
– use of scientific techniques: mathematics, rigorous engineering tools, rigorous social science methods
Newcastle Cybercrime Centre research strands
• risk management & communication
• secure networked business
• useable security
• computer-aided forensics
stakeholders: law enforcement, citizens and families, policy makers, businesses
my group: risk management & communication
stakeholders: law enforcement, citizens and families, policy makers, businesses
• objective security investments using mathematical models for ‘trust economics’
• research how to educate in security, how people react to fraud cues in web sites
• user interfaces to show dangers and quantify risks in an intuitive manner
security decision-making
decisions at various levels:
– policy makers
• anti-terrorism
• cybercrime laws and regulations
• regulating social networks
– companies and organisations
• allow facebook in the workplace?
• integrate applications across government (g-cloud)
– individuals
• should I order from this web site?
• should I trust this seller?
Forrester report 2010
in ‘The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk’, Forrester finds:
1. secrets comprise two-thirds of information value
2. compliance, not security, drives security budgets
3. the focus is on preventing accidents, but theft is 10 times costlier
4. more value correlates with more incidents
5. CISOs do not know how effective their security controls are
the value of top-five data assets
in the knowledge industry about 70% of this is secrets, 30% custodial data (credit card, customer data, etc.)
compliance drives budgets, but doesn’t protect secrets
most incidents are employee accidents
75% of incidents are insider (accident or theft)
do CISOs know?
the CISO at a high-value firm scores its security at 2.5 out of 3
the CISO at a low-value firm scores its security at 2.6 out of 3
high-value firms have 4 times as many accidents as low-value firms, with 20 times more valuable data
so the CISOs seem to think security is okay/the same, despite differences in actual accidents at a firm...
Forrester concludes: to understand more objectively how well their security programs perform, enterprises will need better ways of generating key performance indicators and metrics
trust economics methodology for security decisions
stakeholders discuss a model of the information system
trade off: legal issues, human tendencies, business concerns, ...
trust economics research
from the trust economics methodology, the following research follows:
1. identify human, business and technical concerns
2. develop and apply mathematical modelling techniques
3. glue concerns, models and presentation together using a trust economics information security ontology
4. use the models to improve the stakeholders’ discourse and decisions
defining the problem space:
information security ontology including human behavioural and economic aspects
ontologies
not unlike a dictionary:
• a collection of interrelated terms and concepts that describe and model a domain
• expressed in a formal ontology language (OWL)
aim:
• define the problem space
• share knowledge between humans
• underlying the tools we build: integrate
security ontology: relationships
[figure omitted; source: Fenz, ASIACCS’09, Formalizing Information Security Knowledge]
security ontology: example of fire threat
[figure omitted; source: Fenz, ASIACCS’09, Formalizing Information Security Knowledge]
human-behavioural aspects in the ontology
[class diagram omitted]
classes: Asset, Behavioural Foundation, Behaviour Control, Chapter, Section, Guideline, Guideline Step, Threat (Infrastructure, Procedural), Vulnerability, Control Type, Role
relationships: contains (Chapter, Section, Guideline, Guideline Step), hasSubject, hasVulnerability, exploitedBy, hasFoundation, managesRiskOf, hasRiskApproach, isMitigatedBy, ownedBy, hasStakeholder
ontology – password policy example
Chapter: Number 11, Name “Access Control”
Section: Number 11.3, Name “User Responsibilities”, Objective: ...
Guideline: Number 11.3.1, Name “Password Use”, Control: ..., Implementation Guidance (Additional): ..., Other Information: ...
Implementation Guidance Step: Number 11.3.1 (d), Guidance: “select quality passwords with sufficient minimum length which are: 1) easy to remember; ...”
the guidance step hasSubject the asset Password, which hasVulnerability “Single Password Memorisation Difficult”
example – password memorisation
[diagram omitted]
key – classes: Vulnerability, Procedural Threat, Infrastructure Threat, Behaviour Control, Asset, Control Type, Behavioural Foundation, Threat Consequence; relationships: mitigated by, has vulnerability, exploited by, manages risk of
vulnerability: Single Password Memorisation Difficult
threat: Single Password Forgotten (behavioural foundation: Capability)
threat consequence: User temporarily without access
behaviour controls: Make Password Easier To Remember, Maintain Password Policy (control types shown: Acceptance, Reduction)
example – recall methods
[diagram omitted; same key as the password memorisation example]
vulnerability: Single Password Memorisation Difficult
threat: Password Stored Externally to Avoid Recall (behavioural foundation: Mindset)
threat consequence: Insecure storage medium can be exploited by malicious party
behaviour controls (control type Reduction): Implement ISO27002 Guideline 11.3.1 (b), “avoid keeping a record of passwords”; Educate Users in Recall Techniques
example – password reset function
[diagram omitted]
vulnerability: Single Password Memorisation Difficult
threats: Single Password Forgotten (behavioural foundation: Capability); Employee Becomes Impatient (behavioural foundation: Temporal); User Account Details Stolen (behavioural foundation: Mindset)
threat consequences: User temporarily without access; User compliance diminished; Malicious party gains access
other diagram nodes: Helpdesk Password Reset Management (control type: Transfer); IT Helpdesk Cannot Satisfy Reset Request; Helpdesk Busy; Password Reset Process Laborious; Helpdesk Provided With Identity Verification Details
behaviour controls (control type Reduction): Automated Password Reset System; Additional Helpdesk Staff
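The three password examples above, turned into a small executable knowledge base that walks Asset → Vulnerability → Threat → Behaviour Control and reports threats with no control attached. This is an added illustration, not code from the talk or the Trust Economics project, and it uses plain Python tuples rather than OWL so it runs offline. Class and relationship names (Asset, Vulnerability, hasVulnerability, exploitedBy, isMitigatedBy, hasFoundation, hasRiskApproach) are the slides' own; `isA` and `hasConsequence` are assumed predicate names, the exact edges are this example's reading of the diagrams, attaching the reset-function vulnerability to the asset Password is an assumption, and the threat "User Account Details Stolen" is deliberately recorded without a control so that the gap check has something to find.

```python
"""Toy triple store over the slides' password examples (added example)."""
from collections import defaultdict

# Constructed knowledge base: (subject, predicate, object) triples.
# Edges marked 'assumed' are this example's reading of the slides, not stated there.
TRIPLES = [
    ("Password", "isA", "Asset"),
    ("Single Password Memorisation Difficult", "isA", "Vulnerability"),
    ("Helpdesk Provided With Identity Verification Details", "isA", "Vulnerability"),  # assumed class
    ("Password", "hasVulnerability", "Single Password Memorisation Difficult"),
    ("Password", "hasVulnerability", "Helpdesk Provided With Identity Verification Details"),  # assumed edge
    # password memorisation slide
    ("Single Password Memorisation Difficult", "exploitedBy", "Single Password Forgotten"),
    ("Single Password Forgotten", "hasFoundation", "Capability"),
    ("Single Password Forgotten", "hasConsequence", "User temporarily without access"),
    ("Single Password Forgotten", "isMitigatedBy", "Make Password Easier To Remember"),
    ("Single Password Forgotten", "isMitigatedBy", "Maintain Password Policy"),
    ("Make Password Easier To Remember", "hasRiskApproach", "Acceptance"),  # pairing assumed
    ("Maintain Password Policy", "hasRiskApproach", "Reduction"),           # pairing assumed
    # recall methods slide
    ("Single Password Memorisation Difficult", "exploitedBy", "Password Stored Externally to Avoid Recall"),
    ("Password Stored Externally to Avoid Recall", "hasFoundation", "Mindset"),
    ("Password Stored Externally to Avoid Recall", "hasConsequence",
     "Insecure storage medium can be exploited by malicious party"),
    ("Password Stored Externally to Avoid Recall", "isMitigatedBy", "Educate Users in Recall Techniques"),
    ("Password Stored Externally to Avoid Recall", "isMitigatedBy", "Implement ISO27002 Guideline 11.3.1 (b)"),
    ("Educate Users in Recall Techniques", "hasRiskApproach", "Reduction"),
    ("Implement ISO27002 Guideline 11.3.1 (b)", "hasRiskApproach", "Reduction"),
    # password reset slide: threat recorded without any mitigating control here (deliberate gap)
    ("Helpdesk Provided With Identity Verification Details", "exploitedBy", "User Account Details Stolen"),
    ("User Account Details Stolen", "hasFoundation", "Mindset"),
    ("User Account Details Stolen", "hasConsequence", "Malicious party gains access"),
]


def build_index(triples):
    """Index objects by (subject, predicate) so graph walks are dictionary lookups."""
    index = defaultdict(list)
    for subject, predicate, obj in triples:
        index[(subject, predicate)].append(obj)
    return index


def follow(index, nodes, predicate):
    """All objects reachable from any of `nodes` over one `predicate` edge."""
    found = []
    for node in nodes:
        found.extend(index.get((node, predicate), []))
    return found


def threats_for_asset(index, asset):
    """Asset -hasVulnerability-> Vulnerability -exploitedBy-> Threat, sorted, no duplicates."""
    vulnerabilities = follow(index, [asset], "hasVulnerability")
    return sorted(set(follow(index, vulnerabilities, "exploitedBy")))


def controls_for_asset(index, asset):
    """Map each threat on the asset to sorted (control, risk approach) pairs that mitigate it."""
    result = {}
    for threat in threats_for_asset(index, asset):
        pairs = []
        for control in index.get((threat, "isMitigatedBy"), []):
            approach = index.get((control, "hasRiskApproach"), ["unspecified"])[0]
            pairs.append((control, approach))
        result[threat] = sorted(pairs)
    return result


def unmitigated_threats(index, asset):
    """The gap check a CISO wants: threats on an asset with no behaviour control at all."""
    return [t for t, pairs in controls_for_asset(index, asset).items() if not pairs]


def foundations_for_asset(index, asset):
    """Which human-behavioural foundations (Capability, Mindset, ...) drive the asset's threats."""
    return {t: follow(index, [t], "hasFoundation") for t in threats_for_asset(index, asset)}


if __name__ == "__main__":
    idx = build_index(TRIPLES)
    for threat, pairs in controls_for_asset(idx, "Password").items():
        print(threat, "->", pairs or "NO CONTROL")
    print("unmitigated:", unmitigated_threats(idx, "Password"))
```

The point of the walk is the one the slides make for ontologies: once the human-behavioural nodes are in the same graph as the assets and controls, "which threats on this asset have nothing managing their risk" becomes a query rather than a reading exercise.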
conclusion ontologies
scientific rigour through ontologies:
1. ontology defines the problem and solution space:
– information security decision making
– trust economics methodology
2. ontology includes human-behavioural aspects
3. ontology has been abstracted so that a CISO can easily edit the ontology
4. web-based collaborative security knowledge based on the ontology (together with SBA, Austria)
5. foundation of software tools
optimize utility
the central bank has an instrument, call it I, the interest rate
• inflation is a function of I
• unemployment is a function of inflation
the best for a country is some weighted sum of unemployment and inflation
you can solve the equation to find out which I is best for a country
how does this work for security investments?
• you want to optimize a utility function combining confidentiality and availability
• you can set the value of I, the instrument
– more monitoring of employees
– more training
• but we have no nice functions for:
– monitoring employees versus improved confidentiality
– perturbations of confidentiality over time
– the relation between availability and confidentiality
• instead: we build a probabilistic system model to represent these relations (functions), based on techniques and tools developed in CS over the past 40 years
system model
the model describes how the system moves between states
probabilities and distributions
we use probabilities:
• represents uncertainty: A or B may happen
• represents long run fractions: 60 percent of the time A happens
we also need to represent uncertainty about duration:
• use probability distributions
– all possible durations have a probability
– sum to 1
system model: probabilities and distributions
[state diagram omitted]
• 2 in 3 employees next go in transit when at desk
• 1 in 3 employees next go to the conference room when at desk
• travel to client takes between 45 and 75 minutes, uniformly spread
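The state model on the slide above, written out as a small semi-Markov model so the two uses of probability the talk separates (which state comes next, and how long a state lasts) are both visible, and so the "long run fraction" can be obtained two ways: by simulation and by the analytic formula. This is an added example, not the talk's or the Trust Economics project's model. Only the desk transitions (2 in 3 to transit, 1 in 3 to the conference room) and the uniform 45-75 minute travel time come from the slide; that transit and the conference room lead back to the desk, and the exponential desk (mean 90 min) and conference-room (mean 30 min) durations, are constructed assumptions.

```python
"""Semi-Markov 'system model' of where an employee is over the day (added example)."""
import random

# Embedded jump chain: state -> [(next state, probability)]; probabilities sum to 1.
TRANSITIONS = {
    "desk": [("transit", 2 / 3), ("conference", 1 / 3)],   # from the slide
    "transit": [("desk", 1.0)],                            # assumed
    "conference": [("desk", 1.0)],                         # assumed
}

# Mean holding time in minutes, used by the analytic solution below.
MEAN_DURATION = {"desk": 90.0, "transit": 60.0, "conference": 30.0}  # desk/conference assumed


def sample_duration(state, rng):
    """Draw one holding time (minutes) from the state's duration distribution."""
    if state == "transit":
        return rng.uniform(45.0, 75.0)          # slide: 45-75 minutes, uniformly spread
    if state == "desk":
        return rng.expovariate(1 / 90.0)        # assumed: exponential, mean 90
    return rng.expovariate(1 / 30.0)            # assumed: exponential, mean 30


def next_state(state, rng):
    """Pick the next state with the embedded-chain probabilities."""
    u, acc = rng.random(), 0.0
    for target, p in TRANSITIONS[state]:
        acc += p
        if u < acc:
            return target
    return TRANSITIONS[state][-1][0]            # guard against rounding when acc ~ 1


def simulate(total_minutes=1_000_000, seed=1):
    """Discrete-event simulation: fraction of time spent in each state."""
    rng = random.Random(seed)
    state, clock = "desk", 0.0
    time_in = {s: 0.0 for s in TRANSITIONS}
    while clock < total_minutes:
        d = sample_duration(state, rng)
        time_in[state] += d
        clock += d
        state = next_state(state, rng)
    total = sum(time_in.values())
    return {s: t / total for s, t in time_in.items()}


def embedded_stationary(transitions, iterations=2000):
    """Stationary distribution of the jump chain, by iterating the 'lazy' chain
    pi <- 0.5*pi + 0.5*pi*P. The lazy chain has the same stationary distribution
    but converges even though desk <-> (transit, conference) is periodic."""
    states = list(transitions)
    pi = {s: 1.0 / len(states) for s in states}
    for _ in range(iterations):
        step = {s: 0.0 for s in states}
        for s in states:
            for target, p in transitions[s]:
                step[target] += pi[s] * p
        pi = {s: 0.5 * pi[s] + 0.5 * step[s] for s in states}
    return pi


def long_run_fractions(transitions, mean_duration):
    """Semi-Markov result: time fraction in s is pi_s * mean_s / sum_j pi_j * mean_j."""
    pi = embedded_stationary(transitions)
    weighted = {s: pi[s] * mean_duration[s] for s in pi}
    total = sum(weighted.values())
    return {s: w / total for s, w in weighted.items()}


if __name__ == "__main__":
    print("analytic :", long_run_fractions(TRANSITIONS, MEAN_DURATION))
    print("simulated:", simulate())
```

With the assumed durations the analytic answer is desk 9/14, transit 2/7, conference 1/14, and the simulation lands within a percent of it; the two agree because only the mean holding time, not the shape of the duration distribution, enters the long-run fraction. Shape does matter for anything that is not a long-run average (for example how often a trip takes more than an hour), which is why the model keeps the uniform distribution rather than just its mean.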
human behaviour
• trust economics system models are yet more complicated: not only an overall objective, but also one for each individual participant: the human score function
• take all the human scoring functions together and determine which encryption level users will apply, for each investment level
• plug that into the model, and solve it for the confidentiality/availability utility function
some results
• a company can invest in more help desk staff, or in more monitoring of employees; finding: which of the two investments is chosen makes little difference
• if investment increases, one would expect an increase in users encrypting; finding: not gradual, but a sudden sharp increase at some investment level
• one would expect the user to change its proportion of encryption; finding: the optimal proportion seems to be always 0 or 1
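The procedure of the two slides above (per-user score functions, users' best response at each investment level, then the organisation's confidentiality/availability utility) carried through on a toy model, to show where the last two findings come from. This is an added example, not the talk's model; the slides give the procedure and the qualitative results, while the functional forms and numbers here (`user_score`, `org_utility`, the effort and weight constants) are constructed assumptions chosen to be the simplest that exhibit them. The reason the chosen proportion is always 0 or 1 is visible in `best_response`: a score that is linear in the proportion encrypted has its maximum at an end point of [0, 1], and the jump in encryption happens where the sign of the slope flips.

```python
"""Toy trust-economics sweep: investment -> users' encryption choice -> utility (added example)."""


def user_score(p, investment, effort=4.0, gain_per_unit=1.0):
    """Employee's own score for encrypting a proportion p of their data.
    Assumed form: linear in p; the perceived gain grows with investment
    (training, monitoring) while the effort of encrypting is a fixed per-unit cost."""
    return p * (gain_per_unit * investment - effort)


def best_response(investment, grid=11):
    """The p in {0, 0.1, ..., 1} maximising the user's score. Because the score is
    linear in p the maximum is always at an end point of [0, 1]; ties go to 0."""
    candidates = [i / (grid - 1) for i in range(grid)]
    return max(candidates, key=lambda p: user_score(p, investment))


def org_utility(p, investment, w_conf=10.0, w_avail=5.0, avail_loss=0.4):
    """Organisation's linear confidentiality/availability utility, net of investment.
    Assumed: confidentiality rises with p, availability falls a little with p
    (encrypted data is harder to get at), both weighted linearly."""
    confidentiality = p
    availability = 1.0 - avail_loss * p
    return w_conf * confidentiality + w_avail * availability - investment


def encryption_curve(investments):
    """Users' chosen encryption proportion at each investment level."""
    return [best_response(i) for i in investments]


def sweep(investments):
    """(investment, chosen p, organisation utility) for each investment level."""
    rows = []
    for inv in investments:
        p = best_response(inv)
        rows.append((inv, p, org_utility(p, inv)))
    return rows


def optimal_investment(investments):
    """Investment level with the highest organisation utility (first on ties)."""
    return max(sweep(investments), key=lambda row: row[2])


if __name__ == "__main__":
    levels = list(range(11))
    for inv, p, u in sweep(levels):
        print(f"investment={inv:2d}  encryption p={p:.1f}  utility={u:6.2f}")
    print("best:", optimal_investment(levels))
```

With these constants users encrypt nothing up to an investment of 4 and everything from 5 onwards, and the organisation's best choice is the smallest investment that tips the users over, which is the shape of result the talk reports. Replacing `user_score` with something concave in p would produce interior optima and a gradual curve instead, so the 0-or-1 finding is a statement about the shape of the human score functions, not about the solver.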
confidentiality/availability utility
[plot omitted: investment horizontally, encryption probability vertically, linear confidentiality/availability utility function as some slides back]
a tool for CISOs
[screenshot omitted: Password Policy Composition Tool]
tabs: User Properties, Organisation Properties, Policy Properties; menu: File, Help; buttons: Generate Output, Export Policy
policy properties, each with a lower and an upper bound: Password Length (#min_length), Password Complexity (#char_classes), Password Change Frequency (#change_frequency), Password Change Notification (#notif_days), Password Login Attempts (#max_retries)
output panel: Breaches / Productivity / Cost; breaches (projected per annum for a 100-user sample) shown as Full, Composite and Partial counts
a tool for CISOs
[screenshot omitted: Organisation Properties and User Properties tabs]
organisation properties: Helpdesk Strategy (Manned / Automated); Manned Helpdesk – No. of Staff, Staff Salary (GBP), Reset Request Completion Time (Hrs); Automated Helpdesk – Annual Support Cost (USD), Reset Request Completion Time (Mins)
user properties, per user class (Class 1, 2, 3): Class Name, Average Salary (GBP), Average Projected Annual Earnings (USD), Working Pattern as a percentage of time at Home, Office, Public and In Transit; User Distribution over the classes (%)
policy properties: Potential Breach Condition (Per-Breach)
a tool for CISOs
[screenshot omitted: Productivity output, projected per annum for a 100-user sample]
productivity, per user class (Class 1, 2, 3): Reset Requests (No. and Hrs; Automated / Manual), Account Lockouts (No.), Authentication Attempts (No.)
a tool for CISOs
[screenshot omitted: Costs output, projected per annum for a 100-user sample]
costs, per user class (Class 1, 2, 3): Lost Salary (% and £; sample values shown 73%, 48%, 88%), Lost Earnings (% and £; sample values shown £200K, £70K, £180K), Helpdesk Support (% and £; Automated / Manual)
conclusion system models
science of system models:
• rigorous mathematical techniques for prediction
• scientifically founded input from human behavioural experts
• scientific care is taken in not overstating its conclusions
better decision-making:
• for CISOs
and in the future:
• for policy makers
• for users
trust economics results thus far
• case study for USB use to demonstrate the idea (HP et al.)
• refinements of modelling human behaviour (with UIUC)
• ontology developed to glue pieces together
• CISO tool design completed and tool building started (with UCL)
• data collection strategies are being developed (with DWP)
• now developing trust economics as a design methodology (with UMA standards body)
and to indicate it’s for real:
• industrial strength ‘security analytics’ consulting tools have just been released by HP/ViStorm: for patching strategies and data loss prevention
trust economics info
http://www.trust-economics.org/
Publications:
• A Stealth Approach to Usable Security: Helping IT Security Managers to Identify Workable Security Solutions. Simon Parkin, Aad van Moorsel, Philip Inglesant, Angela Sasse. New Security Paradigms Workshop, 2010.
• Ontology Editing Tool for Information Security and Human Factors Experts. John Mace, Simon Parkin, Aad van Moorsel. Knowledge Management and Information Sharing, 2010.
• An Information Security Ontology Incorporating Human-Behavioural Implications. Simon Parkin, Aad van Moorsel, Robert Coles. International Conference on Security of Information and Networks, 2009.
• Risk Modelling of Access Control Policies with Human-Behavioural Factors. Simon Parkin and Aad van Moorsel. International Workshop on Performability Modeling of Computer and Communication Systems, 2009.
• A Knowledge Base for Justified Information Security Decision-Making. Daria Stepanova, Simon Parkin, Aad van Moorsel. International Conference on Software and Data Technologies, 2009.
• Architecting Dependable Access Control Systems for Multi-Domain Computing Environments. Maciej Machulak, Simon Parkin, Aad van Moorsel. Architecting Dependable Systems VI, R. De Lemos, J. Fabre, C. Gacek, F. Gadducci and M. ter Beek (Eds.), Springer, LNCS 5835, pp. 49-75, 2009.
• Trust Economics Feasibility Study. Robert Coles, Jonathan Griffin, Hilary Johnson, Brian Monahan, Simon Parkin, David Pym, Angela Sasse and Aad van Moorsel. Workshop on Resilience Assessment and Dependability Benchmarking, 2008.
• The Impact of Unavailability on the Effectiveness of Enterprise Information Security Technologies. Simon Parkin, Rouaa Yassin-Kassab and Aad van Moorsel. International Service Availability Symposium, 2008.
Technical reports:
• Architecture and Protocol for User-Controlled Access Management in Web 2.0 Applications. Maciej Machulak, Aad van Moorsel. CS-TR 1191, 2010.
• Use Cases for User-Centric Access Control for the Web. Maciej Machulak, Aad van Moorsel. CS-TR 1165, 2009.
• A Novel Approach to Access Control for the Web. Maciej Machulak, Aad van Moorsel. CS-TR 1157, 2009.
• Proceedings of the First Trust Economics Workshop. Philip Inglesant, Maciej Machulak, Simon Parkin, Aad van Moorsel, Julian Williams (Eds.). CS-TR 1153, 2009.
• A Trust-economic Perspective on Information Security Technologies. Simon Parkin, Aad van Moorsel. CS-TR 1056, 2007.