lect5_ch06

Lecture 5 focuses on cybersecurity, exploring its definitions, distinctions from cybercrime, and the relationship between security and privacy. It covers categories of computer security, including data, system, and network security, as well as challenges posed by cloud computing. Additionally, it discusses hacking, the hacker ethic, and the implications of free information in cyberspace.

Uploaded by

suneldebr0t
Lecture 5: Security in Cyberspace

10/2020

Overview
- Aims & requirements:
  Providing students with an understanding of cyberethics issues related to cybersecurity.
  Requirements:
  - Reading materials before the lecture
  - Attendance required
- Lecturing format:
- Content:
  - What is cybersecurity, and how are security issues involving computers and cybertechnology different from privacy issues in cyberspace?
  - How are violations involving cybersecurity similar to and different from issues of cybercrime?
  - Which key features differentiate data security, system security, and network security?
  - What is “cloud computing,” and which kinds of challenges does it pose for cybersecurity?
  - What is meant by “hacking” and the “hacker ethic”?
  - Can a clear distinction be drawn between “hacktivism” and cyberterrorism?
  - What is the difference between cyberterrorism and information warfare (IW)?
- Discussion: Categories of cybersecurity
- Self-study: Cybersecurity tools
- Exercise: Your thoughts on the problem of “De-Perimeterization”.
- Reading material: Chapter 6, Textbook

1. SECURITY IN THE CONTEXT OF CYBERTECHNOLOGY
- The expressions computer security and cybersecurity are often associated with issues having to do with:
  - reliability, availability, and safety of computer systems
  - integrity, confidentiality, and protection of data

Defining Cyber Security (continued)
- Richard Epstein (2007) suggests that security concerns affecting computers and cybertechnology can be viewed in terms of three key elements:
  - confidentiality
  - integrity
  - accessibility
- Confidentiality is “about preventing unauthorized persons from gaining access to unauthorized information.”
- Integrity, in computer security contexts, is about “preventing an attacker from modifying data.”
- Accessibility has to do with “making sure that resources are available for authorized users.”

Cybersecurity as Related to Cybercrime
- Cyber security issues often overlap with issues analyzed under the topic of cyber crime.
- Virtually every violation of security involving cybertechnology is also criminal in nature.
- But not every instance of crime in cyberspace necessarily involves a breach or violation of security.

Cyber Security Issues as Distinct from Cyber Crime
- Some computer-related crimes have no direct implications for computer security.
- An individual can use a personal computer to:
  - Make unauthorized copies of software programs
  - Engage in illegal gambling activities
- None of these kinds of crimes are a direct result of insecure computer systems.

Security as Related to Privacy
- Cyber-related issues involving privacy and security often overlap.
- Some important distinctions can be drawn.
- Privacy concerns often arise because on-line users are concerned about losing control over ways in which personal information about them can be accessed by organizations.
  - Many of these organizations claim to have some legitimate need for that personal information in order to make important decisions.

Cyber Security as Related to Privacy (continued)
- Security concerns can arise because people worry that personal data or proprietary information, or both, could be retrieved and possibly altered by unauthorized individuals and organizations.

Security as Related to Privacy (continued)
- Privacy and security concerns can be thought of as two sides of a single coin, where each side complements and completes the other:
  - People need personal privacy and they wish to control those who have information about them as well as how that information is accessed by others.
  - Securing personal information stored in computer databases is an important element in helping individuals to achieve and maintain their privacy.
- In this sense, the objectives of privacy would seem compatible with, and even complementary to, security.
- In another sense, sometimes the objectives of privacy and security seem to be at odds with each other.

Security as Related to Privacy (continued)
- From the perspective of security, the protection of system resources and proprietary data is generally considered more critical,
- Whereas from the vantage point of privacy, the protection of personal information and personal autonomy will receive a higher priority.

2. Three Categories of Computer Security
- Security issues involving cybertechnology span a range of concerns having to do with three distinct kinds of vulnerabilities:
  - 1. Unauthorized access to data, which are either resident in or exchanged between computer systems.
  - 2. Attacks on system resources (such as computer hardware, operating system software, and application software) by malicious computer programs.
  - 3. Attacks on computer networks, including the infrastructure of privately owned networks and the Internet itself.

Figure 6-1: Computer Security
- Data Security
  - Securing data that resides in computer databases
  - Securing data that is transmitted between computer systems
- System Security
  - Securing hardware and operating system resources
  - Securing application software and programs
- Network Security
  - Securing the infrastructure of privately owned networks
  - Securing the infrastructure of the Internet

Data Security
- Another sense of “cyber security” is concerned with vulnerability to unauthorized access of data.
- The data can be either:
  - (a) resident in one or more disk drives or databases in a computer system;
  - (b) transmitted between two or more computer systems.
- We call this “data security.”

Data Security
- In particular, data security issues affect the confidentiality, integrity, and availability of information.
- Spinello (2000) notes that information integrity requires that:
  …proprietary or sensitive information under one's custodial care is kept confidential and secure, that information being transmitted is not altered in form or content and cannot be read by unauthorized parties, and that all information being disseminated or otherwise made accessible through Web sites and on-line data repositories is as accessible and reliable as possible.

Data Security
- Data security is now also threatened by “cloud-computing” services, as more and more corporations and ordinary users elect to store their data in “the Cloud.”
  - Cloud storage devices provide users with one means to secure their data by ensuring that their data could survive (a) “crashes” on the hard drives of their personal computers, and (b) physical damages involving their electronic “tablets” and electronic devices.
- Cloud storage also poses a threat to data security because unauthorized users could gain access to, and potentially manipulate, personal data that is stored there.

System Security
- The expression "computer security" is sometimes used ambiguously.
- In one sense, "computer security" refers to concerns related to a computer system's vulnerability to attacks involving system hardware and software resources from "malicious programs" (viruses and worms).
- This aspect of computer security can be referred to as system security.

System Security
- What are the differences between computer viruses and worms?
- A virus is a self-replicating piece of software code that “attaches itself to other programs and usually requires human action to propagate.”
- A worm, in contrast, is a self-replicating piece of code that “spreads via networks and usually doesn’t require human interaction to propagate.”
  - Worms replicate and propagate without needing a host or program.

System Security
- Examples of malicious programs that disrupted system security:
  - Internet Worm (1988)
  - ILOVEYOU Virus (2001)
  - Code Red Worm (2002)
  - Blaster virus (2004)

System Security
- If the distinction between viruses and worms were not confusing enough, some analysts suggest that we further differentiate disruptive programs to include Trojan horses and logic bombs.
  - A Trojan horse often appears to be a benign program, but it can do significant system damage behind the scenes.
  - Logic bombs, by contrast, check for certain conditions or states in a computer system and then execute when one of those conditions arises.
- Some now refer collectively to these various kinds of “malicious programs,” including viruses and worms, under the single heading “malware.”
- Malware can take many forms and can also include “spyware.”
- The effects of malware can range from minor annoyances with individual computer systems, to preventing an entire organization from operating, to shutting down computer networks, to disrupting major segments of the Internet.

Network Security
- A third category of computer security, which we call network security, is concerned with securing computer networks (i.e., from privately owned computer networks, such as LANs and WANs, to the Internet itself) against various kinds of attacks.
- The Internet’s infrastructure has been the victim of several attacks.
  - These attacks have ranged from programs launched by individuals with malicious intentions to individuals who claimed their intentions were benign.
- In many cases, these attacks have severely disrupted activities on segments of the Internet.
- In a few cases, they have also rendered the Internet virtually inoperable.

3. Cloud Computing and Security
- In the past, “the cloud” has often been used as a “metaphor for the Internet.”
- In the current context of “cloud computing,” “the cloud” (in its broad sense) can now refer to any computer resources that are used “outside the firewall.”
- According to the National Institute of Standards and Technology (NIST), cloud computing is officially defined as
  - a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services).
- Four popular examples of cloud-computing applications include photo storing services, such as Google’s Picasa; Web-based email services, such as Yahoo; file transfer services, such as YouSendIt; and online computer backup services, such as Mozy.

Deployment and Service/Delivery Models for the Cloud
- The NIST definition of cloud computing identifies four distinct “deployment models” and three kinds of “service models,” which are sometimes also referred to as “delivery models” (Zeng and Cavoukian).
- Deployment models:
  - Private Cloud.
  - Community Cloud.
  - Public Cloud.
  - Hybrid Cloud.
- Service (or delivery) models:
  - Software as a Service (or SaaS).
  - Platform as a Service (PaaS).
  - Infrastructure as a Service (IaaS).

Securing User Data Residing in the Cloud
- For cloud computing to be fully realized, users will have to be confident that their personal information is protected and that their data (in general) is both secure and accessible.
- At present, however, users have at least four kinds of worries along these lines.
  - One concern has to do with how users can control their data stored in the cloud: currently, users have very little “control over or direct knowledge about how their information is transmitted, processed, or stored”.
  - Another concern involves the integrity of the data; for example, if the host company goes out of business, what happens to the users’ data?
  - A third concern affects access to the data; i.e., can the host deny a user access to his/her own data?
  - And a fourth concern has to do with who actually “owns” the data that is stored in the cloud.

Securing User Data Residing in the Cloud
- Many businesses, especially those in the healthcare and finance sectors, remain leery about turning over their data to third parties.
- In particular, these businesses have three main kinds of concerns:
  - (i) accidental loss of data,
  - (ii) fear of hacking attacks, and
  - (iii) theft by “rogue employees of cloud providers.”
- So it would seem that until these kinds of concerns are resolved, users have good reasons to be skeptical about placing their trust in cloud-computing services to protect their data.

4. Hacking and Hacker Ethic
- Individuals who have launched malicious programs of various kinds, which we collectively refer to as malware, have commonly been described in the media as computer hackers.
  - A hacker is anyone who “accesses a computer system or network without authorization from the owner.”
  - “Crackers,” by contrast, are hackers who break into a computer system with “the intention of doing harm or destroying data.”

4. Hacking and Hacker Ethic
- Many in the computer science community are unhappy with how the word “hacker,” which now has a negative connotation, is used in the conventional media.
- “True computer hackers” have been described:
  - as individuals who play with computers for the “pure intellectual challenge” and
  - as “master programmers, incorruptibly honest, unmotivated by money, and careful not to harm anyone.”

4. Hacker Ethic
- A strong and distinctive code of ethics could be found in the original hacker community.
- The hacker code can be described as “a philosophy, an ethic, and a dream,” based on the following principles:
  - (i) Access to computers should be unlimited and total.
  - (ii) All information should be free.
  - (iii) Mistrust Authority - Promote Decentralization.
  - (iv) Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position.
  - (v) You can create art and beauty on a computer.
  - (vi) Computers can change life for the better.

Hacking Activities
- Many of the early hackers believed that computer systems were inherently flawed and thus needed to be improved.
  - As a result, some hackers believed that they needed total access to all computer systems in order to take them apart, see how they work, and make the needed improvements.
- Hacking activities in cyberspace embrace three principles:
  - (1) Information should be free;
  - (2) Hackers provide society with a useful and important service;
  - (3) Activities in cyberspace are virtual in nature and thus do not harm real people in the real (physical) world.

“Should Information be free?”
- This view is regarded by critics as idealistic or romantic.
- Some consider it a naïve view.
- If information were free, privacy would not be possible because we would not be able to control how information about us was collected and used.
- Also, it would not be possible to ensure integrity and accuracy of that information since information that was freely available.

Do Hackers Really Provide an Important Service?
- Does the second hacker principle fare any better? Many are suspicious of claims that hackers perform a useful service for society by searching for and exposing security holes in cyberspace.
- Spafford (1992) provides counterexamples to this version of the hacker argument.
  - Spafford asks whether we would permit someone to start a fire in a crowded shopping mall in order to expose the fact that the mall's sprinkler system was not adequate.
- Would you be willing to thank a burglar who successfully broke into your house?
  - e.g., would you thank a burglar who shows that your home security system was inadequate?

Does Hacking Cause Only Virtual Harm, Not Real Harm?
- Some argue that break-ins and vandalism in cyberspace cause no real harm to persons because they are activities that occur only in the virtual realm.
- This argument commits a logical fallacy by confusing the connection between the real and the virtual regarding harm by reasoning:
  - The virtual world is not the real (physical) world; so any harms that occur in the virtual world are not real harms.
  (James Moor calls this the Virtuality Fallacy.)

Can Computer Break-ins Ever Be Ethically Justified?
- Spafford (1992) believes that in certain extreme cases, breaking into a computer could be the "right thing to do."
  - e.g., breaking into a computer to get medical records to save one’s life.
- He also argues that computer break-ins always cause harm; and from this point, he infers that hacker break-ins are never ethically justifiable.

5. Cyberterrorism
- Denning (2000) defines cyberterrorism as the "convergence of cyberspace and terrorism."
- Cyberterrorism covers a range of politically motivated hacking operations intended to cause grave harm that can result in either loss of life or severe economic loss, or both.
- In some cases, it is difficult to separate acts of hacking and cybervandalism from cyberterrorism.

Cyberterrorism vs. Hacktivism
- In February 2000, "denial-of-service" attacks prevented tens of thousands of persons from accessing e-commerce Web sites.
- These attacks resulted in severe economic loss for major corporations.
- Should these particular cyber-attacks be classified as instances of cyberterrorism?
- Or are they better understood as another form of malicious hacking by individuals with no particular political agenda or ideology?

Hacktivism
- Manion and Goodrum questioned whether some cyber-attacks might not be better understood as acts of hacktivism.
- They consider the growing outrage on the part of some hackers and political activists over an increasingly "commodified Internet."
- They also question whether this behavior suggests a new form of civil disobedience, which they describe as hacktivism.

Hacktivism (continued)
- Hacktivism integrates the talent of traditional computer hackers with the interests and social consciousness of political activists.
- Manion and Goodrum note that while hackers continue to be portrayed as vandals, terrorists, and saboteurs, hardly anyone has considered the possibility that at least some of these individuals might be "electronic political activists" or hacktivists.

Hacktivism vs. Cyberterrorism
- Can a meaningful distinction be drawn between hacktivism and cyberterrorism?
- Denning attempts to draw some critical distinctions among three related notions:
  - activism
  - hacktivism
  - cyberterrorism

Activism, Hacktivism, and Cyberterrorism
- Activism includes the normal, non-disruptive use of the Internet to support a cause.
  - e.g., an activist could use the Internet to discuss issues, form coalitions, and plan and coordinate activities.
- Activists could engage in a range of activities from browsing the Web to sending e-mail, posting material to a Web site, constructing a Web site dedicated to their political cause or causes, and so forth.

Activism, Hacktivism, and Cyberterrorism (continued)
- Hacktivism is the convergence of activism and computer hacking, which uses hacking techniques against a target Internet site with intent to disrupt normal operations but without intending to cause serious damage.
- These disruptions could be caused by "e-mail bombs" and "low grade" viruses that cause only minimal disruption, and would not result in severe economic damage or loss of life.

Activism, Hacktivism, and Cyberterrorism (continued)
- Cyberterrorism consists of operations that are intended to cause great harm such as loss of life or severe economic damage, or both.
  - e.g., a cyberterrorist might attempt to bring down the US stock market or take control of a transportation unit in order to cause trains to crash.
- Denning believes that conceptual distinctions can be used to differentiate various activities included under the headings of activism, hacktivism, and cyberterrorism.

Denning’s Analysis
- Denning admits that as we progress from activism to cyberterrorism the boundaries become "fuzzy."
  - e.g., should an "e-mail bomb" sent by a hacker who is also a political activist be classified as a form of hacktivism or as an act of cyberterrorism?
- Many in law-enforcement argue that more effort should be devoted to finding ways to deter and catch these individuals rather than trying to understand their ideological beliefs, goals, and objectives.

Cybertechnology and Terrorist Organizations
- A major security concern, especially since September 11, 2001, has been how and when terrorist organizations, such as Al Qaeda, might use cybertechnology to carry out their objectives.
  - Some members of Al Qaeda have fairly sophisticated computer devices, despite the fact that some operate out of caves in Afghanistan.
- It is not clear that terrorists have used cybertechnology to enhance their acts of terrorism in the ways that the technology could have been used.

6. Information Warfare
- Denning defines information warfare (or IW) as "operations that target or exploit information media in order to win some objective over an adversary."
- Certain aspects of cyberterrorism also seem to conform to Denning's definition of IW.
- Information warfare is a slightly broader concept than cyberterrorism; e.g., it need not involve loss of life or severe economic loss, even though such results can occur.

Information Warfare (continued)
- IW, unlike conventional or physical warfare, tends to be more disruptive than destructive.
- The instruments of war in IW typically strike at a nation's infrastructure.
  - The "weapons" used, which are deployable from cyberspace, consist of "logic bombs" and viruses.
- The disruption caused by viruses and worms can be more damaging, in certain respects, than physical damage caused to a nation by conventional weapons.

Table 6-1: Hacktivism, Cyberterrorism, and Information Warfare
- Hacktivism: The convergence of political activism and computer hacking techniques to engage in a new form of civil disobedience.
- Cyberterrorism: The convergence of cybertechnology and terrorism for carrying out acts of terror in (or via) cyberspace.
- Information Warfare: Using information to deceive the enemy; and using conventional warfare tactics to take out an enemy's computer and information systems.

7. Security Countermeasures
- Power defines a countermeasure as an action, device, procedure, technique or other measure that reduces the vulnerability of a threat to a computer system.
- We have come to rely increasingly on countermeasures.
- Many security analysts believe that countermeasures would not be as necessary as they currently are if better security features were built into computer systems.

Security Countermeasures (continued)
- Spafford (2002) argues that successful security cannot be thought of as an "add-on" to computer systems.
- Security should be embedded in the systems themselves (not added on).
- Until that is accomplished, however, it is prudent to use existing tools and technologies to combat security threats involving computer systems.

Four Types of Security Countermeasures
- Firewalls
- Anti-Virus Software
- Encryption Tools
- Anonymity Tools

Firewall Technology
- Power (2000) defines a firewall as a system or combination of systems that enforces a boundary between two or more networks.
- Firewalls help to secure systems not only from unauthorized access to information in databases, but also help prevent unwanted and unauthorized communication into or out of a privately owned network.
  - A firewall is a "blockade" between an internal privately owned network and an external network, which is not assumed to be secure (Oppliger, 1997).

Anti-Virus Software
- Anti-virus software is designed to "inoculate" computer systems against viruses, worms, and other malicious or rogue programs.
- Anti-virus software, now considered a standard security countermeasure, has been installed on most networked computer systems, including desktop computers.
  - It is typically used in conjunction with firewall technology to protect individual computer systems as well as network domains in universities, and governmental and commercial organizations.

Encryption Tools
- Encryption is the technique used to convert the information in a message composed in ordinary text ("plain text") into "ciphertext."
- The use of data encryption or cryptography techniques in communicating sensitive information is not new.
- It dates back at least as far as the Roman era, where Julius Caesar encrypted messages sent to his generals.

Encryption Tools (Continued)
- The party receiving the encrypted message uses a "key" to decrypt the ciphertext back into plain text.
- So long as both parties have the appropriate key, they can decode a message back into its original form (i.e., plain text).
- One challenge in ensuring the integrity of encrypted communications has been to make sure that the key, which must remain private, can be successfully communicated.

Encryption Tools (Continued)
- An encrypted communication will be only as secure and private as its key.
- In private-key encryption, both parties use the same encryption algorithm and the same private key.
- Public-key cryptography uses two keys: one public and the other private.

Encryption (Continued) – Public-Key Cryptography
- If A wishes to communicate with B, A uses B's public key to encode the message.
- That message can then only be decoded with B's private key, which is secret.
- Similarly, when B responds to A, B uses A's public key to encrypt the message.
- That message can be decrypted only by using A's private key. Although information about an individual's public key is accessible to others, that individual's ability to communicate encrypted information is not compromised.

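Added example (not part of the original slides): the A-to-B and B-to-A exchange described above, carried out with textbook RSA in Python. The primes, messages and function names are constructed for illustration; textbook RSA with small keys and no padding is a teaching device, not a cipher to deploy.

```python
# Added illustration: textbook RSA for the A <-> B exchange on the slide.
# Keys are built from small, well-known Mersenne primes (constructed demo
# values). Real systems use a vetted library, 2048-bit+ keys and padding.
from math import gcd

E = 65537  # widely used public exponent


def make_keypair(p: int, q: int):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(E, phi) != 1:
        raise ValueError("public exponent is not invertible for these primes")
    d = pow(E, -1, phi)  # private exponent: E * d == 1 (mod phi)
    return (n, E), (n, d)


def encrypt(public_key, plaintext: bytes) -> int:
    """Anyone holding the recipient's public key can do this."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(key, ciphertext: int) -> bytes:
    """Recovers the message only when `key` is the matching private key."""
    n, exponent = key
    m = pow(ciphertext, exponent, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Each party publishes the first element and keeps the second secret.
A_PUBLIC, A_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)
B_PUBLIC, B_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)


def run_exchange():
    """Play both directions of the exchange and two failed decryptions."""
    to_b = encrypt(B_PUBLIC, b"meet at dawn")  # A -> B, using B's public key
    to_a = encrypt(A_PUBLIC, b"confirmed")     # B -> A, using A's public key
    return {
        "b_reads": decrypt(B_PRIVATE, to_b),
        "a_reads": decrypt(A_PRIVATE, to_a),
        # A's own private key does not open a message addressed to B.
        "a_private_on_b_message": decrypt(A_PRIVATE, to_b),
        # Knowing B's public key (as an eavesdropper does) is not enough.
        "b_public_on_b_message": decrypt(B_PUBLIC, to_b),
    }


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name}: {value!r}")
```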
Anonymity Tools
- Users want to secure the integrity and confidentiality of their electronic communications.
- They also wish to protect their identity while engaging in on-line activities.
- Anonymity tools such as the Anonymizer, and pseudonymity agents such as Lucent's Personalized Web Assistant, enable users to roam the Web either anonymously or pseudonymously.

Anonymity Tools (Continued)
- Wallace (1999) describes a person as being anonymous when that person has no traits that can be coordinated in a way that would make that person uniquely identifiable.
- An individual is anonymous in cyberspace when that person is able to navigate the Internet in a way that his or her personal identity is not revealed.
  - e.g., the user cannot be identified beyond certain technical information such as the user's IP (Internet protocol) address, ISP, and so forth.

Total Security in Cyberspace
- Can total security in cyberspace be achieved?
- If so, would it be a desirable goal?
- When asked if we would prefer a secure cyberspace, we would likely answer "yes."
- But we might not be willing to accept the consequences of such a level of security.
  - e.g., more secure systems might require certain additional features in cyber-technology that would result in computer systems being less friendly and thus more difficult for ordinary users to operate.

Tradeoffs Involving Security
- More secure computer systems might also result in products that are more expensive.
- Would consumers be willing to spend more money for securer computer systems?
- The costs associated with computer security can be measured both in monetary and non-monetary terms (such as convenience and flexibility) because more secure systems might also be less user-friendly.

Viewing Security as a Process Rather Than as a Product
- Schneier (2000) claims that anyone who promises a totally secure or "hacker proof" system is selling "snake oil."
- Many security experts assume we simply need to find the right technology or the foolproof encryption device or the right security countermeasures.

Security as a Process (continued)
- For Schneier, security is a process, not a product.
- Schneier believes that an important element in that process is risk assessment.
- Seeking perfect security would make a system useless, because "anything worth doing requires some risk."

8. Cyber Security and Risk Analysis
- Risk analysis is a methodology used to come to an informed decision about the most cost-effective controls to limit the risks to your assets vis-à-vis the spectrum of threats.
- Banks and credit card companies can tolerate a considerable amount of credit risk and fraud because they know how to anticipate losses and price their services accordingly.
- What is the acceptable level of risk in computer systems? How can we assess it?

Risk Analysis (Continued)
- Schneier believes that risk can be understood and assessed in terms of the net result of the impacts of five elements:
  - Assets;
  - Threats;
  - Vulnerabilities;
  - Impact;
  - Safeguards.

Risk Analysis (Continued)
- Consider how these five elements could be applied in a process for determining how to secure an automobile you purchased.
- Imagine that you wish to install a security device to protect a 1990 Toyota against theft or vandalism.
- Suppose that you live in an urban area where there is a high degree of crime involving automobile theft.
- Even though a 1990 Toyota would have a low blue-book value (say, for example, $800), vehicles of that type might be useful to certain car thieves for the automotive parts that could be sold once the stolen vehicles have been "stripped."

Risk Analysis (Continued)
- You decide that you need to take the appropriate measures to make your car secure.
- Suppose that purchasing a security system for your car would cost approximately $1100.
- Is your asset (the 1990 Toyota) worth the price required to secure it?
- According to the risk assessment model, it would be advisable to find some alternative means to secure your car.

The Problem of “De-Perimeterization” of Information Security for Analyzing Risk
- IT systems now “span the boundaries of multiple parties” and they “cross the security perimeters” that these parties have put in place for themselves.
- We can no longer achieve adequate cybersecurity by simply building a “digital fence” around a single organization.
- In their view, IT security has become de-perimeterized because of the following trends:
  - Many organizations now outsource their information technology processes.
  - Many employees expect to be able to work from home.
  - Mobile devices make it possible to access data from anywhere.
  - ‘Smart buildings’ are being equipped with small microchips that allow for constant communication between buildings and their headquarters.
- De-perimeterization-related concerns lead to “uncertain risk” for IT security, because of the lack of clear boundaries defining the security landscape.

Review Question
- What do we mean by “computer security” or “cybersecurity”?
- How can cybersecurity concerns be differentiated from issues in cybercrime?
- Who are computer hackers, and how has the term “hacker” evolved?
