
Computer security

Computer security, cybersecurity, digital security or information technology security (IT security) is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.[1][2]

The field is significant due to the expanded reliance on computer systems, the Internet,[3] and wireless network standards such as Bluetooth and Wi-Fi. It is also significant due to the growth of smart devices, including smartphones, televisions, and the various devices that constitute the Internet of things (IoT). Cybersecurity is one of the most significant challenges of the contemporary world, due to both the complexity of information systems and of the societies they support. Security is especially important for systems that govern large-scale infrastructure with far-reaching physical effects, such as power distribution, elections, and finance.[4][5]


While most aspects of computer security involve digital measures such as electronic passwords and encryption, physical security measures such as metal locks are still used to prevent unauthorized tampering.

Viruses are a specific type of malware, and are normally a malicious code that hijacks software with the intention to "do damage and spread copies of itself." Copies are made with the aim to spread to other programs on a computer.[21]

Worms are similar to viruses; however, viruses can only function when a user runs (opens) a compromised program. Worms are self-replicating malware that spread between programs, apps and devices without the need for human interaction.[21]

Trojan horses are programs that pretend to be helpful or hide themselves within desired or legitimate software to "trick users into installing them." Once installed, a RAT (remote access trojan) can create a secret backdoor on the affected device to cause damage.[21]

Spyware is a type of malware that secretly gathers information from an infected computer and transmits the sensitive information back to the attacker. One of the most common forms of spyware is the keylogger, which records all of a user's keystrokes to "allow hackers to harvest usernames, passwords, bank account and credit card numbers."[21]

Scareware, as the name suggests, is a form of malware which uses social engineering (manipulation) to scare, shock, trigger anxiety, or suggest the perception of a threat in order to manipulate users into buying or installing unwanted software. These attacks often begin with a "sudden pop-up with an urgent message, usually warning the user that they've broken the law or their device has a virus."[21]

Employee behavior can have a big impact on information security in organizations. Cultural concepts can help different segments of the organization work effectively or work against effectiveness toward information security within an organization. Information security culture is the "...totality of patterns of behavior in an organization that contributes to the protection of information of all kinds."[43]

Andersson and Reimers (2014) found that employees often do not see themselves as part of their organization's information security effort and often take actions that impede organizational changes.[44] Indeed, the Verizon Data Breach Investigations Report 2020, which examined 3,950 security breaches, discovered 30% of cybersecurity incidents involved internal actors within a company.[45] Research shows information security culture needs to be improved continuously. In "Information Security Culture from Analysis to Change", authors commented, "It's a never-ending process, a cycle of evaluation and change or maintenance." To manage the information security culture, five steps should be taken: pre-evaluation, strategic planning, operative planning, implementation, and post-evaluation.[46]

Pre-evaluation: To identify the awareness of information security within employees and to analyze the current security policies.

Strategic planning: To come up with a better awareness program, clear targets need to be set. Assembling a team of skilled professionals is helpful to achieve it.

Operative planning: A good security culture can be established based on internal communication, management buy-in, security awareness and a training program.

Implementation: Four stages should be used to implement the information security culture.[46] They are:

The principle of least privilege, where each part of the system has only the privileges that are needed for its function. That way, even if an attacker gains access to that part, they only have limited access to the whole system.

Automated theorem proving to prove the correctness of crucial software subsystems.

Code reviews and unit testing, approaches to make modules more secure where formal correctness proofs are not possible.

Defense in depth, where the design is such that more than one subsystem needs to be violated to compromise the integrity of the system and the information it holds.

Default secure settings, and design to fail secure rather than fail insecure (see fail-safe for the equivalent in safety engineering). Ideally, a secure system should require a deliberate, conscious, knowledgeable and free decision on the part of legitimate authorities in order to make it insecure.

Audit trails track system activity so that when a security breach occurs, the mechanism and extent of the breach can be determined. Storing audit trails remotely, where they can only be appended to, can keep intruders from covering their tracks.

Full disclosure of all vulnerabilities, to ensure that the window of vulnerability is kept as short as possible when bugs are discovered.
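The audit-trail principle above says that a remotely stored, append-only trail keeps intruders from covering their tracks. The following is an added example, not code from the article, showing one concrete way to make that property checkable: each log entry commits to the SHA-256 hash of the entry before it, and only the latest hash ("head") has to be copied to the remote append-only store. The record format, the event names and the `demo` scenario are all constructed for the example.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Added example (not from the article): a tamper-evident, append-only audit
# trail. Every entry commits to the hash of the entry before it, and the
# latest hash ("head") is shipped to a remote store that only accepts
# appends. An intruder on the logging host can rewrite or delete local
# entries, but cannot make the result match the head the remote holds.

GENESIS = "0" * 64  # hash value that precedes the first entry


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class AuditLog:
    """Append-only log; each entry is chained to its predecessor."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, record: dict) -> str:
        prev = self.head
        digest = _entry_hash(prev, record)
        self.entries.append({"prev": prev, "record": record, "hash": digest})
        return digest  # the caller forwards this head to the remote store

    @property
    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries: List[dict], remote_head: Optional[str] = None) -> Tuple[bool, int]:
    """Walk the chain from GENESIS.

    Returns (True, -1) when the chain is intact. Returns (False, i) where i is
    the first entry that does not fit its predecessor, or i == len(entries)
    when the chain is self-consistent but its head differs from the one held
    remotely (entries were truncated or the whole chain was rebuilt).
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev:
            return False, i
        if not hmac.compare_digest(_entry_hash(prev, entry["record"]), entry["hash"]):
            return False, i
        prev = entry["hash"]
    if remote_head is not None and not hmac.compare_digest(prev, remote_head):
        return False, len(entries)
    return True, -1


def demo() -> dict:
    """Constructed sample activity (not real log data) run through the checks."""
    log = AuditLog()
    for rec in (
        {"ts": 1, "user": "alice", "event": "login", "src": "10.0.0.5"},
        {"ts": 2, "user": "alice", "event": "sudo", "cmd": "cat /etc/shadow"},
        {"ts": 3, "user": "alice", "event": "logout"},
    ):
        log.append(rec)
    remote_head = log.head  # what the append-only remote store has recorded

    # Intruder edits the incriminating command in place: entry 1 no longer hashes.
    edited = copy.deepcopy(log.entries)
    edited[1]["record"]["cmd"] = "ls"

    # Intruder deletes the tail instead: locally the chain still looks fine,
    # but the head no longer matches what the remote store holds.
    truncated = log.entries[:1]

    return {
        "intact": verify(log.entries, remote_head),
        "edited": verify(edited, remote_head),
        "truncated_local_only": verify(truncated),
        "truncated_vs_remote": verify(truncated, remote_head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the `truncated_local_only` case is the caveat a practitioner should keep in mind: a hash chain on its own only proves internal consistency, and an attacker with write access can delete the tail, or rebuild the whole chain from genesis, without breaking any link. The chain becomes evidence only once the head is anchored somewhere the attacker cannot write, which is exactly what the remote append-only store provides.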

Cost and impact of security breaches[edit]

Serious financial damage has been caused by security breaches, but because there is no standard model for estimating the cost of an incident, the only data available is that which is made public by the organizations involved. "Several computer security consulting firms produce estimates of total worldwide losses attributable to virus and worm attacks and to hostile digital acts in general. The 2003 loss estimates by these firms range from $13 billion (worms and viruses only) to $226 billion (for all forms of covert attacks). The reliability of these estimates is often challenged; the underlying methodology is basically anecdotal."[183]


However, reasonable estimates of the financial cost of security breaches can actually help organizations make rational investment decisions. According to the classic Gordon-Loeb Model analyzing the optimal investment level in information security, one can conclude that the amount a firm spends to protect information should generally be only a small fraction of the expected loss (i.e., the expected value of the loss resulting from a cyber/information security breach).[184]

Attacker motivation[edit]

As with physical security, the motivations for breaches of computer security vary between attackers. Some are thrill-seekers or vandals, some are activists, others are criminals looking for financial gain. State-sponsored attackers are now common and well resourced but started with amateurs such as Markus Hess who hacked for the KGB, as recounted by Clifford Stoll in The Cuckoo's Egg.


Attackers' motivations can vary for all types of attacks, from pleasure to political goals.[15] For example, "hacktivists" may target a company or organization that carries out activities they do not agree with, aiming to create bad publicity for the company by having its website crash.

High-capability hackers, often with larger backing or state sponsorship, may attack based on the demands of their financial backers. These attacks are more likely to be serious. An example of a more serious attack was the 2015 Ukraine power grid hack, which reportedly combined spear-phishing, destruction of files, and denial-of-service attacks to carry out the full attack.[185][186]

Additionally, recent attacker motivations can be traced back to extremist organizations seeking to gain political advantage or disrupt social agendas.[187] The growth of the internet, mobile technologies, and inexpensive computing devices has led to a rise in capabilities but also to increased risk to environments that are deemed vital to operations. All critical targeted environments are susceptible to compromise, and this has led to a series of proactive studies on how to mitigate the risk by taking into consideration the motivations of these types of actors. Several stark differences exist between the hacker motivation and that of nation state actors seeking to attack based on an ideological preference.[188]


A standard part of threat modeling for any particular system is to identify what might motivate an attack on that system, and who might be motivated to breach it. The level and detail of precautions will vary depending on the system to be secured. A home personal computer, bank, and classified military network face very different threats, even when the underlying technologies in use are similar.[189]

Legal issues and global regulation[edit]

International legal issues of cyber attacks are complicated in nature. There is no global base of common rules to judge, and eventually punish, cybercrimes and cybercriminals, and where security firms or agencies do locate the cybercriminal behind the creation of a particular piece of malware or form of cyber attack, often the local authorities cannot take action due to lack of laws under which to prosecute.[215][216] Proving attribution for cybercrimes and cyberattacks is also a major problem for all law enforcement agencies. "Computer viruses switch from one country to another, from one jurisdiction to another – moving around the world, using the fact that we don't have the capability to globally police operations like this. So the Internet is as if someone [had] given free plane tickets to all the online criminals of the world."[215] The use of techniques such as dynamic DNS, fast flux and bulletproof hosting adds to the difficulty of investigation and enforcement.

Role of government[edit]

The role of the government is to make regulations to force companies and organizations to protect their systems, infrastructure and information from any cyberattacks, but also to protect its own national infrastructure such as the national power-grid.[217]


The government's regulatory role in cyberspace is complicated. For some, cyberspace was seen as a virtual space that was to remain free of government intervention, as can be seen in many of today's libertarian blockchain and bitcoin discussions.[218]


Many government officials and experts think that the government should do more and that there is a crucial need for improved regulation, mainly due to the failure of the private sector to efficiently solve the cybersecurity problem. R. Clarke said during a panel discussion at the RSA Security Conference in San Francisco that he believes the "industry only responds when you threaten regulation. If the industry doesn't respond (to the threat), you have to follow through."[219] On the other hand, executives from the private sector agree that improvements are necessary, but think that government intervention would affect their ability to innovate efficiently. Daniel R. McCarthy analyzed this public-private partnership in cybersecurity and reflected on the role of cybersecurity in the broader constitution of political order.[220]


On 22 May 2020, the UN Security Council held its second ever informal meeting on cybersecurity to focus on cyber challenges to international peace. According to UN Secretary-General António Guterres, new technologies are too often used to violate rights.[221]

The Forum of Incident Response and Security Teams (FIRST) is the global association of CSIRTs.[222] The US-CERT, AT&T, Apple, Cisco, McAfee, Microsoft are all members of this international team.[223]

The Council of Europe helps protect societies worldwide from the threat of cybercrime through the Convention on Cybercrime.[224]

The purpose of the Messaging Anti-Abuse Working Group (MAAWG) is to bring the messaging industry together to work collaboratively and to successfully address the various forms of messaging abuse, such as spam, viruses, denial-of-service attacks and other messaging exploitations.[225] France Telecom, Facebook, AT&T, Apple, Cisco, Sprint are some of the members of the MAAWG.[226]

ENISA: The European Network and Information Security Agency (ENISA), since 2019 named the European Union Agency for Cybersecurity, is an agency of the European Union with the objective to improve network and information security in the European Union.

CERT/CC: created by the Defense Advanced Research Projects Agency (DARPA) and run by the Software Engineering Institute (SEI).

U.S. NRC, 10 CFR 73.54 Cybersecurity[edit]

In the context of U.S. nuclear power plants, the U.S. Nuclear Regulatory Commission (NRC) outlines cybersecurity requirements under 10 CFR Part 73, specifically in §73.54.[272]

NEI 08-09: Cybersecurity Plan for Nuclear Power Plants[edit]

The Nuclear Energy Institute's NEI 08-09 document, Cyber Security Plan for Nuclear Power Reactors,[273] outlines a comprehensive framework for cybersecurity in the nuclear power industry. Drafted with input from the U.S. NRC, this guideline is instrumental in aiding licensees to comply with the Code of Federal Regulations (CFR), which mandates robust protection of digital computers and equipment and communications systems at nuclear power plants against cyber threats.[274]

The following terms used with regards to computer security are explained below:

Access authorization restricts access to a computer to a group of users through the use of authentication systems. These systems can protect either the whole computer, such as through an interactive login screen, or individual services, such as an FTP server. There are many methods for identifying and authenticating users, such as passwords, identification cards, smart cards, and biometric systems.

Anti-virus software consists of computer programs that attempt to identify, thwart, and eliminate computer viruses and other malicious software (malware).

Authentication techniques can be used to ensure that communication end-points are who they say they are.

Automated theorem proving and other verification tools can be used to enable critical algorithms and code used in secure systems to be mathematically proven to meet their specifications.

Backups are one or more copies kept of important computer files. Typically, multiple copies will be kept at different locations so that if a copy is stolen or damaged, other copies will still exist.

Capability and access control list techniques can be used to ensure privilege separation and mandatory access control. Capabilities vs. ACLs discusses their use.

Chain of trust techniques can be used to attempt to ensure that all software loaded has been certified as authentic by the system's designers.

Confidentiality is the nondisclosure of information except to another authorized person.[296]

Cryptographic techniques can be used to defend data in transit between systems, reducing the probability that the data exchange between systems can be intercepted or modified.

Cyberwarfare is an Internet-based conflict that involves politically motivated attacks on information and information systems. Such attacks can, for example, disable official websites and networks, disrupt or disable essential services, steal or alter classified data, and cripple financial systems.

Data integrity is the accuracy and consistency of stored data, indicated by an absence of any alteration in data between two updates of a data record.[297]
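Three of the terms above (authentication of communication end-points, cryptographic protection of data in transit against modification, and data integrity) come together in the simplest authenticated channel. The following is an added example, not code from the article: two endpoints that share a secret key tag each message with an HMAC-SHA256 and track per-peer sequence numbers, so that a message that was forged, altered in transit, or captured and replayed is rejected. The endpoint names, message layout and the `demo` scenario are constructed for the example; the key is assumed to have been exchanged out of band. Note what this does not give: the body travels in the clear, so interception is not prevented, and a real channel pairs the MAC with encryption.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

# Added example (not from the article): two endpoints that share a secret key
# authenticate every message with an HMAC and reject replays with a sequence
# number. This gives origin authentication and integrity for data in transit;
# it gives no confidentiality (the body travels in the clear), so a real
# channel would pair it with encryption. Names and message layout are
# constructed for the example.


def _canonical(fields: dict) -> bytes:
    # Fixed serialisation so sender and receiver MAC exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class Endpoint:
    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self.key = key          # pre-shared key, assumed exchanged out of band
        self.send_seq = 0
        self.last_seen: Dict[str, int] = {}  # peer -> highest sequence accepted

    def send(self, to: str, body: str) -> dict:
        self.send_seq += 1
        fields = {"from": self.name, "to": to, "seq": self.send_seq, "body": body}
        tag = hmac.new(self.key, _canonical(fields), hashlib.sha256).hexdigest()
        return {**fields, "tag": tag}

    def receive(self, msg: dict) -> Tuple[bool, str]:
        fields = {k: msg[k] for k in ("from", "to", "seq", "body")}
        expected = hmac.new(self.key, _canonical(fields), hashlib.sha256).hexdigest()
        # Check the tag first, in constant time, before trusting any field.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "rejected: bad tag (forged or modified in transit)"
        if fields["to"] != self.name:
            return False, "rejected: not addressed to this endpoint"
        if fields["seq"] <= self.last_seen.get(fields["from"], 0):
            return False, "rejected: replayed or out-of-order sequence number"
        self.last_seen[fields["from"]] = fields["seq"]
        return True, fields["body"]


def demo() -> dict:
    """Constructed exchange between alice and bob, with mallory interfering."""
    key = secrets.token_bytes(32)
    alice, bob = Endpoint("alice", key), Endpoint("bob", key)
    mallory = Endpoint("mallory", secrets.token_bytes(32))  # does not hold the key

    m1 = alice.send("bob", "transfer 100 to acct 42")
    first = bob.receive(m1)
    replay = bob.receive(m1)                                           # captured and resent
    modified = bob.receive(dict(m1, body="transfer 100 to acct 666"))  # body altered in transit
    forged = bob.receive(dict(mallory.send("bob", "hi"), **{"from": "alice"}))  # wrong key
    m2 = alice.send("bob", "transfer complete")
    second = bob.receive(m2)                                           # next genuine message
    return {"first": first, "replay": replay, "modified": modified,
            "forged": forged, "second": second}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design choices are worth noting. The tag is verified before any other field is looked at, so an attacker cannot learn anything from how an unauthenticated message is processed, and `hmac.compare_digest` avoids leaking the comparison result through timing. Sequence numbers are required to be strictly increasing per sender, which rejects out-of-order delivery as well as replay; a transport that can legitimately reorder messages would instead keep a sliding window of accepted sequence numbers.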

History[edit]

Since the Internet's arrival and with the digital transformation initiated in recent years, the notion of cybersecurity has become a familiar subject in both our professional and personal lives. Cybersecurity and cyber threats have been consistently present for the last 60 years of technological change. In the 1970s and 1980s, computer security was mainly limited to academia until the conception of the Internet, where, with increased connectivity, computer viruses and network intrusions began to take off. After the spread of viruses in the 1990s, the 2000s marked the institutionalization of organized attacks such as distributed denial of service.[299] This led to the formalization of cybersecurity as a professional discipline.[300]


The April 1967 session organized by Willis Ware at the Spring Joint Computer Conference, and the later publication of the Ware Report, were foundational moments in the history of the field of computer security.[301] Ware's work straddled the intersection of material, cultural, political, and social concerns.[301]


A 1977 NIST publication[302] introduced the CIA triad of confidentiality, integrity, and availability as a clear and simple way to describe key security goals.[303] While still relevant, many more elaborate frameworks have since been proposed.[304][305]


However, in the 1970s and 1980s, there were no grave computer threats because computers and the internet were still developing, and security threats were easily identifiable. More often, threats came from malicious insiders who gained unauthorized access to sensitive documents and files. Although malware and network breaches existed during the early years, attackers did not use them for financial gain. By the second half of the 1970s, established computer firms like IBM started offering commercial access control systems and computer security software products.[306]


One of the earliest examples of an attack on a computer network was the computer worm Creeper written by Bob Thomas at BBN, which propagated through the ARPANET in 1971. The program was purely experimental in nature and carried no malicious payload. A later program, Reaper, was created by Ray Tomlinson in 1972 and used to destroy Creeper.


Between September 1986 and June 1987, a group of German hackers performed the first documented case of cyber espionage.[307] The group hacked into American defense contractors, universities, and military base networks and sold gathered information to the Soviet KGB. The group was led by Markus Hess, who was arrested on 29 June 1987. He was convicted of espionage (along with two co-conspirators) on 15 Feb 1990.


In 1988, one of the first computer worms, called the Morris worm, was distributed via the Internet. It gained significant mainstream media attention.[308]


In 1993, Netscape started developing the SSL protocol, shortly after the National Center for Supercomputing Applications (NCSA) launched Mosaic 1.0, an early and widely adopted graphical web browser, in 1993. Netscape had SSL version 1.0 ready in 1994, but it was never released to the public due to many serious security vulnerabilities. These weaknesses included replay attacks and a vulnerability that allowed hackers to alter unencrypted communications sent by users. Netscape then launched version 2.0 in February 1995.[309]


The National Security Agency (NSA) is responsible for the protection of U.S. information systems and also for collecting foreign intelligence.[310] The agency analyzes commonly used software and system configurations to find security flaws, which it can use for offensive purposes against competitors of the United States.[311]


NSA contractors created and sold click-and-shoot attack tools to US agencies and close allies, but eventually, the tools made their way to foreign adversaries. In 2016, the NSA's own hacking tools were hacked, and they have since been used by Russia and North Korea. NSA employees and contractors have been recruited at high salaries by adversaries anxious to compete in cyberwarfare. In 2007, the United States and Israel began exploiting security flaws in the Microsoft Windows operating system to attack and damage equipment used in Iran to refine nuclear materials. Iran responded by heavily investing in its own cyberwarfare capability, which it began using against the United States.[311]

Further reading[edit]

Branch, Jordan (24 September 2020). "What's in a Name? Metaphors and Cybersecurity". International Organization. 75 (1). Cambridge University Press (CUP): 39–70. doi:10.1017/s002081832000051x. ISSN 0020-8183. S2CID 224886794.

Costigan, Sean; Hennessy, Michael (2016). Cybersecurity: A Generic Reference Curriculum (PDF). NATO. ISBN 978-9284501960. Archived (PDF) from the original on 10 March 2017.

Fuller, Christopher J (11 June 2018). "The Roots of the United States' Cyber (In)Security" (DOC). Diplomatic History. 43 (1). Oxford University Press (OUP): 157–185. doi:10.1093/dh/dhy038. ISSN 0145-2096.

Bob, Yonah Jeremy (21 August 2021). "Ex-IDF cyber intel. official reveals secrets behind cyber offense". The Jerusalem Post.

Kim, Peter (2014). The Hacker Playbook: Practical Guide To Penetration Testing. Seattle: CreateSpace Independent Publishing Platform. ISBN 978-1494932633.

Lee, Newton (2015). Counterterrorism and Cybersecurity: Total Information Awareness (2nd ed.). Springer. ISBN 978-3319172439.

Montagnani, Maria Lillà; Cavallo, Mirta Antonella (2018). "Cybersecurity and Liability in a Big Data World". Market and Competition Law Review. 2 (2). Elsevier BV: 71–98. doi:10.2139/ssrn.3220475. ISSN 1556-5068. S2CID 216704215. SSRN 3220475.

Shariati, Marzieh; Bahmani, Faezeh; Shams, Fereidoon (2011). "Enterprise information security, a review of architectures and frameworks from interoperability perspective". Procedia Computer Science. 3. Elsevier BV: 537–543. doi:10.1016/j.procs.2010.12.089. ISSN 1877-0509.

Singer, P. W.; Friedman, Allan (2014). Cybersecurity and Cyberwar: What Everyone Needs to Know. Oxford University Press. ISBN 978-0199918119.

Wu, Chwan-Hwa (John); Irwin, J. David (2013). Introduction to Computer Networks and Cybersecurity. Boca Raton: CRC Press. ISBN 978-1466572133.