SlideShare a Scribd company logo

ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf

S
sulu98

This document discusses controls for protecting critical information infrastructure from cyberattacks. It begins by examining vulnerabilities in critical information infrastructure that cyberthreats exploit to launch attacks, such as software vulnerabilities, personnel vulnerabilities, and network protocol vulnerabilities. It then analyzes various cyberthreats like malware, distributed denial of service attacks, cyberwarfare, and social engineering that target these vulnerabilities. The document proposes implementing a system of preventive, detective, and corrective security controls based on general systems theory to address the vulnerabilities. Finally, it presents a model for securing critical information infrastructure that is currently insecure.

Technology
1 of 7
Download to read offline
1
2
3
4
5
6
7
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/281907475 Controls for protecting critical information infrastructure from cyberattacks Conference Paper · December 2014 DOI: 10.1109/WorldCIS.2014.7028160 CITATIONS 9 READS 4,142 2 authors: Some of the authors of this publication are also working on these related projects: A User Personality Model: Susceptibility to Phishing on Social Networking Sites View project Sustainability of using technology View project Tamir Tsegaye Rhodes University 5 PUBLICATIONS   11 CITATIONS    SEE PROFILE Stephen Flowerday Rhodes University 118 PUBLICATIONS   907 CITATIONS    SEE PROFILE All content following this page was uploaded by Tamir Tsegaye on 19 October 2019. The user has requested enhancement of the downloaded file.
World Congress on Internet Security (WorldCIS-2014) Controls for Protecting Critical Information Infrastructure from Cyberattacks Tamir Tsegaye Department of Information Systems University of Fort Hare East London, South Africa tamir.tsegaye@gmail.com Abstract - Critical information infrastructure has enabled organisations to store large amounts of information on their systems and deliver it via networks such as the internet. Users who are connected to the internet are able to access various internet services provided by critical information infrastructure. However, some organisations have not effectively secured their critical information infrastructure and hackers, disgruntled employees and other entities have taken advantage of this by launching cyberattacks on their critical information infrastructure. They do this by using cyberthreats to exploit vulnerabilities in critical information infrastructure which organisations fail to secure. As a result, cyberthreats are able to steal or damage confidential information stored on systems or take down websites, preventing access to information. Despite this, risk strategies can be used to implement a number of security controls: preventive, detective and corrective controls, which together form a system of controls. This will ensure that the confidentiality, integrity and availability of information is preserved, thus reducing risks to information. This system of controls is based on the General Systems Theory, which states that the elements of a system are interdependent and contribute to the operation of the whole system. Finally, a model is proposed to address insecure critical information infrastructure. Keywords: Cyberattacks, Critical Information Infrastructure, Vulnerabilities, Cyberthreats, Security Controls I. INTRODUCTION Cyberattacks have been targeting critical information infrastructure, which is the information systems that store, process and deliver information [1]. These cyberattacks have escalated lately, increasing in variety and volume [2]. Hackers, disgruntled employees and other entities are capable of launching cyberattacks. It is important that emphasis is placed on cyberattacks, as anyone possessing a virus infected computer and an internet connection can launch a cyberattack. Many organisations have been hit by cyberattacks, as a result of not securing their systems and networks. A survey was conducted by Kaspersky Lab and B 2B International in 2013 . It indicated that 91% of organisations who took part in the survey had been hit by a cyberattack at least once in a12 - month period, while 9% became victims of cyberattacks [3]. In addition, in 2013 Spamhaus was attacked by one of the biggest Distributed Denial of Service (DDoS) attacks to date, with the attack reaching a throughput of300 gbps [3]. 978-1-908320-42/1/©2014 IEEE Stephen Flowerday Department of Information Systems University of Fort Hare East London, South Africa sflowerday@uth.ac.za The internet was originally invented for the purpose of conducting research between academic institutions, as well as the US Department of Defence (DOD) [4]. Thus, it was not designed for security as its purpose back then was to exchange information between small networks. Due to the emergence of various cyberthreats, security is now essential as information online needs to be protected. Hence, Information Security has been added, which aims to protect the confidentiality, integrity and availability of information stored on systems [5]. Confidentiality, integrity and availability are the three principles of information and form the CIA Triad [6]. Confidential information must be protected from being exposed to unauthorized individuals. The integrity of information indicates that information must be complete and not corrupted. Finally, information must be available to authorized individuals without any interference. These three principles of information must be preserved in order to effectively secure critical information infrastructure. The impact that cyberthreats have on the CIA principles will be referred to throughout this paper. In this paper, cyberattacks launched on organisations' vulnerable critical information infrastructure will be examined. Focus will be placed only on the information side of critical infrastructure, thus excluding critical infrastructure such as power stations and water supply systems. Section II will discuss a number of vulnerabilities possessed by critical information infrastructure. Next, section III will examine various cyberthreats which create cyberattacks, which target critical information infrastructure. This will be followed by section IV which will discuss security controls that are needed to protect critical information infrastructure. Finally, in section V a proposed model will be examined in order to address insecure critical information infrastructure. II. VULNERABILITIES IN CRlTICAL INFORMATION INFRASTRUCTURE A vulnerability is a flaw in a system or protection mechanism that exposes a system to cyberattacks [5]. Attackers can use cyberthreats to exploit vulnerabilities in order to steal confidential information, damage information or take down websites, thus making information unavailable to authorized users. Fig. 1 shows the Common Criteria Model [7] which depicts security concepts and relationships. These security 24
World Congress on Internet Security (WorldCIS-2014) concepts and relationships will be examined before discussing the various types of vulnerabilities which are possessed by critical information infrastructure. By applying this model to this paper, owners refer to organisations who value their assets. These assets represent information which is stored on systems and delivered via networks such as the internet. to reduce Figure 1. Common Criteria Model [7] On the other hand, threat agents may wish to abuse or damage these assets by stealing confidential information, sabotaging or modifYing information and preventing access to information. Thus, the CIA principles will not be preserved. Examples of threat agents include hackers, disgruntled employees and other entities. These threat agents give rise to threats which target assets. Examples of threats include malware, cybersabotage and Distributed Denial of Service attacks (discussed in section III). Threat agents are often successful in damaging or abusing assets as they exploit vulnerabilities which are present in critical information infrastructure. However, owners may be aware of vulnerabilities in critical information infrastructure and thus lTIlpose countermeasures (i.e. security controls: discussed in section IV) to reduce them. As a result, risks to assets will be reduced. In contrast, countermeasures such as antivirus software may possess vulnerabilities, which will prevent them from identifYing and rectifYing the latest software vulnerabilities. Software vulnerabilities, including unpatched systems, will be discussed next. A. Software Vulnerabilities A software vulnerability is a flaw in the design of a computer program [8]. It is these flaws which malware exploits in order to gain lTIlauthorized access to a system. Once access has been gained, the system is at the disposal of the attacker who lalTIlches the cyberattack. Although computer programs such as database software can be beneficial for organisations working with large amounts of information, a vulnerability in this software can potentially cause the information stored in the database to be accessible to the attacker. Unpatched systems create an opportunity for malware to exploit, which leaves a system open to attack [ 9]. Despite this, 978-1-908320-42/1/©2014 IEEE many software programs notifY users when new patches are available, which can be installed automatically and secure any vulnerabilities. Personnel vulnerabilities consisting of disgruntled and naive employees will be discussed next. B. Personnel Vulnerabilities Personnel vulnerabilities comprise of employees who have the potential to damage their organisation's information [10]. Disgruntled employees have an advantage over external attackers, as most employees have access to confidential information and know where critical systems are located in their organisation. In contrast, external attackers would need to probe a system and look for vulnerabilities to exploit before they can infiltrate a system. However, personnel vulnerabilities do not only include disgruntled employees. External attackers are able to take advantage of naive employees in order to steal their confidential information [2]. For example, an attacker could send an email to an employee requesting their password in order to keep their email account active. As a result, employees may carelessly give away their passwords. These methods are used in social engineering which is discussed in section III. Disaster recovery planning vulnerabilities which involves personnel will be examined next. C. Disaster Recovery Planning Vulnerabilities A disaster recovery plan is a document which specifies the activities that need to be followed to recover from a disaster [5]. However, this plan may contain several vulnerabilities. Due to these vulnerabilities, an organisation may not be able to recover information which has been lost due to a cyberattack. A disaster recovery plan which is not tested regularly in a specific scenario will not be reliable in the event of a disaster [11]. An example of a scenario could include a DDoS attack which has taken down a website. The disaster recovery plan is an important security control and will be discussed in section IV. Next, vulnerabilities in network protocols will be discussed. D. Network Protocol Vulnerabilities Some network protocols are vulnerable to cyberattacks and are exploited in order to disrupt or compromise websites [ 9]. One vulnerable protocol is Hypertext Transfer Protocol (HTTP). HTTP is exploited by DDoS attacks in order to take down websites, thus preventing access to information. Domain Name System (DNS) is another vulnerable protocol [8]. Attackers exploit this protocol, which allows them to create malicious websites used to steal confidential information from victims. Thus, it is important that organisations take measures to prevent these protocols from being exploited. It is evident that a number of vulnerabilities in critical information infrastructure are creating an opportunity for attackers to exploit. As a result, critical information infrastructure will remain insecure. In section IV, security controls will be used to address the vulnerabilities which were discussed in this section. Cyberattacks created by cyberthreats are covered in the next section. 25
World Congress on Internet Security (WorldCIS-2014) III. CYBERATTACKS CREATED BY CYBERTHREATS Many organisations have suffered from cyberattacks that have been created by a variety of cyberthreats. These cyberthreats use the internet as a mediwn to create cyberattacks. They exploit a large nwnber of vulnerabilities in order to infiltrate or take down systems and networks. A nwnber of vulnerabilities which cyberthreats exploit were discussed in the previous section. A common cyberthreat known as malware will be examined next. A. Malware Malware is software which is used to compromise a system [12]. It includes three categories: viruses, worms and Trojan horses. Malware can be disguised as legitimate software, which organisations may install erroneously, infecting their systems in the process. This could happen due to the use of ineffective security controls which leave a system open to attack. Due to the increase in internet speeds and its affordability, more and more users are connecting to it, causing the threat of malware to increase with it [8]. It is evident that there is a trade-off between the number of internet users and malware. Malware would be stopped if the internet was shutdown, but that is impossible as the internet has been providing beneficial internet services to users. The threat of malware has also been on the increase due to an increase in easy-to-use malware toolkits which are available to anyone for a certain price. For example, the Zeus bot malware creator kit was sold to novice users with detailed instructions on how to use it [2]. Thus, this has created opportunities for amateur hackers to steal confidential information such as credit card information and passwords. Malware is also used to infect computers which take part in DDoS attacks [13]. B. Distributed Denial of Service Distributed Denial of Service is an attack which uses a group of infected computers to take down a website, by flooding it with unnecessary traffic [13]. Many countries have been hit by DDoS attacks, which have negatively affected their economy. For example, in 2007 Estonia's government and ecommerce websites were brought down by DDoS attacks [14]. As a result, users were not able to access their online banking accounts and thus could not make any transactions. DDoS attacks are used extensively in cyberwarfare which will be discussed next. C. Cyberwarfare Cyberwarfare comprises of several other cyberthreats such as DDoS, cyberespionage and cybersabotage. It includes hackers and governments who attack systems or networks belonging to other governments [15]. Anyone with a computer and an internet connection can take part in cyberwarfare intentionally or unintentionally (if their computer is turned into a zombie). One area of cyberwarfare is cyberespionage, which is the use of computers to steal confidential information from systems [13]. For instance, hackers may be employed by their government to steal classified information from other governments. In addition, a developing nation may use cyberespionage in order to catch up with first world nations [16]. Alternatively, an organisation may plan to steal trade secrets from another organisation and use it to improve their competitive advantage in their industry. Cybersabotage, which is another area of cyberwarfare, includes damaging information and defacing or taking down websites [15]. Hacktivists may protest against the government by using DDoS attacks to take down or deface their websites. For instance, during the Russia-Georgia war in2008 , Russian hacktivists disabled and defaced Georgian government web sites using cyberattacks [15]. In contrast, disgruntled employees can sabotage information by installing malware on their organisation's systems [17]. However, an employee may unintentionally create an opportunity for their organisation to be attacked. This will be discussed next under social engineering. D. Social Engineering Social engineering is a method used by attackers to deceive employees into giving them their confidential information [17]. Even if an organisation secures its systems effectively, employees who are easily tricked may unknowingly let malware enter these systems. For instance, in 2010 cybercriminals sent phishing emails (with the Zeus malware attached to it) that targeted employees who were in charge of IT operations in the USA [2]. Once the phishing email was opened, the Zeus malware was installed on the victim's system and consequently stole their confidential information [2]. Thus, it is important that employees are able to differentiate between an authentic website and a phishing website. Based on section III, cyberthreats exploit vulnerabilities in critical information infrastructure in order to steal, corrupt or make information unavailable. Hence, the three CIA principles will not be preserved. Table I shows the vulnerabilities exploited by cyberthreats which were covered earlier on. In the next section security controls will be identified in order to preserve the CIA principles. TABLE I. VULNERABILITIES EXPLOITED BY CYBERTHREATS CYBERTHREAT VULNERABILITIES A Malware • Software vulnerabilities: exploit unpatched systems in order to infiltrate a system [9]. • Personnel vulnerabilities: naive users may be tempted to download legitimate software disguised as a Trojan horse, which consequently infect their system rI01- B Distributed Denial of • Network protocol vulnerabilities: HTTP protocol exploited in order to take down websites [9]. Service (DDoS) C Cyberwarfare • Software vulnerabilities: malware used to steal and damage information [12]. • Personnel vulnerabilities: disgruntled employees may sabotage their organisation's systems [17]. • Network protocol vulnerabilities: DDoS attacks take down websites by exploiting HTTP protocol [9]. 0 Social Engineering • Personnel vulnerabilities: users tricked into giving their personal information [17]. 978-1-908320-42/1/©2014 IEEE 26
World Congress on Internet Security (WorldCIS-2014) IV. SECURITY CONTROLS USED TO PROTECT CRITICAL INFORMATION INFRASTRUCTURE Security controls comprise of three categories: preventive, detective and corrective controls [11]. Preventive controls prevent security incidents from happening, while detective controls detect any security incidents that have avoided preventive controls. Corrective controls correct incidents which have been detected. Both technical and non-technical controls will be discussed in this section. An organisation should have more preventive controls compared to detective and corrective controls, as preventing a cyberthreat from attacking a system or network is the best defence. Preventive controls, which are the first line of defence, will be discussed next. A. Preventive Controls Before preventive controls are implemented, a risk strategy such as the defend strategy needs to be selected. The defend strategy attempts to prevent the exploitation of vulnerabilities [5]. This is achieved by implementing preventive controls such as policies. 1) Policies Policies are rules which are set by the board of directors and executive management of an organisation [11]. Policies are implemented to help increase the level of security in an organisation. Some policies which could be implemented include allowing people to only access specific information based on their role. In addition, security education, training and awareness programs should be included to ensure that employees do not fall for phishing scams [18]. All security controls should comply with policies such as firewalls [II]. 2) Firewalls A firewall is a security control which is used to manage incoming and outgoing network traffic and determines if traffic should be allowed through based on certain rules [8]. For example, traffic coming from outside an organisation's network is analysed by the firewall to check if it meets certain rules specified by the firewall. If it does not meet any of these rules, the firewall will prevent the traffic from entering the network. A firewall is useful as it allows organisations to define their own firewall rules which should comply with policies. Antivirus software is another preventive control which is examined next. 3) Antivirus Software Antivirus software is not only a preventive control but also a detective and corrective control [18]. It acts as a preventive control by preventing malware from attacking a system, which may steal confidential information or corrupt it. It is important that antivirus software is updated regularly to protect systems from the latest malware. Next, penetration testing which acts as a preventive control is discussed. 4) Penetration Testing Penetration testing is a set of security tests that simulate attacks made by an external attacker [5]. These security tests are done in order to identify vulnerabilities in networks and systems. These vulnerabilities can then be secured once they are found. Hence, penetration testing is a preventive control as 978-1-908320-42/1/©2014 IEEE once vulnerabilities have been identified and secured, cyberthreats will be prevented from entering systems or networks. Detective controls, which are the second layer of security, will be examined next. B. Detective Controls In the event that a cyberthreat has been able to bypass preventive controls, detective controls would ensure that the cyberthreat is identified. A mitigation strategy, which is another type of risk strategy, would need to be selected before implementing detective controls [5]. This strategy aims to reduce the impact caused by the exploitation of a vulnerability, which has allowed a cyberthreat to infiltrate a network or system. A mitigation strategy is important as it ensures that attacks are detected early. A number of detective controls will be examined below. 1) Antivirus Software Antivirus software functions as a detective control by alerting a user when malware has been found on a system [12]. An example of this would be a message which appears, warning a user that malware has been detected e.g. after a flash drive has been plugged into a system. Intrusion detection systems are discussed next. 2) Intrusion Detection Systems An intrusion detection system is used to detect suspicious activity which has been found on a system or network. If any suspicious activity has been found, an administrator will be alerted by the intrusion detection system [12]. As a result, action can be taken before a cyberthreat attacks a system or network. Honeypots, which are also able to detect suspicious activity, will be examined next. 3) Honeypots A honeypot is a decoy system which is used to gather information, by recording the activities performed by the attacker who infiltrated the honeypot [8]. This information can be used to learn about an attacker's motives, including the methods of attack used by the attacker. Thus, organisations will be able to protect themselves from future attacks. Corrective controls which are the third and final layer of security will be discussed next. C. Corrective Controls Corrective controls are used once a cyberthreat has managed to bypass preventative controls and evade detective controls. A mitigation strategy would need to be used to implement corrective controls, which will respond to an attack as quickly as possible [5]. A number of corrective controls will be discussed below. 1) Antivirus Software Antivirus acts as a corrective control by removing any malware which has been found on a system [12]. This malware could have damaged or stolen confidential information from a system. Although antivirus software can remove malware which has infected a system, it is not able to recover information which may have been corrupted or destroyed. A disaster recovery plan can address this issue and is discussed next. 27
World Congress on Internet Security (WorldCIS-2014) 2) Disaster Recovery Plan A disaster recovery plan is a document which specifies the activities which are followed, in order to recover from a disaster [5]. Backing up information is an important part of this plan and should be done on a regular basis, as organisations store large amounts of information on their systems. Thus, a disaster recovery plan acts as a corrective control since information which has been corrupted by malware can be recovered from backups. The final corrective control which will be discussed next is Zombie Zapper. 3) Zombie Zapper Zombie Zapper is a free tool which is used to command a zombie to stop flooding a network with traffic [14]. This tool will help organisations save money instead of looking for some other commercial tool to help counter zombies. Hence, various security controls are available to counteract cyberthreats in the form of preventive, detective and corrective controls, which are depicted in Table II. It is important that organisations do not only use one of these controls as the only layer of security, but should use other controls as well. In the next section a model is proposed to address insecure critical information infrastructure. TABLE II. CATEGORIES OF SECURITY CONTROLS PREVENTIVE DETECTIVE Policies [11], [18] Antivirus Software [12] Firewalls [8] Intrusion Detection Systems [12] Antivirus Software [18] Honeypots [8] Penetration Testing [5] V. PROPOSED MODEL CORRECTIVE Antivirus Software [12] Disaster Recovery Plan [5] ZombieZapper [14] The proposed model depicted in Fig. 2 aims to address insecure critical information infrastructure. Cyberthreats exploit vulnerabilities in critical information infrastructure, in order to infiltrate or disrupt it. Cyberthreats do this with the aim of stealing, corrupting or making information unavailable to users. To counter these cyberthreats, risk strategies are needed to implement specific security controls. The risk strategies depicted in this model are the defend strategy and mitigation strategy. The defend strategy is used to prevent the exploitation of vulnerabilities in critical information infrastructure, while the mitigation strategy is used to reduce the impact caused by the exploitation of vulnerabilities. Once risk strategies have been selected and security controls have been implemented, they will ensure that the confidentiality, integrity and availability of information are preserved. As a result, risks to information will be reduced. The General Systems Theory states that a system, within an environment, is made up of elements which are interdependent and contribute to the operation of the whole system [1 9]. This system has inputs which are processed into outputs. By applying the General Systems Theory to the proposed model, critical information infrastructure is the overall system and is made up of three elements (i.e. sub-systems) which contribute to the functioning of the overall system. These three sub-systems are: risk strategies, the CIA Triad and security controls. Each sub-system is further broken down into its elements. Thus, the General Systems Theory is hierarchical as it has different levels. The first sub-system, risk strategies, is made up of the defend strategy and mitigation strategy elements. Both of these strategies are needed to implement all three controls. The second sub-system is the CIA Triad and is made up of three elements: confidentiality, integrity and availability. The CIA Triad can only be made a 'whole' with all three elements. The third sub-system is security controls. This sub-system is made up of preventive, detective and corrective controls. If preventive, detective or corrective controls are missing, critical information infrastructure will be vulnerable to cyberattacks. For instance, if a cyberthreat bypasses preventive controls and detective controls are missing, it will not be detected. Thus, all three controls are needed to form a system of controls. Hence, if any elements of the three sub-systems are excluded, then the output (reduced risks to information) will not be achieved. exploit vulnerabilities in order to infiltrate/disrupt ... Critical Information Infrastructure r - - - - - - - - - - - - - implement- - - - - - - - - - - - - - - 1 I ,:. Risk Strategies Defend Strategy -en,ur.. Mitigation Strategy CIA Triad Confidentiality Integrity Availability Risks Information Stolen Information Modified/Corrupted Information Unavailable Security Controls Preventive Controls ....-ensure- Detective Controls Corrective Controls Figure 2. Model to Address Insecure Critical Information Infrastructure 978-1-908320-42/1/©2014 IEEE 28
World Congress on Internet Security (WorldCIS-2014) These three sub-systems (and their elements) are used as input, while the process consists of selecting a specific risk strategy to implement security controls. The proposed model is a differentiated model, which uses certain elements from the Common Criteria Model [7] and the CIA Triad Model [6]. These two models are both general models [20]. The original CIA Triad Model does not illustrate any elements that show how the confidentiality, integrity and availability of information are preserved. On the other hand, the proposed model illustrates how risk strategies and security controls can be used to ensure that the CIA principles are preserved. VI. CONCLUSION Although critical information infrastructure has allowed organisations to store and deliver information via the internet, vulnerabilities exist, which makes critical information infrastructure vulnerable to cyberattacks. Cyberthreats create these cyberattacks and are consequently able to steal and corrupt information or make it unavailable to authorized users, by denying access to information. Despite this, security controls are available to counter these cyberthreats. Before security controls are used, a risk strategy needs to be selected. Thus, the confidentiality, integrity and availability of information will be preserved and risks to information will be reduced. REFERENCES [1] Department of Homeland Security, "Blueprint for a Secure Cyber Future," 2011. http://www.dhs.gov/x1ibrary/assets/nppd/blueprint-for-a­ secure-cyber-future.pdf(Access Date: 12 September, 2014). [2] K. R. Choo, "The cyber threat landscape: Challenges and future research directions," Computers and Security, vol. 30, no. 1, pp. 719-731, Nov. 2011. [3] Kaspersky, "Kaspersky Security Bulletin 2013. Malware Evolution," 2013. https://kasperskycontenthub.comlreport/files/ksbI3_ENJite-l.pdf (Access Date: 18 September, 2014). [4] S. Jordan, "Defense in Depth: Employing a Layered Approach for Protecting Federal Government Information Systems," 2012. http://www.sans.org/reading-roomlwhitepapers/bestprac/defense-depth­ employing-Iayered-approach-protecting-federal-government­ information-system-34047(Access Date: 17 June, 2014). 978-1-908320-42/1/©2014 IEEE [5] M. E. Whitman and H. J. Mattord, Principles of Information Security, 4 ed. Boston: Course Technology Press, 2012. [6] International Organization for Standardization and the International Electrotechnical Commission, "ISOI1EC 27002: Information technology - Security techniques - Code of practice for information security management," 2005. [7] Common Criteria, "ISO/IEC 15408: Common Criteria for Information Technology Security Evaluation Part I: Introduction and general model," 2005. https://www.commoncriteriaportal.org/files/ccfiles/ccpartlv2.3.pdf (Access Date: 5 September, 2014). [8] J. Jang-Jaccard and S. Nepal, "A survey of emerging threats in cybersecurity," Journal of Computer and System Sciences, vol. 80, no. 5, pp. 973-993, Aug. 2014. [9] T. Peng, C. Leckie and K. Ramamohanarao, "Survey of network-based defense mechanisms countering the DoS and DDoS problems," ACM Computing Surveys (CSUR), vol. 39, no. I, pp. 1-42, 2007. [10] C. ColwiIJ, "Human factors in information security: The insider threat - Who can you trust these days," Information Security Technical Report, vol. 14, no. 4, pp. 186-196, Nov. 2009. [11] D. A. Richards, A. S. Oliphant and H. C. Le Grant, Global Technology Audit Guide (GTAG) I: Information Technology Risks and Controls, Altamonte Springs: The Institute oflnternal Auditors, 2005. [12] K. Won, 1. Ok-Ran, K. Chulyun, and S. Jungmin, "The dark side of the Internet: Attacks ,costs and responses," Information Systems, vol. 36, pp. 675-705, May. 2011. [13] G. Praprotnik, T. Ivanusa and 1. Podbregar, "eWar - Reality of Future Wars," in Proceedings of the 2013 IEEEIACM International Conference on Advances in Social Networks Analysis and Mining, New York: ACM, 2013, pp. 1068-1072. [14] A. Jenik, "Cyberwar in Estonia and the Middle East," Network Security, pp. 4-6, Apr. 2009. [15] S. Goel, "Cyberwarfare: connecting the dots in cyber intelligence," Communications of the ACM, vol. 54, no. 8, pp. 132-140, Aug. 2011. [16] c. Everett, "The lucrative world of cyber-espionage," Computer Fraud & Security, pp. 5-7, Jul. 2009. [17] R. C. Newman, "Cybercrime, identitiy theft, and fraud: practicing safe internet - network security threats and vulnerabilities," in Proceedings of the 3rd Annual Conference on Information Security Curriculum Development, New York: ACM, 2006, pp. 68-78. [18] S. Northcutt, "Security Controls," n.d. http://www.sans.edu/research/security-Iaboratory/articIe/security­ controls(Accessed: 26 June 2014). [19] Y. Lin, X. Duan, C. Zhao, and L. D. Xu, Systems Science: Methodological Approaches. Boca Raton: CRC Press, 2012. [20] M. S. Olivier, Information Technology Research: A practical guide for Computer Science and Informatics, 3 ed., Pretoria: Van Schaik Publishers, 2009. 29 View publication stats View publication stats

More Related Content

PPT
Security policy
Dhani Ahmad
 
PPT
Security and personnel
Dhani Ahmad
 
PDF
Five principles for improving your cyber security
WGroup
 
PPT
Risk management i
Dhani Ahmad
 
PPT
Risk management ii
Dhani Ahmad
 
PPT
Network security policies
Usman Mukhtar
 
PPT
Privacy & security in heath care it
Dhani Ahmad
 
PPTX
Information Security Blueprint
Zefren Edior
 
Security policy
Dhani Ahmad
 
Security and personnel
Dhani Ahmad
 
Five principles for improving your cyber security
WGroup
 
Risk management i
Dhani Ahmad
 
Risk management ii
Dhani Ahmad
 
Network security policies
Usman Mukhtar
 
Privacy & security in heath care it
Dhani Ahmad
 
Information Security Blueprint
Zefren Edior
 

What's hot (20)

PPTX
It security controls, plans, and procedures
CAS
 
PPTX
Security management concepts and principles
Divya Tiwari
 
PPT
Chapter 5
sivadnolram
 
PDF
Secure Engineering Practices for Java
Tim Ellison
 
PDF
Nist.sp.800 37r2
newbie2019
 
ODT
Ch.5 rq (1)
anthnydvs
 
PPT
Lesson 1- Information Policy
MLG College of Learning, Inc
 
PDF
Assessing Risk: Developing a Client/Server Security Architecture,
MITDaveMillaar
 
PPT
develop security policy
Info-Tech Research Group
 
PPTX
SIEM in NIST Cyber Security Framework
Bernie Leung, P.E., CISSP
 
PPT
Computer Security Policy D
guest34b014
 
DOC
Computer Security Policy
everestsky66
 
PDF
Chapter 12 iso 27001 awareness
newbie2019
 
PDF
Chapter 10 security standart
newbie2019
 
PPT
Start With A Great Information Security Plan!
Tammy Clark
 
PPTX
Importance Of A Security Policy
charlesgarrett
 
PPT
Lesson 1 - Introduction
MLG College of Learning, Inc
 
PDF
2019 SANS Holiday Hack Challenge Deliverable
Curtis Brazzell
 
PPT
Information Assurance And Security - Chapter 1 - Lesson 4
MLG College of Learning, Inc
 
PDF
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
Tripwire
 
It security controls, plans, and procedures
CAS
 
Security management concepts and principles
Divya Tiwari
 
Chapter 5
sivadnolram
 
Secure Engineering Practices for Java
Tim Ellison
 
Nist.sp.800 37r2
newbie2019
 
Ch.5 rq (1)
anthnydvs
 
Lesson 1- Information Policy
MLG College of Learning, Inc
 
Assessing Risk: Developing a Client/Server Security Architecture,
MITDaveMillaar
 
develop security policy
Info-Tech Research Group
 
SIEM in NIST Cyber Security Framework
Bernie Leung, P.E., CISSP
 
Computer Security Policy D
guest34b014
 
Computer Security Policy
everestsky66
 
Chapter 12 iso 27001 awareness
newbie2019
 
Chapter 10 security standart
newbie2019
 
Start With A Great Information Security Plan!
Tammy Clark
 
Importance Of A Security Policy
charlesgarrett
 
Lesson 1 - Introduction
MLG College of Learning, Inc
 
2019 SANS Holiday Hack Challenge Deliverable
Curtis Brazzell
 
Information Assurance And Security - Chapter 1 - Lesson 4
MLG College of Learning, Inc
 
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
Tripwire
 
Ad

Similar to ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf (20)

PPTX
Protection of critical information infrastructure
Neha Agarwal
 
PDF
C018131821
IOSR Journals
 
PDF
The Biggest Cyber and Physical Security Threats to Critical Infrastructure FM...
Fas (Feisal) Mosleh
 
PDF
IRJET- Cybersecurity: The Agenda for the Decade
IRJET Journal
 
PPT
PBL PROJECT - B2- (54,56,50,40) (2) (1).ppt
Itzsonya
 
PPT
Cybersecurity R&D briefing
Naba Barkakati
 
PDF
American Bar Association guidelines on Cyber Security standards
David Sweigert
 
PPTX
Cloud Security.pptx
Binod Rimal
 
PDF
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
itnewsafrica
 
PPTX
Meeting04_Threats_to_Critical_Infrastructure.pptx
othmanomar13
 
PPTX
Module 1Introduction to cyber security.pptx
Skippedltd
 
PPTX
Cyber-Security-Unit-1.pptx
TikdiPatel
 
PDF
Cyber security: challenges for society- literature review
IOSR Journals
 
PPTX
CYBERSECURITY.pptx
ItzRoswell1
 
PDF
A Comprehensive Review of Cyber Security, Threats and Cyber Attacks
IRJET Journal
 
PPT
InfoSecConcepts.ppt
MobileAntitheft
 
PPTX
Infrastructure security
Adhar kashyap
 
PDF
cyber security guidelines.pdf
VarinSingh1
 
KEY
Mis
misecho
 
KEY
Chapter 10, part 1
misecho
 
Protection of critical information infrastructure
Neha Agarwal
 
C018131821
IOSR Journals
 
The Biggest Cyber and Physical Security Threats to Critical Infrastructure FM...
Fas (Feisal) Mosleh
 
IRJET- Cybersecurity: The Agenda for the Decade
IRJET Journal
 
PBL PROJECT - B2- (54,56,50,40) (2) (1).ppt
Itzsonya
 
Cybersecurity R&D briefing
Naba Barkakati
 
American Bar Association guidelines on Cyber Security standards
David Sweigert
 
Cloud Security.pptx
Binod Rimal
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
itnewsafrica
 
Meeting04_Threats_to_Critical_Infrastructure.pptx
othmanomar13
 
Module 1Introduction to cyber security.pptx
Skippedltd
 
Cyber-Security-Unit-1.pptx
TikdiPatel
 
Cyber security: challenges for society- literature review
IOSR Journals
 
CYBERSECURITY.pptx
ItzRoswell1
 
A Comprehensive Review of Cyber Security, Threats and Cyber Attacks
IRJET Journal
 
InfoSecConcepts.ppt
MobileAntitheft
 
Infrastructure security
Adhar kashyap
 
cyber security guidelines.pdf
VarinSingh1
 
Mis
misecho
 
Chapter 10, part 1
misecho
 
Ad

Recently uploaded (20)

PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Cloud computing and distributed systems.
kkkkkhan
 
Encapsulation theory and applications.pdf
gurumoop
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 

ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf

  • 1. See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/281907475 Controls for protecting critical information infrastructure from cyberattacks Conference Paper · December 2014 DOI: 10.1109/WorldCIS.2014.7028160 CITATIONS 9 READS 4,142 2 authors: Some of the authors of this publication are also working on these related projects: A User Personality Model: Susceptibility to Phishing on Social Networking Sites View project Sustainability of using technology View project Tamir Tsegaye Rhodes University 5 PUBLICATIONS   11 CITATIONS    SEE PROFILE Stephen Flowerday Rhodes University 118 PUBLICATIONS   907 CITATIONS    SEE PROFILE All content following this page was uploaded by Tamir Tsegaye on 19 October 2019. The user has requested enhancement of the downloaded file.
  • 2. World Congress on Internet Security (WorldCIS-2014) Controls for Protecting Critical Information Infrastructure from Cyberattacks Tamir Tsegaye Department of Information Systems University of Fort Hare East London, South Africa tamir.tsegaye@gmail.com Abstract - Critical information infrastructure has enabled organisations to store large amounts of information on their systems and deliver it via networks such as the internet. Users who are connected to the internet are able to access various internet services provided by critical information infrastructure. However, some organisations have not effectively secured their critical information infrastructure and hackers, disgruntled employees and other entities have taken advantage of this by launching cyberattacks on their critical information infrastructure. They do this by using cyberthreats to exploit vulnerabilities in critical information infrastructure which organisations fail to secure. As a result, cyberthreats are able to steal or damage confidential information stored on systems or take down websites, preventing access to information. Despite this, risk strategies can be used to implement a number of security controls: preventive, detective and corrective controls, which together form a system of controls. This will ensure that the confidentiality, integrity and availability of information is preserved, thus reducing risks to information. This system of controls is based on the General Systems Theory, which states that the elements of a system are interdependent and contribute to the operation of the whole system. Finally, a model is proposed to address insecure critical information infrastructure. Keywords: Cyberattacks, Critical Information Infrastructure, Vulnerabilities, Cyberthreats, Security Controls I. INTRODUCTION Cyberattacks have been targeting critical information infrastructure, which is the information systems that store, process and deliver information [1]. These cyberattacks have escalated lately, increasing in variety and volume [2]. Hackers, disgruntled employees and other entities are capable of launching cyberattacks. It is important that emphasis is placed on cyberattacks, as anyone possessing a virus infected computer and an internet connection can launch a cyberattack. Many organisations have been hit by cyberattacks, as a result of not securing their systems and networks. A survey was conducted by Kaspersky Lab and B 2B International in 2013 . It indicated that 91% of organisations who took part in the survey had been hit by a cyberattack at least once in a12 - month period, while 9% became victims of cyberattacks [3]. In addition, in 2013 Spamhaus was attacked by one of the biggest Distributed Denial of Service (DDoS) attacks to date, with the attack reaching a throughput of300 gbps [3]. 978-1-908320-42/1/©2014 IEEE Stephen Flowerday Department of Information Systems University of Fort Hare East London, South Africa sflowerday@uth.ac.za The internet was originally invented for the purpose of conducting research between academic institutions, as well as the US Department of Defence (DOD) [4]. Thus, it was not designed for security as its purpose back then was to exchange information between small networks. Due to the emergence of various cyberthreats, security is now essential as information online needs to be protected. Hence, Information Security has been added, which aims to protect the confidentiality, integrity and availability of information stored on systems [5]. Confidentiality, integrity and availability are the three principles of information and form the CIA Triad [6]. Confidential information must be protected from being exposed to unauthorized individuals. The integrity of information indicates that information must be complete and not corrupted. Finally, information must be available to authorized individuals without any interference. These three principles of information must be preserved in order to effectively secure critical information infrastructure. The impact that cyberthreats have on the CIA principles will be referred to throughout this paper. In this paper, cyberattacks launched on organisations' vulnerable critical information infrastructure will be examined. Focus will be placed only on the information side of critical infrastructure, thus excluding critical infrastructure such as power stations and water supply systems. Section II will discuss a number of vulnerabilities possessed by critical information infrastructure. Next, section III will examine various cyberthreats which create cyberattacks, which target critical information infrastructure. This will be followed by section IV which will discuss security controls that are needed to protect critical information infrastructure. Finally, in section V a proposed model will be examined in order to address insecure critical information infrastructure. II. VULNERABILITIES IN CRlTICAL INFORMATION INFRASTRUCTURE A vulnerability is a flaw in a system or protection mechanism that exposes a system to cyberattacks [5]. Attackers can use cyberthreats to exploit vulnerabilities in order to steal confidential information, damage information or take down websites, thus making information unavailable to authorized users. Fig. 1 shows the Common Criteria Model [7] which depicts security concepts and relationships. These security 24
  • 3. World Congress on Internet Security (WorldCIS-2014) concepts and relationships will be examined before discussing the various types of vulnerabilities which are possessed by critical information infrastructure. By applying this model to this paper, owners refer to organisations who value their assets. These assets represent information which is stored on systems and delivered via networks such as the internet. to reduce Figure 1. Common Criteria Model [7] On the other hand, threat agents may wish to abuse or damage these assets by stealing confidential information, sabotaging or modifYing information and preventing access to information. Thus, the CIA principles will not be preserved. Examples of threat agents include hackers, disgruntled employees and other entities. These threat agents give rise to threats which target assets. Examples of threats include malware, cybersabotage and Distributed Denial of Service attacks (discussed in section III). Threat agents are often successful in damaging or abusing assets as they exploit vulnerabilities which are present in critical information infrastructure. However, owners may be aware of vulnerabilities in critical information infrastructure and thus lTIlpose countermeasures (i.e. security controls: discussed in section IV) to reduce them. As a result, risks to assets will be reduced. In contrast, countermeasures such as antivirus software may possess vulnerabilities, which will prevent them from identifYing and rectifYing the latest software vulnerabilities. Software vulnerabilities, including unpatched systems, will be discussed next. A. Software Vulnerabilities A software vulnerability is a flaw in the design of a computer program [8]. It is these flaws which malware exploits in order to gain lTIlauthorized access to a system. Once access has been gained, the system is at the disposal of the attacker who lalTIlches the cyberattack. Although computer programs such as database software can be beneficial for organisations working with large amounts of information, a vulnerability in this software can potentially cause the information stored in the database to be accessible to the attacker. Unpatched systems create an opportunity for malware to exploit, which leaves a system open to attack [ 9]. Despite this, 978-1-908320-42/1/©2014 IEEE many software programs notifY users when new patches are available, which can be installed automatically and secure any vulnerabilities. Personnel vulnerabilities consisting of disgruntled and naive employees will be discussed next. B. Personnel Vulnerabilities Personnel vulnerabilities comprise of employees who have the potential to damage their organisation's information [10]. Disgruntled employees have an advantage over external attackers, as most employees have access to confidential information and know where critical systems are located in their organisation. In contrast, external attackers would need to probe a system and look for vulnerabilities to exploit before they can infiltrate a system. However, personnel vulnerabilities do not only include disgruntled employees. External attackers are able to take advantage of naive employees in order to steal their confidential information [2]. For example, an attacker could send an email to an employee requesting their password in order to keep their email account active. As a result, employees may carelessly give away their passwords. These methods are used in social engineering which is discussed in section III. Disaster recovery planning vulnerabilities which involves personnel will be examined next. C. Disaster Recovery Planning Vulnerabilities A disaster recovery plan is a document which specifies the activities that need to be followed to recover from a disaster [5]. However, this plan may contain several vulnerabilities. Due to these vulnerabilities, an organisation may not be able to recover information which has been lost due to a cyberattack. A disaster recovery plan which is not tested regularly in a specific scenario will not be reliable in the event of a disaster [11]. An example of a scenario could include a DDoS attack which has taken down a website. The disaster recovery plan is an important security control and will be discussed in section IV. Next, vulnerabilities in network protocols will be discussed. D. Network Protocol Vulnerabilities Some network protocols are vulnerable to cyberattacks and are exploited in order to disrupt or compromise websites [ 9]. One vulnerable protocol is Hypertext Transfer Protocol (HTTP). HTTP is exploited by DDoS attacks in order to take down websites, thus preventing access to information. Domain Name System (DNS) is another vulnerable protocol [8]. Attackers exploit this protocol, which allows them to create malicious websites used to steal confidential information from victims. Thus, it is important that organisations take measures to prevent these protocols from being exploited. It is evident that a number of vulnerabilities in critical information infrastructure are creating an opportunity for attackers to exploit. As a result, critical information infrastructure will remain insecure. In section IV, security controls will be used to address the vulnerabilities which were discussed in this section. Cyberattacks created by cyberthreats are covered in the next section. 25
  • 4. World Congress on Internet Security (WorldCIS-2014) III. CYBERATTACKS CREATED BY CYBERTHREATS Many organisations have suffered from cyberattacks that have been created by a variety of cyberthreats. These cyberthreats use the internet as a mediwn to create cyberattacks. They exploit a large nwnber of vulnerabilities in order to infiltrate or take down systems and networks. A nwnber of vulnerabilities which cyberthreats exploit were discussed in the previous section. A common cyberthreat known as malware will be examined next. A. Malware Malware is software which is used to compromise a system [12]. It includes three categories: viruses, worms and Trojan horses. Malware can be disguised as legitimate software, which organisations may install erroneously, infecting their systems in the process. This could happen due to the use of ineffective security controls which leave a system open to attack. Due to the increase in internet speeds and its affordability, more and more users are connecting to it, causing the threat of malware to increase with it [8]. It is evident that there is a trade-off between the number of internet users and malware. Malware would be stopped if the internet was shutdown, but that is impossible as the internet has been providing beneficial internet services to users. The threat of malware has also been on the increase due to an increase in easy-to-use malware toolkits which are available to anyone for a certain price. For example, the Zeus bot malware creator kit was sold to novice users with detailed instructions on how to use it [2]. Thus, this has created opportunities for amateur hackers to steal confidential information such as credit card information and passwords. Malware is also used to infect computers which take part in DDoS attacks [13]. B. Distributed Denial of Service Distributed Denial of Service is an attack which uses a group of infected computers to take down a website, by flooding it with unnecessary traffic [13]. Many countries have been hit by DDoS attacks, which have negatively affected their economy. For example, in 2007 Estonia's government and ecommerce websites were brought down by DDoS attacks [14]. As a result, users were not able to access their online banking accounts and thus could not make any transactions. DDoS attacks are used extensively in cyberwarfare which will be discussed next. C. Cyberwarfare Cyberwarfare comprises of several other cyberthreats such as DDoS, cyberespionage and cybersabotage. It includes hackers and governments who attack systems or networks belonging to other governments [15]. Anyone with a computer and an internet connection can take part in cyberwarfare intentionally or unintentionally (if their computer is turned into a zombie). One area of cyberwarfare is cyberespionage, which is the use of computers to steal confidential information from systems [13]. For instance, hackers may be employed by their government to steal classified information from other governments. In addition, a developing nation may use cyberespionage in order to catch up with first world nations [16]. Alternatively, an organisation may plan to steal trade secrets from another organisation and use it to improve their competitive advantage in their industry. Cybersabotage, which is another area of cyberwarfare, includes damaging information and defacing or taking down websites [15]. Hacktivists may protest against the government by using DDoS attacks to take down or deface their websites. For instance, during the Russia-Georgia war in2008 , Russian hacktivists disabled and defaced Georgian government web sites using cyberattacks [15]. In contrast, disgruntled employees can sabotage information by installing malware on their organisation's systems [17]. However, an employee may unintentionally create an opportunity for their organisation to be attacked. This will be discussed next under social engineering. D. Social Engineering Social engineering is a method used by attackers to deceive employees into giving them their confidential information [17]. Even if an organisation secures its systems effectively, employees who are easily tricked may unknowingly let malware enter these systems. For instance, in 2010 cybercriminals sent phishing emails (with the Zeus malware attached to it) that targeted employees who were in charge of IT operations in the USA [2]. Once the phishing email was opened, the Zeus malware was installed on the victim's system and consequently stole their confidential information [2]. Thus, it is important that employees are able to differentiate between an authentic website and a phishing website. Based on section III, cyberthreats exploit vulnerabilities in critical information infrastructure in order to steal, corrupt or make information unavailable. Hence, the three CIA principles will not be preserved. Table I shows the vulnerabilities exploited by cyberthreats which were covered earlier on. In the next section security controls will be identified in order to preserve the CIA principles. TABLE I. VULNERABILITIES EXPLOITED BY CYBERTHREATS CYBERTHREAT VULNERABILITIES A Malware • Software vulnerabilities: exploit unpatched systems in order to infiltrate a system [9]. • Personnel vulnerabilities: naive users may be tempted to download legitimate software disguised as a Trojan horse, which consequently infect their system rI01- B Distributed Denial of • Network protocol vulnerabilities: HTTP protocol exploited in order to take down websites [9]. Service (DDoS) C Cyberwarfare • Software vulnerabilities: malware used to steal and damage information [12]. • Personnel vulnerabilities: disgruntled employees may sabotage their organisation's systems [17]. • Network protocol vulnerabilities: DDoS attacks take down websites by exploiting HTTP protocol [9]. 0 Social Engineering • Personnel vulnerabilities: users tricked into giving their personal information [17]. 978-1-908320-42/1/©2014 IEEE 26
  • 5. World Congress on Internet Security (WorldCIS-2014) IV. SECURITY CONTROLS USED TO PROTECT CRITICAL INFORMATION INFRASTRUCTURE Security controls comprise of three categories: preventive, detective and corrective controls [11]. Preventive controls prevent security incidents from happening, while detective controls detect any security incidents that have avoided preventive controls. Corrective controls correct incidents which have been detected. Both technical and non-technical controls will be discussed in this section. An organisation should have more preventive controls compared to detective and corrective controls, as preventing a cyberthreat from attacking a system or network is the best defence. Preventive controls, which are the first line of defence, will be discussed next. A. Preventive Controls Before preventive controls are implemented, a risk strategy such as the defend strategy needs to be selected. The defend strategy attempts to prevent the exploitation of vulnerabilities [5]. This is achieved by implementing preventive controls such as policies. 1) Policies Policies are rules which are set by the board of directors and executive management of an organisation [11]. Policies are implemented to help increase the level of security in an organisation. Some policies which could be implemented include allowing people to only access specific information based on their role. In addition, security education, training and awareness programs should be included to ensure that employees do not fall for phishing scams [18]. All security controls should comply with policies such as firewalls [II]. 2) Firewalls A firewall is a security control which is used to manage incoming and outgoing network traffic and determines if traffic should be allowed through based on certain rules [8]. For example, traffic coming from outside an organisation's network is analysed by the firewall to check if it meets certain rules specified by the firewall. If it does not meet any of these rules, the firewall will prevent the traffic from entering the network. A firewall is useful as it allows organisations to define their own firewall rules which should comply with policies. Antivirus software is another preventive control which is examined next. 3) Antivirus Software Antivirus software is not only a preventive control but also a detective and corrective control [18]. It acts as a preventive control by preventing malware from attacking a system, which may steal confidential information or corrupt it. It is important that antivirus software is updated regularly to protect systems from the latest malware. Next, penetration testing which acts as a preventive control is discussed. 4) Penetration Testing Penetration testing is a set of security tests that simulate attacks made by an external attacker [5]. These security tests are done in order to identify vulnerabilities in networks and systems. These vulnerabilities can then be secured once they are found. Hence, penetration testing is a preventive control as 978-1-908320-42/1/©2014 IEEE once vulnerabilities have been identified and secured, cyberthreats will be prevented from entering systems or networks. Detective controls, which are the second layer of security, will be examined next. B. Detective Controls In the event that a cyberthreat has been able to bypass preventive controls, detective controls would ensure that the cyberthreat is identified. A mitigation strategy, which is another type of risk strategy, would need to be selected before implementing detective controls [5]. This strategy aims to reduce the impact caused by the exploitation of a vulnerability, which has allowed a cyberthreat to infiltrate a network or system. A mitigation strategy is important as it ensures that attacks are detected early. A number of detective controls will be examined below. 1) Antivirus Software Antivirus software functions as a detective control by alerting a user when malware has been found on a system [12]. An example of this would be a message which appears, warning a user that malware has been detected e.g. after a flash drive has been plugged into a system. Intrusion detection systems are discussed next. 2) Intrusion Detection Systems An intrusion detection system is used to detect suspicious activity which has been found on a system or network. If any suspicious activity has been found, an administrator will be alerted by the intrusion detection system [12]. As a result, action can be taken before a cyberthreat attacks a system or network. Honeypots, which are also able to detect suspicious activity, will be examined next. 3) Honeypots A honeypot is a decoy system which is used to gather information, by recording the activities performed by the attacker who infiltrated the honeypot [8]. This information can be used to learn about an attacker's motives, including the methods of attack used by the attacker. Thus, organisations will be able to protect themselves from future attacks. Corrective controls which are the third and final layer of security will be discussed next. C. Corrective Controls Corrective controls are used once a cyberthreat has managed to bypass preventative controls and evade detective controls. A mitigation strategy would need to be used to implement corrective controls, which will respond to an attack as quickly as possible [5]. A number of corrective controls will be discussed below. 1) Antivirus Software Antivirus acts as a corrective control by removing any malware which has been found on a system [12]. This malware could have damaged or stolen confidential information from a system. Although antivirus software can remove malware which has infected a system, it is not able to recover information which may have been corrupted or destroyed. A disaster recovery plan can address this issue and is discussed next. 27
  • 6. World Congress on Internet Security (WorldCIS-2014) 2) Disaster Recovery Plan A disaster recovery plan is a document which specifies the activities which are followed, in order to recover from a disaster [5]. Backing up information is an important part of this plan and should be done on a regular basis, as organisations store large amounts of information on their systems. Thus, a disaster recovery plan acts as a corrective control since information which has been corrupted by malware can be recovered from backups. The final corrective control which will be discussed next is Zombie Zapper. 3) Zombie Zapper Zombie Zapper is a free tool which is used to command a zombie to stop flooding a network with traffic [14]. This tool will help organisations save money instead of looking for some other commercial tool to help counter zombies. Hence, various security controls are available to counteract cyberthreats in the form of preventive, detective and corrective controls, which are depicted in Table II. It is important that organisations do not only use one of these controls as the only layer of security, but should use other controls as well. In the next section a model is proposed to address insecure critical information infrastructure. TABLE II. CATEGORIES OF SECURITY CONTROLS PREVENTIVE DETECTIVE Policies [11], [18] Antivirus Software [12] Firewalls [8] Intrusion Detection Systems [12] Antivirus Software [18] Honeypots [8] Penetration Testing [5] V. PROPOSED MODEL CORRECTIVE Antivirus Software [12] Disaster Recovery Plan [5] ZombieZapper [14] The proposed model depicted in Fig. 2 aims to address insecure critical information infrastructure. Cyberthreats exploit vulnerabilities in critical information infrastructure, in order to infiltrate or disrupt it. Cyberthreats do this with the aim of stealing, corrupting or making information unavailable to users. To counter these cyberthreats, risk strategies are needed to implement specific security controls. The risk strategies depicted in this model are the defend strategy and mitigation strategy. The defend strategy is used to prevent the exploitation of vulnerabilities in critical information infrastructure, while the mitigation strategy is used to reduce the impact caused by the exploitation of vulnerabilities. Once risk strategies have been selected and security controls have been implemented, they will ensure that the confidentiality, integrity and availability of information are preserved. As a result, risks to information will be reduced. The General Systems Theory states that a system, within an environment, is made up of elements which are interdependent and contribute to the operation of the whole system [1 9]. This system has inputs which are processed into outputs. By applying the General Systems Theory to the proposed model, critical information infrastructure is the overall system and is made up of three elements (i.e. sub-systems) which contribute to the functioning of the overall system. These three sub-systems are: risk strategies, the CIA Triad and security controls. Each sub-system is further broken down into its elements. Thus, the General Systems Theory is hierarchical as it has different levels. The first sub-system, risk strategies, is made up of the defend strategy and mitigation strategy elements. Both of these strategies are needed to implement all three controls. The second sub-system is the CIA Triad and is made up of three elements: confidentiality, integrity and availability. The CIA Triad can only be made a 'whole' with all three elements. The third sub-system is security controls. This sub-system is made up of preventive, detective and corrective controls. If preventive, detective or corrective controls are missing, critical information infrastructure will be vulnerable to cyberattacks. For instance, if a cyberthreat bypasses preventive controls and detective controls are missing, it will not be detected. Thus, all three controls are needed to form a system of controls. Hence, if any elements of the three sub-systems are excluded, then the output (reduced risks to information) will not be achieved. exploit vulnerabilities in order to infiltrate/disrupt ... Critical Information Infrastructure r - - - - - - - - - - - - - implement- - - - - - - - - - - - - - - 1 I ,:. Risk Strategies Defend Strategy -en,ur.. Mitigation Strategy CIA Triad Confidentiality Integrity Availability Risks Information Stolen Information Modified/Corrupted Information Unavailable Security Controls Preventive Controls ....-ensure- Detective Controls Corrective Controls Figure 2. Model to Address Insecure Critical Information Infrastructure 978-1-908320-42/1/©2014 IEEE 28
  • 7. World Congress on Internet Security (WorldCIS-2014) These three sub-systems (and their elements) are used as input, while the process consists of selecting a specific risk strategy to implement security controls. The proposed model is a differentiated model, which uses certain elements from the Common Criteria Model [7] and the CIA Triad Model [6]. These two models are both general models [20]. The original CIA Triad Model does not illustrate any elements that show how the confidentiality, integrity and availability of information are preserved. On the other hand, the proposed model illustrates how risk strategies and security controls can be used to ensure that the CIA principles are preserved. VI. CONCLUSION Although critical information infrastructure has allowed organisations to store and deliver information via the internet, vulnerabilities exist, which makes critical information infrastructure vulnerable to cyberattacks. Cyberthreats create these cyberattacks and are consequently able to steal and corrupt information or make it unavailable to authorized users, by denying access to information. Despite this, security controls are available to counter these cyberthreats. Before security controls are used, a risk strategy needs to be selected. Thus, the confidentiality, integrity and availability of information will be preserved and risks to information will be reduced. REFERENCES [1] Department of Homeland Security, "Blueprint for a Secure Cyber Future," 2011. http://www.dhs.gov/x1ibrary/assets/nppd/blueprint-for-a­ secure-cyber-future.pdf(Access Date: 12 September, 2014). [2] K. R. Choo, "The cyber threat landscape: Challenges and future research directions," Computers and Security, vol. 30, no. 1, pp. 719-731, Nov. 2011. [3] Kaspersky, "Kaspersky Security Bulletin 2013. Malware Evolution," 2013. https://kasperskycontenthub.comlreport/files/ksbI3_ENJite-l.pdf (Access Date: 18 September, 2014). [4] S. Jordan, "Defense in Depth: Employing a Layered Approach for Protecting Federal Government Information Systems," 2012. http://www.sans.org/reading-roomlwhitepapers/bestprac/defense-depth­ employing-Iayered-approach-protecting-federal-government­ information-system-34047(Access Date: 17 June, 2014). 978-1-908320-42/1/©2014 IEEE [5] M. E. Whitman and H. J. Mattord, Principles of Information Security, 4 ed. Boston: Course Technology Press, 2012. [6] International Organization for Standardization and the International Electrotechnical Commission, "ISOI1EC 27002: Information technology - Security techniques - Code of practice for information security management," 2005. [7] Common Criteria, "ISO/IEC 15408: Common Criteria for Information Technology Security Evaluation Part I: Introduction and general model," 2005. https://www.commoncriteriaportal.org/files/ccfiles/ccpartlv2.3.pdf (Access Date: 5 September, 2014). [8] J. Jang-Jaccard and S. Nepal, "A survey of emerging threats in cybersecurity," Journal of Computer and System Sciences, vol. 80, no. 5, pp. 973-993, Aug. 2014. [9] T. Peng, C. Leckie and K. Ramamohanarao, "Survey of network-based defense mechanisms countering the DoS and DDoS problems," ACM Computing Surveys (CSUR), vol. 39, no. I, pp. 1-42, 2007. [10] C. ColwiIJ, "Human factors in information security: The insider threat - Who can you trust these days," Information Security Technical Report, vol. 14, no. 4, pp. 186-196, Nov. 2009. [11] D. A. Richards, A. S. Oliphant and H. C. Le Grant, Global Technology Audit Guide (GTAG) I: Information Technology Risks and Controls, Altamonte Springs: The Institute oflnternal Auditors, 2005. [12] K. Won, 1. Ok-Ran, K. Chulyun, and S. Jungmin, "The dark side of the Internet: Attacks ,costs and responses," Information Systems, vol. 36, pp. 675-705, May. 2011. [13] G. Praprotnik, T. Ivanusa and 1. Podbregar, "eWar - Reality of Future Wars," in Proceedings of the 2013 IEEEIACM International Conference on Advances in Social Networks Analysis and Mining, New York: ACM, 2013, pp. 1068-1072. [14] A. Jenik, "Cyberwar in Estonia and the Middle East," Network Security, pp. 4-6, Apr. 2009. [15] S. Goel, "Cyberwarfare: connecting the dots in cyber intelligence," Communications of the ACM, vol. 54, no. 8, pp. 132-140, Aug. 2011. [16] c. Everett, "The lucrative world of cyber-espionage," Computer Fraud & Security, pp. 5-7, Jul. 2009. [17] R. C. Newman, "Cybercrime, identitiy theft, and fraud: practicing safe internet - network security threats and vulnerabilities," in Proceedings of the 3rd Annual Conference on Information Security Curriculum Development, New York: ACM, 2006, pp. 68-78. [18] S. Northcutt, "Security Controls," n.d. http://www.sans.edu/research/security-Iaboratory/articIe/security­ controls(Accessed: 26 June 2014). [19] Y. Lin, X. Duan, C. Zhao, and L. D. Xu, Systems Science: Methodological Approaches. Boca Raton: CRC Press, 2012. [20] M. S. Olivier, Information Technology Research: A practical guide for Computer Science and Informatics, 3 ed., Pretoria: Van Schaik Publishers, 2009. 29 View publication stats View publication stats