2. Today – Cyber-warfare
• Discuss “How to Sell Information Security” article
• Introduction to Cyberwar
• Discuss technical vs. administrative controls
• Watch Frontline video
• Discuss written assignment #1
3. Prospect Theory
• People react differently to risk and guaranteed outcomes based on whether those outcomes are positive or negative. This is known as the Prospect Theory S-Curve.
4. Prospect Theory
• If someone offers you a guaranteed $500 or a 50% chance at winning $1000, studies show that people tend to pick the guaranteed $500.
5. Prospect Theory
• If someone told you that you had to surrender $500 or take a 50% chance of surrendering $1000, most people would tend to take the risk of losing $1000 rather than the fixed $500 loss.
6. Prospect Theory
• When it comes to gain, people are risk averse
• When it comes to loss, people embrace risk
• What does this mean for IT security, which is almost always sold based on potential to avoid loss?
7. How to Sell Information Security
• Prospect Theory in relation to information systems security: the battle of cost, risk and features.
• The constant battle of proving ROI.
• The challenges of layering security on after the sale: cost, complexity of administration and true usefulness.
8. How to Sell Information Security (DISCUSSION)
• What has your personal experience been with security add-on products?
• How do you feel about paying for virus scanning when you already paid for the operating system?
• If you were selling a system which required a security add-on component, what approach would you take?
• As an IS security decision maker, what approach would you take with your vendors?
9. Security Technologies are Exciting, But…
In this class you will get hands-on experience with powerful military-grade encryption technology, you will use automated Rainbow Tables to crack top-level Administrator passwords, and you will learn how to sniff network traffic!
But we have to start at the beginning, by gaining an understanding of the threats.
10. Cyberwar
• Cyber-warfare (also known as cybernetic war, or cyberwar) is the use of computers and the Internet in conducting warfare in cyberspace.
11. Types of Attacks
Cyber Espionage
The act or practice of obtaining secrets (sensitive, proprietary or classified information) from individuals, competitors, rivals, groups, governments and enemies for military, political, or economic advantage using illegal exploitation methods via the internet, networks, software and/or computers.
12. Web Vandalism – The Weapon of Mass Irritation
• Attacks that deface web pages, or denial-of-service attacks. This is normally swiftly contained and of little harm.
• Distributed Denial-of-Service Attacks: Large numbers of computers in one country launch a DoS attack against systems in another country.
13. Gathering Sensitive or Proprietary Information
• Classified information that is not handled securely can be intercepted and even modified, making espionage possible from the other side of the world. See Titan Rain and Moonlight Maze.
• Encryption!
14. Equipment Disruption
• Military and commercial activities that use computers and satellites for co-ordination are at risk from this type of attack. Orders and communications can be intercepted or replaced, putting soldiers at risk.
16. Information Security Controls
• Two types of controls in all information systems
• Technical controls
• Administrative controls
• Most good systems contain a combination of both types of controls
17. Technical Controls
• A direct, continuous and unavoidable control on the use and distribution of data which allows, also for the purposes of possible audits, the following:
• The direct identification of each user in auditable form
• Keeping track, with auditable evidence, of the accesses which have occurred in the relevant period
• The prevention and exclusion of any utilization of data and systems by subjects who are not authorized
18. Technical Controls - Examples
• Can you think of any technical controls?
• Username/Password
• Building access card
• ATM card, with PIN (dual factor)
19. Benefits of Technical Controls
• Strong and consistent, treat everyone equally
• Can be audited with real assurance of the truthfulness of the data
20. Drawbacks of Technical Controls
• Costly
• Complex and time-consuming
• When they break, they either fail open or fail closed, neither of which may be desirable
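As an added illustration (not part of the original slides), the sketch below implements the three properties from the Technical Controls slide (identification of each user, an auditable record of accesses, exclusion of unauthorized subjects) together with the fail-open or fail-closed choice from the drawbacks slide. `AccessGate`, `kdf`, `verify_log`, `make_gate` and the sample user and resources are hypothetical names and constructed data.

```python
import hashlib
import hmac
import json

def kdf(password, salt):
    # Slow salted hash so stored credentials are not plain passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AccessGate:
    """Hypothetical gate: identify, authorize and record every request."""

    def __init__(self, credentials, acl, fail_open=False):
        self.credentials = credentials  # user -> (salt, derived key)
        self.acl = acl                  # user -> set of resources; None simulates an outage
        self.fail_open = fail_open      # decision to return when the ACL cannot be read
        self.log, self._prev = [], "0" * 64

    def _audit(self, user, resource, allowed, reason):
        # Each entry commits to the previous one, so edits and deletions are detectable.
        entry = {"user": user, "resource": resource, "allowed": allowed,
                 "reason": reason, "prev": self._prev}
        self._prev = entry_hash(entry)
        self.log.append({**entry, "hash": self._prev})
        return allowed

    def request(self, user, password, resource):
        salt, stored = self.credentials.get(user, (b"no-such-user", b""))
        if not hmac.compare_digest(stored, kdf(password, salt)):
            return self._audit(user, resource, False, "identification failed")
        if self.acl is None:  # the control itself is broken: the fail mode decides
            return self._audit(user, resource, self.fail_open, "acl unavailable")
        allowed = resource in self.acl.get(user, set())
        return self._audit(user, resource, allowed, "acl decision")

def verify_log(log):
    # Recompute the chain; any altered, removed or reordered entry breaks it.
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or entry_hash(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def make_gate(fail_open=False):
    # Constructed sample data, not from the slides.
    salt = b"constructed-salt"
    creds = {"alice": (salt, kdf("correct horse", salt))}
    return AccessGate(creds, {"alice": {"payroll"}}, fail_open)
```

The chain only makes tampering evident if the latest hash is also kept somewhere the log's writer cannot alter.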
21. Administrative Controls
• Using policies, procedures, safety signs, training or supervision, or a combination of these, to control risk.
22. Administrative Controls Examples
• Can you think of any examples of administrative controls?
• Signing out a key
• Policy requiring the shredding of documents
• Filling out a check-in sheet when you enter and leave a secure area
24. Drawbacks of Administrative Controls
• Difficult to enforce
• Difficult to audit
• Impossible to verify
• Easy to evade by a dedicated individual
25. Controls - Summary and Conclusions
• Both technical controls and administrative controls have benefits and drawbacks
• Technical controls are often used in highly sensitive systems
• Administrative controls are used in lower priority situations
• Hybrid solutions are the most common, placing technical controls at the front door and administrative controls behind them. Example: Server Platform
26. Cyberwar Video
• When watching this video, think about the following:
• How real is the threat of Cyberwar?
• How does the application of Prospect Theory relate to the threat of Cyberwar?
• What types of technical and administrative controls might help mitigate the risks posed by cyber attack?
27. Readings on Cybersecurity
• Might give you some things to think about when writing Assignment #1
• Cyberwar – Myth or Reality
• Make Vendors Liable for Bugs
• The Truth About Chinese Hackers