Institutional Cybersecurity: A Case Study of Open Source Intelligence and Social Networks
M. Karaman, H. Çatalkaya
Abstract— The enlargement of cyberspace has increased both the level and the amount of cyber risk. Commensurate with the growing risk in Information and Communication Technology (ICT), many countries have prepared national cybersecurity strategies. The complexity of cyber attacks and cyber espionage activities has demonstrated that not only national critical infrastructures are targeted, but institutions as well. Having a national-level cybersecurity strategy document could not prevent cyber attacks targeting institutions. Therefore, institutions should also have a robust cybersecurity strategy, roadmap and action plan in order to stand firmly against emerging cyber risks. It has become clear that protecting critical infrastructures and assets is a key issue that leaders must permanently take into account, whether they are the CEO of an organization or a general commanding troops. From this point of view, we try to shed light on some possible cyber risks and on how cyber criminals can exploit them. Via open source intelligence and social networks, employees, managers and even system administrators can be exposed to hacking and cyber intelligence activities. In this study, we present a case study that uses open source intelligence and social networks in order to show how vulnerable institutions are to cyber attacks and cyber intelligence activities.
Index Terms— Institutional Cybersecurity, Social Networks,
Open Source Information Gathering Techniques, Metadata.
I. INTRODUCTION
The use of information and communication technologies (ICT), ranging from a mere smart phone to national assets like critical infrastructures, has been increasing day by day around the world. Along with the widespread use of ICT, cyber risks have been rising accordingly. Having reached the 1 billion mark in 2012, global smart phone users are expected to reach 1.75 million in the current year. It is also expected that more than 2.23 billion people around the world, or approximately half of mobile phone users, will connect to the internet via mobile devices in the following years [1].
Cpt. Muhammer Karaman, War Colleges Command, Army War College, Student Officer, Yenilevent, İSTANBUL 34330 TURKEY (Pbx: +90 212 398-0100/3504, İstanbul-Turkey, email: muammerkaraman29@gmail.com)
Cpt. Hayrettin Çatalkaya, War Colleges Command, Army War College, Student Officer, Yenilevent, İSTANBUL 34330 TURKEY (Pbx: +90 212 398-0100/3504, İstanbul-Turkey, email: hcatalkaya@gmail.com)
In this complex and enlarging cyber environment, how will institutions manage to protect themselves against cyber-related activities (ranging from the commercial use of personal information and open source information gathering to cyber espionage efforts)? In this study we define how information gathering techniques via open sources can give cyber criminals valuable information about employees, and then we recommend several countermeasures against these activities.
This study is organized in four sections. In Section 2, we define institutional cybersecurity, its components, dilemmas and importance for a nation. In Section 3, we give some information about open source intelligence (OSINT) gathering techniques through the internet and social networks, and present a case study. In that case study, we used some freeware tools, gathered information, analyzed the results and shed light on possible major cyber incidents. Finally, in Section 4, we point out that some essential cybersecurity measures and processes should be handled both technically and administratively.
II. METHODS
The expansion of cyberspace and the increasing use of smart devices have made us reevaluate cybersecurity not only from the governmental level but also from the institutional perspective. Thus, institutional cybersecurity can be defined as the capability that consists of information security components and procedures, provides cooperation with partners and government authorities, and handles top-down cybersecurity situational awareness [2].
Generally, the first step against global cyber threats is seen as forming a national-level cybersecurity strategy. In government-level strategies, the risks are put forward, critical infrastructures are emphasized, and action plans and measures are discussed and specified. When we move down from the government level to the institutional level, it is hardly possible to see a cybersecurity strategy document or a roadmap that is projected and adapted institutionally. The question is: “Can a government-level cybersecurity strategy document be enough for an institution itself, and can an institution get away with not having its own cybersecurity strategy or roadmap?” The answer is: “Of course not”. The main point in this issue is that institutional-level cybersecurity is generally ignored [2].
In order to ensure strong national cybersecurity, it is a must for institutions to have their own institutional cybersecurity strategy and roadmap. In Fig. 1, the institutional level of cybersecurity plays an important role between the government level and the individual level. Whether public or private, the institutions hold the critical infrastructures, providing industry, communication, transportation, finance etc. Although military organizations are left out of institutional cybersecurity in Fig. 1, it is also possible to include them at the institutional level.
Fig. 1. Cybersecurity Organizational Structure [2].
The main part of the cybersecurity organization shown in Fig. 1 is always in close connection with the levels above and below it, government and individuals, because it contains the public and private critical infrastructures. Therefore institutional-level cybersecurity, which is also valid for military organizations, must be handled systematically and thoroughly. In this respect, we put forward some main components of institutional cybersecurity, which are generic and can be applicable to other institutions as well [2].
TABLE I
THE MAIN COMPONENTS OF INSTITUTIONAL CYBERSECURITY [2].
The Main Components of Institutional Cybersecurity
1. Cyber Strategy, Policies and Roadmap
2. Defining Cyber Environment and Operational Design
3. Cybersecurity Situational Awareness and Education
4. Risk Assessment, Standardization, Cyber Resiliency
5. Secure System Architecture
6. Vulnerability Assessment
7. Central Incident Management
8. Log Management and Correlation
9. Continuous Monitoring and Auditing
10. Business Continuity
With the coming of new cyber threats and more complex malware, some leading countries and international organizations have sought ways to deal with these challenging issues [2], [3]. In this respect, the nations that are trying to ensure strong and sustainable cybersecurity also face some dilemmas [4]. The national cybersecurity dilemmas in Table II are specified by the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE) in its Framework Manual [4]. As nations deal with these dilemmas, institutions are also subject to the cybersecurity dilemmas shown below.
TABLE II
THE NATIONAL CYBERSECURITY DILEMMAS [4]
The National Cybersecurity Dilemmas
1. Stimulate The Economy
2. Infrastructure Modernisation
3. Private Sectors vs. Public Sector
4. Data Protection vs. Information Sharing
5. Freedom of Speech
Through the OSINT techniques shown in the case study, cyber criminals can pave the way for a large-scale data breach, obtain valuable information about employees, and exploit human vulnerabilities with honey traps [5], spear phishing attacks [6] and the like. The details of the case study are as follows.
III. A CASE STUDY OF OPEN SOURCE INTELLIGENCE AND SOCIAL NETWORKS
According to the National Defense Authorization Act (2006), OSINT is obtained from publicly available information to meet a mission’s intelligence requirement. From the army intelligence process perspective, OSINT is information derived from the systematic gathering, processing, and analysis of publicly available information in response to intelligence requirements [7].
White and black hat hackers utilize OSINT, which is one of the easiest information gathering techniques. In addition to intelligence and security personnel, police departments also use information from open sources [8]. The main drivers for gathering OSINT about a person or system are that the data can be reached fast, easily and cheaply. The simplicity of data being available and generally accessible to anyone may cause people to think that OSINT is useless. However, by analyzing data collected piece by piece from different types of sources, very effective results can be reached. As is known, OSINT can be obtained from media, journals, radio and television, and in our time mostly from the internet.
A. Individual Centric OSINT Efforts
The internet stores a vast amount of valuable data in addition to a great deal of personal information. People using the internet send information to each other with the help of social media and other types of communication tools like blogging and so on [8]. Reaching plenty of information about a target person is almost impossible without an internet connection. An attacker can get information via internet search engines, social media, blogs and so on.
By glancing at a social network profile, it is easy to get lots of information about someone (the one chosen by a cyber criminal as a victim): relations, friends, profession, areas of interest, location, information about the family, and the list goes on. After analyzing this information a cyber criminal can easily specify an attack route to the victim. The direction and methodology that a cyber criminal could pursue depend firstly on his creative thinking and secondly on the victim’s attitudes, behaviors and the extent of sharing on social media networks [9].
According to a report released by iSIGHT Partners on 28 May 2014, a country’s cyber threat actors are using more than a dozen fake personas on social networking sites (Facebook, Twitter, LinkedIn, Google+, YouTube, Blogger) in a coordinated, long-term cyber espionage campaign. At least 2,000 people/targets are, or have been, caught in the snare and are connected to the false personas [10]. Attackers using social media exploit weaknesses in users’ security and privacy settings, shared content, metadata, social media friends (semantic relations among users) and users’ policies, and consequently gather information about their targets. Reaching the friends of a target, the attacker can extract connection diagrams with various tools (i2 Analyst Notebook, Maltego, CaseFile etc.) as in Fig. 2. A target’s friends, data that may be helpful at some point, can also be gathered from different social networks and from web sites mirroring social networks.
Fig. 2. Common followers of two different accounts. Account 1 (left) has 1949 followers, Account 2 (right) has 535 followers, and the common followers are shown at the top.
By using social networks, it is possible to reach one’s areas of interest, the systems being used, connections, photos, videos, phone numbers, mail addresses etc. (Fig. 2.)
Fig. 3. An official social media account of a ministry. It shows the usage density on a daily basis and the systems from which a total of 3195 messages were sent during a two-year period.
In a study by an IBM research team on 1,524,544 tweets of 9551 users, the users’ locations were detected correctly by checking their last 200 tweets [11]. In other research, an algorithm was developed that finds the location of users just from their tweets, without even needing location information [12], [13].
The main drive on this issue is to collect as much information as possible about the target, which may be valuable at any time. Even though some social networks erase the metadata of uploaded content, some don’t. Some programs collect the demanded information from social networks and present the gathered data on a graphical interface. Whether on official or personal social media accounts, published photos of presidents, high-ranking commanders, diplomats and bureaucrats, who are high-value targets for an adversary, pose a great risk in terms of OSINT. The seizure of coordinate/location information about a high-level statesman can end in irreversible consequences. It is possible to reach the coordinate information of photos through the exchangeable image file format (EXIF) data available on photos. After reaching the coordinate information, putting it on a map is child’s play. There are some programs that analyze the photos and show the location information on a map. An example is shown in fig.3.
TABLE III
THE DISTRIBUTION OF GATHERED INFORMATION
Gathered Information Number
User Names 132
E-mail Addresses 185
Operating System Information 5
Folder Location 26
Printer Information 29
Software 25
Fig. 4. Gathered information shown on a map from published photos of a country’s top-level leaders, using the EXIF coordinate data.
RSS (Really Simple Syndication or Rich Site Summary), which filters the demanded information from selected web sites, is widely used by plenty of online news agencies, web sites and blogs [14]. Search engines are deemed one of the most useful information gathering sources. Many programs that collect information automatically on the internet can do result-oriented filtering from various input parameters. These parameters can be typed manually by the attacker. In our time it is possible to search the web, multiple search engines and different social networks just by typing some information about a target, like personal information, email address, photos and so on.
B. System Centric OSINT Efforts
In these cases, the attacker will struggle to find every piece of data by using OSINT in order to infiltrate the system. The system administrators, the types of software being used on the system and the location of the system are what the attacker aspires to reach.
By putting web sites into whois queries, the attacker can acquire the administrator’s information, since whois can give the contact information connected with that domain name [15]. Even though the data retrieved from a whois query can be masked by administrators, it is possible to reach previous years’ whois records. Systems that make it possible to reach whois records going back to the first registration date of a web site allow an attacker to gather information about the system administrators. An attacker can also reach previous snapshots of web sites, in order to gather the administrators’ information, through systems that archive web site front pages. Afterwards this kind of data may be used by cyber criminals with the help of OSINT. It is possible to get user names, IP addresses, client/computer names, server names, email addresses, folder names, software, operating system name and version, and so on by analyzing the metadata of content uploaded to a web site. This can be done easily with several free software tools on files (doc, docx, xls, ppt, pps, rtf etc.) that carry metadata. In Table III, 300 files (63 doc, 57 docx, 58 pdf, 15 ppt, 21 pptx, 43 xls, 43 xls) containing metadata were downloaded from a ministry’s web sites and analyzed. The numbers of gathered information items are as given there.
Fig. 5. Some of the 132 user names obtained by analysis of the metadata belonging to the 300 downloaded items.
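As an added example (not the paper’s own tooling, and not the free software the authors used), here is a standard-library Python routine that performs the document-metadata analysis described above from the defender’s side and then applies the countermeasure from Section III.C. OOXML files such as .docx are zip packages whose docProps/core.xml and docProps/app.xml parts carry the creator, last-modified-by, application and company fields; the block inventories those fields and rewrites the package with them blanked. The .docx in the block is constructed in memory with only the property parts, and the person, computer and organization names in it are made up. Note how a lastModifiedBy value of the form COMPUTER\user leaks exactly the host-naming detail that Section III.C warns against.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():      # keep readable prefixes when re-serializing
    ET.register_namespace(_prefix, _uri)

# (package member, child element, label) for the properties an analyst keys on
FIELDS = [
    ("docProps/core.xml", "dc:creator", "user name"),
    ("docProps/core.xml", "cp:lastModifiedBy", "user name"),
    ("docProps/app.xml", "ep:Application", "software"),
    ("docProps/app.xml", "ep:Company", "organisation"),
]


def inventory(docx: bytes) -> dict:
    """Return {label: sorted list of values} for every tracked property that
    is present and non-empty in the package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        members = set(z.namelist())
        for member, child, label in FIELDS:
            if member not in members:
                continue
            root = ET.fromstring(z.read(member))
            node = root.find(child, NS)
            if node is not None and node.text and node.text.strip():
                found.setdefault(label, set()).add(node.text.strip())
    return {label: sorted(values) for label, values in found.items()}


def scrub(docx: bytes) -> bytes:
    """Rewrite the package with every tracked property blanked. The document
    body and all other members are copied unchanged."""
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for item in src.infolist():
            data = src.read(item.filename)
            targets = [child for member, child, _ in FIELDS if member == item.filename]
            if targets:
                root = ET.fromstring(data)
                for child in targets:
                    node = root.find(child, NS)
                    if node is not None:
                        node.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            out.writestr(item.filename, data)
    return out_buf.getvalue()


def package_members(docx: bytes) -> list:
    """List the zip members, to confirm a scrub kept the document body."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return z.namelist()


def sample_docx() -> bytes:
    """Constructed minimal .docx-like package: property parts plus a stub
    body. All names in it are invented for the example."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        '<dc:creator>ahmet.yilmaz</dc:creator>'
        '<cp:lastModifiedBy>PC-LOGISTICS-07\\admin</cp:lastModifiedBy>'
        '</cp:coreProperties>' % (NS["cp"], NS["dc"])
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
        '<Company>Example Ministry, Logistics Dept</Company></Properties>' % NS["ep"]
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    doc = sample_docx()
    print("before scrub:", inventory(doc))
    print("after scrub: ", inventory(scrub(doc)))
```

inventory() is what to run over a web server’s document tree before release; scrub() is the remediation for the files it flags. The other formats in the authors’ sample (pdf, legacy .doc and .xls) store metadata differently (the PDF Info dictionary, OLE property streams in the binary Office formats) and need their own parsers.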
By using and analyzing the metadata, institutions’ personnel information can be obtained with free software by cyber criminals and terrorists (Fig. 4). After gathering user and system information from these documents, which are seen as harmless, neither confidential nor sensitive, and are thus released to the internet by the administrators, attackers can utilize this information to reconstruct the organizational structure of an institution and to track the personnel on social media with masked accounts for future sophisticated phishing and cyber espionage attacks, after earning the trust of the target. Similar efforts were recently discovered in the large-scale cyber espionage campaign of a country that had been ongoing undetected since 2011. The mentioned cyber espionage campaign targeted key US military and diplomatic personnel through covert and fake accounts pretending to be government contractors or journalists. After cementing their trustworthiness by giving the target information about activities, news updates etc., the cyber criminals trap the target with “spear-phishing”, directing them to false web pages, and obtain the target’s credentials [5].
C. Possible Counter Measures Against Cyber Intelligence and Espionage Activities
In our time, civil and governmental firms and institutions are racing to reach and inform their followers fast and reliably. Commensurate with that struggle, a great deal of cyber risk may come forth unless the institutional data, whether conveyed or already existing on the internet, are brought under control. Although some social networks delete EXIF data for the privacy of their users, some still don’t, and there is no guarantee that they do not keep the metadata and similar data on their own servers. Institutions sharing photos or documents on social networks or on their web sites should erase or change the metadata with third-party software, in order to prevent OSINT efforts that may lead to a more sophisticated cyber espionage attack. A document apparently holding no confidential or sensitive information may in fact carry crucial metadata. Therefore the significance of metadata and similar cyber risks should be explained by the Information and Communication Technologies (ICT) staff to employees at every level, from the least senior to the managers of the institution. Procedures should be reviewed to cover the use of social networks among personnel. In order to prevent OSINT and web vulnerabilities from exposing users’ credentials, system information and so on, these should be checked by senior ICT staff.
Information that reveals the institution’s organizational structure, like operations or logistics department, and users’ identifying data, like citizenship number, email address or names, should not be used as computer, server or printer names. Instead, simple names and numbers should be preferred in naming the institution’s assets, like computer001, networkprinter002 etc. As a general principle, ICT personnel should not depart from the rule of separation of duties and should not prefer simplicity over a safer network design. For sustainable institutional cybersecurity, vulnerability tests and security audits should be executed periodically. Risk assessment documents, including novel and emerging cyber threats, must be updated according to international standards, and virtualization technologies should be used in networks [17].
IV. CONCLUSION
Cyber activities cannot be considered apart from intelligence efforts. According to documents leaked by Edward Snowden and released by a news agency, offensive cyber activities are executed before and concurrently with cyber intelligence activities [5]. While the targets, key diplomatic and military personas, remain similar in the mentioned document, the scope of the intelligence efforts exceeds its limits and ensnares the target in sex and honey traps [5] by arranging the location, time and place, which may be obtained in various ways through OSINT on social networks or by other cyber means. Institutions and firms create official accounts on social networks to build healthy communication with their customers and followers, and they share information and documents on them.
In a series of analyses carried out, it is evident that institutions haven’t taken the necessary measures against metadata and other cyber risks [18]. If similar analyses are done by malicious people or terrorist organizations, information and documents holding metadata can help improve their level of intelligence about the institution, can bring income to cyber criminals who covertly obtain commercial secrets, and they may also carry out ransomware attacks, which reached their highest level in 2013 [16].
Cyber Incident Response Teams (CIRT), which all institutions established internally by the official order (dated 13 October 2013) of the Ministry of Transportation, Maritime Affairs and Communications, should take into account the cyber risks of the metadata of uploaded content, whether on the official web sites or the social media accounts of their institution, and should also be aware of the threat that social networks pose in terms of cyber espionage and intelligence activities.
Measures against OSINT and social network risks should be administrative and technical, considering the confidentiality, integrity and availability of information and, for sure, the privacy of the employees too. Although these kinds of cyber risks seemingly concern only institutions, they are in general a matter of national cybersecurity. While the weakest link in ensuring information and cyber security is the human, in terms of national security the weakest link could be a critical/key institution of a country.
REFERENCES
[1] Smartphone Users Worldwide Will Total 1.75 Billion in 2014. [Online]. Available: http://www.emarketer.com/Article/Smartphon-Users-Worldwide-Will-Total-175-Billion-2014/1010536
[2] I. Sisaneci, O. Akin, M. Karaman, and M. Saglam, “A Novel Concept For Cybersecurity: Institutional Cybersecurity”, 6th International Conference on Information Security and Cryptology, Ankara, Turkey, Sep. 20-21, 2013, pp. 89.
[3] NATO Web Site. [Online]. Available: http://www.nato.int, June 2013.
[4] A. Klimburg, Ed., National Cyber Security Framework Manual. NATO CCD COE Publications, 2012.
[5] M. Cole, “Exclusive: Snowden Docs Show British Spies Used Sex and ‘Dirty Tricks’”, (2014, February 07). [Online]. Available: http://www.nbcnews.com/feature/edward-snowden-interview/exclusive-snowden-docs-show-british-spies-used-sex-dirty-tricks-n23091
[6] J. Finkle, “Iranian hackers use fake Facebook accounts to spy on U.S., others”, (2014, May 29). [Online]. Available: http://www.reuters.com/article/2014/05/29/us-iran-hackers-idUSKBN0E90A220140529
[7] Open Source Intelligence, FMI 2-22.9, 2006.
[8] Q. Eijkman and D. Weggemans, “Open source intelligence and privacy dilemmas: Is it time to reassess state accountability?”, Security and Human Rights, 2012, no. 4, pp. 285-286.
[9] B. Valeriano and R. Maness, “A Theory of Cyber Espionage for the Intelligence Community”, EMC Chair Conference Paper.
[10] S. Ward, “An Iranian Threat Inside Social Media”, (2014, May 28). [Online]. Available: http://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/
[11] M. Jalal, J. Nichols, and C. Drews, “Where Is This Tweet From? Inferring Home Locations of Twitter Users”, ICWSM, 2012.
[12] B. Hecht, L. Hong, B. Suh, and E. H. Chi, “Tweets from Justin Bieber’s heart: the dynamics of the location field in user profiles”, in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, ACM, May 2011, pp. 237-246.
[13] B. Han, P. Cook, and T. Baldwin, “A Stacking-based Approach to Twitter User Geolocation Prediction”.
[14] V. Vuori and J. Väisänen, “The Use of Social Media in Gathering and Sharing Competitive Intelligence”, The 9th International Conference on Electronic Business, Macau, November 30 - December 4, 2009.
[15] Whois Access Policy (2012, February 02). [Online]. Available: http://www.nic.uno/policy/Whois-Access-Policy.pdf
[16] McAfee Threats Report: Second Quarter 2013.
[17] M. Çalişkan, I. Şen, E. Kuğu and M. A. Aydin, “Sanallaştirma Teknolojilerinin Saldiri Tespit ve Önleme Sistemleri Üzerine Etkisi” (The Effect of Virtualization Technologies on Intrusion Detection and Prevention Systems), 1st International Symposium on Digital Forensics and Security (ISDFS’13), pp. 244-249, 2013.
[18] K. Goztepe, “Designing Fuzzy Rule Based Expert System for Cyber Security”, International Journal of Information Security Science, vol. 1, no. 1, pp. 13-19, 2012.
Muhammer Karaman received his BS degree from the Turkish Army Academy in 2005. He completed the Information System Management Course at the School of Information Technologies of the US Army Signal School in Georgia, USA, in 2012. He currently continues his studies at the Turkish Army War College. His research interests are cyber operations, cyber law, operational design and international relations.
Hayrettin Çatalkaya received his BS degree from the Turkish Army Academy in 2005. He currently continues his studies at the Turkish Army War College. His research interests are information security and privacy, computer forensics and digital investigation.