
Human Dimensions of Cybersecurity PDF

229 Pages·2019·7.102 MB·English

Preview Human Dimensions of Cybersecurity

Human Dimensions of Cybersecurity
Terry Bossomaier, Steven D'Alessandro, and Roger Bradbury

CRC Press, Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742
© 2020 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
International Standard Book Number-13: 978-1-138-59040-3 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data
Names: Bossomaier, Terry R. J. (Terry Richard John), author. | D'Alessandro, Steven, author. | Bradbury, R. H. (Roger H.), author.
Title: Human dimensions of cybersecurity / by Terry Bossomaier, Steven D'Alessandro, Roger Bradbury.
Description: Boca Raton: CRC Press, [2020] | Includes bibliographical references and index. | Summary: "The book identifies the technological features that give rise to security issues. It describes the structure of the Internet and how it is compromised by malware, and examines some of the more common security issues. It then looks at aspects of human persuasion and consumer choice, and how these affect cybersecurity. It argues that social networks and the related norms play a key role as does government policy, as each impact on individual behavior of computer use. The book identifies the most important human and social factors that affect cybersecurity. It illustrates each factor using case studies, and examines possible solutions from both technical and human acceptability viewpoints" – Provided by publisher.
Identifiers: LCCN 2019038924 (print) | LCCN 2019038925 (ebook) | ISBN 9781138590403 (hardback) | ISBN 9780429490989 (ebook)
Subjects: LCSH: Computer security – Case studies. | Computer security – Social aspects. | Computer networks – Security measures. | Data protection. | Computer security – Government policy.
Classification: LCC QA76.9.A25 B6395 2020 (print) | LCC QA76.9.A25 (ebook) | DDC 005.8 – dc23
LC record available at https://lccn.loc.gov/2019038924
LC ebook record available at https://lccn.loc.gov/2019038925

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

Foreword . . . xi
Preface . . . xiii
Glossary . . . xv
List of Cyber Nuggets . . . xxiii
Authors . . . xxvii

1 Introduction . . . 1
1.1 That Could Have Been Me . . . 1
1.2 A Brief History of Cybersecurity . . . 3
1.2.1 The German Celebrity Hack . . . 5
1.2.2 The Australian Parliamentary Hack . . . 6
1.3 The Big Picture . . . 6
1.4 Overview . . . 7

2 Case Studies . . . 9
2.1 Denial of Service . . . 9
2.1.1 Motivation and Frequency of DoS Attacks . . . 12
2.1.2 Preventing and Countering a DoS Attack . . . 13
2.2 Ransomware . . . 18
2.2.1 WannaCry . . . 18
2.2.2 Petya and NotPetya . . . 20
2.3 Check Before You Send: Business Email Compromise (BEC) Attacks . . . 22
2.3.1 Blockchain Land Titles . . . 24
2.4 When Too Much Concern over Cybersecurity Is Too Much: Opting Out of My Health Records in Australia . . . 24
2.5 Corporate Data Breaches . . . 26
2.5.1 Supply Chain Attacks . . . 26
2.5.2 Illustrative Floods . . . 27
2.5.2.1 Guard Your CV . . . 27
2.5.2.2 The Equifax Hack . . . 27
2.5.2.3 Don't Organize an Affair Online . . . 28
2.5.2.4 Flood Prevention . . . 28
2.6 The Nation State and CyberSecurity: Firewalls, Friends, and Enemies . . . 29
2.6.1 The Great Firewall, Golden Shield, and the Great Cannon of China . . . 29
2.6.2 Social Credits Anyone? . . . 30
2.7 Encryption: The Government Is Your Friend but Not Always Your Best Friend . . . 31
2.7.1 Can the Law of the Land Defeat the Law of Mathematics? . . . 31
2.7.2 Who Watches the Watchers and the Impact on the Economy . . . 33
2.8 Cambridge Analytica . . . 33
2.9 Trampling over Transport Layer Security . . . 36
2.10 Beware the Insider . . . 37

3 Networks and Norms . . . 41
3.1 Introduction . . . 42
3.2 Mindsets . . . 42
3.3 Social Networks . . . 44
3.3.1 Some Elementary Graph Theory . . . 44
3.3.1.1 Small Worlds . . . 44
3.3.1.2 Scale-Free Networks . . . 45
3.3.1.3 Network Motifs . . . 47
3.3.2 Some Measures on Networks . . . 47
3.3.2.1 Clustering and Assortativeness . . . 47
3.3.2.2 Betweenness Centrality . . . 47
3.3.2.3 Modularity . . . 48
3.3.3 Network Discovery . . . 49
3.3.4 Using and Transforming Networks . . . 50
3.3.5 Friends of Friends . . . 50
3.3.6 Secure Networks . . . 51
3.4 Social Norms . . . 51
3.4.1 Emergent versus Agreed Norms . . . 52
3.4.2 Trends and Social Media Marketing . . . 53
3.4.3 Some Adverse Social Norms in Cybersecurity . . . 53
3.4.3.1 Terms and Conditions . . . 53
3.4.3.2 Data Security . . . 54
3.4.3.3 Cyber Hygiene . . . 55
3.4.3.4 Distributed Trust . . . 56
3.4.3.5 Slack Email . . . 56
3.4.3.6 Good and Bad Advice . . . 56
3.4.3.7 The Ups and Downs of Virtual Private Networks . . . 57
3.4.3.8 Data Fragility . . . 57
3.5 Modularity in Cybersecurity . . . 58
3.5.1 Concluding Comments . . . 59

4 Consumer Choice . . . 61
4.1 Introduction . . . 62
4.2 Cybersecurity as Predicted by Demographics . . . 63
4.3 Cybersecurity and the Theory of Reasoned Action . . . 65
4.4 Motivation To Avoid Harm (MTAH) and Cybersecurity . . . 67
4.5 The Technology Acceptance Model (TAM) and the Adoption of New Technologies in Cybersecurity . . . 70
4.6 Social and Situational Factors in Cybersecurity . . . 72
4.6.1 Trust and Risk in the Online Environment . . . 72
4.6.2 Cybersecurity as Predicted by Personality . . . 73
4.6.3 Stress and Time Pressures on Users . . . 73
4.6.4 Information Overload . . . 74
4.7 Improving the Security Behavior of Users . . . 74
4.7.1 A Need for a Systematic Approach to Cybersecurity . . . 75

5 Risk Perspectives in Cybersecurity . . . 77
5.1 Introduction . . . 77
5.2 Costs and Occurrences of Cyberattacks as of 2018 . . . 78
5.3 Types of Threats and Their Associated Risks . . . 80
5.3.1 Threats by Source of Attack . . . 80
5.3.2 Threats by Type of Attack . . . 83
5.3.2.1 DDoS Attacks . . . 84
5.3.2.2 Middleware Attacks . . . 86
5.3.2.3 Spoofing Attacks . . . 86
5.3.2.4 Social Engineering Attacks . . . 87
5.3.2.5 Advanced Persistent Threat (APT) . . . 90

6 Government Policy and Statecraft in Cybersecurity . . . 93
6.1 Legal Frameworks and Their Effects on Reducing Risk . . . 94
6.2 Accreditation and National Frameworks to Reduce Cyber-Risks . . . 98
6.2.1 CBEST . . . 101
6.2.2 Framework for Improving Critical Infrastructure Cybersecurity or the National Institute of Standards and Technology (NIST) Framework . . . 103
6.2.3 The Australian Signals Directorate Essential Eight . . . 108
6.3 Other Approaches to Corporate Governance to Reduce Cyber-Risk . . . 111
6.4 Cyber Warfare . . . 112
6.5 Conclusion and Recommendations . . . 112

7 Technical Perspectives . . . 115
7.1 Public–Private Key (PPK) Cryptography . . . 116
7.2 Some Preliminary Concepts . . . 116
7.2.1 Asymmetric Cyphers . . . 117
7.2.2 Diffie–Hellman, with Apologies to Mary Poppins . . . 118
7.2.2.1 Numerical Example . . . 119
7.2.3 The RSA Algorithm . . . 119
7.2.3.1 The Really Hairy Part . . . 121
7.2.4 Elliptic Curve Cryptography (ECC) . . . 122
7.3 Symmetric Encryption . . . 123
7.3.1 Advanced Encryption Standard (AES) . . . 124
7.3.2 Stream Cyphers . . . 124
7.4 Keys Galore . . . 124
7.4.1 Communication Keys . . . 125
7.4.2 Good and (Very) Bad Signatures . . . 126
7.4.3 Antiencryption Legislation . . . 127
7.5 Passwords . . . 127
7.5.1 The Password File . . . 128
7.5.2 Good Passwords . . . 129
7.5.3 Password Managers/Safes . . . 130
7.5.3.1 Using the Browser . . . 131
7.5.3.2 Rainbow Tables . . . 132
7.5.3.3 Key Exchange Precomputation . . . 133
7.5.3.4 Storing Passwords Locally . . . 134
7.5.3.5 Online Password Safes . . . 134
7.5.4 Two-Factor Identification . . . 135
7.6 Biometrics . . . 135
7.7 Basic Ideas of Computer Networks . . . 136
7.7.1 Network Layers . . . 137
7.7.1.1 Protocol Stacks. A Simple Analogy . . . 137
7.7.1.2 Abstraction . . . 138
7.7.1.3 TCP: The Transport Control Protocol . . . 139
7.7.1.4 UDP: The User Datagram Protocol . . . 139
7.7.1.5 The Application Layer . . . 139
7.7.2 Addresses of All Sorts . . . 139
7.7.2.1 IP Addresses for the Internet . . . 139
7.7.2.2 Ethernet . . . 140
7.7.2.3 WiFi . . . 140
7.7.3 Domain Name Server (DNS) . . . 140
7.8 Increasing Internet Security . . . 142
7.8.1 IPSec: Going a Bit Deeper . . . 143
7.8.2 Ports, Firewalls, and Filters . . . 144
7.8.2.1 Detecting Open Ports . . . 144
7.9 Virtual Private Networks . . . 145
7.9.1 Virtual Private Networks in the Home . . . 145
7.9.2 Choosing a VPN . . . 146
7.9.3 Value of a Virtual Private Network . . . 146
7.9.4 Avoiding the Need for VPNs . . . 147
7.10 Onions and the Dark Web . . . 147
7.10.1 The Dark Web and Onion Routing . . . 147
7.11 Local Threats and Malware . . . 149
7.12 Certificates and Trust . . . 150
7.12.1 Public Key Infrastructure (PKI) . . . 151
7.13 Email . . . 152
7.13.1 Spoofing . . . 154
7.13.2 Email Security . . . 154
7.13.2.1 Sender Policy Framework Results . . . 156
7.14 Blockchains . . . 156
7.14.1 The Hard Fork . . . 158
7.15 EU Data Protection Rules . . . 159
7.16 Quantum Computing . . . 160
7.16.1 Mr Hyde: Superposition and Parallel Computation . . . 160
7.16.2 Dr Jekyll: Entanglement . . . 160

8 The Future . . . 163
8.1 Keeping Nasties Out . . . 163
8.1.1 Formal Validation . . . 164
8.2 Use of Encryption . . . 165
8.3 Encouraging Good Cyber Practice . . . 166
