Identifying the critical success factors to improve information security incident reporting

Humphrey, Mike

January 2017

There is a perception amongst security professionals that the true scale of information security incidents is unknown due to under reporting. This potentially leads to an absence of sufficient empirical incident report data to enable informed risk assessment and risk management judgements. As a result, there is a real possibility that decisions related to resourcing and expenditure may be focussed only on what is believed to be occurring based on those incidents that are reported. There is also an apparent shortage of research into the subject of information security incident reporting. This research examines whether this assumption is valid and the potential reasons for such under reporting. It also examines the viability of re-using research into incident reporting conducted elsewhere, for example in the healthcare sector. Following a review of what security related incident reporting research existed together with incident reporting in general a scoping study, using a group of information security professionals from a range of business sectors, was undertaken. This identified a strong belief that security incidents were significantly under-reported and that research from other sectors did have the potential to be applied across sectors. A concept framework was developed upon which a proposal that incident reporting could be improved through the identification of Critical Success Factors (CSF’s). A Delphi study was conducted across two rounds to seek consensus from information security professionals on those CSF’s. The thesis confirms the concerns that there is under reporting and identifies through a Delphi study of information security professionals a set of CSF’s required to improve security incident reporting. An Incident Reporting Maturity Model was subsequently designed as a method for assisting organisations in judging their position against these factors and tested using the same Delphi participants as well as a control group. The thesis demonstrates a contribution to research through the rigorous testing of the applicability of incident reporting research from other sectors to support the identification of solutions to improve reporting in the information security sector. It also provides a practical novel approach to make use of a combination of CSF’s and an IRMM that allows organisations to judge where their level of maturity is set against each of the four CSF’s and make changes to strategy and process accordingly.

Cyber security

The global vulnerability discovery and disclosure system: a thematic system dynamics approach

Lewis, P S

23 October 2017

Vulnerabilities within software are the fundamental issue that provide both the means, and opportunity for malicious threat actors to compromise critical IT systems (Younis et al., 2016). Consequentially, the reduction of vulnerabilities within software should be of paramount importance, however, it is argued that software development practitioners have historically failed in reducing the risks associated with software vulnerabilities. This failure is illustrated in, and by the growth of software vulnerabilities over the past 20 years. This increase which is both unprecedented and unwelcome has led to an acknowledgement that novel and radical approaches to both understand the vulnerability discovery and disclosure system (VDDS) and to mitigate the risks associate with software vulnerability centred risk is needed (Bradbury, 2015; Marconato et al., 2012). The findings from this research show that whilst technological mitigations are vital, the social and economic features of the VDDS are of critical importance. For example, hitherto unknown systemic themes identified by this research are of key and include; Perception of Punishment; Vendor Interactions; Disclosure Stance; Ethical Considerations; Economic factors for Discovery and Disclosure and Emergence of New Vulnerability Markets. Each theme uniquely impacts the system, and ultimately the scale of vulnerability based risks. Within the research each theme within the VDDS is represented by several key variables which interact and shape the system. Specifically: Vender Sentiment; Vulnerability Removal Rate; Time to fix; Market Share; Participants within VDDS, Full and Coordinated Disclosure Ratio and Participant Activity. Each variable is quantified and explored, defining both the parameter space and progression over time. These variables are utilised within a system dynamic model to simulate differing policy strategies and assess the impact of these policies upon the VDDS. Three simulated vulnerability disclosure futures are hypothesised and are presented, characterised as depletion, steady and exponential with each scenario dependent upon the parameter space within the key variables.

Cyber security

The global vulnerability discovery and disclosure system : a thematic system dynamics approach

Lewis, Paul Simon

January 2017

Vulnerabilities within software are the fundamental issue that provide both the means, and opportunity for malicious threat actors to compromise critical IT systems (Younis et al., 2016). Consequentially, the reduction of vulnerabilities within software should be of paramount importance, however, it is argued that software development practitioners have historically failed in reducing the risks associated with software vulnerabilities. This failure is illustrated in, and by the growth of software vulnerabilities over the past 20 years. This increase which is both unprecedented and unwelcome has led to an acknowledgement that novel and radical approaches to both understand the vulnerability discovery and disclosure system (VDDS) and to mitigate the risks associate with software vulnerability centred risk is needed (Bradbury, 2015; Marconato et al., 2012). The findings from this research show that whilst technological mitigations are vital, the social and economic features of the VDDS are of critical importance. For example, hitherto unknown systemic themes identified by this research are of key and include; Perception of Punishment; Vendor Interactions; Disclosure Stance; Ethical Considerations; Economic factors for Discovery and Disclosure and Emergence of New Vulnerability Markets. Each theme uniquely impacts the system, and ultimately the scale of vulnerability based risks. Within the research each theme within the VDDS is represented by several key variables which interact and shape the system. Specifically: Vender Sentiment; Vulnerability Removal Rate; Time to fix; Market Share; Participants within VDDS, Full and Coordinated Disclosure Ratio and Participant Activity. Each variable is quantified and explored, defining both the parameter space and progression over time. These variables are utilised within a system dynamic model to simulate differing policy strategies and assess the impact of these policies upon the VDDS. Three simulated vulnerability disclosure futures are hypothesised and are presented, characterised as depletion, steady and exponential with each scenario dependent upon the parameter space within the key variables.

005.8

Cyber security

A behavioural study in runtime analysis environments and drive-by download attacks

Puttaroo, Mohammad Ally Rehaz

January 2017

In the information age, the growth in availability of both technology and exploit kits have continuously contributed in a large volume of websites being compromised or set up with malicious intent. The issue of drive-by-download attacks formulate a high percentage (77%) of the known attacks against client systems. These attacks originate from malicious web-servers or compromised web-servers and attack client systems by pushing malware upon interaction. Within the detection and intelligence gathering area of research, high-interaction honeypot approaches have been a longstanding and well-established technology. These are however not without challenges: analysing the entirety of the world wide web using these approaches is unviable due to time and resource intensiveness. Furthermore, the volume of data that is generated as a result of a run-time analysis of the interaction between website and an analysis environment is huge, varied and not well understood. The volume of malicious servers in addition to the large datasets created as a result of run-time analysis are contributing factors in the difficulty of analysing and verifying actual malicious behaviour. The work in this thesis attempts to overcome the difficulties in the analysis process of log files to optimise malicious and anomaly behaviour detection. The main contribution of this work is focused on reducing the volume of data generated from run-time analysis to reduce the impact of noise within behavioural log file datasets. This thesis proposes an alternate approach that uses an expert lead approach to filtering benign behaviour from potentially malicious and unknown behaviour. Expert lead filtering is designed in a risk-averse method that takes into account known benign and expected behaviours before filtering the log file. Moreover, the approach relies upon behavioural investigation as well as potential for 5 system compromisation before filtering out behaviour within dynamic analysis log files. Consequently, this results in a significantly lower volume of data that can be analysed in greater detail. The proposed filtering approach has been implemented and tested in real-world context using a prudent experimental framework. An average of 96.96% reduction in log file size has been achieved which is transferable to behaviour analysis environments. The other contributions of this work include the understanding of observable operating system interactions. Within the study of behaviour analysis environments, it was concluded that run-time analysis environments are sensitive to application and operating system versions. Understanding key changes in operating systems behaviours within Windows is an unexplored area of research yet Windows is currently one of the most popular client operating system. As part of understanding system behaviours for the creation of behavioural filters, this study undertakes a number of experiments to identify the key behaviour differences between operating systems. The results show that there are significant changes in core processes and interactions which can be taken into account in the development of filters for updated systems. Finally, from the analysis of 110,000 potentially malicious websites, typical attacks are explored. These attacks actively exploited the honeypot and offer knowledge on a section of the active web-based attacks faced in the world wide web. Trends and attack vectors are identified and evaluated.

Cyber security ; Computing

A Virtual Hydroelectric Power System for Distributable Industrial Control System Security Research

Mudd, David Brian

15 August 2014

Cyber security for industrial control systems (ICS) has been a rapidly growing area of interest and research for the last several years. The lack of an easily distributable platform on which ICS components can be built for use in security testing and result comparison among researchers presents a major issue. This thesis details the use of a virtual testbed environment to build a representative virtual hydroelectric power system (VHPS). The VHPS generates realistic Modbus/TCP network traffic between two separate ICS devices, a Master and a Slave, located on separate VMs. For security testing purposes, a method of session hijacking has been implemented as well as a Function Code Scan attack and a Setpoint Manipulation attack. The virtual environment, the VHPS, and the attacks have been packaged into an LXDE-based Fedora Spin VM for easy distribution.

cyber security

SCADA

Collaborative cyber security situational awareness

Almualla, Mohammed Humaid

January 2017

Situational awareness is often understood as the perception of environmental elements and comprehension of their meaning, and the projection of future status. The advancements in cyberspace technology have fuelled new business and opportunities, but also brought an element of risk to valued assets. Today, the growing gap between different types of cyber-attacks threatens governments and organisations, from individuals to highly organized sponsored teams capable of breaching the most sophisticated systems and the inability to cope with these emerging threats. There is a strong case to be made for effective Collaborative Cyber-Security Situational Awareness (CCSA) that is designed to protect valuable assets, making them more resilient to cybersecurity threats. Cybersecurity experts today must rethink the nature of security, and shift from a conventional approach that stresses protecting vulnerable assets to a larger, more effective framework with the aim of strengthening cyber assets, making them more resilient and part of a cybersecurity process that delivers greater value against cyber threats. This study introduces a new approach to understanding situational awareness of information sharing and collaboration using knowledge from existing situational awareness models. However, current situational awareness models lack resilience in supporting information systems infrastructure, addressing various vulnerabilities, identifying high priority threats and selecting mitigation techniques for cyber threats. The use of exploratory and explanatory analysis techniques executed by Structure Equation Modelling (SEM) allowed the examination of CCSA, in this study. Data from 377 cyber security practitioners affiliated to cybersecurity expert groups including computer emergency response team (CERT) and computer security incident response team (CSIRT) was gathered in the form of an electronic survey and analysed to discover insights and understand the mental model of those cybersecurity experts. Also, a finding from the SEM was the CSSA model aligned perfectly with the second-order Cybernetics model to test the theory in practice, confirming the possibility of using the proposed model in a practical application for this research. Furthermore, the SEM informed the design of the CCSA Environment where an empirical study was employed to verify and validate the CCSA theory in practice. In addition, the SEM informed the design of a behavioural anchor rating scale to measure participant situational awareness performance. The experiment results proved that when using the CCSA model and replicating real-world cyber-attack scenarios that the outcome of situational awareness performance was 61% more than those who did not employ the use of the CCSA model and associated dashboard tool. Further, it was found that both timeliness and accuracy are important in influencing the outcome of information sharing and collaboration in enhancing cyber situational awareness and decision-making. This thesis for the first time presents a novel CCSA theory which has been confirmed in practice. Firstly, this research work improves the outcome of effectiveness in cyber SA by identifying important variables related with the CCSA model. Second, it provides a new technique to measure operators' cyber SA performance. Secondly, it provides the necessary steps to employ information sharing in order to improve cyber security incorporated in the CCSA model. Finally, cybersecurity experts should collaborate to identify and close the gap between cybersecurity threats and execution capacity. The novel CCSA model validated in this research can be considered an effective solution in fighting and preventing cyber-attacks. Attainment of cyber security is driven by how information is both secured and presented between members to encourage the use of information sharing and collaboration to resolve cyber security threats in a timely and accurate manner. This research helps researchers and practitioners alike gain an understanding of key aspects of information sharing and collaboration in CSSA which is informed by the CCSA theory and new capability that the implementation of this theory has shown to deliver in practice.

On Cyber-Physical Security of Smart Grid: Data Integrity Attacks and Experiment Platform

Tan, Song

07 May 2016

A Smart Grid is a digitally enabled electric power grid that integrates the computation and communication technologies from cyber world with the sensors and actuators from physical world. Due to the system complexity, typically the high cohesion of communication and power system, the Smart Grid innovation introduces new and fundamentally different security vulnerabilities and risks. In this work, two important research aspects about cyber-physical security of Smart Grid are addressed: (i) The construction, impact and countermeasure of data integrity attacks; and (ii) The design and implementation of general cyber-physical security experiment platform. For data integrity attacks: based on the system model of state estimation process in Smart Grid, firstly, a data integrity attack model is formulated, such that the attackers can generate financial benefits from the real-time electrical market operations. Then, to reduce the required knowledge about the targeted power system when launching attacks, an online attack approach is proposed, such that the attacker is able to construct the desired attacks without the network information of power system. Furthermore, a network information attacking strategy is proposed, in which the most vulnerable meters can be directly identified and the desired measurement perturbations can be achieved by strategically manipulating the network information. Besides the attacking strategies, corresponding countermeasures based on the sparsity of attack vectors and robust state estimator are provided respectively. For the experiment platform: ScorePlus, a software-hardware hybrid and federated experiment environment for Smart Grid is presented. ScorePlus incorporates both software emulator and hardware testbed, such that they all follow the same architecture, and the same Smart Grid application program can be tested on either of them without any modification; ScorePlus provides a federated environment such that multiple software emulators and hardware testbeds at different locations are able to connect and form a unified Smart Grid system; ScorePlus software is encapsulated as a resource plugin in OpenStack cloud computing platform, such that it supports massive deployments with large scale test cases in cloud infrastructure.

Cyber Security

Testbed

Smart Grid

H.264 encoded digital video protection using temporal redundancy LSB steganography

Mitchell, Scott

January 2018

A steganographic method was developed based on the temporal redundancies present in digital video streams, these redundancies are utilised by the H.264 encoding standard to reduce the bandwidth requirements of a digital video stream while maintaining content quality. The temporal redundancies are used to steganographically embed unique binary data within the digital video stream, this results in a unique embedding strategy within each video stream while also utilising areas that reduce the potential data loss experienced during the H.264 encoding process. The effectivness of the developed steganographic method is measured using the common steganographic metrics of Payload Capacity, Embedded Data Robustness and Media Impact. The results illustrate that the compensation of mutative factors in the embedding process using temporal redundancies result in a more robust method of data embedding within digital video encoded using H.264.

How do the Baltic States bolster their national resilience through cyber security? / Cybersecurity and national resilience in Estonia

Nicol, Cameron

January 2018

This thesis is an attempt to analyse the relationship between the increasingly popular concept of national resilience and cybersecurity. National resilience is a concept that has permeated the security and policy making realms in recent times. This relationship is examined by using the Baltic nation of Estonia as a model due to the nation being regarded as the 'most digitally advanced in the world'. The main objective of the thesis is to investigate the relationship between cybersecurity and national resilience and discuss the implications of this relationship in the wider security context. The thesis begins by establishing if a nexus exists between the concept of national resilience and cybersecurity. In order to better understand the potential impact cyber security could have on a nation's resilience, it is important to establish the relationship between the two concepts. After the nexus is successfully established, the thesis then charts the development of the concept of resilience within the Estonian national security documents. The aim of this exercise is to demonstrate how the concept of resilience has been transformed over the years within an Estonian context while comparing its trajectory to the wider global trend of the concept. The research technique of content analysis is utilised to...

Používání kybernetických útoků proti Íránu jako nástroj hybridní války / Cyber Attacks against Iran as Instruments of Hybrid Warfare

Utinková, Hana

January 2021

Cyber security is quickly becoming one of the most important issues in the field of global politics. For this reason, it is vital to pay attention to topics in this field since they can impact international relations in a major way. Inspired by this, the thesis is focused on analysis, characterization, and categorization of cyber-attacks, which had been aimed at the Islamic Republic of Iran since 2007. The goal of the thesis is dual: to provide a complex picture of such incidents, and also to decide whether those attacks can be considered as evidence of hybrid warfare of some states against Iran. Data and reports about cyber-attacks were analyzed using AVOIDIT taxonomy in order to outline their basic characteristics. The characteristics were then contrasted with the definition of hybrid warfare. The final result of the analysis is that the cyber-attacks against Iran cannot be considered as hybrid warfare, because they do not meet the basic tenets of the concept of hybrid warfare. The aspiration of the thesis is to provide a clearer insight into the topic of cyber- attacks and global politics and can serve as a guide for future discussions since the topic of hybrid warfare has become very divisive.

cyber security; hybrid warfare; Iran