Cyber security

Risks and Opportunities provided by the Cyber Domain and Policy Needs to Address Cyber Defense


International Research Journal On Police Science, ISSN 2454-597X Volume 2, Issue 1&2

Sandeep Mittal, I.P.S.,*


International Research Journal On Police Science. ISSN: 2454-597X, Issue 1&2, December 2016

Introduction

The term ‘Cyber Domain’ has been used widely by various experts, sometimes interchangeably with ‘Cyber Space’, to mean “the global domain within the information environment that encompasses the interdependent networks of information technology infrastructures, including the internet and telecommunication networks” (Camillo & Miranda, 2011). Today it has become “the fifth domain of warfare after land, sea, air and space and it is a challenge to have a common definition of cyber Domain”, but for the purpose of this essay the definition given above would suffice. Any entity, whether it is a Nation State or an Enterprise, that operates in the cyber domain needs to maintain the confidentiality, integrity and availability of its deployed resources. The dynamics of the cyber domain are complex and complicated in time and space. Humans, machines, things and their interactions are evolving continuously, posing risks and opportunities in the cyber domain. A risk to one party becomes an opportunity for another. In this essay, the ‘risks presented by’ and ‘opportunities available in’ the cyber domain are identified, discussed and analyzed in order to consider the key strategic policy elements needed to defend the cyber domain.

Risks and Opportunities in Cyber Domain

The ‘very low cost efforts’ giving asymmetric results, coupled with anonymity in space and time, make the cyber domain attractive (Cyber Security Strategy of UK, 2009) for use by various actors with malicious objectives. This faceless and boundaryless domain is highly dynamic, throws up surprises rapidly and has the potential to cause damage (real and virtual) that is disproportionate to the resources deployed. Let us have a look at the various realms in terms of the risks associated with them.

  1. The information system platforms and the equipment supporting the cyber ecosystem are susceptible to conventional physical attacks. Electronic equipment can be destroyed by generating High Energy Radio Frequencies and Electromagnetic Pulses.
  2. The services in cyberspace may be disrupted by direct attack, e.g. DoS, DDoS etc. This is the most common attack and has the potential to paralyze lines of communication, bring down banking services and sabotage military operations. It has been deployed successfully over the years not only by novice script kiddies but also by sophisticated state-sponsored agencies. Botnets working round the clock have become a serious challenge.
  3. Sensitive data (in storage and on the move) may be accessed, stolen or manipulated to produce the desired effect immediately or at a subsequent date. The technology and deployment methodology is evolving with time, and simple malware tools have been replaced with complex, intelligent and well-crafted attacks generally known as Advanced Persistent Threats (APTs). The stealth, patience and dedicated consistency of APTs give them the capability to bypass the best firewalls (including New Generation Firewalls) and Intrusion Detection and Prevention Systems to exploit zero-day vulnerabilities (FireEye White Paper, 2014).

The risks associated with the various realms discussed above may manifest themselves in various dimensions of society, such as Civic Infrastructural Breakdown (e.g., failure of electric power grids, disruption of fuel pipelines, disruption of the water supply chain etc.), Economic Disruption (e.g., disruption of banking services, business continuity and maintenance related costs), Social Behavioral Effects on Society (e.g., gambling, spamming, pornography, drug supply, propagation of extremist ideology) and, last but not least, hacking and intrusion into privacy, compromising the Nation's morale through use of social media leading to civic unrest and hampering diplomatic relations (e.g. WikiLeaks), and thus finally setting the stage for Cyber Warfare. Eventually, the Cyber Domain becomes a ‘means’ to the most serious ‘end’, that is, Cyber Warfare (Cornish et al, 2009). The ‘research tool of yesteryear’ has evolved into a strong medium of mass communication. The Chatham House Report titled ‘Cyberspace and the National Security of the United Kingdom’ (2009) introduces the concept of Cyber Threat Domains.

Let us have a look at the challenges and opportunities in cyber security in terms of four ‘Cyber Threat Domains’ (Cornish et al, 2009).

  1. State-sponsored Cyber-attacks: The complete dependence of a Nation's economy and critical infrastructure on the cyber domain presents an opportunity to ‘Nation States’ to deploy cyber tools to gain information dominance in the cyber domain, to transmit information while denying or restricting such information to an enemy state, and also to collect tactical information. Going further, crippling a nation by paralyzing its critical infrastructure through the deployment of stealthy and well-crafted tools that exploit a ‘zero-day vulnerability’ is a matter of hours, not even days. The use of cyber attacks to raise the temperature of furnaces in nuclear power plants or to increase the flow speed of liquids in fuel pipelines may serve as weapons of mass destruction.
  2. The concepts of war maneuvering have been compared with cyber maneuver (Applegate 2012), where it is realized that blatantly hostile acts in cyberspace are characterized by rapidity, anonymity and difficulty of attribution, and are dispersed in space and time. Even the territory of the enemy or of one of his allies can be used to achieve the desired asymmetric results.
  3. Cyber-Terrorism / Extremism: There is no other medium which is more powerful and anonymous than cyberspace, where asymmetric results can be achieved with ease by deploying minimal resources. The internet is an anarchic playground or an ungoverned space, which can be exploited by extremists for communication and information sharing, designing strategies, conducting training for their members, procuring resources, infiltrating a State's assets and forming alliances with organizations having common objectives but different motivations. The use of social media by political extremists to propagate their ideology and take on the government machinery may spearhead insurgency by exploiting public sentiment.
  4. Serious and Organized Criminal Groups are exploiting cyberspace not only to maintain their criminal networks but also for money laundering, drug trafficking, extortion, credit card fraud, industrial espionage etc. “In the cyber space, physical strength is insignificant […], strength is in software, not in numbers of individuals” (Brenner, 2002). It poses a great challenge to Law Enforcement Agencies to tackle cyber-criminality. The need for operational-level coordination with international LEAs cannot be overstated, as the existing mechanisms of MLAT etc. have not given the desired results. The thrust of LEAs is on the acquisition of hardware and software, while the training of human resources is lacking.
  5. Lower-level Individual Attacks: These are acts of individuals and may give results disproportionate to the skills deployed. These attacks may not be technologically advanced but have the capability to create panic and day-to-day disruptions. Sometimes fools pose great questions. The free availability of a number of hacking and penetration testing tools on the internet assists script kiddies in venturing into the world of hacking.

Thus it is amply clear from the foregoing that the cyber domain presents unimaginable opportunities spread over space and time, with rapidity, anonymity and almost no investment.

Policies to Address Cyber Defense

Any policy for cyber defense has to be multipronged, tiered and dynamic. There are many approaches to deciding upon strategic policies. One is the systematic approach, while the other is to keep national security as the central theme and then weave other defenses around it. What should be the strategy for a secure Information Society? For the purpose of this essay we may define it as “the ability of a network or an information system to resist, at a given level of confidence, accidental events or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems” (Commission of the European Communities, 2006). Though this is a network- and system-centric definition, it is felt by the author that, if this approach is taken care of by the strategic policy, the other considerations would fall in line. The approach should not be like the example of the ‘elephant and the five blind men’; rather it should be an integrative approach that addresses the various risks, issues and opportunities in the cyber domain. We would try to build up the key elements which a strategic policy should address to defend the cyber domain. “The integrated application of cyberspace capabilities and processes to synchronize in real-time, ability to detect, analyze and mitigate threats and vulnerabilities, and outmaneuver adversaries, in order to defend designated networks is part of cyber defense strategy and includes proactive network operations, defensive counter cyber operations and defensive countermeasures” (U.S. Department of Defense, 2010). As policy should be general and broad, it would be beyond the scope of this essay to discuss procedures, details of technologies and processes associated with them and mechanisms to deploy them.
We would focus rather on the key elements a security policy should incorporate to achieve the objective of defending the cyber domain. It should incorporate the ground realities present in the scenario where the policy would be applied. In a lighter vein, I am incorporating three cartoons, based on three real incidents in India, conceptualized by the author.


The author has perused the summaries of the National Cyber Security Strategies of nineteen countries (Luiijf, Besseling & Graaf, 2013) and, based on them, has tried to identify the key elements of a strategic policy to defend the cyber domain.

  1. Legislation/Legal Framework:

    The cyber domain has no boundary. The various stakeholders and players may be spread all around the globe irrespective of national jurisdictions. Hence, a law which is progressive and aligned with international conventions on cyber-crime and with the laws of other nation states would be a basic requirement to defend the cyber domain. Additionally, the judiciary needs to be sensitized on various aspects of cyber law for better appreciation while dealing with such cases.

  2. Mandating the Security Standards:

    Mandating minimal security standards in information security is like preparing the ground before the seeds are sown. Security assurance measures for products (ISO/IEC 15408), security assurance measures for the development process (ISO/IEC 21827), measures for security management (ISO/IEC 27001) etc. should be implemented with zero tolerance for non-compliance. Personnel expertise and knowledge should be mandated through professional certifications.

  3. Secure Protocols, Software and Products:

    At present there is no system in place for ‘cyber supply chain security ratings’. This is a big loophole, as this hardware and software have to be changed frequently and have the potential of getting compromised, thus putting cyber security at stake. This software and hardware become the gateway for attacks in the cyber domain.

  4. Active-Dynamic Security Measures for Prevention, Detection and Response Capabilities:

    The technology of malware and the methodology of its deployment in the cyber domain have radically evolved over the years. “The attacks are advanced, targeted, stealthy and persistent and cut across multiple threat vectors [web, email, file shares, and mobile devices] and unfold in multiple stages, with calculated steps to get in, signal back out of the compromised network, and get the valuables out” (FireEye White Paper, 2013). While firewalls, new generation firewalls, Intrusion Prevention Systems etc. are important security defenses, they cannot stop dynamic attacks that exploit zero-day vulnerabilities. Hence integrated platforms having the capability to identify and block these sophisticated attacks are needed to safeguard critical and sensitive assets. Attack Attribution Analysis should be deployed to identify the attackers (Lewis, 2014). The Zero Trust Model of Information Security also helps in reducing attacks from digitally signed malware (IBM Forrester Research Paper, 2013).

  5. Threat and Vulnerability Analysis:

    A detailed threat and vulnerability analysis of the resources should be maintained and updated periodically. At a minimum, a broad 3×3 matrix as per the NIST FIPS 199 standard is suggested. A risk profile dashboard should be kept ready. The assets which are critical need to be identified clearly, and SOPs for their protection should be put in place.
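As an added illustration (not code from the paper), the following Python script builds the kind of risk profile dashboard suggested above: it records each asset's NIST FIPS 199 security category (LOW, MODERATE or HIGH impact for loss of confidentiality, integrity and availability), tabulates the 3×3 objective-by-impact matrix, and flags the critical assets by their high-water mark. The asset names and ratings are constructed sample data.

```python
"""
Added example: a FIPS 199 security categorization dashboard.

FIPS 199 rates the potential impact of a loss of confidentiality, integrity and
availability for an information type or system as LOW, MODERATE or HIGH and writes
the result as SC = {(confidentiality, X), (integrity, Y), (availability, Z)}.
The overall level of a system is the "high-water mark" (the highest of the three),
which is what FIPS 200 / SP 800-53 use to pick a control baseline.
The assets below are constructed sample data, not taken from the paper.
"""
from dataclasses import dataclass

LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        # Reject anything outside the three FIPS 199 impact levels early.
        for objective in OBJECTIVES:
            value = getattr(self, objective)
            if value not in RANK:
                raise ValueError(f"{self.name}: {objective} must be one of {LEVELS}, got {value!r}")

    def security_category(self) -> str:
        """Render the asset in FIPS 199 notation."""
        return (f"SC {self.name} = {{(confidentiality, {self.confidentiality}), "
                f"(integrity, {self.integrity}), (availability, {self.availability})}}")

    def high_water_mark(self) -> str:
        """Highest impact level across the three objectives."""
        return max((getattr(self, obj) for obj in OBJECTIVES), key=RANK.get)


def dashboard(assets) -> dict:
    """The 3x3 matrix: how many assets sit at each (objective, impact level) cell."""
    matrix = {obj: {level: 0 for level in LEVELS} for obj in OBJECTIVES}
    for asset in assets:
        for obj in OBJECTIVES:
            matrix[obj][getattr(asset, obj)] += 1
    return matrix


def system_category(assets) -> dict:
    """Per-objective maximum over all hosted assets plus the overall high-water mark."""
    per_objective = {obj: max((getattr(a, obj) for a in assets), key=RANK.get)
                     for obj in OBJECTIVES}
    per_objective["overall"] = max(per_objective.values(), key=RANK.get)
    return per_objective


def critical_assets(assets, threshold: str = "HIGH") -> list:
    """Names of assets whose high-water mark is at or above the threshold."""
    return [a.name for a in assets if RANK[a.high_water_mark()] >= RANK[threshold]]


# Constructed sample inventory (hypothetical assets, not from the paper).
SAMPLE_ASSETS = [
    Asset("citizen grievance portal", "MODERATE", "MODERATE", "LOW"),
    Asset("power grid SCADA historian", "LOW", "HIGH", "HIGH"),
    Asset("public press release site", "LOW", "MODERATE", "LOW"),
    Asset("payroll database", "HIGH", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        print(asset.security_category(), "->", asset.high_water_mark())
    for obj, row in dashboard(SAMPLE_ASSETS).items():
        print(f"{obj:16s}", row)
    print("system:", system_category(SAMPLE_ASSETS))
    print("critical:", critical_assets(SAMPLE_ASSETS))
```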

  6. Continuity and Contingency Plans: These should be prepared and kept ready. Many nations are deploying in-house “Government-off-the-shelf” (GOTS) technology for sensitive defense and critical infrastructure systems. Attacks are inevitable, but if the services are maintained, the confidence and trust of the stakeholders are vindicated. Governments should also work towards a mechanism of Cyber Liability and Cyber Insurance, which at present is generally lacking.

  7. Information Sharing: In most countries there is a mechanism to share information on security breaches and related developments by establishing Computer Emergency Response Teams (CERTs). These national CERTs also interact with each other at the international level. However, the author's personal experience shows that many enterprises don't share information on breaches in order to protect their corporate image. Sometimes security breaches may not even be known for months. There is an urgent need for a mechanism where reporting of security breaches is made mandatory, with penalties for non-compliance.

  8. Awareness, Education and Training: Practice makes a man perfect. Continuous awareness and educational campaigns for various stakeholders on dos and don'ts have to be run repeatedly. Training workshops for the workforce should be organized. We should always remember that human behavior is the greatest risk to security, and this risk can only be minimized by education and training.

  9. Reforms in School and Collegiate Education: If cyber security as a subject is included in school and college curricula, a ready cyber workforce would be available to be deployed across various sectors. Online training courses in cyber security should be designed, and incentives offered to workers if they attend and successfully complete these courses.

  10. International Collaboration: The cyber domain has no boundaries. An attacker sitting in one country, using the systems and resources of a second country, may compromise a sensitive database in a third country. If there is no international collaboration, whatever strategy we may design is bound to fail. Although there is a regional Convention on Cyber Crime, unfortunately there is no such convention on cyber security [The Council of Europe (Budapest) Convention on Cyber Crime, 2004]. There is a necessity for comprehensive international cooperation to sort out issues regarding Jurisdiction, Mutual Assistance, Extradition, the 24/7 Network etc. (Clough, 2013). However, the personal experience of the author is that there is a need to galvanize international cooperation, which is presently almost ineffective at the operational level.

However, to achieve the desired objectives, the strategies need to be implemented through the acquisition and effective allocation of sufficient resources under accountable responsibilities (Ward & Peppard, 2002). But even if all this is done, things will not turn out as desired (Johnson & Scholes, 2002), as demonstrated in the following figure. Therefore a strategic management process that can adapt to changing scenarios during the implementation of the original strategy is not a substitute for the original strategy but a way of making it work.

Conclusion

The Cyber Domain, by virtue of its unique characteristics of anonymity, availability and maneuverability in space and time, having no international borders, and its capacity to give asymmetric results hugely disproportionate to the resources deployed, offers tremendous risks and opportunities for various stakeholders. It is rapidly expanding its scope from an internet of human beings and machines to an internet of things. It has the potential to disrupt a Nation's economy, polity, civic and military infrastructure and, last but not least, may lead to cyber warfare. Any policy and strategy to defend the Cyber Domain should be dynamic enough to adjust to the rapidly changing nature of attacks and technology. Futuristic scenarios like a “Botnet of Things” have the potential to disrupt the normal life of humans. The strategic policy explained in this essay, if implemented, should take care of the various aspects of defending the cyber domain. However, as attacks, technologies and attackers evolve, the policy should also evolve with the same rapidity. The ‘unknown unknown’ of the cyber domain is yet to be seen by the world.

Note: The views expressed in this paper are those of the author and do not necessarily reflect the views of the organizations where he worked in the past or is working presently. The author conveys his thanks to the Chevening TCS Cyber Policy Scholarship of the UK Foreign and Commonwealth Office, which sponsored part of this study. The author is also thankful to his student Ms. Avinash Kaur at NICFS, who skillfully converted the situations depicted by the author into the cartoons included in this paper.

References

Applegate, S. 2012, “The Principle of Maneuver in Cyber Operations”, http://www.academia.edu/1436096/The_Principle_of_Maneuvar_in_Cyber_Operation/ Accessed on 14/03/2014.

Brenner, S.W. 2002, “Organized Cybercrime? How Cyberspace May Affect the Structure of Criminal Relationships”, North Carolina Journal of Law & Technology, vol. 4, no. 1 (Fall 2002), p. 24.

Clough, J. 2013, “The Budapest Convention on Cyber Crime: Is Harmonisation Achievable in a Digital World”, presentation at the 2nd International Serious and Organised Crime Conference, Monash University, Brisbane, 29-30 July 2013. http://aic.gov.au/media_library/conferences/2013-isoc/presentations/clough.pdf Accessed on 13/03/2014.

Cornish, P., Livingstone, D., Clemente, D. & Yorke, C. 2009, Cyber Security and the UK’s Critical National Infrastructure, A Chatham House Report, United Kingdom. http://www.chathamhouse.org/sites/default/files/public/Research/International%20Security/r0911cyber.pdf Accessed on 13/03/2014.

Cornish, P., Hughes, R. & Livingstone, D. 2009, Cyberspace and the National Security of the United Kingdom: Threats and Responses, A Chatham House Report, United Kingdom. http://www.chathamhouse.org/sites/default/files/public/Research/International%20Security/r0309cyberspace.pdf Accessed on 14/03/2014.

Cornish, P., Livingstone, D., Clemente, D. & Yorke, C. 2010, On Cyber Warfare, A Chatham House Report, United Kingdom. https://www.chathamhouse.org/sites/default/files/public/Research/International%20Security/r1110_cyberwarfare.pdf Accessed on 11/03/2014.

Di Camillo, F. & Miranda, V. 2011, Ambiguous Definitions in Cyber Domains: Costs, Risks and the Way Forward, Istituto Affari Internazionali, Roma.

FireEye White Paper 2014, Advanced Attacks Require Federal Agencies to Reimagine IT Security, online publication. http://docs.media.bitpipe.com/io_11x/io_114094/item_844153/advanced_attacks_federal_agencies.pdf Accessed on 11/03/2014.

FireEye White Paper 2013, Thinking Locally, Targeted Globally: New Security Challenges for State and Local Governments, online publication. http://docs.media.bitpipe.com/io_11x/io_114094/item_844153/fireeye-thinking-locally-targeted-globally.pdf Accessed on 11/03/2014.

IBM 2013, Supporting the Zero Trust Model of Information Security: The Important Role of Today’s Intrusion Prevention Systems, IBM Forrester Research Paper, online. http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03038usen/WGL03038USEN.PDF Accessed on 13/03/2014.

Luiijf, E., Besseling, K. & de Graaf, P. 2013, “Nineteen national cyber security strategies”, Int. J. Critical Infrastructures, vol. 9, no. 1/2, pp. 3–31.

NIST, Managing Information Security Risk: Organization, Mission and Information System View, NIST Special Publication 800-39, USA.

NIST, Guide for Applying the Risk Management Framework to Federal Information Systems, NIST Special Publication 800-37, USA.

NIST, Recommended Security Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53, USA.

NIST, Standards for Security Categorization of Federal Information and Information Systems, FIPS Publication 199, USA.

Purser, S. 2004, A Practical Guide to Managing Information Security, Artech House, Boston, Mass.; London.

Stevens, T. 2010, ‘US Cyber Command achieves “full operational capability,” international cyberbullies be warned’, 5 November 2010. http://www.engadget.com/2010/11/05/us-cyber-command-achieves-full-operational-capability-interna/ Accessed on 11/03/2014.

The Joint Chiefs of Staff 2010, Joint Terminology for Cyberspace Operations, Memorandum for the Chiefs of the Military Services, US Department of Defense, Washington D.C. http://www.nsci-va.org/CyberReferenceLib/2010-11-joint%20Terminology%20for%20Cyberspace%20Operations.pdf

UK Cabinet Office 2010, Securing Britain in an Age of Uncertainty: The Strategic Defence and Security Review, Cm 7948, The Stationery Office, London, p. 47. http://www.direct.gov.uk/prod_consum_dg/groups/dg_digitalassets/@dg/@en/documents/digitalasset/dg_191634.pdf Accessed on 11/03/2014.

UK Cabinet Office 2009, Cyber Security Strategy of the United Kingdom: Safety, Security and Resilience in Cyber Space, Cm 7642, The Stationery Office, London, p. 12.


Reputational Risk, Main Risk Associated with Online Social Media


IJCC, Volume XXXIV No. 2 July-Dec.,2015 ISSN 09704345

Sandeep Mittal, I.P.S.,*


The Indian Journal of Criminology & Criminalistics,
Volume 35 (2) July – Dec. 2015

Abstract

Social media is undoubtedly a revolution in the business arena, blessing organizations with the power to connect to their consumers directly. However, as the saying goes, nothing comes without a cost; there is a cost involved here as well. This article examines the risks and issues related to social media at a time when the world is emerging as a single market. Social networking and online communications are no longer just a fashion but an essential feature of organizations in every industry. Unfortunately, inappropriate use of this media has resulted in increasing risks to organizational reputation, threatening the very survival of organizations in the long run and necessitating the management of these reputational risks.

This article attempts to explore the various risks associated with social media. The main aim of this study is to focus in particular on reputational risk and evaluate its intensity from the perspectives of the public relations and security staff of an organization. The article is structured to first explain the concept of social media, followed by the identification of various social media risks and the analysis of reputational risk from the perspectives of public relations and organizational security staff. Based on this analysis, the article then provides various recommendations to help contemporary organizations overcome such risks and thus enhance their effectiveness and efficiency to gain competitive advantage in the long run.

Keywords: Reputational Risk, Online Social Media, OSM Security, OSM Risk, Organizational Reputation, Cyber Security, Information Assurance, Cyber Defence, Online Communication.

Introduction

With changing times, the concept of socializing has been transforming. Globalization and digitalization are to a large extent responsible for this. With the internet, it is possible to stay connected with people located in various regions of the world. One such medium of socializing is social media. In today's time, online social media services have been one of the most vibrant tools adopted not only by individuals but also by corporate and government organizations (Picazo-Vela et al., 2012). Corporates in fact have been embracing social media extensively, as it is one of the cheapest ways of communicating with the masses. The importance of social media can be understood from the fact that at present there are more than 100 million blogs that are highly operational and connect people from across the world (Kietzmann et al., 2010). Further, there has been a surge in social media membership for websites like Facebook or Twitter, with over 800 million active users on Facebook in 2012 and 300 million users of Twitter (Picazo-Vela et al., 2012). In spite of being a very powerful mode of communication, it is subject to a large number of risks.

Organizations do not operate in a vacuum; thus, management of reputation is crucial for them, as it affects their markets as well as the overall environment. Organizational reputation not only impacts existing relations but also affects future courses of action (McDonnell and King, 2013). In this article, an attempt is made to understand the various reputational risks associated with social media that affect an organization's working, and some ways to overcome them are suggested.

Concept of Social Media

The foundations of social media were laid by the emergence of Web 2.0 (Kaplan and Haenlein, 2010). It is with the help of this technological development that social media is accessed on such a wide scale and is available on devices like cell phones and tablets, in addition to personal computers and laptops. Social media is gaining importance in the corporate world as decision makers and consultants explore its various aspects to exploit its potential optimally (Kaplan and Haenlein, 2010). Social media is an online communication system through which information is generated, commenced, distributed and utilized by a set of consumers who aim to make themselves aware of various aspects related to a product, service, brand, problem or persona (Mangold and Faulds, 2009). It is also known as consumer-generated media. In simple terms, it can be explained as a platform to create and sustain relationships through an Internet-based interactive platform.

Social media is categorized under collaborative projects, blogs, content communities, social networking sites, virtual game worlds, and virtual social worlds (Kaplan and Haenlein, 2010). The examples of various communication systems under social media are provided in the Table 1 for ready reference.

Organizations have realized the importance of social media and have been using it along with other integrated marketing communication tools to converse with their target audience effectively and efficiently (Michaelidou et al, 2011). This is mainly because modern-day consumers are shifting from traditional promotional sources to such modernized sources. Social media has a very strong hold and is influencing consumer behavior to a large extent. Out of all the above examples, Twitter has emerged as one of the most powerful social media tools. In the present-day scenario, approximately 145 million users communicate by transferring around 90 million ‘tweets’ per day, of 140 characters or less (Kietzmann et al, 2010). Another example is YouTube, on which videos can go viral in a few seconds and can attract more than 9.5 million views for a single video (Kietzmann et al, 2010).

Table 1: Examples of Social Media Types

| Social Media Type | Example |
|---|---|
| Social networking websites | MySpace, Facebook, Faceparty, Twitter |
| Innovative sharing websites | Video Sharing (YouTube), Music Sharing (Jamendo.com), Photo Sharing (Flickr), Content Sharing (Piczo.com), General intellectual property sharing (Creative Commons) |
| User-sponsored blogs | The Unofficial Apple Weblog, Cnet.com |
| Company-sponsored websites/blogs | Apple.com, P&G’s Vocalpoint |
| Company-sponsored cause/help sites | Dove’s Campaign for Real Beauty, click2quit.com |
| Invitation-only social networks | ASmallWorld.net |
| Business networking sites | LinkedIn |
| Collaborative websites | Wikipedia |
| Virtual worlds | Second Life |
| Commerce communities | eBay, Amazon.com, Craig’s List, iStockphoto, Threadless.com |
| Podcasts | For Immediate Release: The Hobson and Holtz Report |
| News delivery sites | Current TV |
| Educational materials sharing | MIT OpenCourseWare, MERLOT |
| Open Source Software communities | Mozilla’s spreadfirefox.com, Linux.org |
| Social bookmarking sites which permit browsers to suggest online news stories, music, videos | Digg, del.icio.us, Newsvine, Mixx it, Reddit |

Source: Mangold and Faulds, 2009.


Risks Associated with Social Media

Before discussing the various risks associated with social media, it is essential to understand the various risks faced by an organization while using the internet. These are depicted in the diagram provided as Figure 1.

Figure 1: Internet Related Risks for Organizations
Source: Lichtenstein and Swatman, 1997

In Figure 1, “other internet participants” means other members of the internet society. These risks are very general and are experienced by organizations even in cases where they are not connected to the internet, such as the risks associated with corrupted software (Lichtenstein and Swatman, 1997).

The horizon of risks has expanded to a large extent, with things becoming more critical and complicated owing to the extensive popularity and usage of social media (Armstrong, 2012). Organizations are challenged with new and unique risks which need to be addressed proactively. These risks threaten the effectiveness of this medium, and thus organizations fail to reap its benefits completely. It is due to such risks that many organizations have either limited their use of social media or do not resort to it at all. Such risks range from data outflow and legal complications to risks associated with reputation (Everett, 2010).

These risks can be categorized under two heads, namely user-related issues and security-related issues (Chi, 2011). User-related risks are inadequate certification controls, phishing, information seepage and information truthfulness (Chi, 2011). The security-related risks are Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), injection defects and deficient anti-automation (Chi, 2011).

Out of all the risks related to social media, an organization is mainly threatened by risks related to information confidentiality, organizational reputation and legal conformity (Thompson, 2013). Issues related to information confidentiality emerge mainly because information is shared digitally using social media. Thus, there is a chance of such information being hacked or shared unintentionally. This may raise risks related to privacy, thus affecting information integrity.

Legal issues while using social media are bound to arise, mainly because this medium is used for a global approach and is therefore affected by international rules and regulations. It is challenging for an organization to understand the varied legal obligations of different countries and then determine a universally accepted legal protocol. Risks related to organizational reputation are discussed in detail in the next section.

Reputational Risk

The reputation of an individual or organization rests on its reliability and integrity, so managing and protecting reputation is critical. As organizations adopt social media extensively, they are bound to encounter reputational risks that damage their goodwill. Reputational risks arise from the fact that organizations share wide-ranging information with customers and casual visitors (Woodruff, 2014), and in many circumstances this information is misused in ways that damage the organization's reputation. The effects of reputational damage include a negative impact on goodwill in the real world, restricted development of social contacts and contracts, and a reduced ability to attract potential customers (Woodruff, 2014). In one research study, 74 per cent of employees acknowledged how easy it is to cause reputational damage to an organization through social media (Davison et al., 2011). It is for this reason that organizations largely scrutinize their employees' use of social networking sites.

Public Relations

Public relations reflect an organization's relations with its various stakeholders. Organizations use social media platforms to interact with stakeholders and so build a strong, positive public image; in fact social media, organizations and stakeholders interact together within a dynamic business world (Aula, 2010). These interactions are shaped by the organization's public relations objectives and by the extent to which social media is used to build its reputation. But developing and sustaining positive public relations is not easy, because they are severely hampered when exposed to reputational risks. The organization's own identity is at stake, as it can be copied and used without any authentication (Weir et al, 2011).

Reputational risks concern organizational credibility and result from security risks such as identity theft and profiling. These risks challenge an organization's reputation by calling into question its compliance with societal rules and norms (McDonnell and King, 2013). Organizations largely fail to integrate social media with organizational and stakeholder objectives, resulting in ineffective reputation management.

Social media has made organizations global, so that even minor incidents are highlighted internationally: local issues gain international notoriety and damage the organization's reputation worldwide. With social media constantly active, organizations cannot escape negative publicity (Kotler, 2011). One example of a failure of reputation management that earned negative fame across the world is Nestlé. In 2010, Greenpeace uploaded a video to YouTube attacking Nestlé's KitKat brand (Berthon et al, 2012). The video went viral and resulted in negative publicity for the organization. Although the campaign was aimed mainly at consumers in Malaysia and Indonesia and at conserving rainforests, it was noticed by the world at large.

Another risk organizations face is the creation of a public image through standardized marketing programmes. Stakeholders in different countries use different social media platforms, which makes it essential for organizations to analyze and understand their usage requirements and patterns. This is where most organizations fail, and so they are unable to use social media appropriately.

The graph below depicts the usage of different social media platforms in different countries, based on 2011 statistics (Berthon et al, 2012).

Figure 2: Relative Frequency of Search Terms from Google Insights: Social Media by Country

Source: Berthon et al, 2012

Organizational Security Staff

Employees are indispensable to an organization's success, but they can also be a threat to it, mainly because they have access to the organization's confidential and important information, which they can leak to outsiders. With the growing popularity of social media, the line between personal and professional conversations on the web has blurred, and even where information is kept under security controls, employees can evade those controls by illegitimate means. Research has shown that in the USA alone approximately 83 per cent of staff use organizational resources to access their social media (Zyl, 2009). Besides exchanging personal messages over social media, 30 per cent of employees in the USA and 42 per cent in the UK also exchanged information related to their work and organization (Zyl, 2009). This shows the seriousness of the security risks related to social media, and the organization's security staff must therefore be on their toes to ensure that such information is well protected and not used inappropriately.

In 2002, an employee of an international financial services organization in the USA penetrated the organization's digital security systems and used a 'logic bomb' to delete approximately 10 billion files from 1,300 of the organization's servers. This resulted in a financial loss of around $3 million, and the organization also suffered negative publicity. It illustrates the failure of organizational security staff to combat such risks. Such issues have become common in the social networking world, where employees are free to post nasty or unsafe comments and links that harm the organization's reputation and finances and create security risks (Randazzo, 2005).

Social media also enables social engineering attacks, because hackers, spammers and malware authors gain easy access to large amounts of information. They can misuse it by creating fake profiles, stealing identities and harvesting details such as job titles, phone numbers and e-mail addresses, and they can also compromise systems with malware that ultimately threatens organizational data. Data infiltration and loss in turn damage the organization's reputation, as the leaked data is used for fraudulent and illegal activities.

RECOMMENDATIONS

Organizations that are unaware of these risks, or unable to defend themselves, can at times face dire consequences. Organizations know the gains they stand to derive from social media networking and therefore take on these risks readily. The risks cannot be avoided completely, so organizations need to work out measures by which they can manage them and mitigate their negative effects.

To overcome privacy issues that ultimately damage reputation, organizations should take proactive measures before using social media. During sign-up or creation of social networking profiles, specific concerns related to privacy and confidentiality should be resolved and proper rules designed (Fogel and Nehmad, 2009). These rules should be communicated very clearly to employees so that they have complete information about the dos and don'ts of social media. The organization should not only lay down strict penalties but also enforce them against those who break the rules (Hutchings, 2012).

One way to overcome reputational risks related to social media is to appoint an efficient social media manager. Such managers are specialists responsible for determining the social media protocol in light of the organization's sensitive information, contemporary issues and future plans (Bottles and Sherlock, 2011). The social media manager has a responsibility towards the organization and its various stakeholders and should engage with them sincerely and empathetically (Brammer and Pavelin, 2006). The manager should also keep a vigilant eye and an analytical attitude, identifying the facts, figures and events that can affect the organization's reputation and taking corrective action. As security staff play a crucial role in determining the organization's security standards, the organization should be very careful in recruiting and selecting them. There should also be greater emphasis on developing culture, values and ethics within the organization.

Organizations should also understand that management of reputational risk requires a collaborative and innovative approach. The organization needs to develop a social media engagement protocol by consulting and taking advice from different sources such as legal experts, marketing experts, international business experts, media experts and other stakeholders (Montalvo, 2011). It should also be innovative in selecting and distributing content through social media so that it can deal with issues responsibly.

CONCLUSION

Organizations today prefer social media to traditional media (Hutchings, 2012), mainly because of the benefits associated with it, but they cannot overlook the associated risks. It takes an organization years to build a positive reputation, so careful measures are needed to maintain and sustain it. Organizations cannot exercise complete control over social media, but they can take restrictive measures to ensure that reputational risks are minimized and their ill effects countered.

This article has identified that the major reputational risks of social media for organizations arise from data leakage, identity theft, profiling, an inappropriate choice of public relations strategy, the inability to control external environmental factors, inappropriate information management and security policy, and the failure to have efficient and effective security staff. To overcome these, organizations need to appoint social media managers and hire employees skilled in social media management, and they should take a collaborative and creative approach to designing a social media protocol that mitigates such risks.

To conclude, organizations need to be proactive and keep a vigilant eye on environmental factors in order to secure themselves and benefit from online social media.

Note: The views expressed in this paper are the author's own and do not necessarily reflect the views of the organizations where he has worked in the past or is working at present. The author thanks the Chevening TCS Cyber Policy Scholarship of the UK Foreign and Commonwealth Office, which sponsored part of this study.

References

A. Kaplan and M. Haenlein, "Users of the world, unite! The challenges and opportunities of Social Media." Business Horizons, vol. 53, iss. 1, 2010, pp. 59-68. http://openmediart.com/log/pics/sdarticle.pdf [Accessed 07/08/2014]

A. Woodruff, "Necessary, unpleasant, and disempowering: reputation management in the internet age." In Proceedings of the 32nd Annual ACM Conference on Human Factors in Computing Systems, ACM, 2014, pp. 149-158. [Accessed 06/07/2014]

A. Zyl, "The impact of Social Networking 2.0 on organisations." The Electronic Library, vol. 27, iss. 6, 2009, pp. 906-918. https://kenniscafe.com/documents/2314/impact_of_social_networking.pdf [Accessed 07/08/2014]

C. Everett, "Social media: opportunity or risk?" Computer Fraud & Security, vol. 2010, iss. 6, 2010, pp. 8-10. [Accessed 06/07/2014]

C. Hutchings, "Commercial Use of Facebook and Twitter: Risks and Rewards." Computer Fraud & Security, vol. 2012, iss. 6, 2012, pp. 19-20. [Accessed 06/07/2014]

G. Weir, F. Toolan and D. Smeed, "The threats of social networking: Old wine in new bottles?" Information Security Technical Report, vol. 16, 2011, pp. 38-43. [Accessed 06/07/2014]

H. Davison, C. Maraist and M. Bing, "Friend or Foe? The Promise and Pitfalls of Using Social Networking Sites for HR Decisions." Journal of Business and Psychology, vol. 26, 2011, pp. 153-159. [Accessed 06/07/2014]

I. Ahmed, "Fascinating #SocialMedia Stats 2015: Facebook, Twitter, Pinterest, Google+", 2015. http://www.digitalinformationworld.com/2015/02/fascinating-social-networking-stats-2015.html [Accessed 24/05/2016]

J. Fogel and E. Nehmad, "Internet social network communities: Risk taking, trust, and privacy concerns." Computers in Human Behavior, vol. 25, 2009, pp. 153-160. [Accessed 06/07/2014]

J. Kietzmann, K. Hermkens, I. McCarthy and B. Silvestre, "Social media? Get serious! Understanding the functional building blocks of social media." Business Horizons, vol. 54, iss. 3, 2011, pp. 241-251. http://busandadmin.uwinnipeg.ca/silvestrepdfs/PDF06.pdf [Accessed 07/08/2014]

K. Bottles and T. Sherlock, "Who should manage your social media strategy?" Physician Executive, vol. 37, iss. 2, 2011, pp. 68-72. http://www.kentbottles.com/modx/assets/templates/kb/pdfs/WhoShouldManageYourSocialMediaStrategy.pdf [Accessed 06/07/2014]

K. Armstrong, "Managing your Online Reputation: Issues of Ethics, Trust and Privacy in a Wired, 'No Place to Hide' World." World Academy of Science, Engineering and Technology, vol. 6, 2012, pp. 716-721. http://www.waset.org/publications/2138 [Accessed 06/07/2014]

M. Chi, Security Policy and Social Media Use, The SANS Institute, 2011. http://www.sans.org/reading-room/whitepapers/policyissues/reducing-risks-social-media-organization-33749 [Accessed 07/07/2014]

M. Langheinrich and G. Karjoth, "Social networking and the risk to companies and institutions." Information Security Technical Report, vol. 15, 2010, pp. 51-56. [Accessed 06/07/2014]

M. McDonnell and B. King, "Keeping up Appearances: Reputational Threat and Impression Management after Social Movement Boycotts." Administrative Science Quarterly, vol. 58, iss. 3, 2013, pp. 387-419. http://asq.sagepub.com/content/58/3/387 [Accessed 07/08/2014]

M. Randazzo, M. Keeney, E. Kowalski, D. Cappelli and A. Moore, Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector, Technical Report CMU/SEI-2004-TR-021, Carnegie Mellon University Software Engineering Institute, Pittsburgh, PA, 2005. http://www.dtic.mil/dtic/tr/fulltext/u2/a441249.pdf [Accessed 01/08/2014]

N. Michaelidou, N. Siamagka and G. Christodoulides, "Usage, barriers and measurement of social media marketing: An exploratory investigation of small and medium B2B brands." Industrial Marketing Management, vol. 40, iss. 7, 2011, pp. 1153-1159. [Accessed 07/08/2014]

P. Aula, "Social media, reputation risk and ambient publicity management." Strategy & Leadership, vol. 38, iss. 6, 2010, pp. 43-49. http://www.emeraldinsight.com/journals.htm?articleid=1886894 [Accessed 07/08/2014]

P. Berthon, L. Pitt, K. Plangger and D. Shapiro, "Marketing meets Web 2.0, social media, and creative consumers: Implications for international marketing strategy." Business Horizons, vol. 55, iss. 3, 2012, pp. 261-271. http://www.parsproje.com/tarjome/modiriyat/323.pdf [Accessed 07/08/2014]

P. Kotler, "Reinventing marketing to manage the environmental imperative." Journal of Marketing, vol. 75, iss. 4, 2011, pp. 132-135. [Accessed 07/08/2014]

R. Montalvo, "Social Media Management." International Journal of Management & Information Systems, vol. 15, no. 3, 2011, pp. 91-96. http://www.cluteinstitute.com/ojs/index.php/IJMIS/article/download/4645/4734 [Accessed 06/07/2014]

S. Brammer and S. Pavelin, "Corporate reputation and social performance: The importance of fit." Journal of Management Studies, vol. 43, iss. 3, 2006, pp. 435-455. [Accessed 07/08/2014]

S. Picazo-Vela, I. Gutierrez-Martinez and L. Luna-Reyes, "Understanding risks, benefits, and strategic alternatives of social media applications in the public sector." Government Information Quarterly, vol. 29, 2012, pp. 504-511. [Accessed 06/07/2014]

T. Thompson, J. Hertzberg and M. Sullivan, Social Media Risks and Rewards, Financial Executive Research Foundation, 2013. http://www.grantthornton.com/-/media/content-page-files/advisory/pdfs/2013/ADV-social-media-survey.ashx [Accessed 30/07/2014]

W. Mangold and D. Faulds, "Social media: The new hybrid element of the promotion mix." Business Horizons, vol. 52, iss. 4, 2009, pp. 357-365. [Accessed 07/08/2014]

9TH ASSOCHAM ANNUAL SUMMIT on Cyber and Network security

Posted on Updated on

9TH ANNUAL SUMMIT
CYBER & NETWORK SECURITY
“CYBER 3.0- BRIDGING PEOPLE, PROCESS AND TECHNOLOGY”
Friday 29th July 2016 Hotel Hyatt, Bhikaji Cama Place, New Delhi

The 9th Annual Summit on Cyber & Network Security was organised by ASSOCHAM in New Delhi with the official support of the Ministry of Electronics and IT, Government of India, CERT-In and the Council of Europe.

The Summit was a huge success, with the active participation of more than 300 senior officers from CISF; CRPF; SPG; BSF; ECIL; Bharat Petroleum; GAIL; ONGC; PNB; RBI; CCIL; NSIC; TCIL; Delhi Metro; the Embassies of Sweden, USA, Israel, Malaysia, Japan, Germany, China and Indonesia; Enforcement Directorate; Intelligence Bureau; National Investigation Agency; the Governments of Manipur, Uttarakhand, Haryana, Nagaland, Punjab, Chhattisgarh, Uttar Pradesh and Delhi; Bureau of Police Research and Development; HQ IDS; Navy; Air Force; the Ministries of Defence, Rural Development, Women & Child Development, Railways, Department of Revenue, Directorate of Income Tax, CBEC, Statistics and Programme Implementation, CBDT, Directorate General of Systems and Data, and Ministry of Communications, Government of India; DRDO; National Institute of Criminology and Forensic Science; Cabinet Secretariat; and IDSA, apart from industry representatives, academicians, journalists and other stakeholders in large numbers.

The Valedictory Session “Targeted Attacks: Protection of Critical Infrastructure of the Country & Capacity Building” was graced by the auspicious presence of Shri R. Gandhi, Deputy Governor, RBI, Shri Sandeep Mittal, IPS, Officiating Director, National Institute of Criminology and Forensic Science, Shri R. N. Dhoot (M. P.), Past President, ASSOCHAM.

Sh. Sandeep Mittal, IPS, being welcomed with a bouquet by Sh. D.S. Rawat, Secretary General, ASSOCHAM

Sh. Sandeep Mittal, IPS, DIG (Admin), addressing the Annual Summit in the Valedictory Session


International Conference on Cyber law, Cybercrime & Cybersecurity

Posted on

Shri Sandeep Mittal, IPS, Deputy Inspector General of Police delivered lecture and participated in the International Conference on Cyber law, Cybercrime & Cybersecurity held on 19th November, 2015 at New Delhi.


Perspectives in Cyber Security, the future of cyber malware

Posted on Updated on

Published in The Indian Journal of Criminology (ISSN 0974-7249), Vol. 41 (1) & (2), Jan. & July 2013, pp. 210-227

Sandeep Mittal, I.P.S.,*

 

Introduction

The term 'malware' has become a fashionable word to throw around nowadays, but it should not be thought of as something necessarily very sophisticated. In this paper we give a brief definition and description of the term 'malware' and related concepts, including its evolutionary and historical timeline. The future of malware is then considered from four perspectives, which may depend on one another at least at some point in space and time. The first is 'malware design': malware authors are using increasingly complex designs and have, in the recent past, taken malware to the scale of a 'war-grade weapon'. The second is the 'terrain' of the cyber domain in which the malware operates or is deployed. The third is the 'technologies' used to detect malware; as malware becomes multi-platform and complex, these technologies have to keep pace with its evolution. It is made clear at the outset that this paper deals only with the basics of the issues raised; technical details have been kept to a minimum, being beyond the scope of the present work.

The Malware Understood

'Malware' is a unitary term for the different types of software code that have been called 'virus', 'Trojan horse' and 'worm' at different stages of its evolution. It can be as simple in design as a virus or as extremely complex as some of the worms discovered recently. It is useful to understand these terms clearly before venturing into an understanding of malware. A 'virus' is a self-replicating program whose only purpose is to propagate itself, by modifying another program to include itself, through an act of the user of the system in which it exists (modified after Skardhamar, 1996). A 'Trojan horse' (named after the wooden horse the ancient Greek army used to conquer the city of Troy) is a simple program that purports to do one thing but actually does something else entirely, often very destructive. A Trojan's spreading potential is not very great, since once they are run they cease to be Trojans, but its simplicity can be extremely deceptive in terms of damage. "A 'worm' is a type of non-parasitic code (unlike a virus) that purposely replicates a possibly evolved copy of itself by exploiting security vulnerabilities on systems. The vulnerability that a worm exploits need not be exclusively software faults. It may exploit configuration errors or operator errors. Unlike viruses, worms do not replicate by attaching themselves to a host executable or by modifying the system environment to execute the malicious code" (Symantec, 2014). In the present scenario malware authors are concentrating on worms, and the term 'worm' has become almost synonymous with 'malware'; the two are used interchangeably at times in this paper. A more crisp and modern definition of a worm is "an independently replicating and autonomous infection agent, capable of seeking out new host systems and infecting them via a network" (Nazario, 2004).
As most of the malware encountered in the recent past belongs to the category of worms, let us look more deeply at the basic components of a worm. A worm must have at least one of the following five components, the attack component being the minimum (Nazario, 2004):

  1.  The reconnaissance component hunts down other network nodes to infect. It is responsible for identifying hosts on the network that are capable of being compromised by the worm's known methods.
  2.  The attack component launches an attack against a target. The attacks can be the age-old buffer or heap overflow, format-string attacks, Unicode misinterpretation and misconfigurations.
  3.  The communication component gives the worm the interface to send messages between nodes or to some other central location.
  4.  The command component provides the interface through which a worm node issues and acts on commands.
  5.  The intelligence component provides the knowledge required to contact the various worm nodes.

An assembly of the components of a worm is depicted in following figure (Nazario, 2004).


Many of the characteristics of a worm can be used to defeat it, for example its predictable behaviour and characteristic signatures, in contrast to manual attacks, where tactics change from time to time. Nevertheless, worms continue to make up the majority of malware generated, because of their ease of continuous and exponential propagation, their capacity to penetrate even difficult networks, their persistence in infecting systems despite patching and sanitization, and their broad coverage of networks in space and time.

Hence, in view of the foregoing discussion, future malware will continue to be worm-based.

The History and Evolution of Malware

The future of malware cannot be predicted without an examination of its history, to understand how malware has evolved over time.

The historical timeline is depicted in the following table (Lavasoft, 2013) in a generalist manner:

HISTORY OF MALWARE (modified after Lavasoft, 2013)

No. | Year | Malware | Details
1 | 1971 | Creeper | Earliest self-replicating program, on ARPANET; commonly described as the first computer virus.
2 | 1981 | Elk Cloner | First known microcomputer virus; attached itself to the Apple DOS 3.3 operating system and spread by floppy disk.
3 | 1986 | Brain | First computer virus for MS-DOS; infected the boot sector of storage media formatted with the FAT file system. Written to demonstrate the insecurity of computers.
4 | 1987 | Stoned | A boot sector virus.
5 | 1988 | Morris Worm | Infected around 6,000 university, military and NASA computers. Morris, a researcher, released the worm as an experiment; a flaw in its replication logic made it far more damaging than intended, and he became the first person convicted under the US Computer Fraud and Abuse Act.
6 | 1995 | Concept | First macro virus; hid itself in a Word document and spread by integrating itself into more files each time the host program was run.
7 | 1999 | Happy99, Melissa, Kak | Advanced malware that spread quickly through Microsoft environments.
8 | 2000 | I Love You | Worm that attacked millions of Windows PCs through e-mail messages. An estimated $15 billion was spent cleaning up the mess.
9 | 2001 | Code Red | Worm that attacked computers running Microsoft IIS server. It chose its targets pseudo-randomly on the same or different subnets as the infected machine, in accordance with a fixed probability distribution.
10 | 2001 | Nimda | Worm and file infector that used several propagation techniques and thus became the most widespread worm within 22 minutes.
11 | 2003 | SQL Slammer | Worm that caused denial of service on internet hosts.
12 | 2004 | Cabir | First mobile phone virus, attacking Symbian OS and spreading through Bluetooth.
13 | 2007 | Storm Botnet | A remotely controlled botnet linked by the Storm worm, which spread through e-mail and infected 50 million computers.
14 | 2009 | Koobface | Multi-platform worm that attacked users of popular social networking websites and was designed to infect Windows, Mac OS and Linux platforms.
15 | 2010 | Geinimi | First Android malware displaying botnet capability.

 

An era of weaponization of software code began in 2010 with the discovery of 'Stuxnet', followed by the 'Duqu' and 'Flame' malware, which are distinctively different in stealth, design and complexity and were deployed for fully targeted attacks. "Stuxnet targeted the Iranian nuclear facility at Natanz. Stuxnet used four zero-day vulnerabilities and employed Siemens' default passwords to access the Windows operating systems that run the WinCC and PCS 7 programs. It would hunt down frequency-converter drives made by Fararo Paya in Iran and Vacon in Finland. These drives were used to power centrifuges used in the concentration of the Uranium-235 isotope. Stuxnet altered the frequency of the electrical current to the drives, causing them to switch between high and low speeds for which they were not designed. This switching caused the centrifuges to fail at a higher than normal rate" (Farwell & Rohozinski, 2011). In 2011 another worm, 'Duqu', which contained components almost identical to Stuxnet, was discovered. Duqu, however, was not self-replicating and carried no destructive payload; it seemed to be designed to conduct reconnaissance on an unknown industrial control system (Zetter, 2011). 'Flame' was another Stuxnet-type malware, designed primarily to spy on infected computers, and was detected on the computers of the Iranian Oil Ministry (Zetter, 2012).

Thus it is seen from the foregoing discussion that malware has evolved over time from simplistic experimental code to highly complex and complicated code synonymous with internet-wide devastation.

The Future of Malware Design

The 'Samhain Project' (Zalewski, 2000), which set out to design an intelligent malware, listed seven requirements and guidelines for the intelligent worm:

  1. Portability across hardware architectures and operating systems, to achieve the largest possible dispersal.
  2. Invisibility from detection.
  3. Independence from manual intervention. The worm must not only spread automatically but must adapt to its network.
  4. The worm should be able to learn new techniques. Its 'database of exploits' should be updatable by itself.
  5. The integrity of the worm host must be preserved. The worm's executable instances should avoid analysis by outsiders.
  6. Avoidance of static signatures. By using polymorphism the malware can avoid detection methods that rely on signature-based analysis.
  7. Overall worm net usability. The network created by the worms should be able to be focused on achieving a specific task.

The researchers (Zalewski, 2000) discussed various options for implementing and assembling the 'Samhain worm' to form the worm system, the details of which are beyond the scope of this essay. It is pertinent, however, to mention the flaws in the Samhain worm architecture that can cause the worm network to fail.

Firstly, the ability to update the database of known attack methods requires a distribution system, which would be either central or hierarchical; an attack at this point may disrupt the growth and capabilities of the worm. Secondly, the mechanism used to prevent repeated worm installation on the same host is a serious flaw. During initialization the worm executable looks for other instances of itself, so an attack on the worm system need only forge this signal to prevent installation of the worm executable: the worm is then not installed on the host, and its growth is stopped at that point.

In an earlier part of this paper, we identified five components of a functional worm. However, there are several problems with the design and implementation of current worms (Nazario et al., 2001): the signatures of the remote attacks and reconnaissance traffic can be used to identify the source nodes; as the traffic associated with a worm grows exponentially, the worm’s lifespan is reduced, because the traffic growth raises the worm’s profile and leads to its detection; there is no direction of spread, which makes a directed attack against a specific target a matter of chance; and the use of a central database of affected hosts makes the worm susceptible to exploitation (Nazario et al., 2001). Nazario and his associates then used these components, and the problems associated with their implementation, to give considerations for future worms by proposing various adaptations:

  1.  Instead of actively scanning for targets, the worm passively observes network traffic to discover hosts, the remote operating systems and the applications in use, and only then launches an attack.
  2.  Instead of a central topology, ‘guerilla’ and ‘directed tree’ topologies, to achieve specificity in target attack.
  3.  Instead of a central communication topology, a store-and-forward system in which each node forwards messages to the appropriate node one hop away, cutting down the traffic generated.
  4.  Instead of encrypted communication methods, steganography, e.g., hiding data in media files.
  5.  New targets, e.g., appliances with embedded technology.
  6.  Instead of static signatures, polymorphic payloads. Modular worm behavior, in which a single basic component is omitted from the design, may give the worm added evasion capability.
  7.  Design support for dynamic updates to the system.

Many of these adaptations have been observed in the ‘Stuxnet’, ‘Duqu’ and ‘Flame’ malware. Many others are yet to be seen, or yet to be discovered, by the world.

The Future of Malware Deployment

The deployment of malware by an attacker depends upon the intention and motivation of the attacker, which in turn define the sophistication of the attack and the typical target groups, as summarized in the following figure (Zoller, 2011):

[Figure b: attacker intention and motivation against attack sophistication and typical target groups (Zoller, 2011)]

Zoller further classified attacks by the attacker deploying them: opportunists, targeting opportunists, professionals and state-funded actors. Script kiddies would continue to use their unsophisticated attacks in the ‘mass-malware market’. The exploits of targeting opportunists and professionals have resulted in the emergence of a ‘commercial vulnerability market’. The cause for worry, however, is malware like ‘Stuxnet’, ‘Flame’ and ‘Duqu’, which are considered acts of nation-states. Take the ‘latest’ malware to join the list, ‘The Mask’ or ‘Careto’, discovered recently (Kaspersky, 2014). ‘The Mask’ is reported to have targeted so far 380 unique victims in 31 countries, spanning government and diplomatic institutions, the energy and oil and gas sectors, research institutes, private commercial establishments and activists, and to have been engaged in active cyber espionage since 2007. ‘The Mask’ is special in view of the complexity of the toolset used by the attackers: an extremely sophisticated piece of malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions, and possibly versions for Android and iPhone/iPad (Apple iOS). Once active on a victim system, ‘The Mask’ can intercept network traffic, keystrokes, Skype conversations and PGP keys, analyze Wi-Fi traffic, fetch all information from Nokia devices, take screen captures and monitor all file operations. The malware collects a large set of data from infected systems, e.g., encryption keys, VPN configurations, SSH keys, etc. The time, money and expertise required to design and deploy such extremely sophisticated malware leave little doubt that it is the handiwork of some nation-state.

The complete dependence of a nation’s economy and critical infrastructure on the cyber domain presents an opportunity to nation-states to deploy malware to gain information dominance in the cyber domain, that is, to transmit information while denying or restricting it to the enemy state. Further, the critical infrastructure of a country can be crippled through the deployment of stealthy and well-crafted tools exploiting a zero-day vulnerability in a matter of hours, if not minutes (Mittal, 2014). The concept of maneuver in war has been compared with cyber maneuver (Applegate, 2012), where it is recognized that blatantly hostile acts in cyberspace are characterized by rapidity, anonymity and difficulty of attribution, and are dispersed disproportionately in space and time. Even the territory of the enemy, or of one of its allies or adversaries, can be used to deploy such malware attacks.

The Future of Malware Terrain

The author has a strong feeling that the future of malware is not so much about the design and sophistication of its engineering as about how and where the potential victim would be attacked, which makes the terrain of malware deployment a key factor in future attacks. Low-level attacks would continue to exploit small and old vulnerabilities to their advantage. Social networking sites would be the most sought-after ‘terrain’ for the deployment of malware in the foreseeable future (Athanasopoulos, 2008; Luo, 2009; Felt, 2011; Abraham, 2010; Irani, 2011). Recently, malware was deployed to target the top executives of a major corporation through their spouses. The presumption was that at least a few non-tech-savvy spouses would be using a poorly secured home PC sharing the executive’s connection, and that this would provide the backdoor needed to compromise the executive’s computer and gain access to the systems of the target companies (Vance, 2011). Platform-agnostic, web-based malware represents a new frontier: as developers re-engineer websites and applications to work on a variety of devices, malware would target the commonalities, such as HTML, XML and JPEGs, that run on any device. The pace at which smartphones are becoming e-wallets, tools of m-commerce and repositories of flight boarding passes and rail tickets would soon make the smartphone a favorable terrain for the deployment of malware. But the worst is yet to be discussed. Consider the number of embedded devices all around us: microwaves, refrigerators, washing machines, internet cameras, automated heating and cooling systems, cars, routers, environment monitors, animal and cattle tags, and so on. Soon, connected devices would be part of our lives, and thus comes the concept of the ‘Internet of Things’, subsequently the ‘Internet of Everything’, and finally the malicious ‘Botnet of Things’.
Having chips embedded in our appliances makes life simple, but imagine what would happen when the number of internet-connected devices reaches 50 billion by the year 2020 (Kumar, 2014). The main problem with these things is that, unlike computers, they do not receive security patches. Embedded-device security is a matter of grave concern (Viega & Thompson, 2012; Santucci, 2011). I have never seen a company or a user applying security patches to printers, modems, routers, ovens, cameras, etc., as it requires extra time and money. Most embedded chips are old versions, manufactured as much as two to three years before the device itself, and are therefore susceptible to malware attacks even by script kiddies. The ‘Internet of Things’ would be the favorite terrain for the deployment of malware in future (Stammberger, 2009). As a number of nano- and micro-devices are likely to be implanted in the human body in future, malware could be deployed even to commit murder, which at present is committed by conventional means. These ‘Implantable Medical Devices’ (IMDs) often work on software-defined radios, so that they can operate on multiple frequencies, and use various processors (see figure below; Leavitt, 2010).

[Figure c: implantable medical device built around a software-defined radio and multiple processors (Leavitt, 2010)]

Mostly, these devices have no direct connectivity to the internet, but they may connect to a bedside monitor which in turn is connected to the internet, enabling attackers to deploy malware that exploits the communication channel between the device and its external control units. Adding encryption capabilities to IMDs adds complexity and requires more battery life and computing power to run the algorithms (Leavitt, 2010). Building defenses against such vulnerabilities, for instance by designing zero-power defense mechanisms for IMDs, would be a great challenge in future (Ransford et al., 2014).

The Future of Malware Detection

Based on the discussion in earlier parts of this paper regarding the components of worms and the considerations for future worms, we now try to understand the methods of detecting worms. The aim of our detection strategy is to detect almost any type of worm with little effort, for which one needs to focus on the common features of worms. The three methods of worm detection are traffic analysis, the use of honeypots and dark network monitors, and the employment of signature-based detection systems; together they form the core of detection strategies for detecting both hackers and worms. It is to be kept in mind that no single method works for all worms; however, a combination of methods produces near-complete detection. The three methods are briefly discussed in the following part of this essay (modified after Nazario, 2004).

  1.  Traffic Analysis – This is the analysis of a network’s communications and their inherent patterns. One needs to monitor mainly three features to detect worms: the volume of traffic at a network connection point such as a router or firewall; the number and type of scans occurring, since most worms use active scans to identify new targets; and changes in a host’s traffic patterns once the host is compromised. This method is a relatively simple yet powerful tool for worm detection. It uses the general properties seen in most worms, such as active reconnaissance and exponential growth, so that, in contrast to signature detection, even worms using dynamic methods or polymorphic vectors can be detected. However, the method may have difficulty detecting ‘slow worms’ and worms using passive mechanisms to identify and attack targets, which is precisely the first adaptation proposed by Nazario et al. (2001) above; the detection thresholds also have to be tuned against a baseline of the network’s normal traffic, or legitimate bursts such as backups and scheduled vulnerability scans will raise alerts. These weaknesses would not prevent the use of traffic analysis in worm detection in the foreseeable future. Furthermore, the data generated by this analysis may also be useful for finding other network anomalies.
  2.  Honeypots and Dark (Black Hole) Network Monitors – A honeypot could be understood as a functional system that responds to malicious probes in a manner that elicits the desired response from the attacker. It could be built from an entire system, a single service, or even a virtual host. Dark-network monitoring watches unused network segments for malicious traffic; these could be local unused subnets or globally unused networks. Together these tools can be used in the analysis of worms. However, placing honeypots on a production network, or using a black-hole monitor on a network where routine traffic is routed as a destination, would introduce a large vulnerability and could be counterproductive. The details of honeypot and black-hole monitor setup and functionality are beyond the scope of this discussion. It would suffice to say that black-hole monitors are the more effective means of monitoring worm behavior, due to their promiscuous nature, and can capture a wealth of data from a significant portion of the Internet. Honeypots, in contrast, are best used at a time of high worm activity when a copy of the worm’s executable is needed: a honeypot is quickly crafted and exposed to the network, and upon compromise a set of worm binaries is obtained for study (Honeynet Project, 2002).
  3.  Signature-based Detection – A dictionary of known fingerprints is run across a set of input. The dictionary typically contains a list of known bad signatures, such as malicious network payloads or the file contents of a worm executable. The three types of signature analysis in worm detection are network payload signatures, log file analysis and file signatures. The most important weakness of signature-based detection is that it is reactive and rarely detects a new worm: it can detect only known worms, and cannot detect polymorphic or dynamically updated worms.
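The traffic-analysis features described in item 1 above, applied to a constructed set of flow records. This is an added example and is not code from the essay or from Nazario’s book; the addresses, the 60-second window, the SYN-only flag standing in for a connection attempt with no completed handshake, and all thresholds are assumptions of the example. A real deployment would derive the thresholds from a baseline of the monitored network rather than from the constants used here.

```python
"""Worm detection by traffic analysis over constructed flow records (added example)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: int         # seconds since start of capture
    src: str
    dst: str
    dport: int
    syn_only: bool  # connection attempt with no completed handshake (scan-like); assumption


def make_sample_flows() -> List[Flow]:
    """Constructed sample data, not a real capture.

    10.0.0.9 is a normal host throughout. 10.0.0.5 is normal for the first minute,
    then starts SYN-scanning 445/tcp with a fan-out that quadruples in the next
    minute, mimicking a worm's exponential growth."""
    flows = []
    for t in range(0, 180, 10):            # 3 minutes of baseline traffic, 3 flows / 10 s
        flows.append(Flow(t, "10.0.0.5", "10.0.0.100", 443, False))
        flows.append(Flow(t, "10.0.0.9", "10.0.0.100", 443, False))
        flows.append(Flow(t, "10.0.0.9", "10.0.0.101", 80, False))
    fanout = 10
    for window_start in (60, 120):         # infection begins at t = 60
        for i in range(fanout):
            flows.append(Flow(window_start + i % 60, "10.0.0.5",
                              f"10.0.1.{i + 1}", 445, True))
        fanout *= 4
    return sorted(flows)


def analyze(flows: List[Flow], window: int = 60, scan_fanout: int = 10,
            growth_factor: float = 2.0, pattern_factor: float = 5.0) -> Dict:
    """Apply the three traffic-analysis features to a list of flows.

    Returns {"volume_growth_windows": [window ids], "hosts": {src: [reasons]}}.
    Thresholds are assumptions chosen for this example."""
    by_window: Dict[int, List[Flow]] = defaultdict(list)
    for f in flows:
        by_window[f.ts // window].append(f)
    windows = sorted(by_window)

    # Feature 1: flow volume at the choke point growing window over window
    # (exponential growth shows up as a ratio that stays above growth_factor).
    growth = [cur for prev, cur in zip(windows, windows[1:])
              if len(by_window[cur]) >= growth_factor * len(by_window[prev])]

    hosts: Dict[str, List[str]] = defaultdict(list)
    baseline: Dict[str, int] = {}        # distinct destinations in a host's first window
    for w in windows:
        dsts = defaultdict(set)           # src -> set of destinations
        syn_dsts = defaultdict(set)       # (src, dport) -> set of scanned destinations
        for f in by_window[w]:
            dsts[f.src].add(f.dst)
            if f.syn_only:
                syn_dsts[(f.src, f.dport)].add(f.dst)
        # Feature 2: active scanning = many SYN-only attempts to one port.
        for (src, dport), targets in syn_dsts.items():
            if len(targets) >= scan_fanout:
                hosts[src].append(f"window {w}: SYN-only fan-out to "
                                  f"{len(targets)} hosts on port {dport}")
        # Feature 3: a host's own traffic pattern changes after compromise.
        # Limitation: a host first seen while already scanning gets a high baseline.
        for src, targets in dsts.items():
            if src not in baseline:
                baseline[src] = len(targets)
            elif len(targets) >= pattern_factor * baseline[src]:
                hosts[src].append(f"window {w}: {len(targets)} distinct "
                                  f"destinations vs baseline {baseline[src]}")
    return {"volume_growth_windows": growth, "hosts": dict(hosts)}


if __name__ == "__main__":
    report = analyze(make_sample_flows())
    print("volume growth in windows:", report["volume_growth_windows"])
    for host, reasons in report["hosts"].items():
        print(host)
        for reason in reasons:
            print("  ", reason)
```

On the sample data the scanning host is flagged twice per window (fan-out on one port and a jump in distinct destinations), the normal host is never flagged, and the network-wide volume check only fires in the third window, once the fan-out has quadrupled; a slow or passive worm, as the text notes, would trip none of these checks.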

A mix of all three technologies would form a robust system for detecting these worms. A detailed view of such a system is well documented by NIST (Scarfone & Mell, 2007).
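The weakness of signature-based detection noted in item 3, shown on constructed data. This is an added example, not code from the essay or from any detection product: WORM_BODY and DECODER_STUB are ASCII stand-ins for a worm body and for the small, unchanging routine a polymorphic worm prepends to decode its re-encoded body, the single-byte XOR transform is assumed as the simplest polymorphic mutation, and the payloads are constructed. The script runs a payload-signature dictionary and a file-hash dictionary across a plain sample, two polymorphic generations and a benign request.

```python
"""Static signatures against a polymorphic payload (added example, constructed data)."""
import hashlib
from typing import Dict, List, Optional, Set

# Constructed toy artifacts, not real malware.
WORM_BODY = b"SAMPLE-WORM-BODY: scan(445); copy(self); execute"
DECODER_STUB = b"\x90\x90STUB-XOR-LOOP\x90\x90"

# The signature dictionary: one entry written against the plain sample's body,
# one against the invariant decoder stub.
SIGNATURES: Dict[str, bytes] = {
    "worm.body": b"SAMPLE-WORM-BODY",
    "worm.stub": b"STUB-XOR-LOOP",
}


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def make_variant(key: int) -> bytes:
    """A new 'generation' of the worm: same stub, body re-encoded under a fresh key."""
    return DECODER_STUB + bytes([key]) + xor_encode(WORM_BODY, key)


def scan_payload(payload: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Run the signature dictionary across one payload; return the names that hit."""
    return sorted(name for name, pattern in signatures.items() if pattern in payload)


def sha256_hex(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


def sample_payloads() -> Dict[str, bytes]:
    """Constructed inputs: the plain worm, two polymorphic generations, benign traffic."""
    return {
        "plain": WORM_BODY,
        "gen1": make_variant(0x5A),
        "gen2": make_variant(0xC3),
        "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    }


def scan_all(payloads: Optional[Dict[str, bytes]] = None) -> Dict[str, List[str]]:
    """Payload-signature results for every sample."""
    payloads = payloads if payloads is not None else sample_payloads()
    return {name: scan_payload(p) for name, p in payloads.items()}


def hash_matches(payloads: Dict[str, bytes], known: Set[str]) -> Dict[str, bool]:
    """File-signature (hash dictionary) check: only byte-identical samples match."""
    return {name: sha256_hex(p) in known for name, p in payloads.items()}


if __name__ == "__main__":
    payloads = sample_payloads()
    known_hashes = {sha256_hex(WORM_BODY)}      # the only sample the dictionary was built from
    hashes = hash_matches(payloads, known_hashes)
    for name, hits in scan_all(payloads).items():
        print(f"{name:7s} signature hits: {hits or '-':<16} hash known: {hashes[name]}")
```

The body signature and the file hash catch only the plain sample; every re-encoded generation slips past both, which is the reactive weakness the text describes. The stub signature still catches the variants because the stub does not change, which is why analysts write signatures against the invariant part of a sample where one exists; real polymorphic engines also mutate the decoder, and that is beyond this example.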

What is the direction of future research in this field? Of late, researchers have shown keen interest in applying the principles of Biological Immune Systems to computer systems, since both have to maintain their stability in an ever-changing environment. Numerous desirable features of Biological Immune Systems (BIS), viz., diversity, self-tolerance, immune memory, distributed computation, self-learning, self-organization, self-adaptation and robustness, have inspired BIS-based Artificial Immune Systems (AIS) for information security (Jin, 2013). This work is based on the ‘danger model’ (Matzinger, 2002; Aickelin & Cayzer, 2002). According to this model, the adaptive immune system does not distinguish self from non-self; rather, an immune response is triggered when danger signals are generated by damaged cells. The cells of the adaptive immune system are incapable of attacking their host. Since the immune response in the danger model is a reaction to stimuli the body considers harmful, and not a reaction to non-self, foreign cells and immune cells are allowed to coexist.

The following figure illustrates the main principle of the danger model, and the accompanying table compares it with an information system (Jin, 2013).

[Figure d: the danger model and its counterpart in an information system (Jin, 2013)]

“The cells undergoing distress or unnatural death transmit an alarm signal to Antigen Presenting Cells (APCs), thus stimulating the APCs, which in turn stimulate the adaptive immune system’s B- and T-cells into action in accordance with signals 1 and 2. Signal 1 is the binding of an immune cell to an antigenic pattern presented by an APC, and signal 2 is either a help signal to activate a B-cell or a co-stimulation signal given by an APC to activate T-cells” (Jin, 2013). Attempts have been made by various researchers to apply this ‘danger model’ to data processing, worm detection and response, computer network intrusion detection, security monitoring and so on. Multidisciplinary research is required to build a robust and self-healing system of malware detection and defense in the foreseeable future.

Conclusion

Malware designs are becoming extremely complex and have evolved over time from innocent ‘internet joy-rides’ to military-grade ‘precision cyber-weapons’. While script kiddies would continue to exploit even old vulnerabilities spread across multiple platforms, nation-states are looking at the cyber domain as a fifth domain of war, and would continue to deploy dangerous weaponized malware to inflict harm in the physical world. The ‘things’ of the ‘Internet of Things’ would act as a ‘watering hole’ for attackers, who would use insecure, simple embedded chips as the entry point into relatively secure computer systems. ‘Malware as a Service’ (MaaS) would become a reality very soon. Despite all efforts, it seems that malware is here to stay and would continue to be used by the hacker, the curious mind and the warrior of the information age.

Note: The views expressed in this paper are the author’s and do not necessarily reflect the views of the organizations where he has worked in the past or is working presently. The author conveys his thanks to the Chevening TCS Cyber Policy Scholarship of the UK Foreign and Commonwealth Office, which sponsored part of this study.

References

  1. *Abraham, S., & Chengalur-Smith, I. 2010. “An Overview of Social Engineering Malware: Trends, Tactics, and Implications.” Technology in Society, 32(3), 183-193.
  2. Applegate, S. D. 2012. “The Principle of Maneuver in Cyber Operations.” In C. Czosseck, R. Ottis & K. Ziolkowski (Eds.), 4th International Conference on Cyber Conflict. Tallinn: NATO CCD COE. Retrieved March 2015 from http://www.academia.edu/1436096/the_principle_of_maneuver_in_cyber_operation
  3. Athanasopoulos, E., et al. 2008. “Antisocial Networks: Turning a Social Network into a Botnet.” In Information Security (ISC 2008). Springer.
  4. *Davis, M. 2010. Hacking Exposed Malware & Rootkits: Malware & Rootkits Security Secrets & Solutions. New York: McGraw-Hill.
  5. Farwell, J. P., & Rohozinski, R. 2011. “Stuxnet and the Future of Cyber War.” Survival, 53(1), 23-40. http://dx.doi.org/10.1080/00396338.2011.555586
  6. Feder, B. J. 2008. “A Heart Device Is Found Vulnerable to Hacker Attacks.” New York Times, 12 March 2008.
  7. *Felt, A. P., Finifter, M., Chin, E., Hanna, S., & Wagner, D. 2011. “A Survey of Mobile Malware in the Wild.” Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM ’11), 3-14. ACM.
  8. Honeynet Project. 2002. “Know Your Enemy: Passive Fingerprinting. Identifying Remote Hosts, Without Them Knowing.” Retrieved April 5, 2014, from http://old.honeynet.org/papers/finger/
  9. *Irani, D., Balduzzi, M., Balzarotti, D., Kirda, E., & Pu, C. 2011. “Reverse Social Engineering Attacks in Online Social Networks.” In Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2011), 55-74. Springer.
  10. Jin, X. 2013. “ENSREdm: E-government Network Security Risk Evaluation Method Based on Danger Model.” Research Journal of Applied Sciences, Engineering and Technology, 5(21), 4988-4993. Retrieved from http://maxwellsci.com/print/rjaset/v5-4988-4993.pdf
  11. Kaspersky Lab. 2014. Unveiling “Careto – The Masked APT”. Retrieved September 3, 2015, from http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
  12. Kumar, A. 2014. “Internet of Things (IoT): Seven Enterprise Risks to Consider.” SearchSecurity, March 2014. Retrieved April 2, 2015, from http://searchsecurity.techtarget.com/tip/Internet-of-Things-IOT-Seven-enterprise-risks-to-consider
  13. Lavasoft. n.d. “History of Malware.” Retrieved April 2, 2014, from http://www.lavasoft.com/mylavasoft/company/blog/history-of-malware
  14. *Leavitt, N. 2010. “Researchers Fight to Keep Implanted Medical Devices Safe from Hackers.” Computer, 43(8), 11-14.
  15. Luo, W., Liu, J., & Fan, C. 2009. “An Analysis of Security in Social Networks.” Eighth IEEE International Conference on Dependable, Autonomic and Secure Computing (DASC ’09), 648-.
  16. Matzinger, P. 2002. “The Danger Model: A Renewed Sense of Self.” Science, 296(5566), 301-305.
  17. Mittal, S. 2014. The Threats and Opportunities in Cyber Domain. Essay submitted to Cranfield University.
  18. Nazario, J. 2004. Defense and Detection Strategies against Internet Worms. Norwood, MA: Artech House.
  19. Nazario, J., Anderson, J., Wash, R., & Connelly, C. 2001. “The Future of Internet Worms.” Black Hat USA 2001. Retrieved September 3, 2015, from http://www.blackhat.com/presentations/bh-usa-01/JoseNazario/bh-usa-01-Joes-Nazario.pdf
  20. *Ransford, B., Clark, S. S., Kune, D. F., Fu, K., & Burleson, W. P. 2014. “Design Challenges for Secure Implantable Medical Devices.” In Security and Privacy for Implantable Medical Devices, 157-173. Springer.
  21. *Santucci, G. 2011. “The Internet of Things: The Way Ahead.” In Internet of Things – Global Technological and Societal Trends from Smart Environments and Spaces to Green ICT, 53.
  22. Scarfone, K., & Mell, P. 2007. Guide to Intrusion Detection and Prevention Systems (IDPS). NIST Special Publication 800-94. Retrieved April 5, 2014, from http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
  23. Skardhamar, R. 1996. Virus Detection and Elimination (UK ed.). Academic Press.
  24. *Stammberger, K. 2009. “Current Trends in Cyber Attacks on Mobile and Embedded Systems.” Embedded Computing Design, 7(5), 8-12.
  25. Symantec. 2014. “Worms.” Security Response Glossary. Retrieved September 3, 2015, from http://www.symantec.com/security_response/glossary/define.jsp?letter=w&word=worms
  26. Vance, J. 2011. “The Future of Malware.” Network World, October 2011. Retrieved April 5, 2014, from http://www.networkworld.com/news/2011/100311-malware-251426.html?page=1
  27. Viega, J., & Thompson, H. 2012. “The State of Embedded-Device Security (Spoiler Alert: It’s Bad).” IEEE Security & Privacy, 10(5), 68-70.
  28. Zalewski, M. 2000. “I Don’t Think I Really Love You, or Writing Internet Worms for Fun and Profit.” Retrieved April 1, 2014, from http://lcamtuf.coredump.cx/worm.txt
  29. Zetter, K. 2012. “‘Flame’ Spyware Infiltrating Iranian Computers.” Wired. Retrieved April 1, 2014, from http://www.cnn.com/2012/05/29/tech/web/iran-spyware-flame
  30. Zetter, K. 2011. “Son of Stuxnet in the Wild.” Wired. Retrieved April 1, 2014, from http://www.wired.com/2011/10/son-of-stuxnet-in-the-wild/
  31. Zoller, T. 2011. “Attacker Classes and Pyramid (Version 3).” Musings on Information Security – Luxembourg (blog). Retrieved April 1, 2014, from http://blog.zoller.lu/2011/10/attacker-classes-and-pyramid-version-1.html

* Indicates that only the abstract of this reference was read, on Google Scholar, as the full text was not available to the author.

*Shri Sandeep Mittal, I.P.S., joined the I.P.S. in 1995 and has been working since 2012 as Deputy Inspector General of Police at the LNJN National Institute of Criminology and Forensic Science, Ministry of Home Affairs, Government of India, Delhi. He has served in various communally sensitive districts of Tamil Nadu. He specializes in cyber security and was instrumental in neutralizing a number of online drug-trafficking syndicates globally. He is a Life Member of USI, an Associate Member of IDSA and a Life Member of the Indian Society of Criminology. He is a Chevening Cyber Policy Scholar sponsored by the Foreign & Commonwealth Office, United Kingdom.

Risks and Opportunities provided by Cyber Domain and Policy-needs to address the Cyber Defense

Posted by Sandeep Mittal, IPS on March 17, 2015

The term ‘Cyber Domain’ has been used widely by various experts, sometimes interchangeably with ‘Cyber Space’, to imply “the global domain within the information environment that encompasses the interdependent networks of information technology infrastructures, including the internet and telecommunication networks” (Camillo & Miranda, 2011). Today it has become “the fifth domain of warfare after land, sea, air and space”, and it is a challenge to arrive at a common definition of the cyber domain, but for the purpose of this essay the definition given above would suffice. Any entity, whether a nation-state or an enterprise, that operates in the cyber domain needs to maintain the confidentiality, integrity and availability of its deployed resources. The dynamics of the cyber domain are complex and complicated in time and space. Humans, machines, things and their interactions are evolving continuously, posing risks and opportunities in the cyber domain. A risk to one becomes an opportunity for another. In this essay, the ‘risks presented by’ and ‘opportunities available in’ the cyber domain are identified, discussed and analyzed in order to consider the key strategic policy elements needed to defend the cyber domain.

Risks and Opportunities in Cyber Domain

‘Very low-cost efforts’ giving asymmetric results, coupled with anonymity in space and time, make the cyber domain attractive (Cyber Security Strategy of UK, 2009) for use by various actors for malicious objectives. This faceless and boundaryless domain is highly dynamic, throws up surprises rapidly, and has the potential to cause damage (real and virtual) disproportionate to the resources deployed. Let us have a look at the various realms in terms of the risks associated with them.

  • a) The information system platforms and the equipment supporting the cyber ecosystem are susceptible to conventional physical attacks. Electronic equipment can be destroyed by generating high-energy radio frequencies and electromagnetic pulses.
  • b) Services in cyberspace may be disrupted by direct attack, e.g., DoS, DDoS, etc. This is the most common attack and has the potential to paralyze lines of communication, bring down banking services and sabotage military operations. It has been deployed successfully over the years not only by novice script kiddies but also by sophisticated state-sponsored agencies. Botnets working round the clock have become a serious challenge.
  • c) Sensitive data (in storage and in transit) may be accessed, stolen or manipulated to produce the desired effect immediately or at a later date. The technology and deployment methodology are evolving with time, and simple malware tools have been replaced with complex, intelligent and well-crafted attacks generally known as Advanced Persistent Threats (APTs). The stealth, patience and dedicated consistency of APTs give them the capability to bypass the best firewalls (including next-generation firewalls) and intrusion detection and prevention systems, and to exploit zero-day vulnerabilities (FireEye White Paper, 2014).

The risks associated with the various realms discussed above may manifest themselves in various dimensions of society: civic infrastructure breakdown (e.g., failure of electric power grids, disruption of fuel pipelines, disruption of the water supply chain), economic disruption (e.g., disruption of banking services, business continuity and maintenance-related costs), social and behavioral effects on society (e.g., gambling, spamming, pornography, drug supply, propagation of extremist ideology) and, last but not least, hacking and intrusion into privacy, and the compromising of a nation’s morale through the use of social media, leading to civic unrest and hampering diplomatic relations (e.g., WikiLeaks), thus finally setting the stage for cyber warfare. Eventually, the cyber domain becomes the ‘means’ to the most serious ‘end’, that is, cyber warfare (Cornish et al., 2009). The ‘research tool of yesteryear’ has evolved into a strong medium of mass communication. The Chatham House report ‘Cyberspace and the National Security of the United Kingdom’ (2009) introduces the concept of Cyber Threat Domains.

Let us have a look at the challenges and opportunities in cyber security in terms of the four ‘Cyber Threat Domains’ (Cornish et al., 2009).

  • a) State-sponsored Cyber-attacks: The complete dependence of a nation’s economy and critical infrastructure on the cyber domain presents an opportunity to nation-states to deploy cyber tools to gain information dominance in the cyber domain, that is, to transmit information while denying or restricting it to the enemy state, and also to collect tactical information. Going further, crippling a nation by paralyzing its critical infrastructure through the deployment of stealthy and well-crafted tools exploiting a zero-day vulnerability is a matter of hours, not days. Cyber attacks that raise the temperatures of furnaces in nuclear power plants or increase the flow speed of liquids in fuel pipelines may be used as weapons of mass destruction.
    The concept of maneuver in war has been compared with cyber maneuver (Applegate, 2012), where it is recognized that blatantly hostile acts in cyberspace are characterized by rapidity, anonymity and difficulty of attribution, and are dispersed in space and time. Even the territory of the enemy, or of one of its allies, can be used to achieve the desired asymmetric results.
  • b) Cyber-Terrorism / Extremism: There is no medium more powerful and anonymous than cyberspace, where asymmetric results can be achieved with ease by deploying minimal resources. The internet is an anarchic playground, or an ungoverned space, which can be exploited by extremists for communication and information sharing, designing strategies, training members, procuring resources, infiltrating the State’s assets and forming alliances with organizations having common objectives but different motivations. The use of social media by political extremists to propagate their ideology and take on the government machinery may spearhead insurgency by exploiting public sentiment.
  • c) Serious and Organized Criminal Groups are exploiting cyberspace not only to maintain their criminal networks but also for money laundering, drug trafficking, extortion, credit card fraud, industrial espionage, etc. “In the cyber space, physical strength is insignificant [……] strength is in software, not in numbers of individuals” (Brenner, 2002). Tackling cyber-criminality poses a great challenge to law enforcement agencies (LEAs). The need for operational-level coordination with international LEAs cannot be overstated, as existing mechanisms such as MLATs have not given the desired results. The thrust of LEAs is on the acquisition of hardware and software, while the training of human resources is lacking.
  • d) Lower-level Individual Attacks are the acts of individuals and may give results disproportionate to the skills deployed. These attacks may not be technologically advanced, but they have the capability to create panic and day-to-day disruption. Sometimes fools pose great questions. The free availability of a number of hacking and penetration-testing tools on the internet assists script kiddies in venturing into the world of hacking.

Thus it is amply clear from the foregoing that the cyber domain presents unimaginable opportunities, spread over space and time, with rapidity, anonymity and almost no investment.

Policies to Address Cyber Defense

Any policy for cyber defense has to be multi-pronged, tiered and dynamic. There are many approaches to deciding upon strategic policies: one is the systematic approach, while another is to keep national security as the central theme and weave the other defenses around it. What should be the strategy for a secure information society? For the purpose of this essay we may define security as “the ability of a network or an information system to resist, at a given level of confidence, accidental events or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems” (Commission of the European Communities, 2006). Though this is a network- and system-centric definition, the author feels that if this approach is taken care of by the strategic policy, the other considerations would fall into line. The approach should not be that of the ‘elephant and the five blind men’; rather, it should be an integrative approach addressing the various risks, issues and opportunities in the cyber domain. We would try to build up the key elements which a strategic policy should address to defend the cyber domain. “The integrated application of cyberspace capabilities and processes to synchronize in real-time, ability to detect, analyze and mitigate threats and vulnerabilities, and outmaneuver adversaries, in order to defend designated networks is part of cyber defense strategy and includes proactive network operations, defensive counter cyber operations and defensive countermeasures” (U.S. Department of Defense, 2010). As policy should be general and broad, it would be beyond the scope of this essay to discuss procedures, the details of technologies and processes, and the mechanisms to deploy them.
We focus rather on the key elements a security policy should incorporate to achieve the objective of defending the cyber domain. It should also take into account the ground realities of the scenario in which the policy would be applied.

The author has perused the summaries of the National Cyber Security Strategies of nineteen countries (Luiijf, Besseling & de Graaf, 2013) and, based on them, has tried to identify the key elements of a strategic policy to defend the cyber domain.

  • a) Legislation/Legal Framework:
    The cyber domain has no boundary. The various stakeholders and players may be spread all round the globe irrespective of national jurisdictions. Hence a law which is progressive and aligned with international conventions on cyber-crime and with the laws of other nation states is a basic requirement for defending the cyber domain. Additionally, the judiciary needs to be sensitized on various aspects of cyber law for a better appreciation of such cases.
  • b) Mandating Security Standards:
    Mandating minimum information security standards is like preparing the ground before the seeds are sown. Security assurance measures for products (ISO/IEC 15408), for the development process (ISO/IEC 21827) and for security management (ISO/IEC 27001) should be implemented with zero tolerance for non-compliance. Personnel expertise and knowledge should be mandated through professional certifications.
  • c) Secure Protocols, Software and Products:
    At present there is no system in place for ‘cyber-supply-chain security ratings’. This is a big loophole, as hardware and software have to be changed frequently and have the potential of being compromised, putting cyber security at stake. Compromised software and hardware become the gateway for attacks in the cyber domain.
  • d) Active-Dynamic Security Measures for Prevention, Detection and Response Capabilities:
    The technology of malware and the methodology of its deployment in the cyber domain have evolved radically over the years. “The attacks are advanced, targeted, stealthy and persistent and cut across multiple threat vectors [web, email, file shares, and mobile devices] and unfold in multiple stages, with calculated steps to get in, signal back out of the compromised network, and get the valuables out” (FireEye White Paper, 2013). While firewalls, next-generation firewalls, Intrusion Prevention Systems etc. are important security defenses, they cannot stop dynamic attacks that exploit zero-day vulnerabilities. Hence integrated platforms capable of identifying and blocking these sophisticated attacks are needed to safeguard critical and sensitive assets. Attack attribution analysis should be deployed to identify the attackers (Lewis, 2014). The Zero Trust model of information security also helps in reducing attacks from digitally signed malware (IBM Forrester Research Paper, 2013).
  • e) Threat and Vulnerability Analysis:
    A detailed threat and vulnerability analysis of the resources should be maintained and updated periodically. At a minimum, a broad 3×3 matrix as per NIST FIPS 199 (the three security objectives of confidentiality, integrity and availability against the three impact levels of low, moderate and high) is suggested. A risk-profile dashboard should be kept ready. The assets which are critical need to be identified clearly and SOPs for their protection put in place.
  • f) Continuity and Contingency Plans:
    These should be prepared and kept ready. Many nations are deploying in-house “Government-off-the-shelf” (GOTS) technology for sensitive defense and critical infrastructure systems. Attacks are inevitable, but if services are maintained the confidence and trust of the stakeholders is retained. Governments should also work towards a mechanism of cyber liability and cyber insurance, which at present is generally lacking.
  • g) Information Sharing:
    In most countries there is a mechanism to share information on security breaches and related developments through Computer Emergency Response Teams (CERTs). These national CERTs also interact with each other at the international level. However, the author’s personal experience shows that many enterprises do not share information on breaches in order to protect their corporate image. Sometimes security breaches may not even be known for months. There is an urgent need for a mechanism making the reporting of security breaches mandatory, with penalties for non-compliance.
  • h) Awareness, Education and Training:
    Practice makes a man perfect. Continuous awareness and educational campaigns for various stakeholders on dos and don’ts have to be run repeatedly, and training workshops for the workforce should be organized. We should always remember that human behavior is the greatest risk to security, and this risk can only be minimized by education and training.
  • i) Reforms in School and Collegiate Education:
    If cyber security as a subject is included in school and college curricula, a ready cyber workforce would be available to be deployed across various sectors. Online training courses in cyber security should be designed and incentives offered to workers who attend and successfully complete them.
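As an added worked example (not part of the original essay), the following Python sketch applies the FIPS 199 categorization that item e) refers to. Each information type carries a security category over the three objectives; a system takes the high water mark across the information types it holds, with LOW as the floor because FIPS 199 permits “not applicable” only for the confidentiality of public information and never for a system; the overall system level is the highest of the three objective values, the level that selects a control baseline. The police IT inventory, information types and impact levels are constructed for illustration, and the dashboard ordering and the 3×3 matrix view are this example’s own choices rather than anything FIPS 199 prescribes.

```python
"""FIPS 199 security categorization with the high water mark rule.

Added worked example, not code from the original essay. The inventory,
information types and impact levels below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# FIPS 199 impact levels, ranked so that max() yields the high water mark.
LEVEL_RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
RANK_LEVEL = {rank: level for level, rank in LEVEL_RANK.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")
SYSTEM_LEVELS = ("LOW", "MODERATE", "HIGH")  # N/A never applies to a system


@dataclass
class InfoType:
    """One information type resident on a system, carrying its FIPS 199 category
    SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}."""
    name: str
    impact: Dict[str, str]

    def validate(self) -> None:
        for obj in OBJECTIVES:
            level = self.impact.get(obj)
            if level not in LEVEL_RANK:
                raise ValueError(f"{self.name}: invalid {obj} level {level!r}")
            # FIPS 199 allows 'not applicable' only for confidentiality (public information).
            if level == "N/A" and obj != "confidentiality":
                raise ValueError(f"{self.name}: N/A is not permitted for {obj}")


def categorize_system(system: str, info_types: List[InfoType]) -> Dict[str, object]:
    """Derive a system's security category from the information it holds.

    Per objective: the highest impact over all information types (high water mark),
    with LOW as the floor because a system cannot be categorized N/A.
    Overall: the highest of the three objective values, the level that selects
    the control baseline for the system."""
    if not info_types:
        raise ValueError(f"{system}: at least one information type is required")
    for it in info_types:
        it.validate()
    per_objective = {}
    for obj in OBJECTIVES:
        high_water = max(LEVEL_RANK[it.impact[obj]] for it in info_types)
        per_objective[obj] = RANK_LEVEL[max(high_water, LEVEL_RANK["LOW"])]
    overall = RANK_LEVEL[max(LEVEL_RANK[lvl] for lvl in per_objective.values())]
    return {"system": system, "per_objective": per_objective, "overall": overall}


def risk_dashboard(categorizations: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Order systems so the critical assets surface first: by overall level, then by
    how many objectives sit at HIGH. This ordering is the example's own choice."""
    def key(cat):
        highs = sum(1 for lvl in cat["per_objective"].values() if lvl == "HIGH")
        return (LEVEL_RANK[cat["overall"]], highs)
    return sorted(categorizations, key=key, reverse=True)


def impact_matrix(categorizations: List[Dict[str, object]]) -> Dict[str, Dict[str, List[str]]]:
    """The 3x3 view: objectives as rows, impact levels as columns, systems in the cells."""
    matrix = {obj: {lvl: [] for lvl in SYSTEM_LEVELS} for obj in OBJECTIVES}
    for cat in categorizations:
        for obj, lvl in cat["per_objective"].items():
            matrix[obj][lvl].append(cat["system"])
    return matrix


# Constructed sample inventory for a hypothetical police IT estate.
SAMPLE_SYSTEMS = {
    "public-portal": [
        InfoType("press releases",
                 {"confidentiality": "N/A", "integrity": "MODERATE", "availability": "LOW"}),
    ],
    "case-records": [
        InfoType("investigation files",
                 {"confidentiality": "HIGH", "integrity": "HIGH", "availability": "MODERATE"}),
        InfoType("duty rosters",
                 {"confidentiality": "LOW", "integrity": "LOW", "availability": "LOW"}),
    ],
    "dispatch": [
        InfoType("emergency call routing",
                 {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "HIGH"}),
    ],
}


def build_dashboard(systems=SAMPLE_SYSTEMS) -> List[Dict[str, object]]:
    return risk_dashboard([categorize_system(name, its) for name, its in systems.items()])


if __name__ == "__main__":
    rows = build_dashboard()
    for row in rows:
        print(f"{row['overall']:<9}{row['system']:<15}{row['per_objective']}")
    for obj, cells in impact_matrix(rows).items():
        print(obj, cells)
```

Note how the public portal, whose only information type has confidentiality N/A, is still categorized LOW for confidentiality at the system level, and how one HIGH information type on the case records system pulls the whole system to HIGH regardless of the low-impact rosters it also holds; that is the high water mark working as intended, and it is why asset inventories need to record what information actually lives on each system.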

International Collaboration: The cyber domain has no boundaries. An attacker sitting in one country, using the systems and resources of a second country, may compromise a sensitive database in a third country. Without international collaboration, whatever strategy we may design is bound to fail. Although there is a regional convention on cyber crime [The Council of Europe (Budapest) Convention on Cyber Crime, 2004], there is unfortunately no such convention on cyber security. There is a necessity for comprehensive international cooperation to sort out issues regarding jurisdiction, mutual assistance, extradition, the 24/7 network etc. (Clough, 2013). However, the personal experience of the author is that international cooperation needs to be galvanized, as it is presently almost ineffective at the operational level.

However, to achieve the desired objectives, the strategies need to be implemented through the acquisition and effective allocation of sufficient resources, with accountable responsibilities (Ward & Peppard, 2002). But even if all this is done, things will not necessarily turn out as desired (Johnson & Scholes, 2002). Therefore a strategic management process that can adapt to changing scenarios during the implementation of the original strategy is not a substitute for that strategy, but a way of making it work.

Conclusion

The Cyber Domain, by virtue of its unique characteristics of anonymity, availability and maneuverability in space and time, having no international borders, and the capacity to give asymmetric results hugely disproportionate to the resources deployed, offers tremendous risks and opportunities for various stakeholders. It is rapidly expanding its scope from an internet of human beings and machines to an internet of things. It has the potential of disrupting a nation’s economy, polity, and civic and military infrastructure and, last but not least, may lead to cyber warfare. Any policy and strategy to defend the Cyber Domain should be dynamic enough to adjust to the rapidly changing nature of attacks and technology. Futuristic scenarios like a “Botnet of Things” have the potential of disrupting the normal life of humans. The strategic policy explained in this essay, if implemented, should take care of the various aspects of defending the cyber domain. However, as the attacks, technologies and attackers evolve, the policy should also evolve with the same rapidity. The ‘unknown unknowns’ of the cyber domain are yet to be seen by the world.

References

Applegate, S. 2012, “The Principle of Maneuver in Cyber Operations”, http://www.academia.edu/1436096/The_Principle_of_Maneuvar_in_Cyber_… Accessed on 14/03/2014.

Brenner, S.W. 2002, “Organized Cybercrime? How Cyberspace May Affect the Structure of Criminal Relationships”, North Carolina Journal of Law & Technology, vol. 4, no. 1 (Fall 2002), p. 24.

Clough, J. 2013, “The Budapest Convention on Cyber Crime: Is Harmonisation Achievable in a Digital World?”, presentation at the 2nd International Serious and Organised Crime Conference, Monash University, Brisbane, 29-30 July 2013. Accessed on 13/03/2014.

Cornish, P., Livingstone, D., Clemente, D. & Yorke, C. 2009, Cyber Security and the UK’s Critical National Infrastructure, A Chatham House Report, United Kingdom. http://www.chathamhouse.org/sites/default/files/public/Research/Int… Accessed on 13/03/2014.

Cornish, P., Hughes, R. & Livingstone, D. 2009, Cyber Space and the National Security of the United Kingdom: Threats and Responses, A Chatham House Report, United Kingdom. http://www.chathamhouse.org/sites/default/files/public/Research/Int… Accessed on 14/03/2014.

Cornish, P., Livingstone, D., Clemente, D. & Yorke, C. 2010, On Cyber Warfare, A Chatham House Report, United Kingdom. https://www.chathamhouse.org/sites/default/files/public/Research/In… Accessed on 11/03/2014.

Di Camillo, F. & Miranda, V. 2011, Ambiguous Definitions in Cyber Domains: Costs, Risks and the Way Forward, Istituto Affari Internazionali, Roma.

FireEye White Paper 2014, Advanced Attacks Require Federal Agencies to Reimagine IT Security, online publisher, http://docs.media.bitpipe.com/io_11x/io_114094/item_844153/advanced… Accessed on 11/03/2014.

FireEye White Paper 2013, Thinking Locally, Targeted Globally: New Security Challenges for State and Local Governments, http://docs.media.bitpipe.com/io_11x/io_114094/item_844153/fireeye-… Accessed on 11/03/2014.

IBM 2013, Supporting the Zero Trust Model of Information Security: The Important Role of Today’s Intrusion Prevention Systems, IBM Forrester Research Paper, online. http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03038usen/WGL03038US… Accessed on 13/03/2014.

Luiijf, E., Besseling, K. & de Graaf, P. 2013, “Nineteen national cyber security strategies”, International Journal of Critical Infrastructures, vol. 9, no. 1/2, pp. 3–31.

NIST, Managing Information Security Risk: Organization, Mission and Information System View, NIST Special Publication 800-39, USA.

NIST, Guide for Applying the Risk Management Framework to Federal Information Systems, NIST Special Publication 800-37, USA.

NIST, Recommended Security Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53, USA.

NIST, Standards for Security Categorization of Federal Information and Information Systems, FIPS Publication 199, USA.

Purser, S. 2004, A Practical Guide to Managing Information Security, Artech House, Boston, Mass.; London.

Stevens, T. 2010, “US Cyber Command achieves ‘full operational capability,’ international cyberbullies be warned”, 5 November 2010, http://www.engadget.com/2010/11/05/us-cyber-command-achieves-full-o… Accessed on 11/03/2014.

The Joint Chiefs of Staff 2010, Memorandum for Chiefs of the Military Services, US Department of Defense, Washington D.C. http://www.nsci-va.org/CyberReferenceLib/2010-11-joint%20Terminolog…

UK Cabinet Office 2010, Securing Britain in an Age of Uncertainty: The Strategic Defence and Security Review, Cm 7948, The Stationery Office, London, p. 47. http://www.direct.gov.uk/prod_consum_dg/groups/dg_digitalassets/@dg… Accessed on 11/03/2014.

UK Cabinet Office 2009, Cyber Security Strategy of the United Kingdom: Safety, Security and Resilience in Cyber Space, Cm 7642, p. 12, The Stationery