Computer Software Bugs and Other IT Threats to Critical Infrastructure: A Preliminary Set of Considerations for IT Governance

Transcription

1 Computer Software Bugs and Other IT Threats to Critical Infrastructure: A Preliminary Set of Considerations for IT Governance Presentation for the Seventh European Academic Conference on Internal Audit and Corporate Governance by Michael K. Lavine, Ph.D. Johns Hopkins University Information Security Institute and Georges M. Selim, Ph.D. Cass Business School 16 April 2009

2 Background Information Since President Clinton s administration in the 1990s, there have been a number of important initiatives in the USA to use Government and Web Information Systems to share information about IT Security/Information Assurance threats, risks, protection mechanisms and best practices With the growth of E-Commerce and IT systems, emphasis has been made to protect the critical infrastructures (e.g. banking, telecomm, emergency services etc.) of which approximately 90% in the USA is controlled by the private sector

3 Introduction and Background Tremendous growth of E-Commerce systems, networks, mobile devices and Internet connectivity all contributed to increased threats to IT security Various national Government initiatives in critical infrastructure protection and information sharing The focus of this project is on Software Bugs with additional information on viruses, trojans and exploit scripts as major areas of risk to organisations How can this research potentially impact IT governance and risk management?

4 Research Overview Methodology based on a Grounded Theory approach (Glaser and Strauss, 1967) Provides an ability to develop creative approaches to new areas of research This is a popular research methodology in the Information Systems field Data collection and analysis was based on secondary data from official U.S. government data sources supported by the FBI and DHS

5 Common IT Technical Risks Software Bugs Viruses Trojans Exploit Scripts Other Types of Computer Malware Denial of Service Web Site Defacements Plus a Growing Range of Emerging Techniques (i.e. Phishing, Botnets, Crimeware, Scareware)

6 Descriptive Data Summary: Bugs Exploit Scripts Viruses Trojans Freq. Perc. Freq. Perc. Freq. Perc. Freq. Perc. Year , , , , , , , , , Total 6, , , ,

7 Software Bugs Software Bugs are errors in a computer program (i.e. operating systems or application software) which causes the program to not perform as intended. Most software bugs are attributable to the software source code and result in design or compilers processing errors. Normally, computer programmers use a variety of techniques referred to as de-bugging to perform quality assurance and other tests on the software code. Some common types of software bugs are: buffer overflows, race condition errors, memory leaks and stack errors.

8 Software Bugs: Total Bugs Reported by Month Dec-03 Nov-03 Oct-03 Sep-03 Aug-03 Jul-03 Jun-03 May-03 Apr-03 Mar-03 Feb-03 Jan-03 Dec-02 Nov-02 Oct-02 Sep-02 Aug-02 Jul-02 Jun-02 May-02 Apr-02 Mar-02 Feb-02 Jan-02 Dec-01 Nov-01 Oct-01 Sep-01 Aug-01 Jul-01 Jun-01 May-01 Apr-01 Mar-01 Feb-01 Jan-01 Dec-00 Nov-00 Oct-00 Sep-00 Aug-00 Jul-00 Jun-00 May-00 Apr-00 Mar-00 Feb-00 Jan New Bugs Month Updated Bugs Number of Reported Items

9 Critical Software Bugs by Risk Classification: Study Period High Medium Low All Other Total Freq. Percent. Freq. Percent. Freq. Percent. Freq. Percent. Freq. Percent. Q % % % % % Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Total 2, % 2, % 1, % % 6, % Percent of Total 40.50% 31.62% 16.12% 11.76% %

10 Critical Bugs by Vulnerability Type: in Rank Order Vulnerability Type Ranking Buffer Overflow 1 Denial of Service 2 Multiple Vulnerabilities 3 General Security 4 Password 5 Unauthorised Access 6 Remote Access 7 Directory Transversal 8 Race Condition 9 Web Server IIS 10 Root Access Format String 13

11 Exploit Scripts Exploit Scripts are purpose built program scripts or small sets/sequences of commands that attack specific vulnerabilities in computer software (Adapted from Karestand, 2003). Sometimes these can be generated by computer code generators (Thompson, 2002). Currently, common scripting languages include PERL, Visual Basic and Java Script.

12 Exploit Scripts: Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Frequency Percentage Study Quarter Number of Reported Cases Percentage

13 Viruses Viruses are a common form of malware and were studied early on by many computer science researchers. Karestand (2003, p. 42) quoting earlier researchers, defines a computer virus, as a computer program that is able to replicate by attaching itself to other computer programs in some way. Furthermore, the program the virus attaches to is called a host or victim program.

14 Frequency 6 Percent Q Viruses: Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Study Quarter Number of Reported Items Percentage

15 Trojans Trojans derive their name from the Trojan Horses of ancient times. This type of malware can pretend to be a piece of legitimate (e.g. trusted) software, but develops into a destructive mechanism or function that can be activated. Often this is done by a remote user such as a hacker, criminal organisation or terrorist group.

16 Trojans: Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Frequency Percentage Study Quarter Number of Reported Cases Percentage

17 Research Hypothesis No. 1 H1: There is a defined correlation between the new critical software bugs detailed in the NIPC s CyberNotes newsletters and the general number of new software bugs identified by the U.S. Computer Emergency Response Team/Coordination Centre (CERT/CC) and the U.S. National Institute of Standards and Technology (NIST).

18 Hypothesis No. 1 - Results Software Bugs Correlation Analysis Panel A: Pearson Correlation Coefficients (N=48) CERT/CC BUGS NIST BUGS BUGS p = p = Panel B: Spearman Rank Correlation Coefficients (N=48) CERT/CC BUGS NIST BUGS BUGS p = p = Result: The new critical software bugs are correlated to the CERT/CC Bugs, but there is no association of these same bugs to the NIST software bugs.

19 Research Hypothesis No. 2 H2: There is a defined correlation between the number of critical computer viruses detailed in the NIPC s CyberNotes newsletters and the general number of computer viruses found in the wild.

20 Hypothesis No. 2 - Results Computer Viruses Correlation Analysis Panel A: Pearson Correlation Coefficients (N=48) VIRUSES IN THE WILD VIRUSES p = Panel B: Spearman Rank Correlation Coefficients (N=48) VIRUSES IN THE WILD VIRUSES p = Result: No linear relationship was observed.

21 Possible Considerations for IT Governance 1. Board of Directors concerns and understanding of IT Security? Furthermore, what are their roles and responsibilities in this area? 2. Management has serious concerns about IT Threats and Risks (supported by various Big Four surveys), how does Internal Audit assist in this area from a risk management perspective? 3. Role of Internal Audit in IT Governance activities; more specifically how it relates to IT Security 4. What reporting measures can be developed to improve IT Governance? And can these measures be used in modeling and metric development?

22 Suggestions for Future Research 1. Assess the potential extensions of existing control frameworks to include more information about IT Security Threat reporting 2. Conduct a comparative international study 3. Expand statistical testing and modeling with the use of additional study variables for different threats

23 Questions and Feedback