Survey of Cyber Security Frameworks

Transcription

1 Survey of Cyber Security Frameworks Alice Nambiro Wechuli (Department of Computer Science, Masinde Muliro University of Science and Technology, Kenya Geoffrey Muchiri Muketha (Department of Information Technology, Meru University of Science and Technology, Kenya Nahason Matoke (Department of Computer Science, Masinde Muliro University of Science and Technology, Kenya Abstract: In a digital world, the national economy and welfare have grown critically dependent on the cyber infrastructure due to the capabilities and opportunities the Internet provides. This leaves organizations open to various forms of malicious attack by cybercriminals which has overwhelmed some current methodologies used for tracking cyber attacks and vulnerabilities. This paper presents a review of literature on cyber security status, challenges to cyber security, and existing cyber security frameworks. Findings indicate that though efforts are in place to bring about effective assessment of cyber security, there is no single accepted framework to offer a lasting solution to the cyber security assessment challenge. Key Words: Cyber Security, Internet, Vulnerability, Threat, Cyber Attack, Cyber crime 1. Introduction The way of carrying out business in the world today is changing rapidly with new technologies taking the center stage. Both government and the private sector are increasingly adopting the emerging technologies to modernize their service delivery. According to the US President s Information Technology Advisory Committee [1], innovations in ICT have created a whole new industry through the ubiquitous interconnectedness first exhibited by the Internet. This revolution of interconnectivity has brought with it an increased potential of opportunities, including risk and uncertainties, especially for those cyber criminals who can now cause harm with catastrophic impact from remote locations, while equipped with only a computer and the knowledge needed to identify and exploit vulnerabilities [1]. As a result of increasing interconnectivity, information systems and networks are now exposed to a growing number and a wider variety of threats and vulnerabilities which raise new security issues for all. Throughout the world, governments, defense industries, and companies in finance, power, and telecommunications are increasingly targeted by overlapping surges of cyber attacks from criminals and nation-states seeking economic or military advantage [2]. The number of attacks is now so large and their sophistication so great, that many organizations are having trouble determining which new threats and

2 vulnerabilities pose the greatest risk and how resources should be allocated to ensure that the most probable and damaging attacks are dealt with first. The Australian government has made effort to address the cyber security issues in industry although further development is needed in terms of the rights of an individual company to take action against a threat source [3]. United States, General Accounting Office [4] states that long-term efforts are needed, such as the development of standards, research into cyber security vulnerabilities and technological solutions for the cyber security problems, and the transition of research results into commercially available products. 2. Defining Cyber Security There isn t a single definition of the term cyber security in existence but the different existing definitions encompass a set of concepts which include availability, confidentiality and secure sharing of information. Cyber security refers to three things: measures to protect information technology; the information it contains, processes, and transmits, and associated physical and virtual elements; the degree of protection resulting from application of those measures; and the associated field of professional endeavor [5]. Cyber security is Measures relating to the confidentiality, availability and integrity of information that is processed, stored and communicated by electronic or similar means [3], [6]. Cyber security refers to a measure for protecting computer systems, networks, and information from disruption or unauthorized access, use, disclosure, modification or destruction [7]. In the context of this paper, cyber security is to be understood as the collection of policies, security safeguards, security concepts, risk management approaches, guidelines, technologies, actions and training that can be used to protect the organization and cyber environment together with the user s assets. 3. Current Status of Cyber Security According to Cole et al. [8], only a few countries had additional security measures apart from legislation. The researchers indicate in their study that Malawi had hardly any cyber security initiatives taking place at national level. A study by the World Economic Forum found Malawi to be amongst the bottom 15 of 133 countries surveyed for ICT networked readiness [9]. Malaysia is one of Asia s most alluring countries for cyber criminals [10]. According to Lt Col Prof Datuk Husin Jazri, the Cyber Security Malaysia chief executive officer, until August 2011, there were 10,000 cases reported every month in Malaysia [11]. The researcher also indicated that the Cyber Early Warning System that had been set up by Cyber security Malaysia detected over 5,000,000 security threats. This is hard evidence that shows cyber crimes are increasing at an alarming rate. As Kenya s internet connectivity blossoms, so are the cyber security threats which are becoming more dynamic and sophisticated [12]. The researcher indicates that most organizations in Kenya don t know enough about the threats or their own security posture to defend themselves adequately. Stating an example that they can t see signs of an attack because they haven t sufficiently analyzed data on the latest attack techniques. The researcher further quotes the Kenya s Information Permanent Secretary, Dr Bitange Ndemo, who stated that with high speed internet comes increased security risks therefore there is need to develop policies both to ensure wider access and the safety of internet users. 4. Cyber Security Challenges

3 Security of cyberspace is complicated because it involves the increasing dependence on information networks that, in turn, introduce vulnerabilities and create opportunities to be exploited by criminals, adversaries and others Organized Criminal Activities New challenges to data and communications networks are evolving as rapidly as the spread of high-speed Internet infrastructure. It has been argued that the more significant the volume of revenues that flow over ICT based networks, the greater will be the incentive for organized criminals to corrupt or economically exploit high-value data resources [13]. A global black economy has been found to be found to be capable of generating finances for terrorism, as well as off-budget funding for military, police, or national security agencies of nation states [14] Weak Links in the Global Information Infrastructure A poorly secured network is potentially the weakest link in the cyber security chain [15], [16]. For example, malware in an out of date network can become a botnet through which other systems could be attacked. Internet Service Providers are usually not proactive in identifying and removing botnets in view of the cost implications [17]. Significant weaknesses within the industry need to be addressed, including the lack of effective governance, poor understanding of the cyber threat, and the sharing of data. However, many boards fail to understand and, therefore, address the business risks in the cyber environment [3] Constant Evolution of the Nature of Cyber Threats In [18], the ability of governments to gauge threats to critical infrastructures has traditionally been contingent upon their ability to evaluate a malicious actor s intent and that actor s ability to carry out a deliberate action. She further states that due to the global nature of information networks, attacks can be launched from anywhere in the world, and discovering the origin of attacks remains a major difficulty, if, indeed, they are detected at all. Compared to traditional security threat analysis, which consists of analyses of actors, their intentions, and their capabilities, cyber-threats have various features that make such attacks difficult to monitor, analyze, and counteract [19] Insufficient Funding A secondary but nonetheless significant issue is the funding of cyber security research and development. Researchers have established that departments and agencies outside of defense do not have dedicated research funds to apply to cyber security [3]. The security threats faced in the cyber domain need to be addressed with a coherent integrated and funded research program in advance of the threat and not just in reaction to it. 5. Cyber Security Frameworks Cyber security is important for competitiveness of organizations now that most of them have gone digital. In order to remain undisrupted, a deeper research on cyber security assessment was necessary. The paper identified some cyber security frameworks which are discussed in the subsequent sections.

4 5.1. Cyber Security Workforce Framework The National Initiative for Cyber security Education (NICE) is an interagency effort coordinated by the National Institute of Standards and Technology and focused on cyber security awareness, education, training and professional development [20]. NICE came up with the cyber security workforce framework. The framework organizes cyber security into seven categories, each comprising several specialty areas as follows: i. Securely Provision which is concerned with conceptualizing, designing, and building Information Technology systems. ii. Operate and Maintain which is responsible for providing the support, administration, and maintenance necessary to ensure effective and efficient Information Technology system performance and security. iii. Protect and Defend which is responsible for the identification, analysis, and mitigation of threats to internal Information Technology systems or networks. iv. Investigate which is responsible for the investigation of cyber events and/or crimes of Information Technology systems, networks, and digital evidence. v. Operate and Collect which is responsible for the highly specialized collection of cyber security information that may be used to develop intelligence. vi. Analyze which is responsible for highly specialized review and evaluation of incoming cyber security information to determine its usefulness for intelligence. vii. Support that provides support so that others may effectively conduct their cyber security work. This framework has limitations although it might have worked to satisfaction during the time it was developed. First, the cyber security workforce framework has put its emphasis on awareness which basically is through training. This ensures secure cyber infrastructure as explained in the framework. The framework has not considered the fact that the technologies are ever emerging rapidly which brings about the challenge of increased cyber security threats. For this reason, there must be adequate cyber security policies and standards which should be reviewed frequently. Also the framework has not considered the fact that threats do exploit vulnerabilities thus risk management strategy should be put into place. Furthermore the framework has not considered the fact that some cyber criminals like hawkers who have malicious intentions have a broad range of knowledge in the cyber security area. Thus cyber crime legislation was not put in place to bring the criminals to book. Then, for any cyber security initiative to be a success, there be a driving force which is sufficient funding. This framework has not presented any budget for the training U.S. GAO Cyber Security Framework The United States, General Accounting Office [21] puts it forth that the use of an overall cyber security framework that can assist in the selection of technologies to protect critical infrastructure against cyber attacks. It further proposes that an overall cyber security framework includes determining the business requirements for security and performing risk assessments. Also, establishing a security policy, implementing a cyber security solution and continuously monitoring and managing security are part of the framework [21]. Risk assessments, which are central to this framework, help organizations to determine which assets are most at risk and to identify countermeasures to mitigate those risks. Risk assessment is based on a consideration of threats and vulnerabilities that could be exploited to inflict damage.

5 The U.S GAO cyber security framework has considered the issue of security policies and standards. It has also presented the necessity for risk management because technologies are rapidly evolving for example the use of mobile computing and the cyber threats are on the rise. However, the framework stresses on putting risk management on the fore front but no end user education is considered which may lead to commitment of some cyber crimes due to lack of knowledge. The framework has too not presented review of the management structure that is whether it is centralized or decentralized because a centralized management structure brings about challenges like lack of team work thus no effective implementation of any initiative. Also, the framework does not consider assessment of the services provided by third party service providers like the internet service providers. This is because the services provided might create vulnerabilities which are exploited by cyber criminals. Also, cyber crime legislation to deal with cyber criminals is not presented and finally, funding, be it from insurance agencies or self for any cyber security initiative is not presented Framework for Assessing Cyber Security Initiatives in Africa A study on cyber security in Africa has established the need for measures which include standards and policies regarding the technical security measures, accreditation for said systems, legislation to criminalize cybercrime, international cybercrime legislation harmonization, and a national computer emergency and response team to provide these national security systems with analysis of potential vulnerabilities and quick incident response [8]. The security perspectives of these measures depend on their target organizations and systems. There should also be higher education cyber security programs provide increased opportunities for technical jobs and industry. They also serve as the necessary workforce for all cyber security initiatives across all of the security concerns. Also cyber security education for the end user helps individuals to protect their private information. The framework has well presented the need for awareness, cyber security policies and standards together with the cyber legislation. It has also considered the need for a computer emergency response team. However, it has not presented a review of the management structure because this contributes to implementation of effective cyber security assessment framework. Also, the paper has not presented whether there is assessment of services provide by third party service providers. Finally, no budget is reviewed to ensure sufficient funding available to initiate the cyber security assessment program. 6. Discussion Ensuring cyber security is a very important aspect both globally and to an organization in particular. Thus several researches have been going on to act as guides to cyber security assessment. Based on the review of the literature concerning the cyber security frameworks, several cyber security issues have been raised. This implies that there is much to be done in order to come up with an overall acceptable cyber security framework. In the cyber security workforce framework, the framework needs an inclusion of the cyber security policies that are to be reviewed frequently. Also a risk management plan should be put in place and implemented. The cyber crime legislation should be put in place to deal with the cyber criminals. Finally, a budget must be presented stating how much each cyber security initiative should be allocated. The U.S. GAO cyber security framework has stressed on the need for risk management without any consideration of the end user education. This proves cyber security measures to be unsuccessful because for success to be achieved, all levels of management must participate. Since there is no assessment of

6 services provided by third party service providers, then it is certain that some of the services provided are unsecure. Also cyber criminals can go unpunished because there is no cyber crime legislation. Finally, there is need to include the budget with sufficient funds. In the framework for assessing cyber security initiatives in Africa, it implies that effective cyber security is achievable without involving all the levels of management which can t be because the management structure is not presented. Also, services provided by the third party service providers need to be assessed for security. Finally, for any cyber security initiative to be successful, adequate funds must be available to support it. 7. Conclusions We have looked at the status of cyber security and the challenges encountered during implementation of cyber security programs. We have also looked at the existing cyber security frameworks after which we discussed the implications of these limitations in the previous section. Since all the frameworks had some limitations, this provides a basis on the need of further research on the cyber security assessment framework that will provide a lasting solution to the ever arising cyber security assessment challenge. 8. References [1] President's Information Technology Advisory Committee (PITAC). Cyber-Security: A Crisis of Prioritization. 2005, National Coordination Office for Information Technology Research and Development, Arlington, VA. [2] Billo, C. and Chang, W. "Cyber Warfare: An Analysis of the Means and Motivations of Selected Nation States". 2004, Institute for Security Technology Studies, Dartmouth College. [3] Blackburn, J.and Waters, G. Optimizing Australia's Response to the Cyber Challenge.Kokoda Foundation [4] United States, General Accounting Office. Technology assessment cybersecurity for critical infrastructure protection. 2004, Washington, D.C. U.S. General Accounting Office. [5] Fischer, E. A. Creating a National Framework for Cybersecurity: An Analysis of Issues and Options. 2005, Congress Research Service (CRS). [6] Australian Government. Cyber Security Strategy. 2009, Canberra:Attoney-General's Department; retrieved from Security+Strategy+-+for+ website.pdf/$file/ag+cyber+security+strategy+-+for+website.pdf, accessed 14 May [7] Gallaher, M. P., Link, N. A. and Rowe, R. B. Cyber Security. 2008, Cheltenham: Edward Elgar Publishing Limited. [8] Cole, K., Chetty, M., LaRosa, C., Rietta, F., Schmitt, D. and Goodman, S.E. Cybersecurity in Africa: An Assessment. 2008, Sam Nunn School of International Affairs, Georgia Institute of Technology Atlanta, GA US. [9] World Economic Forum. The Global Information Technology Report Available at Technology%20Report/index.htm [Accessed 7 March 2011]. [10] Muniandy, L. and Muniandy, B. State of Cyber Security and the Factors Governing its Protection in Malaysia. International Journal of Applied Science and Technology, (4). [11] Timbuong, J. Cybercrimes continue to rise Retrieved November 3, 2011, from continue-to-rise. [12] Itosno, S. Kenya: Cyber criminals becoming untamable. BiztechAfrica, 2012.

7 [13] Krebs, B. "Three Worked the Web to Help Terrorists". The Washington Post, [14] Sipress, A. 'An Indonesian's Prison Memoier Takes Holy War Into Cyberspace'. Washington Post 2004, 14 December, from [15] Allison, I. and Strangwick, C. Computer Security, Privacy and Politics: Current Issues, Challenges and Solutions. IRM Press, [16] Anderson, R. and Moore, T. "The Economics of Information Security." Science 314, 2006: [17] Bauer, M.J. and vaneeten, G.J. Cyber-Security: Stakeholders incentives, externalities and policy options.telecommunication Policy. 2009, 33 (10). [18] Dunn, M. A Comparative Analysis of Cybersecurity Initiatives Worldwide. WSIS ThematicMeeting on Cybersecurity (Geneva: International Telecommunications Union) [19] Dunn, M. Threat Frames in the US Cyber-Terror Discourse. British International Studies Association (BISA) conference. Warwick, [20] National Institute of Standards and Technology (NIST). Cybersecurity workforce framework issued for public comment. ScienceDaily, Retrieved July 26, 2012, from /releases/2011/11/ htm [21] United States, General Accounting Office. Technology assessment cybersecurity for critical infrastructure protection. Washington, D.C. U.S. General Accounting Office, 2004.