Are we designing cybersecurity to protect people from malicious actors?

This blogpost is based on a paper written for the International Conference on Human Systems Engineering and Design: Future Trends and Applications (IHSED 2018). 

Abstract


When the discussion turns to engaging people to take an active approach to cybersecurity, there is a focus on ensuring they protect their devices from malware and control access to their devices. There is a lesser focus on providing the education and awareness needed to identify potential attacks from malicious actors. At the moment technology and software companies focus on protecting devices and not the people directly. This is due to a need to protect data from malware and unauthorised access. The conversation surrounding cybersecurity and data protection has come to the fore again due to the EU General Data Protection Regulation 2016/679 (GDPR) and hardware design flaws that include the Intel Spectre bug. This paper will look at four areas. The first is the basic phishing attack, along with malware and ransomware. The second area is compromised devices, which includes cryptojacking and distributed denial of service (DDoS) attacks. The third area is swatting attacks, looking at experiences in America and Europe, which include privacy protection, spoofing and fraud. The fourth area is the problem of online sextortion and revenge porn, which includes entrapment, grooming, limited education and awareness. A gap analysis will examine what is being done in cybersecurity in these areas and what needs to be done to achieve better cybersecurity protection for people from malicious actors. Finally, the question of whether we are designing cybersecurity to protect people from malicious actors will be answered.



Introduction
  • Definition: cybersecurity refers to the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorised access.
  • At the moment the focus is on protecting devices and not people directly; people gain protection indirectly.
  • Looking at different types of attacks will show “where we are” (the present state) and “where we want to be” (the target state).


For the most part it can be adequate, until it's not. The question is whether a failure in cybersecurity has led to loss of human life. The paper and this blog post take the view that failure of cybersecurity has already led to the loss of human life, though there will be people who take the opposite view.



Phishing, malware and ransomware

  • Phishing is untargeted, mass email sent to many people asking for sensitive information (such as bank details) or encouraging them to visit a fake website.
  • Malware, short for malicious software, is a term that includes viruses, trojans, worms or any code or content that could have an adverse impact on organisations or individuals.
  • Ransomware is a specific group of malicious software that makes data or systems unusable until the victim makes a payment, often by encrypting the storage devices of computers and other devices that have been infected.
  • Doxing is when anyone finds or seeks out someone's personal private information and publicly publishes it for everyone to see. Motives can range from boredom to malice; doxing victims can range from people the doxxer knows personally to public figures they have never met but detest. Above all, doxxers hide behind Internet anonymity.
  • The advice given to prevent these types of attacks is to follow best security practices, but given a determined attacker and human error these can still be very effective attacks against end-users.
  • There is a paradox: even when best security practice is followed, the way the internet works, by encouraging the sharing and dissemination of information, creates the conditions for these attacks to happen.


Cryptojacking and DDOS

  • Cryptojacking is the technique of hijacking browsers for mining cryptocurrency without user consent.
  • It can also be carried out through malware and infecting IoT devices. 
  • A DDoS attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.  
  • It can also be viewed as a form of ransomware because payment is often demanded to either stop the attack or prevent it from occurring. 
  • If standards of security are not increased or implemented in IoT devices, the size and scale of these attacks will only increase, which would lead to increasing loss of money and function for end-users while the malicious actors would receive greater profits from these attacks.
  • Consequences of no action: disrupted online payments; limited or no access to online services, which could be critical as more critical public services move online; compromised ability to share information and take action; limited means to respond to a crisis.

They target a wide variety of important resources, from banks to news websites, and present a major challenge in making sure people can publish and access important information. 

  • The cryptocurrency threat has lessened as prices have crashed and regulators and lawmakers have played catch-up with the technology. But as it remains linked to criminal activity, the problem of preventing cryptojacking will never go away.
  • DDoS attacks will continue to evolve and have now moved from hackers and organised crime into a means for countries to carry out hybrid warfare against opponents.

Swatting

  • FBI definition: the use of technology to deceptively cause a heightened emergency and law enforcement response.
  • These attacks originated in the USA, due to the militarised police response units (SWAT teams), hence swatting.
  • Game streamers or hackers would target rivals. It has led to people being seriously injured and killed, with the people who committed the swatting being charged with manslaughter.
  • Swatting is not just linked to gaming but also to attacks on charities and other groups.
  • It doesn’t just happen in the USA. Attacks have occurred in the UK, Germany and France. Swatters target people in the US but live in other countries including Canada, Finland, etc.
  • Swatting’s link to cybersecurity is that the acts an individual often relies on to carry out a successful attack, which include DDoS and doxing (publishing personal data of a victim), are typical forms of cyber-attack and thus require cybersecurity measures to prevent them from happening.

A broad sweep of felonies under swatting includes fraud, misusing communications, reporting a false incident to police, criminal harassment, public mischief and extortion.

Including schools, places of work, etc. This has made prosecution difficult when an attack occurs in the US but the perpetrator lives in another country. Often these incidents involve minors, so when warrants or extradition requests are issued they can’t be acted upon, since countries will not extradite minors. In Finland, swatters have been questioned by the police there and cautioned, or have had restrictions placed on them, but due to being minors have never been arrested or charged. Though if they decide to travel to the States they would likely be arrested due to outstanding warrants on them.

Online Sextortion and Revenge Porn


  • FBI definition: a serious crime that occurs when someone threatens to distribute a person’s private and sensitive material if they don't provide the perpetrator with images of a sexual nature, sexual favours, or money.
  • Online predators work to gain the trust of the targeted victim by pretending to be someone they are not. Predators look for their prey by lurking in chat rooms and recording users who post or live-stream sexually explicit images and videos of themselves, or they may hack into a targeted victim’s electronic devices using malware to gain access to their files and control their web camera and microphone without them knowing it.

Findings of a EUROPOL Report


  • Victim Profile: Any person whose sexual material a perpetrator has acquired.
    • Usually female where perpetrators are sexually motivated.
    • Usually male where perpetrators are financially motivated.
  • The characteristics in cases of online sexual coercion and extortion affecting children: the naivety of the victims; the absence of parental control; willingness to share self-generated sexual content; a significant amount of time spent online each day; use of social networks and other ways of online communication; befriending strangers; sexualised conversations with strangers; lack of technical knowledge.
  • Offender Profile Sexual Motivation: Male.
    • Operates alone but trades the acquired content.
    • May act at both international and national level.
    • Activity driven by knowledge of languages.
    • Targets female victims.
    • May know the victim in person.
    • Goal to obtain sexual material.
  • Offender Profile Financial Motivation: Both genders. 
    • Members of an organised criminal enterprise.
    • Operates in teams based in developing countries.
    • May act at both international and national level.
    • Targets male victims in countries linked by language.
    • Does not know the victim in person.
    • Main goal: to obtain money.


The issues surrounding online sextortion don’t at first seem to be linked to cybersecurity or cyber-attacks, because cybersecurity doesn’t take into account malicious actors targeting specific people but focuses more on protecting devices and securing data. But if you take a holistic view of connected devices, services and people, the relationships are people-people, people-things, and things-things. This means you need to bring into the cybersecurity toolkit the means to protect people from malicious actors regardless of the type of attack and the means by which it is carried out.

Recommendations


  • There needs to be a pro-active approach to identifying malicious actors, sites and hosts, to stop the spreading and sharing of malware and stolen data before they affect potential victims.
  • Technology and service companies need to better identify and block fraudulent accounts. This will prevent malicious users or actors from setting up new accounts when previous accounts are blocked. 
  • We examine how to bring deterrence into the cyber domain in the same way law enforcement takes action to deter people from committing crime.

We are slowly moving in this direction but it varies between countries and service providers.

  • To reiterate, a pro-active approach to removing threats and preventing them from proliferating is required instead of the current reactive approach. This is the same approach which is used in public health to stop or prevent outbreaks, or how public vaccination programmes work.
  • This is due to the fact that end-users who are concerned about cybersecurity are most likely to take action, while the users who need protection are least likely to take the necessary action. These are the design challenges in cybersecurity to provide protection for all end-users.

Though, as with the analogy to public health, there needs to be a certain level of critical mass before such measures become truly effective: the herd-immunity principle. Also, they are not a silver bullet; they require work and resources to be maintained and to remain effective. The majority of the time in cybersecurity it seems too many are looking for or promoting a silver bullet, which will always be inadequate to the task.

Conclusion
  • To the question “Are we designing cybersecurity to protect people from malicious actors?” the answer is no. There is still a focus on hardware, devices, software and data.
  • Though if the best practice of secure by design and default is followed, it goes a long way to protecting the end-user.
  • In the long term, how cybersecurity is implemented should improve and lead to a safer environment which protects devices, data and people equally from all types of attacks.
  • This is being driven by GDPR, the NIS Directive, the upcoming ePrivacy Regulation and the growing cyber insurance industry.




