Cybercon 2 3 Cyber Security Governance and Cyber Crime Governance Prof Basie Von Solms


Cyber Security and Cyber Crime

Different sides of the same coin?

[Title slide graphic; only the presenter details are recoverable]

Prof Basie von Solms
Director: Center for Cyber Security
Academy for Computer Science and Software Engineering
University of Johannesburg

Mr Jaco du Toit
[email protected]

What is Cyber Security?

Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized
http://whatis.techtarget.com/definition/cybersecurity

A major part of Cyber Security is to fix broken software.

What is a Cyber Crime?

Cyber crime encompasses any criminal act dealing with computers and networks (called hacking). Additionally, cyber crime also includes traditional crimes conducted through the Internet.
http://www.webopedia.com/TERM/C/cyber_crime.html

A major attack vector of Cyber Crime is to exploit broken software.

A major part of Cyber Security is to fix broken software.

A major attack vector of Cyber Crime is to exploit broken software.

Common Factor: Broken Software

Let us investigate two aspects related to creating software:

Creating (and selling) broken software
Creating (and selling) massive untestable big software systems

Software security vulnerabilities are caused by defective specification, design, and implementation. Unfortunately, common development practices leave software with many vulnerabilities. To have a secure US cyber infrastructure, the supporting software must contain few, if any, vulnerabilities.
http://www.cigital.com/papers/download/secure_software_process.pdf

Public companies face material cyber security risks from weaknesses in the software applications they use to run their businesses.
http://www.veracode.com/images/pdf/software-related-cybersecurity-risks-publiccompanies.pdf?mkt_tok=3RkMMJWWfF9wsRonuqTLZKXonjHpfsX87u0uUK6g38431UFwdcjKPmjr1YIASMd0dvycMRAVFZl5nRpdCOGWc4RF

More and more hackers are targeting the same application vulnerabilities on Macs and Windows PCs as a way to reap the financial benefits of writing cross-platform malware.
The trend involves exploiting vulnerabilities that go as far back as 2009 in Office documents. Other cross-platform, third-party technologies favored by hackers include Java, Adobe PDF and Adobe Flash ... Microsoft security researcher Ferrer said.
http://www.csoonline.com/article/712640/hackers-increasingly-aim-for-crossplatform-vulnerabilities

Although targeted vulnerabilities may have already been patched by vendors, hackers bank on user negligence when it comes to installing software updates.
As an example, people are notoriously slow in installing Java patches to Windows PCs and Macs. As much as 60 percent of Java installations are never updated.
"All these un-updated applications on the desktop, whatever they may be, are low-hanging fruit. These are the easiest things to attack."
http://www.csoonline.com/article/712640/hackers-increasingly-aim-for-cross-platform-vulnerabilities

Let's investigate a few examples:

1. If a new application system is rolled out and customers suffer losses, in whatever form, because the system was not properly tested and inherent vulnerabilities were exploited by cyber criminals, have the developers and company officials committed cybercrime?
2. Is the process of rolling out systems software like operating systems, browser software etc., in which vulnerabilities appear which are exploited to the detriment of some user, an act of cybercrime?
3. Therefore, can the whole process of rolling out patches to existing software, i.e. repairing what was originally done wrong or badly, be seen as acts of cybercrime?

All 3 cases above resulted from bad software design (engineering).
In all 3 cases Cyber Security must come to the rescue!

I believe that cyber security policy must focus instead on solving the software security problem: fixing the broken stuff from the beginning (or not creating broken stuff) instead of simply watching the broken stuff and reporting when it is attacked.
We must refocus our energy on fixing the glass house we find ourselves in. We must begin to solve the software security problem.
Frankly, the target-rich environment filled with broken software makes it far too easy and tempting to misbehave criminally.
In the end, someone must pay for broken software and someone must be rewarded for good software.
http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems

VS Conclusion 1
Creating (and selling) broken software is a cyber crime!

Creating (and selling) broken software is a cyber crime.
Creating (and selling) massive untestable systems is a cyber crime.

Let's investigate:
How is cyber crime advanced by the complexity of software systems consisting of millions of lines of code, too big to comprehensively test?

It is tempting to believe that the only solution is to redouble our efforts to control complexity.
True enough, we should continue to construct better engineering solutions to each problem: reduce complexity, create more perfect firewalls, and better structure the interactions between all computers under our control.
But we must also understand that such measures are at best stopgaps. As Taher Elgamal points out, "The hard truth of network security is that while many approaches are good, no individual effort makes the network completely safe. Implement enough fixes, and you only succeed at making your network more complex and, hence, more ungovernable, with solutions that wind up acting at cross-purposes."
The same can be said for each of the other specialized tasks in managing complex computing systems.
To successfully improve the security of our computing systems, we will need to modify our systems at an architectural level.
http://www.evolutionofcomputing.org/Multicellular/OutOfControlComplexity.html

Cybercriminals use the Web to serve malicious content capable of compromising users' computers and running arbitrary code on them.
This has been made possible largely by the increased complexity of Web browsers and the resulting vulnerabilities that come with complex software.
http://queue.acm.org/detail.cfm?id=1517412

Analogy
"The Strategic Defense Initiative (SDI), commonly called Star Wars after the popular science fiction series, was a system proposed by U.S. President Ronald Reagan on March 23, 1983 to use space-based systems to protect the United States from attack by strategic nuclear missiles.
It was never implemented and research in the field tailed off after the end of the Cold War."

Analogy
Prof David Parnas, one of the pioneers in the development of Computer Science and Software Engineering, was at that time a consultant to the Office of Naval Research in Washington, and was one of nine scientists asked by the Strategic Defense Initiative Office to serve on the "panel on computing in support of battle management".

Analogy
Parnas resigned from this advisory panel on antimissile defense, asserting that it will never be possible to program a vast complex of battle management computers reliably or to assume they will work when confronted with a salvo of nuclear missiles.

Analogy
In his letter of resignation he said that it would never be possible to test realistically the large array of computers that would link and control a system of sensors, antimissile weapons, guidance and aiming devices, and battle management stations. Nor, he protested, would it be possible to follow orthodox computer program-writing practices in which errors and bugs are detected and eliminated in prolonged everyday use.

Analogy
"I believe," Professor Parnas said, "that it is our duty, as scientists and engineers, to reply that we have no technological magic that will accomplish that. The President and the public should know that."

Analogy
In 1984 (a year later) the ACM Council passed and published an important resolution. It begins:
"Contrary to the myth that computer systems are infallible, in fact computer systems can and do fail. Consequently, the reliability of computer-based systems cannot be taken for granted. This reality applies to all computer-based systems, but it is especially critical for systems whose failure would result in extreme risk to the public. Increasingly, human lives depend upon the reliable operation of systems such as air traffic and high-speed ground transportation control systems, military weapons delivery and defense systems, and health care delivery and diagnostic systems."

VS Conclusion 2
Creating (and selling) massive untestable big software systems is a cyber crime.

VS Conclusion 3
Cyber Security will be massively improved if there is less broken software.
Cyber Crime will be massively reduced if there is less broken software.

[Graph: axes labelled Cyber Crime and Cyber Security]
Decrease in broken software = Increase in good software

VS Graph - two sides of the same coin

The Coin: Broken/Complex Software
Cyber Security: One side of the coin
Cyber Crime: Other side of the coin

I believe that Government can and should play a role in building more secure systems. The US Government should develop incentives for vendors to build security in (to software) and break the endless loop.
Perhaps the government should even grant tax credits for creating better, more secure software.
http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems

We must penalize broken software and reward good software.
That will decrease Cyber Crime and increase Cyber Security!

Thanks
[email protected]
adam.uj.ac.za/csi
