This is part 3/4 of the whole paper
In all military art of operation asymmetry, deception and unconventional execution is a basis of planning. No single dominance can only outperform asymmetric opponent for longer period. When human being is a part of system, he is almost always the weakest link or single point of failure that may be exploited by adversary. Even though sustaining military secrets and complexity of post-modern societies makes effective attacks difficult, the basic principles of human behaviour are mostly known and thus exploitable. Defence of one’s information freedom does require asymmetric methods as well as attack and, since people believe the first information better than post-explanations, attack is often the best way of defence.
A very good example of asymmetry is the case with North Korea, who has been waging computer network attack against its opponents South Korea, Japan and USA for last four years. Although its own digitalization degree is very low, vulnerability for computer network attacks is diminutive and state propaganda machine has very strong grip of in-state information, they have built strong computer network attack arm that is launching information operations outside of their country. They infiltrate to information systems, inject malware in critical points utilizing zero day vulnerabilities and activate effects simultaneously like it was done on 20th of March 2013, when South Korean bank and media outlets were jammed and about 32 000 computers boot records were wiped out in ongoing operation called “DarkSeoul”. DarkSeoul operation is depicted in the following picture.
Picture 19: Four years of DarkSeoul activity explained by Symantec.com
This is a typical asymmetric strategy, when attacking society itself is almost immune to IO, but their opponents are very vulnerable. Attacks are further disguised to come from different parts of Internet and it has taken long time from global security companies to gather factual evidences on North Korea malevolent actions. Attacker has also improved their attack profiles as defender has increased their countering capabilities. Both have learned from other similar operations elsewhere in Internet.
Picture 20: IDC estimate on how volume of information will grow but number of IT professionals is not increasing in proportion
IT-architecture is changing roughly every 5 years. If one follows computing architectures during last 30 years there are following waves of change:
Although information and telecommunications technology is changing fast, hence it is more difficult to build lasting countermeasures, it opens also new avenues and vulnerabilities to be exploited by attacker. More complex interrelationships between people and machines create opportunities for attack and Internet becomes so integrated, big and important, that there is problems to patch vulnerabilities of the very core protocols and functions.
Information defence has a main problem with dynamic structure of the defended assets. Legislation and policies tend to be too late, because technology and utilization of information is changing so quickly, opening new possibilities for humans and machines to interact and process information. Information and ICT -systems are interconnected globally creating an entirely new space of cyberage. The Cyberspace without nationality, without international legislation, pervading to each part of living from human birth to death. This is making citizens, states, industry, economy and defence more dependent on ICT-technology and Information Assurance (Confidentiality, Integrity and Availability) than any time before.
Information Management has been the major enhancer of productivity in private enterprises and public organizations. The Information Technology structure has changed with technical innovations, but also with business integration requirements:
Information and information processing has become an essential part of any business from agriculture to art. Information is a part of almost all products, information is needed in production phase and sometimes information is also raw material as seen in next picture.
Picture 21: Information and ICT has changed both business, governance and living within last three decades
Knowledge working in Information society supported by eGovernance and living provided by eCommerce are post-modern phenomena. Digital transactions between entities has become a standard. Strategic supply chain management of networked companies has become advantage in global markets. Almost every product includes information. This requires interagency, inter-enterprise and international agreements on how to exchange information between organizations in value adding chain depicted in next picture.
Picture 22: Networked society needs defined rules of information exchange between entities
These agreements are based on either standards or increasingly on "de facto" policies of:
Co-operation between entities with different status and role ends up with weak value chains, where weakest link will define the sustainability of whole supply chain. Strengthening the chain against information operations requires common practices of:
Picture 23: This is showing the evolution of value chain’s ICT-services where autonomous organizations gradually integrate in supply chain and finally out-source their ICT to either hub organization of their chain or to third party like specialized ICT-service provider or cloud service provider.
Information and other immaterial assets are more important to all functions of society. Some nations and coalitions have constructed common criteria and security auditing functions to build equally followed security culture. Still there is a need to include security chapters that are followed through value chain with common ability to conduct synchronized counter measures against any hostile or malevolent action.
Picture 24: Enterprise security and business continuation approach that focused on physical security.
Physical boundaries have been main base for almost all security measures. Different inter-limited areas have created clear zones of access and areas to manage confidential information. Military have especially utilized this to utmost with structures to prevent all kinds of emission to extend to outsiders (TEMPEST), minimizing all connections out from their camps, shred all their paper waste, grind their used data storage devices and prevent any cameras or electronic devices to be brought in premises for easy content capturing.
Value added networks, force integration and supply chains have made it impossible to sustain site centered onion security structure. While virtual value chain of entities at same maturity level will increase their joint value exponentially according Metcalf’s law, there is also the Beach’s law expressing that with unequal entities the vulnerability of chain is increasing also exponentially as number of entities is growing expressed in next picture. This makes it understandable to outsource Information Services to 3rd party and simultaneously equal all shareholders Information Assurance at same level. When one service provider is offering ICT-services from cloud i.e. shared platform and application structure, a question is risen of trust and crosstalk between different clients on the same platform.
Picture 25: Beach’s law of increasing vulnerability with growing number of entities in chain
Virtual value chain has risks in six qualities of information assurance which are confidentiality, possession, integrity, authenticity, availability and utility. To achieve in sustaining these qualities the ISO/IEC 27002:2005 Code of practice for information security management recommends the following be examined during a risk assessment session: security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management, and regulatory compliance.
When integrated value chain is out-sourcing their ICT-services to cloud computing service provider, information assurance is implemented within one technical structure, but facilities, people, information content and procedure measures are still to be aligned. Cloud Computing security reference architecture points that there may be 3rd party auditor who inspects and analyses security, privacy and performance issues of each cloud provider or broker as seen in next picture.
Picture 26: Cloud Computing Security Reference Architecture according to NIST.
Furthermore it is important to understand that in cloud computing there is Main provider, a Hub, and then there are subcontractors or operators in a chain of ICT-service providers. Thus Cloud Brokering is essential to manage subcontracted services like communications services, information content services, transaction brokering services, etc. In this model ICT Hub is responsible of maintaining security and business continuation according contract with customer. If this co-operation network is intensive and defined as strategic then there are three qualities in value chain that are better in crises than basic contracted task. First there might be collective action that is intentionally developed and managed inter-organizational co-operation between stake holders in a value chain. Second there might be value driven management that is leading organizational values towards integration rather than fragmentation or differentiation of chain. Third there might be long history of practised co-operation along all levels of organizational interaction, which has amalgamated their behaviour and assumptions to a level of matrix co-operation culture that extends over all boundaries of hierarchical organizations.
Attacking against technical Cloud Structure might be done for example via software, hardware or physical avenues. The software attack is at most cost-efficient if program patching or version delivery can be misused to distribute malevolent patch or software update. This was the case in Iraq operation early 1990’s when malevolent software was distributed via virus detection fingerprint updates. Thus man-in-the-middle attack is most probable and service provider’s programmable electronics maintenance system should be audited and specially secured.
Hardware attack may be more costly and at best requires arrangements in advance. There are possibilities that some foreign sale integrated circuits do include back doors to provide access to manufacturer to prohibit use of IC. Other theories claim that by manipulating IC-production process, a change in thickness of lead inside circuit can affect random generator within each circuit. There has also been alleged misuse of hardware provider chain for Iranian nuclear plants in famous STUXNET-case, where retailer injected malevolent software to devices that were used in controlling centrifuges. Normally hardware attack is requiring resources and time not to be very cost-effective, but maybe security devices like encryption machines or key delivery systems might be valuable targets.
The physical destruction has been main measure in both operations of U.S. lead alliance attack against Iraq command and control of their defence systems. In operation Iraqi Freedom A-day deliveries more than 500 cruise missile strikes and about 700 aircraft strikes, carried out across Iraq, went after command and control, communications, and Republican Guard headquarters and facilities. If computing and communications grid is not distributed enough, few nodes are fixed, recognisable and vulnerable targets not only directly but also indirectly through electricity, sewer or air conditioning systems.
To be continued...
3. ABOUT INFORMATION DEFENCE OF GLOBALISED SOCIETY
In all military art of operation asymmetry, deception and unconventional execution is a basis of planning. No single dominance can only outperform asymmetric opponent for longer period. When human being is a part of system, he is almost always the weakest link or single point of failure that may be exploited by adversary. Even though sustaining military secrets and complexity of post-modern societies makes effective attacks difficult, the basic principles of human behaviour are mostly known and thus exploitable. Defence of one’s information freedom does require asymmetric methods as well as attack and, since people believe the first information better than post-explanations, attack is often the best way of defence.
A very good example of asymmetry is the case with North Korea, who has been waging computer network attack against its opponents South Korea, Japan and USA for last four years. Although its own digitalization degree is very low, vulnerability for computer network attacks is diminutive and state propaganda machine has very strong grip of in-state information, they have built strong computer network attack arm that is launching information operations outside of their country. They infiltrate to information systems, inject malware in critical points utilizing zero day vulnerabilities and activate effects simultaneously like it was done on 20th of March 2013, when South Korean bank and media outlets were jammed and about 32 000 computers boot records were wiped out in ongoing operation called “DarkSeoul”. DarkSeoul operation is depicted in the following picture.
Picture 19: Four years of DarkSeoul activity explained by Symantec.com
This is a typical asymmetric strategy, when attacking society itself is almost immune to IO, but their opponents are very vulnerable. Attacks are further disguised to come from different parts of Internet and it has taken long time from global security companies to gather factual evidences on North Korea malevolent actions. Attacker has also improved their attack profiles as defender has increased their countering capabilities. Both have learned from other similar operations elsewhere in Internet.
3.1 Information technology as target
Information technology itself is a very dynamic target. Processor capacity is doubling every 18 months according Moore’s law. Since software has become very complex interactive entities, there are more mistakes and possible vulnerabilities, thus software providers have to publish new versions every month or at least twice a year to patch their products. Amount of digital information in world is multiplied by 3.6 every year as shown in following picture by IDC.Picture 20: IDC estimate on how volume of information will grow but number of IT professionals is not increasing in proportion
IT-architecture is changing roughly every 5 years. If one follows computing architectures during last 30 years there are following waves of change:
- Early computing before 1980's utilized centralized computer ending with mainframes with virtual structures. Users were using terminals i.e. only screen and keyboard and connected to mainframes by data communications when all processing was done in centralized computers.
- 1980 to 1990's integrated circuits and personal computing enabled distribution of processing and software. Even mainframe tasks were distributed by local servers usually serving only one function. Application development was driven by singular functions of administration or industrial process, which ended up having several information systems within enterprise doing each tiny bit of processing in isolated stovepipes.
- 2000's saw first attempts to integrate separate systems in to larger entities to cut down the amount of manual data re-typing and integration costs. Enterprise resources management started to centralize computing again with thinner clients using n-Tier -structured applications and cloud computing (new version of mainframe computing) was introduced in Internet domain.
- 2010's is seeing cloud computing continuing strongly but new wave of distributed computing is being invented. Internet of devices is being defined and plenty of research is done in peer-to-peer communications and computing between different machines.
- 2020 might see IT-architecture extending to networked devices (to TV's, car's, wearable devices, domestic devices), knowledge improved industry, personal information management (digital real time diary) to name couple of examples. It is either more networked society between people and machines or the wave will change towards closed information societies.
Although information and telecommunications technology is changing fast, hence it is more difficult to build lasting countermeasures, it opens also new avenues and vulnerabilities to be exploited by attacker. More complex interrelationships between people and machines create opportunities for attack and Internet becomes so integrated, big and important, that there is problems to patch vulnerabilities of the very core protocols and functions.
3.2 Information as an asset for industry, governance and military force
Information structures and containers have changed as well:- From files in folders to documents in web pages
- From file downloads to live data streams
- From files to relation databases and further to web-service structured information services.
Information defence has a main problem with dynamic structure of the defended assets. Legislation and policies tend to be too late, because technology and utilization of information is changing so quickly, opening new possibilities for humans and machines to interact and process information. Information and ICT -systems are interconnected globally creating an entirely new space of cyberage. The Cyberspace without nationality, without international legislation, pervading to each part of living from human birth to death. This is making citizens, states, industry, economy and defence more dependent on ICT-technology and Information Assurance (Confidentiality, Integrity and Availability) than any time before.
Information Management has been the major enhancer of productivity in private enterprises and public organizations. The Information Technology structure has changed with technical innovations, but also with business integration requirements:
- During 1980 - 1990 Metaframe information processing was distributed to function specific servers and applications. Information was modelled within single function and stored in relational databases. Interoperability was done manually, mainly retyping information from papers or printouts to other systems. Information was processed mainly locally because connecting sites with high capacity networks was just happening. Security was accomplished mainly by physical and personal security measures in fixed locations.
- During 2000 function based data processing was integrated into branch, division or enterprise level systems. First Enterprise Resource Planning systems was implemented and extended internationally. Digital transactions (EDI..., X.400, ANSI X12) between companies were established to improve integrity of information and speed up interaction. Information models got complex and federated models was introduced. Information assets concentrated to big systems and their integrity and availability become issue. Information Assurance focused mainly on systems security and implementing security controls and devices.
- During 2010 integration went further. Enterprise Resource Management Systems were built and networked with other enterprises by transaction broker services utilizing XML-structures (XML, SOAP). Information processing systems become n-Tier structured, strong identification and role based access was introduced. Users went mobile with mobile IP and roaming over multichannel access. Clients become thinner (browser) and personal terminals were multipurpose (business, pleasure, social media together in same device). Information process is faster allowing Business Intelligence kind of applications, which make information even more valuable for business.
- Towards 2020 integration of machines, enterprises and people to effective systems is a quest. Information is handled as a service with address, metadata and other features and issued as a service (Semantic web, SOAP). Business knowledge is defined with ontologies that create a bases for technical systems artificial intelligence. Information processing perceives all other technical systems. Information integration opens new possibilities in all levels of life.
Information and information processing has become an essential part of any business from agriculture to art. Information is a part of almost all products, information is needed in production phase and sometimes information is also raw material as seen in next picture.
Picture 21: Information and ICT has changed both business, governance and living within last three decades
Knowledge working in Information society supported by eGovernance and living provided by eCommerce are post-modern phenomena. Digital transactions between entities has become a standard. Strategic supply chain management of networked companies has become advantage in global markets. Almost every product includes information. This requires interagency, inter-enterprise and international agreements on how to exchange information between organizations in value adding chain depicted in next picture.
Picture 22: Networked society needs defined rules of information exchange between entities
These agreements are based on either standards or increasingly on "de facto" policies of:
- Architecture of datawarehouses, where all needed data is collected into huge base and structured with one data model. Or there might be virtual integration, where data remains where it is been stored originally and queried only just-on-time for different needs.
- how to connect gateways and do transaction brokering between entities
- what wrappers, containers or schemas to utilize when querying and transferring data
- how to protect data in between entities from man-in-the-middle intrusion
- how to agree and certify that data has been delivered and responsibility is handed over to other party according to contract
- copyrights, data ownership and responsibilities with coming with that, data integrity and non-repudiation policies between organizations.
- how to update appendixes of contract, service level agreements (SLA) or operator level agreements (OLA) with sanctions etc.
Co-operation between entities with different status and role ends up with weak value chains, where weakest link will define the sustainability of whole supply chain. Strengthening the chain against information operations requires common practices of:
- Security policies on how to manage secure information at same level of risk through whole chain of entities
- Enforce similar policy (legislation or norms) for every participant of the chain. This is for example case in NATO and EU where same security levels and main requirements for each level is given to each nation by declarations. This gives national security authorities (NSA) the common criteria and authorization to approve and control security measures of both public and private sectors of that country.
- Extend enterprise level information system of the hub of value chain with appropriate security to all partners, providers and stake holders of the network.
- Have trust for each singular organizations own abilities to maintain security in technical, policy and cultural levels. One may also utilize third party auditors for sequential inspections to ensure of shared security level.
- Computer Emergency Response Team (CERT) practices on how to confront cyber crises when they appear and how to continue working around problem. All organization based CERT-teams should co-operate together in really flat matrix to be swiftly response to incidents or create synchronized proactive plan to tackle with existing vulnerabilities.
- Labelling information content similarly in every organization through the chain of value. Sometimes this is done nationally with national security legislation and agreed also internationally. If this is not the case, then agreement must be included into contract between all parties.
- Similar security labelling is a base for equal information assurance measures, where people have adapted common culture, especially in cross domain situations, when information is changed manually. Same labelling and categorization of information enable individuals continue information management at similar security level.
- Utilization of similar security measures and systems through whole chain of organizations or consortium to be able to maintain similar level of security. This is increasingly done by common application service provider or cloud service provider as depicted in following picture.
Picture 23: This is showing the evolution of value chain’s ICT-services where autonomous organizations gradually integrate in supply chain and finally out-source their ICT to either hub organization of their chain or to third party like specialized ICT-service provider or cloud service provider.
- At national or global enterprise level these ICT-service providers are very important for continuation of main business and in governmental approach also main targets for malevolent functions since service downtimes will lose money and immaterial assets. Thus business continuation management should consider thoroughly all force majeure chapters of contracts with ICT-service or cloud providers.
Information and other immaterial assets are more important to all functions of society. Some nations and coalitions have constructed common criteria and security auditing functions to build equally followed security culture. Still there is a need to include security chapters that are followed through value chain with common ability to conduct synchronized counter measures against any hostile or malevolent action.
3.3 Information Assurance of a virtual value chain
Information Assurance, IA and Business Continuation Management, BCM used to concentrate on triad of CIA (Confidentiality, Integrity and Availability) with emphasis on confidentiality and have simple seven measure approach to protect these qualities with onion structure, where physical measures were main solutions. This approach is depicted in next picture.Picture 24: Enterprise security and business continuation approach that focused on physical security.
Physical boundaries have been main base for almost all security measures. Different inter-limited areas have created clear zones of access and areas to manage confidential information. Military have especially utilized this to utmost with structures to prevent all kinds of emission to extend to outsiders (TEMPEST), minimizing all connections out from their camps, shred all their paper waste, grind their used data storage devices and prevent any cameras or electronic devices to be brought in premises for easy content capturing.
Value added networks, force integration and supply chains have made it impossible to sustain site centered onion security structure. While virtual value chain of entities at same maturity level will increase their joint value exponentially according Metcalf’s law, there is also the Beach’s law expressing that with unequal entities the vulnerability of chain is increasing also exponentially as number of entities is growing expressed in next picture. This makes it understandable to outsource Information Services to 3rd party and simultaneously equal all shareholders Information Assurance at same level. When one service provider is offering ICT-services from cloud i.e. shared platform and application structure, a question is risen of trust and crosstalk between different clients on the same platform.
Picture 25: Beach’s law of increasing vulnerability with growing number of entities in chain
Virtual value chain has risks in six qualities of information assurance which are confidentiality, possession, integrity, authenticity, availability and utility. To achieve in sustaining these qualities the ISO/IEC 27002:2005 Code of practice for information security management recommends the following be examined during a risk assessment session: security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management, and regulatory compliance.
When integrated value chain is out-sourcing their ICT-services to cloud computing service provider, information assurance is implemented within one technical structure, but facilities, people, information content and procedure measures are still to be aligned. Cloud Computing security reference architecture points that there may be 3rd party auditor who inspects and analyses security, privacy and performance issues of each cloud provider or broker as seen in next picture.
Picture 26: Cloud Computing Security Reference Architecture according to NIST.
Furthermore it is important to understand that in cloud computing there is Main provider, a Hub, and then there are subcontractors or operators in a chain of ICT-service providers. Thus Cloud Brokering is essential to manage subcontracted services like communications services, information content services, transaction brokering services, etc. In this model ICT Hub is responsible of maintaining security and business continuation according contract with customer. If this co-operation network is intensive and defined as strategic then there are three qualities in value chain that are better in crises than basic contracted task. First there might be collective action that is intentionally developed and managed inter-organizational co-operation between stake holders in a value chain. Second there might be value driven management that is leading organizational values towards integration rather than fragmentation or differentiation of chain. Third there might be long history of practised co-operation along all levels of organizational interaction, which has amalgamated their behaviour and assumptions to a level of matrix co-operation culture that extends over all boundaries of hierarchical organizations.
Attacking against technical Cloud Structure might be done for example via software, hardware or physical avenues. The software attack is at most cost-efficient if program patching or version delivery can be misused to distribute malevolent patch or software update. This was the case in Iraq operation early 1990’s when malevolent software was distributed via virus detection fingerprint updates. Thus man-in-the-middle attack is most probable and service provider’s programmable electronics maintenance system should be audited and specially secured.
Hardware attack may be more costly and at best requires arrangements in advance. There are possibilities that some foreign sale integrated circuits do include back doors to provide access to manufacturer to prohibit use of IC. Other theories claim that by manipulating IC-production process, a change in thickness of lead inside circuit can affect random generator within each circuit. There has also been alleged misuse of hardware provider chain for Iranian nuclear plants in famous STUXNET-case, where retailer injected malevolent software to devices that were used in controlling centrifuges. Normally hardware attack is requiring resources and time not to be very cost-effective, but maybe security devices like encryption machines or key delivery systems might be valuable targets.
The physical destruction has been main measure in both operations of U.S. lead alliance attack against Iraq command and control of their defence systems. In operation Iraqi Freedom A-day deliveries more than 500 cruise missile strikes and about 700 aircraft strikes, carried out across Iraq, went after command and control, communications, and Republican Guard headquarters and facilities. If computing and communications grid is not distributed enough, few nodes are fixed, recognisable and vulnerable targets not only directly but also indirectly through electricity, sewer or air conditioning systems.
To be continued...
No comments:
Post a Comment