11Security Threats
6. The risk of theft and data loss is lowered (though not gone) because the data are maintained and processed in the cloud.
1.7 Cyber Physical Systems
Cyber physical systems (CPS) integrate cyber, computational, and physical components to provide mission-critical systems. Examples are smart electricity grids, smart transportation, and smart medical technology. These systems are "smart" because they collect sensitive information from their environment and use it to act on that environment. But precisely because CPS are so widely deployed and are built on integrated computers and networks, they are exposed to cyber security threats.
A CPS must not only be usable but also safe and secure, because the loss of security for a CPS can "have significant negative impact including loss of privacy, potential physical harm, discrimination, and abuse" (Banerjee et al. 2011). The first step in securing a CPS is being aware of the cyber attacks that may affect the system. The smart grid, for example, needs to provide the following security properties (Govindarasu, Hahn, and Sauer 2012):
1. Confidentiality: protection of the information from unauthorized disclosure
2. Availability: the system/information remains operational when needed
3. Integrity: protection of the system/information from unauthorized modification
4. Authentication prior to access, limiting access to authorized individuals only
5. Nonrepudiation, where the user or system is unable to deny responsibility for a previous action
CPS are relatively young; thus, as these systems are being designed, we need to keep in mind the components necessary to uphold these security properties.
1.8 Theft
You not only need to improve your security posture to protect against hackers, but you also need to monitor the activities of your own employees. It is difficult to imagine that someone you trusted enough to hire would steal
12 What Every Engineer Should Know About Cyber Security
from you, but as we know this happens every day. Consider a situation where making and selling a specific food product contributes most of a company's revenue. None of the company's competitors have been able to duplicate this product, so the recipe is guarded and only a few people have access to it. One of the people who knows this trade secret announces that she is leaving and gives the impression that she is retiring; her actual plan, however, is to work for a competitor. The security team determined from analyzing her system activity that she had begun accessing confidential files and storing them on a flash drive in the weeks prior to her departure.
Another example was described in the "Report to Congress on Foreign Economic Collection and Industrial Espionage." In this situation, an employee downloaded a proprietary paint formula valued at $20 million that he planned to deliver to his new employer in China. Just recently it was discovered at the University of South Carolina Health and Human Services that an employee e-mailed himself over 200,000 patient records. These examples show that sometimes it is the authorized users who cause the data breaches. There are many ways to protect against theft, which will be discussed in Chapters 3 and 4.
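An added example (my code, not the book's) of the kind of system-activity analysis the departing-employee case above describes, written from the monitoring side: it scans a constructed audit log and flags users whose copies of confidential files to removable media have jumped above their own earlier baseline. The log format, the `/confidential/` path convention, and the thresholds are assumptions.

```python
"""Insider data-theft check (added example, not from the book).
Assumption: an endpoint audit log, one event per line, in the constructed
format '<ISO date> <user> <action> <path> <local|removable>'; files under
/confidential/ are the trade secrets.  Flags users whose confidential copies
to removable media in the last N days jump above their own baseline."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample log, not real data: alice starts copying in April.
SAMPLE_LOG = """\
2012-03-01 alice COPY /confidential/recipe_v3.docx local
2012-03-05 alice COPY /public/newsletter.pdf removable
2012-04-02 alice COPY /confidential/recipe_v3.docx removable
2012-04-10 alice COPY /confidential/supplier_list.xlsx removable
2012-04-15 alice COPY /confidential/process_notes.txt removable
2012-04-18 alice COPY /confidential/recipe_v4.docx removable
2012-03-03 bob COPY /confidential/recipe_v3.docx local
2012-04-12 bob COPY /public/holiday_schedule.pdf removable
"""

def parse_log(text):
    events = []  # (date, user, action, path, dest); malformed lines skipped
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        day, user, action, path, dest = parts
        events.append((date.fromisoformat(day), user, action, path, dest))
    return events

def flag_exfil_candidates(events, as_of, recent_days=30, min_recent=3, ratio=3.0):
    """Return {user: (recent_count, baseline_per_30_days)} for users whose recent
    confidential->removable copies exceed a floor and a multiple of their own rate."""
    cutoff = as_of - timedelta(days=recent_days)
    recent, baseline, first_seen = defaultdict(int), defaultdict(int), {}
    for day, user, action, path, dest in events:
        first_seen[user] = min(day, first_seen.get(user, day))
        if action == "COPY" and dest == "removable" and path.startswith("/confidential/"):
            (recent if day > cutoff else baseline)[user] += 1
    flagged = {}
    for user, n in recent.items():
        span_days = max((cutoff - first_seen[user]).days, 1)  # baseline window length
        base_rate = baseline[user] * 30.0 / span_days         # normalised to 30 days
        if n >= min_recent and n > ratio * max(base_rate, 1.0):  # floor avoids 0-baseline noise
            flagged[user] = (n, round(base_rate, 2))
    return flagged

def run_sample():
    """Evaluate the constructed log as of 2012-04-20: alice is flagged, bob is not."""
    return flag_exfil_candidates(parse_log(SAMPLE_LOG), date(2012, 4, 20))
```

In practice the thresholds would be tuned per role, and a flag like this is a lead for a human review of the user's activity, not proof of theft.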
In the Hewlett-Packard 2012 "Cyber Risk Report," researchers determined the risk trends for cyber security. For example, the number of newly disclosed vulnerabilities had increased 19 percent from 2011. These vulnerabilities come from every angle, such as web applications, legacy technology, and mobile devices. For example, the skyrocketing mobile device sales in 2012 brought with them a similar number of mobile application vulnerabilities. Mobile device applications alone have seen a 787 percent increase in vulnerability disclosures. Understanding a company's technical security risk begins with knowing how and where the vulnerabilities occur within the organization (Hewlett-Packard 2013).
References
Baker, S. January 2010. In the crossfire: Critical infrastructure in the age of cyber war. McAfee, http://resources.mcafee.com/content/NACIPReport.
Banerjee, A., Venkatasubramanian, K., Mukherjee, T., and Gupta, S. 2012. Ensuring safety, security, and sustainability of mission-critical cyber-physical systems. Proceedings of the IEEE 100 (1).
Buyya, R., Broberg, J., and Goscinski, A. 2010. Cloud computing principles and paradigms. New York: John Wiley & Sons.
Carnegie Mellon, Software Engineering Institute. November 2010. Trusted computer in embedded systems. http://www.cert.org/tces/pdf/archie%20andrews.pdf (accessed May 1, 2012).
Enck, W., Gilbert, P., Chun, B., Cox, L., Jung, J., McDaniel, P., and Sheth, A. 2010. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. OSDI.
FBI (Federal Bureau of Investigation). 2012. New e-scams & warnings. http://www.fbi.gov/scams-safety/e-scams (accessed May 24, 2012).
Georgia Tech. October 18, 2011. Smartphones' accelerometer can track strokes on nearby keyboards. http://www.gatech.edu/newsroom/release.html?nid=71506 (accessed June 21, 2012).
Govindarasu, M., Hahn, A., and Sauer, P. May 2012. Cyber-physical systems security for smart grid. Power Systems Engineering Research Center, publication 12-02.
Grace, N. 2012. FCC Advisory Committee adopts recommendations to minimize three major cyber threats, including an anti-bot code of conduct, IP route hijacking industry framework and secure DNS best practices. http://www.fcc.gov/document/csric-adopts-recs-minimize-three-major-cyber-threats (accessed June 22, 2012).
Hewlett-Packard Development Company. March 2013. HP 2012 cyber risk report, white paper. http://www.hpenterprisesecurity.com/collateral/whitepaper/HP2012CyberRiskReport_0313.pdf (accessed April 9, 2013).
Hurlburt, G., Voas, J., and Miller, K. 2011. Mobile-app addiction: Threat to security? IT Professional 13:9–11.
IBM. September 2011. IBM X-Force 2011 mid-year trend and risk report. http://www-935.ibm.com/services/us/iss/xforce/trendreports/ (accessed June 1, 2012).
Internet Crime Complaint Center. 2011. 2011 Internet crime report. http://www.ic3.gov/media/annualreport/2011_IC3Report.pdf (accessed December 28, 2012).
Jansen, W., and Grance, T. December 2011. Guidelines on security and privacy in public cloud computing. Special publication 800-144, http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf.
Kaplan, D. 2008. Google Docs flaw could allow others to see personal files. SC Magazine, September 16, 2008, http://www.scmagazine.com/Google-Docs-flaw-could-allow-others-to-see-personal-files/article/116703/?DCMP=EMC-SCUS_Newswire (accessed June 1, 2012).
Laplante, P., and DeFranco, J. 2010. Another ode to paranoia. IT Professional 12:57–59.
Lipson, H. 2002. Tracking and tracing cyber-attacks: Technical challenges and global policy issues. Special report CMU/SEI-2002-SR-009.
Long, J. 2008. No tech hacking: A guide to social engineering, dumpster diving, and shoulder surfing. Burlington, MA: Syngress.
Luscombe, B. August 2011. 10 questions for Kevin Mitnick. http://www.time.com/time/magazine/article/0,9171,2089344-1,00.html (accessed May 18, 2012).
Mandiant. January 2013. APT1: Exposing one of China's cyber espionage units. www.mandiant.com (accessed April 10, 2013).
McAfee Labs. 2012. Threats report: First quarter 2012. http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2012.pdf (accessed June 22, 2012).
Mell, P., and Grance, T. September 2011. The NIST definition of cloud computing. Special publication 800-145, http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.
Mitnick, K., and Simon, W. 2002. The art of deception. New York: Wiley Publishing.
Mokey, N. 2010. Wallpaper apps swiped personal details off Android phones. Digital Trends, July 19, 2010. http://www.digitaltrends.com/mobile/wallpaper-apps-swiped-personal-details-off-android-phones/ (accessed May 18, 2012).
Nakashima, E. 2010. More than 75,000 computer systems hacked in one of largest cyber attacks, security firm says. Washington Post, February 19, 2010.
Office of the Director of National Intelligence. October 2011. Foreign spies stealing US economic secrets in cyberspace—Report to Congress on foreign economic collection and industrial espionage. http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf (accessed May 24, 2012).
Rantala, R. 2008. Cybercrime against businesses, 2005. Bureau of Justice Statistics special report, US Department of Justice, revised October 27, 2008.
Rogers, D. 2012. How phone hacking worked and how to make sure you're not a victim. nakedsecurity, July 8, 2012, http://nakedsecurity.sophos.com/2011/07/08/how-phone-hacking-worked/ (accessed June 1, 2012).
Sonne, P. 2012. News Corp. faces wave of phone-hacking cases. Wall Street Journal, June 1, 2012. http://online.wsj.com/article/SB10001424052702303640104577440060134799828.html (accessed June 1, 2012).
US Congress. February 2004. Annual report to Congress on foreign economic collection and industrial espionage—2003, NCIX 2004-1003. http://www.fas.org/irp/ops/ci/docs/2002.pdf (accessed May 24, 2012).
US Department of Justice, Federal Bureau of Investigation. n.d. Business travel brochure. http://www.fbi.gov/about-us/investigate/counterintelligence/business-brochure (accessed May 24, 2012).
Weiner, Z. 2012. Hacking. http://www.smbc-comics.com/ [2/20/12].
Wilson, C. n.d. 15-year-old admits hacking NASA computers. http://abcnews.go.com/Technology/story?id=99316&page=1 (accessed June 17, 2012).