Fluent Essays

Read the attached paper and write a research summary, in two sections Overall summary What you would like to add or change to the conclusion section   APA format, two references, 1000 words minimum Journal of Computer and System Sciences 80 (2014) 973–993 Contents lists available at ScienceDirect Journal of Computer and System Sciences www.elsevier.com/locate/jcss A survey of emerging threats in cybersecurity Julian Jang-Jaccard, Surya Nepal ∗ CSIRO ICT Centre, Australia a r t i c l e i n f o a b s t r a c t Article history: Received 25 September 2012 Received in revised form 15 March 2013 Accepted 27 August 2013 Available online 10 February 2014 Keywords: Cybersecurity Malware Emerging technology trends Emerging cyber threats Cyber attacks and countermeasures The exponential growth of the Internet interconnections has led to a significant growth of cyber attack incidents often with disastrous and grievous consequences. Malware is the primary choice of weapon to carry out malicious intents in the cyberspace, either by ex- ploitation into existing vulnerabilities or utilization of unique characteristics of emerging technologies. The development of more innovative and effective malware defense mech- anisms has been regarded as an urgent requirement in the cybersecurity community. To assist in achieving this goal, we first present an overview of the most exploited vulner- abilities in existing hardware, software, and network layers. This is followed by critiques of existing state-of-the-art mitigation techniques as why they do or don’t work. We then discuss new attack patterns in emerging technologies such as social media, cloud comput- ing, smartphone technology, and critical infrastructure. Finally, we describe our speculative observations on future research directions. Crown Copyright © 2014 Published by Elsevier Inc. All rights reserved. 1. Introduction Our society, economy, and critical infrastructures have become largely dependent on computer networks and information technology solutions. Cyber attacks become more attractive and potentially more disastrous as our dependence on informa- tion technology increases. According to the Symantec cybercrime report published in April 2012 [17], cyber attacks cost US$114 billion each year. If the time lost by companies trying to recover from cyber attacks is counted, the total cost of cyber attacks would reach staggering US$385 billion [17]. Victims of cyber attacks are also significantly growing. Based on the survey conducted by Symantec which involved interviewing 20,000 people across 24 countries, 69\% reported being the victim of a cyber attack in their lifetime. Symantec calculated that 14 adults become the victim of a cyber attack every second, or more than one million attacks every day [105]. Why cyber attacks flourish? It is because cyber attacks are cheaper, convenient and less risky than physical attacks [1]. Cyber criminals only require a few expenses beyond a computer and an Internet connection. They are unconstrained by geography and distance. They are difficult to identity and prosecute due to anonymous nature of the Internet. Given that attacks against information technology systems are very attractive, it is expected that the number and sophistication of cyber attacks will keep growing. * Corresponding author. E-mail addresses: [email protected] (J. Jang-Jaccard), [email protected] (S. Nepal). http://dx.doi.org/10.1016/j.jcss.2014.02.005 0022-0000/Crown Copyright © 2014 Published by Elsevier Inc. All rights reserved. http://dx.doi.org/10.1016/j.jcss.2014.02.005 http://www.ScienceDirect.com/ http://www.elsevier.com/locate/jcss mailto:[email protected] mailto:[email protected] http://dx.doi.org/10.1016/j.jcss.2014.02.005 http://crossmark.crossref.org/dialog/?doi=10.1016/j.jcss.2014.02.005&domain=pdf 974 J. Jang-Jaccard, S. Nepal / Journal of Computer and System Sciences 80 (2014) 973–993 Fig. 1. Vulnerabilities and defense strategies in existing systems. Cybersecurity concerns with the understanding of surrounding issues of diverse cyber attacks and devising defense strategies (i.e., countermeasures) that preserve confidentiality, integrity and availability of any digital and information tech- nologies [18]. • Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems. • Integrity is the term used to prevent any modification/deletion in an unauthorized manner. • Availability is the term used to assure that the systems responsible for delivering, storing and processing information are accessible when needed and by those who need them. Many cybersecurity experts believe that malware is the key choice of weapon to carry out malicious intends to breach cybersecurity efforts in the cyberspace [12]. Malware refers to a broad class of attacks that is loaded on a system, typically without the knowledge of the legitimate owner, to compromise the system to the benefit of an adversary. Some exemplary classes of malware include viruses, worms, Trojan horses, spyware, and bot executables [15]. Malware infects systems in a variety of ways for examples propagation from infected machines, tricking user to open tainted files, or alluring users to visit malware propagating websites. In more concrete examples of malware infection, malware may load itself onto a USB drive inserted into an infected device and then infect every other system into which that device is subsequently inserted. Malware may propagate from devices and equipments that contain embedded systems and computational logic. In short, malware can be inserted at any point in the system life cycle. Victims of malware can range anything from end user systems, servers, network devices (i.e., routers, switches, etc.) and process control systems such as Supervisory Control and Data Acquisition (SCADA). The proliferation and sophistication of fast growing number of malware is a major concern in the Internet today. Traditionally, malware attacks happened at a single point of surface amongst hardware equipments, software pieces or at network level exploiting existing design and implementation vulnerabilities at each layer. Rather than protecting each asset, the perimeter defense strategy has been used predominantly to put a wall outside all internal resources to safeguard every- thing inside from any unwanted intrusion from outside. The majority of perimeter defense mechanism utilizes firewall and anti-virus software installed within intrusion prevention/detection systems. Any traffic coming from outside is intercepted and examined to ensure there is no malware penetrating into the inside resources. General acceptance of this perimeter defense model has occurred because it is far easier and seemingly less costly to secure one perimeter than it is to secure a large volume of applications or a large number of internal networks. To give more defined access to certain internal re- sources, the access control mechanisms have been used in conjunction with the perimeter defense mechanism. On top of perimeter defense and access control, accountability is added to identify or punish for any misbehaviors, as represented in Fig. 1. However, the combined efforts of perimeter defense strategy have been found to be increasingly ineffective as the advancement and sophistication of malware improves. Ever evolving malware always seems to find loopholes to bypass the perimeter defense altogether. We describe in details the most common exploitations in the three distinct layers of existing information system at hardware, software and network layers. We then discuss the pros and cons of the most representative defense mechanisms that have been used in these layers. Malware evolves through time capitalizing on new approaches and exploiting the flaws in the emerging technologies to avoid detection. We describe a number of new patterns of malware attacks present in the emerging technologies. In choosing emerging technologies for illustration, we focus a few that have changed the way we live our daily life. These include social media, cloud computing, smartphone technology, and critical infrastructure. We discuss unique characteristics of each of these emerging technologies and how malware utilizes the unique characteristics to proliferate itself. For example, social media, such as social networking sites and blogs, are now an integral part of our life style as many people are journaling about their life events, sharing news, as well as making friends. Realizing its potential to connect millions people at one go, adversaries use social media accounts to befriend unsuspecting users to use as vehicles for sending spam to the victim’s friends while the victim’s machine is repurposed into a part of botnet. Cloud computing paradigm allows the J. Jang-Jaccard, S. Nepal / Journal of Computer and System Sciences 80 (2014) 973–993 975 Fig. 2. Types of malware and mediums to spread them [101]. use of computer resources like utilities where the users pay only for the usage without having to set up any upfront expense or requiring any skills in managing complex computing infrastructure. The growing trove of data concentrated in the cloud storage services is now attracting attackers. In June 2012, attackers compromised Distributed Denial of Service (DDoS) mitigation service on CloudFlare by using flaws in AT&T’s voicemail service for its mobile users; similarly, Google’s account-recovery service for its Gmail users [19]. With the subjected growth by 2 billion smartphone users by 2015, a significant growth in mobile malware has been witnesses in recent times. For example, the number of unique detections of malware for Android increased globally by 17 times in 2012 from the previous year [107]. There is also growing concerns in cyber threats to critical infrastructure such as electricity grids and healthcare systems to use in terrorism, sabotage and information warfare. Apart from investigating exploitations through unique characteristics in the selected emerging technologies, we also discuss general malware attack patterns appear in them to understand the methods and trends of the new attacks. Finally, we provide our speculative observations as where future research directions are heading. These include: (1) pri- vacy concerns to safeguard increasing volumes of personal information entered in the Internet, (2) requirement to have a new generation of secure Internet from scratch with careful consideration of the subjected growth and usage patterns which was not the case with the internet we use today, (3) trustworthy system whose fundamental architecture is different from their inception to withstand from ever evolving malware, (4) being able to identify and trace the source of attacks assisted by the development of global scale identity management system and traceback techniques, and (5) a strong emphasis on usable security to give individuals security controls they can understand and control. The remainder of the article is organized as follows. Section 2 provides an insight of the malware. Section 3 provides an overview on how malware penetrates in exiting systems and efforts to mitigate any existing vulnerabilities exploited by adversaries. Section 4 reviews emerging approaches to malware infiltration and discusses the general attack patterns and methods. Section 5 discusses future research directions we identified; this will be followed by concluding remarks in Section 6. 2. Malware as attack tool In early days, malware was simply written as experiments often to highlight security vulnerabilities or in some cases to show off technical abilities. Today, malware is used primarily to steal sensitive personal, financial, or business information for the benefit of others [129,131]. For example, malware is often used to target government or corporate websites to gather guarded information or to disrupt their operations. In other cases, malware is also used against individuals to gain personal information such as social security numbers or credit card numbers. Since the rise of widespread broadband Internet access that is cheaper and faster, malware has been designed increasingly not only for the stealth of information but strictly for profit purposes [130]. For example, the majority of widespread malware have been designed to take control of user’s computers for black market exploitation such as sending email spam or monitoring user’s web browsing behaviors and displaying unsolicited advertisements. Based on Anti-Phishing group report [101], there was a total of 26 million new malware reported in 2012. Fig. 2 describes relative proportions of the types of new malware samples identified in the second half of 2012 reported by the Anti-Phishing group. According to this report, Trojans continued to account for most of the threats in terms of malware counting as the number grows spectacularly. In 2009, Trojans were reported to have made up 60 percent of all malware. In 2011, the number has jumped up to 73 percent. The current percentage indicates that nearly three out of every four new malware strains created in 2011 were Trojans and shows that it is the weapon of choice for cyber criminals to conduct network intrusion and data stealing. 976 J. Jang-Jaccard, S. Nepal / Journal of Computer and System Sciences 80 (2014) 973–993 Fig. 3. Common attacks and examples of countermeasures in existing system. Malware authors use a number of different intermediaries to spread malware to infect a victim’s system. Traditionally, spam, phishing and web download have been the most commonly used mediums for the purpose. – Spam refers to sending irrelevant, inappropriate and unsolicited messages to thousands or millions of recipients. Spam has turned out to be a highly profitable market since spam is sent anonymously with no costs involved beyond the management of mailing lists. Due to such low barrier to entry, spammers are numerous, and the volume of unsolicited mail has grown enormously. In the year 2011, the estimated figure for spam messages is around seven trillion [2]. This figure includes the cost involved in lost productivity and fraud, and extra capacity needed to cope with the spam. Today, most widely recognized form of spam is email spam. According to the Message Anti-Abuse Working Group report [1], between 88–92\% of email messages sent in the first half of 2010 carried spam. – Phishing is a way of attempting to acquire sensitive information such as username, password or credit card details by masquerading as a trustworthy entity. Most phishing scams rely on deceiving a user into visiting a malicious web site claiming to be from legitimate businesses and agencies. Unsuspecting user enters private information in the malicious web site which is then subsequently used by malicious criminals. Most methods of phishing use some form of technical deception designed to make a link in an email (and spoofed website) appear to belong to a legitimate organization, such as well known bank. Misspelled URLs or the use of sub-domains are common tricks used by phishers. The Anti-Phishing technical report [101] stated that, there was a visible trend of phishers in 2011 to hide their intentions by avoiding the use of obvious IP host to host their fake login pages. Instead the phishers preferred to host on a compromised domain to avoid detection. It is reported that there was 16 percent drop in the number of phishing URLs containing the spoofed company name in the URL. These combined trends show how phishers are adapting as users becoming more informed and knowledgeable about the traits of a typical phish. – Drive-by Downloads concerns the unintended downloads of malware from the Internet and have been increasingly used by the attackers to spread malware fast. Drive-by downloads happen in a variety of situations; for example, when a user visits a website, while viewing an email message by user or when users click on a deceptive pop-up window. However, the most popular drive-by downloads occur by far when visiting websites. An increasing number of web pages have been infected with various types of malware. According to Osterman Research survey [3], 11 million malware variants were discovered by 2008 and 90\% of these malware comes from hidden downloads from popular and often trusted websites. Before a download takes place, a user is first required to visit the malicious site. To lure the user into visiting a website with malicious content, attackers would send spam emails that contain links to the site. When unsuspecting user visits the malicious website, malware is downloaded and installed in the victim’s machine without the knowledge of the user. For example, the infamous Storm worm makes use of its own network, multiple of infected computers, to send spam emails containing links to such attack pages [102]. 3. Exploiting existing vulnerabilities Once malware is carried out to the victim’s system, cyber criminals could utilize many different aspects of existing vulnerabilities in the victim’s system further to use them in their criminal activities. We examine most commonly exploited existing vulnerabilities in hardware, software, and network systems. This is followed by the discussion on existing efforts that have been proposed to mitigate negative impacts from the exploitations. The summary of the common attacks in the hardware, software and network layers are presented along with the examples of countermeasures in Fig. 3. 3.1. Hardware Hardware is the most privileged entity and has the most ability to manipulate a computing system. This is the level where it has the potential to give attackers considerable flexibility and power to launch malicious security attacks if the hardware is compromised [23,24]. Compare to software level attacks where many security patches, intrusion detection tools, J. Jang-Jaccard, S. Nepal / Journal of Computer and System Sciences 80 (2014) 973–993 977 and anti-virus scanners exist to detect malicious attacks periodically, many of the hardware-based attacks have the ability to escape such detection. Taking advantage in lack of tools support in hardware detection, the hardware-based attacks have been reported to be on the rise [23]. Among different types of hardware misuse, hardware Trojan is the most hideous and common hardware exploits [24]. The hardware Trojans are malicious and deliberately stealthy modification made to electronic devices such as Integrity Circuits (IC) in the hardware [25]. The hardware Trojans have a variety of degrees which cause different types of undesirable effects. A hardware Trojan might cause an error detection module to accept inputs that should be rejected. A Trojan might insert more buffers in the chip’s interconnections and hence consume more power, which in turn could drain the battery quickly. In more serious case, Denial-of-Service (DoS) Trojans prevent operation of a function or resource. A DoS Trojan can cause the target module to exhaust scarce resources like bandwidth, computation, and battery power. It could also physically destroy, disable, or alter the device’s configuration, for example, causing the processor to ignore the interrupt from a specific peripheral. Illegal clones of hardware become source of hardware-based exploitation since the chances of illegally counterfeited hardware to contain malicious backdoor or hardware Trojans increase. The chance to produce unauthentic hardware has increased with a new trend in IT companies trying to reduce their IT expense via outsourcing and buying off untrusted hardware from online sites. Karri et al. [26] discusses how today’s IT model of outsourcing has contributed to the increased chance of producing tampered hardware components from untrusted factories in the foreign countries. Similarly, it is also pointed out that IT companies often buy untrusted hardware such as chipsets and routers from online auction sites or resellers which in turn may contain harmful hardware-based Trojans. These practices are not only problematic for IT com- panies operated on the tampered hardware with potential backdoor entry, it also increases the chance that the original design and the details of internal states of system to be leaked to unauthorized personnel. Side channel attacks occur when adversaries gain information about a system’s internal states by the examination of physical information of device such as power consumption, electromagnetic radiation and timing information of data in and out of CPU. Sensitive data can be leaked via the results of such side channel attacks. An approach has been reported in [22] that examines a number of way cryptographic algorithm’s secret key leaked as a result of analyzing radio frequency. A number of techniques have been proposed to thwart attacks on hardware level. Tamper-resistant hardware devices have become an important consideration due to its criticality as an entry point to the overall system security. Trusted Platform Module (TPM) provides cryptographic primitives and protected storage along with the functionality to exchange tamper resistant evidence with remote servers [29–31,28]. The term Trusted Computing Base (TCB) has been defined to refer to parts of a system, the set of all hardware and software components, to be critical to the overall security of the system. The TCB must not contain any bugs or vulnerabilities occurring inside because this might jeopardize the security of the entire system. An exhaustive and rigorous examination of its code base is conducted through computer-assisted software audit or program verification to ensure the security of TCB. In a hardware watermarking, the ownership information is embedded and concealed in the description of a circuit preventing the host object from illegal counterfeit. Hardware Obfuscation is a technique to modify the description or the structure of electronic hardware to intentionally conceal its functionality [22]. These techniques are used to prevent adversaries from obtaining the original design or counterfeiting /cloning important parts of the hardware such as IC units. Some of the countermeasures to count against side channel attacks includes introducing noises so that the physical information cannot be directly displayed, filtering some parts of physical information, and making/blinding which seeks to remove any correlation between the input data and side channel emission [23,24]. 3.2. Software defects A software bug is the common term used to describe an error, flaw, mistake, or fault in a computer program such as internal OS, external I/O interface drivers, and applications [103]. Cyber attacks utilize the software bugs in their benefits to cause the systems to behave unintended ways that are different from their original intent. The majority of cyber attacks today still occur as a result of exploiting software vulnerabilities caused by software bug and design flaws [104]. Software-based exploitation occurs when certain features of software stack and interface is exploited. Most common software vulnerabilities happen as a result of exploiting software bugs in the memory, user input validation, race conditions and user access privileges [40,39,42]. Memory safety violations are performed by attackers to modify the contents of a memory location. Most exemplary technique is buffer overflow. The buffer overflow occurs when a program tries to store more data in a buffer than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. It allows attackers to interfere into existing process code. Input validation is the process of ensuring that the input data follows certain rules. Incorrect data validation can lead to data corruption such as seen in SQL injection. SQL injection is one of the most well known techniques that exploit a program bug in a website’s software. An attacker injects SQL commands from the web form either to change the database content or dump the database information like credit cards or passwords to the attacker. Adversary exploits a flaw in a process where the output of the process is unexpectedly and critically dependent on the timing of other events. The time of check to time of use is a bug caused by changes in a system between the checking of a condition and the use of the results of that check. It is also called exploiting race condition error. Privilege confusion is an 978 J. Jang-Jaccard, S. Nepal / Journal of Computer and System Sciences 80 (2014) 973–993 act of exploiting a bug by gaining elevated access to resources that are normally protected from an application or user. The result is that adversaries with more privileges perform unauthorized actions such as accessing protected secret keys. In the programming community, a number of projects have been initiated that are devoted to increasing the security as a major goal [36–38]. Not only attending to fix inherent common set of security flaws, the primary concern of these projects is to provide new ideas in an attempt to create a secure computing environment. In a code review-based secure coding practice, software engineers identify common programming errors that lead to software vulnerabilities, establish standard secure coding standards, educate software developers, and advance the state of the practice in secure coding. In a language-based secure coding practice, techniques are developed to ensure that programs can be relied on not to violate important security policies. The most widely used techniques include analysis and transformation. A well-known form of analysis is “type checking” where the program detects any unsafe type of objects before the program is run. Another well-known form of program transformation is the addition of runtime checks where the program is instrumented in a way that prevents the program from making any policy-violating transformation [42]. Code obfuscation is a process of producing source or machine code that has been made difficult to understand for humans [43,44]. Programmers often deliberately obfuscate code to conceal its purpose or its logic to prevent any possibility with reverse engineering. Secure design and development cycle has also been proposed in [41,27] which provides a set of design techniques enabling efficient verification that a piece of system component is free of any potential defects from its original design. Though they are not straightforward approaches, formal methods provide the ability to comprehensively explore the design and identify intricate security vulnerabilities. Tools [34,35] and techniques [32,33] have been developed to facilitate the verification of mission critical security properties. These tools and techniques help to translate higher-level security objectives into a collection of atomic properties to be verified. 3.3. Network infrastructure and protocol vulnerabilities The early network protocol was developed to support entirely different environment we have today in a much smaller scale and often does not work properly in many situations it is used today. Weaknesses in network protocols are complicated when both system administrators and users have limited knowledge of the networking infrastructure [46,47]. For example, the system administrators do not use efficient encryption scheme, do not apply recommended patches on time, or forget to apply security filters or policies. One of the most common network attacks occurs by exploiting the limitations of the commonly used network protocols Internet Protocol (IP), Transmission Control Protocol (TCP) or Domain Name System (DNS) [14]. The IP is the main protocol of the network layer. It provides the information needed for routing packets among routers and computers of the network. The original IP protocol did not have any mechanism to check the authenticity and privacy of data being transmitted. This allowed the data being intercepted or changed while they are transmitted over unknown network between two devices. To prevent the problem, IPSec was developed to provide encryption of IP traffic. In many years, IPSec has been used as one of the main technology for the creation of a virtual private network (VPN) which creates a secure channel across the Internet between a remote computer and a trusted network (i.e., company intranet). TCP sits on top of the IP to transmit the packets in reliable (i.e., retransmitting lost packets) and ordered delivery of the packets. SSL was originally developed to provide end-to-end security, as oppose to only layer-based protocol, between two computers which sits over the transmission control protocol (TCP). SSL/TLS is commonly used with http to form https for secure Web pages. The domain name server (DNS) is the protocol that translates the human-readable host names into 32-bit Internet protocol (IP) addresses. It is essentially works as a directory book for the Internet telling routers to which IP address to direct packets when the user gives a url. Because DNS replies are not authenticated, an attacker may be able to send malicious DNS messages to impersonate an Internet server. Another major concern about DNS is its availability. Because a successful attack against the DNS service would create a significant communication disruption in the Internet, DNS has been the target of several Denial-of-Service (DoS) attacks. Cryptography is an essential tool to protect the data that transmits between users by encrypting the data so that only in- tended users with appropriate keys can decrypt the data. Cryptography is the most commonly used mechanism in protecting data. A survey conducted by Computer …