
Human Dimensions of Cybersecurity

Terry Bossomaier, Steven D'Alessandro, and Roger Bradbury

CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2020 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

International Standard Book Number-13: 978-1-138-59040-3 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data

Names: Bossomaier, Terry R. J. (Terry Richard John), author. | D'Alessandro, Steven, author. | Bradbury, R. H. (Roger H.), author.
Title: Human dimensions of cybersecurity / by Terry Bossomaier, Steven D'Alessandro, Roger Bradbury.
Description: Boca Raton : CRC Press, [2020] | Includes bibliographical references and index. | Summary: "The book identifies the technological features that give rise to security issues. It describes the structure of the Internet and how it is compromised by malware, and examines some of the more common security issues. It then looks at aspects of human persuasion and consumer choice, and how these affect cybersecurity. It argues that social networks and the related norms play a key role as does government policy, as each impact on individual behavior of computer use. The book identifies the most important human and social factors that affect cybersecurity. It illustrates each factor using case studies, and examines possible solutions from both technical and human acceptability viewpoints" – Provided by publisher.
Identifiers: LCCN 2019038924 (print) | LCCN 2019038925 (ebook) | ISBN 9781138590403 (hardback) | ISBN 9780429490989 (ebook)
Subjects: LCSH: Computer security – Case studies. | Computer security – Social aspects. | Computer networks – Security measures. | Data protection. | Computer security – Government policy.
Classification: LCC QA76.9.A25 B6395 2020 (print) | LCC QA76.9.A25 (ebook) | DDC 005.8 – dc23
LC record available at https://lccn.loc.gov/2019038924
LC ebook record available at https://lccn.loc.gov/2019038925

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com
and the CRC Press Web site at http://www.crcpress.com

Contents

Foreword ... xi
Preface ... xiii
Glossary ... xv
List of Cyber Nuggets ... xxiii
Authors ... xxvii

1 Introduction ... 1
1.1 That Could Have Been Me ... 1
1.2 A Brief History of Cybersecurity ... 3
1.2.1 The German Celebrity Hack ... 5
1.2.2 The Australian Parliamentary Hack ... 6
1.3 The Big Picture ... 6
1.4 Overview ... 7

2 Case Studies ... 9
2.1 Denial of Service ... 9
2.1.1 Motivation and Frequency of DoS Attacks ... 12
2.1.2 Preventing and Countering a DoS Attack ... 13
2.2 Ransomware ... 18
2.2.1 WannaCry ... 18
2.2.2 Petya and NotPetya ... 20
2.3 Check Before You Send: Business Email Compromise (BEC) Attacks ... 22
2.3.1 Blockchain Land Titles ... 24
2.4 When Too Much Concern over Cybersecurity Is Too Much: Opting Out of My Health Records in Australia ... 24
2.5 Corporate Data Breaches ... 26
2.5.1 Supply Chain Attacks ... 26
2.5.2 Illustrative Floods ... 27
2.5.2.1 Guard Your CV ... 27
2.5.2.2 The Equifax Hack ... 27
2.5.2.3 Don't Organize an Affair Online ... 28
2.5.2.4 Flood Prevention ... 28
2.6 The Nation State and Cybersecurity: Firewalls, Friends, and Enemies ... 29
2.6.1 The Great Firewall, Golden Shield, and the Great Cannon of China ... 29
2.6.2 Social Credits Anyone? ... 30
2.7 Encryption: The Government Is Your Friend but Not Always Your Best Friend ... 31
2.7.1 Can the Law of the Land Defeat the Law of Mathematics? ... 31
2.7.2 Who Watches the Watchers and the Impact on the Economy ... 33
2.8 Cambridge Analytica ... 33
2.9 Trampling over Transport Layer Security ... 36
2.10 Beware the Insider ... 37

3 Networks and Norms ... 41
3.1 Introduction ... 42
3.2 Mindsets ... 42
3.3 Social Networks ... 44
3.3.1 Some Elementary Graph Theory ... 44
3.3.1.1 Small Worlds ... 44
3.3.1.2 Scale-Free Networks ... 45
3.3.1.3 Network Motifs ... 47
3.3.2 Some Measures on Networks ... 47
3.3.2.1 Clustering and Assortativeness ... 47
3.3.2.2 Betweenness Centrality ... 47
3.3.2.3 Modularity ... 48
3.3.3 Network Discovery ... 49
3.3.4 Using and Transforming Networks ... 50
3.3.5 Friends of Friends ... 50
3.3.6 Secure Networks ... 51
3.4 Social Norms ... 51
3.4.1 Emergent versus Agreed Norms ... 52
3.4.2 Trends and Social Media Marketing ... 53
3.4.3 Some Adverse Social Norms in Cybersecurity ... 53
3.4.3.1 Terms and Conditions ... 53
3.4.3.2 Data Security ... 54
3.4.3.3 Cyber Hygiene ... 55
3.4.3.4 Distributed Trust ... 56
3.4.3.5 Slack Email ... 56
3.4.3.6 Good and Bad Advice ... 56
3.4.3.7 The Ups and Downs of Virtual Private Networks ... 57
3.4.3.8 Data Fragility ... 57
3.5 Modularity in Cybersecurity ... 58
3.5.1 Concluding Comments ... 59

4 Consumer Choice ... 61
4.1 Introduction ... 62
4.2 Cybersecurity as Predicted by Demographics ... 63
4.3 Cybersecurity and the Theory of Reasoned Action ... 65
4.4 Motivation To Avoid Harm (MTAH) and Cybersecurity ... 67
4.5 The Technology Acceptance Model (TAM) and the Adoption of New Technologies in Cybersecurity ... 70
4.6 Social and Situational Factors in Cybersecurity ... 72
4.6.1 Trust and Risk in the Online Environment ... 72
4.6.2 Cybersecurity as Predicted by Personality ... 73
4.6.3 Stress and Time Pressures on Users ... 73
4.6.4 Information Overload ... 74
4.7 Improving the Security Behavior of Users ... 74
4.7.1 A Need for a Systematic Approach to Cybersecurity ... 75

5 Risk Perspectives in Cybersecurity ... 77
5.1 Introduction ... 77
5.2 Costs and Occurrences of Cyberattacks as of 2018 ... 78
5.3 Types of Threats and Their Associated Risks ... 80
5.3.1 Threats by Source of Attack ... 80
5.3.2 Threats by Type of Attack ... 83
5.3.2.1 DDoS Attacks ... 84
5.3.2.2 Middleware Attacks ... 86
5.3.2.3 Spoofing Attacks ... 86
5.3.2.4 Social Engineering Attacks ... 87
5.3.2.5 Advanced Persistent Threat (APT) ... 90

6 Government Policy and Statecraft in Cybersecurity ... 93
6.1 Legal Frameworks and Their Effects on Reducing Risk ... 94
6.2 Accreditation and National Frameworks to Reduce Cyber-Risks ... 98
6.2.1 CBEST ... 101
6.2.2 Framework for Improving Critical Infrastructure Cybersecurity or the National Institute of Standards and Technology (NIST) Framework ... 103
6.2.3 The Australian Signals Directorate Essential Eight ... 108
6.3 Other Approaches to Corporate Governance to Reduce Cyber-Risk ... 111
6.4 Cyber Warfare ... 112
6.5 Conclusion and Recommendations ... 112

7 Technical Perspectives ... 115
7.1 Public–Private Key (PPK) Cryptography ... 116
7.2 Some Preliminary Concepts ... 116
7.2.1 Asymmetric Cyphers ... 117
7.2.2 Diffie–Hellman, with Apologies to Mary Poppins ... 118
7.2.2.1 Numerical Example ... 119
7.2.3 The RSA Algorithm ... 119
7.2.3.1 The Really Hairy Part ... 121
7.2.4 Elliptic Curve Cryptography (ECC) ... 122
7.3 Symmetric Encryption ... 123
7.3.1 Advanced Encryption Standard (AES) ... 124
7.3.2 Stream Cyphers ... 124
7.4 Keys Galore ... 124
7.4.1 Communication Keys ... 125
7.4.2 Good and (Very) Bad Signatures ... 126
7.4.3 Antiencryption Legislation ... 127
7.5 Passwords ... 127
7.5.1 The Password File ... 128
7.5.2 Good Passwords ... 129
7.5.3 Password Managers/Safes ... 130
7.5.3.1 Using the Browser ... 131
7.5.3.2 Rainbow Tables ... 132
7.5.3.3 Key Exchange Precomputation ... 133
7.5.3.4 Storing Passwords Locally ... 134
7.5.3.5 Online Password Safes ... 134
7.5.4 Two-Factor Identification ... 135
7.6 Biometrics ... 135
7.7 Basic Ideas of Computer Networks ... 136
7.7.1 Network Layers ... 137
7.7.1.1 Protocol Stacks. A Simple Analogy ... 137
7.7.1.2 Abstraction ... 138
7.7.1.3 TCP: The Transport Control Protocol ... 139
7.7.1.4 UDP: The User Datagram Protocol ... 139
7.7.1.5 The Application Layer ... 139
7.7.2 Addresses of All Sorts ... 139
7.7.2.1 IP Addresses for the Internet ... 139
7.7.2.2 Ethernet ... 140
7.7.2.3 WiFi ... 140
7.7.3 Domain Name Server (DNS) ... 140
7.8 Increasing Internet Security ... 142
7.8.1 IPSec: Going a Bit Deeper ... 143
7.8.2 Ports, Firewalls, and Filters ... 144
7.8.2.1 Detecting Open Ports ... 144
7.9 Virtual Private Networks ... 145
7.9.1 Virtual Private Networks in the Home ... 145
7.9.2 Choosing a VPN ... 146
7.9.3 Value of a Virtual Private Network ... 146
7.9.4 Avoiding the Need for VPNs ... 147
7.10 Onions and the Dark Web ... 147
7.10.1 The Dark Web and Onion Routing ... 147
7.11 Local Threats and Malware ... 149
7.12 Certificates and Trust ... 150
7.12.1 Public Key Infrastructure (PKI) ... 151
7.13 Email ... 152
7.13.1 Spoofing ... 154
7.13.2 Email Security ... 154
7.13.2.1 Sender Policy Framework Results ... 156
7.14 Blockchains ... 156
7.14.1 The Hard Fork ... 158
7.15 EU Data Protection Rules ... 159
7.16 Quantum Computing ... 160
7.16.1 Mr Hyde: Superposition and Parallel Computation ... 160
7.16.2 Dr Jekyll: Entanglement ... 160

8 The Future ... 163
8.1 Keeping Nasties Out ... 163
8.1.1 Formal Validation ... 164
8.2 Use of Encryption ... 165
8.3 Encouraging Good Cyber Practice ... 166