A Survey of Emerging Threats in Cybersecurity Summary

1- Overall summary

2- What you would like to add or change to the conclusion section

Explanation & Answer length: 1000 words.

Journal of Computer and System Sciences 80 (2014) 973–993
Contents lists available at ScienceDirect: www.elsevier.com/locate/jcss

A survey of emerging threats in cybersecurity

Julian Jang-Jaccard, Surya Nepal*
CSIRO ICT Centre, Australia

Article history: Received 25 September 2012; received in revised form 15 March 2013; accepted 27 August 2013; available online 10 February 2014.

Keywords: Cybersecurity; Malware; Emerging technology trends; Emerging cyber threats; Cyber attacks and countermeasures

Abstract

The exponential growth of Internet interconnections has led to a significant growth in cyber attack incidents, often with disastrous and grievous consequences.

Malware is the primary weapon of choice for carrying out malicious intents in cyberspace, either by exploiting existing vulnerabilities or by making use of the unique characteristics of emerging technologies. The development of more innovative and effective malware defense mechanisms has been regarded as an urgent requirement in the cybersecurity community. To assist in achieving this goal, we first present an overview of the most exploited vulnerabilities in the existing hardware, software, and network layers. This is followed by critiques of existing state-of-the-art mitigation techniques and of why they do or do not work. We then discuss new attack patterns in emerging technologies such as social media, cloud computing, smartphone technology, and critical infrastructure. Finally, we describe our speculative observations on future research directions.

Crown Copyright © 2014 Published by Elsevier Inc. All rights reserved.

1. Introduction

Our society, economy, and critical infrastructures have become largely dependent on computer networks and information technology solutions. Cyber attacks become more attractive and potentially more disastrous as our dependence on information technology increases. According to the Symantec cybercrime report published in April 2012 [17], cyber attacks cost US$114 billion each year. If the time lost by companies trying to recover from cyber attacks is counted, the total cost of cyber attacks reaches a staggering US$385 billion [17]. The number of victims of cyber attacks is also growing significantly. In a survey conducted by Symantec, which involved interviewing 20,000 people across 24 countries, 69% reported having been the victim of a cyber attack in their lifetime.

Symantec calculated that 14 adults become the victim of a cyber attack every second, or more than one million attacks every day [105]. Why do cyber attacks flourish? Because cyber attacks are cheaper, more convenient and less risky than physical attacks [1]. Cyber criminals require few expenses beyond a computer and an Internet connection. They are unconstrained by geography and distance. They are difficult to identify and prosecute due to the anonymous nature of the Internet. Given that attacks against information technology systems are so attractive, it is expected that the number and sophistication of cyber attacks will keep growing.

* Corresponding author. E-mail addresses: julian.jang-jaccard@csiro.au (J. Jang-Jaccard), surya.nepal@csiro.au (S. Nepal). http://dx.doi.org/10.1016/j.jcss.2014.02.005

Fig. 1. Vulnerabilities and defense strategies in existing systems.

Cybersecurity is concerned with understanding the issues surrounding diverse cyber attacks and devising defense strategies (i.e., countermeasures) that preserve the confidentiality, integrity and availability of any digital and information technologies [18].

• Confidentiality is the term used for preventing the disclosure of information to unauthorized individuals or systems.
• Integrity is the term used for preventing any modification or deletion in an unauthorized manner.
• Availability is the term used for assuring that the systems responsible for delivering, storing and processing information are accessible when needed and by those who need them.

Many cybersecurity experts believe that malware is the key weapon used to carry out malicious intents that breach cybersecurity efforts in cyberspace [12]. Malware refers to a broad class of attacks that is loaded on a system, typically without the knowledge of the legitimate owner, to compromise the system to the benefit of an adversary. Some exemplary classes of malware include viruses, worms, Trojan horses, spyware, and bot executables [15]. Malware infects systems in a variety of ways, for example by propagation from infected machines, by tricking users into opening tainted files, or by luring users to visit malware-propagating websites. As a more concrete example of malware infection, malware may load itself onto a USB drive inserted into an infected device and then infect every other system into which that drive is subsequently inserted.

Malware may propagate from devices and equipment that contain embedded systems and computational logic. In short, malware can be inserted at any point in the system life cycle. Victims of malware range from end-user systems and servers to network devices (i.e., routers, switches, etc.) and process control systems such as Supervisory Control and Data Acquisition (SCADA). The proliferation and growing sophistication of malware is a major concern on the Internet today. Traditionally, malware attacks happened at a single point of the attack surface, among hardware equipment, software components or at the network level, exploiting existing design and implementation vulnerabilities at each layer. Rather than protecting each asset, the perimeter defense strategy has been used predominantly to put a wall around all internal resources, safeguarding everything inside from any unwanted intrusion from outside. The majority of perimeter defense mechanisms utilize firewalls and anti-virus software installed within intrusion prevention/detection systems.

Any traffic coming from outside is intercepted and examined to ensure that no malware penetrates into the inside resources. General acceptance of this perimeter defense model has occurred because it is far easier and seemingly less costly to secure one perimeter than it is to secure a large number of applications or a large number of internal networks. To give more fine-grained access to certain internal resources, access control mechanisms have been used in conjunction with the perimeter defense mechanism. On top of perimeter defense and access control, accountability is added to identify or punish any misbehavior, as represented in Fig. 1. However, the combined efforts of the perimeter defense strategy have been found to be increasingly ineffective as malware grows more advanced and sophisticated. Ever-evolving malware always seems to find loopholes to bypass the perimeter defense altogether.

We describe in detail the most common exploitations in the three distinct layers of existing information systems: the hardware, software and network layers. We then discuss the pros and cons of the most representative defense mechanisms that have been used in these layers. Malware evolves over time, capitalizing on new approaches and exploiting the flaws in emerging technologies to avoid detection. We describe a number of new patterns of malware attacks present in emerging technologies. In choosing emerging technologies for illustration, we focus on a few that have changed the way we live our daily lives. These include social media, cloud computing, smartphone technology, and critical infrastructure.

We discuss the unique characteristics of each of these emerging technologies and how malware utilizes those characteristics to proliferate. For example, social media, such as social networking sites and blogs, are now an integral part of our lifestyle, as many people journal their life events, share news and make friends online. Realizing its potential to connect millions of people at once, adversaries use social media accounts to befriend unsuspecting users and use them as vehicles for sending spam to the victim's friends, while the victim's machine is repurposed as part of a botnet. The cloud computing paradigm allows the use of computer resources like utilities, where users pay only for their usage without having to make any upfront investment or acquire any skills in managing complex computing infrastructure. The growing trove of data concentrated in cloud storage services is now attracting attackers. In June 2012, attackers compromised the Distributed Denial of Service (DDoS) mitigation service CloudFlare by using flaws in AT&T's voicemail service for its mobile users and, similarly, in Google's account-recovery service for its Gmail users [19]. With the projected growth to 2 billion smartphone users by 2015, a significant growth in mobile malware has been witnessed in recent times. For example, the number of unique detections of malware for Android increased globally by 17 times in 2012 from the previous year [107].

Fig. 2. Types of malware and mediums to spread them [101].

There are also growing concerns about cyber threats to critical infrastructure such as electricity grids and healthcare systems for use in terrorism, sabotage and information warfare. Apart from investigating exploitations of the unique characteristics of the selected emerging technologies, we also discuss the general malware attack patterns that appear in them, to understand the methods and trends of the new attacks. Finally, we provide our speculative observations as to where future research directions are heading. These include:

(1) privacy concerns, to safeguard the increasing volumes of personal information entered on the Internet;
(2) the requirement for a new generation of secure Internet, built from scratch with careful consideration of the projected growth and usage patterns, which was not the case with the Internet we use today;
(3) trustworthy systems whose fundamental architecture differs from their inception so as to withstand ever-evolving malware;
(4) the ability to identify and trace the source of attacks, assisted by the development of global-scale identity management systems and traceback techniques; and
(5) a strong emphasis on usable security, to give individuals security controls they can understand and control.

The remainder of the article is organized as follows. Section 2 provides an insight into malware.

Section 3 provides an overview of how malware penetrates existing systems and of efforts to mitigate the existing vulnerabilities exploited by adversaries. Section 4 reviews emerging approaches to malware infiltration and discusses the general attack patterns and methods.

Section 5 discusses the future research directions we identified; this is followed by concluding remarks in Section 6.

2. Malware as attack tool

In the early days, malware was simply written as an experiment, often to highlight security vulnerabilities or in some cases to show off technical abilities. Today, malware is used primarily to steal sensitive personal, financial, or business information for the benefit of others [129,131]. For example, malware is often used to target government or corporate websites to gather guarded information or to disrupt their operations. In other cases, malware is used against individuals to gain personal information such as social security numbers or credit card numbers. Since the rise of widespread broadband Internet access that is cheaper and faster, malware has increasingly been designed not only for stealing information but strictly for profit [130]. For example, the majority of widespread malware has been designed to take control of users' computers for black-market exploitation, such as sending email spam or monitoring users' web browsing behavior and displaying unsolicited advertisements. Based on the Anti-Phishing group report [101], a total of 26 million new malware samples were reported in 2012. Fig. 2 describes the relative proportions of the types of new malware samples identified in the second half of 2012, as reported by the Anti-Phishing group.

According to this report, Trojans continued to account for most of the threats in terms of malware count, and their number keeps growing spectacularly. In 2009, Trojans were reported to make up 60 percent of all malware. In 2011, the figure had jumped to 73 percent. The current percentage indicates that nearly three out of every four new malware strains created in 2011 were Trojans, and shows that the Trojan is the weapon of choice for cyber criminals conducting network intrusion and data theft.

Fig. 3. Common attacks and examples of countermeasures in existing systems.

Malware authors use a number of different intermediaries to spread malware and infect a victim's system. Traditionally, spam, phishing and web downloads have been the most commonly used mediums for this purpose.

– Spam refers to sending irrelevant, inappropriate and unsolicited messages to thousands or millions of recipients. Spam has turned out to be a highly profitable market, since spam is sent anonymously with no costs involved beyond the management of mailing lists. Due to this low barrier to entry, spammers are numerous, and the volume of unsolicited mail has grown enormously.

For the year 2011, the estimated figure for spam messages is around seven trillion [2]; this figure includes the cost involved in lost productivity and fraud, and the extra capacity needed to cope with the spam. Today, the most widely recognized form of spam is email spam. According to the Message Anti-Abuse Working Group report [1], between 88% and 92% of email messages sent in the first half of 2010 carried spam.

– Phishing is a way of attempting to acquire sensitive information such as usernames, passwords or credit card details by masquerading as a trustworthy entity. Most phishing scams rely on deceiving a user into visiting a malicious web site claiming to be from a legitimate business or agency. The unsuspecting user enters private information into the malicious web site, which is then used by the criminals. Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to a legitimate organization, such as a well-known bank.

Misspelled URLs or the use of sub-domains are common tricks used by phishers. The Anti-Phishing technical report [101] stated that there was a visible trend among phishers in 2011 to hide their intentions by avoiding the use of an obvious IP host to host their fake login pages. Instead, the phishers preferred to host on a compromised domain to avoid detection. It is reported that there was a 16 percent drop in the number of phishing URLs containing the spoofed company name in the URL. These combined trends show how phishers are adapting as users become more informed and knowledgeable about the traits of a typical phish.

– Drive-by downloads concern the unintended download of malware from the Internet and have been increasingly used by attackers to spread malware quickly.

Drive-by downloads happen in a variety of situations: for example, when a user visits a website, while a user views an email message, or when a user clicks on a deceptive pop-up window. By far the most common drive-by downloads, however, occur when visiting websites. An increasing number of web pages have been infected with various types of malware. According to an Osterman Research survey [3], 11 million malware variants had been discovered by 2008, and 90% of these came from hidden downloads on popular and often trusted websites. Before a download takes place, a user is first required to visit the malicious site. To lure the user into visiting a website with malicious content, attackers send spam emails that contain links to the site. When an unsuspecting user visits the malicious website, malware is downloaded and installed on the victim's machine without the user's knowledge.

For example, the infamous Storm worm makes use of its own network of many infected computers to send spam emails containing links to such attack pages [102].

3. Exploiting existing vulnerabilities

Once malware has been delivered to the victim's system, cyber criminals can exploit many different existing vulnerabilities in that system to further their criminal activities. We examine the most commonly exploited existing vulnerabilities in hardware, software, and network systems. This is followed by a discussion of existing efforts that have been proposed to mitigate the negative impacts of these exploitations. A summary of the common attacks in the hardware, software and network layers is presented along with examples of countermeasures in Fig. 3.

3.1. Hardware

Hardware is the most privileged entity and has the most ability to manipulate a computing system.
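Before going further into hardware, the phishing URL tricks surveyed in Section 2 (misspelled domain names, a brand name pushed into a sub-domain of an unrelated domain, and raw IP hosts) can be turned into a simple mail-gateway check. This is an added example, not code from the paper; the protected brand list and the sample URLs are constructed, and the two-label notion of a registrable domain is a simplification.

```python
from urllib.parse import urlsplit

# Constructed list of brand domains a mail filter would protect (not from the paper).
PROTECTED_DOMAINS = {"examplebank.com", "examplemail.org"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplified: no public-suffix list, so multi-part
    suffixes such as co.uk are not handled; sufficient for the brand list above."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_url(url: str) -> list[str]:
    """Return the heuristic findings for one URL; an empty list means nothing was flagged."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return ["no hostname in URL"]
    labels = host.split(".")
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return []  # the genuine brand domain, including any of its own sub-domains
    findings = []
    brand_names = sorted(d.split(".")[0] for d in PROTECTED_DOMAINS)
    # Trick 1 (sub-domain abuse): the brand name sits in a sub-domain label of an
    # unrelated registrable domain, e.g. examplebank.com.login-verify.net
    for brand in brand_names:
        if any(brand in label for label in labels[:-2]):
            findings.append(f"brand '{brand}' appears as a sub-domain of '{reg}'")
    # Trick 2 (misspelled URL): registrable name is one edit away from a brand name,
    # e.g. examp1ebank.com, or is the brand name padded with extra characters
    reg_name = reg.split(".")[0]
    for brand in brand_names:
        dist = levenshtein(reg_name, brand)
        if dist == 1 or brand in reg_name:
            findings.append(f"'{reg_name}' imitates brand '{brand}' (edit distance {dist})")
    # Trick 3: a raw IPv4 address instead of a domain name
    if len(labels) == 4 and all(part.isdigit() for part in labels):
        findings.append("host is a raw IPv4 address")
    return findings


if __name__ == "__main__":
    # Constructed sample links as they might appear in a phishing email.
    for sample in ("https://www.examplebank.com/login", "http://examplebank.com.login-verify.net/",
                   "https://examp1ebank.com/", "http://192.0.2.10/login"):
        print(sample, "->", classify_url(sample) or ["ok"])
```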

This is the level where, if the hardware is compromised, attackers potentially gain considerable flexibility and power to launch malicious security attacks [23,24]. Compared to software-level attacks, where many security patches, intrusion detection tools and anti-virus scanners exist to detect malicious attacks periodically, many hardware-based attacks have the ability to escape such detection. Taking advantage of the lack of tool support for hardware-level detection, hardware-based attacks have been reported to be on the rise [23]. Among the different types of hardware misuse, hardware Trojans are the most hideous and most common hardware exploits [24]. Hardware Trojans are malicious and deliberately stealthy modifications made to electronic devices such as Integrated Circuits (IC) in the hardware [25]. Hardware Trojans vary in severity and cause different kinds of undesirable effects. A hardware Trojan might cause an error detection module to accept inputs that should be rejected. A Trojan might insert more buffers in the chip's interconnections and hence consume more power, which in turn could drain the battery quickly.

In more serious cases, Denial-of-Service (DoS) Trojans prevent the operation of a function or resource. A DoS Trojan can cause the target module to exhaust scarce resources like bandwidth, computation, and battery power. It could also physically destroy, disable, or alter the device's configuration, for example by causing the processor to ignore the interrupt from a specific peripheral. Illegal clones of hardware become a source of hardware-based exploitation, since illegally counterfeited hardware is more likely to contain malicious backdoors or hardware Trojans.

The chance of producing inauthentic hardware has increased with a new trend of IT companies trying to reduce their IT expenses via outsourcing and buying untrusted hardware from online sites. Karri et al. [26] discuss how today's IT model of outsourcing has contributed to the increased chance of tampered hardware components being produced in untrusted factories in foreign countries. Similarly, it is also pointed out that IT companies often buy untrusted hardware such as chipsets and routers from online auction sites or resellers, which in turn may contain harmful hardware-based Trojans. These practices are not only problematic for IT companies operating on tampered hardware with a potential backdoor entry; they also increase the chance that the original design and the details of the system's internal state are leaked to unauthorized personnel. Side channel attacks occur when adversaries ..
