WP2 Metrics of Cyber Security

Transcription

1 WP2 Metrics of Cyber Security WP2 Athens March 2018 CYBE Presented by: Jart Armin This work is performed within the SAINT Project (Systemic Analyser in Network Threats), with the support of the European Commission and the Horizon 2020 Program, under Grant Agreement No SAINT WP2 - Athens March Jart Armin 1

2 Things are so bad for usable security that we need to give up on perfection and focus on essentials. The root cause of the problem is economics: we don t know the costs either of getting security or of not having it so users quite rationally don t care much about it.... To fix this we need to measure the cost of security Butler Lampson ACM Turing award and von Neumann medal winner SAINT WP2 - Athens March Jart Armin 2

3 Cybercrime and Cyber-Security Metrics should: Enable decision-makers to take action (digital epidemiology). Be definable in numbers: Qualitative measures like Good, Bad, or Average aren t sufficient as drivers for policy-setting or decisionmaking, so the metrics should be capable of expression as meaningful figures. Have a firm foundation in facts and data based on evidence based practice: This is crucial in allowing metrics to be used to communicate with stakeholders at all levels. Be repeatable (automation): The metrics should be easy to collect and update Show trends and at a reasonable cost. SAINT WP2 - Athens March Jart Armin 3

4 Cybercrime & Threat data - Epidemiology Cybercrime & Cyber Threats Public Health Analogy Dr John Snow - Epidemiology Cholera epidemic1854 London Epidemiology: the science that studies the patterns, causes, and effects of health and disease in defined populations. Cholera, Bubonic Plague, Aids, Ebola! Stuxnet, Zeus, Conficker, BlackEnergy. + DDoS, Spam Cybercrime & Cyber Threats = an epidemiological approach. i.e. patterns & causes Just to note: The science of: Public health & epidemiology = >150 years Cybercrime & Threat Data research = < 10 years Policy decisions and evidence-based practice by identifying threats and targets for prevention. All cybercrime, cyber threats are hosted or routed from somewhere and by someone on the Internet it is not magic! SAINT WP2 - Athens March Jart Armin 4

5 To achieve workable practices for deriving cyber security metrics towards an empirical science Its all about the data and the evidence! Digital Epidemiology and evidence based practice Use of the triad to enable & bring about disease prevention. A innovative paradigm from SAINT cyber security metrics for attack and threat prevention! Within SAINT who and how we aim the surveys & gather knowledge from multiple data sources. SAINT WP2 - Athens March Jart Armin 5

6 SAINT WP2 Systemic Analyser In Network Threats T2.1 D Current Cybersecurity Indicators & Open Source Intelligence Methodologies D2.2. Final Report on Cyber-security Indicators & Open Source Intelligence Methodologies T2.2Comparative Analysis Of Cybercrime Victims By Region, Country And Forecasting D2.3 - Initial D2.4 Final Comparative Analysis Of Cybercrime Victims By Region, Country And Forecasting T2.3 D2.5 - Measuring The Effect And Analysis Of Incentivized, Cooperative & Regulatory Processes In Cybersecurity And Impact Of Cybercrime Economics Analysis On Privacy T2.4 D2.6 Metrics for Measuring Privacy T2.5 D2.7 Cyber-security Standards, Benchmarking & Best Practices Surveys SAINT WP2 - Athens March Jart Armin 6

7 Outputs and challenges - Practical ENISA s Top 15 Threats Practical challenge = Application of WP2 Metrics of Cybersecurity - to - threat analysis examples: Determine, Quantify & Rank ENISA s ETL - metrics Economic analysis (overlap WP3) economic metrics SAINT WP2 - Athens March Jart Armin 7

8 SAINT Data Plan SAINT WP2 - Athens March Jart Armin 8

9 Global Security Map Current improvements being developed SAINT WP2 - Athens March Jart Armin 9

10 Methodology How do we rank countries and ASNs? Sources of data: 1. CyberDefcon s network of data collection sensors Includes honeypots, darknets and crawlers 2. Feeds from data partners Data is processed into an index for each IP address, subnet, ASN and country: Ranges from 0 (best) to 1,000 (worst) Based on Bayesian statistics & Risk Analysis: Considers that the analysis is only from one viewpoint Assigns confidence levels & actuarial analysis to the data SAINT WP2 - Athens March Jart Armin 10

11 Global Security Map Systemic Analyser In Network Threats Current improvements being developed A new version of Global Security Map is being developed and tested. It adds support for: Customised indexes: Instead of hardcoded indexes such as Malware and Spam, they can be customised to suit what is required Outputted into custom reports Commercial options, including: Advanced metrics Notifications BGP routing alerts SAINT WP2 - Athens March Jart Armin 11

12 1. Methodology Systemic Analyser In Network Threats How do we rank countries and ASNs? Reputational analysis The index represents the reputation of the IP/subnet/ASN/country It considers historical data it does not over-react to isolated incidents Weighted according to the size of the ASN/Country The size is considered to be larger if these factors are larger: # of IPs # of internet users income However, the weighting is not equal larger ASNs/countries are expected to commit more resources to aid prevention SAINT WP2 - Athens March Jart Armin 12

13 Infrastructure Why the infrastructure is targeted Example client Of 60,369 Number of ASes in routing system estimate 250 ASNs = 85% sources of malware, spam, attacks. One of the largest hosting companies in Europe Despite a large abuse team, their ranking was very high as they were highly targeted Index fell very quickly once the core issues were addressed SAINT WP2 - Athens March Jart Armin 13

14 EU example Romania #12 of 224 counties Note: lower the number = higher measurable cyber security issues / risk SAINT WP2 - Athens March Jart Armin 14

15 Finland the EU anomaly? #221 of 224 lowest in cyber security incidents / measurable issues in Europe Why is this? What can we learn? FICORA. technology & as regulator SAINT WP2 - Athens March Jart Armin 15

16 Finland OECD Enterprises encountering Security issues Finland Microsoft Lowest number of malware hosting SAINT WP2 - Athens March Jart Armin 16

17 Saint Survey Experience of cybercrime: Top threats = Phishing #1 Malware #2 Extensive survey 55 queries experience, costs, threats, opinion of cyber security, home & work Potentially 47% of Respondents victims of Cybercrime! SAINT WP2 - Athens March Jart Armin 17

18 Saint Survey - examples Potentially 75% of Respondents sought guidance on threats SAINT WP2 - Athens March Jart Armin 18

19 Continuation Advanced surveys Finland (Finnish FICORA & SAINT) Advanced surveys Risk, threats, & best practices Cyber-security Standards, Benchmarking & Best Practices SAINT WP2 - Athens March Jart Armin 19

20 Reworking Norton / Symantec Metrics (1) Norton Cyber Security Insights Report Global Results (Feb 18 - Symantec) 20 countries 21,000 respondents 36.21% experienced cybercrime 6.5% GDP 3.75 billion US$ (20 countries) Important as first effort to also show time spent / hours lost / cybercrime victim = 22.9 hours / victim - Average (20 countries) SAINT WP2 - Athens March Jart Armin 20

21 Reworking Norton / Symantec Metrics (2) Analysis of the 7 EU countries Within report: Changed to Cost of time spent / cybercrime Eurostat average of 25/hour 415 = Average / victim 2017 SAINT WP2 - Athens March Jart Armin 21

22 Reworking Norton / Symantec Metrics (3) Extended analysis for all 28 EU countries from report: GDP = Eurostat figures 42 billions cost of cybercrime 7.9% of GDP 16 hours time spent / cybercrime victims 60 billion cost of time spent in EU 2017 Therefore = 102 billion total cost in EU But metrics need refinement i.e. Finland / Ficora / SAINT Finnish study SAINT WP2 - Athens March Jart Armin 22