“Cyber” is all the rage today. Many topics fall under the “cyber-” umbrella: cyberspace, cybersociety, cyberculture, cybersecurity, cyberpunk, cyberterrorism, cyberinfrastructure, cyberart, cyberwar, cyberdefense, cyberoffense, cyberattack, cyberexploitation, cybercrime, and many more. From the perspective of the IEEE Computer Society, one of the most interesting (and challenging) of these is cybersecurity. This month in Computing Now, we explore a few cybersecurity-related topics including policy, education, attacks, infrastructure, trust, and architecture.
Although a couple of years old, “Lifting the Veil on Cyber Offense” (based on a related report from the National Research Council; login required for full text) raises interesting issues about the offensive use of cyberattack capabilities against an adversary, including some of the legal, ethical, technical, and operational aspects of such an attack. It includes some of the detailed findings from the report as well as some of its recommendations.
Just as we have a need for students to pursue education in science, technology, engineering, and mathematics (STEM), we have a need for students to pursue education in cybersecurity as well. “The CyberPatriot National High School Cyber Defense Competition” (login required for full text) introduces a contest that challenges high school students to secure a network and protect it against a simulated attack. Developing skills in cyberdefense benefits everyone from governments and large multinational corporations down to small businesses and individuals, and these contests are one way to seed the pipeline to that end.
The best way to learn is through experience; the best way to gain experience is to learn from others’ mistakes. “Anatomy of an Intrusion” (login required for full text) and “Analysis of a Botnet Takeover” (login required for full text) describe two attack experiences — one, a network intrusion, and the other, a study of a network of infected machines. Both offer lessons learned without having to experience the learning process directly.
Almost everyone is aware of the Internet, which connects computers together around the world. But few are aware that other infrastructures — in this case the power grid — are also interconnected. Whether it’s reading your power meter remotely or controlling the generation and distribution of power across regions, it’s critical that these systems operate safely and securely. “Smart-Grid Security Issues” (login required for full text) describes the smart grid and some of the security issues associated with it.
Part of using a computer is trusting that it will do the right thing. But what if it doesn’t? How do you know? The Trojan horse goes way back as a way of compromising a hardened target. Software trojans compromise software systems in a manner similar to their historical/literary counterpart; hardware trojans compromise hardware in ways that can be much harder to detect or to avoid. “Trustworthy Hardware: Identifying and Classifying Hardware Trojans” (login required for full text) describes the various dimensions across which hardware trojans can be classified and provides a broad view into the problem. (The September 2010 issue of Computing Now covered related topics; login is required to access the full text of the articles.)
Cyberdefense can be done in many ways, but using hybrid hardware–software solutions combines both performance and flexibility. “An Architectural Approach to Preventing Code Injection Attacks” (login required for full text) demonstrates a software-only technique (no hardware modifications required) that uses memory protection and management features that already exist in modern processors to protect against inadvertently executing injected malicious code.
These articles should give you some useful background in a range of cybersecurity topics. You can follow the references and citations to find other related articles, and see the Related Resources below as well. Note that other IEEE societies and other organizations will have different coverage of various “cyber-” topics, so there are many rewards for exploration.
Kevin Rudd is an assistant professor at the United States Naval Academy and a member of IEEE Micro’s editorial board. Contact him at rudd at usna dot edu.
These resources will help you to explore cybersecurity and to keep abreast of ongoing developments. Note that login may be required to access the full text.
C. Visaggio, “Session Management Vulnerabilities in Today’s Web,” IEEE Security & Privacy, Sept/Oct 2010, pp. 48–56, http://doi.ieeecomputersociety.org/10.1109/MSP.2010.114.
S. Abu-Nimeh and T. Chen, “Proliferation and Detection of Blog Spam,” IEEE Security & Privacy, Sept/Oct 2010, pp. 42–47, http://doi.ieeecomputersociety.org/10.1109/MSP.2010.113.
D.J. Leversage and E.J. Byres, “Estimating a System’s Mean Time-to-Compromise,” IEEE Security & Privacy, Jan/Feb 2008, pp. 52–60, http://doi.ieeecomputersociety.org/10.1109/MSP.2008.9.
T. Huffmire, B. Brotherton, T. Sherwood, R. Kastner, T. Levin, T.D. Nguyen, and C. Irvine, “Managing Security in FPGA-Based Embedded Systems,” IEEE Design & Test of Computers, Nov/Dec 2008, pp. 590–598, http://doi.ieeecomputersociety.org/10.1109/MDT.2008.166.
J.R. Kenny and C. Robinson, “Embedded Software Assurance for Configuring Secure Hardware,” IEEE Security & Privacy, Sept/Oct 2010, pp. 20–26, http://doi.ieeecomputersociety.org/10.1109/MSP.2010.150.
S.W. Boyd, G.S. Kc, M.E. Locasto, A.D. Keromytis, and V. Prevelakis, “On the General Applicability of Instruction-Set Randomization,” IEEE Trans. Dependable and Secure Computing, July–Sept 2010, pp. 255–270, http://doi.ieeecomputersociety.org/10.1109/TDSC.2008.58.