
1.3 Sources of Network Vulnerability

by Jack Goldsmith and a Berkman Center Cybersecurity Team
Purpose: This unit provides an overview of points of vulnerability, exploring how different aspects of the cyber environment are particularly exposed to attack, and how vulnerability may be defined.

    1. 1.1 Martin C. Libicki, Cyberdeterrence and Cyberwar: Ch. 2: A Conceptual Framework, RAND, 2009
      This chapter outlines three layers of cyberspace: physical, syntactic, and semantic, through which to consider vulnerabilities in cyberspace. It briefly addresses external and internal threats, paying particular attention to the problem of insiders and supply chain concerns.
  1. 2 1.3.2 Critical Infrastructure
    Original Creator: Jack Goldsmith and a Berkman Center Cybersecurity Team
    Reliance on critical infrastructure such as the power grid and electronic information systems, together with the increased interoperability of these systems, makes them more susceptible to cyber threats.
    1. 2.1 William D. O’Neil, Cyberpower and National Security Ch. 5: Cyberspace and Infrastructure, eds. Kramer, Starr, and Wentz, 2009
      This chapter addresses the issue of cyber attacks on electric infrastructure and any form of attack on cyber infrastructure. It provides a brief historical review of infrastructure attacks as well as an outline of threats and possible responses.
  2. 3 1.3.3 DNS and Man-in-the-Middle Attacks
    Original Creator: Jack Goldsmith and a Berkman Center Cybersecurity Team
    The DNS translates domain names into IP addresses. There is a whole family of vulnerabilities in which the DNS on one’s computer can be fooled into accepting different IP addresses for a given domain, allowing adversaries to extract information under the pretence of a trusted site. Such vulnerabilities include cache poisoning, packet sniffing, and session hijacking. In a similar fashion, Man-in-the-Middle attacks can cause users to disclose sensitive information without being aware of a third party’s involvement in the transfer of data.
    1. 3.1 Bruce Schneier, Lessons from the DNS Bug: Patching Isn’t Enough, Wired, Jul 23, 2008
      This article discusses a DNS bug discovered in 2008 and argues that designing systems with a security mindset would account for vulnerabilities before they surface, rather than the retroactive engineering of patches.
    2. 3.2 Callegati, F., Man-in-the-Middle Attack to the HTTPS Protocol, Security & Privacy, IEEE, 2009
      The man-in-the-middle attack exploits the fact that the HTTPS server sends a certificate with its public key to the Web browser (HTTPS being a protocol which guarantees privacy and security in transactions). If this certificate isn’t trustworthy, the entire communication path is vulnerable. This article demonstrates how attackers can successfully intercept the data transfer and corrupt the safety of the communication.
    3. 3.3 Seth Schoen, The Message of Firesheep: “Baaaad Websites, Implement Sitewide HTTPS Now!”, EFF, Oct 29, 2010
      Firesheep, software that uses packet sniffing and cookie stealing to hijack sessions on websites such as Facebook and Paypal from the same network as the victim, has caused much discussion regarding the need to implement HTTPS universally across session-based platforms.
  3. 4 1.3.4 Cloud Computing
    Original Creator: Jack Goldsmith and a Berkman Center Cybersecurity Team
    In recent years, many computer and Internet functions have moved from users’ computers to remote servers that make up a “cloud” of data and processing power. The increasing prevalence of cloud-based services, including a federal policy to transition to the cloud, raises several concerns regarding data.
    1. 4.1 Chris Clayton, Standard Cloud Taxonomies and Windows Azure, MSDN, 2011
      Cloud solutions come in three main taxonomies: infrastructure as service, platform as service, and software as service. This article reviews the strengths and weaknesses of each taxonomy, demonstrating the trade-off between control, agility, and cost-efficiency.
    2. 4.2 Harvard Law National Security Research Group, Cloud Computing and National Security Law, 2010
      First, this report presents a definition of cloud computing, examining both its benefits and drawbacks. Second, it examines legal challenges posed by cloud computing, with particular attention to implications of cloud computing for U.S. law enforcement and national security agencies. Third, it outlines several recommendations for legislative responses to this new technology.
  4. 5 1.3.5 User-based Vulnerabilities
    Original Creator: Jack Goldsmith and a Berkman Center Cybersecurity Team
    Some vulnerabilities do not rely on specific technical hacks, but simply on the susceptibility of individual users.
    1. 5.1 1.3.5.a Phishing
      Original Creator: Jack Goldsmith and a Berkman Center Cybersecurity Team
      Phishing is the process of enticing people into visiting fraudulent websites and persuading them to enter identity information such as usernames, passwords, addresses, social security numbers, personal identification numbers and anything else that can be made to appear to be plausible.
      1. 5.1.1 David Goldman, Massive Gmail Phishing Attack Hits Top U.S. Officials, CNN Money, Jun 1, 2011
        In the summer of 2011, a major phishing scam originating from China targeted hundreds of personal Gmail accounts, including those of government officials.
      2. 5.1.2 Tyler Moore and Richard Clayton, Examining the Impact of Website Take-down on Phishing, APWG eCrime Researchers Summit, 2007
        This article examines take-down times of phishing websites and estimates the cost of a phishing scam in the face of the defenders’ efforts to eliminate the attack. It outlines a model of the mechanics of a phishing attack, concluding that by the time phishing sites are removed, damage has already been done: many responses have been received and the attackers are moving on to new sites.
    2. 5.2 1.3.5.b Insiders
      Original Creator: Jack Goldsmith and a Berkman Center Cybersecurity Team
      A rogue employee presents risks similar to those of a feckless user in the periphery of an open system, as computer systems are now designed in a distributed way that would not allow an individual to cause much damage without being traced.
      1. 5.2.1 US Secret Service, Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector, CERT, 2004
        This report examines the threat posed by insiders, that is, individuals who were, or previously had been, authorized to use the information systems they eventually employed to perpetrate harm, with a primary focus on the banking and finance sector. This piece explores the risk from a behavioral and technological perspective.
      1. 6.1.1 Michael Sechrist, Cyberspace in Deep Water, Harvard Kennedy School, 2010
        This policy analysis argues for a public-private partnership in establishing industry best practices for the protection of undersea cables. It provides a light technical overview of how cables work and their significance as part of the ICT infrastructure.

Playlist Information

May 21, 2013
