Informatik, TU Wien

From attack trees to attack navigators

Information security risk in socio-technical systems.

Abstract

Information security threats to organisations have changed completely over the last decade, due to the complexity and dynamic nature of infrastructures and attacks. Successful attacks cost society billions a year, impacting vital services and the economy. Examples include StuxNet, using infected USB sticks to sabotage nuclear plants, and the DigiNotar attack, using fake digital certificates to spy on website traffic. New attacks cleverly exploit multiple organisational vulnerabilities, involving physical security and human behaviour. Defenders need to make rapid decisions regarding which attacks to block, as both infrastructure and attacker knowledge change rapidly. Current risk management methods provide descriptive tools like attack trees for assessing threats by systematic brainstorming. Attack opportunities will be identified and prevented only if people can conceive them. In today’s dynamic attack landscape, this process is too slow and exceeds the limits of human imaginative capability. Emerging security risks demand tool support to predict, prioritise, and prevent complex attacks systematically. The 13.5 MEUR TREsPASS project will make this possible, by building an "attack navigator". This navigator analyses which attack opportunities are possible, which of them are the most urgent, and which countermeasures are most effective. In this presentation, I will discuss information security risk management, important challenges, and new solutions based on the attack navigator concept.

Biography

Wolter Pieters (1978) is an assistant professor in information risk at Delft University of Technology, and technical leader of the TREsPASS project at the University of Twente. He studied computer science and philosophy of science, technology and society at the University of Twente, and wrote his interdisciplinary PhD "La volonté machinale: understanding the electronic voting controversy" at the Radboud University Nijmegen. Afterwards he advised the Dutch Ministry of the Interior on electronic voting and electronic travel documents. Back in research, he analysed information risks in cloud computing, and contributed to decision support for security investments in electricity infrastructures. Together with Prof. Pieter Hartel he set up the TREsPASS European project, on information security risk management in socio-technical systems, which started in November 2012. He was program chair of the 2010 CPDP workshop on Security and Privacy in Cloud Computing, and co-organiser of the Dagstuhl seminars on Secure Architectures in the Cloud (2011) and Socio-technical Security Metrics (2014). He also teaches an online master course on computer ethics for Cologne University of Applied Sciences. He has published on electronic voting, verification of security properties, information risk management, and philosophy and ethics of information security.

Note

This talk is part of the "Cyber Security Lecture Series" and organized by the Automation Systems Group at the Institute of Computer Aided Automation supported by the AIT Safety and Security Department.