Abstract
Nation states engage in cyber espionage because they hope to gain an advantage. Cyber espionage is attractive because it is less risky than traditional espionage: no agents have to enter foreign territory. After introducing the basic protection goals of information security (confidentiality, integrity, and availability) as well as fundamental security design principles, we describe typical attack vectors. Because state-sponsored hacking is well funded, the defensive measures needed against it are inconvenient and costly. We also present the attack-defence tree technique, which helps defenders consider all relevant attacks and countermeasures systematically. Finally, we show that security vulnerabilities play an essential role in many attacks. Intelligence services state that their goal is to defend their homeland. However, citizens and business owners may be at the losing end: the practices of stockpiling zero-day exploits and deliberately inserting backdoors make everybody less secure.
© 2019 Springer Fachmedien Wiesbaden GmbH, part of Springer Nature
Herrmann, D. (2019). Cyber Espionage and Cyber Defence. In: Reuter, C. (eds) Information Technology for Peace and Security. Springer Vieweg, Wiesbaden. https://doi.org/10.1007/978-3-658-25652-4_5
DOI: https://doi.org/10.1007/978-3-658-25652-4_5
Publisher Name: Springer Vieweg, Wiesbaden
Print ISBN: 978-3-658-25651-7
Online ISBN: 978-3-658-25652-4