
Chapter 3. Methodology

3.3 Desk-Based Research

This section describes the desk-based research methodologies. Section 3.3.1 discusses the creation of the models and Section 3.3.2 describes the application and testing of the model and framework.

Section 3.3.3 describes the methods used to conduct the trend and incident analysis, Section 3.3.4 describes the mathematical methodologies, and Section 3.3.5 describes the simulations. Section 3.3.6 describes the formulation of the recommendations.

3.3.1 Creating the Models

A primary objective of the study was to develop and propose a vulnerability assessment framework from an IW perspective. This involves the creation of two models: an IW model and the vulnerability assessment framework. The models were developed by comparing existing models (discussed in Chapter 2) and identifying common aspects; these aspects are then incorporated into a single model in order to provide a generic model that is scalable.

As IW has high-level considerations such as situational context, as well as technical aspects such as the actual attack and defence methods and tools, there is a need for a consolidated IW model and a vulnerability assessment framework from an IW perspective. Both the need for consolidated taxonomies or models for IW and the consideration of broader contexts in addition to the technical aspects are corroborated by Armistead (2010). The purpose of proposing the IW model is to provide a single, consolidated description of an IW event by integrating the models that describe the various aspects of IW. Existing high-level models (presented in Sections 4.2.1 to 4.2.5) are also considered, and their common aspects are incorporated into the consolidated model.

Similarly, the proposed vulnerability assessment model was aimed at providing a framework which takes both high-level contextual issues and the technical issues and implementation into consideration. The majority of vulnerability and risk assessment methods presented in Section 2.7 are either too broad, or limited to the technical aspects. In addition, the existing frameworks are asset-centric rather than infrastructure-centric; the proposed model provides a single metric with which to measure the vulnerability and risk of an infrastructure or a single asset, as required.

The proposed IW model is a descriptive model in two parts: a high-level taxonomy adapted from the models discussed in the literature review, and an information warfare lifecycle model which is used to describe IW incidents. The vulnerability assessment framework incorporates techniques and common elements from existing frameworks to provide a top-down approach, where the vulnerabilities and associated risks are assessed at a high level and the assessment then flows down to in-depth technical assessments. A technique for providing vulnerability and risk metrics for an entire infrastructure is proposed; this may also be used to assess the vulnerability and risk relating to specific IW areas and attack types. The information warfare lifecycle model was also used in the development of the vulnerability assessment framework by relating IW characteristics to components of vulnerability and risk assessments. Chapter 4 presents the new models.

As the models are descriptive, it is possible to propose the models and then apply them. The test of these models is the accuracy with which they describe the phenomena to which they are applied. As such, the models were tested by applying them to cases. The IW lifecycle model was tested by applying it to a number of IW incidents of varying type and complexity to determine the accuracy with which it described those incidents. The vulnerability assessment framework was applied to a cloud computing scenario to determine the accuracy with which it described the scenario. These tests are presented in Chapter 4.

3.3.2 Applying the Proposed Models

A need was identified for a consolidated model that describes IW incidents and a vulnerability assessment framework that considers both contextual and technical aspects from an IW perspective; this need is corroborated by Armistead (2010). The motivations for the proposed models are presented in more detail in Section 3.3.1.

The models were initially applied to cases to determine their accuracy in describing the phenomena they are applied to. For the IW model, a series of IW incidents of varying type and complexity were used for the cases. For the vulnerability assessment framework, a cloud computing scenario was employed. These are presented in Chapter 4.

The proposed IW model is applied to the documents that describe specific incidents. The model breaks down the incident qualitatively into categories from which trends can be extracted. The model is also used as a guide for developing the vulnerability assessment framework from an IW perspective.

The application of the proposed vulnerability assessment framework forms one of the major objectives of the research. The framework is applied to the case of a generic mobile phone infrastructure. The results from the various research methodologies are brought together in specific categories determined by this framework; this provides the overall vulnerability assessment of the mobile infrastructure. This is presented in Chapter 8.

3.3.3 Trend and Incident Analysis

A primary objective of the research is to gather information regarding IW and security incidents.

This information can be gathered from analysis of documents and secondary data. Chapter 5 presents the trend and incident analysis, which draws on a large body of literature; however, as the sources are primarily reports from newspapers, online news agencies, vendor notifications, and white papers, they are treated as secondary data and documents for analysis. As such, the incidents were not included in the literature review except as examples of specific concepts. Section 3.3.3.1 discusses the document analysis methods in more detail, and Section 3.3.3.2 presents the secondary data collection and analysis.

3.3.3.1 Document Analysis

Document analysis is conducted on online news reports, threat notifications, and corporate weblog postings to identify recent IW and security incidents. The document analysis of specific incident reports illustrates the prevalence of attack types, specific vulnerabilities, and threats. By comparing the reported dates of incidents, trends over time for incident characteristics may become apparent.

The proposed IW model is used to analyse these incidents (as described by the documents), and categorise the characteristics of the incident. Document analysis may also provide secondary quantitative data in addition to qualitative information. For example, security surveys generally provide quantitative data illustrating incidents numbers and categorisation; however, incident and trend descriptions are usually qualitative.

The documents were gathered from various sources. One method used to semi-automate this process was to subscribe to the major news groups, vendors, and security-related websites via email and social networking websites. These subscriptions then provided alerts when news reports and vendor reports were released, and provided the links to access them. Online search engines were then used to find additional reports online. Newspaper and periodical articles were also used; should there have been a report on television, the story was accessed on the relevant news agency's website, and online search engines were used to identify and access alternative reports.

Only reports in English were considered.

For the incidents, the following information, where available, is extracted from the documents as determined by the proposed IW model:

Context and background;

The nature of the aggressor and target;

The IW functional area;

The IW tactic (denial, corruption, steal information);

Technical aspects in terms of offensive and defensive tools and techniques;

The outcome and impact of the incident.

Where multiple sources are available, these can be used to corroborate facts, or provide additional detail. The emphasis will be on facts; any assumptions or perceptions that are presented by the authors of the documents are indicated as such. As one of the aspects of IW is the altering of perceptions, it is important not to place too much emphasis on them; however it is still important to consider the perceptions presented in reports, as these may shape public perception and consequently reaction. Where possible, the complexity of the incidents was assessed to indicate the viability of such an attack being conducted again in the future.

The temporal occurrence of the incidents is also of interest; this provides trends in the shift between incident types, or shifts in the technologies or methods used to achieve similar objectives. General increases or decreases in incident numbers will also become evident. For this a timeline is used to illustrate the reported time period of the incident, and show clustering of incidents or incident types.

Information regarding the role of information and information technologies in conflict is also extracted from documents. This allows trends in the relevance of IW, and the impact that technology evolution is having on IW, to be identified.

The document analysis was aimed at extracting specific information regarding incidents, assessing the significance and viability of similar incidents occurring, and trends in incident types and the methods or technologies used.

3.3.3.2 Secondary Data

Secondary data was gathered from reports released by research organisations, vendors, and national computer emergency response teams. As with the document analysis above, subscriptions to the relevant newsletters and vendor notifications via email and social networking websites provided a method of monitoring the latest developments in information security-related topics, releases of research reports and surveys, and incidents as they developed. The secondary data is re-analysed in order to identify trends or specific vulnerabilities that contributed to security incidents.

This monitors the changing threat and vulnerability landscape, and supports the prediction of possible future developments.

Secondary data from national computer emergency response teams (CSIRTs) was gathered from their websites. The data is presented over time, providing for general trends in incident numbers.

This data is then analysed for trends across the data sets, looking at the prevalence of specific reported incident types in a global context, as opposed to the localised context provided by the individual data sets.

Secondary data was gained from vendor reports and books; these were used to analyse trends in malware infections. The trends for computer-based malware were re-analysed by re-ranking countries according to infection rates. The infections of African nations could then be assessed in a global context and compared to the world average. The secondary data for mobile malware was fragmented; therefore the various datasets were incorporated to provide trends over a longer period of time.

In some instances, the secondary data is used only to illustrate a point, such as the penetration of mobile devices compared to other communications devices. Secondary data from a webpage was presented to illustrate the susceptibility of South African web servers to hacking. The secondary data is also used to corroborate and supplement outcomes from the qualitative document analysis.

3.3.4 Mathematical Calculations

Certain vulnerabilities can be determined by mathematical calculations, which establish the technical restrictions of certain scenarios and hence their vulnerability. The calculations are done primarily for electronic warfare, to determine detection and jamming ranges for wireless communications. Network capacity limits can also be calculated. The results of the calculations determine the feasibility and restrictions of certain attacks. The equations used are identified in the literature review. Graph theory analysis of networks and infrastructure may be used to determine critical nodes or choke points that may severely hinder network services should they be compromised. The calculations were done by writing a program in the Matlab software, and then confirming the results by hand to ensure no errors occurred. Chapter 7 contains the calculations and analysis.

3.3.5 Simulations

As with mathematical calculations, simulations can be used to analyse the impact of specific variables or scenarios. The simulations are aimed at assessing the performance of networks under different loading conditions, or electronic warfare performance. By investigating these characteristics of the networks, the susceptibility to certain attacks can be ascertained. The simulations provide a visual representation of the results, and can be used for scenarios which are too complex to calculate by hand. The simulations are computer-based Monte Carlo simulations, where numerous iterations of the same set-up are performed with randomised input. The results of the iterations are averaged together to provide the final result. The specific simulation set-up is determined by the objectives and certain parameters, and is discussed with the results and analysis of the simulations in Chapter 7.
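As an added illustration of the graph-theoretic choke-point analysis of Section 3.3.4 and the Monte Carlo averaging of Section 3.3.5 (example code written for this edition, not the thesis's own Matlab programs), the following Python finds the nodes of a constructed, hypothetical toy infrastructure whose loss cuts other nodes off from the core, and then averages the fraction of base stations still served over many random node-compromise draws. The topology and node names are assumptions.

```python
import random
from collections import defaultdict

# Constructed toy topology (assumption, not from the thesis): one core node,
# two gateways, and base stations behind each gateway; bs5 has a redundant link.
CONSTRUCTED_LINKS = [
    ("core", "gw1"), ("core", "gw2"),
    ("gw1", "bs1"), ("gw1", "bs2"), ("gw1", "bs3"),
    ("gw2", "bs4"), ("gw2", "bs5"), ("bs5", "gw1"),
]

def build_adjacency(links):
    """Undirected adjacency sets from (a, b) link pairs."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def reachable(adj, start, removed=frozenset()):
    """Nodes still reachable from start once the nodes in 'removed' are compromised."""
    if start in removed:
        return set()
    seen, stack = {start}, [start]
    while stack:
        for nxt in adj[stack.pop()]:
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def choke_points(adj, root="core"):
    """Nodes (other than root) whose loss disconnects at least one other node from root."""
    return sorted(n for n in set(adj) - {root}
                  if len(reachable(adj, root, {n})) < len(adj) - 1)

def service_fraction(adj, failed, root="core"):
    """Fraction of base stations ('bs*') that still reach the core under a given failure set."""
    stations = [n for n in adj if n.startswith("bs")]
    up = reachable(adj, root, set(failed))
    return sum(1 for s in stations if s in up) / len(stations)

def monte_carlo_service(adj, n_failures, iterations=2000, root="core", seed=1):
    """Monte Carlo estimate: average service fraction when n_failures random
    non-core nodes are compromised, averaged over 'iterations' draws."""
    rng = random.Random(seed)
    candidates = sorted(set(adj) - {root})
    total = sum(service_fraction(adj, rng.sample(candidates, n_failures), root)
                for _ in range(iterations))
    return total / iterations

ADJ = build_adjacency(CONSTRUCTED_LINKS)
```

A targeted loss of one choke point (for example gw1) leaves far less of the infrastructure served than the Monte Carlo average over random single-node losses, which is the contrast the two methods are used to expose.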

3.3.6 Conclusions and Recommendations

The conclusions are drawn from the analysis of the gathered data, and from the outcomes of the vulnerability assessment. The recommendations follow the specific findings in the conclusions; information from the workshop and the document analysis may also provide possible recommendations. A secondary objective of the research is to provide solutions for possibly vulnerable areas; these also form part of the final recommendations.