Cyber-attacks towards governments and public institutions
Public and government institutions represent a greedy target for criminals due to the huge amount of public data and information that can be exploited to achieve illegal objectives. Indeed, such institutions, which usually own more data than the private sector, often store date and information in vulnerable systems. As a consequence, cyber-criminals interest is to hack such systems to get access to big amounts of data containing confidential and personal information of citizens for political and economic reasons. Indeed, from a political or an economic point of view, cyber-criminals try to hack databases with the purpose to create monetary benefits and to bring benefits to their cyberterrorism community. Therefore, agencies are regularly targeted not only by single political hackers but also by teams funded and trained by nation-states. From a technical point of view, the most common problem is the software. Indeed even though the operating systems in these institutions are often outdated, they are still running old and ineffective security solutions. Moreover, the employees of these organizations are not well aware of new technologies and of new emerging security threats. Thus they represent a really easy target for criminal’s groups (Zaharia 2017).
On the basis of such consideration, three main threat scenarios and related prevention approaches are summarized in Table 1, which are then described in the next subsections.
Threat Scenarios related attacks | Prevention approaches |
Ransomeware attack – Cypto Ransomeware – Locker Ransomeware |
– Encryption, – Firewalls, – Trust-based mechanisms, – Reputation system, |
Denial of Service (DoS) Distibuted DoS (DDoS) Bot-nets |
– Intrusion Detection System (IDS) – Blackholing – Routers – Firewalls |
Defacement of governmental platform |
– Monitoring system – Detection techniques |
Defacement of Governmental platform. In this scenario the main objective is to deface institutional websites or governmental web platform. The major goal of the criminal groups is to takedown the entire system or the network by making it inefficient to operate normally. Such kind of cyber-attacks aims to potentially cause the damage to the organization’s stature economically and financially. Consequently, making the organization inefficient in providing the services, thus the service is blocked for the undetermined amount of time. Moreover, when the websites are hacked, they can be totally changed so as to include messages of propaganda or publicity, with the purposes to take them down or to re-direct the users to other websites, which may contain similar messages and so on. A recent event happened to the United Kindom’s National Health Service trust that was affected by the “Wannacry” attack by demanding money to get back the access to the infected systems. More than 2.000 computers were compromised. The network was down for more than one week resulting in a huge loss and service disruption. The problem was initiated through a simple email that infected the network, resulting in devastating consequences (Hoeksma 2017). The number of cases of such attacks has dwindled in the past few years thanks to a greater awareness on the issue. However, even more cases are happening in the context of public and governmental IT platform. As a consequence, proper security measures will need to be taken into account to avoid not only financial disasters but also embarrassing situations.
A further threats scenario related to government and public institutions is caused by Ransomeware attack. Ransomeware is a malware that restricts the user from accessing his/her own computer system or the personal data files stored either by locking the system or by encrypting some of the data files stored, thus by blocking the user from accessing it. Using such attacks, the criminals ask for the ransome (money or digital currency) to be paid in order to decrypt the files and to regain the access to the system (Pathak and Nanded 2016). There are several ways in which ransomeware attacks are done. One of such ways is through email spams, phishing, redirecting the websites to malicious sites and software downloaders (Zahra and Shah 2017; Sgandurra, Muñoz-González, Mohsen and Lupu 2016; Cabaj, Gregorczyk and Mazurczyk 2015). Ransomeware can be classified as cypto-ransomeware and locker-ransomeware. In the first case, the user data files are encrypted and blocked from accessing it until a ransome is paid for the decryption. Only certain files such as doc, jpg, png etc., which are vital for system, are not encrypted. In the second case, the entire system is blocked and the user is unable to access it even if the files are untouched.
Another scenario is based on (Distributed) Denial of Service (D)DoS attacks. Denial of Service attacks or DOS attacks are widely known as a common method of attack. The impact of such attacks is felt the most by e-commerce enabled business, which sells products or services online. Public and institutional IT platform are nowadays the main target of this type of attack operated by cyber-criminals. The main objective of DOS attacks is to disable or disrupt the online operations by flooding the targeted servers with huge number of packets (requests), which would ultimately lead to the fact that the servers are unable to handle normal service requests from legitimate users. The impact of such attacks can be disastrous from both an economic and social perspective where it can cause organizations to suffer from massive losses. An extension of DoS are Distributed-DoS (DDoS) attacks, where the incoming traffic originates from many different sources – potentially hundreds of thousands or more. Distributed Denial of Service attacks are executed by a so-called botnet – a collection of computers around the world infected with an attacker’s malware. Malware infections can install silent software on a victim machine which places it under the control of a remote attacker. Successful botnets can be comprised of hundreds of thousands of infected machines, typically without the owners’ knowledge. There exists a big business in creating botnets – among other things, indeed botnet creators rent out their creations to criminal enterprises who can use them to launch a DDoS (Cisco Systems 2004).
In the following, specific prevention approaches, which can be adopted to improve the level of security in the context of the before mentioned scenarios, are proposed and described.
Prevention mechanisms against Ransomeware. The most common practices against Ransomeware threats are Encryption, System recovery, Firewalls, Reputation and Trust-based mechanisms, (NMR 2017; Pope 2016). In particular, encryption represents a possible mechanism to protect the sensitive information stored in the system. It allows encoding a message or information in such a way that only authorized parties can access it. In the event that the data is stolen, thanks to cryptography, it cannot be used. System Recovery is a very useful mechanism that can be adopted to avoid that data get lost in case of blackout of the system or corruption. To reduce the occurrence of stolen data or corrupted systems, the use of firewalls and antivirus programs represent the basis of prevention mechanisms. Moreover, reputation system and trust-based frameworks, where nodes maintain reputation of other nodes and use it to evaluate their trustworthiness, represent a prevention way to provide a scalable and a generalized approach for countering different types of misbehaviours resulting from malicious attacks and threats.
Prevention mechanism against DoS and DDoS. Defense and prevention from (D)DoS-type attacks is very important. Among the existing techniques and approaches against them, effective mechanisms are represented by: Blackholing, Intrusion Detection System (IDS), Routers, Firewalls. In particular: Blackholing describes the process of a service provider blocking all traffic destined for a targeted enterprise as far upstream as possible by sending the diverted traffic to a “black hole”, where it is discarded in an effort to save the provider’s network and its other customers. Because legitimate packets are discarded along with malicious attack traffic, blackholing is not always an effective solution. Indeed, the victims can lose part of their legitimate traffic. A further possibility is centred on Routers based on Access Control Lists (ACLs). The routers can protect against some DDoS attacks, such as ping attacks, by filtering non-essential and unneeded protocols. Moreover, Firewalls play an important role in any organization’s security solution, and although they are not purpose-built DDoS prevention devices, they can be used as complementary prevention mechanisms. Similarly, Intrusion Detection System are able to offer anomaly-based capabilities to detect external attacks, although they require extensive manual tuning by experts (Sen 2016).
Prevention mechanism against Defacement. Web site defacement is one of the most common attacks on the Internet, the most vulnerable being those of critical government organizations such as banking and finance, oil and gas, and emergency services. Typical security mechanisms are based on system monitoring, which are able to detect changes (add, delete, modify), that can be associate to detection techniques (IDS) to prevent the legitimate user from accessing defaced web pages. Furthermore, the prevention approaches mentioned before can be also used to prevent defacement scenarios (Verma and Sayyad 2015; Viswanathan and Mishra 2016).