Multi sensor national cyber security data fusion

I. Swart, B. Irwin, M.M. Grobler
Rhodes University, Grahamstown, South Africa
CSIR, Pretoria, South Africa

Abstract: A proliferation of cyber security strategies has recently been published around the world, with as many as thirty five strategies documented since 2009. These published strategies indicate the growing need to obtain a clear view of a country’s information security posture and to improve on it. The potential attack surface of a nation is extremely large, however, and no single source of cyber security data provides all the required information to accurately describe the cyber security readiness of a nation. There are, however, a variety of specialised data sources that are rich enough in relevant cyber security information to assess the state of a nation in at least key areas such as botnets, spam servers and incorrectly configured hosts present in a country. While informative both from an offensive and defensive point of view, the data sources vary in factors such as accuracy, completeness, representation, cost and data availability. These factors add complexity when attempting to present a clear view of the combined intelligence of the data. By applying data fusion the potential exists to provide a comprehensive and representative view of all data sources fused together, regardless of their complexity. This method is not often used in cyber defence systems, since cyber sensor data is typically hard to classify in traditional data fusion techniques due to the diversity and ambiguity present in the sources. This research will examine a variety of currently available Internet data sources and apply them to an adapted Joint Directors of Laboratories (JDL) data fusion model. The model has been adapted to suit national level cyber sensor data fusion with the aim to formally define and reduce data ambiguity and enhance fusion capability in a real world system. The data examined will then be applied to a case study that will show the results of applying available open source security information against the model to relate to the current South African cyber landscape.

Keywords: Attack surface, Cyber security readiness, JDL model, Open Source, National security policy, Personally Identifiable Information, Sensor fusion

1. Introduction

As many as 35 nations around the world have published national cyber security policies since 2009 (Luiijf, Besseling, & De Graaf, 2013). The published cyber defence policies seek to address the growing concern that Governments, organisations and individuals have regarding their safety on the Internet. The proposed implementations will involve not only Government or individual organisations but will have to be implemented at a ‘whole of nation’ or ‘whole of Government’ level. This is due to the way that the Internet is structured, with no single entity controlling all the required infrastructure. These policies were tallied and used as an indicator of cyber readiness (Hathaway, 2013) to set the stage for more technical analysis of nation state cyber readiness to be obtained on a measurable level. Obtaining a more quantifiable measurement than just taking policy publication into account is no trivial task, however. A variety of factors such as available attack surfaces, national information sources, Internet penetration and general population education can play a significant role in such an assessment. Data fusion has the potential to process the information from these multiple sensors in such a manner as to provide increased situational awareness. However, cyber data fusion has not been extensively implemented.
The purpose of this research is to examine data sources available for information fusion on a national level and apply this to a Joint Directors of Laboratories (JDL) data fusion model. The research will further provide a view of what can be considered as the national demarcated area of a country in an attempt to provide scope and structure to the evaluation. The research will conclude with a case study presenting data fusion of multi sensor national cyber security information for South Africa.

2. Responsibility and demarcation of a nation’s Internet domain

Current cyber defence policies published by nations contain lists of key national capabilities that they are striving for. Various frameworks, models and standards are being used to assess the current state and to move forward to a more secure state, such as the guide from (National Institute of Standards and Technology (NIST) & United States of America, 2014). The problem, however, is that once the cyber defence policies of Governments are studied it becomes visible that no clear definition of what exactly will be protected is available (Cavelty, 2014). A recent study (de Souza, 2014) of United States cyber defence policies has revealed that Government is responsible for the safety of the Internet but current implementations focus on only protecting .gov websites. In South Africa legislation exists, but responsibility for each sector is only defined in the draft National Cyber Security Policy Framework yet to be released in final format. Although not formalised, there is a clear indication of the responsibility that Government has towards Internet enabled infrastructure. In addition, the Electronic Communication and Transactions Act of 2002 (South African Government Gazette, 2003) mandated that the .co.za domain be placed under the control of the Government (Naidoo, Singh, & Levine, 2013).

The question then is, what exactly constitutes the Internet domain of a country? Does liability stop when the IP address of a device is external to the IP address block assigned to the country? Or does geographic location play an important role in the determination of responsibility? The implications of unclear definitions can lead to unnecessary expenditure, misallocation of resources and insufficiently protected infrastructure (Ford, 2012).

Geographical boundaries have been presented as a manner of defining Internet domain (Goldsmith & Wu, 2006). This method seems to be commonly accepted due to its business driven incentives such as tax collection. Attempts to establish an Internet provider that ignores borders by establishing services in international areas such as the middle of the ocean (Ford, 2012) have failed to attract significant investment, indicating that there is no significant economic incentive to have such a service.
Making use of geolocation of clients and services is becoming the norm and has been applied to a variety of fields ranging from taxation to content filtering by national service providers in countries such as France and Germany (Breindl & Kuellmer, 2013). It should however be considered that several instances have been documented where even critical infrastructure has been operating outside the geographical borders of a country. Demarcation of Internet borders is thus not a trivial operation, and while geographic borders are important, domain names and IP ranges should all be considered.

3. Attack surface and potential data sources

The attack surface of a nation is a vast area to monitor considering the amount of hardware, software and people involved. Traditional methods of attack surface calculation focus on formal elements such as attack trees and privilege/attack graphs (Hahn & Govindarasu, 2011). Other research focuses on the assessment of entry and exit points in a service and bases attack surface results on the results obtained (Manadhata & Wing, 2011). The formal assessment of attack surfaces is complex to apply to any given organisation due to the variety of attack surfaces present. This makes the probability of applying current methodologies on an even larger national scale unrealistic.

Sharing of information by national partners has been identified as the only real method of obtaining a clear view of the current threat landscape. Unfortunately, despite numerous attempts by Government and private sector entities, information sharing is still not effective due to a variety of factors such as security concerns, embarrassment and cost. Recent research suggests that while collaboration is required, effective use of open source data might provide a sufficient source of information to at least increase the cost to attackers prior to an attack (Bianco, 2013).
It has been stated that 80% of information required to conduct an attack is available online and as such, it should be considered by defenders (Thomas, 2003). Online data sources are not perfect and cannot cover all aspects of cyber security but do provide a representative picture of what attackers will see when they examine national infrastructure from the outside. Limitations exist when considering aspects such as supply chain infrastructure or physical security investigation that would require physical presence to audit.

In this section the three major areas of attack will be examined, namely hardware, software and people (Giacomello, 2014). An example of data sources available for each of the components in the attack surface will be discussed along with an analysis of the data source. Following this, supplementary data sources will be examined for their usefulness in providing metadata for the primary data sources.

3.1 Hardware

To investigate the attack surface for infrastructure, the Shodan data source will be discussed. The system was selected due to the high data availability, high coverage and the previous academic work available that can be used as reference and comparison. The Shodan search engine was created by John Matherly in 2009 and has been described as ‘the search engine for hardware devices’. The service allows an individual to search for devices connected to the Internet in a variety of ways such as vendor, operating system, specific ports utilized by the hardware or even by country code. In addition, Shodan attempts to keep a history of devices detected on the Internet from first detection to last seen date. This is useful due to the nature of the Internet, where a multitude of devices make use of temporarily allocated IP addresses.

The system has been extensively used in recent years in academic and commercial research. Previous use focused on the detection, visualization and assessment of critical infrastructure type and vulnerabilities (Leverett, 2011). The service relies on artefacts such as banner type, which has previously been proven useful to identify devices (Caselli, Hadžiosmanović, Zambon, & Kargl, 2013). The Shodan project’s ability to provide data regarding the devices the Internet is operating on is of tremendous importance to both researchers and infrastructure owners. While it is true that software vulnerabilities are still the most dominant form of attack vector, attacking the hardware has recently become significantly more likely. Hardware attacks have previously been extensively researched and while physical access to a device is often required, there is a variety of attacks such as timing attacks that could potentially be performed over a network connection (Karaklajić, Schmidt, & Verbauwhede, 2013). Common Vulnerability and Exposures (CVE) lists already contain vulnerabilities that affect hardware devices as well, and with the aid of Shodan, defenders can obtain insight into the devices under their control exposed to the Internet.

3.2 Software

Information regarding the software that a nation uses is readily available. While the available information is mainly limited to the machines and infrastructure hosting web pages and exposing services to the Internet, there is a wealth of information to make use of.
One company that has made a commercial success of providing this type of information is BuiltWith. Information regarding web server technology is available from their site and a comprehensive source of information is provided. As an example, the AcademicConferences website is examined with the following findings. At the time of writing the last update of content was on 23 August 2014. There are 15 different technologies used to serve the content of the website and this has been in place since 18th December 2011. The web server technology used is Microsoft IIS Server version 7 and content is ASP.NET based. Analytics and tracking is provided by Google Analytics and documents are served in HTML version 4.01 and JavaScript. From this example it can be seen that a rich set of information is publicly available regarding the software that operates basic functionality on the Internet. BuiltWith claims to monitor well over 250 million sites worldwide, a number sufficiently large to be able to obtain a technology profile for a country should it be broken down by domain. This type of information combined with vulnerability databases as discussed in section 3.4.1 could highlight significant vulnerabilities present on a national level.

3.3 People

To investigate the attack surface of people on a national level, it is necessary to examine data sources providing information about attacks aimed at people. There is however a variety of data sources available indicating how current attacks against individuals are being performed. For example, examining spam effectiveness in a country can be a leading indicator of that country’s information security readiness (Ryoo & Park, 2011). While there is not currently a reliable data source that can provide information on the effectiveness of spam in a country, several data sources are tracking the proliferation of spam. The people component’s attack surface will be discussed by means of PhishTank and personal information leakage.

3.3.1 PhishTank

The PhishTank service is a collaborative effort where users can contribute suspected phishing site data. The submitted data is then presented to active participants to vote on whether the site can be regarded as a phishing site or not. This allows the system to present users with a reputability score that they can use to decide if the site is indeed a phishing site or not. As with any voting based system, the opportunity for bias, manipulation and incorrect conclusions is very real due to the human element involved (Moore & Clayton, 2008). The PhishTank database has inspired many information security solutions, such as a novel phishing site detection manner by CSS comparison (Mao, Li, Li, Wei, & Liang, 2013). In other work, PhishTank data were combined with other sources such as Escrow Fraud to increase phishing site detection ratios (Fahmy & Ghoneim, 2011).

3.3.2 Personal information leakage

Personal information has in prior research repeatedly proven to increase the susceptibility rate of persons to spam by up to 70% (Sheng, Holbrook, Kumaraguru, Cranor, & Downs, 2010). In an experimental system created to search and index Personally Identifiable Information (PII) in the South African national domain, a large volume of information regarding individuals was assessed (Swart, Irwin, & Grobler, 2014). Providing the ability to detect these data breaches is important since effective control of personal information has been proven to lower identity theft on a national level by approximately 6%. The results of this study will be further discussed in section 5 as part of the case study presentation.

3.4 Metadata sources

Previous sections discussed data sources directly related to hardware, software and people. While useful on their own, additional data sources can serve to enrich these primary sources by providing information indirectly related to the attack surface elements. In the cyber domain these additional data sources can be used to provide a physical location of the hardware or software device. Additionally, information regarding the vulnerabilities that potentially exist on the identified hardware or software devices is key to starting a national risk assessment. To that end, two examples of additional metadata sources will be discussed.

3.4.1 Vulnerability libraries

Most vulnerabilities are reported via a CVE number, although it should be noted that this is not always the case and that other numbering schemas exist.
This is due to the fact that vulnerability databases are operated by a variety of organizations and the manner in which they classify vulnerabilities differs. CVE is one of the most popular standards and was created as a schema implemented by the MITRE organization to facilitate the sharing of information security vulnerabilities. A CVE is typically published along with additional information such as a Common Vulnerability Scoring System (CVSS) score that is calculated by following a set of predetermined criteria. CVSS criteria, such as the type of access required for the exploit to function and what the impact of the exploit is, all contribute to a set of scores. The obtained scores serve to provide a quantifiable way for a variety of groups to interact and judge the potential severity that the CVE number might have on their organization. While it is possible to calculate the score manually, a variety of online calculators are available to ease the task. One such example is the CVSS calculator created by the Cisco corporation that, with the aid of an online service, gives entities the ability to calculate a CVE score related to their organization.

3.4.2 Geolocation technology

Geolocation technology provides the ability to point to a latitude and longitude where a specific device is thought to be located. The use of such technology is vast and ranges from traditional asset management to more complex tasks such as obtaining attribution from a country after a cyber incident. Typically, geolocation on the Internet is achieved by examining the IP address of a system and then performing lookups to determine the nationality of the registered IP. Obtaining higher resolution geolocation is possible by performing queries to specialized databases. Services such as MaxMind, Skyhook and several others are available that contain information regarding the potential state, suburb and, in a variety of instances, even the street address of a specific device.
Third party libraries are not the only potential geolocation solution; using the known average latency of network connections can achieve up to a 690 meter accuracy level (Y. Wang, Burgener, Flores, Kuzmanovic, & Huang, 2011). Many researchers have raised the question of accuracy in these types of geolocation services. Geolocation from commercial datasets was evaluated and the results indicate that geolocation was accurate 76% of the time for China (Poese, Uhlig, Kaafar, Donnet, & Gueye, 2011). The work considered five geo libraries: HostIP, IP2Location, InfoDB, MaxMind and Software77. The overall conclusion was that the higher the resolution expected of the service, the lower the accuracy. To simply determine the country of origin the geo-library services achieved a 96% and 98% accuracy. As soon as the IP address needed to be located to a street block, apartment building or physical location, the result was nearly never correct. Extending the research performed on geolocation, researchers found that with enough data from the libraries, it becomes possible to infer the topology of ISPs serving a specific geo-located area under investigation (G. Wang, Zhang, Qiu, & Zeng, 2011). Due to constant IP assignment flux on the Internet, obtaining clear geolocation results is also indicated as problematic (Zhu, Guo, Huang, Hu, & Gao, 2013). The experiment discussed in this article made use of the freeware MaxMind geolocation service in the experimental data fusion system.

4. Experimental data fusion on a national level

Data fusion is defined as the study of efficient methods for automatically or semi-automatically transforming information from different sources and different points in time into a representation that provides effective support for human or automated decision making (Khaleghi, Khamis, Karray, & Razavi, 2013). The successful application of data fusion techniques is present in a wide variety of fields ranging from transportation optimisation (Anand, Ramadurai, & Vanajakshi, 2013) to military situational awareness (Blasch, 2013). Data fusion in the cyber domain has been conducted previously with Intrusion Detection Systems and Intrusion Prevention Systems and achieved good results. More recent work aimed to incorporate soft fusion techniques that integrate the human component in the data fusion process (Hall, McNeese, Hellar, Panulla, & Shumaker, 2009).

One of the most challenging aspects of data fusion occurs when the reliability of data sensor outputs is not equal.
The reliability aspect of data fusion has been discussed at length, with a variety of proposed solutions offered such as the Dempster-Shafer method and derivatives such as the transferable belief model (Smets, 1993). To achieve reliable data fusion, it is critical to assess the data sources in a complete and uniform manner. Traditionally, information sources can be classified according to three main characteristics, namely the quality of the source, quality of the information and quality of presentation (Rogova & Bosse, 2010). Ontology research has extended the categories to ensure that a comprehensive evaluation structure is available (Rogova & Bosse, 2010).

While these measurement techniques are established in other domains, accurate assessment of cyber domain data sources is hard to achieve. Data source classification is often subjective due to a lack of metrics and can introduce significant bias in classification. An example of the bias present in commonly used CVE data is examined in section 3.4.1. Further influencers that complicate data source assessment in the cyber domain can be found in temporal factors. There is a constant flux where IP addresses are assigned and reassigned between devices on the Internet.

To address the complexities involved in cyber data fusion a structured approach is required. In this work, the authors propose an adapted JDL model for data fusion on a national level. The JDL model was first adapted to the cyber defence domain when the benefits of data fusion were explored to obtain a more reliable Intrusion Detection System (IDS) (Giacobe, 2010). In related work, Schreiber-Ehle & Koch (2012) extended the JDL model to fuse cyber information in IDS and Intrusion Prevention System (IPS) related systems in a variety of manners. Figure 1 shows the proposed adapted JDL model.
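
The unequal-reliability problem raised in this section can be worked through with Shafer discounting followed by Dempster's rule of combination. This is an added example, not code from the paper's experimental system; the two sensors, their reliabilities and their mass assignments are constructed for illustration.

```python
from itertools import product

# Frame of discernment for one host: is it vulnerable or not?
VULN = frozenset({"vulnerable"})
SAFE = frozenset({"not_vulnerable"})
THETA = VULN | SAFE  # "don't know": mass not committed to either hypothesis


def discount(mass, reliability):
    """Shafer discounting: a sensor trusted only to degree `reliability`
    has the remaining (1 - reliability) of its belief moved to THETA."""
    if not 0.0 <= reliability <= 1.0:
        raise ValueError("reliability must be in [0, 1]")
    out = {s: reliability * m for s, m in mass.items() if s != THETA}
    out[THETA] = 1.0 - reliability + reliability * mass.get(THETA, 0.0)
    return out


def combine(m1, m2):
    """Dempster's rule: multiply masses pairwise, assign each product to the
    intersection of the two sets, then renormalise by 1 - K, where K is the
    mass that fell on the empty set (the conflict between the sources)."""
    fused, conflict = {}, 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            fused[inter] = fused.get(inter, 0.0) + ma * mb
        else:
            conflict += ma * mb
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: Dempster's rule is undefined")
    return {s: m / (1.0 - conflict) for s, m in fused.items()}, conflict


def belief(mass, hypothesis):
    """Lower bound: mass of every set fully contained in the hypothesis."""
    return sum(m for s, m in mass.items() if s <= hypothesis)


def plausibility(mass, hypothesis):
    """Upper bound: mass of every set that does not contradict the hypothesis."""
    return sum(m for s, m in mass.items() if s & hypothesis)


def fuse_host_reports():
    """Constructed case: a banner-based sensor says 'vulnerable', a less
    reliable patch-status feed says 'not vulnerable'."""
    banner_sensor = {VULN: 0.8, THETA: 0.2}   # constructed masses
    patch_feed = {SAFE: 0.6, THETA: 0.4}      # constructed masses
    return combine(discount(banner_sensor, 0.9),   # assumed reliability 0.9
                   discount(patch_feed, 0.5))      # assumed reliability 0.5


if __name__ == "__main__":
    fused, k = fuse_host_reports()
    print("conflict K = %.3f" % k)
    print("Bel(vulnerable) = %.3f" % belief(fused, VULN))
    print("Pl(vulnerable)  = %.3f" % plausibility(fused, VULN))
```

The gap between belief and plausibility is the uncertainty left after fusion; lowering a sensor's reliability widens that gap instead of silently shifting the estimate.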

Figure 1: Adapted JDL Model for national level cyber fusion (own compilation)

At Level 0 the cyber data sensors such as Shodan, PhishTank and the custom PII detector will feed information into the system. This will allow for the identification of objects in cyberspace such as devices, services offered and information location at Level 1. Combined with additional metadata sources such as vulnerabilities and geolocation, it then becomes possible to obtain Level 2 situation assessment of the host state, potential vulnerability state or breach state. At Level 3 it is possible to see threat related information indicating what damage has been done; this would typically require access to the required devices and might not always be available. With the correct metadata available it might become possible to determine what actions to take or what the damage of an attack was. As an example, consider the information available on BuiltWith or PhishTank that is able to determine the original state of a website and could thus be used to indicate damage incurred. Level 4 is a management layer and will allow the operator to assign a reliability score to each sensor as well as adjust a variety of settings such as target revisit rate. At Level 5 the information will be presented to the user in a manner that maximises the information available to such an extent that the user can prioritise and act on priorities.

The data sources discussed in section 3 have been fused in an experimental system based on the JDL model discussed in section 4. The results of this fusion process will be discussed in section 5.

5. Case study

The application of the discussed data sources led to an experimental system with the following discoveries of the South African cyber domain. A dataset of 29743 Internet facing devices was obtained from Shodan and forms the basis of the experiment. The study also includes data extracted from a data breach detection system with the summary results listed in Table 3.
The sources were applied to the JDL model as discussed in section 4. This case study presents the results of the data fusion process occurring on Levels 0 to 4. Level 5 presents a visual representation of the fused data.

While there are many vendors that produce hardware devices in the world, the results shown in Table 1 seem to suggest that preference is given to a certain number of vendors in the South African domain. Any national cyber security strategy could thus focus its efforts to establish a good relationship with these vendors to obtain expedited security patches should it be required. It is expected that the distribution of vendors will vary by country, depending on the most dominant suppliers of that region, but this has not been verified.

Table 1: Number of software products installed on infrastructure identified in the South African domain per vendor (Own compilation)

| Vendor | Number of products identified |
|---|---|
| Cisco | 114 |
| Microsoft | 69 |
| IBM | 20 |
| Avaya | 18 |
| RedHat | 18 |
| VMware | 16 |
| Nortel | 14 |
| Sun | 13 |
| Oracle | 12 |
| Suse | 10 |

Of the 29743 devices contained in the dataset obtained from Shodan at Level 0 of the JDL model, 352 contained critical vulnerabilities when CVE data was combined at Level 2 of the adapted JDL fusion model. The CVE classification is presented in Table 2.

Table 2: Number of devices grouped by CVE classification (Own compilation)

| CVE Severity | Number of Hosts affected |
|---|---|
| 2 | 3047 |
| 4 | 1226 |
| 5 | 442 |
| 6 | 27 |
| 7 | 3046 |
| 8 | 25 |
| 9 | 101 |
| 10 | 352 |
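
The Level 0 to Level 2 steps that lead to a table like Table 2 can be sketched as follows. This is an added example, not the authors' experimental system: the observations, product names, placeholder vulnerability identifiers, scores and geolocation table are all constructed, and grouping each host by its worst CVSS score is an assumption about how the severity buckets are formed.

```python
import ipaddress
from collections import Counter
from datetime import date, timedelta

# Level 0 (constructed): banner observations as a Shodan-style sensor might
# report them. Addresses come from the RFC 5737 documentation ranges.
OBSERVATIONS = [
    {"ip": "192.0.2.10", "product": "ExampleHTTPd 1.0", "last_seen": date(2014, 8, 20)},
    {"ip": "192.0.2.10", "product": "ExampleFTPd 2.3", "last_seen": date(2014, 8, 21)},
    {"ip": "192.0.2.44", "product": "ExampleRouterOS 7", "last_seen": date(2014, 8, 19)},
    {"ip": "198.51.100.7", "product": "ExampleHTTPd 1.0", "last_seen": date(2014, 8, 22)},
    {"ip": "198.51.100.9", "product": "ExampleMail 4", "last_seen": date(2014, 8, 22)},
    # Stale banner: the address has probably been reassigned since.
    {"ip": "198.51.100.9", "product": "ExampleHTTPd 1.0", "last_seen": date(2013, 1, 5)},
    # Geolocates outside the national demarcation.
    {"ip": "203.0.113.5", "product": "ExampleFTPd 2.3", "last_seen": date(2014, 8, 22)},
]

# Metadata source 1 (constructed): product -> [(placeholder id, CVSS base score)]
VULN_LIBRARY = {
    "ExampleHTTPd 1.0": [("CVE-PLACEHOLDER-A", 10.0), ("CVE-PLACEHOLDER-B", 5.0)],
    "ExampleFTPd 2.3": [("CVE-PLACEHOLDER-C", 7.5)],
    "ExampleRouterOS 7": [("CVE-PLACEHOLDER-D", 4.3)],
}

# Metadata source 2 (constructed): prefix -> (country, region). Only country
# and region are used, since finer resolution is reported as unreliable.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), ("ZA", "Gauteng")),
    (ipaddress.ip_network("198.51.100.0/24"), ("ZA", "Western Cape")),
    (ipaddress.ip_network("203.0.113.0/24"), ("XX", "elsewhere")),
]


def geolocate(ip):
    """Longest-prefix match against the geolocation table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, loc) for net, loc in GEO_TABLE if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None


def level1_objects(observations, today, max_age_days=90):
    """Level 1: collapse raw observations into host objects, discarding
    banners older than the revisit window (IP assignment flux)."""
    cutoff = today - timedelta(days=max_age_days)
    hosts = {}
    for obs in observations:
        if obs["last_seen"] >= cutoff:
            hosts.setdefault(obs["ip"], set()).add(obs["product"])
    return hosts


def level2_assess(hosts, country="ZA"):
    """Level 2: join hosts with geolocation and vulnerability metadata and
    record the worst score per in-country host (None if nothing is known)."""
    assessed = []
    for ip, products in sorted(hosts.items()):
        loc = geolocate(ip)
        if loc is None or loc[0] != country:
            continue  # outside the demarcated national domain
        scores = [s for p in products for _, s in VULN_LIBRARY.get(p, [])]
        assessed.append({"ip": ip, "region": loc[1],
                         "worst_cvss": max(scores) if scores else None})
    return assessed


def severity_histogram(assessed):
    """Hosts per integer severity bucket, in the shape of Table 2."""
    return Counter(int(h["worst_cvss"]) for h in assessed
                   if h["worst_cvss"] is not None)


def critical_by_region(assessed, threshold=10.0):
    """Per-region count of hosts at or above the threshold (heat map input)."""
    return Counter(h["region"] for h in assessed
                   if h["worst_cvss"] is not None and h["worst_cvss"] >= threshold)


if __name__ == "__main__":
    fused = level2_assess(level1_objects(OBSERVATIONS, today=date(2014, 9, 1)))
    for severity, count in sorted(severity_histogram(fused).items()):
        print("severity %2d: %d host(s)" % (severity, count))
    print(dict(critical_by_region(fused)))
```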

At Level 0 a significant amount of personal information was detected in the South African landscape (Table 3). Since identity theft is considered to cost the South African economy approximately R1 Billion annually, this type of information can greatly assist the yet to be appointed privacy regulator (Costin, Isacenkova, Balduzzi, Francillon, & Balzarotti, 2013). The numbers in Table 3 are simply what is currently detected and many more could remain undetected due to the complexity of extracting information from unstructured data sources.

Table 3: Personally Identifiable Information found per category (Own compilation)

| PII Type | Count |
|---|---|
| ID Number | 892811 |
| Land Line Number | 852713 |
| Cell Phone Number | 1214516 |
| Email Address | 407307 |
| Credit Card Number | 78037 |
| Address | 537141 |

Further processing indicates the potential effect that one entity’s security posture could have on another entity’s posture, should a data breach occur. The potential security posture of the companies listed in Table 4 was weakened significantly since information regarding their customers and employees was made available via data leaks. The personal information that could be used in spear phishing attacks was summarised previously in Table 3. This type of correlation between leakage and incident at third parties has not been researched significantly but highlights the importance of privacy preservation laws.

Table 4: Top domains associated with leaked information (Own compilation)

| Domain | Number of times domain was detected |
|---|---|
| mweb.co.za | 19433 |
| statusib.co.za | 18162 |
| webmail.co.za | 10605 |
| getaways.co.za | 6519 |
| absamail.co.za | 5766 |
| vodamail.co.za | 5174 |
| sample.cybertrenz.co.za | 4842 |
| jdconsulting.co.za | 4344 |
| ultimatespray.co.za | 3042 |

Figure 2 combines the entities identified in Level 1 with geographic information to visualise the distribution of infrastructure nationally. In a warfare situation, this could assist with infrastructure protection planning. The numbers represent the number of devices located in proximity of each other for a geographic region.

Figure 2: Distribution of devices geographically from the experimental system (Own compilation)

Extending the fusion process between host location, hardware and software profile and CVEs detected can highlight risk distribution in areas as shown in Figure 3. Various types of visualisation methods are available for this type of data and heat maps were chosen in this experimental system. The picture depicts a region of South Africa’s Gauteng province that is the economic centre of the country. The numbers in blue represent the number of geographic devices located in the region while the different shadings from red to blue indicate the potential risk the devices are under. While the visualisation process does not correct any detected vulnerabilities, it does highlight the need for corrective action that varies by regional distribution.

Figure 3: Distribution of devices geographically with vulnerability overlays from the experimental system (Own compilation)

6. Conclusion

In this research we have presented a modified data fusion JDL model that will enable the co-ordinated fusing of information sources to present not just an organisational view but a limited national view. The research presented an overview of the responsibility and demarcation of a nation’s Internet infrastructure. It further explored the available attack surfaces and the potential data sources that can provide situational awareness in a nation’s domain. The identified data sources were applied with data fusion on the South African Internet infrastructure through the use of an experimental fusion system. While it is not yet possible to assign a security readiness indicator on a national level, this research shows that the variety of data sources available to the cyber defence community can be valuable if applied in a co-ordinated manner. It also further serves to highlight the potential that exists if effective sharing of organisational information can be implemented. By combining open source intelligence and shared organisational information, visibility of the cyber domain can be greatly increased. Further refinement of the sensor fusion process to include reliability calculations and improve cyber readiness assessments should be researched and implemented to improve accuracy of results.

7. References

Anand, A., Ramadurai, G., & Vanajakshi, L. (2013). Data fusion based traffic density estimation and prediction. Journal of Intelligent Transportation Systems, (just-accepted).
Bianco, D. (2013). The pyramid of pain. Retrieved 2014/01/26 from http://detectrespond.blogspot.com/2013/03/the-pyramid-of-pain.html.
Blasch, E. (2013). Enhanced air operations using JView for an air-ground fused situation awareness udop. Paper presented at the Digital Avionics Systems Conference (DASC), 2013 IEEE/AIAA 32nd, 5A5-1-5A5-11.
Breindl, Y., & Kuellmer, B. (2013). Internet content regulation in France and Germany: Regulatory paths, actor constellations, and policies. Journal of Information Technology & Politics, 10(4), 369-388.
Caselli, M., Hadžiosmanović, D., Zambon, E., & Kargl, F. (2013). On the feasibility of device fingerprinting in industrial control systems. Critical information infrastructures security (pp. 155-166) Springer.
Cavelty, M. D. (2014). Breaking the cyber-security dilemma: Aligning security needs and removing vulnerabilities. Science and Engineering Ethics, 1-15.
Costin, A., Isacenkova, J., Balduzzi, M., Francillon, A., & Balzarotti, D. (2013). The role of phone numbers in understanding cyber-crime schemes. Paper presented at the Privacy, Security and Trust (PST), 2013 Eleventh Annual International Conference On, 213-220.
de Souza, C. (2014). National Cyber Security: The Responsibility of all Sectors.
Fahmy, H. M., & Ghoneim, S. A. (2011). PhishBlock: A hybrid anti-phishing tool. Paper presented at the Communications, Computing and Control Applications (CCCA), 2011 International Conference On, 1-5.
Ford, R. T. (2012). Law and borders.
Giacobe, N. A. (2010). Application of the JDL data fusion process model for cyber security. Paper presented at the SPIE Defense, Security, and Sensing, 77100R-77100R-10.
Giacomello, G. (2014). Security in cyberspace: Targeting nations, infrastructures, individuals. Bloomsbury Publishing USA.
Goldsmith, J. L., & Wu, T. (2006). Who controls the Internet?: Illusions of a borderless world. Oxford University Press New York.
Hahn, A., & Govindarasu, M. (2011). Cyber attack exposure evaluation framework for the smart grid. Smart Grid, IEEE Transactions On, 2(4), 835-843.
Hall, D. L., McNeese, M. D., Hellar, D. B., Panulla, B. J., & Shumaker, W. (2009). A cyber infrastructure for evaluating the performance of human centered fusion. Paper presented at the Information Fusion, 2009. FUSION'09. 12th International Conference On, 1257-1264.
Hathaway, M. (2013). Cyber readiness index 1.0. Retrieved 2013/12/27 from http://belfercenter.hks.harvard.edu/publication/23607/cyber_readiness_index_10.html.
Karaklajić, D., Schmidt, J., & Verbauwhede, I. (2013). Hardware designer's guide to fault attacks.
Khaleghi, B., Khamis, A., Karray, F. O., & Razavi, S. N. (2013). Multisensor data fusion: A review of the state-of-the-art. Information Fusion, 14(1), 28-44.
Leverett, E. P. (2011). Quantitatively assessing and visualising industrial system attack surfaces. University of Cambridge, Darwin College.
Luiijf, E., Besseling, K., & De Graaf, P. (2013). Nineteen national cyber security strategies. International Journal of Critical Infrastructures, 9(1), 3-31.
Manadhata, P. K., & Wing, J. M. (2011). An attack surface metric. Software Engineering, IEEE Transactions On, 37(3), 371-386.
Mao, J., Li, P., Li, K., Wei, T., & Liang, Z. (2013). BaitAlarm: Detecting phishing sites using similarity in fundamental visual features. Paper presented at the Intelligent Networking and Collaborative Systems (INCoS), 2013 5th International Conference On, 790-795.
Moore, T., & Clayton, R. (2008). Evaluating the wisdom of crowds in assessing phishing websites. Financial cryptography and data security (pp. 16-30) Springer.
Naidoo, G., Singh, S., & Levine, N. (2013). An overview of Internet developments and their impact on E-Government in South Africa. Technology, Sustainability, and Rural Development in Africa, 25(20,000), 188.
National Institute of Standards and Technology (NIST), & United States of America. (2014). Framework for improving critical infrastructure cybersecurity.
Poese, I., Uhlig, S., Kaafar, M. A., Donnet, B., & Gueye, B. (2011). IP geolocation databases: Unreliable? ACM SIGCOMM Computer Communication Review, 41(2), 53-56.
Rogova, G. L., & Bosse, E. (2010). Information quality in information fusion. Paper presented at the Information Fusion (FUSION), 2010 13th Conference On, 1-8.
Ryoo, J., & Park, E. (2011). Internet security readiness: The influence of Internet usage level and awareness on Internet security readiness capital, skill, and actual uptake/use of infrastructure. JCSE, 5(1), 33-50.
Schreiber-Ehle, S., & Koch, W. (2012). The JDL model of data fusion applied to cyber-defence—A review paper. Paper presented at the Sensor Data Fusion: Trends, Solutions, Applications (SDF), 2012 Workshop On, 116-119.
Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L. F., & Downs, J. (2010). Who falls for phish?: A demographic analysis of phishing susceptibility and effectiveness of interventions. Paper presented at the Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 373-382.
Smets, P. (1993). Belief functions: The disjunctive rule of combination and the generalized bayesian theorem. International Journal of Approximate Reasoning, 9(1), 1-35.
Electronic communications security (pty) ltd act, 452Cong. (2003).
Swart, I., Irwin, B., & Grobler, M. (2014). On the viability of pro-active automated PII breach detection. Proceedings of the Southern African Institute for Computer Scientist and Information Technologists Annual Conference 2014 on SAICSIT 2014 Empowered by Technology, Centurion, South Africa. (SAICSIT'14) 251-259. doi:10.1145/2664591.2664600.
Thomas, T. L. (2003).
Al Qaeda and the Internet: The Danger of'Cyberplanning', Wang, G., Zhang, C., Qiu, X., & Zeng, Z. (2011). Modelling a tractable and annotated ISP's router-level topology based on statistical data and geolocation mapping. Paper presented at the Communication Software and Networks (ICCSN), 2011 IEEE 3rd International Conference On, 31-35. Wang, Y., Burgener, D., Flores, M., Kuzmanovic, A., & Huang, C. (2011). Towards street-level clientindependent IP geolocation. Paper presented at the NSDI'11. Proceedings of the 8thUSENIX Conference on Networked Systems Design and Implementation, 27-36. Zhu, X., Guo, W., Huang, L., Hu, T., & Gao, W. (2013). Pan-information location map. ISPRS-International Archives of the Photogrammetry, Remote Sensing and Spatial Information Sciences, 1(4), 57-62.
